An auditor should be independent. You should also consider any other potential conflicts of interest that may call into question their independence.
For example, were they involved in the creation of your compliance documentation, do they have a financial interest in your business, or does a part of their business supply outsourced solutions?
(Check here for an official audit guideline)
Check for experience in AML as well as in the specifics of your industry. Do not be impressed by a claim that they will ‘audit all types of reporting entities’. Make sure they have the knowledge to help you and your business.
Experience at one of the 'Big Four' or in Europe is not necessarily helpful, as they operate under a different regime and this often results in a ‘tick box’ exercise.
Your audit should be based on your unique business situation.
Your auditor should be able to assist you with remediation advice.
Most Reporting Entities are still on a learning journey (as are the regulators). Your auditor should focus on being educational rather than punitive.
Do not be distracted by an audit being a cost-effective and ‘easy’ solution. Often you get what you pay for. You do not want to end up with a generic templated report.
Be wary of an auditor whose recommendations are focused on pointing you at other services they provide, such as their training programs or outsourcing options.
Balance the costs of the audit against the degree of confidence required.
Typically, a reasonable assurance audit goes into more depth in its testing than a limited assurance audit would. It is up to each reporting entity to select the type of audit they require.
Your auditor should advise you which level of assurance is best suited.