Lesson 14 of 25
Auditing the Enterprise-Wide Risk Assessment
4 min read · CAMS-Audit
Audit the risk map itself: test methodology, inputs, and conclusions, reconcile it to the real business to find gaps, and flag residual ratings that don't match the control strength you observe.
Auditing the map itself
- The risk assessment underpins the whole program
- Audit tests its methodology, inputs, and conclusions
- Is it complete, current, and defensible?
- A flawed risk assessment cascades everywhere
We saw in planning that the enterprise-wide AML risk assessment drives scope. In fieldwork, we audit the risk assessment itself, because it underpins the entire program. If the map is wrong, every control built on it is aimed at the wrong place.
So you test three things: the methodology, the inputs, and the conclusions. Is the methodology sound and consistently applied? Are the inputs complete and accurate?
Do the conclusions actually follow from the data? A flawed risk assessment cascades: mis-rated risks lead to mis-calibrated monitoring, mis-targeted due diligence, and gaps nobody planned for. That's why this is one of the highest-leverage things an AML auditor tests.
Testing completeness
- Every product, customer type, geography, channel covered?
- New lines of business and acquisitions included?
- Material risks not quietly excluded?
- Reconcile to the actual business inventory
Start with completeness, because the most dangerous gap is a risk the assessment never considered. Does it cover every product, customer type, geography, and delivery channel the institution actually has? Were new lines of business, new digital channels, or recent acquisitions folded in, or is the assessment still describing the firm as it was two years ago?
Was any material risk quietly excluded? A powerful technique is to reconcile the risk assessment against an independent inventory of the actual business, the product catalog, the customer-segment data, the list of countries served, and look for what's present in the business but missing from the map. Whatever's missing is unassessed, and unassessed risk is uncontrolled by design.
Testing methodology and inputs
- Is the rating logic documented and reproducible?
- Inherent risk, control effectiveness, residual risk linked correctly
- Inputs accurate — volumes, counts, high-risk flags
- Judgment supported, not just asserted
Next, test the methodology and the inputs. The rating logic should be documented and reproducible, so two reasonable analysts using it would land in the same place; if the ratings feel like opinion dressed as analysis, that's a weakness. Check that the chain from inherent risk, through control effectiveness, to residual risk is applied correctly, the very relationship we covered earlier.
Verify the inputs: are the transaction volumes, high-risk customer counts, and geographic exposures accurate, or pulled from stale data? And where the assessment relies on judgment, as it always must somewhere, is that judgment supported by rationale, or simply asserted? Unsupported ratings are the soft spot examiners and the exam both probe.
Testing the conclusions and refresh
- Do residual ratings match the actual control strength?
- Cross-check against your own fieldwork findings
- Is it refreshed for change and triggering events?
- Are results escalated and acted upon?
Finally, test the conclusions and the refresh cycle. Do the residual-risk ratings match the control strength you observed in your own fieldwork? If you found weak controls in an area the assessment rates low residual risk, the assessment is overstating control effectiveness, and that's a finding.
Confirm the assessment is refreshed on a defined cycle and after triggering events (a new product, a major incident, a regulatory change) rather than gathering dust. And check that its results are escalated to senior management and the board and actually drive decisions, because a risk assessment nobody acts on is paperwork. The exam likes the scenario where audit's own findings contradict the risk assessment's optimistic ratings.
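The three tests above (completeness by reconciliation to the business inventory, reproducible rating logic from inherent through control effectiveness to residual, and residual ratings checked against fieldwork) are easy to turn into a repeatable script. The following is an added example, not code from the lesson or from any institution; every record in it is constructed sample data, and the residual-rating rule (`residual_rating`) is an assumed, documented rule standing in for whatever the institution's own methodology specifies.

```python
"""Added example (not part of the lesson): a reproducible checker that runs the
three audit tests described above over a constructed AML risk assessment.
All data below is made up; the rating rule is an assumption, not any
institution's actual methodology."""
from dataclasses import dataclass

# Ordinal scales make the rating logic explicit and reproducible.
INHERENT = {"low": 1, "moderate": 2, "high": 3}
CONTROL = {"weak": 1, "adequate": 2, "strong": 3}
LEVEL_NAME = {1: "low", 2: "moderate", 3: "high"}


def residual_rating(inherent: str, control: str) -> str:
    """Assumed documented rule: score = inherent x (4 - control strength),
    bucketed into low/moderate/high, and residual never exceeds inherent.
    Two analysts applying this to the same inputs must get the same answer."""
    score = INHERENT[inherent] * (4 - CONTROL[control])
    level = 3 if score >= 6 else 2 if score >= 3 else 1
    level = min(level, INHERENT[inherent])
    return LEVEL_NAME[level]


@dataclass(frozen=True)
class AssessmentUnit:
    name: str      # product, customer segment, geography or channel
    inherent: str  # inherent risk as recorded in the assessment
    control: str   # control effectiveness as asserted by the assessment
    residual: str  # residual rating as recorded in the assessment


# Constructed sample risk assessment (not real data).
ASSESSMENT = [
    AssessmentUnit("retail-deposits", "moderate", "strong", "low"),
    AssessmentUnit("wire-transfers", "high", "adequate", "high"),
    AssessmentUnit("correspondent-banking", "high", "strong", "low"),
    AssessmentUnit("trade-finance", "high", "strong", "moderate"),
]

# Constructed independent inventory of the actual business (product catalog,
# segment data, channels). Two items exist in the business but not on the map.
BUSINESS_INVENTORY = {
    "retail-deposits", "wire-transfers", "correspondent-banking",
    "trade-finance", "crypto-custody", "mobile-onboarding",
}

# Constructed fieldwork observations of actual control strength.
FIELDWORK_OBSERVED = {
    "retail-deposits": "strong",
    "wire-transfers": "adequate",
    "correspondent-banking": "weak",  # audit saw weak controls here
    "trade-finance": "strong",
}


def completeness_gaps(assessment, inventory) -> list:
    """Test 1: business units present in the inventory but absent from the map.
    Whatever comes back is unassessed, and therefore uncontrolled by design."""
    covered = {u.name for u in assessment}
    return sorted(inventory - covered)


def methodology_exceptions(assessment) -> dict:
    """Test 2: units whose recorded residual does not follow from their own
    inherent/control inputs under the documented rule (inconsistent application)."""
    return {
        u.name: (u.residual, residual_rating(u.inherent, u.control))
        for u in assessment
        if residual_rating(u.inherent, u.control) != u.residual
    }


def overstated_controls(assessment, observed) -> dict:
    """Test 3: units where fieldwork saw weaker controls than the assessment
    asserts, with the residual rating the observed strength actually supports."""
    findings = {}
    for u in assessment:
        seen = observed.get(u.name)
        if seen is not None and CONTROL[seen] < CONTROL[u.control]:
            findings[u.name] = {
                "asserted": u.control,
                "observed": seen,
                "recorded_residual": u.residual,
                "supported_residual": residual_rating(u.inherent, seen),
            }
    return findings


def audit_risk_assessment(assessment, inventory, observed) -> dict:
    """Run all three tests and return the findings as one report."""
    return {
        "unassessed": completeness_gaps(assessment, inventory),
        "methodology_exceptions": methodology_exceptions(assessment),
        "overstated_controls": overstated_controls(assessment, observed),
    }


if __name__ == "__main__":
    for test, result in audit_risk_assessment(
            ASSESSMENT, BUSINESS_INVENTORY, FIELDWORK_OBSERVED).items():
        print(f"{test}: {result}")
```

On the sample data, `correspondent-banking` fails two tests at once: its recorded residual ("low") does not follow from its own inputs under the documented rule, and fieldwork found weak controls where the assessment asserts strong ones, so the rating the evidence actually supports is "high". That is exactly the scenario the lesson flags, where audit's own findings contradict the assessment's optimistic ratings.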
Governance and ownership of the risk assessment
- Who owns it, and is that owner accountable?
- Approved by senior management or the board?
- Challenged and reviewed, not just rubber-stamped
- Drives real decisions: monitoring, EDD, resourcing
Beyond the numbers, audit examines the governance around the risk assessment, because a technically fine document that nobody owns or acts on still fails. Ask who owns the risk assessment and whether that owner is genuinely accountable for its quality. Confirm it's reviewed and approved at an appropriate level, senior management or the board, rather than produced in a corner and filed.
Look for evidence of real challenge: did anyone push back on the ratings, or was it rubber-stamped? And most importantly, trace whether the assessment actually drives decisions: does a high-risk rating in a segment lead to tighter monitoring, more enhanced due diligence, and more resources there? A risk assessment that's well-built but disconnected from the program it's supposed to steer is a finding, because the whole purpose is to direct the institution's controls toward its real risks.
The exam likes the case where the document looks rigorous on paper but plainly didn't influence how the program was actually run.
Recap and next
- Audit the risk assessment: methodology, inputs, conclusions
- Reconcile to the real business to test completeness
- Residual ratings must match observed control strength
- Next — the AML pillars and the fifth pillar (CDD/BO)
Recapping: because the enterprise risk assessment underpins everything, auditing it is high-leverage work. Test completeness by reconciling it to the real business, test the methodology and inputs for rigor and accuracy, and test whether its residual conclusions match the control strength you actually observe. A stale or unsupported risk assessment is a serious finding, not a footnote.
Next, we audit the program pillars themselves, the internal controls, the BSA officer, training, independent testing, and the fifth pillar, customer due diligence and beneficial ownership. Take the practice questions on risk-assessment auditing first.
Sources
- FFIEC BSA/AML Examination Manual — BSA/AML Risk Assessment
- FATF Recommendation 1 — risk-based approach
- Basel Committee, Sound management of risks related to ML/FT
Test your knowledge
A few CAMS-Audit questions on this material.
Q1. An audit report is distributed to senior management and the compliance team but not transmitted to the audit committee. The compliance team resolves two findings before the committee's quarterly meeting. The committee therefore never sees those findings. What governance failure occurred?
Q2. Management commits in writing to remediating a high-risk finding by a specified date. On the follow-up date, management submits an attestation stating the control has been fixed. What should the auditor do next?
Q3. An audit function closes findings when management submits a remediation plan rather than waiting for implementation and re-testing. A subsequent regulatory exam finds the same issues unresolved. What systemic failure does this reveal?
Q4. An audit finding's remediation target date has passed with no action taken. The finding was rated 'high' risk. What is the auditor's appropriate next step?