If you are a reporting entity, (other than a high value dealer) under the AML/CFT Act, you must undertake an audit of your risk assessment and your AML/CFT programme:
- Every two years, or
- When asked by your AML/CFT supervisor, or
- In a different time period if prescribed by regulations.
It is perfectly acceptable for reporting entities to proactively undertake their audit well in advance of the two yearly deadline. Strategi believes there are compelling reasons to do this:
- Reporting entities can have peace of mind knowing they have addressed, sooner rather than later, serious non-compliance detected (if any) with the AML/CFT Act;
- Greater flexibility of timing in that reporting entities can determine when the best time is (work flow and cash flow wise) to have the audits conducted;
- Strategi can keep audit costs to a minimum as it can keep its auditors engaged throughout the year plus keep travel costs to a minimum through combining an audit with other work in the same region; and
- A reporting entity can demonstrate to its AML/CFT supervisor that it is pro-active in meeting its commitments and hence does not require vigorous supervision by its AML/CFT supervisor with regards to meeting AML/CFT obligations.
What is an AML/CFT audit?
These are two separate audits, however, these should be conducted simultaneously. You must provide the audit reports to your AML/CFT supervisor when asked.
To clarify your obligations, see what are my AML/CFT obligations?
The audit is separate from your own review of your AML/CFT risk assessment and AML/CFT programme. It will assess whether your AML/CFT programme complies with all of the obligations below:
- The programme is based on the risk assessment undertaken.
- Includes adequate and effective procedures, policies and controls for:
- Training on AML/CFT matters.
- Complying with customer due diligence (CDD) requirements.
- Reporting suspicious transactions.
- Reporting prescribed transactions.
- Record keeping.
- Setting out what the reporting entity needs to do, or continue to do, to manage and mitigate the risks of money laundering and the financing of terrorism.
- Monitoring, examining, and keeping written findings on specified issues.
- Preventing the use, for money laundering or the financing of terrorism, of products and transactions that might favour anonymity.
- Determining when enhanced CDD is required and when simplified CDD might be permitted.
- Determining when and how third party CDD is permissible.
- Monitoring and managing compliance with, and the internal communication of and training in, those procedures, policies, and controls.
- Whether the policies, procedures and controls are adequate and have operated effectively through out the period.
What should I consider before undertaking an AML/CFT audit?
Undertaking the prescribed AML/CFT audit should not be taken lightly. Several important factors need to be considered to ensure you comply with all the requirements under the AML/CFT Act. The matters you should consider are:
Decide whether the audit should be undertaken internally or externally
The AML/CFT Act requires the auditor to not be involved in the development of your AML/CFT risk assessment, or the establishment, implementation, or maintenance of your AML/CFT programme. If you wish to appoint an internal person to undertake your AML/CFT audit then you should critically examine if the person could be considered “independent”. There is unlikely to be adequate separation of duties in a small to medium-sized practice.
Experience and skill of the auditor
Select the auditor with appropriate experience and skills. You should ask the potential auditor about their background and qualifications. This information will help you make your decision in selecting an appropriate auditor.
Level of assurance desired from the auditor
The level of assurance you want the auditor to provide. The AML/CFT Act does not require your auditor to provide a specific level of assurance.
The auditor can perform two types of audits:
- A limited assurance audit in which the conclusion is expressed in a negative form.
- A reasonable assurance audit in which the conclusion is expressed in a positive form.
The reasonable assurance audit is more in-depth than a limited assurance audit. In a limited assurance audit, there is an increased risk that the auditor may not become aware of a significant non-compliance with the AML/CFT Act. In a reasonable assurance audit the extent of the detail with which the audit will assess your compliance is likely to be more than a limited assurance audit.
Expectations of your AML/CFT supervisor
Your AML/CFT supervisor may take into account the robustness and adequacy of your audit in determining the extent of your supervision. A reasonable assurance audit may offer a greater level of comfort compared to a limited assurance audit depending upon the nature, size and complexity of your business.
Your desired deliverables from the audit
Do you want the auditor to only highlight the areas identified as non-compliant or do you also want the auditor to make recommendations for rectifying non-compliance and identify areas for improvement?
Strategi recommends you embrace the best practice approach of engaging with the auditor not only for identifying the areas of non-compliance but also for receiving comprehensive feedback on how to rectify the identified non-compliance.
Who can audit – why consider Strategi as your AML/CFT auditor?
The AML/CFT Act states that the person conducting the AML/CFT risk assessment audit and AML/CFT programme audit MUST be independent (not involved in development of your AML/CFT risk assessment, or the establishment, implementation, or maintenance of your AML/CFT programme) and appropriately qualified.
The person undertaking the audit must have relevant skills experience, and knowledge of the AML/CFT Act and Regulations.
