<!-- Bizible Script --> <script type="text/javascript" class="optanon-category-C0004" src="//cdn.bizible.com/scripts/bizible.js" ></script> <!-- End Bizible Script -->
Contact Sales
Legal

How to get the most out of the AML Independent Audit

An AML Independent Audit isn’t just a regulatory requirement under Regulation 21 — it’s a strategic opportunity. When done well, it can strengthen your firm’s compliance framework, uncover gaps, and even support future growth plans. Treating it as more than a tick-box exercise can deliver real business value.

Written by Mariam Dobosz, Senior Risk and Compliance Associate 

Risk & Compliance Software Compliance

Posted 07/11/2025

A lot of law firms fall within the scope of Regulation 21 and they do have the AML Independent Audit Function established. Unfortunately, some firms still treat it as a tick-box exercise to satisfy the regulatory requirements.


Benefits of a good Audit

However, this audit can benefit the firm not only in relation to this aspect but can also help from the business perspective. Below are a few examples:

  • Assess whether the firm’s current AML controls address it’s risk appetite – This will help to understand whether any changes to the current procedures are required, whether the firm’s processes correspond with the risk results within the AML Firm Wide Risk Assessment.
  • Provide an overview of the financial and economic crime controls – AML Independent Audit services offered by Access Legal includes audit of the Sanctions processes and review of the other relevant controls in relation to financial and economic crimes such as bribery and tax evasion.
  • Provide opinion & insights for the planned business growth – the Audit can assess whether the firm’s current controls are ready for planned expansion and provide recommendations. These is useful for Senior Management when deciding on the next steps.
  • Identify potential training needs – the Audit can provide an overview of the areas needing further training from an AML and wider compliance perspective.

How to prepare for the audit

Before commencing the audit, the MLRO/ MLCO or other relevant person should ensure that:

  • All data is available for the auditor for a review. This includes access to the files, documents such as AML Firm Wide Risk Assessment, AML policies, relevant registers, MLRO’s records.
  • There is internal capacity for the audits. The key personnel should ensure availability for calls, support, employees must be able to attend interview at the agreed time.
  • It is also a good idea to have already booked time to review the report, documents, and add the audit discussion to the following Senior Management Meeting. Make sure you share with the auditor any plans for the firm, possible changes to the risk factors

Internal or External Auditor?

Section 9.3.1 of the LSAG Guidance provides the specific requirements regarding the AML Auditor, stating they must be independent of the work areas being audited e.g. not the MLRO/MLCO, members of the compliance team or the team that did the original work;

  • Have the requisite skills and knowledge in audit and AML/TF in order to be able to adequately carry out their duties.
  • Have the authority to access all relevant material (including file materials) to be able to evaluate and report on the adequacy and effectiveness of the PCPs.
  • Make recommendations about the PCPs and file remediation if required (in applying these changes, file remediation should retain records of the file pre- and post-the remediation work);
  • Monitor the practice's implementation of those recommendations.
  • Have direct access/report findings directly to the practice’s Senior Management; and
  • Where audit is conducted by an internal partner/member of staff, they must be prepared to make an internal report to the MLRO should they have knowledge/reasonable suspicion that a matter has involved the Proceeds of Crime

The above bullet points can constitute a checklist for a firm to decide whether there is someone within the practice meeting these requirements.

In addition, regardless as to whether the person is internal and external, the firm must check that they have sufficient knowledge and experience in AML and CTF to conduct such an audit.

Some firms find it difficult to find an internal person who is independent of the AML controls and at the same time have the required knowledge about AML.

When searching for an external auditor, the law firms should check that the offered audit meets the requirements of Regulation 21 and is in line with the SRA standards.

The firm’s approach to the audit

The success of a good audit also depends on the firm’s approach to this review. If the law firm’s treats it as a tick box exercise to be able to tell the SRA they have audit in place, that is not the best approach. The Audit can be an opportunity to highlight strong AML controls and identify any aspects of AML governance needed improvement.

With the report in hand, the firm is able to prioritize areas to focus on and allocate the resources accordingly. The audit can give a basis for the compliance plan for the following 12 months.

However, the audit will not represent true and objective findings without honest answers from the firm and cooperation with the auditor. Therefore, all team members must be encouraged to tell the truth when speaking with the auditor and to not hide any details. In addition, if not all relevant documents or data is provided, the Audit will not be accurate.

Usually the firm has a person responsible for AML compliance and arranging the audit such as the MLRO, MLCO, Head of Compliance. Etc. Nonetheless, the input from other team members is essential. This includes IT Team, Senior Management, etc. They should be aware of the audit been completed and importance of it.

What next?

It might be a good idea to discuss the AML Independent Audit during the next compliance or Senior Management. Would it be a good time to book one? Our Risk and Compliance Services Team offers the AML Independent Audit meeting the requirement of Regulation 21.

Ready to strengthen your AML compliance?

Contact our Risk and Compliance team to book your independent audit today.

Talk to our expets