Anti-Money Laundering and Countering Financing of Terrorism Audits


AML/CFT Act audits represent a significant opportunity for auditors to expand their assurance services, with many more entities requiring audit within the next year or two.

The work-flow of the AML/CFT Limited Assurance Compliance Engagement template is as follows:

  • Normal acceptance/independence/engagement requirements
  • Gathering information from client including their Risk Assessment and AML/CFT Programme
  • Documenting and evaluating the AML/CFT Programme and Risk Assessment, including walk-through tests of significant controls
  • Materiality setting, identified risk analysis and strategy
  • Testing of key controls to see if they extend across the period under review
  • Compliance checklists for all the requirements of the AML/CFT Act
  • Management representation letter, and management report and breach evaluation
  • Summary of assurance engagement process, and completion of final report with options for modifications 

Our template is based on SAE 3100 (Revised), Compliance Engagements, ISAE (NZ) 3000 (Revised), Assurance Engagements Other than Audits or Reviews of Historical Financial Information and SAE 3150, Assurance Engagements on Controls. It includes assurance reports based on those recommended by CAANZ. 

We are also working on a new version tailored to AML audit professionals who are not chartered accountants, leaving out the references to the standards and with a suitably updated audit report.

For existing subscribers, go to the "Compliance Audits" tab, select new job, and you will see the option to create a new job using this template.

For new users go to our signup page and select the AML/CFT Audits option.


Note that CAANZ has released their guidelines to practitioners - these are available to members here. We have used these to assist with preparing our template and used the model Engagement Letter, Representation Letter, and Assurance Report from the Appendices.



The Anti-Money Laundering and Countering Financing of Terrorism Act 2009 ("the Act") came into effect on 30 June 2013 for “reporting entities”. Money laundering is how criminals disguise the illegal origins of their money. Financiers of terrorism use similar techniques to money launderers to avoid detection by authorities and to protect the identity of those providing and receiving the funds. 


If you want to get some background on why this legislation has been introduced, I suggest watching the Tom Cruise movie “American Made”. It is based on the true story of Barry Seal, a former commercial pilot who in the 1980s flew missions for the CIA and became a drug smuggler for the Medellín Cartel. In order to avoid jail time, he became an informant for the DEA. It’s a bit over the top but it’s a fun watch and you get the idea how easy money laundering from illegal operations has been - and where there is easy money there will likely be all manner of corrupt activities.

To maintain New Zealand’s image as corruption-free in the global economy this legislation has been adopted, to make the transfer of wealth from illegal activities into the economy or into terrorist activities more difficult, and to spot and track schemes set up to facilitate these activities. Implementation and supervision of the regime is shared between the Reserve Bank, the Financial Markets Authority (FMA), and the Department of Internal Affairs (DIA).

Reporting entities were required to prepare an AML/CFT compliance programme in terms of the requirements of the Act. The first entities to be affected by the Act were banks, casinos and a range of financial service providers.

The Act has recently been updated to include a much broader range of entities including: Lawyers, Conveyancers and Businesses that provide Trust and Company Services (from 1 July 2018), Accountants (from 1 October 2018), Real Estate Agents (from 1 January 2019), Businesses trading in High Value Goods (from 1 August 2019) and the NZ Racing Board (also from 1 August 2019).

This affects accountants and auditors in a number of ways:

  • From 1 October 2018 accountants may need to prepare their own AML/CFT compliance programme and have it audited (see below*)
  • Accountants and auditors are in a great position to assist clients with setting up AML/CFT compliance programmes
  • The programmes are required to be audited every two years, and this presents auditors with a new opportunity to offer their services for this work

Any “appropriately qualified” person may perform these audits (they are not restricted to chartered accountants). Those with an audit background will obviously be a first choice.

For the chartered accountant, the appropriate frameworks for this type of job will be:

  • SAE 3100 (Revised) - Compliance Engagements
  • ISAE (NZ) 3000 (Revised) - Assurance Engagements Other than Audits or Reviews of Historical Financial Information
  • SAE 3150 - Assurance Engagements on Controls.

In terms of these standards the subject matter of the audit is the AML/CFT Programme established by the entity in terms of S56(1) of the Act. The purpose of the work is to provide assurance that the entity has complied with the requirements of the Act.

AML/CFT Programme Requirements

The programme sets out internal policies, procedures and controls designed to detect and identify activities within the entity that may be attempts to carry out money laundering and/or financing of terrorism. The programme also identifies ways to manage and mitigate risks of these things occurring:

  • Policies set out expectations, standards and behaviours in the entity
  • Procedures are more detailed and set out day to day operations
  • Controls are tools that management use to ensure the business complies with policies and procedures

The programme is based on a risk assessment made by the compliance officer responsible for the programme in terms of S58 of the Act. The policies, procedures and controls must be adequate to reasonably address the risks identified in the risk assessment.

A suitable compliance officer must be selected to run the programme, and this person must report to a senior manager in the entity. This is usually an employee, but may be a senior manager or the business owner.

