SRA AML Audit: A Practical Guide to Being Ready Before the Letter Arrives
An SRA AML audit rarely arrives with drama. It usually starts with a short, polite letter from the Solicitors Regulation Authority attached to an email confirming that your firm has been selected for an AML inspection. It is not an allegation of wrongdoing. Even though the majority of the industry has now had an audit, an SRA AML audit still immediately raises anxiety levels for most firms.
The reason is simple. An SRA AML audit comes with tight deadlines, extensive document requests, and very real regulatory, financial, and reputational consequences if things are not in order.
This article explains the SRA AML audit process in plain English. It sets out what the SRA asks for, how desktop and on-site SRA AML audits work, where firms typically fail, and what you should be doing now to be genuinely audit ready before the letter ever arrives.
Why the SRA AML Audit Programme Is Expanding
The volume of SRA AML audits has increased significantly in recent years. The SRA has publicly confirmed that hundreds of AML audits are now conducted annually, with further expansion planned.
Most regulated law firms will fall into one of two categories:
- Firms that have already been through an SRA AML audit
- Firms that have not yet been audited
The second group should not assume they are safe. Based on current audit volumes, recruitment within the SRA, and recent enforcement trends, most firms within scope can reasonably expect an SRA AML audit within the next few years.
Importantly, SRA AML audits are no longer one-off events. Repeat audits are becoming more common, sometimes within a relatively short timeframe. The SRA’s position is clear: AML compliance must be continuous, not episodic.
The SRA AML Audit Letter: What Happens First
An SRA AML audit usually begins with written notification. Once that letter arrives, the clock starts immediately.
Firms are typically given around seven days before the audit format and date are confirmed. Within fourteen days, the SRA will expect a comprehensive package of AML documentation. For many firms, this is the moment where stress escalates.
The firms that handle an SRA AML audit calmly and efficiently are almost always the firms that prepared well in advance. Those that scramble tend to expose weaknesses they did not realise existed.
Do Not Scramble. Prepare for the SRA AML Audit in Advance.
Fourteen days may sound reasonable, but in compliance terms it is extremely tight.
An SRA AML audit requires firms to produce a full and coherent AML framework, not just isolated documents. This usually includes:
- A current AML policy and procedures
- Firm-wide risk assessments, including historic versions
- Proliferation financing risk assessments
- AML training records for all relevant staff
- Results of internal file reviews
- Details of any external AML audits
- Registers of high-risk clients and matters, including PEPs
Alongside this, firms must complete a detailed SRA AML audit questionnaire. This often requests operational data that firms do not routinely collate, such as:
- Total staff numbers and office locations
- Breakdown of income by service line
- Proportion of work subject to AML regulation
- Exposure to conveyancing, private client, or trust work
- Involvement in tax advice or higher-risk matters
If documents are not already stored centrally and kept up to date, the SRA AML audit deadline quickly becomes unmanageable.
What the SRA Will Ask for in an AML Audit
Although every SRA AML audit is slightly different, the document requests are remarkably consistent.
Firms are usually required to submit:
- A firm-wide risk assessment aligned to current practice
- A current AML policy reflecting how the firm actually operates
- AML training logs showing who was trained, when, and on what
- File review results and audit findings
- A list of high-risk clients and politically exposed persons
- A completed SRA AML audit questionnaire
Problems most often arise when documents contradict one another. Dates do not align, risk assessments are outdated, or policies describe practices that are no longer followed. These inconsistencies are routinely flagged during an SRA AML audit.
Desktop SRA AML Audits vs On-Site SRA AML Audits
The SRA conducts two main types of AML audit: desktop audits and on-site audits.
An on-site SRA AML audit typically allows more time. Documents are submitted first, followed by a visit from the assessor. This provides an opportunity to brief staff and ensure processes are clearly understood.
A desktop SRA AML audit moves much faster. Everything is handled remotely, usually by email, and deadlines are tight. There is no opportunity to clarify issues face-to-face. The documentation must stand on its own.
In both formats, the SRA will request client files. Firms are usually given only a few days to produce complete files, including:
- Client due diligence and ID evidence
- Client matter risk assessments
- Source of funds and source of wealth checks
- Client care letters and engagement terms
- Financial records and ledgers
Weak file-level compliance is one of the most common causes of adverse SRA AML audit outcomes.
The Interview Stage of an SRA AML Audit
Most SRA AML audits include interviews with key personnel, particularly the MLRO and MLCO.
The SRA will explore how AML compliance works in practice, not just on paper. Typical areas of questioning include:
- How high-risk matters are identified and escalated
- How red flags are handled and documented
- How sanctions checks are carried out and monitored
- How ongoing risk is reviewed during a matter
Technology is also a key focus. Firms using electronic ID or AML software are expected to understand how those systems work. MLROs should be able to explain search results, false positives, and the limits of the technology being used.
Poor understanding at this stage can significantly weaken an SRA AML audit outcome.
Can You Fix AML Issues After an SRA AML Audit Starts?
Technically, yes. The SRA generally prefers updated documents to missing ones. If something is corrected during the audit process, transparency is essential.
However, last-minute remediation during an SRA AML audit carries risk. Stress increases, errors multiply, and historic gaps cannot be recreated. Training records, historic risk assessments, and audit trails cannot be rebuilt after the fact.
The strongest position is always to enter an SRA AML audit already prepared.
If It Is Not Documented, the SRA Will Treat It as Non-Compliant
One of the most consistent findings in SRA AML audits is poor documentation.
Many firms carry out AML checks but fail to record them adequately. From the SRA’s perspective, undocumented work effectively did not happen.
Client matter risk assessments, source of funds checks, and source of wealth analysis must be recorded clearly and meaningfully. Generic tick-box templates are rarely sufficient in an SRA AML audit.
The SRA expects to see evidence of judgement, not just process.
What Happens After an SRA AML Audit
Following the audit, the SRA issues an outcome letter.
Some firms receive confirmation that no further action is required. More commonly, firms are issued with required improvements. These might include:
- Updating AML policies and procedures
- Improving firm-wide or client matter risk assessments
- Strengthening source of funds documentation
- Enhancing AML training programmes
Minor issues are often accompanied by a 21-day remediation period. More serious concerns may allow up to three months. In some cases, matters are referred for enforcement, leading to investigations, fines, or public outcomes.
Outdated risk assessments, generic documentation, and weak client matter risk assessments remain the most common red flags in SRA AML audits.
What Law Firms Should Do Now to Prepare for an SRA AML Audit
Firms that want to be genuinely ready for an SRA AML audit should already be doing the following:
- Centralising all AML compliance documentation
- Retaining current and historic AML policies and risk assessments
- Maintaining detailed AML training logs
- Conducting regular internal or external AML audits
- Keeping registers of high-risk matters, PEPs, and SARs
- Using narrative-based client matter risk assessments
- Properly documenting source of funds and source of wealth
- Running regular file reviews
- Ensuring MLROs and MLCOs have adequate time and authority
- Understanding the limits of AML technology tools
Many SRA AML audit failures are ultimately caused by lack of capacity rather than lack of intent.
Final Thoughts on the SRA AML Audit Process
An SRA AML audit is demanding, but it does not have to be disruptive or damaging.
The firms that navigate an SRA AML audit most successfully are those that prepare early, document thoroughly, and treat AML compliance as a core business function rather than a regulatory afterthought.
That approach aligns directly with what the SRA expects to see during an AML audit.
Being ready before the SRA AML audit letter arrives is the single most effective way to protect your firm, your reputation, and the individuals responsible for compliance.