Actually, BSA is not required to be audited annually. The time period is based upon the risk assessment, although annual tends to be the norm (I know one high-risk entity that audits twice a year). From the FFIEC manual:
Independent testing (audit) should be conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties. While the frequency of audit is not specifically defined in any statute, a sound practice is for the bank to conduct independent testing generally every 12 to 18 months, commensurate with the BSA/AML risk profile of the bank.