AML/CFT Independent Audit & Internal Review

A check of your AML/CFT risk assessment and AML/CFT compliance programme

Audits & reviews

An AML/CFT independent audit is a systematic check of your AML/CFT Risk Assessment and AML/CFT Compliance Programme by an independent and suitably qualified person (the auditor). It includes a check of how your AML regime is working in practice.

(For law firms, Law Talk advice recommends you consider using an auditor within a law firm specialising in AML/CFT compliance.)

The end result of an audit is a written report on whether:

  • you meet the minimum requirements for your AML/CFT Risk Assessment and AML/CFT Compliance Programme;
  • the Compliance Programme was adequate and effective throughout a specified period (increasing from 2 years to 3 years); and
  • any changes may be required.

Recommendations may be given. A good auditor will invariably give you the benefit of their experience in how you might best approach the remediation work.

The audit complements your own ongoing review of your Risk Assessment and Compliance Programme as required by section 59(1) of the AML/CFT Act.

Official guidance on audits can be found in the joint Supervisors’ Audit Guideline for risk assessment and AML/CFT programme. An associated FMA guide helps you get the best outcome from your AML/CFT audit and in our view should be read by all reporting entities getting an audit, not just FMA reporting entities.

We summarise the best content from both these guides on this page.

Effective internal review and independent audits help your business respond to the dynamic and emerging ML/TF threats facing your business and keep your processes up to date with the law and prevailing Supervisory guidance.

Internal review and audit

An internal review or audit provides a report by or for your AML/CFT compliance officer (ultimately for the directors) summarising your compliance systems and proposing repair where required. It will usually make recommendations to improve effectiveness or efficiency.

While you're required to undertake at least periodic internal reviews/audits, using an independent professional for these reviews brings greater objectivity and clarity. This will invariably reduce unquantified risk.

This process routinely results in savings to the compliance budget where businesses are overdoing their compliance, and it frequently finds areas where businesses are exposed through failure to meet legislative obligations or adequately follow Supervisor guidance.

Independent audit

For your independent audit, you can't use an auditor who helped create or update your Risk Assessment or Compliance Programme. This requirement ensures independence and objectivity.

Auditors are not there to trip you up. They are professionals providing you with a service designed to improve your compliance with the AML/CFT Act. They know your industry and will learn about your business during the audit process.

The Supervisors encourage reporting entities to consider the independent audit as an opportunity to improve through an objective, independent review of your systems that you may not be able to appreciate from the inside.

The Supervisors recommend changing your independent auditor from time to time to bring in fresh ideas, overcome capture, and improve the chances of finding risky or inefficient practices.

The AML/CFT Act requires reporting entities to have their Risk Assessment and Compliance Programme audited every 2 years, soon increasing to 3 years, or when otherwise required by their Supervisor.

Section 59 of the Act and the Audit Guideline for risk assessment and AML/CFT programme provide useful information.

Getting the best value from your audit

You can maximise your benefit from the independent audit by getting a good quality audit that is meaningful and informative and gives the level of assurance you need. Build relationships and compliance history with the Supervisors.

The FMA has helpfully said: “If we receive an audit report we believe has been completed to a good standard, it will influence our monitoring behaviour. For example, we take a risk-based approach to our inspection programme and a good audit (with good outcomes) will likely reduce the need for us to have a direct engagement with your Reporting Entity.”

It may be a mistake to select the cheapest audit offered if it doesn’t also meet your needs. You’re engaging professionals to learn about and review your business and AML/CFT systems, including performing testing and interviewing relevant staff. This service can be done well with specific regard to your business or, like template AML documents, it can be done more quickly at volume without much customisation or care.

Particularly in the early years, a good quality audit will save you ongoing headaches downstream and provide greater understanding of the issues and problems you need to tackle to reduce your Supervisor’s monitoring of your compliance.

Your AML/CFT Compliance Programme should be well designed to detect bad actors and to manage and mitigate the risk of them abusing your business to launder funds or finance terrorism.

Engaging a capable auditor who can spot compliance holes in your Programme is critical not only to keeping out bad actors, but also to avoiding negative regulatory attention. If issues are missed early in your AML/CFT career, the cost to later remediate them, or deal with the Supervisory fallout, tends to be significantly higher. Imagine that your customer due diligence was missing an aspect since inception. The Supervisors may require CDD to be re-done across all customers since the regime applied, and breach action could be taken against you. This could include published formal warnings, injunctions, enforceable undertakings or civil or criminal prosecution.

Fixing the problems

Your auditor will identify and describe problematic aspects of your AML/CFT regime so you and your Supervisor can understand them and so you can fix them.

Non-compliant aspects should be fixed. The auditor might refer to ‘breaches’ or ‘material’ or ‘significant’ findings. The Supervisors expect those issues to be corrected promptly.

The auditor may also give recommendations about how to do this. While the recommended method of resolving a non-compliant matter may be optional, the need to fix the problem is not.

Your auditor may also provide overall 'recommendations' on non-material findings. These are suggested improvements that do not reflect breaches of your legal obligations, but would nevertheless improve your AML/CFT systems or their effectiveness or efficiency. These are not mandatory.

The language here should make clear that you are not in breach, but could (rather than must) consider certain improvements. Such improvements might, for example, relate to focusing more expenditure on higher-risk issues, spending less time or money on non-critical processes, or improving or expediting certain compliance systems, agency arrangements, or similar.

How we can help

We conduct internal reviews and independent audits for reporting entities.

After undertaking such reviews, we are also often asked for help with the specific remediations needed to comply or improve. We focus on long-term durability and cost-effectiveness.

We appreciate how much value a high quality audit can provide. Our preference is to give extensive feedback to ultimately save you money, time and effort.

Our audits are careful, detailed, objective and thoughtful. They're also excellent value for money given our expertise, our close understanding of the Supervisors' interpretations of the law and guidance, and our innovative cost model.