What is an AML / CFT audit and what do I need to consider?

An AML / CFT audit is a systematic check of your risk assessment and programme by an independent and suitably qualified person (the auditor). The audit report must be provided to your supervisor if requested.

The audit is separate from your own review of your risk assessment and programme, and will assess whether your AML/CFT programme:

  • Is based on the risk assessment undertaken.
  • Includes adequate and effective procedures, policies and controls for:
    • Vetting;
    • Training on AML matters;
    • Complying with customer due diligence (CDD) requirements, including what type of CDD is required and when;
    • Reporting suspicious activities and prescribed transactions;
    • Record keeping;
    • Managing and mitigating the risks of money laundering and the financing of terrorism;
    • Monitoring, examining, and keeping written findings on specified issues;
    • Monitoring and managing compliance with the programme.
  • Has policies, procedures and controls that are adequate and have operated effectively throughout the audit period.

For more information on a reporting entity’s obligations, see “What are my AML / CFT obligations?”

What should I consider before undertaking an AML audit?

The matters you should consider are:

Decide whether the audit should be undertaken internally or externally

The auditor cannot have been involved in the development of your risk assessment, or the establishment, implementation, or maintenance of your AML / CFT programme. If you wish to appoint an internal person to undertake your AML audit then consider whether the person could be considered “independent”. There is unlikely to be adequate separation of duties in a small- to medium-sized reporting entity.

Experience and skill of the auditor

Select an auditor with appropriate experience and skills. Ask the potential auditor about their background and qualifications; this information will help you decide whether they are an appropriate choice.

The level of assurance you want from the audit

The AML / CFT Act does not require your auditor to provide a specific level of assurance.

Strategi Compliance’s auditors can perform two types of audits:

  • a limited assurance audit, which takes a 10% client sample size, or
  • a reasonable assurance audit, which provides greater assurance due to the 20% client sample size.

In a limited assurance audit, there is a higher risk that the auditor may not become aware of non-compliance with the AML / CFT Act. In a reasonable assurance audit, due to the bigger sample size, there is less chance of non-compliance being missed.

Expectations of your supervisor

Your supervisor may consider the robustness and adequacy of your audit in determining the extent of your supervision. A reasonable assurance audit may offer a greater level of comfort compared to a limited assurance audit depending on the nature, size and complexity of the reporting entity.

What you want from the audit

Do you want the auditor to only highlight the areas identified as non-compliant, or do you also want the auditor to make recommendations for rectifying non-compliance and identify areas for improvement?

Our approach is to engage with reporting entities and not just identify the areas of non-compliance but also give feedback on how to rectify any issues and improve AML / CFT performance.

Contact the Strategi Compliance AML Team if you have any questions or need more information.