AML/CFT Act audits represent a significant opportunity for auditors to expand their assurance services.
Our original template (2018 and updated in 2020) was based on SAE 3100 (Revised), Compliance Engagements, ISAE (NZ) 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information, and SAE 3150, Assurance Engagements on Controls. We used the CAANZ guidelines to assist with preparing our template and used the model Engagement Letter, Representation Letter, and Assurance Report from the Appendices.
We have now released an updated (2022) version of the "limited assurance" engagement, incorporating revisions based on suggestions and feedback from the first versions.
This is based on the latest versions of SAE 3100 (Revised) and ISAE (NZ) 3000 (Revised), which differ significantly from the earlier versions in simplifying and clarifying the approach. We have also incorporated significant feedback received on the older versions, including:
- Reducing repetition of work
- Simplifying checklists
- Combining checklists into the workflow so all the work on a particular control is addressed in one place
- Using variables so that work that is not applicable to the client type is removed or suppressed
- Making testing pages more specific
- Removing excessive wording
- Having just one report (updated to the latest format), with areas that toggle on if modifications are applied
- And lots of other significant streamlining.
We have three versions:
- Compliance Engagement - AML/CFT Limited Assurance (2022) - For NZ CA users based on the NZ AML/CFT Act 2009.
- AML/CFT Audit (2022) - for other NZ AML audit professionals who are not chartered accountants (while following the same basic workflow as per the standards, this one leaves out the referencing to the standard and also includes a suitably updated report and engagement letter).
- Compliance Engagement - AML/CFT (Samoa 2022) - For Samoan CA firms based on the Money Laundering Prevention Act 2007 and the Money Laundering Prevention Regulations 2009.
The AML/CFT audit templates are included with our "medium" and "large" audit packages and may be purchased as an add-on for "small" firms. They are also available in a stand-alone format for AML-only audit firms. Contact us for a demonstration or more details.
Background (NZ)
The NZ Anti-Money Laundering and Countering Financing of Terrorism Act 2009 ("the Act") came into effect on 30 June 2013 for “reporting entities”. Money laundering is how criminals disguise the illegal origins of their money. Financers of terrorism use similar techniques to money launderers to avoid detection by authorities and to protect the identity of those providing and receiving the funds.
To maintain New Zealand's image as corruption-free in the global economy, this legislation has been adopted to make the transfer of wealth from illegal activities into the economy or into terrorist activities more difficult, and to spot and track schemes set up to facilitate these activities. Implementation and supervision of the Act is shared between the Reserve Bank, the Financial Markets Authority (FMA), and the Department of Internal Affairs (DIA).
Reporting entities were required to prepare an AML/CFT compliance programme in terms of the requirements of the Act. The first entities to be affected by the Act were Banks, Casinos and a range of Financial Service Providers.
The Act now includes a much broader range of entities including Lawyers, Conveyancers and Businesses that provide Trust and Company Services (from 1 July 2018), Accountants (from 1 October 2018), Real Estate Agents (from 1 January 2019), Businesses trading in High-Value Goods (from 1 August 2019) and the NZ Racing Board (also from 1 August 2019).
In terms of the standards, the subject matter of the audit is the AML/CFT Programme established by the entity in terms of S56(1) of the Act. The purpose of the work is to provide assurance that the entity has complied with the requirements of the Act.
AML/CFT Programme Requirements
The programme sets out internal policies, procedures and controls designed to detect and identify attempts to use the entity for money laundering and/or financing of terrorism. The programme also identifies ways to manage and mitigate the risks of these activities occurring:
- Policies set out expectations, standards and behaviours in the entity
- Procedures are more detailed and set out day-to-day operations
- Controls are tools that management use to ensure the business complies with policies and procedures
The programme is based on a risk assessment made by the compliance officer responsible for the programme in terms of S58 of the Act. The policies, procedures and controls must be adequate to reasonably address the risks identified in the risk assessment.
A suitable compliance officer must be selected to run the programme, and this person must report to a senior manager in the entity. This is usually an employee, but may be a senior manager or the business owner.
The following are the minimum requirements of the Programme:
- Vetting: Policies, procedures and controls for vetting senior managers, the compliance officer and other employees involved in AML/CFT activities, to avoid hiring someone who may use the business for money laundering or terrorist financing. This involves specifying what background checks are required; the level of checks depends on the risks identified.
- Training: Specifying what training will be provided for senior managers, the compliance officer and other employees involved in AML/CFT activities, and how and when this will take place.
- Customer Due Diligence (CDD): The process by which the entity understands its clients and the risk they potentially pose to the business. It involves gathering and verifying information about the customer's identity, beneficial owners and representatives. The Act identifies three kinds of CDD: Standard CDD, which applies to most NZ customers; Simplified CDD, which applies to a specified set of organisations, such as government departments, that represent a lower risk group; and Enhanced CDD, which applies in the specific situations set out in S22 of the Act.
- Written findings: All the above must be suitably documented, and any complex or unusually large transactions or unusual transactions with no obvious purpose must likewise be documented.
- Suspicious transaction reporting: policies, procedures and controls around what will be done when a suspicious transaction is detected and how these will be reported to the relevant authority.
