Early Christmas Present from the SRA - Our Experience of an Office-Based AML Audit

We received notification shortly before Christmas that the SRA intended to carry out an office-based AML audit. While the timing was not ideal given the volume of work in the run-up to the festive period, there was no cause for concern. Our approach to compliance is based on the assumption that an inspection could take place at any time, and our systems and documentation are maintained on that basis.

Indeed, this was the second occasion on which we have taken part in an SRA office-based AML audit. For a conveyancing firm, this is not unusual. Residential property work continues to be a key focus for the regulator, and firms operating in this sector should expect periodic scrutiny of their anti-money laundering arrangements.

The SRA provided a list of documents and information to be supplied within 14 days. This did not present any difficulty, as the requested material was readily available and up to date.

Shortly after notification, we were contacted by the appointed auditor, who telephoned to introduce himself. The call was professional and helpful. The auditor explained the audit process, outlined areas of focus, and gave us the opportunity to ask questions. A few days before Christmas, once the documentation had been submitted, we spoke again to agree a date for the audit.

Pre-Audit Preparation and Practical Steps

Before submitting documentation, it is advisable to carry out a thorough internal review. There is nothing to prevent a firm from identifying weaknesses or omissions and proactively bringing these to the auditor’s attention, together with details of the remedial steps already taken. A transparent approach helps frame the audit constructively.

Preparation should begin as soon as notice is received. Staff should be informed that an audit is taking place, and consideration should be given to whether AML training requires refreshing. This may include topping up existing training or arranging a formal refresher session.

Although the SRA has moved away from its previous practice of routinely interviewing staff members other than the MLRO, this position could change. Ensuring staff remain familiar with AML obligations and are prepared for the audit is therefore a sensible precaution.

File Selection and Pre-Audit Review

Approximately one week before the audit, we received a list of eight to ten files selected from an open and closed matter list we had previously provided. These were the files the auditor intended to review on the day.

Once the file list is received, an immediate review of the AML work on those matters should be undertaken. Any deficiencies identified should be noted and prepared for discussion during the audit. Demonstrating awareness of issues and active management of compliance risk is far preferable to issues being identified for the first time by the auditor.

Where AML checks and risk assessments are recorded on a case management system (as in our case), relevant pages and supporting documentation should be printed and collated into a clearly organised file. The aim is to make the auditor’s review as efficient and straightforward as possible.

Firms should also ensure that their SAR register is readily available, as auditors will usually wish to select and review a sample of SARs during the audit.

The Audit Day

On the day of the audit, all documentation should be readily accessible, and the MLRO should be fully prepared to answer detailed questions regarding the firm’s AML policies, controls, procedures, and firm-wide risk assessment.  This is not a quiz and the auditor is not there to trick you with his questions. 

The auditor arrived at our office at 9.30am, introduced himself, and outlined the plan for the day. We had originally been advised to expect a three-hour interview with the MLRO, followed by file reviews in the afternoon, with an anticipated finish time of around 4.30pm. We prepared on that basis.

In practice, the meeting with the MLRO lasted approximately one hour. The auditor then reviewed the selected files, conducted a short debrief, and left the office before lunchtime. We consider that the efficiency of the process reflected the fact that the firm was well prepared and that the required information and documentation were readily available.

A key focus of the audit was ensuring that client and matter risk assessments were not treated as a tick-box exercise. Particular attention was given to whether the rationale for risk assessments had been clearly recorded and whether files evidenced not only source of funds but also source of wealth, where appropriate.

The Value of an External Review

One factor that significantly assisted our preparedness was that, prior to receiving notice of the SRA audit, we had undertaken an external Regulation 21 review. For firms that have not had such a review within the last 12 months, this is strongly recommended.

The review was extremely helpful in identifying gaps in our policies, controls, and procedures and effectively acted as a dry run for the SRA audit. It provided reassurance where systems were working well and highlighted areas requiring improvement.

When commissioning an external review, it is important to ensure independence. The reviewing firm should not be the same provider that assisted with drafting your PCPs, as this may weaken the perceived independence and robustness of the assessment.

Overall Reflections

Having been through an office-based AML audit on two occasions, we found this experience to be proportionate, well-run, and entirely manageable with the right level of preparation. We were unable to fault the auditor’s approach, which was informative, professional, and constructive throughout.

For conveyancing firms in particular, this type of regulatory engagement should be expected. With robust systems, regular training, and a proactive compliance culture, an SRA AML audit does not need to be a stressful experience.

Our Top 10 Audit Readiness Tips

1. Assume an audit could happen at any time
   Build audit readiness into day-to-day compliance rather than treating it as a reactive exercise.
2. Ensure consistency across AML documentation
   Firm-wide risk assessments, AML policies, matter risk assessments, and file evidence should align.
3. Avoid tick-box risk assessments
   Clearly document the rationale behind client and matter risk ratings.
4. Evidence both source of funds and source of wealth
   This remains a key regulatory focus for conveyancing practices.
5. Check timing and sequencing of AML checks
   Ensure checks were completed at the correct stage of the transaction and not retrospectively.
6. Document supervision and escalation
   Particularly on higher-risk matters, ensure there is clear evidence of review and MLRO involvement.
7. Prepare files for easy review
   Collate AML documentation clearly to make the auditor’s task straightforward.
8. Keep training records up to date
   Maintain clear evidence of AML training, attendance, and refresher activity.
9. Maintain a complete and accessible SAR register
   Auditors will often select a sample for review on the day.
10. Use external reviews strategically and independently
    A recent Regulation 21 review can significantly improve audit readiness, provided it is genuinely independent.