Independent Audit Webinar Transcript

Welcome to this webinar on your audit obligation – commonly referred to as your “independent audit” or the “AML/CFT audit”. We know for many of our businesses that 2020 is the first year you are required to have an audit of your risk assessment and AML/CFT programme. That’s why we have created this webinar to help you understand this obligation, and how to get the most out of your first AML/CFT audit.

Before I get started, it’s important you know that there is guidance available on our website to help you understand your audit obligation. You should see on the screen now where to find the audit guideline published by all three supervisors.

First up, let’s look at the audit obligation and what is required of you…

You are required to have an audit of your risk assessment and AML/CFT programme conducted by an appropriately qualified and independent individual every two years, and to keep adequate records of your audit. Please note that an independent audit is different to a review or inspection that the Department may conduct on your business. It is also different to the internal review of your programme.

An independent audit will help ensure that your policies, procedures and controls are adequate and effective, and identify any short-comings that need to be remediated. It will help to reassure you that you are complying with your obligations under the Act, and that you are protecting your business from the risks of money laundering and terrorism financing. We would expect that your AML/CFT programme would demonstrate and understanding of the audit obligation and notes when your last audit was undertaken.

Now let’s move on to the auditor…

Your audit must be carried out by an independent person appointed by you, who is appropriately qualified to conduct the audit. “independent” includes the requirement that the person must not have been involved in the undertaking of your risk assessment or the creation or operation of your AML/CFT programme. You should also consider other actual, potential or perceived conflicts of interest that may call into question their independence. There are many aspects to consider when determining whether someone is independent enough to complete your audit such as:

So, as I have already stated, your audit must be carried out by an independent person appointed by you, who is appropriately qualified to conduct the audit. The person who performs your audit needs to be appropriately qualified but does not need to be a Chartered Accountant or otherwise qualified to perform a financial audit. We consider appropriately qualified to mean the person must have relevant skills or experience to conduct the assurance engagement. At this time there is no approved or endorsed list of AML/CFT auditors. Therefore, you will need to be confident on whether they are appropriately qualified as you may have to explain to us how you have considered the qualifications of your selected auditor to be appropriate. This includes having knowledge of the Act, and its supporting regulations, as well as audit experience or sufficient knowledge of audit processes. There are many aspects to consider when determining if someone is appropriately qualified:

You can determine for yourself the best time to have your audit conducted within your two-year timeframe. You are responsible for your own compliance with the audit requirements, so it is advisable to plan ahead. New reporting entities should consider having their audits completed early. Bringing forward your audit will provide you with a number of benefits including:

If you do have an early audit, your next one will be due two years after your audit is completed.

When it comes to audits, there are different levels of assurance available to you. This is an accounting term and it may not mean much to your business, but it could be important to understand if your consultant offers a choice. The Act does not require a specific level of assurance; however, each reporting entity will need to balance the costs of the audit against the degree of confidence required from the audit. An auditor can perform either a ‘reasonable’ or a ‘limited’ assurance audit. While the design of your AML/CFT programme’s policies, procedures and controls will be assessed, to offer a reasonable assurance opinion, your auditor will likely test a larger number of samples to see how they are working in practice. This results in a more reasonable basis of assurance. A limited assurance engagement still involves assessing the design of your AML/CFT Programme’s policies, procedures and controls but involves less work effort than a reasonable assurance engagement, meaning a smaller number of samples maty be tested or a targeted testing approach may be undertaken. This means the opinion offered by your auditor as to compliance with the Act is ‘limited’.

Auditors can only provide an opinion based on the information they have gained access to and for this reason, auditors cannot be expected to guarantee that a reporting entity is “absolutely” compliant. Your audit is an independent assessment of whether your reporting entity’s policies, procedures and controls, are adequate and effective at ensuring that you comply with your AML/CFT obligations.

The person conducting your audit is required to assess whether: your risk assessment identifies the ML/TF risks your business faces your policies, procedures and controls in your AML/CFT programme are based on your risk assessment your policies, procedures and controls comply with the Act, and your policies, procedures and controls are adequate and effective.

The person conducting your audit is likely to follow this high-level process: First, they will request and review your risk assessment and AML/CFT programme. The second step is to assess whether you are complying with the policies, procedures and controls in your AML/CFT programme.

The next questions are:

These questions can only be answered by looking at samples of onboarding files to assess Customer Due Diligence requirements, transaction monitoring alerts, suspicious activity or prescribed transaction reporting. Specifically, the person conducting your audit will ask about:

At the end of the audit process you will receive an audit report from the person conducting your audit. The audit report should clearly identify: your reporting entity, the period covered, details about the auditor, including consideration of their independence and qualifications, the scope of the audit, the responsibilities of both parties, the approach to the audit, a summary of findings and any identified deficiencies, and a conclusion or opinion.

The audit report may include actions that are required to rectify non-compliance as well as identifying areas for recommended improvement in behaviour and practice. This includes an indication of where there are potential failings and a recommended course of action. Non-compliance or partial compliance identified in the audit report must be addressed. How each reporting entity responds to these issues is their responsibility.

We have released a statement that confirms that no adverse compliance action will be taken against any DNFBP not able to complete its first independent audit by the relevant deadline, providing they have acted in good faith. If you are in this situation, you should be able to explain how COVID-19 affected your ability to complete your audit and be able to demonstrate steps taken to do so upon lifting of Alert Levels. The independent audit must be completed as soon as practicable in the circumstances. We also note that some reporting entities, where relevant staff and auditors are working remotely and have access to all required documents, may be unaffected. These entities should complete their audits by the current deadline.

Lastly, if you are a financial institution who is having problems having an AML/CFT audit conducted please get in touch with us and let us know. And that concludes the audit webinar. Thank you for watching.

If you have any questions, please email us at AMLCFT@dia.govt.nz or call us on 0800 257 887.