BSA/AML Independent Audit Preparation Checklist

Use this BSA/AML Independent Audit Preparation Checklist to gather the documents, logs, and evidence an independent tester will ask for before fieldwork begins.

Built for: Banks And Credit Unions · Money Services Businesses · Fintech And Payments · Broker Dealers · Casino And Gaming

Overview

This checklist is a pre-audit preparation tool for BSA/AML independent testing. It helps you confirm that the audit period, entity scope, governance records, transaction monitoring logs, training evidence, and remediation files are assembled before the independent tester begins fieldwork.

Use it when you need to prove that your program is organized, current, and traceable across the audit period. It is especially useful before annual independent testing, after a material change to products or risk profile, or when prior findings remain open and need to be tracked. The checklist is also helpful when multiple teams own different parts of the evidence package, because it forces one view of what exists, what is missing, and what still needs review.

Do not use this as a substitute for the audit itself or as a generic compliance inventory. If your institution is not subject to BSA/AML obligations, or if the review is limited to a narrow policy spot-check, this template may be broader than needed. It is also not the right tool for live case management; it is meant to prepare the records an independent tester will sample, not to run investigations. The strongest use is as a controlled readiness tracker that reduces last-minute document chasing and makes gaps visible before the audit request lands.

Standards & compliance context

  • This checklist supports documentation practices commonly expected under the Bank Secrecy Act framework and related FinCEN examination expectations for risk-based AML programs.
  • Transaction monitoring, alert disposition, and sanctions screening evidence should align with your institution’s internal controls and OFAC screening obligations, with records retained in a reviewable format.
  • Training and governance records should support board oversight and program accountability consistent with common expectations in BSA/AML supervision and internal control standards.
  • If your institution operates in a regulated financial services environment, retain evidence in line with applicable recordkeeping and retention policies and any examiner guidance specific to your charter or license.

General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.

What's inside this template

Audit Scope and Readiness

This section confirms what period, entity, and testing scope the auditor will review so the rest of the evidence package matches the assignment.

  • Audit period and entity scope documented (critical · weight 4.0)

    Verify the review period, legal entity, branch coverage, and business lines included in the independent audit are clearly defined.

  • Independent tester engagement letter or assignment documented (critical · weight 4.0)

    Confirm the independent testing engagement, scope, and reporting line are documented and available for review.

  • Prior audit findings and open issues tracked (weight 3.0)

    Check that prior BSA/AML audit findings, management responses, and remediation status are compiled.

  • Current BSA/AML risk assessment available (critical · weight 4.0)

    Ensure the most recent enterprise-wide BSA/AML risk assessment is available, approved, and dated.

Policies, Procedures, and Governance

This section shows that the BSA/AML program is current, approved, and supported by documented oversight and testing methodology.

  • BSA/AML program policy current and approved (critical · weight 5.0)

    Confirm the written BSA/AML policy is current, approved by management or the board as applicable, and accessible.

  • Procedures for customer due diligence and enhanced due diligence available (critical · weight 5.0)

    Verify procedures address customer identification, beneficial ownership, CDD, and EDD where required.

  • Board or committee reporting package available (weight 4.0)

    Confirm recent board, committee, or senior management reporting on BSA/AML metrics, issues, and escalations is compiled.

  • Independent testing scope and methodology retained (weight 3.0)

    Verify the testing methodology, sampling approach, and workpapers supporting prior independent reviews are retained.

Transaction Monitoring and Regulatory Reporting Logs

This section proves that alerts, SARs, CTRs, and sanctions hits can be traced through the full review and filing lifecycle.

  • SAR log complete for audit period (critical · weight 7.0)

    Confirm the Suspicious Activity Report log includes filing dates, case references, disposition, and status for the audit period.

  • CTR log complete for audit period (critical · weight 6.0)

    Verify the Currency Transaction Report log includes reportable transactions, filing status, and exception handling.

  • OFAC screening hit log available (critical · weight 6.0)

    Ensure sanctions screening alerts, true hits, false positives, dispositions, and escalation evidence are compiled.

