Most compliance teams know they are supposed to have one, and most boards have signed off on one, but ask five people what an independent AML audit actually covers and you will often get five different answers. Some picture a file review. Some picture a policy check. Some assume it is whatever the regulator asked about last time. The reality is more structured than any of those, and understanding it is the difference between an audit that reassures a board on paper and one that genuinely tells you whether your financial crime controls work.
In my experience the confusion usually starts with the word independent. An independent AML audit is not the second line marking its own homework, and it is not an external file-quality review dressed up as assurance. It is the third line of defence forming an objective opinion on whether the whole anti-money laundering and counter-terrorist-financing framework is designed properly and operating as intended. That distinction shapes everything else, so it is worth being precise about it.
The three lines, and why the third one is different
The three-lines model is simple to state and easy to blur in practice. The first line owns and runs the controls day to day: the relationship managers who onboard customers, the analysts who clear alerts, the operations teams who screen payments. The second line sets the policy, owns the risk framework, and challenges and oversees the first line: this is the compliance and MLRO function. The third line of defence, independent audit, does something neither of the others can do for itself. It provides assurance to the board, free of any responsibility for designing or operating the controls it is examining.
That independence is the entire point. The second line cannot objectively assure the board that the second line is effective, because it would be assessing its own work. An independent AML audit reports to the audit committee, not to the head of compliance, and it can tell the board things the business would rather not hear. The same test applies when the function is outsourced: an external reviewer engaged and managed by compliance is a second-line review, however it is labelled; the engagement has to be commissioned by and report to the audit committee or board for it to count as third-line assurance. When a regulator asks who provides credible challenge over the compliance function, the honest answer should be the third line.
What a framework audit examines
A genuine framework audit is broad by design. It does not pick one process and stop. A properly scoped AML audit covers the full control environment and, just as importantly, how the pieces connect. The core domains are reasonably stable across firms:
- Governance and accountability: is there a named, empowered MLRO, clear board oversight, adequate resourcing, and a working management-information flow that lets senior people actually see risk?
- The business-wide risk assessment: is it complete, current, and genuinely linked to the controls that follow? In the Netherlands this is the SIRA, the systematic integrity risk analysis, and DNB expects it to be the foundation everything else rests on.
- Customer due diligence: are onboarding, ongoing monitoring, beneficial-ownership identification, and enhanced due diligence applied to the right customers at the right depth?
- Transaction monitoring: does coverage match the risk assessment, are the rules tuned and tested, and does alert handling actually detect what it is meant to?
- Sanctions screening: are name and payment screening configured sensibly, with fuzzy-matching thresholds the firm can defend and explain, and list updates applied promptly after each publication?
- Training and awareness: do the people running the controls understand their obligations, and is training role-specific rather than generic?
- Reporting: are escalations and regulatory reports made correctly and on time? In the Netherlands a particular point of accuracy matters here: under the Wwft, firms report unusual transactions (ongebruikelijke transacties) to FIU-Nederland, not suspicious ones, and the unusual standard is the lower threshold of the two, triggered by objective and subjective indicators rather than by a formed suspicion. That Dutch specificity catches out auditors who import an Anglo framing, and it changes what a sample of non-reported cases should be tested against.
An audit that touches all of these, and tests how they hand off to each other, is auditing the framework. An audit that samples a few files is auditing a process. Both have a place, but only the first answers the board's real question.
Design versus operating effectiveness
This is the distinction that separates useful assurance from box-ticking. Design effectiveness asks whether a control, if it operated exactly as written, would actually mitigate the risk. A policy can be immaculate and still be designed to catch the wrong thing. Operating effectiveness asks a different question: does the control work consistently in practice, on real cases, over a period of time?
You need both, and the order matters. There is no point testing whether a poorly designed control operates consistently, because consistency in doing the wrong thing is not a comfort. Equally, a beautifully designed control that fails three times in a sample of twenty is not effective, however good it looks on paper. A common failure I see is an audit that confirms a policy exists and stops there. That tells the board the firm has paperwork. It does not tell them the controls work. For the same reason, a useful report states what was sampled, how large the sample was and which period it covered, so the board can judge how much weight the conclusion will bear.
How findings map to the rules
Findings only carry weight if they are anchored to recognised standards rather than the auditor's preferences. A credible independent AML audit maps each conclusion to the framework the firm is actually held to.
- The AMLR (Regulation (EU) 2024/1624) is the single rulebook of directly applicable obligations, with most provisions applying from 10 July 2027. Audit findings on due diligence, beneficial ownership, and the risk assessment increasingly point here.
- AMLD6 (Directive (EU) 2024/1640) sets the supervisory and institutional architecture that member states transpose, including how supervisors expect firms to organise themselves.
- The EBA Guidelines, notably the ML/TF Risk Factors Guidelines (EBA/GL/2021/02) and the Guidelines on compliance management and the role of the AML/CFT compliance officer (EBA/GL/2022/05), translate the rules into supervisory expectations on risk factors, governance, and the role of the compliance function, and they are what national supervisors look to.
- The FATF standards sit underneath all of it as the international benchmark, useful for testing whether a control is principled or merely procedural.
Anchoring findings this way does two things. It tells the business why a gap matters beyond one auditor's opinion, and it gives the board a defensible record if a supervisor later asks the same question.
What good assurance looks like
To a board, genuinely useful assurance is honest about what was tested, clear about what works, and specific about what does not, with findings rated by risk rather than volume. Twenty cosmetic observations are less valuable than three that name a real exposure. To a regulator, credible assurance shows independence, a scope that matches the firm's risk profile, evidence of actual testing rather than restated policy, and management actions that are tracked to closure. The test I apply is simple: could a sceptical supervisor read this report and conclude the firm understands its own weaknesses? If yes, the third line has done its job.
Key takeaways
- An independent AML audit is the third line of defence: it assures the board objectively because it owns none of the controls it examines, unlike the first and second lines.
- A true framework audit spans governance, the business-wide risk assessment (the SIRA in the Netherlands), CDD, transaction monitoring, sanctions screening, training and reporting, and how they connect.
- Assurance requires testing both design effectiveness (would the control work if followed?) and operating effectiveness (does it work consistently on real cases?). Confirming a policy exists is not enough.
- In the Netherlands, firms report unusual transactions to FIU-Nederland, not suspicious ones; auditors importing an Anglo framing get this wrong.
- Credible findings map to the AMLR, AMLD6, the EBA Guidelines and FATF standards, and are rated by risk so a board and a supervisor can see what genuinely matters.