Planning and Work Program for the AML/CFT Auditor: Why They Are Key

FINANCE AND BANKING / by Miguel Gallardo Guerra

One of the elements that most frequently weakens an AML/CFT Audit Report is not the absence of policies or controls, but rather poor audit planning and an insufficient or overly generic work program.

The Guidelines for the preparation of the Audit Report provide that the audit must be supported by appropriate planning and a formal work program, which constitute the methodological basis of the entire review.

Audit planning

Planning is the stage in which the auditor defines how—and with what level of depth—the entity’s AML/CFT system will be assessed. At this stage, the following aspects must be considered, among others:

• The period under review.
  
  
• The applicable regulatory framework, in light of the type of entity and its business model.
  
  
• The identification of the highest-risk areas, processes, and products.
  
  
• The methodological approach to be followed for the review, prioritizing a risk-based approach.
  
  

Proper planning allows the auditor to focus efforts on the critical components of the AML/CFT system, avoiding superficial reviews or reviews misaligned with the entity’s actual risks.

The work program as the backbone of the audit

The work program is the document that translates planning into specific audit procedures. It details the tests, reviews, and verifications the auditor will perform to assess compliance with the applicable provisions.

A robust work program should:

• Be aligned with the entity’s risk analysis.
  
  
• Cover all AML/CFT obligations, with special emphasis on those with the greatest exposure.
  
  
• Clearly define the tests to be performed, the documentation to be reviewed, and the evaluation criteria.
  
  
• Enable traceability between the procedures performed and the findings identified.
  
  

Generic work programs—or those replicated year after year without adjustments to the entity’s risk profile—are often among the main points of observation in supervisory processes.

Relationship to the Audit Report

The content and strength of the Audit Report depend directly on the quality of the planning and the work program. Each conclusion, finding, or recommendation included in the report must be derived from procedures that were defined in advance and actually carried out, rather than from general impressions.

In this regard, the absence of clear planning or a formal work program undermines the technical support of the report and may affect its credibility before the National Banking and Securities Commission.

Conclusion

Planning and the work program are not ancillary documents. They constitute the methodological backbone of an AML/CFT audit and determine the depth, quality, and usefulness of the Audit Report.

A properly planned and executed audit makes it possible to identify real risks, adequately support findings, and anticipate potential regulatory observations—thereby strengthening the entity’s compliance system.