Lesson 04 of 25
Governance, the Board, and the Audit Committee
4 min read · CAMS-Audit
See how the board and audit committee approve the plan, receive findings directly, and hold management accountable. Learn why direct reporting keeps audit findings from being filtered or softened.
Who governs the program
- Board of directors — ultimate accountability
- Audit committee — oversees the audit function
- Senior management — runs the program day to day
- Audit reports up, not into, the business
Let's set the governance chain straight, because the exam tests who is accountable for what. At the top sits the board of directors, which holds ultimate accountability for the AML program even though it doesn't run it. The board usually delegates oversight of the audit function to an audit committee, ideally one made up largely of outside, independent directors.
Senior management runs the program day to day. And the auditor's defining feature is the direction it reports: up to the board or audit committee, not into the business it audits. That reporting line is what keeps the third line independent, and it's why the FFIEC manual specifies it.
What the board and committee approve
- Approve the risk-based audit plan
- Ensure adequate audit resources and independence
- Receive audit results directly
- Hold management accountable for remediation
What does the board, through its audit committee, actually do for AML audit? Four things worth memorizing. It approves the risk-based audit plan, so coverage isn't left to the business to dictate.
It ensures the audit function has adequate resources, skills, and independence to execute that plan. It receives audit results directly, including significant findings, so bad news can't be filtered out by the people responsible for it. And it holds management accountable for fixing what audit finds.
The Basel Committee's AML risk-management guidance places this oversight squarely with the board and senior management. If a scenario shows results going only to the audited department and never reaching the committee, that's a governance failure.
Why direct reporting matters
- Prevents management from softening findings
- FFIEC: report directly to board or designated committee
- Committee should be mostly outside directors
- Escalation path must be unobstructed
Let's dwell on the reporting line, because it's a favorite exam theme. If audit reported its results to the head of compliance, and compliance owned the program, the very people being graded would control the grade before the board ever saw it. That's why the FFIEC BSA/AML Examination Manual says the party conducting independent testing should report directly to the board of directors or to a designated committee, and that the committee should be composed primarily or entirely of outside directors.
The principle is unobstructed escalation. A finding should reach the board on a path that management cannot block or soften. Watch for scenarios where the chief audit executive's bonus is set by the auditee, or findings are routed for the auditee's approval before issuance; both break this principle.
The auditor's duty when management pushes back
- Disagreement is normal; suppression is not
- Record management's response, keep the finding
- Escalate unresolved high risks to the committee
- Tone at the top is itself auditable
Management won't always agree with a finding, and disagreement by itself isn't a problem. What matters is what the auditor does with it. The auditor records management's response, including its disagreement, but does not delete a supported finding because management dislikes it.
If management refuses to accept an unresolved high risk, the auditor escalates it to the audit committee rather than quietly dropping it. And here's a higher-order point the exam may test: governance and tone at the top are themselves auditable. If the board never meets, never reviews AML results, or rubber-stamps the plan, that weak governance is a finding in its own right, not just background.
What the committee should ask audit
- Is the audit plan truly risk-based and complete?
- Are findings being remediated on time?
- Does audit have the resources and independence it needs?
- Are there themes or recurring issues across the program?
A capable audit committee doesn't just receive reports; it interrogates them, and knowing the questions it should ask helps you audit governance itself. A strong committee asks whether the audit plan is genuinely risk-based and covers the whole universe over time, or whether something material keeps falling off. It asks whether findings are actually being remediated on schedule, or quietly aging past their due dates.
It asks whether the audit function has the resources, skills, and independence to do its job, since a starved audit function can't protect the institution. And it probes for themes: is the same root cause surfacing across different areas, signaling a systemic problem the individual findings don't capture on their own? When you audit governance, you're partly checking whether the committee asks these questions.
A committee that rubber-stamps whatever it's handed is itself a control weakness, because effective oversight requires active challenge, not passive receipt.
Recap and next
- Board is accountable; committee oversees audit
- Committee approves the plan and receives results directly
- Direct reporting prevents filtered findings
- Next — internal vs. external audit and qualifications
To recap: the board carries ultimate accountability, the audit committee oversees the audit function, and senior management runs the program. The committee approves the risk-based plan, secures the function's resources and independence, and receives results directly so findings can't be filtered by the people they concern. And remember that governance and tone at the top are themselves auditable, so a board that never reviews AML results is a finding, not just background.
In the next lecture, we look at who can actually perform that independent testing (internal audit, external auditors, or consultants) and the competence those auditors must bring. Take the practice questions on governance before you move on.
Sources
- FFIEC BSA/AML Examination Manual — Independent Testing and BSA/AML Compliance Program
- Basel Committee, Sound management of risks related to money laundering and financing of terrorism
- IIA International Professional Practices Framework — communicating and reporting
Test your knowledge
A few CAMS-Audit questions on this material.
Q1. Under model risk management guidance applied to a transaction-monitoring system, which finding describes a failure of independent VALIDATION specifically (as opposed to model tuning)?
Q2. A finding states only that 'beneficial-ownership files are deficient' without naming the policy or regulation the files fall short of. Which element of a finding is missing?
Q3. Ten KYC files each individually miss one minor element. Reviewed alone each looks immaterial, but together they suggest a broken onboarding process. How should the auditor treat them?
Q4. The FFIEC BSA/AML Examination Manual states that independent testing should be performed by parties not involved in the functions being tested. Which of the following arrangements satisfies this requirement?