Historical background of AML and internal audit
The fight against money laundering has evolved significantly over the years. The need to combat illicit financial activities gained prominence in the late 20th century, following major financial crimes that exposed vulnerabilities in banking and financial systems. The establishment of the Financial Action Task Force (FATF) in 1989 marked a turning point in anti-money laundering (AML) efforts, setting global standards to prevent financial crimes.
At the heart of every successful business lies a robust system of risk management, governance, and internal controls. The art of internal audit is to ensure that these critical elements function effectively and reliably. Acting as business coaches, internal auditors meticulously evaluate each component of your business framework, carefully examining critical components to provide assurance that risks are managed and processes operate as intended.
The continued expansion of organisations into new global markets, combined with increasingly complex regulatory environments, has significantly heightened their exposure to regulatory and compliance risks. The internal auditors’ role involves looking well beyond financial risks and considering broader issues such as the organisation’s reputation, sustainable growth, and its impact on the environment – just to mention a few. As money laundering threats are on the rise, regulators increasingly expect organisations to perform comprehensive due diligence and maintain robust oversight. As fraud and compliance risks evolve, regulators demand greater transparency and vigilance. Fraudulent activities and non-compliance expose organisations not only to regulatory scrutiny but also to significant reputational harm.
The International Professional Practices Framework (IPPF) sets out clear expectations regarding the role of internal auditors in assessing anti-fraud measures. Internal auditors must possess adequate knowledge and understanding of fraud risks within the organisation, enabling them to evaluate effectively whether such risks are managed appropriately. Furthermore, under the IPPF, internal auditors are responsible for providing assurance to both the board and management regarding the adequacy, comprehensiveness, and effectiveness of fraud prevention and detection controls. They also have the responsibility to critically evaluate management’s identification and mitigation of fraud risks, particularly focusing on risks relating to management override of controls.
The role of internal auditors has shifted to a more risk-based approach, aligning with AML frameworks. The guidelines issued by the FIAU and MFSA and the EU’s AML Directives further emphasised the need for robust compliance monitoring, reinforcing internal audit’s role in AML compliance. In line with this, the perception and expectations of internal auditors have been slowly shifting from problem-finders to providers of recommendations for remediation. An internal auditor needs to be suitably qualified, possess the necessary knowledge and expertise, and maintain open, meaningful communication with various stakeholders. In doing so, they can provide valuable insights and tailored recommendations, ultimately serving as a trusted advisor to any organisation.
Current role of internal audit in AML compliance
In many organisations, the internal audit function has evolved to take a more proactive approach to AML. Traditionally operating as the “third line of defence” by providing independent assurance once controls are in place, modern internal auditors now often serve as business coaches rather than merely acting as compliance enforcers. This transformation is achieved by:
- Deeply understanding and identifying emerging AML risks that could impact the organisation, thereby highlighting potential vulnerabilities and gaps at an early stage.
- Evaluating the effectiveness of AML policies, controls and procedures and ensuring that AML systems operate as intended.
- Providing tailored, forward-looking, and actionable recommendations aligned with the organisation’s strategic objectives and goals, championing best practices that drive sustainable growth.
- Facilitating open communication by engaging with the risk and compliance teams, the money laundering reporting officer, management, regulators, and other key stakeholders to promote collaboration and knowledge-sharing.
Key responsibilities of internal auditors in AML-related areas include:
- Risk assessment and governance: Conduct independent risk assessments to evaluate an organisation’s exposure to money laundering risks and ensure that AML policies align with regulatory standards and guidance and internal governance standards.
- Process and control testing: Perform regular reviews of KYC and customer due diligence procedures. Identify deficiencies in current policies and processes as well as non-compliance issues, and recommend corrective actions to strengthen internal controls and support the organisation’s strategic goals.
- Transaction monitoring and red flags: Examine suspicious transaction reporting processes, including the identification of suspicious transactions and red flags, escalation procedures, timeliness of filings with regulatory bodies, communication with regulators and remediation actions taken by organisations. Internal auditors also analyse transaction patterns to uncover potential gaps or red flags in the organisation’s detection mechanisms.
- Regulatory compliance checks: Ensure adherence to national and EU AML guidelines and regulations, including FATF guidelines, the FIAU Implementing Procedures and EU AML Directives. The internal auditor is also tasked with assessing the processes in place to ensure ongoing compliance with evolving regulations.
- Training and awareness: Recommend and support regular staff training programs to enhance AML awareness, reporting mechanisms and the overall compliance culture.
- Vendor and third-party due diligence: Review the policies organisations have in place to perform risk profiling of third-party relationships including but not limited to vendors, partners, and correspondent banks. Internal auditors should also review AML clauses and monitoring processes included in service level agreements and contracts and verify whether these are appropriate.
- Reporting and escalation: Immediately communicate critical AML findings to senior management or key personnel, enabling timely remediation and mitigating any further potential risks which may arise, rather than waiting until the final stages of the audit to communicate and address significant AML concerns.
- Analyse what is not captured by the first and second lines of defence: Internal auditors should proactively identify gaps or control weaknesses in AML frameworks by independently reviewing areas that may not be adequately covered and monitored by the first and second lines of defence. This includes critically considering key questions such as “Is there something important being overlooked, or perhaps intentionally left undisclosed by the first and second lines?”
