AML/CFT Act audits represent a significant opportunity for auditors to expand their assurance services, with many more entities requiring audit within the next year or two.
Our original template was based on SAE 3100 (Revised), Compliance Engagements, ISAE (NZ) 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information, and SAE 3150, Assurance Engagements on Controls. We have used the CAANZ guidelines to assist with preparing our template and used the model Engagement Letter, Representation Letter, and Assurance Report from the Appendices.
We have now released an updated (2020) version of the "limited assurance" engagement, incorporating revisions based on suggestions and feedback from the first versions plus we are working on a "reasonable assurance" version.
In addition, we also have a version adapted for AML audit professionals who are not chartered accountants, leaving out the referencing to the standards, and with suitably updated audit reports and engagement letters. This called just "AML/CFT Limited Assurance Engagement".
The work-flow of the AML/CFT audit template is as follows:
- Complete acceptance/independence/engagement requirements
- Share pages to gather information from the client including their risk Assessment and AML/CFT programme
- Document and evaluate AML/CFT programme and risk assessment including walk-through tests of significant controls
- Materiality setting
- Identified risk analysis
- Plan and strategy
- Test of key controls to see if they extend across the period under review
- Compliance checklists for all the requirements of the AML/CFT Act
- Management representation letter, management report and breach evaluation
- Summary of assurance engagement process, and completion of final report with modifications as appropriate
The AML/CFT audit template is included with our "medium" and "large" audit packages, or may be purchased as an add on for "small" firms, or in stand-alone format for AML-only audit firms . Contact us for a demonstration or more details.
The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 ("the Act") came into effect on 30 June 2013 for “reporting entities”. Money laundering is how criminals disguise the illegal origins of their money. Financiers of terrorism use similar techniques to money launderers to avoid detection by authorities and to protect the identity of those providing and receiving the funds.
To maintain New Zealand’s image as corruption-free in the global economy this legislation has been adopted, to make the transfer of wealth from illegal activities into the economy or into terrorist activities more difficult, and to spot and track schemes set up to facilitate these activities. The process of implementing and supervising the whole thing is shared between the Reserve Bank, the Financial Markets Authority (FMA), and Internal Affairs (DIA).
Reporting entities were required to prepare a AML/CFT compliance programme in terms of the requirements of the Act. The first entities to be affected by the Act were Banks, Casinos and a range of Financial Service Providers.
The Act now includes a much broader range of entities including: Lawyers, Conveyancers and Businesses that provide Trust and Company Services (from 1 July 2018), Accountants (from 1 October 2018), Real Estate Agents (from 1 January 2019), Businesses trading in High Value Goods (from 1 August 2019) and the NZ Racing Board (also from 1 August 2019).
In terms of the standards the subject matter of the audit is the AML/CFT Programme established by the entity in terms of S56(1) of the Act. The purpose of the work is to provide assurance that the entity has complied with the requirements of the Act.
AML/CFT Programme Requirements
The programme sets out internal policies, procedures and controls designed to detect and identify activities within the entity that may be attempts to carry out money laundering and/or financing of terrorism. The programme also identifies ways to manage and mitigate risks of these things occurring:
- Policies set out expectations, standards and behaviours in the entity
- Procedures are more detailed and set out day to day operations
- Controls are tools that management use to ensure the business complies with policies and procedures
The programme is based on a risk assessment made by the compliance officer responsible for the programme in terms of S58 of the Act. The policies, procedures and controls must be adequate to reasonably address the risks identified in the risk assessment.
A suitable compliance officer must be selected to run the programme, and this person must report to a senior manager in the entity. This is usually an employee, but may be a senior manager or the business owner.
The following are minimum requirements of the Programme:
- Vetting: Policies, procedures and controls for vetting senior managers, the compliance officer and other employees involved in AML/CFT activities – to avoid hiring someone who may use the business of AML/CFT activities. This involves what background checks are required, and the level of checks depends on the risks identified.
- Training: Specifying what training will provided for senior managers, the compliance officer and other employees involved in AML/CFT activities, how and when this will take place.
- Customer Due Diligence (CDD): The process by which the entity understands it’s clients and the risk they potentially pose to the business. It involves gathering and verifying information about the customer’s identity, beneficial owners and representatives. The Act identifies three kinds of CDD: Standard CDD which applies to most NZ customers. Simplified CDD applies to specified set of organisations such as government departments who represent a lower risk group. Enhanced CDD applies when the specific situations arising in S22 of the Act arise.
