How to prepare for your AML/CTF audit using Workflow
When it's time for your AML/CTF audit, give the auditor a login to Workflow — that's where all your records are, and it's the most efficient way for them to review your compliance history.
Step 1: Create a login for your auditor
Go to Settings and click Team
Click Invite User
Enter your auditor's email address
Assign them an Agent plan — this lets them view cases and records.
There is no additional charge for user seats. You can give your auditor access without affecting your billing.
Step 2: Brief your auditor on how to navigate Workflow
When your auditor logs in, show them (or send them this article):
Cases — the main list of all AML cases, filterable by status, risk level, and date range
Risk Assessment tab within each case — shows the completed assessment and result
Documents tab within each case — shows all uploaded source of funds and other compliance documents
History tab within each case — shows the full audit trail of every action taken on the case, timestamped and attributed to specific users
Step 3: Use Workflow's built-in filters, not manual exports
In the Cases view, use the filters to narrow by risk level, date range, or status
Select the Case requiring a review to see all the related details
Auditors typically work through high-risk cases first, then medium-risk. The filter by risk level makes this straightforward.
What auditors typically look at
High-risk cases receive the most scrutiny. For each one, auditors will check:
Was verification completed before the service was provided?
Was a risk assessment completed, with an appropriate result?
Is source of funds (and source of wealth, if applicable) documentation on file?
Are there notes explaining any flags, overrides, or judgement calls?
Medium-risk cases follow a similar review pattern, with particular attention to source of funds documentation.
Low-risk cases are generally reviewed at a higher level — auditors confirm the checks were done and the assessment was completed.
How review periods support your audit
Workflow's review period system helps auditors understand your ongoing obligations:
Risk level | Review period | What this means for audit |
Low risk | 3 years | Client re-verified every 3 years — auditor checks that no client has gone without a check for longer than this |
Medium risk | 2 years | More frequent re-verification — auditor checks for any lapsed medium-risk clients |
High risk | 1 year | As above — and with closer attention to enhanced due diligence documentation |
Workflow displays the review period status for each client, making it easy to identify any that are approaching or past their review date.
What if you discover a gap during audit preparation?
If you find a case where a check wasn't done, documentation is missing, or a risk assessment was skipped:
Do not try to backdate or reconstruct records
Create a note in the case acknowledging the gap and explaining the circumstances
Complete any missing steps now (e.g., run a late verification if the client is still available)
If a check genuinely cannot be completed retrospectively, document why
Auditors are experienced with gaps in new compliance programs — particularly in the early years of Tranche 2. Transparency and documentation of your response is more valuable than attempting to cover the gap.
What if my auditor has questions about how Workflow works?
Direct them to this Help Centre, or contact APLYiD support — we can assist auditors with questions about how records are stored and how the system generates its outputs.
Related articles
This article provides general information only and is not legal advice.