
Lesson 20 of 25

Auditing SAR/CTR Quality, Timeliness, and Recordkeeping

4 min read · CAMS-Audit

Test SAR and CTR decisioning in both directions (including the no-file population), judge narrative quality and binary timeliness, and confirm records are retained, protected, and retrievable.

The reporting obligations

  • SARs — report suspicious activity to FinCEN
  • CTRs — report cash transactions over $10,000
  • Strict filing deadlines apply to each
  • Audit tests decisioning, quality, and timeliness

Detection only matters if it leads to reporting, so audit tests the institution's filings. Two reports dominate. Suspicious Activity Reports (SARs), filed with FinCEN under 31 CFR 1020.320, report activity the institution knows or suspects involves illicit funds.

Currency Transaction Reports (CTRs), filed under 31 CFR 1010.311, report cash transactions over $10,000. Each carries strict filing deadlines. Audit examines three dimensions: decisioning (was the right call made on whether to file), quality (is the filing complete and useful), and timeliness (was it filed on time).

A program that detects suspicious activity but files late, poorly, or not at all has a control failure at the most consequential point.

Auditing SAR decisioning

  • Test both filed and not-filed decisions
  • Were escalations resolved with sound rationale?
  • Look for activity that should have been a SAR
  • Consistency across similar cases

For SARs, test the decisioning in both directions. Sample cases that resulted in a SAR and confirm the filing was justified. But just as important, sample alerts and investigations that did not result in a SAR, the no-file decisions, and ask whether any should have been filed.

The dangerous error is under-filing: genuinely suspicious activity closed with a thin rationale and no SAR. Check that escalations were resolved with documented, sound reasoning, and that similar cases reach consistent outcomes, because wildly inconsistent decisions suggest the process turns on who happened to review it rather than the facts. The no-file population is where audit adds the most value, since nobody else is checking it.

Quality and timeliness

  • Narratives: clear who, what, when, where, why, how
  • Complete and accurate data fields
  • SAR within 30 days of detection (60 if no suspect)
  • CTR within 15 days; timeliness is testable and binary

Next, quality and timeliness. A SAR's narrative should clearly tell the story, the who, what, when, where, why, and how, so law enforcement can act on it; a vague or boilerplate narrative is a quality finding even when the filing decision was right. Check that data fields are complete and accurate.

Then timeliness, which is refreshingly testable because it's binary. The SAR rule generally requires filing within thirty days of initial detection, extendable to sixty days when no suspect is identified, and CTRs are generally due within fifteen days. You can measure the gap between detection and filing across a sample and find late filings precisely.

Chronic lateness points to capacity or workflow problems worth a systemic finding.
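The timeliness test described above, as an added example that is not part of the original lesson: it ages each sampled filing against the 30/60/15-day windows the lesson states and returns the late items plus a late rate per report type. The record fields, calendar-day counting, and the use of the transaction date as the CTR start date are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date

# Filing windows in days, as stated in the lesson (calendar days assumed).
SAR_DAYS, SAR_NO_SUSPECT_DAYS, CTR_DAYS = 30, 60, 15

def allowed_days(rec):
    """Filing window that applies to one sampled record."""
    if rec["type"] == "CTR":
        return CTR_DAYS
    if rec["type"] == "SAR":
        return SAR_DAYS if rec["suspect_identified"] else SAR_NO_SUSPECT_DAYS
    raise ValueError(f"unknown report type: {rec['type']!r}")

def check_timeliness(sample, as_of):
    """Return (exceptions, late_rate_by_type) for a sample of filings.

    A record with no filing date is aged to `as_of`, so an item still open
    past its deadline is reported rather than dropping out of the test.
    """
    exceptions, totals, late = [], defaultdict(int), defaultdict(int)
    for rec in sample:
        end = rec["filed"] or as_of
        if end < rec["trigger"]:
            raise ValueError(f"{rec['id']}: filed before trigger date")
        elapsed, limit = (end - rec["trigger"]).days, allowed_days(rec)
        totals[rec["type"]] += 1
        if elapsed > limit:  # binary: day `limit` is on time, limit + 1 is late
            late[rec["type"]] += 1
            exceptions.append((rec["id"], elapsed - limit, rec["filed"] is None))
    return exceptions, {t: late[t] / totals[t] for t in totals}

# Constructed sample, not real filings. "trigger" is the detection date for a
# SAR and (assumption) the transaction date for a CTR.
SAMPLE = [
    {"id": "SAR-001", "type": "SAR", "trigger": date(2024, 1, 2), "filed": date(2024, 2, 1), "suspect_identified": True},
    {"id": "SAR-002", "type": "SAR", "trigger": date(2024, 1, 2), "filed": date(2024, 2, 2), "suspect_identified": True},
    {"id": "SAR-003", "type": "SAR", "trigger": date(2024, 1, 2), "filed": date(2024, 2, 20), "suspect_identified": False},
    {"id": "SAR-004", "type": "SAR", "trigger": date(2024, 3, 1), "filed": None, "suspect_identified": True},
    {"id": "CTR-001", "type": "CTR", "trigger": date(2024, 3, 4), "filed": date(2024, 3, 19)},
    {"id": "CTR-002", "type": "CTR", "trigger": date(2024, 3, 4), "filed": date(2024, 3, 21)},
]

if __name__ == "__main__":
    late_items, rates = check_timeliness(SAMPLE, as_of=date(2024, 4, 15))
    for rec_id, days_late, still_open in late_items:
        print(rec_id, f"{days_late} day(s) late", "(unfiled)" if still_open else "")
    print({t: f"{r:.0%}" for t, r in rates.items()})
```

A high late rate for one report type across the sample is the pattern that supports a systemic finding rather than a list of individual exceptions.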

Recordkeeping and retention

  • Retain SARs and supporting documentation (typically 5 years)
  • Keep required records — wires, CDD, monitoring
  • Confidentiality — no tipping-off the subject
  • Retrievable on regulatory request

Finally, recordkeeping and retention, governed by rules including 31 CFR 1010.430. Test that SARs and their supporting documentation are retained for the required period, typically five years, and that other required records (wire-transfer details, CDD documentation, monitoring records) are kept and retrievable. Confirm SAR confidentiality controls: the law prohibits tipping off (disclosing to the subject that a SAR was filed), so audit checks that access is restricted and the prohibition is respected.

And test retrievability, because records that exist but can't be produced on a regulator's request are effectively missing. A program can detect, decide, and file well and still fail here if it can't preserve and produce the evidence.

Continuing activity and SAR program governance

  • Continuing-activity SARs at defined intervals (typically 90 days)
  • Is there a process to review ongoing suspicious activity?
  • Quality-assurance over SAR decisions and narratives
  • Metrics that reveal under-filing or chronic delay

Two governance points round out SAR auditing. First, continuing activity: when suspicious behavior persists after an initial SAR, institutions are generally expected to review the activity and file continuing-activity SARs at defined intervals, commonly every ninety days, so a customer doesn't get one report and then vanish from scrutiny. Audit checks whether a real process exists for this, or whether ongoing suspicious activity quietly drops off the radar after the first filing.

Second, program-level governance: is there quality assurance over SAR decisions and narratives, so the second line catches weak filings before they go out, and does management track the right metrics? Useful metrics include filing timeliness trends, the ratio of alerts to SARs, and re-opened or amended filings, because the wrong trend lines reveal under-filing or chronic delay that individual case reviews might miss. A SAR program that files when prompted but never reviews continuing activity, and never measures its own quality, has a governance gap even if each individual filing looks fine.

Recap and next

  • Test SAR decisioning in both directions — including no-files
  • Quality: clear narratives; timeliness is binary and testable
  • Retain, protect, and be able to retrieve records
  • Next — data integrity, completeness, root-cause analysis

Recapping: audit tests SAR and CTR decisioning, quality, and timeliness, paying special attention to no-file decisions where under-filing hides, to narrative quality that makes a SAR useful, and to filing deadlines that are precisely measurable. Recordkeeping must satisfy retention rules, protect SAR confidentiality against tipping-off, and keep records retrievable on demand. Next, we go underneath all of these systems to the data that feeds them, with data-integrity and completeness testing and the discipline of root-cause analysis.

Take the SAR and CTR practice questions first.

Sources

  • 31 CFR 1020.320 — Suspicious Activity Report filing
  • 31 CFR 1010.311 — Currency Transaction Report filing
  • 31 CFR 1010.430 — recordkeeping and retention
  • FFIEC BSA/AML Examination Manual — SAR/CTR and recordkeeping

Test your knowledge

A few CAMS-Audit questions on this material — pick an answer to see the explanation.

  1. Which of the following BEST describes the primary purpose of the independent testing pillar of the BSA/AML program?

  2. An institution's AML risk assessment was last updated two years ago. Since then, the institution opened a new branch in a FATF-identified high-risk jurisdiction and onboarded 500 politically exposed persons from that region. The risk assessment still shows 'moderate' aggregate risk. An auditor reviewing the assessment should characterize it as:

  3. An audit function uses a dashboard of AML key risk indicators — alert backlog trends, SAR filing timeliness, CDD completion rates — monitored between formal engagements. This is BEST described as:

  4. During audit follow-up, the institution discovers that a sanctions screening hit cleared three months ago was actually a true match — a prohibited party received a wire transfer. OFAC's framework encourages what response?
