
Lesson 06 of 25

The Audit Lifecycle and Continuous Monitoring

4 min read · CAMS-Audit

Get the full engagement map (plan, fieldwork, report, follow-up) plus continuous monitoring and CAATs. The lifecycle mirrors the four exam modules and frames every lecture ahead.

The audit lifecycle, end to end

  • Plan — risk assessment, scope, objectives
  • Fieldwork — testing, evidence, evaluation
  • Report — findings, ratings, recommendations
  • Follow-up — track and validate remediation

Let's see the whole engagement at once, because the rest of this course walks through it in detail and you'll want the map in your head. An audit moves through four stages. First, planning: assess risk, define the scope and objectives, and decide what evidence you'll need.

Second, fieldwork: perform the tests, gather evidence, and evaluate whether controls are designed and operating effectively. Third, reporting: write up findings, rate the issues by risk, and recommend fixes. Fourth, follow-up: track whether management actually remediates, and validate that the fix worked.

These four stages also mirror the exam's four modules, so this lifecycle is both how the job works and how the test is built.

Risk-based, not calendar-based

  • Coverage and depth follow risk, not habit
  • High-risk areas: more frequent, deeper testing
  • The plan is a living document, refreshed for new risk
  • Annual plan plus an audit universe across the cycle

The thread running through every stage is that audit is risk-based, not calendar-based. You don't test everything equally every year. You direct more frequent and deeper testing at the higher-risk areas (correspondent banking, high-risk customer segments, the transaction-monitoring system) and lighter coverage at lower-risk ones.

The plan isn't carved in stone in January; it's a living document you refresh when a new product, a regulatory change, or an incident shifts the risk picture. Institutions usually maintain an annual plan plus a multi-year audit universe so that, across the cycle, everything gets appropriate coverage. We'll build that universe in detail when we reach planning.

Continuous monitoring

  • Ongoing, between-engagement risk surveillance
  • Key indicators, exception trends, incident signals
  • Feeds the plan — reprioritize as risk moves
  • Complements, doesn't replace, periodic deep testing

Modern audit functions don't go silent between engagements. They run continuous monitoring: ongoing surveillance of key risk indicators, exception trends, incident signals, and metrics from the second line. If alert backlogs are climbing or a new high-risk product is growing fast, continuous monitoring catches it and feeds the plan, so audit can reprioritize before the next scheduled engagement.

Be clear on its role, though. Continuous monitoring complements periodic deep testing; it does not replace it. A dashboard can tell you something looks off, but you still need a real engagement to test whether a control is designed and operating effectively. The exam may try to blur that line.

CAATs — auditing at data scale

  • Computer-Assisted Audit Techniques
  • Test full populations, not just samples
  • Re-perform monitoring logic; spot data anomalies
  • Powerful, but only as good as the data and the auditor

When the data is large, auditors reach for Computer-Assisted Audit Techniques, or CAATs, sometimes called data-analytics auditing. Instead of pulling a sample of a few hundred transactions, CAATs let you test the entire population: every wire over a threshold, every customer missing a risk rating, every alert that closed in under a minute. You can re-perform a monitoring rule's logic and compare it to what the system actually did, or scan for data anomalies that would never surface in a small sample.

CAATs are powerful, but with a caveat the exam likes: they're only as good as the data feeding them and the auditor interpreting them. Garbage data produces confident, wrong conclusions. So data integrity testing, which we'll cover later, underpins all of it.
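Here is what the two preceding paragraphs look like in practice: a full-population CAAT run over a wire extract, a customer file and an alert log, with an independent re-performance of a monitoring rule and a data-integrity gate in front of it. This is an added example written for this lesson, not code from ACAMS or from any vendor's audit tool. The sample records, the $10,000 threshold, the two-country "high-risk" list, the rule name and the control totals are all constructed assumptions; the near-threshold scan is one example of the "data anomalies" the text mentions, not something the lesson names specifically.

```python
"""Added example: CAAT-style full-population testing over constructed AML data.

All records, thresholds and control totals below are assumptions for
illustration, not real institution data or a real monitoring rule.
"""
from collections import Counter
from datetime import datetime, timedelta

WIRE_THRESHOLD = 10_000              # assumed reporting threshold
HIGH_RISK_COUNTRIES = {"IR", "KP"}   # assumed list, for illustration only
MIN_CREDIBLE_REVIEW_SECONDS = 60     # an alert closed faster than this is suspect
RULE_NAME = "HR_WIRE"                # assumed name of the rule being re-performed

# Constructed extracts (not real data).
WIRES = [
    {"id": "W1", "customer": "C1", "amount": 12_500, "country": "IR"},
    {"id": "W2", "customer": "C2", "amount":  9_900, "country": "IR"},  # just under threshold
    {"id": "W3", "customer": "C3", "amount": 15_000, "country": "GB"},
    {"id": "W4", "customer": "C4", "amount": 20_000, "country": "KP"},  # rule should fire; no alert exists
    {"id": "W5", "customer": "C4", "amount":    500, "country": "US"},
]
CUSTOMERS = [
    {"id": "C1", "risk_rating": "HIGH"},
    {"id": "C2", "risk_rating": None},      # missing rating
    {"id": "C3", "risk_rating": "MEDIUM"},
    {"id": "C4", "risk_rating": "HIGH"},
]
_T0 = datetime(2024, 3, 1, 9, 0, 0)
ALERTS = [
    {"id": "A1", "rule": "HR_WIRE",    "wire": "W1", "opened": _T0, "closed": _T0 + timedelta(hours=2)},
    {"id": "A2", "rule": "LARGE_WIRE", "wire": "W3", "opened": _T0, "closed": _T0 + timedelta(seconds=12)},
]
# Control totals the extract should reconcile to (assumed values from the source system).
CONTROL_TOTALS = {"wire_count": 5, "wire_amount": 57_900}


def data_integrity_checks(wires, control_totals):
    """Completeness and validity checks that must pass before any analytic is trusted."""
    issues = []
    if len(wires) != control_totals["wire_count"]:
        issues.append("record count does not reconcile to control total")
    if sum(w["amount"] for w in wires) != control_totals["wire_amount"]:
        issues.append("amount total does not reconcile to control total")
    dupes = [k for k, n in Counter(w["id"] for w in wires).items() if n > 1]
    if dupes:
        issues.append(f"duplicate wire ids: {dupes}")
    if any(w["amount"] is None or w["amount"] < 0 for w in wires):
        issues.append("null or negative amounts present")
    return issues


def reperform_rule(wires):
    """Independently re-perform the HR_WIRE rule over the entire population."""
    return {w["id"] for w in wires
            if w["amount"] >= WIRE_THRESHOLD and w["country"] in HIGH_RISK_COUNTRIES}


def compare_to_system(wires, alerts):
    """Alerts the rule should have produced versus alerts the system actually logged for it."""
    expected = reperform_rule(wires)
    actual = {a["wire"] for a in alerts if a["rule"] == RULE_NAME}
    return {"missed": sorted(expected - actual), "unexpected": sorted(actual - expected)}


def full_population_exceptions(wires, customers, alerts):
    """The exception tests a sample would miss: every record, not a few hundred."""
    return {
        "wires_over_threshold": sorted(w["id"] for w in wires if w["amount"] >= WIRE_THRESHOLD),
        "customers_without_rating": sorted(c["id"] for c in customers if not c["risk_rating"]),
        "alerts_closed_too_fast": sorted(
            a["id"] for a in alerts
            if (a["closed"] - a["opened"]).total_seconds() < MIN_CREDIBLE_REVIEW_SECONDS),
        # Anomaly scan: amounts sitting just under the threshold (90-100% of it).
        "near_threshold_wires": sorted(
            w["id"] for w in wires if 0.9 * WIRE_THRESHOLD <= w["amount"] < WIRE_THRESHOLD),
    }


def run_audit(wires, customers, alerts, control_totals):
    """Gate the analytics on data integrity; garbage in must not become a confident finding."""
    issues = data_integrity_checks(wires, control_totals)
    if issues:
        return {"status": "DATA_INTEGRITY_FAILED", "issues": issues}
    return {"status": "OK",
            "exceptions": full_population_exceptions(wires, customers, alerts),
            "rule_reperformance": compare_to_system(wires, alerts)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_audit(WIRES, CUSTOMERS, ALERTS, CONTROL_TOTALS), indent=2))
```

The order matters: `run_audit` refuses to produce exception lists when the extract does not reconcile, which is the data-integrity point from the paragraph above. On the constructed data the re-performance surfaces W4 as an alert the system should have raised but did not, which is exactly the kind of design-versus-operation gap a dashboard cannot show and a sample of a few hundred wires could easily skip.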

Quality assurance over the audit function

  • The audit function audits itself, too
  • Internal quality reviews plus periodic external assessment
  • IIA expects an external assessment on a defined cycle
  • A weak audit function is itself a finding

One more governance idea before we move on: who audits the auditors? A mature audit function runs a quality assurance and improvement program over itself. Internally, that means supervisory review of engagements and periodic self-assessment to confirm the work meets professional standards.

Externally, the Institute of Internal Auditors expects an independent external assessment of the audit function on a defined cycle, commonly every five years, performed by a qualified reviewer from outside the organization. The point is that the third line is not exempt from scrutiny just because it scrutinizes everyone else. If the audit function itself is under-resourced, lacks competence, or isn't truly independent, that's a finding in its own right, and it undermines confidence in every conclusion the function reaches.

So when you study independent testing as the fourth pillar, remember it includes holding the auditors themselves to the same standard they apply to others.

Recap and next

  • Four stages: plan, fieldwork, report, follow-up
  • Risk-based coverage, refreshed continuously
  • Continuous monitoring feeds, doesn't replace, deep testing
  • Next module — planning and scoping the engagement

Recapping: an audit runs through four stages, plan, fieldwork, report, and follow-up, and every stage is driven by risk rather than the calendar. Continuous monitoring keeps the function watching between engagements and reshapes the plan as risk moves, while CAATs let you test full populations instead of small samples. That closes out the governance module.

And keep in mind that the audit function is held to the same professional standard it applies to others, complete with periodic external assessment. Next, we open the planning and scoping module, about a quarter of the exam, starting with how to build the audit universe and target it by risk. Test yourself on the governance material first, then meet me in planning.

Sources

  • IIA International Professional Practices Framework — engagement planning, performance, and communication
  • FFIEC BSA/AML Examination Manual — Independent Testing
  • ACAMS Advanced CAMS-Audit (audit process stages, CAATs, continuous monitoring)

Test your knowledge

A few CAMS-Audit questions on this material.

  Q1. A small community bank has no internal audit department. Its BSA officer proposes using a senior operations manager, who has no responsibility for AML functions, to perform the annual independent test. Is this permissible, and why?

  Q2. An AML auditor is scoping an engagement and notices the institution's enterprise risk assessment rates its private-banking segment as 'low residual risk.' However, the auditor's preliminary work reveals controls in that segment are materially weak. What should the auditor do?

  Q3. When building a risk-based AML audit plan, which factor should cause an auditor to INCREASE coverage frequency for a particular area?

  Q4. An audit engagement plan states the scope as 'reviewing AML controls generally.' A regulator later asks what specific systems, time periods, and populations were covered. The auditor cannot answer precisely. What planning failure does this illustrate?
