Independent Audit Webinar Transcript
Welcome to this webinar on your audit obligation – commonly referred to as your “independent audit” or the “AML/CFT audit”. We know for many of our businesses that 2020 is the first year you are required to have an audit of your risk assessment and AML/CFT programme. That’s why we have created this webinar to help you understand this obligation, and how to get the most out of your first AML/CFT audit.
Before I get started, it’s important you know that there is guidance available on our website to help you understand your audit obligation. You should see on the screen now where to find the audit guideline published by all three supervisors.
First up, let’s look at the audit obligation and what is required of you…
You are required to have an audit of your risk assessment and AML/CFT programme conducted by an appropriately qualified and independent individual every two years, and to keep adequate records of your audit. Please note that an independent audit is different to a review or inspection that the Department may conduct on your business. It is also different to the internal review of your programme.
An independent audit will help ensure that your policies, procedures and controls are adequate and effective, and identify any shortcomings that need to be remediated. It will help to reassure you that you are complying with your obligations under the Act, and that you are protecting your business from the risks of money laundering and terrorism financing. We would expect that your AML/CFT programme would demonstrate an understanding of the audit obligation and note when your last audit was undertaken.
Now let’s move on to the auditor…
Your audit must be carried out by an independent person appointed by you, who is appropriately qualified to conduct the audit. “Independent” includes the requirement that the person must not have been involved in the undertaking of your risk assessment or the creation or operation of your AML/CFT programme. You should also consider other actual, potential or perceived conflicts of interest that may call into question their independence. There are many aspects to consider when determining whether someone is independent enough to complete your audit, such as:
- Were they involved in the development of your risk assessment?
- Were they involved in the creation, implementation or maintenance of your AML/CFT programme?
- Do they have a financial interest in your business?
- Would this interest be harmed by, or interfere with, the outcome?
- Do you have a financial interest in their business? Would this interest be harmed by or interfere with the outcome?
- Does the auditor have any relationship with any shareholder, director, senior management and/or employees, for example, family, friends, ex-colleagues?
So, as I have already stated, your audit must be carried out by an independent person appointed by you, who is appropriately qualified to conduct the audit. The person who performs your audit needs to be appropriately qualified but does not need to be a Chartered Accountant or otherwise qualified to perform a financial audit. We consider appropriately qualified to mean the person must have relevant skills or experience to conduct the assurance engagement. At this time there is no approved or endorsed list of AML/CFT auditors. Therefore, you will need to be confident on whether they are appropriately qualified as you may have to explain to us how you have considered the qualifications of your selected auditor to be appropriate. This includes having knowledge of the Act, and its supporting regulations, as well as audit experience or sufficient knowledge of audit processes. There are many aspects to consider when determining if someone is appropriately qualified:
- What level of knowledge do they have about AML/CFT?
- Do they understand the Act and its supporting regulations?
- Do they know the Codes of Practice and guidelines?
- If they haven’t had direct experience developing or implementing a risk assessment and AML/CFT programme, how can they then demonstrate the level of knowledge required in order to effectively audit these documents and their implementation?
- Do they have audit experience? Ideally your auditor should have experience conducting an audit. If they don’t, they should demonstrate how they have sufficient knowledge of audit processes in order to effectively undertake your audit; maybe they have been a recipient of an AML/CFT audit.
- Have they been a compliance officer at another, similar reporting entity to your own (it may be similar in terms of size, sector, service offerings etc.)?
- How much knowledge do they have of your industry, and how can they demonstrate this?
- Have they participated in an industry or government AML/CFT seminar, workshop or informative event?
- Do they have a relevant AML/CFT qualification or accreditation, or work or experience for a New Zealand AML/CFT consultancy?
You can determine for yourself the best time to have your audit conducted within your two-year timeframe. You are responsible for your own compliance with the audit requirements, so it is advisable to plan ahead. New reporting entities should consider having their audits completed early. Bringing forward your audit will provide you with a number of benefits including:
- audit resources to perform the independent review will be more readily available;
- early independent assurance around your AML/CFT programme compliance;
- a properly planned and executed independent audit performed to an appropriate standard may reduce the likelihood that your supervisor will need to visit you for a supervisory visit, as supervision is conducted on a risk-based approach.
