New Zealand Law Society - The AML/CFT external audit and internal review

The AML/CFT external audit and internal review

By Marty Robinson

If you’re covered by the AML/CFT Act you need to have your AML/CFT independent auditor visit before 1 July 2020 (unless you can show COVID-19 prevented it).

Audits can be a headache and feel like dead time and expense, but a quality audit with detailed recommendations can save you money and stress in the long run by steering you to better efficiencies and minimising the risk of negative regulatory attention.

The AML/CFT Supervisors encourage reporting entities to consider the external audit as an opportunity to improve your AML/CFT systems through an objective review that you may not be able to generate from the inside.

Along with effective internal review under section 59(1) of the Anti-Money Laundering and Countering Financing of Terrorism Act 2009, the independent audit (under s 59(2)) helps your business respond to the dynamic and emerging money laundering and terrorism financing threats facing it, as well as keeping your processes current with changing law and supervisor guidance.

This article discusses how to get the best out of your auditor and how to use the audit report to best effect.

The basics

All AML/CFT reporting entities need to engage an independent AML/CFT auditor every two years. Audits are a systematic check of your AML/CFT risk assessment and compliance programme – both on paper and in practice – by an independent and qualified person. They give an opinion on whether:

  • you meet the minimum requirements for your AML/CFT risk assessment and AML/CFT programme;
  • your AML/CFT programme was adequate and effective throughout the specified period; and
  • any changes may be required.

The s 59 processes are designed to regularly assess your compliance systems and identify where repairs are needed. They may also identify changes that improve efficiencies.

Audit reports usually include helpful recommendations, which is where they can be most valuable. The more thoroughly an auditor understands your business and processes, the more helpful they can be. So a higher assurance audit, while probably more expensive, may be more valuable when you’re still new to the regime or after any significant changes, but less necessary when you’re already compliant and the law or your firm hasn’t changed significantly.

The audit process routinely results in reduced compliance burdens. Often businesses overdo their compliance at the beginning (and can save time and money once they realise this), whereas others don’t realise they’re failing to meet their responsibilities, which is worse. Many firms, for example, are doing unnecessary enhanced customer due diligence (EDD) investigations, which are time-consuming or costly if outsourced. By contrast, many are also failing to do EDD when it’s required, bringing unnecessary regulatory risk.

Choosing an auditor

AML/CFT auditors may be lawyers, accountants, or AML/CFT or general compliance consultants.

An article in LawTalk 924, December 2018 (Ismail Rasheed, “AML/CFT compliance: Emerging practical issues”) recommended using an auditor within a law firm so as to safeguard privilege, avoid conflicts of interest, facilitate an unqualified audit opinion (thereby reducing regulatory risk), avoid unexpected SAR filings, improve governance and ensure your auditor properly understands law firms.

The author also recommended using auditors with a sound knowledge of white collar crimes and experience in conducting criminal investigations. Auditors who understand the modus operandi of launderers and terrorism financers and how to recognise it are better placed to perform a high-quality and helpful audit.

Your AML/CFT programme should be well designed to detect bad actors and to manage and mitigate the risk of them abusing your business to launder funds or finance terrorism. Engaging a capable auditor who can spot compliance holes in your programme is therefore critical – not only to keeping out bad actors, but also to avoiding negative regulatory attention.

The Supervisors recommend changing your audit partner from time to time to bring in new ideas, overcome capture, and improve the chances of finding non-compliant, risky or inefficient practices. Having said that, building a relationship with a helpful auditor can also be beneficial.

In terms of cost, the auditor may ask to see your risk assessment and programme and associated material to gauge the amount of work before proposing a price. For smaller practices, a fee of around $2,500 to $8,000 might be expected, depending on a number of factors including the level of assurance you need (discussed further below). Audits can be tens of thousands at the top end, however.

Supervisor guidance

Official guidance on audits is found in the joint Supervisors’ Audit Guideline for risk assessment and AML/CFT programme. But a very useful guide from the Financial Markets Authority called Getting the best outcome from your AML/CFT Audit is relevant to law firms just as it is to FMA reporting entities.


For your two-yearly independent audit, you cannot use an auditor who had a hand in creating or updating your risk assessment or programme. This aims to ensure independence.