Enhancing the role of internal audit in AML for the future
As financial crimes become more sophisticated, the role of internal audit in AML must adapt and innovate. The following are some pivotal AML and financial crime compliance trends that are expected to influence the landscape in the years ahead.
- Advanced AI-driven AML solutions: By integrating artificial intelligence (AI) and machine learning into AML frameworks, organisations can enhance AML monitoring by detecting complex money laundering patterns more efficiently, reduce false positives, and enable real-time monitoring, ultimately enhancing the efficiency and accuracy of identifying suspicious activities and unusual patterns.
- Regulatory technology adoption: Leveraging RegTech solutions to automate compliance checks, enhance transparency and improve audit efficiency and traceability.
- Enhanced beneficial ownership and KYC requirements: Financial institutions, in particular, will face increased pressure from more stringent KYC and AML obligations related to identifying and reporting ultimate beneficial owners (UBOs). Key frameworks, such as the EU’s 6th AML Directive, will serve as pivotal regulatory drivers in this evolution. Furthermore, the EU’s AML package and FATF recommendations are laying the foundation for global collaboration on KYC and UBO transparency. An increase in the sharing of UBO data across jurisdictions is anticipated, driven by more stringent regulatory requirements and the growing threat of cross-border financial crimes.
- Enhanced regulations on cryptocurrency, digital assets and cybersecurity: As cryptocurrency usage expands and illicit digital asset transactions rise, stronger AML regulations and oversight will become essential. Financial institutions must adapt to evolving regulatory frameworks targeting crypto exchanges, wallet providers and decentralised finance platforms, while simultaneously integrating cybersecurity with AML functions to combat increasing financial crime and digital threats, including cybercrime and ransomware attacks.
- Proactive detection of suspicious activity: A key trend in AML compliance is the move toward proactive, rather than reactive, identification of suspicious transactions. Traditionally, AML controls focused heavily on historical data; however, modern internal audit and compliance teams increasingly rely on AI and predictive analytics. Leveraging extensive data – including transaction patterns, customer behavioural analytics, and external market indicators – AI-powered predictive tools are becoming commonplace. By 2025, predictive analytics is expected to be an integral component of most transaction monitoring platforms, enhancing accuracy, significantly reducing false alerts, and enabling earlier identification of potentially suspicious transactions.
- Leveraging AI for real-time AML monitoring and rapid response: AI-driven real-time transaction monitoring is transforming AML processes by enabling instantaneous detection of suspicious activities and providing immediate, actionable recommendations – including transaction blocking, investigation initiation or account freezing – thereby significantly enhancing decision-making speed, accuracy, and overall effectiveness in combating financial crime.
Challenges faced by internal auditors in strengthening AML controls
Several institutions, such as the FATF and the Institute of Internal Auditors (IIA), underscore the importance of independent and objective internal audit functions in assessing the effectiveness of AML measures. While FATF recommendations and the Global Internal Audit Standards, 2024, issued by the IIA, do not explicitly state that internal auditors must be independent of the operations they audit or refrain from developing or implementing AML policies and procedures, such independence is a widely recognised best practice to ensure objective evaluations. Involvement in developing or implementing these policies and procedures could impair their independence when auditing these areas. Therefore, to avoid conflicts of interest and ensure unbiased evaluations, internal auditors should refrain from participating in the creation or execution of the policies and procedures they are responsible for auditing.
More specifically, some internal auditors may face pressure from management to overlook or downplay deficiencies in AML/CFT controls. Internal auditors also sometimes do not possess the requisite knowledge and background to identify AML/CFT risks and deficiencies, considering the changes in the regulatory environment. Moreover, internal audit may be adversely affected by a lack of support or trust from senior management. A poorly defined internal audit scope and insufficient audit planning can significantly limit the effectiveness of internal audits in uncovering financial crimes and misconduct. Internal audit plans should not be overly rigid; instead, auditors should treat the audit plan as a dynamic, “live” document – updating it in response to evolving risks, new information, and insights gained during the audit process. Maintaining this flexibility allows the internal audit function to adapt quickly and effectively identify emerging financial crime risks.
Financial crime scandals
Understanding the practical challenges internal auditors face in strengthening AML controls provides essential context for examining how such vulnerabilities can lead to significant AML failures, as evidenced by notable financial crime cases.
According to figures disclosed by Fenergo, the aggregate amount of penalties collected from financial institutions across the globe in 2022 for failure to comply with anti-money laundering obligations was over €4,150,000,000.
Focusing on Malta, financial and non-financial institutions faced over €12.3 million in administrative penalties in 2021 alone.
Conclusion
The role of internal audit in AML is more dynamic than ever, evolving from a compliance checkpoint to a strategic partner in safeguarding AML systems. By leveraging technology, ongoing monitoring, and enhanced collaboration, internal auditors can fortify AML frameworks, ensuring stronger resilience against financial crime in the years to come.
The internal auditor inevitably plays a pivotal role in supporting organisations to build trust with the relevant stakeholders. For such a role to be executed effectively, the internal auditor needs to have a deep understanding of the business and its strategic objectives, allowing them to engage in critical risk and opportunity conversations across the company. Additionally, they must be equipped with adequate resources and expertise to effectively combat money laundering and strengthen the organisation’s AML framework.

Greg Szabo
Director
