
Law Firm AML Audits – Independent CLC & SRA Compliance Checks


PDA Legal’s AML compliance specialists deliver independent, expert anti-money laundering audits for law firms and solicitors.

The Importance of Independent Anti-Money Laundering Audits


Law firms and solicitors whose work falls within the scope of the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017) must comply with Regulation 21 of the MLR. The SRA and CLC require firms to have robust and effective systems intended to prevent money laundering, but staying on top of evolving rules can be challenging.

Non-compliance can lead to:

  • Financial fines
  • Reputational damage
  • Operational disruption
  • Regulatory action (in 2023, the CLC revoked a law firm’s licence for the first time due to compliance failures)

Our AML Audit Services include:


  • Comprehensive review of your firm’s policies, controls, and procedures
  • Evaluation against SRA and CLC inspection standards
  • Clear reporting with actionable findings and hands-on remediation support
  • Tailored training and ongoing compliance guidance

With our independent AML audits, you can identify gaps before regulators do and work towards a strong compliance culture within your firm.

Common Failings Identified During AML Audits For Law Firms


Law firms are navigating ever-tightening controls on sanctions and Proliferation Financing, all while adapting to ongoing SRA or CLC inspections. Staying on top of your organisation’s AML compliance has never been more critical.

SRA thematic reviews have highlighted not just gaps in rudimentary controls, such as conducting ID checks, but also other critical elements, including:

  • Ineffective or absent audits and reviews – leaving compliance blind spots unchecked
  • Inadequate Firm/Practice-Wide Risk Assessments
  • Incomplete matter-level AML risk assessments
  • Weak internal reporting structures and insufficient detail
  • Insufficient knowledge for submitting Suspicious Activity Reports (SARs)
  • Gaps in training, knowledge, or updates
  • Out-of-date policies, controls, and procedures
  • Over-reliance on Electronic ID/Verification (EID/V) without further checks
  • Limited review of EID/V effectiveness and appropriateness

Failing to address these areas can expose your firm to financial penalties, reputational damage, and regulatory scrutiny. An independent AML audit helps identify these gaps and ensures your firm is fully prepared.

Let us take it from here.

The Challenge with ‘Independent’ Audits Conducted In-House


Under Regulation 21, it is theoretically possible for solicitors or law firms to conduct their own ‘independent’ anti-money laundering audits. However, there are a few challenges:

Independence

MLROs and MLCOs cannot conduct valid Independent AML Audits (IAAs). Nor can Compliance Managers, AML managers and others, if they are effectively ‘marking their own homework’.

Seniority

If an audit is conducted internally, it should only be by someone at a senior management level. This ensures that they will have unhindered access to all information that they require to conduct the audit.

Expertise

The regulations require that adequate resources be applied, and the auditor should be able to demonstrate experience and expertise in conducting IAAs and to understand the process of audit trailing.

Timing

If asked by the SRA or CLC, firms need to be prepared to defend their decisions as to the frequency of their IAA. On average, Independent AML Audits take place every 12-24 months.

Duration

Including reporting, IAAs take 3 to 4 days on average. If an IAA is conducted internally by a senior manager who is also a fee earner, that represents a lot of lost fee income.

Preparation

Preparation for an IAA is not necessary; in fact, it could be dangerous. Too much preparation could give rise to a false impression as to the true state of the firm’s controls.

Audit coverage

IAAs are not concerned with the firm’s AML policy alone. Dozens of associated policies, controls and documents should be reviewed, matters perused and trailed, and people interviewed.

Gravitas of the report

For an IAA to be valid, it cannot be ignored or put to one side. Also, Lexcel/CQS/ISO accreditation does not guarantee AML compliance; on the contrary, it can give rise to a false sense of security. PDA’s IAA reports are typically 40-50 pages long, for accredited firms as well as those that are not.

The good news is that our Independent AML Audit service provides a convenient solution, enabling you and your team to focus on revenue-generating work.

Our AML Auditing Process


Our approach to Independent AML Audits is shaped by insight from our support to dozens of law firms that have already been through the SRA’s thematic review. We’ve built this knowledge into a clear audit process – fully transparent, scheduled in advance, and delivered on a fixed-fee basis – so you’ll always know what to expect.


