Understanding the Examination Process
Whether you're being examined by your bank partner's compliance team, an OCC/FDIC examiner, a state regulator, or an independent auditor, the process follows a predictable pattern. The more prepared you are, the shorter and less painful the examination will be. A well-prepared fintech can complete an examination in 2-3 weeks. A poorly prepared one can drag it out for months — with much worse outcomes.
What Examiners Are Looking For
Examiners evaluate your program against the five pillars of BSA/AML compliance (per the FFIEC BSA/AML Examination Manual):
- Pillar 1: A system of internal controls (policies, procedures, and processes)
- Pillar 2: Independent testing (audit) of the BSA/AML program
- Pillar 3: A BSA-designated compliance officer with adequate authority and resources
- Pillar 4: Training appropriate to each person's role and responsibilities
- Pillar 5: Customer due diligence and beneficial ownership (added by the 2016 CDD Rule)
Beyond the five pillars, examiners conduct transaction testing — they'll pull a sample of your accounts and transactions and check whether your monitoring system detected the suspicious activity they spot. This is where weak programs get exposed.
Pre-Audit Preparation (4-6 Weeks Before)
Step 1: Conduct a Self-Assessment
- Walk through the FFIEC BSA/AML Examination Manual yourself (available free at ffiec.gov)
- Grade your program against each section: compliant, partially compliant, or non-compliant
- Identify and remediate gaps before the examiner finds them — self-identified issues are viewed much more favorably than examiner-discovered issues
Step 2: Organize Your Document Repository
Create a structured folder (physical or digital) with these sections:
- Program Documents: Current BSA/AML policy, risk assessment, CIP procedures, OFAC policy, SAR filing procedures
- Governance: Board minutes showing BSA/AML oversight, BSA Officer designation letter, organizational chart showing reporting lines
- Training: Training materials, attendance records, completion certificates for all employees
- Monitoring: Transaction monitoring rule documentation, tuning records, alert statistics, SAR conversion rates
- SARs and CTRs: Copies of all filed reports with supporting investigation documentation
- Testing: Independent audit reports, management responses, remediation tracking
- Customer Files: Sample CIP records, EDD files for high-risk customers, beneficial ownership certifications
Step 3: Prepare Key Metrics
Examiners love data. Have the following ready:
- Total number of SARs filed (by quarter, for the past 2 years)
- Average time from alert generation to SAR filing
- Alert volume by rule type and disposition (true positive vs. false positive)
- SAR conversion rate (alerts that resulted in a SAR / total alerts reviewed)
- Number of customers by risk category (low, medium, high)
- Number of OFAC hits, false positives, and true matches
- Training completion rates by department
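The metrics above are straightforward to pull from your case-management data once alerts carry a rule name, a disposition, and the SAR filing date. The script below is an added example, not code from the original page or any vendor tool; it runs over a small constructed set of alert records (hypothetical IDs, rule names and dates) and computes alert volume by rule and disposition, the SAR conversion rate, average alert-to-SAR days, SARs by quarter, and a list of filings that exceeded the 30-day window. One assumption is labelled in the code: the 30-day clock is measured from the alert date as a proxy, whereas your program's written procedures define when the filing clock actually starts.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Constructed sample alert records (hypothetical data, not from any real program).
# Each record: alert id, monitoring rule that fired, alert date, analyst disposition,
# and the SAR filing date (None when no SAR was filed).
ALERTS = [
    {"id": "A-001", "rule": "structuring",    "alert_date": date(2024, 1, 10),  "disposition": "true_positive",  "sar_filed": date(2024, 1, 30)},
    {"id": "A-002", "rule": "structuring",    "alert_date": date(2024, 2, 14),  "disposition": "false_positive", "sar_filed": None},
    {"id": "A-003", "rule": "rapid_movement", "alert_date": date(2024, 3, 3),   "disposition": "true_positive",  "sar_filed": date(2024, 4, 12)},  # 40 days: late
    {"id": "A-004", "rule": "rapid_movement", "alert_date": date(2024, 4, 20),  "disposition": "false_positive", "sar_filed": None},
    {"id": "A-005", "rule": "high_risk_geo",  "alert_date": date(2024, 5, 5),   "disposition": "true_positive",  "sar_filed": date(2024, 5, 25)},
    {"id": "A-006", "rule": "high_risk_geo",  "alert_date": date(2024, 7, 1),   "disposition": "false_positive", "sar_filed": None},
    {"id": "A-007", "rule": "structuring",    "alert_date": date(2024, 8, 15),  "disposition": "true_positive",  "sar_filed": date(2024, 9, 1)},
    {"id": "A-008", "rule": "structuring",    "alert_date": date(2024, 11, 2),  "disposition": "false_positive", "sar_filed": None},
]

# Filing window cited on the page. ASSUMPTION: the clock is measured here from the
# alert date; your procedures define the actual start of the filing period.
SAR_DEADLINE_DAYS = 30


def alert_volume_by_rule(alerts):
    """Alert counts keyed by (rule, disposition)."""
    return Counter((a["rule"], a["disposition"]) for a in alerts)


def sar_conversion_rate(alerts):
    """Alerts that resulted in a SAR divided by total alerts reviewed."""
    reviewed = [a for a in alerts if a["disposition"] is not None]
    if not reviewed:
        return 0.0
    converted = sum(1 for a in reviewed if a["sar_filed"] is not None)
    return converted / len(reviewed)


def avg_alert_to_sar_days(alerts):
    """Mean days from alert generation to SAR filing, over filed SARs only."""
    gaps = [(a["sar_filed"] - a["alert_date"]).days for a in alerts if a["sar_filed"]]
    return mean(gaps) if gaps else 0.0


def sars_by_quarter(alerts):
    """SAR counts keyed by 'YYYY-Qn' of the filing date."""
    counts = defaultdict(int)
    for a in alerts:
        if a["sar_filed"]:
            quarter = (a["sar_filed"].month - 1) // 3 + 1
            counts[f"{a['sar_filed'].year}-Q{quarter}"] += 1
    return dict(counts)


def late_sar_filings(alerts, deadline_days=SAR_DEADLINE_DAYS):
    """IDs of alerts whose SAR was filed more than deadline_days after the alert date."""
    return [a["id"] for a in alerts
            if a["sar_filed"] and (a["sar_filed"] - a["alert_date"]).days > deadline_days]


def metrics_report(alerts):
    """Bundle the examiner-facing metrics into one dictionary."""
    return {
        "alert_volume": alert_volume_by_rule(alerts),
        "sar_conversion_rate": sar_conversion_rate(alerts),
        "avg_alert_to_sar_days": avg_alert_to_sar_days(alerts),
        "sars_by_quarter": sars_by_quarter(alerts),
        "late_sar_filings": late_sar_filings(alerts),
    }


if __name__ == "__main__":
    for name, value in metrics_report(ALERTS).items():
        print(f"{name}: {value}")
```

Run it as-is to see the report on the sample data; swap `ALERTS` for an export from your case-management system to produce the real figures. Keeping each metric in its own function makes it easy to rerun the same calculation each quarter and to show an examiner exactly how a number was derived.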
During the Examination
- Designate a single point of contact. This is typically the BSA Officer. All examiner requests should flow through this person to ensure consistent, controlled information sharing.
- Respond promptly. Set a 24-hour SLA for examiner document requests. Delays signal disorganization — or worse, evasion.
- Be honest. If you don't have something, say so. If there's a known gap, explain what you're doing to address it. Attempting to hide deficiencies is exponentially worse than disclosing them.
- Take notes. Document every question the examiner asks and every document they request. This gives you a roadmap for improving your program and preparing for the next examination.
- Don't volunteer information that wasn't asked for. Answer questions completely and accurately, but don't introduce unrelated topics. Stay focused on what's being asked.
Common Examination Deficiencies
Based on published regulatory findings, the most frequently cited deficiencies include:
- Outdated risk assessment: The risk assessment doesn't reflect current products, customer types, or geographic risk
- Inadequate independent testing: The audit scope was too narrow, didn't include transaction testing, or was conducted by someone who isn't truly independent
- SAR filing delays: SARs filed beyond the 30-day window, or continuing activity SARs not filed every 90 days
- Insufficient CDD: No process for updating customer information, or no enhanced due diligence applied to high-risk customers
- Training gaps: New employees not trained within a reasonable period (30 days), or training that doesn't cover role-specific BSA responsibilities
- Monitoring system not validated: No evidence that the transaction monitoring rules are effective at detecting suspicious activity
- Weak board oversight: No evidence that the board or senior management is informed about BSA/AML program status and risks
Post-Examination
- Review the examination findings with your team within 1 week of receiving them
- Create a remediation plan with specific action items, owners, and deadlines for each finding
- Track remediation to completion — examiners will check on prior findings during the next examination
- Use the examination as an opportunity to request additional compliance resources from management or the board
Audit Preparation Quick Checklist
- Self-assessment against FFIEC manual completed
- All policies and procedures current (reviewed within 12 months)
- Risk assessment current and comprehensive
- BSA Officer designation documented with board approval
- Training records complete for all employees
- SAR and CTR filing logs complete with supporting documentation
- Transaction monitoring rule documentation and tuning records available
- Model validation report (if applicable) available
- Independent audit report and remediation tracking available
- Key metrics compiled and ready for presentation
- Customer file samples pulled and reviewed for completeness
- Board minutes demonstrating BSA/AML oversight compiled
Practical Tip: Conduct a mock examination 6 months after your program goes live. Hire an external BSA consultant ($10,000-$25,000) to play the examiner role. They'll find issues you've overlooked because you're too close to the program. Fix those issues before the real examination. The ROI on a mock exam is enormous — it's far cheaper to fix a problem proactively than to remediate it under a consent order.