Here's the process I've implemented in our Trust division. It hasn't been the target of regulatory criticism, but as you know the devil is in the details and how the process is implemented. One additional note - although our trust division is 2.5 billion in assets, it is still operated very much like a small trust division - we know our clients. Most clients have a connection to the bank, existing clients, and/or community, so to start with we deal largely with people we know.
Account acceptance - approval by committee. Must have CIP information along with all other information for consideration.
Initial account review (aka 60-day review) - presentation by trust officer to committee. Must attest to the accuracy of the system set-up and coding, including the setting-up of all interested parties. On review form define the types of "normal" activity that is expected and permissible under the terms of the governing document. This definition sets the standard against which all account activity for that particular account is measured.
Daily the trust officer is responsible for reviewing the prior day's transactions. By definition if transactions don't fit in the definition of what has been defined as "normal" - it's abnormal and must be reported within 3 business days of the transaction to the compliance officer (me).
Upon notification of abnormal activity, I review the transactions, documentation regarding the transaction, and review the governing document. I prepare a report on my findings and submit to the BSA officer for potential SAR filing.
Annual review (we incorporate both investment and administrative review into one process). Trust officer again defines "normal" activity for the account and explains any changes from a prior definition of normal. Trust Officer affirms their review and monitoring of daily activity by responses to various questions on the review form. They attest to the fact that with the exception of specifically cited instances/incidents reported to the compliance officer all account activity during the review period is consistent with the definition of "normal" activity for that particular account.
Internal audit includes testing in their process (or at least in their risk assessment to determine whether testing should be done). Since I was largely responsible for the development of the process and am a member of the account acceptance and account review committees, I don't conduct testing on this aspect because of a lack of independence in the process.
That said, I can be a tough task master if something isn't right on the front-end. The only part I don't have a hand in is the daily review and monitoring of account transactions... but then this comes back to one of my earlier statements... we know the majority of our clients.
Hope this helps