- Written findings: All the above must be suitably documented, and any complex or unusually large transactions or unusual transactions with no obvious purpose must likewise be documented.
- Suspicious transaction reporting: policies, procedures and controls around what will be done when a suspicious transaction is detected and how these will be reported to the relevant authority.
- Record keeping: Record must be maintained for five years after a transaction takes place. Policy and procedure must describe how these records will be maintained, organised, protected and eventually destroyed.
- Products and transactions that favour anonymity: If the entity offers products or services that favour anonymity, the programme must identify how these will be monitored to detect AML/CFT activities.
- Managing and mitigating risk: Policies, procedures and controls around managing emerging risks from new products or services, or new or emerging AML/CFT methods.
- Ensuring compliance with AML/CFT programme: How the business will monitor and manage compliance with the programme on an ongoing basis, plus ensuring that branches and subsidiaries are included.
- Review of programme: The AML/CFT programme must be reviewed internally on an ongoing basis to ensure that it remains current and any deficiencies are addressed, and any change in risk assessment is addressed in the programme.
- Audit occurrence: The entity is required to ensure that an independent audit is carried out every two years, or at any other time that the AML/CFT supervisor requests it.
- Annual report: Must be made to the AML/CFT supervisor which includes declarations around what procedure is in place for independent audits, when the last audit was undertaken, if any deficiencies were highlighted, and whether the changed identified as necessary have been carried out.
- Audit process: We are checking that the AML/CFT risk assessment and programme meets the minimum requirements and that the programme was adequate and effective throughout the period, and whether any changes are required.
- Audit of risk assessment: Whether the risk assessment document complies with the obligations in S58(3) of the Act. Auditors are not expected the audit the judgement calls made in the entity’s risk assessment.
- Audit of programme: Whether it complies with the obligations of S57 of the Act, whether the policies, procedures and controls are adequate, and whether they have operated effectively through the period.
- Items required for audit: We will require the following from the client as a minimum:
- AML/CFT Risk Assessment documents
- AML/CFT Programme
- Documents relating to development of the above
- Access to staff member and senior officials
- Access to files, customer records, transactions and outputs from AML/CFT systems
- Disclosures of known instances of non-compliance
- Results of monitoring and reviews of risk assessment and AML/CFT system
- Level of assurance: It seems that the consensus is that these are best treated as limited assurance (negative conclusion) engagements so our template is prepared on this basis.
- Engagement letter: Clearly describing scope, level of assurance, outputs, access to records and staff and any other relevant items.
- Audit Report: The audit report must be in written form and express our view on whether the AML/CFT risk assessment and the AML/CFT programme comply with the requirements of the Act and whether the programme is functioning in practice as required and intended, and has been over the course of the period. The report should also cover:
- The period covered by the report
- A title in the form of “Independent AML/CFT Audit”
- Key findings – whether requirements of Act have been met, any not met, and an indication of where there are potential failings
- A description of methods used to determine adequacy of the risk assessment and programme
- Recommended course of action to rectify non-compliance
- Date and signature of auditor
- Letter of representation: Written representations would include statements concerning responsibility of client for compliance with requirements of Act, that the auditor was provided with all relevant information and access and that all relevant matters have been disclosed to the auditor.
- Management letter: Though not mandatory, we may also make suggestions on how to rectify non-compliance or identify areas for improvement in behaviour and practice.
- Reporting suspicious transaction: Under S 43 of the Act, the auditor may submit suspicious transaction reports direct to the Police.
Sources and further reading:
Ministry of Justice. Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (reprint 28 September 2017). http://www.legislation.govt.nz/act/public/2009/0035/latest/DLM2140720.html#DLM2140849
Reserve Bank of New Zealand. Guidelines for audits of risk assessments and AML/CFT programmes. https://www.rbnz.govt.nz/-/media/ReserveBank/Files/regulation-and-supervision/anti-money-laundering/guidance-and-publications/5067334.pdf?la=en
Financial Markets Authority. AML/CFT Programme Guidelines https://fma.govt.nz/assets/Guidance/111213-aml-cft-programme-guideline.pdf
Department of Justice. Tackling money laundering and terrorist financing https://justice.govt.nz/justice-sector-policy/key-initiatives/aml-cft/
Andrew Homes (DIA) and Andrew Sloman FCA (BDO). The AFL/CFT Act – An added opportunity for other assurance services. CAANZ Audit Conference 2017 presentation.