
Sanctions audit in your company — the complete self-assessment checklist before an inspection

A practical sanctions audit checklist for SMEs — 10 areas to check, legal basis, remediation priorities. Find out whether your company is ready for a KAS audit, a GIIF inspection or a sanctions review.

Published: · Sanqto Team · 16 min read
[Image: A sanctions audit checklist on a desk next to a computer showing verification results against the EU and MSWiA lists; the process of internally assessing a company's compliance with the sanction screening obligation]

Legal status as of: 2026-05-26.

If you already know that your company must run sanction screening, it is time to check whether you actually run it in a way that would survive an inspection by the Polish tax administration (KAS), the financial intelligence unit (GIIF) or a sanctions inspector. A sanctions audit is not a complicated process requiring external auditors. It is an internal self-assessment you can do in one afternoon — provided you have a checklist.

In this article you will get 10 areas to work through in order, with specific control questions, the legal basis and an indication of what signals a lack of readiness.

TL;DR

  • A sanctions audit takes 90–180 minutes for a typical SME (10–250 staff). It does not require an external auditor.
  • You check 10 areas — from appointing a compliance officer to documenting decisions.
  • 3 critical areas (BLOCK): no compliance officer, no client verification procedure, no sanctions list in use — these are breaches an inspector will spot in the first few minutes.
  • Remediation priority: BLOCK → 7 days, major FIX → 30 days, minor FIX → 90 days.
  • The audit is worth repeating once every 12 months or after a material change (new industry, new market, new sanctions list).

What a sanctions audit is and how it differs from an AML audit

A sanctions audit is an internal assessment of whether a company meets the obligations arising from:

  • the Act of 13 April 2022 on special measures to counter support for aggression against Ukraine (Journal of Laws 2022, item 835)[1],
  • EU Regulations 269/2014 (freezing of persons’ assets)[2] and 833/2014 (sectoral sanctions on Russia)[3],
  • Regulation 765/2006 (Belarus)[4],
  • decisions of the Ministry of the Interior and Administration (MSWiA) on entries in the Polish sanctions list[5].

An AML audit, on the other hand, covers all obligations under the Act of 1 March 2018 on counteracting money laundering and terrorist financing (Journal of Laws 2018, item 723)[6] — including KYC (know your customer), client risk assessment, reporting transactions to GIIF, and identifying the beneficial owner.

The most important difference: a sanctions audit covers a broader range of entities. The sanctions regime applies directly (EU regulations) to all companies in the EU — not only to so-called obliged institutions. In other words: even if your company is not an obliged institution within the meaning of AML rules, it must comply with EU sanctions.

We break down the differences between AML and sanctions in detail in the article AML and sanctions — what is the difference.

Who should carry out the audit

The audit should be performed by every company that meets at least one of the conditions below:

  1. It is an obliged institution within the meaning of Art. 2(1) of the AML Act[6] — accounting offices, tax advisers, real estate agents, currency exchange offices, insurance brokers, virtual-asset service providers, dealers in luxury goods above EUR 10,000, and so on.
  2. It conducts international transactions — export, import, services for foreign clients, export factoring, cross-border leasing.
  3. It provides financial services in a non-financial way — operating leases, factoring, instalment sales, consumer loans below AML thresholds.
  4. It bids for public contracts — Art. 7 of the sanctions act + Art. 5k of Reg. 833/2014 (more in our article sanctions and public procurement).
  5. It serves clients from risk lists — Russia, Belarus, Iran, North Korea, countries covered by selected sectoral sanctions.

In practice — across our priority industries — the audit should be done by all firms in tourism, insurance, real estate, leasing and e-commerce. Also accounting offices and law firms — as obliged institutions.

The checklist itself — 10 areas to check

Go through them in order. Each area = one main question + 2–3 control questions. The answer is YES / NO / PARTIALLY. Do not peek at the priorities first — see for yourself how much pain you find in the company.

1. Compliance officer — appointed and known?

Main question: Has your company appointed a person responsible for sanction screening and compliance? (This can be the same person who handles AML, or a separate one.)

Control questions:

  • Is the appointment decision in writing (a board resolution or an owner’s decision, an employee statement)?
  • Does this person have access to sanctions lists and verification tools?
  • Does everyone in the company know who to report a suspicious match to?

Legal basis: Art. 8(1) of the AML Act[6] (for obliged institutions) — the obligation to appoint a member of senior management responsible for performing AML obligations. For firms outside the category of obliged institutions — the requirement of sound risk management; in the event of a sanctions inspection, the absence of a designated person amounts to an allegation of omission.

What signals a gap: “no one specifically does it”, “the board oversees it generally”, no specific person named in the answer.

Tip: in SMEs of 10–50 people this is usually a registered commercial proxy, the chief accountant or the finance director. In larger firms — a dedicated compliance function or a Compliance Officer. We describe a practical approach to the role in the article compliance officer in a small business.

2. Internal sanction screening procedure — written down?

Main question: Do you have a written document describing when and how you check a counterparty against sanctions lists?

Control questions:

  • Does the document define the moment of verification (before concluding a contract, before the first payment, periodically)?
  • Does it define which lists are checked (EU, MSWiA, OFAC, UN, UK OFSI)?
  • Does it define who makes the decision on a MATCH / POSSIBLE?

Legal basis: Art. 50 of the AML Act[6] (internal procedure for obliged institutions). For other firms — an element of the due-diligence standards arising from the direct application of EU regulations.

What signals a gap: “each employee does it their own way”, “we check intuitively”, “we have it somewhere in an email from the lawyer”.

Tip: the procedure must be operational — described in 2–4 pages in language a salesperson will understand. Not a 30-page document written by a lawyer. We show the template and structure in sanctions policy — document templates.

3. Hit register — maintained and up to date?

Main question: Do you keep a register of cases where the verification system returned a MATCH or POSSIBLE — with the decision and its justification?

Control questions:

  • Does each entry have a date, a client identifier, the source list and the type of result?
  • Does each decision (continue / refuse / report to GIIF) have a justification?
  • Is the register immutable (append-only) — so it cannot be “corrected” retroactively?

Legal basis: Art. 34(4) of the AML Act[6] (documentation of business relationships), Art. 49 (the 5-year retention period for documentation). For asset freezing — Art. 23 of the Act of 13 April 2022[1] (the documentation obligation).

What signals a gap: no register, ad-hoc notes in Excel without versioning, “we have it in the CRM but no one has looked”.

Tip: a hit-register template (with mandatory fields and a sample decision) — sanctions hit register.

4. Sanctions policy — does it exist and is it signed off?

Main question: Does the company have a written sanctions policy document, approved by the board or the owner?

Control questions:

  • Does it define who, when and by what means we verify?
  • Does it reference specific legal acts (Reg. 269/2014, 833/2014, the Act of 13 April 2022)?
  • Does it define what to do in the case of a MATCH (the escalation procedure)?
  • Is it up to date (reviewed at least once a year)?

Legal basis: Art. 50(1) of the AML Act[6] — the internal procedure for counteracting money laundering and terrorist financing, of which sanctions obligations form part; Art. 23 of the sanctions act[1] — the documentation obligations of obliged institutions.

What signals a gap: “we don’t have a policy, but there is a procedure”, “the document sits in a drawer at the lawyer’s”, “no one has ever read it”.

5. Sanctions clause in commercial contracts — added?

Main question: Do the contracts concluded with counterparties contain a sanctions clause?

Control questions:

  • Does the clause include the counterparty’s declaration that it is not subject to sanctions?
  • Does it give you the right to withdraw if the counterparty is added to a list?
  • Does it include an obligation to inform you of changes to the ownership structure?

Legal basis: the principle of freedom of contract (Art. 353¹ of the Civil Code) — the clause is not required by statute, but its absence means that, if a counterparty is added to a list, you have no instruments to safely terminate the contract. This is market practice also recommended by the Public Procurement Office (UZP)[7] in the context of public procurement.

What signals a gap: “we have old contract templates from before 2022”, “contracts are signed without a clause, because no one reads them”.

Tip: a sanctions clause in commercial contracts should also cover the question of public procurement, if the company bids for it.

6. Employee training — conducted and documented?

Main question: Have employees who deal with clients (sales, customer service, accounting, legal) been trained in the principles of sanctions verification?

Control questions:

  • Is the training recurring (recommended: at least once every 12 months)?
  • Is there an attendance list / completion certificate?
  • Do the training materials include specific cases from your industry?
  • Does the employee know how to recognise the warning signs of a suspicious transaction (red flags)?

Legal basis: Art. 52 of the AML Act[6] — employee training in obliged institutions; a recurring obligation.

What signals a gap: “we train them on the fly”, “everyone knows what to do”, no document confirming the training.

Tip: an outline training plan + a checklist of topics to cover — employee sanctions training.

7. Updating the sanctions lists — process and frequency

Main question: How often do you check for updates to the sanctions lists (EU Annex I, MSWiA, OFAC SDN, UN Consolidated List)?

Control questions:

  • Have you defined the list sources (URLs, formats)?
  • Is the update process daily or ad hoc?
  • When a list is expanded (a new EU sanctions package), do you re-screen your active clients?
  • Do you have alerts / a subscription for list expansions?

Legal basis: EU Regulations 269/2014 and 833/2014[2][3] — the measures apply from the date they enter into force. A sanctions package often enters into force the day after publication in the Official Journal of the EU — the lack of a daily update means a risk of executing a transaction with a newly listed entity before you can react.

What signals a gap: “we checked when we concluded the contract”, “once a quarter someone takes a look”, “we have a paid tool, but no one knows whether it updates”.

Tip: the most critical sources: sanctions list updates, the MSWiA list, the OFAC list.
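The control questions in this area (defined list sources, a daily update, re-screening active clients when a package expands a list) can be turned into one small daily job: fetch the current list snapshot, compute which entries are new since the previous snapshot, and screen every active client against only those additions. The Python below is an added example, not Sanqto's code and not any official list format: the two snapshots, the client book, the "EU Annex I" / "MSWiA" source labels and the entry identifiers are all constructed for the demonstration, and the MATCH / POSSIBLE rule is a deliberately simple token-overlap heuristic standing in for whatever matching engine the company actually uses.

```python
"""Daily list-delta check and re-screening of active clients.

Added example, not Sanqto's code. The two list snapshots, the client book
and the "EU Annex I" / "MSWiA" source labels are constructed for the
demonstration; real list feeds, formats and identifiers are assumptions.
"""
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class ListEntry:
    source: str    # publishing list, e.g. "EU Annex I" or "MSWiA" (constructed labels)
    entry_id: str  # identifier assigned by the list publisher (constructed)
    name: str


# Legal-form tokens carry no identifying information and are dropped before comparison.
LEGAL_FORMS = {"sp", "z", "o", "sa", "ltd", "limited", "llc", "ooo", "gmbh", "inc", "co"}


def normalize(name: str) -> str:
    """Lower-case, strip decomposable diacritics and collapse punctuation/whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return re.sub(r"[^a-z0-9]+", " ", plain.lower()).strip()


def name_tokens(name: str) -> frozenset:
    return frozenset(normalize(name).split()) - LEGAL_FORMS


def classify(client_name: str, entry_name: str):
    """MATCH when the identifying tokens coincide, POSSIBLE on strong partial overlap, else None."""
    a, b = name_tokens(client_name), name_tokens(entry_name)
    if not a or not b:          # a name made only of legal-form words cannot be screened
        return None
    if a == b:
        return "MATCH"
    shared = a & b
    overlap = len(shared) / min(len(a), len(b))
    # At least half of the shorter name, including one substantive token, must coincide.
    if overlap >= 0.5 and any(len(t) >= 4 for t in shared):
        return "POSSIBLE"
    return None


def new_entries(previous, current):
    """Entries in the current snapshot that the previous snapshot did not contain."""
    known = {(e.source, e.entry_id) for e in previous}
    return [e for e in current if (e.source, e.entry_id) not in known]


def rescreen(active_clients, added):
    """Screen every active client against only the newly added entries; return the hits."""
    hits = []
    for client_id, client_name in active_clients.items():
        for entry in added:
            result = classify(client_name, entry.name)
            if result:
                hits.append({"client_id": client_id, "source": entry.source,
                             "entry_id": entry.entry_id, "result": result})
    return hits


# Constructed snapshots: yesterday's list and today's list after a new package.
PREVIOUS_SNAPSHOT = [
    ListEntry("EU Annex I", "EU-0001", "Alpha Shipping Holdings"),
    ListEntry("MSWiA", "PL-0007", "Beta Metals OOO"),
]
CURRENT_SNAPSHOT = PREVIOUS_SNAPSHOT + [
    ListEntry("EU Annex I", "EU-0912", "Gamma Trading Limited"),
    ListEntry("MSWiA", "PL-0031", "Delta Logistik GmbH"),
]
# Constructed client book: clients with an active business relationship.
ACTIVE_CLIENTS = {
    "C-100": "Gamma Trading Ltd",
    "C-101": "Nowak Transport Sp. z o.o.",
    "C-102": "Delta Logistics Sp. z o.o.",
}

if __name__ == "__main__":
    added = new_entries(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    for hit in rescreen(ACTIVE_CLIENTS, added):
        print(hit)  # every hit belongs in the hit register with a decision and justification
```

Screening only the delta keeps the daily run cheap even for a large client book, but it assumes the previous snapshot is kept; the first run, and any run after a missed day, should screen against the full list. Every hit the job produces is a register entry (area #3), not a console line.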

8. The procedure for handling a MATCH / POSSIBLE — written down?

Main question: Do you have written-down steps for handling a hit (MATCH or POSSIBLE)?

Control questions:

  • Who receives the notification?
  • What steps do they take (escalation to compliance, suspending the transaction, verification against a second source)?
  • Within what deadline is the final decision made?
  • Is there a procedure for notifying GIIF (the form, the deadline, the person responsible)?

Legal basis: Art. 74 and Art. 86 of the AML Act[6] — the obligation to notify GIIF of a suspicious transaction (within 2 working days); the Act of 13 April 2022[1], Art. 8 — obligations upon establishing an asset freeze.

What signals a gap: “we haven’t had such a situation yet”, “we’ll probably call the lawyer”, “we ignore false positives because no one will check anyway”.

Tip: how to handle results correctly — false positives in sanction screening.

9. Client risk assessment — done before concluding the contract?

Main question: Before concluding a contract with a new counterparty, do you assess the level of sanctions risk (country, industry, ownership structure, the context of the transaction)?

Control questions:

  • Is there a risk-assessment form (KYC light) or a scoring system?
  • Do you treat high-risk clients (countries covered by sectoral sanctions, offshore structures, a lack of UBO transparency) differently?
  • Do you document the decision to conclude a contract despite an identified risk?

Legal basis: Art. 33 of the AML Act[6] — financial security measures proportionate to the client’s risk; Art. 27 — client risk assessment.

What signals a gap: “we trust common sense”, “we don’t have a risk assessment — the client either exists or doesn’t”, no distinction between a client from Poland and a client from Cyprus.

Tip: the detailed process — verifying a counterparty against sanctions.

10. Documentation of decisions — 5 years, immutable, accessible?

Main question: Are all sanctions decisions (verification, MATCH, escalation, report to GIIF, board decision) documented and retained for 5 years from the end of the business relationship?

Control questions:

  • Are the documents stored in a way protected against modification (a system with an audit log, backups)?
  • In the event of an inspection, do you know where the documents from 2022 are (4 years back)?
  • Are the decisions signed (digitally or by hand) by the compliance officer or an authorised person?

Legal basis: Art. 49(1) of the AML Act[6]: “Obliged institutions shall retain, for a period of 5 years counted from the first day of the year following the year in which the business relationship with the client ended”[6]. An identical period applies to sanctions documentation (Art. 49 of the AML Act, Art. 23 of the Act of 13 April 2022[1]).

What signals a gap: “the documents are somewhere in an email”, “accounting has it archived, but we don’t know where”, no access to documents from 2 years ago within 30 minutes.
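Areas #3 and #10 both ask for the same property: a record of decisions that cannot be "corrected" retroactively and whose integrity you can demonstrate to an inspector. A spreadsheet cannot give you that, but a hash chain can: each entry stores the SHA-256 of the previous entry, so editing or deleting any earlier record breaks every link after it. The Python below is an added example, not Sanqto's code; the field names follow the control questions in area #3 (date, client identifier, source list, result, decision, justification), and the two sample decisions, client identifiers and list labels are constructed.

```python
"""Hash-chained, append-only hit register (added example, not Sanqto's code).

Every entry stores the SHA-256 of the previous entry, so a record that is
edited or removed after the fact breaks the chain, and verify() reports the
first sequence number at which the chain no longer holds. Field names and
the sample decisions are constructed for the demonstration.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
RESULTS = {"MATCH", "POSSIBLE"}
DECISIONS = {"continue", "refuse", "report_to_GIIF"}


def _digest(record):
    """Canonical JSON (sorted keys, no whitespace) so the hash does not depend on key order."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class HitRegister:
    def __init__(self):
        self._entries = []  # only append() writes here; there is no edit or delete API

    def append(self, *, client_id, source_list, result, decision, justification,
               decided_by, timestamp=None):
        if result not in RESULTS:
            raise ValueError(f"unknown result {result!r}")
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        if not justification.strip():
            raise ValueError("every decision needs a written justification")
        record = {
            "seq": len(self._entries) + 1,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "client_id": client_id,
            "source_list": source_list,
            "result": result,
            "decision": decision,
            "justification": justification,
            "decided_by": decided_by,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        record["hash"] = _digest(record)
        self._entries.append(record)
        return record["hash"]

    def export(self):
        """Return copies (e.g. for the daily archive); callers cannot mutate the live chain."""
        return [dict(e) for e in self._entries]

    @staticmethod
    def verify(entries):
        """(True, None) if the chain is intact, otherwise (False, seq of the first broken entry)."""
        prev_hash = GENESIS
        for expected_seq, entry in enumerate(entries, start=1):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry.get("seq") != expected_seq
                    or body.get("prev_hash") != prev_hash
                    or _digest(body) != entry.get("hash")):
                return False, expected_seq
            prev_hash = entry["hash"]
        return True, None


def demo_tampering():
    """Build a two-entry register, then show that editing or deleting an entry is detected."""
    reg = HitRegister()
    reg.append(client_id="C-102", source_list="MSWiA", result="POSSIBLE", decision="continue",
               justification="Different NIP and registered address; name similarity only.",
               decided_by="compliance officer", timestamp="2026-05-20T09:15:00+00:00")
    reg.append(client_id="C-100", source_list="EU Annex I", result="MATCH", decision="refuse",
               justification="Identity confirmed against the list entry; transaction suspended.",
               decided_by="compliance officer", timestamp="2026-05-21T11:02:00+00:00")
    intact = HitRegister.verify(reg.export())

    edited = reg.export()
    edited[0]["decision"] = "refuse"      # a retroactive "correction" of the first decision
    after_edit = HitRegister.verify(edited)

    truncated = reg.export()[1:]          # the first entry quietly removed
    after_delete = HitRegister.verify(truncated)
    return intact, after_edit, after_delete


if __name__ == "__main__":
    print(demo_tampering())  # ((True, None), (False, 1), (False, 1))
```

The chain is tamper-evident, not tamper-proof: whoever can rewrite the whole file can also recompute every hash. That is why the last hash of each day belongs outside the system as well, for example in a signed daily export or the minutes the compliance officer keeps, so that an inspector four years later can check the chain against an anchor the register itself could not have altered.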

What to do about the gaps — remediation priorities

After working through the 10 areas you have a result. Now the priority:

BLOCK — fix within 7 days

If you answered NO in areas #1, #2, #3 — that is a BLOCK. An inspector will notice these gaps in the first minutes of the inspection.

Gap                    | What to do
-----------------------|------------------------------------------------------------------------------
No compliance officer  | A board resolution / owner’s decision appointing a specific person + the scope of duties
No screening procedure | Write down 2–4 pages of an operational procedure; a template is available in sanctions policy
No hit register        | Set up an Excel / Google sheet with mandatory fields; a template in hit register

The consequence of omission: an administrative fine under Art. 15 of the Act of 13 April 2022 — from PLN 10,000 to PLN 20,000,000[1]. A detailed discussion of penalties — penalties for breaching sanctions.

Major FIX — fix within 30 days

Areas #4, #5, #6, #7 — a gap = a major FIX. An inspector will notice this at the second stage of the inspection (after reviewing the documents).

Gap                  | What to do
---------------------|----------------------------------------------------------------------------------
No sanctions policy  | Prepare a document with references to legal acts, get it approved by the board
No sanctions clause  | Add the clause to your contract template + update active contracts with annexes at the next opportunity
No training          | Run a training session (1–2h) + document the participants + plan an annual cycle
No list updates      | Choose your sources + set up a daily process (manually or via an API)

Minor FIX — fix within 90 days

Areas #8, #9, #10 — a gap = a minor FIX. An inspector will notice this at the third stage (checking specific cases).

Gap                         | What to do
----------------------------|-------------------------------------------------------------------------
No MATCH procedure          | Write down the course of action (1 page, a flowchart)
No client risk assessment   | Introduce a simple form / matrix (country × industry × structure)
No documentation of decisions | Implement a storage system with an audit log; archive the existing material

How to prepare for a KAS / GIIF inspection

An inspection of internal sanctions compliance may be conducted by several authorities:

  • The General Inspector of Financial Information (GIIF) — supervises the performance of AML obligations, including sanctions obligations, by obliged institutions[8].
  • The National Revenue Administration (KAS) — supervises companies’ sanctions obligations in foreign trade (export, import, customs duties) — in detail in a KAS inspection — how to prepare.
  • The Ministry of the Interior and Administration (MSWiA) — verifies asset freezes against persons on the MSWiA list[5].
  • The Public Procurement Office (UZP) — supervises the application of sanctions-based exclusions in procurement proceedings under the Public Procurement Law[7].

What an inspector usually requests:

  1. The sanctions policy (#4)
  2. The internal screening procedure (#2)
  3. The hit register (#3)
  4. The documents appointing the compliance officer (#1)
  5. Training materials and attendance lists (#6)
  6. Logs from the screening system — evidence of verifying specific clients (#3, #10)
  7. The MATCH procedure + examples of its application (#8)
  8. Sanctions clauses in selected contracts (#5)

If you can hand the above to an inspector within 60 minutes — you are ready. If you first have to compile it — you have gaps in areas #1–#10.

How Sanqto helps

Sanqto is sanction screening software installed on-premise — your clients’ data never leaves your infrastructure. In the context of a sanctions audit, we cover several areas of the checklist directly:

  • Area #2 (procedure): a built-in verification procedure + an audit log of every decision.
  • Area #3 (hit register): an automatic register with mandatory fields and a 5-year retention period.
  • Area #7 (list updates): daily synchronisation of the EU, MSWiA, OFAC and UN lists.
  • Area #10 (documentation): an immutable record of decisions with an audit log and backups.

In addition, you get an implementation package: a sanctions policy, a workplace instruction, a sanctions-clause template, a risk-assessment form. This covers areas #1, #4, #5, #9.

Book a demo or explore the Sanqto product.

  • The Act of 1 March 2018 on counteracting money laundering and terrorist financing (Journal of Laws 2018, item 723, as amended), Arts. 2, 8, 27, 33, 34, 49, 50, 52, 74, 86[6].
  • The Act of 13 April 2022 on special measures to counter support for aggression against Ukraine (Journal of Laws 2022, item 835), Arts. 7, 8, 15, 23[1].
  • Council Regulation (EU) 269/2014 (freezing the assets of persons and entities) — Annex I[2].
  • Council Regulation (EU) 833/2014 (sectoral sanctions on Russia) — Annexes IV–XXVI[3].
  • Council Regulation (EC) 765/2006 (Belarus)[4].
  • The list of persons and entities subject to sanctions — MSWiA[5].
  • The General Inspector of Financial Information (GIIF) — Ministry of Finance[8].

Information, not legal advice. This article is for information and educational purposes only and does not constitute legal advice. The specific legal assessment of an individual case should be carried out with a qualified lawyer specialising in sanctions and export-control law. Legal status: 2026-05-26.


  1. Act of 13 April 2022 on special measures to counter support for aggression against Ukraine and to safeguard national security (Journal of Laws 2022, item 835), Arts. 7, 8, 15, 23 (verbatim quotation from ELI). eli.gov.pl

  2. Council Regulation (EU) No 269/2014 of 17 March 2014 concerning restrictive measures in respect of actions undermining or threatening the territorial integrity, sovereignty and independence of Ukraine. EUR-Lex CELEX: 32014R0269. eur-lex.europa.eu

  3. Council Regulation (EU) No 833/2014 of 31 July 2014 concerning restrictive measures in view of Russia’s actions destabilising the situation in Ukraine — consolidated version. EUR-Lex CELEX: 02014R0833. eur-lex.europa.eu

  4. Council Regulation (EC) No 765/2006 of 18 May 2006 concerning restrictive measures in view of the situation in Belarus. EUR-Lex CELEX: 32006R0765. eur-lex.europa.eu

  5. Ministry of the Interior and Administration, the list of persons and entities subject to sanctions. gov.pl/web/mswia

  6. Act of 1 March 2018 on counteracting money laundering and terrorist financing (Journal of Laws 2018, item 723), Arts. 2, 8, 27, 33, 34, 49 (the 5-year retention period), 50, 52, 74, 86. eli.gov.pl

  7. Public Procurement Office (UZP), communications and guidelines on applying sanctions in public procurement proceedings. gov.pl/web/uzp

  8. General Inspector of Financial Information, supervisory powers regarding AML/CFT obligations. gov.pl/web/finanse/giif