What auditors want to see in a rescreening programme
Auditors are rarely impressed by a rescreening policy that exists only as a PDF. They want evidence that the programme is risk-based, consistently applied, legally defensible and actively managed.
For senior compliance and risk managers, the question is simple: could you prove that your firm still knows who its people are after they have been hired?
That is the test a financial services rescreening programme has to pass.
A clear risk rationale
Auditors want to see why rescreening exists, who it applies to and how often checks are repeated. A blanket approach is easy to write down, yet difficult to defend. A cleaner model links screening frequency and check type to the risk attached to each role.
That means separating employees by factors such as:
- Access to client money, trading systems or payment infrastructure.
- Regulated status, including certified roles or senior management functions.
- Access to sensitive client, employee or market data.
- Authority to approve transactions, onboard customers or override controls.
- Authority to approve transactions, onboard customers or override controls.
- Jurisdiction, especially where local law affects what checks can be run.
A junior operations analyst and a senior finance leader should not automatically sit in the same rescreening tier. Auditors will expect the difference to be explained.
Veremark’s guide to employee background checks for financial institutions is a useful reference point for firms reviewing how role risk should shape screening decisions.

Documented ownership
A rescreening programme should not sit vaguely between HR, compliance, risk and legal. Auditors want to know who owns it.
The best programmes define responsibility at three levels. HR or people operations may run the process. Compliance may define minimum standards and regulatory obligations. Risk may review exceptions, control gaps and management information. Legal or data protection teams should review consent, lawful basis, retention and cross-border requirements.
The ownership model matters because rescreening creates sensitive decisions. Someone has to decide what happens when an employee does not complete a check, disputes a result, moves country or changes into a higher-risk role.
If that decision route is unclear, the policy will fail under pressure.
Evidence of consistent application
Auditors will usually look for a sample of employees and test whether the process worked as described. They may ask:
- Was the employee in the correct risk tier?
- Were the right checks ordered?
- Was consent or the correct lawful basis recorded?
- Were results reviewed by the right person?
- Were adverse findings escalated?
- Was the final decision documented?
- Were checks completed within the required timeframe?
This is where manual processes often break down. A spreadsheet may show that a check was due, yet it may not prove who approved the check, what evidence was reviewed or why a case was closed.
For regulated firms, consistency is as important as intent. A financial services rescreening control has to produce a reliable audit trail across departments, countries and worker types.
A defined check set
Auditors do not expect every employee to be rescreened for every possible risk. They do expect the check set to make sense.
Common checks in a regulated environment may include criminal record checks where legally permitted, employment history verification, directorship checks, credit or financial probity checks where proportionate, sanctions and watchlist screening, adverse media checks, right to work checks and professional qualification or licence checks.
The check set should map back to role risk. For example, sanctions screening may be relevant across a wide employee population in financial services. Credit checks may need tighter scoping and a stronger justification. Criminal record checks will depend heavily on local law and role requirements.
Veremark’s overview of employee rescreening checks gives practical examples of the checks firms may include in a rescreening cycle.
Trigger-based rescreening
Periodic checks are only part of the picture. Auditors will also want to see what happens between scheduled cycles.

Trigger-based rescreening is often more useful because risk can change quickly. A good programme should respond when an employee changes role, moves into a regulated position, relocates, returns after a long absence, joins a sensitive project or gains new access rights.
The same logic applies when the firm acquires another business or moves contractors into permanent roles. A person who was low-risk at onboarding may no longer be low-risk two years later.
This is one of the main weaknesses auditors find in financial services rescreening. The firm runs a fixed annual cycle, yet role changes and access changes happen throughout the year.
Clear exception handling
No rescreening programme runs perfectly. Employees miss deadlines. Data comes back incomplete. Results need review. Local law prevents a check that global policy expects.
Auditors know this. What they want to see is a disciplined exception process.
Each exception should record the reason, the risk assessment, the decision maker, the agreed action and the deadline for resolution. Open exceptions should be visible to the right governance forum. Long-running exceptions should be challenged.
A weak exception process turns rescreening into an administrative exercise. A strong one shows that the firm understands residual risk and is actively managing it.
Privacy and proportionality
Rescreening existing employees raises different privacy questions from pre-employment screening. Employees may have been with the firm for years. Local laws may have changed. Consent that worked at hiring may not be enough for repeated checks.
Auditors will expect evidence that the firm has considered proportionality, lawful basis, data minimisation, retention periods, employee notices and access controls. This is especially important for firms operating across several countries.
Veremark’s guide to GDPR compliance in background employment screening sets out key issues for employers handling screening data.
Management information that leads to action
Auditors are not only checking process design. They want to know whether management can see the risk.
Useful reporting should show completion rates, overdue checks, exceptions, adverse findings, turnaround times, role-tier coverage and country-level issues. The data should be good enough to spot weak areas.
For example, if completion rates are strong in the UK yet poor in Singapore, that needs attention. If senior certified roles have overdue checks, that should be escalated. If one business unit keeps overriding policy, compliance should be able to challenge it.
A financial services rescreening programme is credible when reporting changes behaviour.
The audit question for you to ask now
The strongest test is simple. Pick ten employees in sensitive roles and ask whether you can prove, within a day, that each person has been screened in line with current policy.
If the answer depends on chasing emails, checking old spreadsheets or asking several teams to reconstruct what happened, the programme is not audit-ready.
Auditors want control evidence. That means a clear policy, sensible risk tiers, documented decisions, privacy controls, exception management and reporting that reaches the right people.
Rescreening is not only about finding new issues. It is about proving that the firm has an active control over people risk after hiring. That is what auditors will expect to see.
.png)
FAQs
Background checks are essential in financial institutions to ensure the integrity and trustworthiness of employees handling sensitive financial information and large sums of money, helping to mitigate risks of fraud and financial mismanagement.
Employers may rescreen employees for various reasons, including promotions to higher-risk positions, compliance with regulatory requirements, addressing security concerns, or as part of a routine review to ensure ongoing adherence to company policies.
Employers can create a robust employee rescreening guide by clearly defining the criteria triggering rescreening, ensuring compliance with relevant laws, maintaining transparent communication with employees about the process, and implementing a consistent and fair rescreening procedure across the organisation.
Trusted by the world's best workplaces


APPROVED BY INDUSTRY EXPERTS
.png)
.png)




and Loved by reviewers
Transform your hiring process
Request a discovery session with one of our background screening experts today.



.png)