The following are minimum requirements of the Programme:

  • Vetting: Policies, procedures and controls for vetting senior managers, the compliance officer and other employees involved in AML/CFT activities – to avoid hiring someone who may use the business for money laundering or terrorism financing. This involves specifying what background checks are required; the level of checks depends on the risks identified.
  • Training: Specifying what training will be provided for senior managers, the compliance officer and other employees involved in AML/CFT activities, and how and when this will take place.
  • Customer Due Diligence (CDD): The process by which the entity understands its clients and the risk they potentially pose to the business. It involves gathering and verifying information about the customer’s identity, beneficial owners and representatives. The Act identifies three kinds of CDD: Standard CDD, which applies to most NZ customers; Simplified CDD, which applies to a specified set of organisations such as government departments that represent a lower risk group; and Enhanced CDD, which applies in the specific situations set out in S22 of the Act.
  • Written findings: All the above must be suitably documented, and any complex or unusually large transactions or unusual transactions with no obvious purpose must likewise be documented.
  • Suspicious transaction reporting: policies, procedures and controls around what will be done when a suspicious transaction is detected and how these will be reported to the relevant authority.
  • Record keeping: Records must be maintained for five years after a transaction takes place. Policy and procedure must describe how these records will be maintained, organised, protected and eventually destroyed.
  • Products and transactions that favour anonymity: If the entity offers products or services that favour anonymity, the programme must identify how these will be monitored to detect AML/CFT activities.
  • Managing and mitigating risk: Policies, procedures and controls around managing emerging risks from new products or services, or new or emerging AML/CFT methods.
  • Ensuring compliance with AML/CFT programme: How the business will monitor and manage compliance with the programme on an ongoing basis, plus ensuring that branches and subsidiaries are included.
  • Review of programme: The AML/CFT programme must be reviewed internally on an ongoing basis to ensure that it remains current and any deficiencies are addressed, and any change in risk assessment is addressed in the programme.

Audit work

  • Audit occurrence: The entity is required to ensure that an independent audit is carried out every two years, or at any other time that the AML/CFT supervisor requests it.
  • Annual report: Must be made to the AML/CFT supervisor and includes declarations around what procedure is in place for independent audits, when the last audit was undertaken, whether any deficiencies were highlighted, and whether the changes identified as necessary have been carried out.
  • Audit process: We are checking that the AML/CFT risk assessment and programme meets the minimum requirements and that the programme was adequate and effective throughout the period, and whether any changes are required.
  • Audit of risk assessment: Whether the risk assessment document complies with the obligations in S58(3) of the Act. Auditors are not expected to audit the judgement calls made in the entity’s risk assessment.
  • Audit of programme: Whether it complies with the obligations of S57 of the Act, whether the policies, procedures and controls are adequate, and whether they have operated effectively through the period.
  • Items required for audit: We will require the following from the client as a minimum:
    • AML/CFT Risk Assessment documents
    • AML/CFT Programme
    • Documents relating to development of the above
    • Access to staff members and senior officials
    • Access to files, customer records, transactions and outputs from AML/CFT systems
    • Disclosures of known instances of non-compliance
    • Results of monitoring and reviews of risk assessment and AML/CFT system
  • Level of assurance: It seems that the consensus is that these are best treated as limited assurance (negative conclusion) engagements so our template is prepared on this basis.
  • Engagement letter: Clearly describing scope, level of assurance, outputs, access to records and staff and any other relevant items.
  • Audit Report: The audit report must be in written form and express our view on whether the AML/CFT risk assessment and the AML/CFT programme comply with the requirements of the Act and whether the programme is functioning in practice as required and intended, and has been over the course of the period. The report should also cover:
    • The period covered by the report
    • A title in the form of “Independent AML/CFT Audit”
    • Key findings – whether the requirements of the Act have been met, any not met, and an indication of where there are potential failings
    • A description of methods used to determine adequacy of the risk assessment and programme
    • Recommended course of action to rectify non-compliance
    • Date and signature of auditor
  • Letter of representation: Written representations would include statements concerning responsibility of client for compliance with requirements of Act, that the auditor was provided with all relevant information and access and that all relevant matters have been disclosed to the auditor.
  • Management letter: Though not mandatory, we may also make suggestions on how to rectify non-compliance or identify areas for improvement in behaviour and practice.
  • Reporting suspicious transactions: Under S43 of the Act, the auditor may submit suspicious transaction reports direct to the Police.

When do accountants need to prepare their own AML/CFT programme?

  • If acting as a formation agent of legal persons or legal arrangements,
  • If acting as, or arranging for a person to act as, a nominee director or nominee shareholder or trustee in relation to legal persons or legal arrangements,
  • If providing a registered office or a business address, a correspondence address, or an administrative address for a company, or a partnership, or any other legal person or arrangement (unless it's solely for a service which isn't covered by the Act),
  • If managing client funds, accounts, securities, or other assets, providing services (either yourself, or when you give instructions to someone else) to:
    • carry out a real estate transaction (as defined in section 4 of the Real Estate Agents Act 2008).
    • carry out a transaction on behalf of any person in relation to the buying, transferring or selling of a business or legal person (for example, a company) and any other legal arrangement; or creating, operating, and managing a legal person and any other legal arrangement.
    • transfer a beneficial interest in land or other real property.

Sources and further reading:

Ministry of Justice. Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (reprint 28 September 2017).

Reserve Bank of New Zealand. Guidelines for audits of risk assessments and AML/CFT programmes.

Financial Markets Authority. AML/CFT Programme Guidelines

Department of Justice. Tackling money laundering and terrorist financing

Andrew Homes (DIA) and Andrew Sloman FCA (BDO). The AML/CFT Act – An added opportunity for other assurance services. CAANZ Audit Conference 2017 presentation.
