Does a small accountancy firm need an independent AML audit?
Small accountancy firms must decide whether their AML arrangements require independent testing under Regulation 21 and who can perform that work with sufficient separation.
Any review carried out for that purpose should establish whether the practice’s controls operate effectively in day-to-day work and whether identified weaknesses are sufficiently addressed.
Whether independent testing is needed depends on the firm’s structure, services, and risk profile, rather than headcount by itself.
A sole practitioner without relevant employees often falls within a narrow exception, while a firm with staff, shared decision-making, or higher-risk services might need a suitably independent internal reviewer or external support.
Key takeaways
- Small firms do not automatically need a full external AML audit, as the decision depends on the practice’s risks, services, and operating structure.
- The firm-wide risk assessment should support the chosen level of independent testing.
- An internal review can be suitable when the reviewer has the competence, separation, and authority required for meaningful challenge.
- External input is appropriate if sufficient independence cannot be achieved within the practice.
- Review timing should respond to risk and material change rather than follow an assumed annual timetable.
The AML audit requirements under Regulation 21
Under Regulation 21, the independent audit function has three connected responsibilities:
- Assess whether the firm’s anti-money laundering framework is adequate and effective
- Recommend improvements where they are needed
- Check that those improvements are implemented
While this AML judgement should be grounded in the firm-wide risk assessment (FWRA) under Regulations 18 and 18A, there is no fixed numerical threshold or default requirement for an annual external review.
Moreover, an AML independent audit function is separate from a statutory financial statement audit. As such, the reviewer does not have to be a registered auditor simply because Regulation 21 uses the word audit.
A narrow exception applies if the relevant person is an individual who neither employs nor acts in association with anyone else. CCAB defines this arrangement as a sole practitioner with no relevant employees.
A single-principal practice that employs staff cannot assume it falls within the same exception.
When independent AML testing is likely to be appropriate
In practice, the FWRA should identify the business-model factors that determine how extensive independent testing should be, supported by client risk assessments if client-specific exposure affects the conclusion.
For example, a two-person practice serving straightforward local owner-managed businesses might only need limited independent testing.
Yet, a practice of the same size undertaking higher-risk or complex work, such as trust or company services, likely needs stronger independent challenge even though its headcount remains low.
The operating structure also affects the decision because a practice with more layers can create scope for inconsistent decisions, particularly when responsibility for client acceptance or control application is dispersed.
Rapid growth or a material systems change can have a similar effect, as established AML controls might no longer operate as intended.
Signs that stronger independence could be justified
External or more clearly separated testing becomes more compelling if the practice handles complex or cross-border matters or has control weaknesses. HMRC’s 2026 accountancy sector risk guidance also highlights these factors.
Past performance is also relevant, as unresolved supervisory or file-review issues could indicate that internal ongoing monitoring has not been sufficiently rigorous.
Taken together, these factors can make it difficult to defend a limited internal check as providing the required degree of independence.
Achieving independence in a small practice
CCAB recognises that an appropriate internal assurance function can perform the review, while ICAEW advises making the arrangement as independent as possible for the firm’s size and nature.
Testing can be conducted by a suitably senior person, including someone in an internal quality or compliance role.
Furthermore, as part of the firm’s wider senior management responsibility for AML, the reviewer must be competent, sufficiently separate from the work, and empowered to challenge decisions and require action.
The same independence should extend to the outcome of the review, which means the reviewer must be able to report failures candidly and secure corrective action.
Practical takeaway: When a very small firm has no in-house reviewer able to act independently, commissioning third-party support could be the most credible option.
Proportionate alternatives to a full external AML audit
An accountancy practice can build risk-based AML testing into an existing quality-monitoring programme and assign it to someone not involved in the activity being reviewed.
If a particular service presents greater AML exposure, an external specialist could review that area or examine a known weakness.
Some firms combine routine internal testing with periodic external assurance, bringing outside scrutiny when it offers most value while keeping the model aligned with the practice’s risk profile.
Whatever form is chosen, the work must assess both the documented arrangements and how those arrangements operate in practice.
The timing should follow the same risk-based logic, as Regulation 21 does not prescribe annual testing and CCAB guidance expects reviews at intervals proportionate to the business.
The detailed testing method should be recorded separately in the firm’s review plan or working papers.
Recording and reviewing the decision
The practice should document why its chosen review arrangement is suitable. The record should identify the reviewer, explain the safeguards for independence, and show how recommendations will be tracked through to completion.
It should also confirm whether the firm’s AML supervisor has issued any additional expectations or required an independent review. The rationale should be reviewed and updated when the practice’s risk profile or operating model changes, or when a supervisor identifies weaknesses.
In summary
Whether a small accountancy practice needs an independent AML audit depends on proportionality.
A full external review is best when internal separation is weak, risk is higher, or earlier issues have not been resolved. In a lower-risk firm, a competent reviewer with enough separation and authority can often provide a suitable internal route.
The decision should, however, be evidenced in a clear record.
The record should identify who will carry out the review and why the reviewer is sufficiently independent. It also needs to explain how AML findings will be followed through and how the review approach will be reconsidered as the practice changes.
FAQs
An individual practising alone with no relevant employees may fall within the Regulation 21 exception for someone who neither employs nor acts in association with anyone else. A practice with one principal and employed staff should assess the position differently. The decision should reflect the firm’s AML risks and any specific expectations set by its AML supervisor.
Registered auditor status is not required merely because the Money Laundering Regulations label the function an “audit”. The subject of the review is the firm’s AML arrangements instead of the statutory financial statements. The role requires an understanding of AML requirements, authority to raise concerns, and objectivity when examining the work.
A senior, competent person can undertake the review if their role does not compromise impartiality. They should be able to question decisions openly and follow up on weaknesses. That said, if everyone in the practice is closely involved in the same activities, an external reviewer may provide greater independence.
The Money Laundering Regulations do not make an annual review mandatory for every firm, so the practice’s AML risk and circumstances should determine the timing. A review might be needed in some situations, such as after significant growth or a major change in how the practice operates.
The firm should record why its chosen level of independent testing fits its size, services, and AML risk. The note should name the reviewer, set out the follow-up process for required improvements, and explain the measures used to preserve independence.
References and Source Material
- Money Laundering Regulations 2017 (Regulation 21)
- Money Laundering Regulations 2017(Regulation 18)
- Money Laundering Regulations 2017(Regulation 18A)
- HMRC, Risks common to accountancy service providers
- CCAB, Anti-Money Laundering, Counter-Terrorist and Counter-Proliferation Financing Guidance for the Accountancy Sector
- HMRC, Accountancy sector guidance for money laundering supervision
- ICAEW, Perform a regular compliance review

