This article is based on a Jade ThirdEye Spotlight on AML podcast, which featured AML/CFT auditing specialist Martin Dilly, who spoke on AML Programme Audits, Independent Reviews, and Assurance.
What is the biggest risk associated with your auditing and reviewing obligations?
Well, the biggest risk is not to get an audit or review done at all, as it is a crucial requirement under the AML/CFT Act. If you fail to get one done, it will be considered a breach of the AML/CFT Act and your supervisor will undoubtedly have a view on that and how to follow that up.
Ineffective AML programmes put communities at risk
Suppose you don't get an audit done, or you have an ineffective AML programme. In that case, you are likely missing out on that extra line of defence, being able to protect your customers and the broader community from the harms of money laundering and the financing of terrorism. AML audits and independent reviews allow you to improve your AML programme to stop your organisation from being a vehicle for advancing criminal activity.
Inadequate AML audits leave reporting entities exposed
The second biggest risk would be having an inadequate audit, where the auditor has not done a thorough job or looked into everything they were supposed to given your risk profile. It could be that the auditor lacks adequate knowledge of the AML legislation itself, your business, or a thorough understanding of your sector and the intricacies that may impact your AML programme. These are things that you should be talking about with your auditors ahead of time.
Ineffective AML programmes think short term
A lack of preparedness from both the reporting entity and the auditor can increase the chances of a poor outcome. Preparedness does not mean running around the month before the auditor turns up, quickly trying to make new registers and backfill things.
Organisations who are well prepared for audits form healthy habits around their AML programme. These habits include making sure you are training your staff; you have detailed records; your registers are up-to-date; and you have documented everything to demonstrate your compliance. You also need to be ready to share these with the auditors.
Any auditor will be able to pick up where things have been done at the last moment, and they'll realise that you only did it for the previous month, but not for the preceding 23 months. Indeed, there's a lot of cost and stress associated with trying to get things organised at the last minute, whereas if you have a good programme operating all the time, it's a better outcome overall.
Remember, auditors are not there to catch you out but to help you. It's better an auditor finds something and outlines a remedy than having an issue you are not aware of being picked by your supervisor.
Reporting entities having the wrong mindset with audits and reviews
A common mindset that many have with audits and reviews is that they exist for auditors and reviewers to come in and find things that need to be fixed. While this is true, a better approach is to flip this perspective and instead think about how you will demonstrate to this person that you're compliant against each of the obligations? How can you show your staff are well trained? How do you exhibit you're monitoring for all your risks?
Suppose you can instil this kind of thinking in your whole team. In that case, your people will be more likely to be challenging themselves to adopt this 'self-audit' approach, so they will always be in a good position to demonstrate your AML/CFT programme's effectiveness.
Martin Dilly is an AML auditor advisor, who has consulted full time as an AML/CFT specialist since 2012. Martin has assisted hundreds of entities across every sector through the provision of audit consulting and training services in New Zealand, Australia, Samoa, and Vanuatu.