Guest blog with Amy Bell and Kayleigh Smale.
Let’s be honest.
Most people hear “AML audit” and think: policies, registers, a few dusty spreadsheets and someone nervously clicking through their intranet folder trying to find the latest training log.
But the reality? Audits have changed. Dramatically.
We’ve seen it shift from a tick-box exercise into something more like a cultural MRI. Yes, your documents still matter, but how your team talks about compliance, how comfortable they are saying “I don’t know”, and whether your board actually engages with risk… that’s what sets the tone now.
Controls alone won’t save you
Plenty of law firms have beautifully written policies. We've read them. We've even written some of them. But during an audit, what we often find is that those controls are gathering dust, metaphorically if not literally.
Auditors now ask: does the behaviour match the policy?
For example:
- Your AML policy might say all high-risk clients are reviewed monthly, but is anyone actually doing that?
- The suspicious activity escalation chain may look pristine on paper, but what happens in practice when someone’s genuinely unsure?
In short, having controls isn’t enough. Auditors are looking at how those controls show up in real life. And the gaps? They almost always appear in human decision-making, not in the existence of a document.
Cultural signals auditors pick up on
Here’s where it gets interesting and a bit uncomfortable. Auditors pick up on cultural “tells” faster than you think. These are some of the red flags that signal surface-level compliance:
- “We just do that” or “I think it’s in the policy somewhere…”
Vague answers like this usually mean training hasn’t stuck or the process isn’t embedded.
- Hesitation when asked about escalation
If your team has to think twice about who to report to, that’s a sign your reporting chain isn’t clear or worse, isn’t trusted.
- Junior team members not owning their role in compliance
If the narrative is “compliance is the MLRO’s job”, you’re missing shared accountability.
- Board reports that tick a box but don’t lead to action
A traffic-light dashboard once a quarter doesn’t cut it if no one’s asking “why is this amber?” or “what are we doing about it?”.
Auditors don’t need a smoking gun to draw conclusions. If your team can’t talk confidently about the why behind your controls, or if everything feels a bit too performative, they’ll sense it.
Building a visible compliance culture
So what does good look like?
In smaller firms, culture shows up in how comfortably people raise their hand and say, “This feels off”. It’s in the partner who pauses a new matter meeting to ask about source of funds. It’s in the training that doesn’t just get signed off but discussed.
In larger firms, culture is in the rhythm of your reporting, in how risk is owned, and in whether compliance is seen as a burden or a backbone.
Want to strengthen your culture? Start here:
- Empower your team to question and escalate
Make it okay not to know something as long as they ask. That’s what regulators want to see.
- Use training to signal your values
Yes, the regs matter. But the why behind them is what sticks. If you’re just pushing out annual modules, that's not culture - that’s survival.
- Talk about compliance like you talk about billing or clients
It should be normal, not niche.
Conclusion
Audits aren’t just about assessing your controls. They’re holding up a mirror to your firm’s culture. Do your people understand their role in preventing financial crime? Do they feel confident to act when something’s not right? Or are they hoping someone else will catch it?
A mature compliance culture doesn’t happen by accident. It shows up in small moments: how a query is handled, how a junior is trained, how your board reacts to risk.
And here’s the clincher: a strong compliance culture won’t just help you pass your next audit. It’ll help you prevent the issue in the first place.
Because as we always say, “Compliance isn’t what you write down. It’s what you do when no one’s watching.”
+ + +
About our authors
Amy Bell, Teal Compliance
Amy Bell is a leading expert in legal compliance, specialising in anti-money laundering and risk management for law firms. With over 20 years’ experience in the legal sector, she is the founder of Teal Compliance and AML Sorted, helping firms build practical, sustainable compliance frameworks. Amy is a sought-after speaker and trainer, known for translating complex regulations into straightforward guidance. Passionate about driving cultural change, she has developed industry standards and training adopted across the UK and internationally. Amy is committed to making compliance more effective, less stressful, and better aligned with the realities of modern legal practice.
Kayleigh Smale, Smale Compliance
Kayleigh Smale is the founder of Smale Compliance and a passionate advocate for making Anti-Money Laundering (AML) and compliance both practical and enjoyable. With over a decade of experience in the legal sector she has made it her mission to support law firms in navigating AML in a way that feels less like a box-ticking exercise and more like a meaningful part of doing business well.
Her work is guided by five key values: practicality, engagement, integrity, simplicity, and empathy. Whether delivering webinars, speaking at legal conferences, or developing clear and usable compliance policies, Kayleigh is known for her ability to bring clarity, confidence, and even a touch of fun to what can often feel like a daunting area.
She’s not just passionate about compliance, she’s passionate about helping others feel empowered and supported in getting it right.
About First AML
First AML comes from the perspective of both a technology provider and compliance professionals. Prior to releasing First AML’s all-in-one AML workflow platform, we processed over 2,000,000 AML cases ourselves. Understanding the acute problem that faces firms these days as they try to scale their own AML is in our DNA.
That's why First AML now powers thousands of compliance experts around the globe to reduce the time and cost burden of complex and international entity KYC. Source stands out as a leading solution for organisations with complex or international onboarding needs. It provides streamlined collaboration and ensures uniformity in all AML practices.