In our most recent BSA exam, the external auditor wrote us up on not having the requirement of annual independent testing in our policy. We do have this in our policy but the policy says that "the Compliance Officer will be responsible for establishing a schedule of surprise checks for compliance." and so on and so on. We have several paragraphs relating to independent testing. Realistically, the Compliance Officer in our institution cannot complete the independent testing because they are the BSA Officer as well. Therefore, I think that this is what the auditor was really referring to.

We also have the statement in our policy that says: "Independent testing of compliance by bank personnel or by an outside party." I guess that I'm not quite sure what the auditor is looking for. Do I need to make a statement that says we require an annual external audit?

My understanding is that you should have independent testing (audit) at least every 12 to 18 months. This testing should either be outsourced or conducted by the internal audit department, outside auditors, consultants, or other qualified independent parties.

You are right that the BSA Officer can not do the testing. It has to be someone that is independent of any BSA functions.

Do I need to make a statement that says we require an annual external audit?

I think you should word it similar to the way it is worded in the FFIEC BSA/AML Examination Manual on page 34.

Thank you! I need to remember to refer to the manual when trying to figure out how to word things for our policies.