Stage 1.1: Initial Consultation

We conduct an initial consultation with you, where we discuss the make-up of your firm and start to identify the level of risk to which it is exposed. During that conversation, we can pinpoint the aspects to be covered in the audit, the people and documents involved and even commence the planning for the visit to your offices in due course.

Stage 1.2: Desktop Review & Gap Analysis Report (GAR)

Our clients have told us time and again that our audit reports are the most detailed, but easy to digest, that they have ever received.

We start by reviewing your documented controls and records that support AML controls and provide you with a written Gap Analysis Report.

We don’t simply review an AML policy. Like dropping a stone into a pond, your AML controls touch upon many others. And so, we review a host of supporting documents and records as well, including:

  • The Practice/Firm-Wide AML Risk Assessment
  • The policy for staff training on AML
  • Staff training records
  • Supervision procedures
  • File review procedures
  • Reporting and monitoring procedures
  • MLRO reports
  • Matter file forms for recording outcomes of AML checks
  • Reviews of EID/V service providers

Stage 1.3: Interim Discussion on the GAR

We are unique in the sector in sending you an interim written report after the desktop portion of the audit, rather than making you wait until after the onsite visit!

And, we conduct a conversation with you to consider the findings so far.

This provides the opportunity to pinpoint any particular aspects of concern that the firm would like us to drill into when we conduct the onsite portion of the audit.

Then, we prepare the visit plan to share with you in advance of the visit.


Stage 2.1: Audit Visit

After the desktop review has been completed, we follow up with a visit to your offices to examine the controls in action.

The list of aspects that we examine is long and thorough, and includes:

  • Meeting with supervisors, Heads of Department, the MLRO and others in responsible roles
  • Conducting file reviews to examine the conduct of AML controls in the ‘real world’
  • Viewing the operation of the case management system controls for AML
  • Perusing the AML forms on matter files
  • Examination of the training records and training programme that supports AML controls
  • Examination of the risk register
  • Examination of the register of breaches, near misses and the regular reviews of risk data
  • Reviewing historical file review findings/trends
  • Meeting with fee earners and support staff to understand their perspective and to test their application and experience of controls

At the end of the visit, we meet with the MLRO and compliance managers to provide immediate feedback and to discuss any immediate concerns.


Stage 2.2: Update GAR

We add our findings from onsite to the Gap Analysis Report to provide you with a written narrative as to where your practice stands with its AML controls and next steps to resolve the gaps.

There is no ‘pass’ or ‘fail’ where the audits are concerned. Instead, we apply colour coding to each of the remarks in our report, to provide at-a-glance navigation as to the suggested prioritisation that the Firm might apply to addressing each concern.

We endeavour to provide as much value as possible by providing you with plain language feedback and explanations of concerns to be addressed. This means that our reports typically run to a sector-leading 30+ pages.


Stage 3.1: Discussion on Final GAR

Once you have read the report, and if you wish, we hold a final conversation with you to talk through any points raised in it.


Stage 3.2: Optional Progress Review

A review of the Firm’s progress in taking action on the guidance provided following the Audit; usually 3 to 6 months after Stage 6.

We ask the Firm to provide us with copies of documentary evidence of the progress that it has made towards addressing the issues.

Then we conduct a remote meeting, either by MS Teams or telephone, to provide our feedback and discuss any aspect of the issues.

Finally, we follow up with a written summary that independently documents the Firm’s progress and summarises any further guidance.

Join Our Free Best Practice Group

Members of our free-to-join Best Practice Group receive a substantial discount on all of our services. Through this group, we bring together legal practices of all shapes and sizes that wish to confidentially discuss and share knowledge of best practices.


Why Work With PDA Legal?

The PDA Legal Team:

  • Has over 25 years’ experience in the legal sector.

  • Has supported over 500 legal organisations.

  • Has worked with The Law Society on Lexcel and has authored articles and spoken at national Law Society events on key compliance topics.

  • Ensures that all discussions with us are conducted in the strictest of confidence.

  • Operates, wherever possible, on a fixed price model and project scheduling.

