Lesson 05 of 25

Internal vs. External Audit; Co-Sourcing and Qualifications

4 min read · CAMS-Audit

Compare internal audit, external auditors, and consultants as independent-testing providers, learn when to co-source specialist work, and remember the rule the exam tests: outsourcing never transfers accountability.

Three ways to get independent testing

  • Internal audit department
  • External / outside auditors
  • Qualified consultants or other independent parties
  • Small firms: qualified staff outside the tested function

Who is allowed to perform the independent testing the BSA requires? The FFIEC manual gives a clear menu. It can be the institution's internal audit department. It can be outside (external) auditors. It can be qualified consultants or other independent parties. And for a small institution with no internal audit function and no budget for outside firms, it can be qualified bank staff, as long as they're not involved in the function being tested and have no conflicting BSA responsibilities.

Notice what every option has in common: independence from the tested function. The label, internal or external, matters less than that the tester is genuinely separate from the work.

Internal vs. external — trade-offs

  • Internal — deep context, continuity, lower cost
  • External — fresh eyes, specialist depth, market credibility
  • Internal risk: too close, captured over time
  • External risk: shallow context, scope limited to the contract

Internal and external audit each have strengths the exam may ask you to weigh. An internal team knows the institution deeply, provides continuity year over year, and costs less. But proximity is also its weakness: an internal team can become too comfortable with, even captured by, the areas it covers, which is the familiarity threat we met earlier.

External auditors bring fresh eyes, specialist depth in areas like model validation, and credibility with regulators and markets. Their weakness is the mirror image: less institutional context, and coverage limited to whatever the engagement contract specifies. Neither is automatically better.

The right answer usually depends on the risk, the expertise needed, and whether independence can be preserved.

Co-sourcing and outsourcing

  • Co-source — internal team plus external specialists
  • Use it for specialist or conflicted areas (e.g., model validation)
  • Outsourcing doesn't transfer accountability
  • The institution still owns the program and the findings

A practical middle path is co-sourcing: an internal team supplemented by outside specialists for the parts they can't cover well, like statistical sampling or transaction-monitoring model validation. Co-sourcing is often the smart answer when an area is both specialized and a self-review risk for the in-house team. But here's the rule the exam wants you to hold: outsourcing the testing does not outsource the accountability.

The institution still owns its AML program and still owns the findings, no matter who holds the pen. If a scenario suggests a bank is off the hook because a vendor did the audit, that's wrong. The bank remains responsible for acting on what the audit found.

Competence and due professional care

  • Auditors need proficiency in AML and in auditing
  • Due professional care — diligent, skeptical, evidence-based
  • Match expertise to the area (sanctions, models, data)
  • Gaps in competence are themselves a finding

Whoever performs the work must be competent to do it. The Institute of Internal Auditors frames this as proficiency and due professional care. Proficiency means the auditors collectively have the knowledge and skills the engagement needs, both AML subject-matter knowledge and audit technique.

Due professional care means working diligently, with professional skepticism, and basing conclusions on evidence rather than assertion. Match the expertise to the area: auditing a sanctions-screening engine or validating a monitoring model demands specialist skill a generalist may not have. And competence is auditable too.

If the team assigned to test a complex model clearly lacks the skill to do so, that resourcing gap can itself become a finding about the audit function.

Managing a co-source or vendor relationship

  • Define scope, deliverables, and standards in the contract
  • Confirm the provider's independence and competence
  • Review and own the provider's workpapers and conclusions
  • The institution still presents the results to the board

Because outsourcing is common, the exam tests how you manage it well. When work is co-sourced or sent to a vendor, the engagement contract should define the scope, the deliverables, and the standards the work must meet, so coverage doesn't quietly shrink to whatever's cheapest. The institution must confirm the provider is genuinely independent of the function being tested and competent for the work, the same requirements that apply to internal staff.

And it must review and take ownership of the provider's workpapers and conclusions, rather than accepting a clean opinion on faith; if the institution can't stand behind the work, it hasn't really discharged its testing obligation. Finally, the institution itself presents the results to the board, because accountability never leaves the building. A scenario where a bank simply forwards a vendor report it never reviewed, and treats the obligation as satisfied, is a control failure, not a shortcut.

Recap and next

  • Internal, external, or consultants — all must be independent
  • Co-source for specialist or conflicted areas
  • Outsourcing never transfers accountability
  • Next — the audit lifecycle and continuous monitoring

Recapping: independent testing can come from internal audit, external auditors, or qualified consultants, and the unifying requirement is genuine independence from the function tested. Co-sourcing fills specialist and conflicted gaps, but the institution always keeps accountability for its program and its findings. And whoever does the work must be proficient and exercise due professional care.

And whoever holds the pen, the institution reviews the work, owns the conclusions, and presents them to the board. Next, we put the pieces in motion: the full audit lifecycle from planning to follow-up, plus continuous monitoring and the computer-assisted techniques modern auditors rely on. Run the practice set first.

Sources

  • FFIEC BSA/AML Examination Manual — Independent Testing
  • IIA International Professional Practices Framework — proficiency and due professional care
  • Basel Committee, The internal audit function in banks (2012)

Test your knowledge

A few CAMS-Audit questions on this material.

  1. Q1. An auditor is offered a role in the compliance department she is currently auditing, starting after the engagement closes. She does not disclose this. What objectivity threat has she created?

  2. Q2. The Basel Committee's guidance on the internal audit function in banks states that internal audit must be independent of the activities it audits. Which scenario MOST directly violates this principle?

  3. Q3. Under the Three Lines model, a compliance analyst runs a monthly quality-assurance review of CDD files and flags deficiencies. An examiner asks whether this constitutes the institution's independent testing. What is the correct answer?

  4. Q4. Which action is the MOST appropriate safeguard when an auditor realizes she has a familiarity threat because she has covered the same private-banking team for nine consecutive years?