  • Alert investigation and case disposition records available (weight 6.0)

    Check that alert review records show investigation steps, rationale, and closure decisions for sampled cases.

Training, Staffing, and Competency

This section demonstrates that the people running the program were trained, assigned, and qualified for their roles during the audit period.

  • Annual BSA/AML training records complete (critical · weight 5.0)

    Confirm annual training completion records are available for applicable employees, officers, and directors.

  • Role-based training for high-risk functions documented (weight 4.0)

    Verify enhanced training exists for roles such as operations, onboarding, investigations, and sanctions screening.

  • Training completion rate (weight 3.0)

    Enter the percentage of required personnel who completed assigned BSA/AML training on time.

  • Training materials and attendance rosters retained (weight 3.0)

    Confirm course materials, rosters, completion certificates, and make-up training evidence are retained.

Records, Retention, and Evidence Package

This section organizes the supporting files so the tester can sample items quickly and verify that retention and remediation records are complete.

  • Evidence binder or shared folder organized by audit request (weight 5.0)

    Verify documents are organized by request number, topic, or control area for efficient auditor access.

  • Record retention periods applied consistently (critical · weight 6.0)

    Confirm BSA/AML records are retained according to policy and applicable regulatory retention requirements.

  • Supporting evidence for sampled items available (critical · weight 7.0)

    Ensure supporting documents exist for sampled accounts, alerts, filings, investigations, and approvals.

  • Known deficiencies and remediation plan documented (weight 7.0)

    Document any known deficiencies, root cause analysis, remediation owner, and target completion dates.

How to use this template

  1. Confirm the audit period, legal entity scope, and independent tester assignment, then record the current BSA/AML risk assessment and any open prior findings.
  2. Gather the current approved program policy, procedures for customer due diligence and enhanced due diligence, board or committee reporting, and the retained testing scope and methodology.
  3. Pull complete SAR, CTR, OFAC hit, alert investigation, and case disposition logs for the audit period, and verify that each record can be traced back to source evidence.
  4. Collect annual and role-based training records, attendance rosters, and training materials, then check completion status for high-risk functions and unresolved exceptions.
  5. Organize the evidence binder or shared folder by audit request, apply retention rules consistently, and attach supporting documents for sampled items and known deficiencies with remediation status.

Best practices

  • Use the exact audit period dates everywhere so the tester does not have to reconcile mismatched timeframes.
  • Tie each log entry to a source record, case number, or screening reference so sampled items can be traced without rework.
  • Flag open findings separately from closed items and include the current remediation owner and due date.
  • Photograph or export evidence at the time of collection when the source system is volatile, especially for dashboards and case queues.
  • Keep SAR and OFAC-related evidence access-controlled and share only the minimum necessary files with the audit team.
  • Verify that training records distinguish annual enterprise training from role-based training for investigators, onboarding, and high-risk functions.
  • Use one naming convention for all files and folders so the evidence package can be reviewed in the same order as the checklist.

What this template typically catches

Issues teams running this template most often surface in practice:

  • The audit period is documented inconsistently across logs, training records, and board reports.
  • Prior findings are listed but there is no clear remediation owner, due date, or closure evidence.
  • SAR or CTR logs are missing entries, contain duplicate rows, or cannot be reconciled to source case files.
  • OFAC screening hits are recorded, but the disposition rationale and escalation trail are incomplete.
  • Annual training is complete for most staff, but high-risk functions lack role-based training evidence.
  • The independent testing scope or methodology was not retained, so the tester cannot confirm what was reviewed.
  • Evidence is stored in multiple folders with different naming conventions, making sampled items hard to trace.
  • Retention periods are applied unevenly, leaving some supporting records unavailable for the audit sample.