  • Offers a free, no obligation initial consultation.

What Our Clients Say About Our AML Audit Services…


“We’ve had independent AML reports before, but PDA’s was by far the most detailed and helpful.”
“PDA’s AML audit report works like a checklist, so that we can see what we need to do, at-a-glance.”
“Thank you for the AML audit, PDA. We feel much better prepared for an SRA visit now!”
“PDA understands AML controls in the context of how real law firms actually work.”
“We now have a reliable structure for the screening of employees, thanks to guidance from PDA”
“AML felt like ‘smoke and mirrors’ until PDA simplified it for us.”
“PDA has been a second and third pair of hands to support our time-poor MLRO.”
“The Partners’ hesitance about an Independent AML Audit melted away when PDA hand-held us through every step.”
“We knew that something wasn’t quite right with our AML processes; thank you, PDA, for pinpointing the issues for us.”
“PDA conducted our Independent Audit so smoothly. We didn’t realise that it could be that painless!”
“PDA didn’t just conduct our AML audit; they stayed to help us update our AML controls, too.”
“PDA’s insight cut through the fog to help us select the appropriate EID/V system for our needs.”
“PDA conducting our Independent Audit saved us a lot of time (and we enjoyed the fresh perspective).”
“PDA’s Independent Audit report put the whole thing into logical context. Very pleased!”
“We’ll be welcoming PDA back to do next year’s Independent Audit too.”
“PDA isn’t the first consultancy that we’ve used to help us with AML… but it will be the last.”


    AML Training FAQs


    When is an Independent AML audit required?

    In practice, firms usually carry out an Independent AML Audit at least every 12 to 24 months, and earlier if there are triggering events (for example: a significant change of business or service lines, a major systems change, an SRA visit, or a serious breach).

    How long does an AML audit take?

    While the length of an AML audit can vary based on firm size, record organisation, and the nature of any compliance issues, PDA Legal’s experienced team generally completes audits in around 3 to 4 days on average.

    What happens after an AML audit?

    You receive a written Gap Analysis / Audit Report that sets out findings, a narrative of where your firm stands, and prioritised recommendations. There is no formal “pass” or “fail” – the report is a roadmap to fix weaknesses in your firm’s PCPs.

    Following your audit’s conclusion, our team can provide you with hands-on support (training, policy rewrites or remediation projects). An independent audit also helps you prepare for SRA inspection because it surfaces issues before regulators do.

    Can the SRA inspect my firm's AML audit report?

    Yes. When the SRA conducts firm inspections, it routinely asks for AML documents in advance – this can include copies of any independent audits and any resulting recommendations or follow-up.

    The SRA has also run programmes to review outcomes of firms’ last independent audits as part of its supervisory activity.

    How do you access my firm's files for the review?

    Auditors normally use a staged approach:

    • A desktop review of your policies, training records, risk assessment, MLRO reports, and sample documentation (you supply documentary evidence in advance).
    • An on-site or remote visit to inspect files, interview staff, view case-management controls, and test AML processes in practice.
    • In practice, document exchange is done securely (e.g. secure portal/upload or encrypted communication) and/or via on-site access to your systems – both to protect client data and create robust audit trails.

    How does your team ensure independence?

    Independence is central to a Regulation-21 audit. The auditor must be independent of the functions being reviewed – MLROs, MLCOs, compliance managers, or those who manage or oversee the controls cannot credibly audit their own work.

    At PDA Legal, we provide an external audit team so the audit cannot be characterised as “marking your own homework”.

    If you conduct an internal “independent” audit, the auditor should be senior, demonstrably independent of the compliance function, and adequately experienced – otherwise, regulators may question its validity.

    What is the difference between an internal audit and an independent audit?

    An independent audit is carried out by someone independent of the firm’s day-to-day compliance functions (e.g. external consultant or a senior manager not responsible for AML).

    An internal audit carried out by the MLRO/MLCO or someone who designed the policies risks a conflict of interest.

    An independent auditor should have seniority and unrestricted access to files, staff, and systems. Internal reviewers must be senior enough to access everything and defend frequency/scope to the CLC or SRA.
