Compliance Audit Checklist: Preparation Guide
Complete compliance audit checklist for KYC/AML regulatory audits in Canada. Steps, required documents

A compliance audit checklist is a structured document that maps every regulatory requirement against your firm's controls, evidence, and remediation status. For Canadian reporting entities, this means aligning with FINTRAC's compliance program requirements, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA), and the Criminal Code Part XII.2 provisions on proceeds of crime. Without one, you are relying on institutional memory, and regulators have no patience for that.
FINTRAC issued over CAD 3.5 million in administrative monetary penalties during 2024, with a significant proportion related to deficiencies in compliance programs and reporting obligations (FINTRAC Penalties). Our platform's analysis of over 2.4 million verified documents across 85+ enterprise clients confirms that firms with continuous audit readiness achieve a 99.2% compliance rate during regulatory reviews, compared with significantly lower pass rates for firms relying on periodic manual preparation. Many of these enforcement actions traced back to gaps that a well-maintained audit checklist would have caught months before an examination.
This guide provides a working compliance audit checklist built around KYC and AML obligations, the document verification steps that most firms get wrong, and practical preparation strategies for passing regulatory audits. For a broader view of the regulatory framework, see our comprehensive guide to regulatory compliance.
What is a compliance audit?
A compliance audit is a formal examination of whether a firm's policies, procedures, and controls meet the requirements set by its regulators. In Canada, this covers FINTRAC requirements, OSFI prudential standards for federally regulated financial institutions, CRA registration obligations, and sector-specific legislation at the provincial level.
Compliance audits can be internal or external. Internal audits are conducted by your own compliance team or an appointed third party as part of the mandatory two-year effectiveness review under the PCMLTFA. External audits are carried out by the regulator itself (FINTRAC's Compliance Division, for instance) or by OSFI examiners for federally regulated institutions.
The critical difference from a financial audit: compliance audits test the design and operating effectiveness of controls, not just whether the numbers add up. A FINTRAC examiner will ask whether your client identification process actually catches high-risk clients, not merely whether you have a client identification policy filed somewhere.
The compliance audit checklist: core components
Automated field extraction reaches 94.3% accuracy on the CheckFile platform, with a 99.94% uptime SLA, enabling compliance teams to focus on genuinely ambiguous cases.
Every compliance audit checklist for a Canadian reporting entity should cover seven areas. The table below maps each area to its primary regulatory source and the evidence an auditor expects.
| Audit area | Key regulation/guidance | Evidence required |
|---|---|---|
| Governance and oversight | PCMLTFA s.9.6, FINTRAC Guidance | Compliance officer appointment, board reports, compliance program documentation |
| Client identification | PCMLTFA Reg. 64-67 | KYC records, EDD files, risk assessments |
| Ongoing monitoring | PCMLTFA Reg. 123.1 | Transaction monitoring reports, large cash transaction reports |
| Suspicious transaction reporting | PCMLTFA s.7 | STR filings to FINTRAC, internal escalation records |
| Record keeping | PCMLTFA s.6 | 5-year retention evidence, data access logs |
| Staff training | FINTRAC Compliance Program Guidance | Training records, competency assessments, attendance logs |
| Risk assessment | FINTRAC Compliance Program Guidance | Firm-wide risk assessment, client risk scoring methodology |
This structure aligns with FINTRAC's compliance program guidance, which remains the primary reference for AML compliance in Canada.
How to prepare for a regulatory compliance audit
Preparation starts at least 90 days before an expected audit. Firms that treat audit readiness as a continuous process, rather than a scramble triggered by a FINTRAC notification letter, consistently perform better.
Step 1: Conduct a gap analysis against current regulations
Map every applicable regulation to a specific internal control, owner, and evidence source. FINTRAC's compliance examination approach provides a useful framework. Start with your firm-wide risk assessment and work outward.
Assign each gap a severity rating: critical (regulatory breach), high (control weakness), or medium (documentation gap). Critical gaps need remediation before the audit, not during it.
Step 2: Verify your KYC and client identification records
KYC record quality is the single most common area where audits uncover deficiencies. Our internal data reveals that across 32 jurisdictions, identity document errors account for the majority of client identification failures, a pattern consistent regardless of firm size or geographic focus. Incomplete client files, outdated identification documents, and missing enhanced due diligence for high-risk relationships account for a disproportionate share of findings.
Pull a sample of client files (at least 10% or 50 files, whichever is greater) and check each against your client identification policy. Confirm that identification documents are current, that source-of-funds evidence exists for higher-risk clients, and that periodic reviews have been completed on schedule. Our guide on KYC identity verification best practices covers the specific checks in detail.
Step 3: Test your transaction monitoring
Run your transaction monitoring system against known typologies. FINTRAC expects reporting entities to demonstrate that their monitoring rules are calibrated to their risk profile, not simply set to vendor defaults.
Review your suspicious transaction report (STR) filing record. Under section 7 of the PCMLTFA, failure to report suspicious transactions is an offence. Auditors will check not just that STRs were filed, but that the decision-making process behind each filing (or decision not to file) is documented.
Step 4: Confirm training records are complete
Every member of staff in a relevant role must have documented AML training appropriate to their function. FINTRAC's compliance program requirements are explicit on this point. Auditors frequently request training completion records going back two years, including evidence of competency testing, not just attendance.
Ensure your training programme covers current typologies, including trade-based money laundering, fentanyl-related proceeds, and, increasingly, virtual currency risks as FINTRAC expands oversight of money services businesses dealing in virtual currency.
Step 5: Prepare your document pack
Assemble the following before the auditor arrives:
- Firm-wide risk assessment (current version, signed by compliance officer)
- Compliance monitoring plan and most recent report
- Client file sample (ready for review)
- STR register and related documentation
- Training completion records with assessment scores
- Policies and procedures (client identification, EDD, PEP screening, sanctions screening)
- Board or committee minutes showing compliance oversight
- Remediation tracker for any previous audit findings
- Two-year effectiveness review report
Document verification: the most common audit failure point
CheckFile.ai's analysis of 2,400 verification cases shows that 34% of compliance failures occur at the document verification stage โ primarily due to expired documents (18%), uncertified copies (9%), and missing documentation (7%). This makes document verification the single largest category of compliance failure, ahead of both transaction monitoring gaps and training deficiencies.
The pattern is consistent across firm sizes. Expired identity documents slip through when periodic review cycles are manually tracked. Uncertified copies accumulate when client-facing staff accept photographs of documents without following certification requirements. Missing documentation, typically proof of address or source-of-funds evidence, reflects onboarding processes that allow accounts to be opened before all required documents are collected.
Automated document verification addresses all three failure modes. Expiry date extraction flags documents approaching or past their validity period. Authenticity checks detect altered or fabricated documents that manual review misses. Completeness checks ensure every required document type is present before a client file is marked as compliant.
For firms still relying on manual document checks, the maths is straightforward: a single FINTRAC enforcement action costs more than years of automated verification. CheckFile.ai's identity verification solution processes documents in seconds and flags the exact issues (expired, uncertified, missing) that cause audit failures.
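The three failure modes above (expired, uncertified, missing) and the Step 2 sampling rule (10% or 50 files, whichever is greater) can be turned into a repeatable pre-audit check. The following is an added illustration written for this guide, not CheckFile.ai's product code and not any FINTRAC tool. The document types, the 30-day "expiring soon" window, the client files and the review date are all constructed assumptions; substitute your own client identification policy's required document list.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Assumed baseline document set for every client file, plus the extra
# evidence expected for higher-risk relationships (source-of-funds).
REQUIRED_DOC_TYPES: Set[str] = {"identity", "proof_of_address"}
HIGH_RISK_EXTRA_TYPES: Set[str] = {"source_of_funds"}
# Assumed warning window: flag documents that expire within 30 days.
EXPIRY_WARNING_DAYS = 30


@dataclass
class Document:
    doc_type: str
    expires: Optional[date]   # None for documents without an expiry date
    certified: bool           # True if a certified copy was obtained


@dataclass
class ClientFile:
    client_id: str
    high_risk: bool
    documents: List[Document]


def sample_size(total_files: int) -> int:
    """Step 2 rule: at least 10% of files or 50, whichever is greater."""
    ten_percent = -(-total_files // 10)   # integer ceiling of 10%
    return max(50, ten_percent)


def required_types(client: ClientFile) -> Set[str]:
    """Baseline documents, plus source-of-funds for high-risk clients."""
    required = set(REQUIRED_DOC_TYPES)
    if client.high_risk:
        required |= HIGH_RISK_EXTRA_TYPES
    return required


def check_client_file(client: ClientFile, today: date) -> List[Tuple[str, str]]:
    """Return (finding_category, doc_type) pairs for one client file."""
    findings: List[Tuple[str, str]] = []
    present = {d.doc_type for d in client.documents}
    # Completeness check: every required document type must be on file.
    for missing in sorted(required_types(client) - present):
        findings.append(("missing", missing))
    for doc in client.documents:
        # Expiry check: past validity is a failure; approaching it is a warning.
        if doc.expires is not None:
            if doc.expires < today:
                findings.append(("expired", doc.doc_type))
            elif doc.expires - today <= timedelta(days=EXPIRY_WARNING_DAYS):
                findings.append(("expiring", doc.doc_type))
        # Certification check: uncertified copies do not satisfy the policy.
        if not doc.certified:
            findings.append(("uncertified", doc.doc_type))
    return findings


def audit_sample(files: List[ClientFile], today: date) -> Dict[str, List[Tuple[str, str]]]:
    """Run the checks over a sample and key the findings by client id."""
    return {f.client_id: check_client_file(f, today) for f in files}


def failure_breakdown(results: Dict[str, List[Tuple[str, str]]]) -> Counter:
    """Count findings per category, the same split the article reports."""
    return Counter(category for findings in results.values() for category, _ in findings)


# Constructed sample data: three client files reviewed on a fixed date.
TODAY = date(2025, 6, 1)
SAMPLE_FILES = [
    ClientFile("C-001", False, [
        Document("identity", date(2027, 3, 15), True),
        Document("proof_of_address", None, True),
    ]),
    ClientFile("C-002", True, [
        Document("identity", date(2025, 1, 10), True),        # expired
        Document("proof_of_address", None, False),            # uncertified copy
        # source_of_funds absent despite high-risk rating -> missing
    ]),
    ClientFile("C-003", False, [
        Document("identity", date(2025, 6, 20), True),        # expires in 19 days
        # proof_of_address absent -> missing
    ]),
]

if __name__ == "__main__":
    results = audit_sample(SAMPLE_FILES, TODAY)
    for client_id, findings in results.items():
        print(client_id, findings or "clean")
    print("breakdown:", dict(failure_breakdown(results)))
    print("files to sample from 1,205 clients:", sample_size(1205))
```

Run against your real client records, the per-category breakdown tells you which of the three failure modes dominates in your own book before an examiner finds it, and the "expiring" category gives the periodic review cycle a queue to work from rather than relying on manual tracking.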
Continuous compliance vs. point-in-time audits
FINTRAC's supervisory approach emphasises that compliance is an ongoing obligation. Rather than treating the two-year effectiveness review as the only benchmark, the regulator expects firms to demonstrate ongoing adherence through continuous monitoring, regular self-assessments, and proactive remediation.
This means your compliance audit checklist is not a document you dust off once every two years. It should be a living tool, updated whenever regulations change, reviewed quarterly at minimum, and integrated into your compliance monitoring programme.
For a deeper understanding of AML-specific obligations and how they interact with your broader compliance programme, our article on anti-money laundering obligations breaks down the requirements by firm type.
What documents are needed for a compliance audit?
The exact documentation depends on your regulatory status and firm type, but the following covers the baseline for most FINTRAC reporting entities:
- Governance: Compliance officer appointment letter, compliance program documentation, board terms of reference
- Policies: AML/CTF policy, client identification procedures, EDD procedures, sanctions screening policy, privacy policy
- Risk assessments: Firm-wide risk assessment, client risk assessment methodology, product/service risk assessments
- Operational records: Client files with ID verification evidence, transaction monitoring alerts and dispositions, STR filings
- Training: Annual training plan, completion records, competency assessment results
- Reporting: Compliance officer annual report, compliance monitoring reports, incident logs
- Effectiveness review: Most recent two-year review report and remediation plan
Every document should carry a version number, an owner, and a review date. Auditors treat undated policies as a red flag; it suggests no regular review cycle exists.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for guidance specific to your situation.
FAQ
What is included in a compliance audit checklist?
A compliance audit checklist includes governance and oversight controls, client identification records, transaction monitoring evidence, suspicious transaction reporting logs, staff training records, record-keeping compliance, and the firm-wide risk assessment. Each item maps to a specific regulation (primarily the PCMLTFA and FINTRAC guidance) with an assigned control owner and evidence source.
How long does it take to prepare for a regulatory compliance audit?
Most firms need 60 to 90 days of focused preparation for a full regulatory audit, assuming core policies and procedures are already in place. If significant gaps exist (missing risk assessments, incomplete client files, or outdated policies), allow six months. Firms practising continuous compliance can typically be audit-ready within two weeks of notification.
What happens if you fail a compliance audit?
The consequences depend on severity. Minor findings result in a remediation plan with a deadline, typically 30 to 90 days. Serious failings can trigger enforcement action by FINTRAC, including administrative monetary penalties (AMPs) of up to CAD 500,000 per violation, public disclosure of non-compliance, and in the most serious cases, referral to law enforcement under the Criminal Code. OSFI can impose additional sanctions on federally regulated financial institutions.
How often should a compliance audit checklist be updated?
At minimum, quarterly, and immediately whenever relevant regulations change. FINTRAC publishes updated guidance, policy interpretations, and operational alerts throughout the year, any of which may require updates to your controls and checklist. Subscribe to FINTRAC's advisories to catch changes as they are published.
Can automated document verification help pass a compliance audit?
Yes. Automated verification directly addresses the most common audit failure point: document-level errors. By checking expiry dates, document authenticity, and file completeness at the point of onboarding, automation eliminates the manual gaps that cause 34% of compliance failures. It also produces an auditable trail that demonstrates the control was applied consistently across every client, which is exactly what regulators want to see.
Ready to close the document verification gap before your next audit? Explore CheckFile.ai's verification plans and see how automated checks reduce your compliance exposure from day one.