Preparing for Compliance Audits

Alain Meier


December 1, 2021

An illustration of a criss-crossing staircase with people at each level examining books or looking at a giant gavel, magnifying glass, clipboard, etc. On the top stair is a giant check mark and a businessman celebrating that he got through the audit.

For regulated institutions, compliance audits can happen any time and be prompted by many different stakeholders, including internal teams, regulatory bodies or potential partners looking to mitigate their own risk. The term “audit” can also apply to many teams in an organization, such as a security audit for SOC 2 compliance from a potential partner, or an external money-laundering watchlist compliance audit to satisfy a regulatory agency. Because you do not always know in advance when an audit is coming, preparation can feel secondary to more pressing daily tasks. Indeed, if you are not ultimately audited, it may seem like wasted effort.

However, you can craft policies and procedures around audit preparation that are routine, continuous and automatic. The following five-point checklist can help your business be ready for whenever an audit arises:

1. Create different onboarding processes for individuals and entities based on country. Onboarding is the first stop for getting your audit house in order. The Office of Foreign Assets Control (OFAC) risk matrix recommends three categories of screening sensitivity, and all of them should be incorporated into your onboarding process. There are specific requirements you need to put in place for individual people, and different sets of requirements for non-person entities and organizations. Additionally, because different countries have different rules and regulations, onboarding processes should be customized to the requirements of the region and jurisdiction in which you are operating.

The OFAC risk matrix is the standard many auditors will have in mind as they assess whether your company has made its best effort to mitigate sanctions and financial-crime risk. You can also implement various levels of access and get granular about which features are gated for different users and groups. Having multiple sensitivities for different groups demonstrates that you are doing your due diligence and can make a good impression on the regulators conducting your audit.

2. Document KYC and AML processes. Most companies do not maintain a comprehensive guide of the steps they take to enforce know-your-customer (KYC) and anti-money laundering (AML) rules, but from an auditor’s perspective, documenting these processes can be just as important as implementing them.

Compile a thorough outline of the KYC and AML screening processes your company has in place. This overview should explain in detail how you proceed when there is an incident, and describe what your case management process looks like from end to end. Be ready to show auditors exactly how you would respond to a risk, whether or not it is part of a formal investigation. If these records are current and accessible, audit preparation becomes a lot easier.

3. Create, record and report audit trails. It is tempting to think that having no history of red flags is a positive thing, but regulators will actually have more confidence in you if they see that you have intercepted and investigated incidents in the past. If your record appears too clean, it can imply that your search and screening criteria are over-constrained, so that users are flagged only when they meet a narrow set of conditions, such as an exact name match. To show you are taking a comprehensive approach, support a gradual verification flow that escalates near matches for review, and keep your false-positives queue on file: reviewed and dismissed alerts are evidence for the audit, not noise to be purged.

4. Conduct scans and re-scans on a regular basis. To show auditors that you take compliance seriously, demonstrate that you are re-scanning data regularly. Banks and other financial institutions re-scan on a daily basis, but this practice is less common among organizations in industries like financial technology and health care. If you can prove that your system conducts a daily scrub, it will put you well ahead of the pack.

Make sure you are using constantly updated watchlists, as they can change frequently. If you keep screening new and existing customers against the same list version rather than the latest one, you run the risk of missing entries added since that version was published.

5. Rigorously test the system. Every time you are audited, regulators evaluate how often you test your system. Exceed their expectations by testing regularly and documenting it each time. One of the reasons regulators conduct audits in the first place is to confirm that the proper procedures and workflows are being followed. Keeping a record of this activity can save everyone time.
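The following is an added example, not code from the original article or from Cognito, showing one way to implement points 3 and 4 above together: every customer, new or existing, is re-screened against whichever watchlist version is current, each screening is stamped with that version in an append-only trail, and a near match that an analyst dismisses stays on file with its disposition instead of being deleted. The customer names, list entries, list dates and the 0.80 review threshold are constructed for illustration and are not real sanctions data.

```python
"""Versioned watchlist re-screening with an append-only audit trail.

Added example (not the article's or Cognito's code). Customer names, list
entries, list versions and thresholds are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple
import unicodedata

# Gradual verification thresholds (assumed values): an exact normalized match
# is a hit, a near match goes to a human review queue, anything else is clear.
REVIEW_THRESHOLD = 0.80


def normalize(name: str) -> str:
    """Fold accents, case and whitespace so 'José  Alvarez' == 'jose alvarez'."""
    folded = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return " ".join(folded.lower().split())


@dataclass
class Watchlist:
    version: str        # publisher's list date; stamped on every screening record
    names: List[str]


@dataclass
class AuditRecord:
    customer_id: str
    list_version: str
    outcome: str                        # "clear" | "review" | "hit"
    matched_name: Optional[str] = None
    disposition: Optional[str] = None   # analyst decision for "review" items
    screened_at: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


def screen(customer_name: str, watchlist: Watchlist) -> Tuple[str, Optional[str]]:
    """Return (outcome, best matching list entry) for one customer name."""
    target = normalize(customer_name)
    best_name, best_score = None, 0.0
    for entry in watchlist.names:
        score = SequenceMatcher(None, target, normalize(entry)).ratio()
        if score > best_score:
            best_name, best_score = entry, score
    if best_score == 1.0:
        return "hit", best_name
    if best_score >= REVIEW_THRESHOLD:
        return "review", best_name
    return "clear", None


def rescan(customers: Dict[str, str], watchlist: Watchlist,
           trail: List[AuditRecord]) -> Dict[str, str]:
    """Screen *all* customers against the current list; append, never overwrite."""
    outcomes = {}
    for cid, name in customers.items():
        outcome, matched = screen(name, watchlist)
        trail.append(AuditRecord(cid, watchlist.version, outcome, matched))
        outcomes[cid] = outcome
    return outcomes


def record_disposition(trail: List[AuditRecord], customer_id: str,
                       list_version: str, disposition: str) -> AuditRecord:
    """Attach the analyst's decision to a review item so the false positive stays on file."""
    for rec in trail:
        if (rec.customer_id == customer_id and rec.list_version == list_version
                and rec.outcome == "review"):
            rec.disposition = disposition
            return rec
    raise KeyError(f"no open review item for {customer_id} on list {list_version}")


# Constructed sample data: three customers and two successive list versions.
# "Daniel Okafor" is absent from the 2021-11-30 list and only appears on the
# 2021-12-01 list, which is exactly the case a daily re-scan exists to catch.
CUSTOMERS = {"c-001": "Maria Ortega", "c-002": "Jon Smyth", "c-003": "Daniel Okafor"}
LIST_V1 = Watchlist("2021-11-30", ["John Smith", "Ivan Petrov"])
LIST_V2 = Watchlist("2021-12-01", ["John Smith", "Ivan Petrov", "Daniel Okafor"])


def run_demo() -> List[AuditRecord]:
    """Onboarding-time screening, an analyst dismissal, then the next day's re-scan."""
    trail: List[AuditRecord] = []
    rescan(CUSTOMERS, LIST_V1, trail)
    record_disposition(trail, "c-002", LIST_V1.version,
                       "false positive: different date of birth and nationality")
    rescan(CUSTOMERS, LIST_V2, trail)
    return trail


if __name__ == "__main__":
    for rec in run_demo():
        print(f"{rec.screened_at} {rec.customer_id} list={rec.list_version} "
              f"{rec.outcome} matched={rec.matched_name} disposition={rec.disposition}")
```

Running it produces six trail records: under the 2021-11-30 list c-003 is clear and c-002 is a near match dismissed by the analyst; under the 2021-12-01 list c-003 becomes a hit, and the earlier clear record for c-003 remains in the trail, which is what lets an auditor see that the miss was caused by list timing rather than a screening gap.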

Addressing these five points will put you well on your way to a painless review. Technology tools can also help you stay on top of these processes and streamline audit preparation by automating screening during customer onboarding, daily re-scans, and gradual, granular verification that produces the audit trails and false-positive records auditors ask for.

When your KYC and AML processes are running properly and are documented, regulators and auditors can see clearly into your compliance practices and know you are holding yourself to the highest industry standards.

Alain Meier is the CEO and co-founder of Cognito, a provider of online identity verification services.