
AML / CFT audit

If you are a reporting entity (other than a high value dealer) under the AML / CFT Act, you must undertake an audit of your risk assessment and your AML / CFT programme:

  • Every two years, or
  • When asked by your AML / CFT supervisor, or
  • In a different time period if prescribed by regulations.

It is perfectly acceptable for reporting entities to proactively undertake their audit well in advance of the two-yearly deadline. Contact us to enquire about an AML / CFT audit:

Direct dial +64 9 414 1303.

Strategi believes there are compelling reasons to undertake an advance audit:

  • Reporting entities can have peace of mind knowing they have addressed, sooner rather than later, serious non-compliance detected (if any) with the AML / CFT Act;
  • Greater flexibility of timing in that reporting entities can determine when the best time is (work flow and cash flow wise) to have the audits conducted;
  • Strategi can keep audit costs to a minimum as it can keep its auditors engaged throughout the year plus keep travel costs to a minimum through combining an audit with other work in the same region; and
  • A reporting entity can demonstrate to its AML supervisor that it is proactive in meeting its commitments and hence does not require vigorous supervision by its supervisor with regard to meeting AML / CFT obligations.

What is an AML / CFT audit?

An audit is a systematic check of your risk assessment and programme by an independent and suitably qualified person (the auditor).

These are two separate audits; however, they should be conducted simultaneously. You must provide the audit reports to your supervisor when asked.

To clarify your obligations, see what are my AML / CFT obligations?

The AML audit is separate from your own review of your risk assessment and programme. It will assess whether your AML / CFT programme complies with all of the obligations below:

  • The programme is based on the risk assessment undertaken.
  • The programme includes adequate and effective procedures, policies and controls for:
    • Vetting.
    • Training on AML matters.
    • Complying with customer due diligence (CDD) requirements.
    • Reporting suspicious activities.
    • Reporting prescribed transactions.
    • Record keeping.
    • Setting out what the reporting entity needs to do, or continue to do, to manage and mitigate the risks of money laundering and the financing of terrorism.
    • Monitoring, examining, and keeping written findings on specified issues.
    • Preventing the use, for money laundering or the financing of terrorism, of products and transactions that might favour anonymity.
    • Determining when enhanced CDD is required and when simplified CDD might be permitted.
    • Determining when and how third party CDD is permissible.
    • Monitoring and managing compliance with, and the internal communication of and training in, those procedures, policies, and controls.
  • Whether the policies, procedures and controls are adequate and have operated effectively throughout the period.

What should I consider before undertaking an AML audit?

Undertaking the prescribed audit should not be taken lightly. Several important factors need to be considered to ensure you comply with all the requirements under the AML / CFT Act. The matters you should consider are:

Decide whether the audit should be undertaken internally or externally

The AML / CFT Act requires the auditor to not be involved in the development of your risk assessment, or the establishment, implementation, or maintenance of your AML / CFT programme. If you wish to appoint an internal person to undertake your AML audit then you should critically examine if the person could be considered “independent”. There is unlikely to be adequate separation of duties in a small to medium-sized reporting entity.

Experience and skill of the auditor

Select the auditor with appropriate experience and skills. You should ask the potential auditor about their background and qualifications. This information will help you make your decision in selecting an appropriate auditor.

Level of assurance desired from the auditor

Decide the level of assurance you want the auditor to provide. The AML / CFT Act does not require your auditor to provide a specific level of assurance.

The auditor can perform two types of audits:

  • limited assurance audit in which the conclusion is expressed in a negative form.
  • reasonable assurance audit in which the conclusion is expressed in a positive form.

The reasonable assurance audit is more in-depth than a limited assurance audit. In a limited assurance audit, there is an increased risk that the auditor may not become aware of a significant non-compliance with the AML / CFT Act. In a reasonable assurance audit, the level of detail with which the audit assesses your compliance is likely to be greater than in a limited assurance audit.

Expectations of your supervisor

Your supervisor may take into account the robustness and adequacy of your audit in determining the extent of your supervision. A reasonable assurance audit may offer a greater level of comfort compared to a limited assurance audit depending upon the nature, size and complexity of the reporting entity.

Your desired deliverables from the audit

Do you want the auditor to only highlight the areas identified as non-compliant or do you also want the auditor to make recommendations for rectifying non-compliance and identify areas for improvement?

Strategi recommends you embrace the best practice approach of engaging with the auditor not only for identifying the areas of non-compliance but also for receiving comprehensive feedback on how to rectify the identified non-compliance.

Who can audit – why consider Strategi as your AML / CFT auditor?

