SRO audit preparation

An issue you fix before the audit is housekeeping; the same issue found by the auditor is a documented finding you must formally remediate, and a pattern of them can threaten your SRO affiliation. Audit preparation does the SRO’s review before the SRO does: a structured pre-audit that examines the same things, finds the gaps, and closes them while there is time. Then we liaise through the audit itself, so the annual review is a confirmation, not a scramble.

At a glance

Find the gaps before the auditor does.

A pre-audit review, plus liaison through the audit.

  • The audit: SRO’s annual AML review
  • We run: The same review, first
  • Tests: Written vs genuinely operated
  • Output: Prioritised gaps, closed
  • Then: Liaison through the audit

The essentials

What audit preparation is

The annual SRO audit confirms whether a financial intermediary meets its obligations under the framework around the Anti-Money Laundering Act, and material shortcomings become findings the firm must remediate. Audit preparation does that review first: a structured pre-audit that examines the same areas, tests whether the framework is genuinely operated and not just written, and closes the gaps before the auditor finds them. We then liaise through the audit, turning it from a scramble into a confirmation.

Who this is for

  • financial intermediaries with an SRO audit approaching;
  • firms that want to pre-empt findings, not receive them;
  • firms unsure whether their framework will hold up;
  • firms that have had findings and want a clean next audit.

Where it fits

The review tests the risk assessment, the policy framework and the monitoring records the audit examines.

The scope

What the review examines

The pre-audit covers the same areas the SRO will, and tests each for the gap between what is written and what is done.

Pre-audit review areas and what is tested (Switzerland, as of June 2026).

| Area | What the review tests |
| --- | --- |
| Risk assessment | Current, specific, genuinely driving controls |
| Policy framework | Matched to actual practice, consistent |
| Onboarding & monitoring | Records complete, alerts handled and documented |
| Screening & training | Hit clearance documented, training current |

For every area the test is the same: not “does a document exist” but “is the control real and does the record prove it”. That is where auditors find findings, so that is where the pre-audit looks hardest. The output is a prioritised list of gaps, weighted as an auditor would weight them, and a plan to close each before the audit.

How it runs

How preparation runs

Review the framework as an auditor would, close the gaps, then liaise through the audit itself.

  1. Pre-audit review

    Examining the framework against the SRO standard and testing whether each control is genuinely operated.

  2. Prioritise the gaps

    Producing a clear list of what to fix, weighted by how an auditor would treat each gap.

  3. Close before the audit

    Remediating the gaps properly (documents, records and controls) while there is still time.

  4. Liaise through the audit

    Assembling the documentation, responding to questions and managing the exchange with the auditor.

  5. After: Remediate any findings

    Helping close anything the audit does raise, properly and on time, ahead of next year.

Budget

What it costs

Cost depends on the firm’s size and the state of its framework: a firm with sound controls needs a confirmatory review, while one with real gaps needs the remediation work that follows. Liaison through the audit is scoped to its length and complexity.

We scope and quote against the firm’s profile and audit date. Pricing is on request.

What it takes

What makes preparation work

Preparation that turns the audit into a confirmation rests on:

  • running the review against the standard the SRO actually applies;
  • testing whether controls are operated, not just written;
  • starting early enough to remediate properly;
  • closing gaps for real, not papering over them;
  • experienced liaison through the audit itself.

A superficial fix the auditor sees through is worse than the gap

Preparation is not about dressing up the framework for a day. An auditor tests whether controls are real, and a cosmetic fix (a policy updated but not operated, a record back-filled without substance) is exactly the kind of thing experienced auditors catch, and it damages credibility more than the original gap would have. The point of finding gaps early is to have time to close them properly: rebuild the stale risk assessment, fix the alert handling, complete the records. We remediate for real, because the audit rewards substance, not presentation.

Why Goldblum

Preparation: the work behind it

Finding the gaps before the auditor, closing them properly, and liaising through the audit is what makes the annual review manageable. That is the work this firm does.

Before

The auditor’s review, first

A pre-audit that tests the framework the way the SRO will, and surfaces the gaps while there is still time to close them.

Real

Gaps closed properly

Substantive remediation, not the cosmetic fixes an experienced auditor sees straight through: documents, records and controls.

During

Liaison through the audit

Assembling documentation, answering questions and managing the exchange, so the audit runs as an orderly confirmation.

Related

What the audit tests

Foundation

AML risk assessment

The assessment the auditor reads first — current, specific, genuinely driving the controls.

The rulebook

AML policy framework

The framework the audit tests for the match between what is written and what is done.

Run it for me

External AML officer

The officer who runs the framework year-round, making each annual audit straightforward.

