In BSA/AML the terms audit and independent testing overlap and are often used interchangeably, but they are not identical. Independent testing is the named third pillar: a risk-based review of the whole program by a party independent of it. An audit can mean that same review, or it can mean a narrower internal-audit engagement or a financial-statement audit that does not satisfy the pillar. What matters for compliance is that the work meets the independent-testing standard, whatever it is called.
Ask whether your institution needs an AML audit or independent testing and you will get the terms used as synonyms about half the time. They are close, and in many cases the same work answers both, but the words are not interchangeable, and the difference matters when an examiner asks whether the third pillar was satisfied.
The short distinction
Independent testing is a defined regulatory term: the third pillar of a BSA/AML program, a risk-based review of the program by someone independent of it. Audit is a broader, looser word. It can describe that same independent test, or an internal-audit engagement scoped to one area, or a financial-statement audit that has nothing to do with the third pillar. The label does not decide whether the pillar is met. The substance does.
What independent testing means
Independent testing is named in the program rule and detailed in the FFIEC manual. It is risk-based, reaches the whole program, is performed by a party independent of the functions tested, and reports to the board or a board committee. The independent testing guide covers the scope, frequency, and who can perform it.
What audit can mean
Audit covers several different things, and the differences are what cause the confusion.
- Internal audit. A function within the institution that reviews controls. A properly independent, risk-scoped internal audit of the BSA/AML program can be the independent test. A narrow internal audit of one process is not.
- External or financial audit. An engagement to opine on financial statements. It serves a different purpose and does not satisfy the third pillar.
- A vendor "AML audit". A service some firms sell. Whether it satisfies the pillar depends entirely on whether it is independent, risk-scoped, and genuinely tests the program, not on what it is called.
Where they overlap
In practice, the independent test is often delivered as an audit, internal or external. A risk-scoped internal-audit review of the whole BSA/AML program, performed by staff independent of it and reported to the board, is the third pillar. The terms describe the same work when the work meets the standard. The overlap is why the words get used interchangeably, and why the distinction only surfaces when the standard is not met.
| | Independent testing | Internal audit (general) | Financial-statement audit |
|---|---|---|---|
| Purpose | Assurance on the BSA/AML program | Assurance on controls, varies by scope | Opinion on financial statements |
| Scope | Whole program, risk-based | Whatever the engagement defines | Financial reporting |
| Performed by | A party independent of the program | Internal audit function | External audit firm |
| Satisfies the third pillar? | Yes | Only if independent and program-wide | No |
What examiners actually care about
An examiner does not grade the label on the report. They check independence, risk-based scope, real testing rather than a checklist, and whether findings were closed. A review that meets those criteria satisfies the third pillar whether it is called independent testing or an audit. A review that fails them does not, no matter how it is titled. The program pillars guide covers where the third pillar sits among the others.
Practical guidance
Call the work whatever your institution calls it, and make sure it meets the independent-testing standard: independent of the program, scoped to your risk, testing operation rather than existence, and reporting to the board. If you are buying an "AML audit" from a vendor, the question is not the name. It is whether the engagement is independent and reaches the whole program, because that is what an examiner will test. For how to scope it, see the BSA/AML independent testing guide.
Primary sources
- 31 CFR 1020.210: Anti-money laundering program requirements for banks (the program pillars, including independent testing and customer due diligence).
- FFIEC BSA/AML Examination Manual: The interagency supervisory standard; see the BSA/AML Risk Assessment and Independent Testing sections, including the risk-based approach to scope and frequency.