- Record keeping: Records must be maintained for five years after a transaction takes place. Policies and procedures must describe how these records will be maintained, organised, protected and eventually destroyed.
- Products and transactions that favour anonymity: If the entity offers products or services that favour anonymity, the programme must identify how these will be monitored to detect AML/CFT activities.
- Managing and mitigating risk: Policies, procedures and controls around managing emerging risks from new products or services, or new or emerging AML/CFT methods.
- Ensuring compliance with AML/CFT programme: How the business will monitor and manage compliance with the programme on an ongoing basis, plus ensuring that branches and subsidiaries are included.
- Review of the programme: The AML/CFT programme must be reviewed internally on an ongoing basis to ensure that it remains current and any deficiencies are addressed, and any change in risk assessment is addressed in the programme.
Audit work
- Audit occurrence: The entity is required to ensure that an independent audit is carried out every three years, or at any other time that the AML/CFT supervisor requests it.
- Annual report: An annual report must be made to the AML/CFT supervisor, including declarations about the procedure in place for independent audits, when the last audit was undertaken, whether any deficiencies were highlighted, and whether the changes identified as necessary have been carried out.
- Audit process: We are checking that the AML/CFT risk assessment and the programme meet the minimum requirements and that the programme was adequate and effective throughout the period, and whether any changes are required.
- Audit of risk assessment: Whether the risk assessment document complies with the obligations in S58(3) of the Act. Auditors are not expected to audit the judgement calls made in the entity's risk assessment.
- Audit of the programme: Whether it complies with the obligations of S57 of the Act, whether the policies, procedures and controls are adequate, and whether they have operated effectively through the period.
- Items required for audit: We will require the following from the client as a minimum:
  - AML/CFT Risk Assessment documents
  - AML/CFT Programme
  - Documents relating to the development of the above
  - Access to staff members and senior officials
  - Access to files, customer records, transactions and outputs from AML/CFT systems
  - Disclosures of known instances of non-compliance
  - Results of monitoring and reviews of the risk assessment and AML/CFT system
- Level of assurance: The consensus is that these are best treated as limited assurance (negative conclusion) engagements, so our template is prepared on this basis.
- Engagement letter: Clearly describing the scope, level of assurance, outputs, access to records and staff and any other relevant items.
- Audit Report: The audit report must be in written form and express our view on whether the AML/CFT risk assessment and the AML/CFT programme comply with the requirements of the Act, and whether the programme is functioning in practice as required and intended, and has been over the course of the period. The report should also cover:
  - The period covered by the report
  - A title in the form of "Independent AML/CFT Audit"
  - Key findings: whether the requirements of the Act have been met, any not met, and an indication of where there are potential failings
  - A description of the methods used to determine the adequacy of the risk assessment and programme
  - Recommended course of action to rectify non-compliance
  - Date and signature of the auditor
- Letter of representation: Written representations would include statements concerning the responsibility of the client for compliance with the requirements of the Act, that the auditor was provided with all relevant information and access and that all relevant matters have been disclosed to the auditor.
- Management letter: Though not mandatory, we may also make suggestions on how to rectify non-compliance or identify areas for improvement in behaviour and practice.
- Reporting suspicious transactions: Under S43 of the Act, the auditor may submit suspicious transaction reports directly to the Police.
Note: The requirements of the Samoan Act and Regulations vary, but the overall thrust is the same: identification of risks, and policies, procedures and controls, including variations in CDD based on the customer profile. The template is specifically tailored for these requirements. The audit approach follows the NZ versions of the international standards, which are essentially the same as the IFAC versions. Reference is also made to the Samoan Money Laundering Prevention Guidelines.
Sources and further reading:
Ministry of Justice. Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (reprint 28 September 2017). http://www.legislation.govt.nz/act/public/2009/0035/latest/DLM2140720.html#DLM2140849
Reserve Bank of New Zealand. Guidelines for audits of risk assessments and AML/CFT programmes. https://www.rbnz.govt.nz/-/media/ReserveBank/Files/regulation-and-supervision/anti-money-laundering/guidance-and-publications/5067334.pdf?la=en
Financial Markets Authority. AML/CFT Programme Guidelines. https://fma.govt.nz/assets/Guidance/111213-aml-cft-programme-guideline.pdf
Department of Justice. Tackling money laundering and terrorist financing. https://justice.govt.nz/justice-sector-policy/key-initiatives/aml-cft/
Andrew Homes (DIA) and Andrew Sloman FCA (BDO). The AML/CFT Act – An added opportunity for other assurance services. CAANZ Audit Conference 2017 presentation.
Money Laundering Prevention Act 2007 (Samoa). https://www.cbs.gov.ws/assets/Uploads/DMS-2/2170Money-Laundering-Prevention-Act-MLPA-2007.pdf
Money Laundering Prevention Regulations 2009 (Samoa). https://www.cbs.gov.ws/assets/Uploads/DMS-2/2172Money-Laundering-Prevention-Reculations-2009.pdf
Money Laundering Prevention Guidelines 2010 (Samoa). https://www.cbs.gov.ws/assets/Uploads/DMS-2/2171Money-Laundering-Prevention-Guidelines-2010.pdf