Automatic Sanctions Screening for Accounting Firms: How to Build a Reliable Process
Sanctions screening is not just a one-off name search. An accounting firm needs to know who is checked, when checks are repeated, how hits are handled and how the audit trail is retained.
Sanctions screening sounds like a small step: type a name into a search field and see whether there is a match. In the daily work of an accounting firm, that is not enough.
A working sanctions screening process must define who is checked, which lists are used, when the check is repeated, who handles a possible match and how the firm can later prove that the check was performed.
The tulos.ai view is practical: sanctions screening should be brought into the same workflow where a client is onboarded, responsible persons are identified and accounting material is handled. Then the check does not remain a separate note or a manual task during the busiest month.
This article is not legal advice. It is a practical guide for building an accounting-firm process.
Table of Contents
- Why sanctions screening matters for accounting firms
- Which lists should be monitored?
- Who should an accounting firm check?
- When should checks be performed?
- How should a possible match be handled?
- What should the audit trail contain?
- How tulos.ai helps
- Summary
Why Sanctions Screening Matters for Accounting Firms
Finnish anti-money laundering legislation also applies to operators that provide bookkeeping services as a business or professional activity. An accounting firm is therefore not merely a technical processor of the customer’s financial administration. It is part of a system that must identify and prevent risks related to money laundering, terrorist financing and sanctions evasion.
The firm has an unusually good view into these risks. It sees the customer’s sales, purchases, bank transactions, receipts, payroll, owner withdrawals and unusual payment patterns. That is why sanctions screening should not belong only to client onboarding. It should be part of ongoing customer due diligence.
Practical risk often arises from four situations:
- the client, owner, responsible person or supplier is on a sanctions or freezing list
- ownership changes but the check is not repeated
- international trade or payment traffic introduces new counterparties
- a match is noticed but the handling is not documented sufficiently
A single manual search does not solve these situations. The firm needs a repeatable operating model.
Which Lists Should Be Monitored?
For a Finnish accounting firm, the core level is usually the EU list, the UN list and Finnish national freezing decisions. Many firms also monitor OFAC lists because clients may have dollar payments, US counterparties, international banking connections or other risk factors that make an OFAC match practically relevant.
| Source | Why it matters |
|---|---|
| EU consolidated list of financial sanctions | EU sanctions apply to companies operating in Finland and to making economic resources available to listed parties. |
| UN Security Council sanctions list | UN sanctions are implemented in Finland through EU and national regulation. |
| National freezing decisions | In Finland, the Financial Intelligence Unit maintains the national procedure related to freezing terrorist assets. |
| OFAC lists | Does not replace EU and national obligations, but is an important practical risk source in international payments and bank controls. |
The number of lists alone does not make the process good. The process must also handle name variations, company and personal identifiers, false positives and a retained handling history.
Who Should an Accounting Firm Check?
Checking only the company name is too narrow. A corporate customer’s sanctions risk can also relate to people who own, represent or effectively control the company.
At minimum, the firm should define the check scope like this:
- The customer company, meaning the actual contracting party.
- Customer representatives, such as the CEO, board members and users acting on behalf of the customer.
- Beneficial owners, meaning people who own the company or exercise control over it.
- Key suppliers and other counterparties on a risk basis, especially if the customer has international trade, large individual payments or unusual payment arrangements.
Beneficial owner data from the Finnish Trade Register is useful, but it is not enough on its own. The accounting firm must understand who actually controls the customer and whether that information is current.
When Should Checks Be Performed?
Good sanctions screening is not a one-time onboarding form. Lists change, ownership changes and the customer’s business may change.
A practical rhythm usually looks like this:
| Situation | What to do |
|---|---|
| New customer | Check the customer, representatives and beneficial owners before or at the latest during onboarding. |
| Customer data changes | Repeat the check when ownership, responsible persons, industry, countries or payment methods change. |
| New higher-risk counterparty | Check a supplier or other counterparty if the transaction is large, unusual or related to a higher-risk country. |
| List update | Recheck active client relationships when monitored lists change materially. |
| Periodic review | Update the check based on risk class, for example annually or more often for higher-risk customers. |
Automation matters here because manual calendar tracking begins to fail as soon as the firm has more than a few dozen clients.
How Should a Possible Match Be Handled?
A match does not automatically mean the customer is a listed person or entity. Names vary, many people share the same name, and some lists contain limited identifying information.
The firm should therefore have a match-handling process:
- Check which list the match relates to.
- Compare name, date of birth, nationality, address, business identifiers and other identifiers.
- Assess whether the match is a false positive or a possible real match.
- Record the assessment, reasoning and handler.
- Escalate an unclear or possible real match to the responsible person.
- Pause onboarding, payment or another action if needed until the matter is clarified.
- Make required authority reports according to internal instructions and applicable law.
A good system does not try to hide human judgment. Its job is to surface the match, show why it was created and require documented handling.
What Should the Audit Trail Contain?
If there is no trace of the check, it is difficult to show later that it was done. The firm should be able to prove at least:
- when the check was performed
- who or which system performed it
- who or what was checked
- which lists were checked
- what the result was
- how a possible match was handled
- who approved the final assessment
This does not need to become a heavy manual archive. The point of a good workflow is that the audit trail is created as a by-product of normal work.
How tulos.ai Helps
tulos.ai can bring sanctions screening into the same place where the accounting firm manages clients, responsible persons and accounting workflows.
In practice, this means:
- checks can be connected to client onboarding
- active customers can be rechecked when needed
- matches are surfaced to the accountant instead of hidden
- handling creates a record
- the check is part of customer due diligence rather than a separate spreadsheet process
Automation does not remove the need for the firm’s risk assessment. It helps make the process repeatable and visible.
Summary
For an accounting firm, sanctions screening is not a single technical search. It is a process:
- who is checked
- which lists are checked
- when checks are repeated
- how matches are handled and documented
- how the firm proves afterward that the check was done
When these points are built into the software workflow, sanctions screening stops being a separate compliance task. It becomes part of customer due diligence and the firm’s normal quality control.
