Guidance for AML/CFT Programme Audits has been released by the New Zealand Department of Internal Affairs. Whilst not applicable in Australia, it is informative with regard to Independent Reviews under AML/CTF Rule 8.6 (or 9.6), subject to the key differences between the two countries' respective AML regimes.
Some of the key points:
Para 9 - "We (DIA) expect that your AML/CFT programme includes a procedure for undertaking an independent audit and notes when your last audit was undertaken. Remediation undertaken as a result of the audit, should be explained in a version control table in your document." How many Australian AML/CTF Programs have good version control?
Para 10 - Frequency - "Every two years or at any other time at the request of your supervisor. This requires that you have an audit completed every two years. An audit is not complete unless the final audit report is issued by your auditor. You then have two years from the date of your last audit report, to have your next audit completed and the audit report issued." This in itself is a good reason why Australia should not follow the mandated two-year Independent Review timescale.
Para 10 - Record Keeping - "You must keep records relating to your audit. These records must be kept for a period of at least 5 years after the date on which they ceased to be used on a regular basis. You must make your records relating to audits available to your supervisor on request." What are the records? Does this obligation extend to the working notes of the Auditor? Hopefully not. Auditors and Independent Reviewers are not subject to the respective AML Acts; therefore the respective supervisors' information-gathering powers do not apply.
Para 12 - Plan ahead - "Reporting entities can determine for themselves the best time to have their audits conducted. You are responsible for your own compliance with the audit requirements, so it is advisable to plan ahead. New reporting entities should consider having their audits completed early."
Para 14 - Assurance of the audit report - "An auditor can perform either a ‘reasonable’ or a ‘limited’ assurance audit. Typically, a reasonable assurance goes into more depth (more testing) during the audit than a limited assurance audit would. The type of audit selected, is up to each reporting entity." This is certainly a good idea for Australian Independent Reviews.
Para 23 - Audit outcome, report and recommendations - "While the recommended solution proposed by the auditor might be optional, the need to remediate identified non-compliance is not. Your supervisor expects that you will take appropriate corrective action to remediate any issues identified in the audit report. Your supervisor may also ask questions about what issues have been identified and how remedial actions have been addressed by your organisation." No more ignoring audit / Independent Review findings of non- or partial compliance.
Para 33 - Independence - no conflict of interest, or perceived conflict of interest by the auditor. Does this extend to pitching for the remediation work?
Para 33 - Reciprocal auditing - "If reciprocal auditing is intended (where two reporting entities decide to complete each other’s audits) how can you demonstrate that each auditor is objective in their assessment and not affected by the nature of the reciprocal process?" Not a common occurrence in Australia.
Para 34 - Appropriately qualified - "What level of knowledge do they have about AML/CFT? Do they understand the Act and its supporting regulations? Do they know the Codes of Practice and guidelines? If they haven’t had direct experience developing or implementing a risk assessment and AML/CFT programme, how can they then demonstrate the level of knowledge required in order to effectively audit these documents and their implementation?" Well said.
Para 35 - Other matters to consider when planning your audit - "Your audit should be based on your unique business situation and the content of your audit report should not be copied by your auditor from other entities’ audit reports." If an Independent Reviewer did this it is hardly an Independent Review, however, the basis of the report can be generic.
Para 38 - Preparing for your audit - "You should discuss and agree the scope of your audit and confirm the following in writing with your auditor in an engagement letter: What information is required; Review of information; Audit report."
Para 39 - Engagement letter - "Your engagement letter must be signed off by you and your auditor. Your supervisor may ask you to produce this." Controversial. Is there nothing sacred?
Para 40 - Your compliance with the Act - "The auditor may request a written acknowledgment of your responsibility for compliance with the applicable AML/CFT requirements. This establishes that you have provided the auditor with all the relevant information and access agreed to, and that you have disclosed any relevant matters to the auditor (for example, any non-compliance with the Act)." A good idea.
Para 42 - Reviewing the audit process - "As this is an important process for a reporting entity, it is recommended that you review how the process has worked for you, as well as evaluating whether your auditor has met your expectations. This may help you in undertaking a better audit next time." We carry out post-Independent Review reviews with clients, but are not sure whether clients carry out their own internal post-Independent Review review.
Appendix 1 - Precedent Audit Report - useful for those new to auditing.
Appendix 2 - Audit timeframes - "The audit of your risk assessment and AML/CFT programme is not complete until the date on which the final audit report is issued. This means that you must ensure that your next audit report is issued on or within two years from the date on which your last AML/CFT audit report was issued." More confirmation that the Australian "regular" Independent Review is a far better system than the New Zealand mandatory 2 year audit cycle. This strict 2 year audit cycle means that a reporting entity has only 12 months in which it is neither planning for an audit nor responding to audit findings. It also makes it difficult to find good auditors. It might be self-serving for the audit community, but as an Independent Reviewer I do not think it is useful for reporting entities.
Note 4 - "Note that for departures from the audit timeframes, the reporting entity may expect regulatory action under Part 3 of the Act from its supervisor. Supervisors take a risk-based approach to compliance and will use the enforcement option appropriate to achieve compliance. The response will be proportionate and guided by factors such as a regulated party’s history of compliance and degree of openness and preparedness to cooperate. This can include, for example, a warning under section 80 of the AML/CFT Act. The relevant supervisor may also request for an additional audit, which may have the effect of realigning or altering the reporting entity’s next audit due date. The obligation is on the reporting entity to ensure that its risk assessment and AML/CFT programme are audited (with audit report issued) before the due date."