In our most recent BSA exam, the external auditor wrote us up on not having the requirement of annual independent testing in our policy. We do have this in our policy but the policy says that "the Compliance Officer will be responsible for establishing a schedule of surprise checks for compliance," and so on and so on. We have several paragraphs relating to independent testing. Realistically, the Compliance Officer in our institution cannot complete the independent testing because they are the BSA Officer as well. Therefore, I think that this is what the auditor was really referring to.
We also have the statement in our policy that says: "Independent testing of compliance by bank personnel or by an outside party." I guess that I'm not quite sure what the auditor is looking for. Do I need to make a statement that says we require an annual external audit?