Compliance Audit Checklist: How to Prepare for Regulatory Audits
Complete compliance audit checklist for KYC/AML regulatory audits. Steps, required documents, and best practices to pass FCA and regulatory inspections.

A compliance audit checklist is a structured document that maps every regulatory requirement against your firm's controls, evidence, and remediation status. For UK-regulated firms, this means aligning with the Financial Conduct Authority's Senior Management Arrangements, Systems and Controls sourcebook (SYSC), the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017, and the Proceeds of Crime Act 2002. Without one, you are relying on institutional memory, and regulators have no patience for that.
The FCA issued £176 million in fines during 2024, with a significant proportion related to anti-money laundering failures. Many of these enforcement actions traced back to gaps that a well-maintained audit checklist would have caught months before an inspection.
This guide provides a working compliance audit checklist built around KYC and AML obligations, the document verification steps that most firms get wrong, and practical preparation strategies for passing regulatory audits. For a broader view of the regulatory framework, see our comprehensive guide to regulatory compliance.
What is a compliance audit?
A compliance audit is a formal examination of whether a firm's policies, procedures, and controls meet the requirements set by its regulators. In the UK, this covers FCA rules, PRA prudential standards, HMRC registration obligations for money service businesses, and sector-specific legislation.
Compliance audits can be internal or external. Internal audits are conducted by your own compliance team or an appointed third party. External audits are carried out by the regulator itself (the FCA's Supervision division, for instance) or by statutory auditors fulfilling obligations under the Companies Act 2006.
The critical difference from a financial audit: compliance audits test the design and operating effectiveness of controls, not just whether the numbers add up. An FCA supervisor will ask whether your customer due diligence process actually catches high-risk customers, not merely whether you have a CDD policy filed somewhere.
The compliance audit checklist: core components
Every compliance audit checklist for a UK-regulated firm should cover seven areas. The table below maps each area to its primary regulatory source and the evidence an auditor expects.
| Audit area | Key regulation/guidance | Evidence required |
|---|---|---|
| Governance and oversight | FCA SYSC 4, 6, 7 | Board minutes, compliance reports, SMCR allocation |
| Customer due diligence (CDD) | MLR 2017 Reg. 28-30 | KYC records, EDD files, risk assessments |
| Ongoing monitoring | MLR 2017 Reg. 35 | Transaction monitoring reports, SAR filings |
| Suspicious activity reporting | POCA 2002 s.330-332 | SAR logs, NCA submissions, internal escalation records |
| Record keeping | MLR 2017 Reg. 40 | 5-year retention evidence, data access logs |
| Staff training | MLR 2017 Reg. 24 | Training records, competency assessments, attendance logs |
| Risk assessment | MLR 2017 Reg. 18 | Firm-wide risk assessment, customer risk scoring methodology |
This structure aligns with the Joint Money Laundering Steering Group (JMLSG) Guidance, which remains the primary industry reference for AML compliance in financial services.
How to prepare for a regulatory compliance audit
Preparation starts at least 90 days before an expected audit. Firms that treat audit readiness as a continuous process, rather than a scramble triggered by an FCA notification letter, consistently perform better.
Step 1: Conduct a gap analysis against current regulations
Map every applicable regulation to a specific internal control, owner, and evidence source. The FCA's Finalised Guidance on financial crime systems and controls (FG 26/1) provides a useful framework. Start with your firm-wide risk assessment under Regulation 18 of the MLR 2017 and work outward.
Assign each gap a severity rating: critical (regulatory breach), high (control weakness), or medium (documentation gap). Critical gaps need remediation before the audit, not during it.
Step 2: Verify your KYC and CDD records
KYC record quality is the single most common area where audits uncover deficiencies. Incomplete customer files, outdated identification documents, and missing enhanced due diligence for high-risk relationships account for a disproportionate share of findings.
Pull a sample of customer files (at least 10% or 50 files, whichever is greater) and check each against your CDD policy. Confirm that identification documents are current, that source-of-funds evidence exists for higher-risk customers, and that periodic reviews have been completed on schedule. Our guide on KYC identity verification best practices covers the specific checks in detail.
Step 3: Test your transaction monitoring
Run your transaction monitoring system against known typologies. The FCA expects firms to demonstrate that their monitoring rules are calibrated to their risk profile, not simply set to vendor defaults.
Review your suspicious activity report (SAR) filing record. Under sections 330-332 of the Proceeds of Crime Act 2002, failure to report suspicious activity is a criminal offence. Auditors will check not just that SARs were filed, but that the decision-making process behind each filing (or decision not to file) is documented.
Step 4: Confirm training records are complete
Every member of staff in a relevant role must have documented AML training appropriate to their function. Regulation 24 of the MLR 2017 is explicit on this point. Auditors frequently request training completion records going back two years, including evidence of competency testing, not just attendance.
Ensure your training programme covers current typologies, including trade-based money laundering, proliferation financing, and, increasingly, crypto-asset risks under the FCA's expanded perimeter.
Step 5: Prepare your document pack
Assemble the following before the auditor arrives:
- Firm-wide risk assessment (current version, signed by MLRO)
- Compliance monitoring plan and most recent report
- Customer file sample (ready for review)
- SAR register and consent request log
- Training completion records with assessment scores
- Policies and procedures (CDD, EDD, PEP screening, sanctions screening)
- Board or committee minutes showing compliance oversight
- Remediation tracker for any previous audit findings
Document verification: the most common audit failure point
CheckFile.ai's analysis of 2,400 verification cases shows that 34% of compliance failures occur at the document verification stage โ primarily due to expired documents (18%), uncertified copies (9%), and missing documentation (7%). This makes document verification the single largest category of compliance failure, ahead of both transaction monitoring gaps and training deficiencies.
The pattern is consistent across firm sizes. Expired identity documents slip through when periodic review cycles are manually tracked. Uncertified copies accumulate when customer-facing staff accept photographs of documents without following certification requirements. Missing documentation, typically proof of address or source-of-funds evidence, reflects onboarding processes that allow accounts to be opened before all required documents are collected.
Automated document verification addresses all three failure modes. Expiry date extraction flags documents approaching or past their validity period. Authenticity checks detect altered or fabricated documents that manual review misses. Completeness checks ensure every required document type is present before a customer file is marked as compliant.
For firms still relying on manual document checks, the maths is straightforward: a single FCA enforcement action costs more than years of automated verification. CheckFile.ai's identity verification solution processes documents in seconds and flags the exact issues (expired, uncertified, missing) that cause audit failures.
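To make the Step 2 file sampling and the three document-level failure modes above concrete, here is an added example (not CheckFile.ai's code or the article's own) of a pre-audit checker that sizes the sample as described and classifies each customer file's defects as expired, uncertified, missing, or review overdue. The required-document sets and review intervals are assumed policy values, not taken from the article.

```python
import math
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed CDD policy parameters (illustrative, not from the article):
# high-risk files also need source-of-funds evidence and a yearly review.
REQUIRED_DOCS = {
    "standard": {"identity", "proof_of_address"},
    "high": {"identity", "proof_of_address", "source_of_funds"},
}
REVIEW_INTERVAL_DAYS = {"standard": 3 * 365, "high": 365}


@dataclass
class Document:
    doc_type: str
    certified: bool
    expires: Optional[date] = None  # None for documents with no expiry


@dataclass
class CustomerFile:
    customer_id: str
    risk_rating: str  # "standard" or "high"
    documents: List[Document]
    last_review: date


def sample_size(total_files: int) -> int:
    """Step 2 sample: at least 10% of files or 50, whichever is greater."""
    return min(total_files, max(math.ceil(0.1 * total_files), 50))


def check_file(f: CustomerFile, today: date) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for one customer file."""
    findings = []
    present = {d.doc_type for d in f.documents}
    for missing in sorted(REQUIRED_DOCS[f.risk_rating] - present):
        findings.append(("missing", missing))
    for d in f.documents:
        if d.expires is not None and d.expires < today:
            findings.append(("expired", d.doc_type))
        if not d.certified:
            findings.append(("uncertified", d.doc_type))
    due = f.last_review + timedelta(days=REVIEW_INTERVAL_DAYS[f.risk_rating])
    if due < today:
        findings.append(("review_overdue", "due " + due.isoformat()))
    return findings


def summarise(files: List[CustomerFile], today: date) -> dict:
    """Count findings per category, the shape a remediation tracker needs."""
    counts: dict = {}
    for f in files:
        for category, _ in check_file(f, today):
            counts[category] = counts.get(category, 0) + 1
    return counts
```

Run it over the sampled files before the auditor does, and carry every non-empty finding into the remediation tracker with an owner and a deadline.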
Continuous compliance vs. point-in-time audits
The FCA's supervisory approach has shifted decisively towards continuous compliance. Rather than annual inspections, the regulator now expects firms to demonstrate ongoing adherence through real-time monitoring, regular self-assessments, and proactive remediation.
This means your compliance audit checklist is not a document you dust off once a year. It should be a living tool, updated whenever regulations change, reviewed quarterly at minimum, and integrated into your compliance monitoring programme.
Firms subject to the Digital Operational Resilience Act (DORA), which applies to UK branches of EU-regulated entities, face additional requirements around ICT risk management and third-party oversight that must be folded into the compliance framework. Similarly, firms deploying AI in their compliance processes should prepare for explainability requirements that regulators are increasingly testing during audits.
For a deeper understanding of AML-specific obligations and how they interact with your broader compliance programme, our article on anti-money laundering obligations breaks down the requirements by firm type.
What documents are needed for a compliance audit?
The exact documentation depends on your regulatory permissions and firm type, but the following covers the baseline for most FCA-authorised firms:
- Governance: SMCR responsibilities map, compliance officer appointment letter, board terms of reference
- Policies: AML/CTF policy, CDD/EDD procedures, sanctions screening policy, data protection policy
- Risk assessments: Firm-wide risk assessment, customer risk assessment methodology, product/service risk assessments
- Operational records: Customer files with ID verification evidence, transaction monitoring alerts and dispositions, SAR filings and consent requests
- Training: Annual training plan, completion records, competency assessment results
- Reporting: MLRO annual report, compliance monitoring reports, incident logs
Every document should carry a version number, an owner, and a review date. Auditors treat undated policies as a red flag: it suggests no regular review cycle exists.
This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for guidance specific to your situation.
FAQ
What is included in a compliance audit checklist?
A compliance audit checklist includes governance and oversight controls, customer due diligence records, transaction monitoring evidence, suspicious activity reporting logs, staff training records, record-keeping compliance, and the firm-wide risk assessment. Each item maps to a specific regulation, primarily the MLR 2017 and FCA SYSC rules, with an assigned control owner and evidence source.
How long does it take to prepare for a regulatory compliance audit?
Most firms need 60 to 90 days of focused preparation for a full regulatory audit, assuming core policies and procedures are already in place. If significant gaps exist (missing risk assessments, incomplete customer files, or outdated policies), allow six months. Firms practising continuous compliance can typically be audit-ready within two weeks of notification.
What happens if you fail a compliance audit?
The consequences depend on severity. Minor findings result in a remediation plan with a deadline, typically 30 to 90 days. Serious failings can trigger enforcement action, including fines, public censure, restrictions on business activities, or requirements for skilled person reviews under section 166 of the Financial Services and Markets Act 2000. In cases involving money laundering regulation breaches, criminal prosecution under the Proceeds of Crime Act 2002 is possible.
How often should a compliance audit checklist be updated?
At minimum, quarterly, and immediately whenever relevant regulations change. The FCA publishes policy statements, finalised guidance, and Dear CEO letters throughout the year, any of which may require updates to your controls and checklist. Subscribe to the FCA's regulatory news feed to catch changes as they are published.
Can automated document verification help pass a compliance audit?
Yes. Automated verification directly addresses the most common audit failure point: document-level errors. By checking expiry dates, document authenticity, and file completeness at the point of onboarding, automation eliminates the manual gaps that cause 34% of compliance failures. It also produces an auditable trail that demonstrates the control was applied consistently across every customer, which is exactly what regulators want to see.
Ready to close the document verification gap before your next audit? Explore CheckFile.ai's verification plans and see how automated checks reduce your compliance exposure from day one.