Lesson 07 of 25
Risk-Based Audit Planning and the Audit Universe
4 min read · CAMS-Audit
Build an audit universe and prioritize it by risk so coverage and frequency follow exposure, not habit. Learn to document the rationale that defends your plan to a regulator.
The audit universe
- Every auditable unit, process, and system
- AML pillars, TM, sanctions, CDD, SAR, data, models
- The complete inventory of what could be audited
- You can't cover it all every year — so you prioritize
Planning starts with a question: what could we audit? The answer is the audit universe, a complete inventory of every auditable unit, process, and system in the institution's AML program. It includes the program pillars, the transaction-monitoring system, sanctions screening, customer due diligence and beneficial ownership, suspicious-activity reporting, recordkeeping, data feeds, and the models behind it all.
Think of it as the full menu. You will never order everything in a single year; the universe is bigger than any annual plan. So the universe exists to make sure nothing is forgotten, and the planning job is to choose, from that universe, what to cover and how deeply.
Prioritize by risk
- Rank the universe by inherent and residual risk
- Higher risk: cover more often, test deeper
- FATF: a risk-based approach to allocate resources
- Document why each area got the coverage it did
Once you have the universe, you rank it by risk. Higher-risk areas earn more frequent coverage and deeper testing; lower-risk areas can be touched less often. This is the same risk-based logic that runs through all of AML, the approach FATF Recommendation 1 asks every country and institution to take, here applied to audit's own resource allocation.
The FFIEC manual expects the scope and frequency of independent testing to be commensurate with risk. And crucially, you document the rationale: why correspondent banking got an annual deep dive and a low-risk retail product got a lighter touch every third year. That documented reasoning is what defends the plan to a regulator who asks why something wasn't covered.
What drives an area's risk
- Inherent risk of the product, customer, geography, channel
- Strength of the controls (residual risk)
- Change — new product, system, or regulation
- History — prior findings, incidents, regulatory attention
What makes one area riskier than another? Several factors, and the exam may ask you to weigh them. Inherent risk comes from the business itself: the products, customer types, geographies, and delivery channels involved. Private banking and correspondent relationships carry more inherent risk than basic savings accounts.
The strength of the controls then determines residual risk, what's left after the controls do their work. Change raises risk: a new product, a migrated system, or a fresh regulation all warrant attention. And history matters: areas with prior findings, recent incidents, or regulatory scrutiny climb the list.
A good planner blends all of these rather than ranking on inherent risk alone.
Frequency and the multi-year cycle
- High risk — annual or more; low risk — across the cycle
- Ensure full universe coverage over a defined period
- Don't leave any area permanently untested
- Rotate to keep coverage fresh and unpredictable
Risk also sets frequency. The highest-risk areas may be audited annually or even more often; lower-risk areas are scheduled across a multi-year cycle so that, over a defined period, the whole universe gets covered. The trap to avoid is letting some area fall permanently off the plan because it never quite ranks high enough; coverage gaps are exactly what examiners probe.
Rotation helps too: varying what's tested and how keeps the program from becoming predictable, which matters when the people you audit might otherwise prepare only for the test they expect. So balance risk-weighting with assured cycle coverage.
Common planning failures
- An area that never makes the cut, year after year
- A plan locked in January and never refreshed
- Coverage driven by convenience, not risk
- No documented rationale to defend the choices
Let's name the planning failures examiners and the exam draw on, because recognizing them is half the skill. The first is the perpetual gap: an area that's always ranked just low enough to skip, so year after year it goes untested, until that's exactly where the problem surfaces. The second is the frozen plan, locked in at the start of the year and never refreshed even as a new high-risk product launches or a major incident occurs; a risk-based plan has to breathe.
The third is coverage driven by convenience rather than risk, auditing the easy, well-documented areas while the messy, high-risk ones get deferred. And the fourth is the silent plan, one with no documented rationale, so when a regulator asks why correspondent banking wasn't covered this cycle, there's no defensible answer. Strong planning is risk-driven, refreshed, complete over the cycle, and documented well enough to explain itself.
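As an added illustration, not part of the lesson, the following Python planner encodes the ranking, frequency and cycle-coverage logic from the sections above and reproduces the first planning failure. Each area in a constructed audit universe is scored on inherent risk, control strength, change and history; the score sets a coverage frequency; and a three-year plan is built under a fixed yearly capacity. Run as pure risk ranking, the lowest-risk area never makes the cut (the perpetual gap); run with a maximum-gap rule, that area is forced in before the cycle ends, and a rationale line is produced per area so the choices are documented. The six areas, their ratings, the scoring weights and the frequency thresholds are all constructed assumptions, not figures from the lesson, FATF, the FFIEC or the IIA.

```python
"""Added example: a toy risk-based audit planner (not part of the lesson).

All inputs are constructed: the six areas, their 1-5 ratings, the scoring
weights and the frequency thresholds are assumptions chosen to illustrate
the method, not values from FATF, FFIEC or the IIA.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Area:
    name: str
    inherent: int          # inherent risk of product/customer/geography/channel, 1 low .. 5 high
    control_strength: int  # how well controls mitigate it, 1 weak .. 5 strong
    change: bool           # new product, migrated system or new regulation this period
    history: int           # prior findings, incidents or regulatory attention (count)


def residual_score(area: Area) -> float:
    """Residual risk: inherent risk discounted by control strength, then pushed
    up by change (+1.0) and by each item of adverse history (+0.5).
    The weights are assumptions for illustration."""
    base = area.inherent * (6 - area.control_strength) / 5  # 0.2 .. 5.0
    score = base + (1.0 if area.change else 0.0) + 0.5 * area.history
    return round(score, 2)


def frequency_years(score: float) -> int:
    """Map a score to how often the area is due (every N years). Thresholds are assumptions."""
    if score >= 4.0:
        return 1   # highest risk: annual
    if score >= 2.5:
        return 2
    return 3       # lowest risk: once per three-year cycle


def build_plan(areas, years, capacity, max_gap=None):
    """Schedule `years` of audits with at most `capacity` engagements per year.

    With max_gap=None this is pure risk ranking: each year the highest-scoring
    due areas are taken and the rest wait. With max_gap=N, any area that has
    gone N years without an audit (or was never audited) is forced in ahead of
    the highest-risk items, so the cycle covers the whole universe.
    Returns {year: [area names]}.
    """
    last_audited = {a.name: 0 for a in areas}   # 0 = never audited
    plan = {}
    for year in range(1, years + 1):
        candidates = []
        for a in areas:
            score = residual_score(a)
            gap = year - last_audited[a.name]
            never = last_audited[a.name] == 0
            forced = max_gap is not None and gap >= max_gap
            if never or forced or gap >= frequency_years(score):
                candidates.append((forced, score, a.name))
        # forced (max-gap) items first, then descending risk, then name for determinism
        candidates.sort(key=lambda c: (not c[0], -c[1], c[2]))
        chosen = [name for _, _, name in candidates[:capacity]]
        for name in chosen:
            last_audited[name] = year
        plan[year] = chosen
    return plan


def coverage_gaps(plan, areas):
    """Areas that appear nowhere in the plan: the perpetual-gap failure."""
    covered = {name for names in plan.values() for name in names}
    return sorted(a.name for a in areas if a.name not in covered)


def rationale(areas):
    """One documented line per area: the inputs, the score and the resulting frequency."""
    lines = {}
    for a in areas:
        s = residual_score(a)
        lines[a.name] = (f"score {s} (inherent {a.inherent}, controls {a.control_strength}, "
                         f"change={'yes' if a.change else 'no'}, history {a.history}) "
                         f"-> every {frequency_years(s)} year(s)")
    return lines


# Constructed audit universe (illustrative ratings, not real data)
UNIVERSE = [
    Area("Correspondent banking", inherent=5, control_strength=3, change=False, history=2),
    Area("Transaction monitoring model", inherent=4, control_strength=3, change=True, history=1),
    Area("Private banking", inherent=4, control_strength=2, change=False, history=0),
    Area("Sanctions screening", inherent=4, control_strength=4, change=False, history=0),
    Area("Recordkeeping", inherent=2, control_strength=3, change=False, history=0),
    Area("Retail savings", inherent=1, control_strength=4, change=False, history=0),
]

if __name__ == "__main__":
    naive = build_plan(UNIVERSE, years=3, capacity=3)
    cycle = build_plan(UNIVERSE, years=3, capacity=3, max_gap=3)
    print("Naive plan gaps:", coverage_gaps(naive, UNIVERSE))   # ['Retail savings']
    print("Cycle plan gaps:", coverage_gaps(cycle, UNIVERSE))   # []
    for year, names in cycle.items():
        print(year, names)
    for name, why in rationale(UNIVERSE).items():
        print(f"{name}: {why}")
```

With three slots a year, the naive plan spends them on correspondent banking every year and on the next-highest scores otherwise, so retail savings is skipped in all three years. The max-gap rule is the cycle-coverage control: it forces retail savings into year 3 and pushes private banking out to the following year, where the same rule will force it in. The rationale lines are the kind of record that answers a regulator's "why was this area covered this way?".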
Recap and next
- Build the universe — everything auditable
- Rank by inherent and residual risk; document why
- Frequency follows risk; ensure full cycle coverage
- Next — using the enterprise AML risk assessment to scope
Recapping: planning begins with the audit universe, the full inventory of what could be audited, then ranks that universe by inherent and residual risk to decide coverage and depth, always with documented rationale. Frequency follows risk, but you still ensure the whole universe is covered across the cycle so nothing is left permanently untested, and you rotate coverage to keep it fresh and unpredictable. And avoid the classic planning failures: the perpetual gap, the frozen plan, coverage chosen for convenience, and decisions with no documented rationale to defend them.
In the next lecture, we connect audit planning to the institution's own enterprise-wide AML risk assessment, which is one of the most important inputs to scope, and a frequent exam topic. Test yourself on the universe first.
Sources
- IIA International Professional Practices Framework — risk-based audit planning
- FATF Recommendation 1 — risk-based approach
- FFIEC BSA/AML Examination Manual — risk-based approach to independent testing
Test your knowledge
A few CAMS-Audit questions on this material.
Q1. During planning, an auditor notes that an OCC Matter Requiring Attention (MRA) issued eighteen months ago has not been fully remediated. How should this affect the engagement scope?
Q2. An institution's AML risk assessment thoroughly analyzes product risk and customer risk but omits any analysis of delivery-channel risk (non-face-to-face onboarding, digital channels, third-party agents). An auditor reviewing the risk assessment should classify this as which type of deficiency?
Q3. An engagement planning memo is approved in January. In April, the institution acquires a high-risk money-services-business portfolio. What should the auditor do with the existing plan?
Q4. What is the purpose of maintaining a multi-year audit universe rather than only an annual plan?