AML/CFT Audit
As a part of your anti-money laundering and counter financing of terrorism (AML/CFT) compliance, you must ensure that your Risk Assessment and Compliance Programme are audited by an independent and qualified auditor. In addition to complying with your obligations, a good audit will give you the peace of mind of an independent assurance and it may also reduce the likelihood that the Department of Internal Affairs (DIA) will need to visit you for a review, as supervision is conducted on a risk-based approach.
This post aims to shed light on the audit process to get your prepare for your next AML/CFT audit.
What Is an Audit?
An audit is a systematic check of your Risk Assessment, Compliance Programme and their application. An audit review would ordinarily assess whether:
your Compliance Programme is functioning in practice as intended;
your policies, procedures and controls are based on the Risk Assessment; and
your policies, procedures and controls have been operated effectively throughout the audited period.
An auditor can perform either a ‘reasonable’ or a ‘limited’ assurance audit. Typically, a reasonable assurance goes into more depth (more testing) during the audit than a limited assurance audit would. It is up to you to weight the pros and cons of one or the other. It goes without saying, a limited assurance audit would be cheaper, but also would provide you with a lower level of assurance.
Whether you chose a reasonable or a limited assurance audit, your auditor will provide you with an opinion based on the information reviewed and for this reason, the auditor cannot be not expected to guarantee that you are absolutely compliant, nor that all aspects of non-compliance can be identified.
Frequency
You must have your Risk Assessment and Compliance Programme audited every three years, or any other time as requested by the DIA.
The relevant period, i.e., the time frame of your audit review, will be from the date of when you started trading, plus three years; or from the date following the end of testing of your previous audit, plus three years. An audit is not completed until your auditor issue you with the final report. This means that you then have three years after the date in which your audit report was finalised to complete your following audit.
Selecting Your Auditor
You must appoint an independent person who is appropriately qualified to conduct the audit. The auditor:
is not required to be a chartered accountant or a person qualified to undertake financial audits; and
must not have been involved in the development of your Risk Assessment and Compliance Programme.
Some auditors hold a Certified Anti-Money Laundering Specialist (CAMS) certificate. However, this is not a requirement as there is no regulating body for AML/CFT audit in New Zealand. Nonetheless, the DIA may ask you to evidence on what basis you assessed that your auditor was appropriately qualified, and holding a CAMS certificate can add to such assessment.
A simple Google search will help you identify the auditors in the market. Auditors are nowadays well accustomed to conduct remote reviews, so do not settle for an auditor you may not be fully satisfied with, just because they are the sole provider in your area.
When selecting your auditor, you can ask them to provide an explanation of their experience and qualifications, a proposed plan for the audit and the methodology they are going to use, and a list of what they are going to review as part of the audit process. All of this information, along with the quoted price, should inform your decision.
Scope of Your Audit
On the one hand, the audit of a Risk Assessment is limited to an audit of whether your Risk Assessment:
identifies the risks faced by your reporting entity in the course of its business;
describes how you will ensure that the assessment remains current; and
enables you to determine the level of risk involved in relation to relevant obligations under the AML/CFT Act and regulations.
An auditor would also usually review whether your Risk Assessment assesses all the relevant risk categories as listed in Section 58 of the AML/CFT Act (nature, size, and complexity; products; delivery methods; customers; countries; and institutions) and considers all relevant guidelines.
And on the other hand, your Compliance Programme will be checked against the minimum requirements included in Section 57 of the AML/CFT Act. For example, your auditor will check if you have sufficient policies, procedures, and controls in relation to training and how these policies, procedures and controls are applied.
Audit Process – What to Expect
A good audit will:
Check your compliance documents against the relevant requirements.
Assess the adequacy of your compliance documents. Adequacy is described as how compliant your compliance documents are with the various obligations of the AML/CFT Act.
Test effectiveness of the minimum requirements. Effectiveness is described as how well the practical application of your Compliance Programme meets the obligations of the AML/CFT Act.
Prepare for your audit
An auditor will usually ask to review your Risk Assessment and Compliance Programme, any previous AML/CFT audits, any AML/CFT annual reports submitted during the relevant period, training, vetting, transaction monitoring, information on suspicious activity reports, prescribed transaction reports, disclosures of all known instances of non-compliance, and the results of your own monitoring.
Likely, your auditor will ask you to provide relevant information in advance and select a sample of data for them to review. For example, you may have 300 captured customers and the auditor will want to see 10 of those clients’ customer due diligence (CDD) information.
During the audit, the auditor may request to have meetings or phone calls with relevant staff members. For example, they may wish to talk with the Human Resource Team for staff vetting review and with the AML/CFT Compliance Team for CDD review. Moreover, your auditor may wish to talk with the Senior Management Team or ask for clarifications on the documents supplied.
When you are planning for your audit, you should consider blocking some of your time to make sure that the audit process goes efficiently and smoothly. You should also alert any relevant staff members that they may be called for a meeting by the auditor.
Internally, you should have a clear idea of where the audit will take place (remotely or onsite), when will the review commence and when it is expected to be completed, who will be the first point of contact with the auditor, who will provide the auditor with the requested information and an idea of when the audit report will be sent to you.
The Audit Report
After the audit review, your auditor will issue an audit report with the assessment of your compliance, and details of the findings. The AML/CFT Supervisors suggest the following ratings:
Partially Compliant – you have met some of the requirements of the AML/CFT Act; however, additional steps are required to achieve ongoing compliance.
Non-Compliant – you have failed to meet a requirement of the AML/CFT Act and immediate steps are required to achieve ongoing compliance.
In general, areas of compliance are not mentioned in the audit report.
The audit report may also include suggested actions that are required to rectify non-compliance as well as identifying areas for recommended improvement in behaviour and practice. While the recommended solutions proposed by your auditor might be optional, the need to remediate identified non-compliance is not. Non-compliance or partial compliance identified in the audit report must be addressed, how you respond to the identified issues is for you to assess.
After you receive your audit report, you should be given the chance to state if any factual mistakes have been made on the side of the auditor, and to include comments to the audit findings in the audit report.
Your Responsibilities
As part of the Audit review, you must cooperate and provided the evidence required by the auditor. After the issuing of the audit report, you must:
Communicate the audit findings to the Senior Management Team.
Address all non-compliant and partially compliant areas identified.
Record in your compliance documents, via version control tables, that remediation has been undertaken as result of the audit.
Record that the audit has occurred in your Compliance Programme.
Disclose the result of the audit in your annual report, including any actions take in response to the findings.
Keep a record of the audit report and provide it to your AML/CFT Supervisor, when requested.
Useful Links
For further readings refer to:
Section 29 of the AML/CFT Act.
What’s Next
If you are due for your next audit, get in touch.