FAQ

SRO audit preparation: FAQ

01. What is the SRO audit?
The SRO audit is the annual review a self-regulatory organisation conducts of each affiliated financial intermediary to confirm the firm meets its anti-money-laundering obligations. The SRO, or an auditor it mandates, examines the firm's risk assessment, policies, onboarding and monitoring, screening, training and records, and tests whether the framework is not just written but genuinely operated. The audit ends in a report; material shortcomings become findings the firm must remediate, and serious or repeated ones can threaten the affiliation the firm needs to operate. It is the principal external check on a Swiss intermediary's AML compliance.

02. What is audit preparation?
Audit preparation is doing the SRO's review before the SRO does: a structured pre-audit that examines the same things the auditor will, finds the gaps, and closes them while there is still time. It covers the risk assessment, the policy framework, the onboarding and monitoring records, the screening and the training, and tests them against the standard the SRO applies. The aim is to turn the audit from a scramble into a confirmation: by the time the auditor arrives, the gaps they would have found are already fixed, and the documentation they will ask for is ready. We then liaise through the audit itself.

03. Why prepare instead of just being audited?
Because a finding is more expensive than the gap that caused it. An issue the firm fixes before the audit is housekeeping; the same issue found by the auditor becomes a documented finding the firm must formally remediate, on the record, under a deadline, and a pattern of findings can put the SRO affiliation at risk. Preparation also removes the scramble: instead of assembling records and explaining gaps under audit pressure, the firm walks in ready. The cost of preparing is small against the cost of receiving findings that could have been pre-empted. That is the case for doing the review first.

04. What does the pre-audit review examine?
The same areas the SRO will: the institution-wide risk assessment, the policy framework, the onboarding and KYC records, transaction monitoring and its alert handling, sanctions screening and hit clearance, staff training, and the AML officer function. For each, the review tests not just whether a document exists but whether the control is genuinely operated and the records show it, because that gap, between written and done, is what auditors probe. The review produces a clear list of what to fix, prioritised by how an auditor would weight it, and we close the gaps before the audit.

05. What is the most common reason firms get findings?
The gap between the written framework and actual practice. Firms often have policies that look complete on paper but describe controls they do not fully operate, records that are incomplete, a risk assessment that has gone stale, or hit-clearance and alert handling that is inconsistent or undocumented. The auditor's job is to test whether the framework is real, and these gaps are where it is not. Preparation targets exactly these: it checks that what is written is done, and that the doing is documented, before the auditor checks the same thing.

06. Does Goldblum liaise with the SRO during the audit?
Yes. Beyond the pre-audit review, we support the firm through the audit itself, helping assemble and present the documentation the auditor requests, responding to questions, and managing the exchange so the audit runs smoothly. A well-prepared firm with experienced liaison turns the audit into an orderly confirmation rather than a stressful interrogation. Where findings do arise, we help the firm remediate them properly and on time. The combination of preparing before and liaising during is what makes the annual audit a manageable event rather than a recurring crisis.

07. How far ahead should we prepare?
Far enough that the gaps the review finds can actually be closed before the audit, which, depending on what surfaces, can mean weeks. Closing a documentation gap is quick; rebuilding a stale risk assessment or fixing months of inconsistent alert handling takes longer. The earlier the pre-audit review runs, the more can be remediated calmly rather than in a rush, and the less chance a real gap is left exposed. We scope the timing to what the review is likely to find and to the audit date, so there is room to fix properly.

08. What if the review finds a serious gap?
Then finding it in preparation is exactly the point: far better the firm discovers it than the auditor. A serious gap, such as a stale risk assessment, missing records, or a control that is written but not operated, gets a remediation plan and the time to execute it before the audit. We help the firm close it properly rather than paper over it, because a superficial fix the auditor sees through is worse than the original gap. The value of preparation is that serious issues are caught early, while there is still room to do the remediation right.

09. Who actually carries out the SRO audit?
The self-regulatory organisation the firm is affiliated with is responsible for the audit, and it is conducted either by the SRO's own auditors or by an external audit firm the SRO mandates and accepts for the purpose. Either way the auditor applies the SRO's standard and reports to the SRO, which decides how to treat any findings. The firm does not choose to skip the audit: affiliation requires it, annually. Our preparation and liaison work alongside whoever the SRO sends: we get the firm ready for the review they will run and support the firm through the exchange, regardless of which auditor conducts it.

10. How does this connect to the rest of the AML framework?
Audit preparation tests the whole framework, so it touches everything: the risk assessment, the policy framework, onboarding, monitoring, screening and training. It is most valuable for firms that have those controls in place and want to confirm they will hold up; for firms whose framework has real gaps, the preparation overlaps with building or fixing the underlying controls. Where the firm wants the framework run as well as reviewed, our external AML officer mandate operates it year-round, which makes each annual audit straightforward. We can prepare, liaise, and run.

Want the audit to be a confirmation, not a scramble?

Tell us when your SRO audit is due. A partner runs a pre-audit review, closes the gaps, and liaises through the audit itself.