AML Audits: Make Auditors Your Friend Not Your Enemy

An audit is a requirement of many AML regimes and in New Zealand, as an entity you need to ensure an audit is carried out on your AML compliance programme every three years by an independent, appropriately qualified person.

Your first step will be in securing your auditor and ensuring they have the necessary skills and experience to do the job you’re paying them for. Consider, how well they know your industry sector and the specific AML challenges you may face. An auditor who knows your industry and understands your business will be able to provide value which you many not be able to get from somebody less familiar with your sector.

Assuming you’ve secured your auditor, agreed the scope of work, and a date has been set, it’s time to ensure you’re prepared for your big day(s).

The focus of an auditor’s visit will be in ensuring you are actively following compliance regulations, are keeping robust records, and have the right processes and procedures in place to ensure requirements can be properly met. To get the most out of your audit make the following preparations:

• Compliance programme. As a reporting entity you’ll have your compliance programme well established. Make sure this is up-to-date and readily available to your auditor as it will be a key part of their investigations.
• Customer due diligence and ongoing monitoring. Ensure your customer due diligence (CDD) documents are available and well organised so all details of your due diligence can easily be found. Show transactions, your CDD processes, the rationale behind them and how you continue to monitor activity and any changes in situations.
• An audit will likely include a look at how you handle high-risk clients so ensure you can easily access all of your client records and have an organised method of being able to easily access and review them.
• Staff training registers will be reviewed to ensure staff are being properly trained and have the right support to carry out compliance duties effectively. Make sure you keep a record of when training has taken place, who attended the training, and details of the training carried out.
• Staff vetting. Keep comprehensive records of your staff vetting procedures and evidence of due diligence carried out on staff in key positions.
• Risk assessment. As a key part of your compliance programme, auditors will want to review your risk assessment documents and see evidence of how it is used and put into practice.
• Sounds simple but ensure you have the correct access to systems before the auditor arrives on your doorstep. Wasting time sorting out access when the auditor is already at your office will cost you money so make sure you’ve still got access to all the systems you use to store records, including GoAML for your suspicious activity, and prescribed transaction reporting.

Also ensure relevant staff are available (including senior management) as the auditor may want to speak with them.

If you are following procedure and have good record keeping processes your preparation shouldn’t be too arduous and it’s worth taking the time to get it done right, making sure your processes are up-to-date and reflect the current practices of your business.

Doing so, will provide more time for your auditor to focus on providing insight and advice rather than dealing with basic admin factors you can rectify yourself.