Common use cases

BSA Officer preparing for annual independent testing
The BSA officer uses this checklist to confirm that governance, monitoring logs, and training records are ready before the tester arrives. It helps surface missing approvals, incomplete logs, and unresolved findings while there is still time to fix them.
Compliance manager supporting a fintech audit request
A compliance manager can map this checklist to the exact evidence requested for a fintech product line, including customer due diligence, alert reviews, and sanctions screening. It is useful when multiple systems feed the audit package and records must be assembled quickly.
Internal audit coordinating remediation follow-up
Internal audit can use the checklist to verify that prior findings have documented remediation plans and supporting closure evidence. It keeps the follow-up review focused on whether the control gap was actually corrected, not just acknowledged.
Operations lead gathering training and case records
An operations lead can use the checklist to collect attendance rosters, training materials, and case disposition records from different teams. This is especially helpful when investigators, onboarding staff, and branch teams all own separate parts of the evidence.

Frequently asked questions

What does this BSA/AML Independent Audit Preparation Checklist cover?

This checklist covers the core evidence an independent tester typically requests for a BSA/AML audit: scope and readiness, governance documents, transaction monitoring and reporting logs, training records, and the evidence package. It is designed to help you confirm that the audit period, entity scope, and supporting records are organized before testing starts. It does not replace the audit itself; it prepares the materials the tester will review. If your program includes additional lines of business or products, you can extend the checklist to match them.

How often should this checklist be used?

Use it before every independent BSA/AML audit or annual independent testing cycle, and also after major program changes. That includes new products, new geographies, material changes to transaction monitoring, or a revised risk assessment. Many teams also run it quarterly as a readiness check so missing logs or expired training records are caught early. The goal is to avoid scrambling when the tester requests evidence.

Who should complete this checklist?

It is usually owned by the BSA/AML compliance lead, with input from operations, investigations, training, and records management. The independent tester should not complete the checklist, because the purpose is to prepare the audit package before testing begins. In smaller organizations, one compliance manager may coordinate the work, but the underlying evidence should still come from the people who maintain the records. If governance is board-level, a committee secretary or compliance officer may also verify the approval trail.

Does this checklist map to a specific regulation?

It is aligned to common BSA/AML audit expectations under the Bank Secrecy Act framework, FinCEN guidance, OFAC screening practices, and broader internal control expectations. It also supports the kind of documentation an independent tester expects under a risk-based compliance program. The checklist is not a legal opinion and does not replace counsel or your designated compliance officer. You should tailor it to your institution type, products, and examiner expectations.

What are the most common mistakes this checklist helps catch?

Common misses include an outdated risk assessment, incomplete SAR or CTR logs, missing alert disposition evidence, and training records that do not tie back to the audit period. Teams also often forget to retain the independent testing scope and methodology, or they cannot produce board reporting packages on request. Another frequent issue is inconsistent retention, where one department stores evidence differently from another. This checklist helps surface those gaps before the audit starts.

Can I customize this checklist for my institution?

Yes. You can add product-specific items such as correspondent banking, MSB activity, cash-intensive business reviews, or sanctions escalation evidence if those are in scope. You can also add columns for owner, due date, file location, and status so the checklist becomes a working tracker rather than a static list. If your audit request list is already known, map each item to the exact evidence source. That makes it easier to assemble the final binder or shared folder.

How does this compare with ad hoc document gathering?

Ad hoc gathering usually leaves gaps because different teams respond with different versions of the same record, or they cannot confirm whether the audit period is complete. This checklist creates a repeatable evidence trail so the tester receives the same scope, logs, and approvals every cycle. It also makes open issues visible, which helps management explain remediation status instead of discovering problems during fieldwork. For regulated programs, that consistency is often the difference between a smooth audit and a delayed one.

Can this checklist be used with shared folders or GRC tools?

Yes. The checklist works well as a tracker for a shared drive, evidence binder, or GRC workflow because each section corresponds to a document set the tester will ask for. You can link each line item to a folder path, file name, or ticket number so reviewers can find evidence quickly. If your organization uses workflow approvals, add the approver and completion date fields. The key is to keep the checklist synchronized with the actual evidence repository.
