SRO audits are the primary supervisory mechanism for most Swiss FinTech companies and financial intermediaries. Whether supervised by VQF, PolyReg, AOOS, or another recognised body, periodic audits assess AML/KYC compliance, organisational adequacy, and adherence to SRO regulations. Poor audit outcomes can result in membership suspension, FINMA intervention, or criminal referral. This guide helps you prepare effectively and avoid the most common findings.
How SRO Audits Work
SROs audit their members under FINMA's oversight at intervals set by each member's risk classification, typically every one to three years, with higher-risk firms audited more often. Auditors review:
- AML/KYC policies and their operational implementation
- Customer due diligence files for completeness and accuracy
- Transaction monitoring rules, alerts, and investigation outcomes
- MROS reporting procedures and tipping-off compliance
- Organisational structure, compliance officer qualifications, and staff training
- Record retention and data protection practices
Audits combine document review, sample testing of client files, and interviews with management and compliance staff. Findings are classified by severity with required remediation timelines.
Pre-Audit Preparation Steps
1. Conduct an Internal Pre-Audit
Three to six months before the scheduled SRO audit, perform an internal compliance review mirroring SRO scope. Sample 10–20 client files across risk categories and verify CDD completeness, beneficial ownership documentation, and ongoing monitoring evidence. Document gaps and remediate before the auditor arrives.
2. Organise Documentation
Prepare an audit data room with: AML/KYC policy (current version with approval date), organisational chart, compliance officer CV and appointment letter, staff training records, transaction monitoring rule documentation, sample MROS reporting evidence (anonymised), and previous audit remediation evidence. Missing documents create immediate findings.
3. Verify System Evidence
If using automated monitoring, prepare evidence that rules are configured correctly and under change control (who changed which rule, when, and on whose approval), that alerts are reviewed within defined timelines, and that false positive rates and alert backlogs are tracked and managed. RegTech platforms should produce audit-ready reports showing control execution history rather than screenshots assembled the week before the audit.
4. Brief Management and Staff
Auditors interview compliance officers and senior management. Ensure staff understand AML obligations, MROS reporting triggers, and their individual responsibilities. Inconsistent answers signal weak compliance culture.
Most Common SRO Audit Findings
- Incomplete CDD files — Missing beneficial ownership, outdated identity documents, or absent purpose-of-relationship documentation.
- Insufficient PEP and sanctions screening — No evidence of ongoing screening after onboarding.
- Transaction monitoring gaps — Rules not calibrated to business model; alerts not investigated within SLA.
- Missing training records — Staff AML training conducted but not documented.
- Delayed MROS reporting — Reports filed late because internal investigation continued after suspicion had already been substantiated.
- Outdated policies — AML policy not updated after regulatory changes or business model shifts.
Detailed guidance on avoiding CDD and monitoring findings is in our AML/KYC compliance guide. Crypto firms should additionally review digital asset compliance requirements.
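As an added example (not tooling from any SRO or from the guides referenced above), the following Python script automates the file sampling of step 1 and the system-evidence checks of step 3, and flags the first three common findings listed above: incomplete CDD files, missing ongoing screening, and alerts investigated outside the SLA. The thresholds (a 30-day rescreening interval, a five-day alert-review SLA) and the client and alert records are assumptions constructed for illustration; take the real values from your own AML policy and your SRO's regulations.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Thresholds are assumptions for illustration only; set them from your own
# AML policy and SRO regulations.
RISK_CATEGORIES = {"low", "medium", "high"}
SCREENING_MAX_AGE_DAYS = 30           # assumed PEP/sanctions rescreening interval
ALERT_REVIEW_SLA = timedelta(days=5)  # assumed alert-review SLA


@dataclass
class ClientFile:
    client_id: str
    risk: str
    id_document_expiry: date | None
    beneficial_owners: list[str]      # natural persons: the client's own BO declaration
    purpose_of_relationship: str | None
    last_screening: date | None       # most recent PEP/sanctions screening run


@dataclass
class Alert:
    alert_id: str
    client_id: str
    raised: datetime
    reviewed: datetime | None
    outcome: str | None  # e.g. "false_positive", "escalated", "reported"


def check_client_file(f: ClientFile, today: date) -> list[str]:
    """Return the CDD findings an auditor would raise on one sampled file."""
    findings = []
    if f.risk not in RISK_CATEGORIES:
        findings.append("risk category not assigned")
    if f.id_document_expiry is None:
        findings.append("no identity document on file")
    elif f.id_document_expiry < today:
        findings.append("identity document expired")
    if not f.beneficial_owners:
        findings.append("beneficial owner not documented")
    if not f.purpose_of_relationship:
        findings.append("purpose of relationship missing")
    if f.last_screening is None:
        findings.append("no PEP/sanctions screening evidence")
    elif (today - f.last_screening).days > SCREENING_MAX_AGE_DAYS:
        findings.append("PEP/sanctions screening stale")
    return findings


def check_alerts(alerts: list[Alert], now: datetime) -> dict[str, str]:
    """Map alert id -> finding for alerts that breach the SLA or lack an outcome."""
    findings = {}
    for a in alerts:
        if a.reviewed is None:
            if now - a.raised > ALERT_REVIEW_SLA:
                findings[a.alert_id] = "open past SLA"
        elif a.reviewed - a.raised > ALERT_REVIEW_SLA:
            findings[a.alert_id] = "reviewed after SLA"
        elif a.outcome is None:
            findings[a.alert_id] = "reviewed without documented outcome"
    return findings


def false_positive_rate(alerts: list[Alert]) -> float | None:
    """Share of closed alerts dispositioned as false positives (None if none closed)."""
    closed = [a for a in alerts if a.outcome is not None]
    if not closed:
        return None
    return sum(a.outcome == "false_positive" for a in closed) / len(closed)


def sample_across_risk(files: list[ClientFile], per_category: int) -> list[ClientFile]:
    """Take up to per_category files from each risk category so the sample mirrors
    SRO scope instead of clustering in low-risk clients."""
    sample = []
    for risk in sorted(RISK_CATEGORIES):
        sample.extend([f for f in files if f.risk == risk][:per_category])
    return sample


def run_pre_audit(files, alerts, today, now, per_category=5):
    """Assemble the internal pre-audit report from the sampled files and alerts."""
    sample = sample_across_risk(files, per_category)
    return {
        "file_findings": {f.client_id: check_client_file(f, today) for f in sample},
        "alert_findings": check_alerts(alerts, now),
        "false_positive_rate": false_positive_rate(alerts),
    }


# Constructed sample data for illustration; not real client or alert records.
TODAY = date(2024, 6, 1)
NOW = datetime(2024, 6, 1, 9, 0)
SAMPLE_FILES = [
    ClientFile("C001", "low", date(2030, 1, 1), ["C001 (self)"], "salary account", date(2024, 5, 20)),
    ClientFile("C002", "high", date(2023, 12, 31), [], "proprietary trading", date(2024, 1, 15)),
    ClientFile("C003", "medium", date(2027, 3, 1), ["C003 (self)"], None, None),
]
SAMPLE_ALERTS = [
    Alert("A1", "C002", datetime(2024, 5, 1, 10), datetime(2024, 5, 3, 12), "escalated"),
    Alert("A2", "C002", datetime(2024, 5, 10, 10), datetime(2024, 5, 20, 10), "false_positive"),
    Alert("A3", "C003", datetime(2024, 5, 25, 10), None, None),
    Alert("A4", "C001", datetime(2024, 5, 30, 10), None, None),
    Alert("A5", "C001", datetime(2024, 5, 2, 10), datetime(2024, 5, 3, 10), None),
]

if __name__ == "__main__":
    report = run_pre_audit(SAMPLE_FILES, SAMPLE_ALERTS, TODAY, NOW)
    for client, items in report["file_findings"].items():
        print(client, items or "OK")
    print(report["alert_findings"], report["false_positive_rate"])
```

Run against the constructed data, C001 passes, C002 collects three findings (expired ID, no beneficial owner, stale screening) and C003 two (no purpose of relationship, no screening evidence); alerts A2, A3 and A5 are flagged and the false-positive rate over closed alerts is 0.5. Point the loaders at your own CDD repository and alert queue, and keep the generated report as remediation evidence for the SRO.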
Document Retention Requirements
AMLA (Art. 7) requires financial intermediaries to retain CDD documentation and transaction records for at least ten years after the business relationship ends or the transaction is completed, in a form that lets a competent third party assess compliance and lets requests from the authorities be answered within a reasonable time. Auditors verify retention systems, backup procedures, and accessibility. Digital storage must keep records readable and retrievable for the full period: file formats must survive system migrations, encryption keys must outlive the records they protect, and backups should be proven by periodic test restores rather than by the existence of a backup job.
Remediation Best Practices
When findings occur, respond with a structured remediation plan: root cause analysis, corrective actions with owners and deadlines, and preventive measures to avoid recurrence. SROs track remediation completion and may conduct follow-up reviews for material findings. Proactive remediation before the audit deadline demonstrates compliance commitment.
Transitioning from SRO to FINMA Supervision
Growing firms may require direct FINMA licensing. SRO audit history and remediation track record feed into FINMA licence applications. Clean audit outcomes strengthen applications; recurring findings delay authorisation.
Pre-Audit Checklist
- Internal pre-audit completed with findings remediated
- AML/KYC policy current and management-approved
- Compliance officer qualifications documented
- Sample CDD files verified for completeness (natural persons and legal entities)
- PEP and sanctions screening evidence for sample clients
- Transaction monitoring rules documented with alert review evidence
- Staff AML training records for all relevant employees
- MROS reporting procedure tested and understood by staff
- Previous audit findings remediated with evidence retained
- Data retention system verified for 10-year AMLA compliance
SRO audit preparation is not a last-minute exercise — it reflects the health of your ongoing compliance programme. Firms that treat audits as continuous readiness rather than periodic fire drills achieve cleaner outcomes and stronger regulatory relationships.