You must be able to justify to your AML/CFT supervisor how your AML/CFT auditor is appropriately qualified. You could appoint a member of your staff to undertake the audit but this could be difficult as you need to prove that the person is competent to undertake the audit, plus the staff member needs to be adequately separated and not involved in carrying out your AML/CFT risk assessment and the AML/CFT programme.
- Strategi firmly believes identifying non-compliance is only half the job. The other half is offering the right solution, making recommendations for rectifying non-compliance and/or identifying areas for improvement in behaviour and practice. Strategi views compliance with legislation and regulations as a business enabler and promoter of a win-win situation for all stakeholders. Strategi has been built on this philosophy.
- Strategi has been in existence since 1999 and is not a ‘one man band’. It has the experience, resources and capability to provide you high quality AML/CFT audits.
- Strategi has staff with Certified Anti-Money Laundering Specialist (CAMS) credentials to help clients meet the challenges posed by the dynamic AML/CFT environment. CAMS is recognised as the benchmark for AML/CFT certifications by regulatory agencies globally.
- Strategi will keep you up-to-date with your on-going AML/CFT compliance obligations.
- Strategi is independent as it was not involved in the establishment, implementation or maintenance of your risk assessment and AML/CFT programme.
- It is supported by its sister company Strategi Institute Ltd. Strategi Institute developed the AML/CFT manual widely used by financial advisory businesses in New Zealand. More recently it has developed the AML/CFT manual and AML/CFT online training modules for accountants, and work on similar material for lawyers and real estate agents is underway.
- Both Strategi and Strategi Institute are non-aligned. Both businesses work with most of the major banks, insurance companies, QFEs, networks, share brokers and fund managers. Exceptional care is taken to avoid potential conflicts of interest and full disclosure is provided.
- Strategi is well respected in the New Zealand financial advisory market, and is arguably the most experienced and competent organisation in New Zealand that delivers specialised support services to financial advisers and the wider financial services industry.
What is the outcome of an AML/CFT audit?
The audit will provide you with an independent assessment of your AML/CFT risk assessment and AML/CFT programme. You will receive another person’s view of how well your AML/CFT risk assessment and AML/CFT programme are designed and working. The findings of the audit may influence the degree of supervision you could expect from your AML/CFT supervisor.
The AML/CFT auditor will present a written report after the audit. The report will contain certain minimum requirements and it could contain additional reporting based on the agreed deliverables between you and the auditor.
The report will include a title (eg: ‘Independent AML/CFT Audit’) and clearly state the period covered by the audit.
As a minimum the report will contain:
- Whether your AML/CFT risk assessment and your AML/CFT programme meet the requirements of the AML/CFT Act; If not, then which requirements it does not meet and why?
- Whether your AML/CFT programme is functioning in practice as required and intended?
- A description of methods used to determine the adequacy and effectiveness of your AML/CFT risk assessment and your AML/CFT programme.
- The date and signature of the auditor.
The report may also include:
- Identification of areas to be accorded highest priority for improvement.
- Recommendations for rectifying non-compliance.
- Any weaknesses in your systems and processes, such as (but not limited to) your procedures for identifying or reporting suspicious transactions.
What should I do with the AML/CFT audit report?
- If you are an AFA, then Standard Condition 3 of ‘The Standard Conditions for Authorised Financial Advisers’ requires AFAs to notify the FMA in writing within five business days of any significant matter concerning the AFA’s authorisation or financial adviser activities. This includes notifying the FMA if you are in breach of the legislation, regulations and Code. You should inform the FMA of any non-compliance identified in the audit. You could also include the steps you plan to take to rectify the identified non-compliance.
- Address as a priority the non-compliant areas identified in the audit report with the AML/CFT Act.
- In your annual AML/CFT Report to the FMA), you must state whether you have made the necessary changes to address issues raised (if any) in the audit report.
- Keep the AML/CFT audit report on file. Section (51) (1) (b) of the AML/CFT Act requires reporting entities to keep records relating to risk assessment, AML/CFT programmes and audits. Reporting entities should submit the AML/CFT audit report when the supervisor requires.
Note: The annual AML/CFT Report is in addition to the obligation to notify the FMA under the Standard Condition 3 referred to above.
How much will an AML/CFT audit cost?
Strategi Ltd is an AML/CFT auditor and can provide a combined audit assessment. Indicative fees for audits of small to medium-sized financial advisory businesses are outlined below. Please note: these fees could vary depending on the business size, complexity, risk profile and the level of assurance required.
|Level of assurance||Combined risk assessment and programme audit|
|Limited assurance|| |
|Reasonable assurance|| |
Prices exclude GST and any travel fees. Prices are indicative only and subject to change. Fees for QFEs and corporate audits will be quoted once more detail on the entity is known.
Some information contained above has been sourced from the guidance note titled “Guideline for audits of risk assessments and AML/CFT programmes” published by the AML/CFT supervisors.
Contact us to discuss your AML/CFT audit requirements.