Auditors are not there to trip you up. They are professionals providing you with a service designed to improve your compliance with the AML/CFT Act. They should know your industry and will learn about your specific business during the audit process.

Getting the best value from your audit

You get maximum benefit from an external audit by obtaining a good quality audit that’s meaningful and informative.

The Supervisors say “If we receive an audit report we believe has been completed to a good standard, it will influence our monitoring behaviour. For example, we take a risk-based approach to our inspection programme and a good audit (with good outcomes) will likely reduce the need for us to have a direct engagement with your Reporting Entity.” (FMA website)

The Department of Internal Affairs (DIA) will also be influenced by the robustness of your audit report, its level of detail, and whether it was a limited or reasonable assurance audit.

You will have a good idea where the biggest problems lie. By explaining this to your auditor up front, your auditor can adapt the audit accordingly. Many auditors have significant experience in addressing areas where remediation is required. Don’t be afraid to ask them for help and detailed recommendations.

An auditor will likely offer you the choice between a limited assurance audit or a reasonable assurance audit and may make a recommendation.

In a limited assurance audit, the auditor expresses the conclusion in a negative form (eg, no signs of non-compliance noted). In a reasonable assurance audit, the auditor expresses the conclusion in a positive form (eg, appears compliant). They cannot say with certainty you are 100% compliant and you shouldn’t expect that.

The reasonable assurance audit requires more work from the auditor than a limited assurance audit and typically involves more sampling and testing. In the limited version the auditor is more likely to miss any problems. The limited version would be more appropriate for later audits when you have previously passed an audit and made few changes since. At the outset you may prefer a more comprehensive assessment, given you have little idea what an auditor may find. But the Supervisors ultimately leave this choice up to you. Ask prospective auditors for the cost differential. You will need to balance the costs of the audit against the degree of confidence you require from the audit.

You should discuss and agree the scope, deliverables and other expectations of the work with your auditor. You or the auditor should set out your expectations clearly in writing. Your Supervisor may ask you to produce this document at a later stage, so keep it with the audit report. Note that the audit and the terms of the engagement do not need to be sent to the DIA unless they specifically ask, but you will have to advise the DIA of the results of your audit in the annual return (due by 31 August).

Selecting the cheapest audit offered to you may not be the best long-term strategy if it doesn’t also meet your needs. You’re engaging professionals to learn about and review your business and AML/CFT systems, including performing sampling, testing and interviewing relevant staff. Just like AML/CFT document templates, the audit service can be done well with due regard to your business, or it can be done at volume without much specificity or detail.

Particularly in the early years, good quality audits will help improve and streamline your AML/CFT efforts and save you money and headaches downstream. They provide you with a greater understanding of the issues and problems in your AML/CFT compliance than a templated or briefer audit report.

Fixing the problems found

Your auditor should clearly identify and describe non-compliant aspects of your AML/CFT regime so that you and your Supervisor can understand them and you can fix them properly. While you don’t have to give the DIA your audit report (unless they ask) you will have to detail the findings in the annual return.

The auditor might refer to these issues as ‘breaches’ or ‘material’ or ‘significant’ findings. The Supervisors expect such issues to be corrected promptly.

The auditor may give recommendations about how to do this. While the recommended method of resolving a non-compliant matter may be optional, the need to fix the problem is not.

But your auditor may also provide suggested improvements that do not represent breaches of your obligations, but would nevertheless improve your AML/CFT systems or their efficiency or effectiveness.

The language here should make clear that you are not in breach, but could re-prioritise efforts, focus on higher risk issues, save time on less critical aspects, use better compliance systems or agency arrangements or improve efficiencies.

If you can remediate the problems the auditor identifies before the annual report is due, this will keep you in the DIA’s good books.

Marty Robinson co-authored The Anti-Money Laundering Regime: A Practical Guide (LexisNexis, 2018) and is a litigator specialising in financial crime cases. He advises reporting entities on a wide range of AML/CFT matters and conducts audits. He previously oversaw the Department of Internal Affairs’ litigation and advised the DIA on AML/CFT enforcement cases and legislative amendments ahead of Phase 2.