The AML / CFT Act states that the person conducting the AML / CFT risk assessment and programme audits MUST be independent (not involved in development of your risk assessment, or the establishment, implementation, or maintenance of your programme) and appropriately qualified.

The person undertaking the audit must have relevant skills, experience, and knowledge of the AML / CFT Act and Regulations.

You must be able to justify to your supervisor how your auditor is appropriately qualified. You could appoint a member of your staff to undertake the audit but this could be difficult as you need to prove that the person is competent to undertake the audit, plus the staff member needs to be adequately separated and not involved in carrying out your risk assessment and the programme.

  • Strategi firmly believes identifying non-compliance is only half the job. The other half is offering the right solution, making recommendations for rectifying non-compliance and/or identifying areas for improvement in behaviour and practice. Strategi views compliance with legislation and regulations as a business enabler and promoter of a win-win situation for all stakeholders. Strategi has been built on this philosophy.
  • Strategi has been in existence since 1999 and is not a ‘one man band’. It has the experience, resources and capability to provide you high quality AML / CFT audits.
  • Strategi has staff with Certified Anti-Money Laundering Specialist (CAMS) credentials to help clients meet the challenges posed by the dynamic AML / CFT environment. CAMS is recognised as the benchmark for AML / CFT certifications by regulatory agencies globally.
  • Strategi will keep you up-to-date with your on-going AML / CFT compliance obligations.
  • Strategi is independent as it was not involved in the establishment, implementation or maintenance of your risk assessment and programme.
  • It is supported by its sister company Strategi Institute Ltd. Strategi Institute developed the AML / CFT manual widely used by financial advisory businesses in New Zealand. More recently it has developed the AML / CFT manual and AML / CFT online training modules for accountants, and work on similar material for lawyers and real estate agents is underway.
  • Both Strategi and Strategi Institute are non-aligned. Both businesses work with most of the major banks, insurance companies, QFEs, networks, share brokers and fund managers. Exceptional care is taken to avoid potential conflicts of interest and full disclosure is provided.
  • Strategi is well respected in the New Zealand financial advisory market, and is arguably the most experienced and competent organisation in New Zealand that delivers specialised support services to financial advisers and the wider financial services industry.

What is the outcome of an AML / CFT audit?

The audit will provide you with an independent assessment of your risk assessment and programme. You will receive another person’s view of how well your risk assessment and programme are designed and working. The findings of the audit may influence the degree of supervision you could expect from your supervisor.

The AML auditor will present a written report after the audit. The report will contain certain minimum requirements and it could contain additional reporting based on the agreed deliverables between you and the auditor.

The report will include a title (eg: ‘Independent AML / CFT Audit’) and clearly state the period covered by the audit.

As a minimum the report will contain:

  • Whether your risk assessment and your programme meet the requirements of the AML / CFT Act; if not, which requirements they do not meet and why.
  • Whether your programme is functioning in practice as required and intended.
  • A description of methods used to determine the adequacy and effectiveness of your risk assessment and your programme.
  • The date and signature of the auditor.

The report may also include:

  • Identification of areas to be accorded highest priority for improvement.
  • Recommendations for rectifying non-compliance.
  • Any weaknesses in your systems and processes, such as (but not limited to) your procedures for identifying or reporting suspicious transactions.

What should I do with the audit report?

  1. Address, as a priority, any areas of non-compliance with the AML / CFT Act identified in the audit report.
  2. In your annual AML / CFT Report to the AML / CFT supervisor, you must state whether you have made the necessary changes to address issues raised (if any) in the audit report.
  3. Keep the audit report on file. Section 51(1)(b) of the AML / CFT Act requires reporting entities to keep records relating to risk assessment, programmes and audits. Reporting entities should submit the AML / CFT audit report when the supervisor requires.

How much will an AML / CFT audit cost?

Strategi Ltd is an AML / CFT auditor and can provide a combined audit assessment. Indicative fees for audits of small to medium-sized reporting entities are outlined below. Please note: these fees could vary depending on the entity size, complexity, risk profile and the level of assurance required.

Indicative fees for a combined risk assessment and programme audit, by level of assurance:

  • Limited assurance: $1,200 to $1,700
  • Reasonable assurance: $1,500 to $1,900

Prices exclude GST and any travel fees. Prices are indicative only and subject to change. Fees for larger reporting entities will be quoted once more detail on the entity is known.

Some information contained above has been sourced from the guidance note titled “Guideline for audits of risk assessments and AML / CFT programmes” published by the AML / CFT supervisors.

Contact us to discuss your AML / CFT audit requirements.