If you do have an early audit, your next one will be due two years after your audit is completed.
When it comes to audits, there are different levels of assurance available to you. This is an accounting term and it may not mean much to your business, but it could be important to understand if your consultant offers a choice. The Act does not require a specific level of assurance; however, each reporting entity will need to balance the costs of the audit against the degree of confidence required from the audit. An auditor can perform either a ‘reasonable’ or a ‘limited’ assurance audit. While the design of your AML/CFT programme’s policies, procedures and controls will be assessed, to offer a reasonable assurance opinion, your auditor will likely test a larger number of samples to see how they are working in practice. This results in a more reasonable basis of assurance. A limited assurance engagement still involves assessing the design of your AML/CFT Programme’s policies, procedures and controls but involves less work effort than a reasonable assurance engagement, meaning a smaller number of samples may be tested or a targeted testing approach may be undertaken. This means the opinion offered by your auditor as to compliance with the Act is ‘limited’.
Auditors can only provide an opinion based on the information they have gained access to and for this reason, auditors cannot be expected to guarantee that a reporting entity is “absolutely” compliant. Your audit is an independent assessment of whether your reporting entity’s policies, procedures and controls, are adequate and effective at ensuring that you comply with your AML/CFT obligations.
The person conducting your audit is required to assess whether:
- your risk assessment identifies the ML/TF risks your business faces
- your policies, procedures and controls in your AML/CFT programme are based on your risk assessment
- your policies, procedures and controls comply with the Act, and
- your policies, procedures and controls are adequate and effective.
The person conducting your audit is likely to follow this high-level process: First, they will request and review your risk assessment and AML/CFT programme. The second step is to assess whether you are complying with the policies, procedures and controls in your AML/CFT programme.
The next questions are:
- Whether the policies, procedures and controls you have in place are adequate and effective?
- Are there areas that do not comply with the Act?
- And whether any changes are needed?
These questions can only be answered by looking at samples of onboarding files to assess Customer Due Diligence requirements, transaction monitoring alerts, suspicious activity or prescribed transaction reporting. Specifically, the person conducting your audit will ask about:
- Your risk assessment and your process for updating it
- Whether your AML/CFT programme is based on your risk assessment
- Whether your AML/CFT programme meets the minimum requirements of the Act such as staff vetting and training, customer due diligence (CDD), reporting and record keeping.
- Your compliance officer, whether they understand their responsibilities and how they execute them
- Whether you are complying with your AML/CFT programme and whether it is adequate, effective and kept up to date, and
- Your process for implementing new AML/CFT policies, procedures and controls when required.
At the end of the audit process you will receive an audit report from the person conducting your audit. The audit report should clearly identify: your reporting entity, the period covered, details about the auditor, including consideration of their independence and qualifications, the scope of the audit, the responsibilities of both parties, the approach to the audit, a summary of findings and any identified deficiencies, and a conclusion or opinion.
The audit report may include actions that are required to rectify non-compliance as well as identifying areas for recommended improvement in behaviour and practice. This includes an indication of where there are potential failings and a recommended course of action. Non-compliance or partial compliance identified in the audit report must be addressed. How each reporting entity responds to these issues is their responsibility.
We have released a statement that confirms that no adverse compliance action will be taken against any DNFBP not able to complete its first independent audit by the relevant deadline, providing they have acted in good faith. If you are in this situation, you should be able to explain how COVID-19 affected your ability to complete your audit and be able to demonstrate steps taken to do so upon lifting of Alert Levels. The independent audit must be completed as soon as practicable in the circumstances. We also note that some reporting entities, where relevant staff and auditors are working remotely and have access to all required documents, may be unaffected. These entities should complete their audits by the current deadline.
Lastly, if you are a financial institution who is having problems having an AML/CFT audit conducted please get in touch with us and let us know. And that concludes the audit webinar. Thank you for watching.