Skip to content
Law Society of Scotland
Search
Find a Solicitor
Contact us
About us
Sign in
Search
Find a Solicitor
Contact us
About us
Sign in
  • For members

    • For members

    • CPD & Training

    • Membership and fees

    • Rules and guidance

    • Regulation and compliance

    • Journal

    • Business support

    • Career growth

    • Member benefits

    • Professional support

    • Lawscot Wellbeing

    • Lawscot Sustainability

  • News and events

    • News and events

    • Law Society news

    • Blogs & opinions

    • CPD & Training

    • Events

  • Qualifying and education

    • Qualifying and education

    • Qualifying as a Scottish solicitor

    • Career support and advice

    • Our work with schools

    • Lawscot Foundation

    • Funding your education

    • Social mobility

  • Research and policy

    • Research and policy

    • Research

    • Influencing the law and policy

    • Equality and diversity

    • Our international work

    • Legal Services Review

    • Meet the Policy team

  • For the public

    • For the public

    • What solicitors can do for you

    • Making a complaint

    • Client protection

    • Find a Solicitor

    • Frequently asked questions

    • Your Scottish solicitor

  • About us

    • About us

    • Contact us

    • Who we are

    • Our strategy, reports and plans

    • Help and advice

    • Our standards

    • Work with us

    • Our logo and branding

    • Equality and diversity

  1. Home
  2. For members
  3. Journal Archive
  4. Issues
  5. September 2020
  6. AML: making the most of your audit

AML: making the most of your audit

Some suggested criteria for carrying out an anti-money laundering audit – which, properly conducted, should enhance a firm’s good governance
14th September 2020 | Ian Wattie

Effective implementation of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on Payer) Regulations 2017 (the “AML Regulations”) requires certain internal controls to be put in place in any regulated organisation, including law firms. One of those controls is a requirement in some cases for an audit function. This article examines the audit function and offers some guidance as to its use.

Regulation 21 states that, where appropriate with regard to the size and nature of its business, a firm must establish an independent audit function with the responsibility “to examine and evaluate the adequacy and effectiveness of the policies, controls and procedures adopted by [it] to comply with the requirements of [the AML Regulations]”.

The audit function may be an external or internal resource; but where it is internal, it must be independent of the team responsible for ensuring compliance with the regulations. The auditor must have the necessary authority to access all relevant materials (policies, client files, internal procedural notes etc), to make recommendations and to monitor compliance.

For some firms, bringing in an external resource to provide challenge to the internal compliance function may be more efficient than the artificiality and cost of creating a second independent internal team.

It would be prudent to record (in a board minute or the like) the deliberations, and associated reasoning, together with all material factors that justify the firm’s response to the requirement for an audit function, including decisions as to how that function is resourced, its duties, and accountability within the firm’s management structure.

Twin objects

Broadly speaking, in the context of the AML Regulations the audit function can be seen as having two objectives:

  • first, to review the infrastructure a firm has put in place – i.e., the policies, controls and procedures (“PCPs”) in response to the regulations (let’s call this the “macro audit”);
  • secondly, to assess how well those PCPs are being implemented in practice (the “micro audit”). Put crudely, it is one thing to have a shiny set of written policy and procedural documents, but they are of little value if they are not being properly adhered to. A firm needs to be able to demonstrate good implementation and compliance.

By now, most firms should have completed – or at least have in hand – a first macro audit of their PCPs, and they should be in the course of implementing any remedial action identified in that audit. The macro audit should be updated periodically, the particular timeframe being dependent on the size and nature of the business.

Any update audit should look at whether the recommendations of previous audits have been implemented; whether any new requirements of the regulatory authority (the Law Society of Scotland or, in England & Wales, the SRA) have been put into effect; whether changes in legislation or best practice (e.g. as a result of any reported cases) have been taken into account; and also whether the firm’s PCPs have been updated to take account of any changes in technology, the firm’s business model or practice areas, which should, in any event, be reflected in an updated AML risk assessment.

For the micro audit, best practice would require a regular review – perhaps on a monthly basis – of a selection of client matter files, to assess whether and how the firm’s PCPs are being implemented. Some larger firms will have an in-house audit function that can fulfil this role. While smaller firms may not be able to sustain that level of permanent resource, they should still consider having micro audits carried out regularly, either by an experienced and senior practitioner in their firm who commands internal respect, or by an external consultant. Micro audits should look at a client file in its entirety, or alternatively adopt a thematic approach with a particular focus on any area that the firm may see as of heightened risk (e.g. source of wealth, proper completion of risk assessments etc).

Positive potential

Overall there are two key points to have in mind. One, it is important that the firm has given proper thought as to the scope of the audit function that is appropriate for the size and nature of its business, taking into account its obligations under the AML Regulations and the degree of exposure it has identified in its AML risk assessment. Separately, there needs to be in place a clear process – e.g. by an upgrade of systems, change of procedures or internal controls, or enhanced training (or maybe a combination of these) – which ensures that the issues identified in any audit are properly and promptly addressed.

The AML audit function should not be regarded as a burden or a tick box exercise. Properly resourced and culturally embedded in the firm with strong support at senior management level, it’s a vital tool to help ensure that potential legal, financial, ethical and reputational traps are avoided.

The Author

Ian Wattie, former managing partner of Burness Paull, is a consultant with a focus on AML compliance. This article reproduces a blog by the author

Share this article
Add To Favorites
https://lawware.co.uk/

Regulars

  • People on the move: September 2020
  • Book reviews: September 2020
  • Reading for pleasure: September 2020

Perspectives

  • Opinion: Laura Hutchison and Sharon Cowan
  • President's column: September 2020
  • Editorial: September 2020
  • Letters: September 2020
  • Profile: Stuart Munro

Features

  • Soft skills for a harder world
  • A specialism of many angles
  • EOTs: the post-COVID succession solution?
  • Fair sharing in a financial storm
  • Ogden 8: shifting the balance

Briefings

  • Civil court briefing: Lessons from a video proof
  • Corporate briefing: Business support: going our own way
  • IP briefing: China – a friendlier place for IP rights?
  • Agriculture briefing: Was there a croft here?
  • Scottish Solicitors' Discipline Tribunal
  • Planning obligations: seeking better practice
  • Construction briefing: Rough justice, smoother delivery

In practice

  • SARs: where do they end up?
  • Full circle: the way ahead
  • Ask Ash: September 2020
  • The billable hour: some fairy tales
  • AML: making the most of your audit
  • COP26: working in support
  • Corporate and commercial risks: communication
  • The Word of Gold: Keeping the dream alive

Online exclusive

  • Proof of the pudding
  • Looking after remote workers: an employer's duties
  • Criminal injuries compensation: the changing scene
  • Tradecraft: keeping the client happy
  • Child maintenance: the balance of care

In this issue

  • Denovo joins forces with Amiqus
  • How Scottish firms can remain competitive in a pandemic

Recent Issues

Dec 2023
Nov 2023
Oct 2023
Sept 2023
Search the archive

Additional

Law Society of Scotland
Atria One, 144 Morrison Street
Edinburgh
EH3 8EX
If you’re looking for a solicitor, visit FindaSolicitor.scot
T: +44(0) 131 226 7411
E: lawscot@lawscot.org.uk
About us
  • Contact us
  • Who we are
  • Strategy reports plans
  • Help and advice
  • Our standards
  • Work with us
Useful links
  • Find a Solicitor
  • Sign in
  • CPD & Training
  • Rules and guidance
  • Website terms and conditions
Law Society of Scotland | © 2025
Made by Gecko Agency Limited