We were asked recently what impact the AML/CFT laws have on regular audit work and whether we would be adding content to cover this.
- Is the auditor exposed to extra risk and is there a need to update engagement letters to specifically address an obligation to report transactions found that could trigger a need to report any suspicious activity?
- How does your audit work impact your firm risk assessment and AML compliance programme?
- Is there a new NOCLAR risk in term of AML - especially if auditing an entity that is subject to AML/CFT regulations, even though the auditor is not necessarily carrying out an AML audit on the entity. Should engagement letters be updated to include this?
The DIA Guidelines for accountants (p17) say:
- "In general, financial auditing and other assurance services are not captured by the AML/CFT Act, so you will not be required to apply your compliance programme to clients who are only requesting these kinds of services."
- "You may be requested to provide AML/CFT auditing services to businesses which, by virtue of their being either a financial institution or a DNFBP, are required to comply with the AML/CFT Act. Similarly, this activity is not captured by the AML/CFT Act and you will not have to apply your compliance programme to it."
- "If, however, in the course of your (financial or AML/ CFT) auditing or other assurance procedures you have reasonable grounds to suspect that an activity is relevant to the potential investigation or prosecution of any person for a money laundering or other offence, you should consider your obligations to report that activity to the FIU.”
So generally your audit work falls outside of your AML requirements, except where in your work you stumble across a suspicious activity of some sort. So what are the obligations mentioned above and should we be specifically mentioning them in our engagement letter?
I asked Zowie Pateman from CAANZ for her opinion on this. She said:
"This is with reference to section 43 of the Act (Auditors may report suspicious activities). Also see page 12 of the Suspicious Activity Reporting Guideline. It comes under the existing NOCLAR provisions in section 225 of the Code of Ethics. You will see that PES 1paragraph 225.6 refers to “money laundering, terrorist financing and proceeds of crime” as an example of laws and regs that the section addresses. I wouldn’t have thought it necessary to explicitly reference the AML/CFT Act in the engagement letter but no other applicable laws and regs."
On this basis and in discussion with some other users we are taking the following position:
- We haven't amended the engagement letters within Audit Assistant as there is already provision in these that "we will comply with ethical requirements" - which covers the “money laundering, terrorist financing and proceeds of crime” issues mentioned above.
- The AML/CFT legislation does not compel the auditor to report - only that they "may report suspicious activities" - it is up to your judgement but I would suggest there is a general ethical responsibility to do so, and the legislation gives you permission to do so.
- To prompt auditors to consider these issues, we have added an extra section into the Laws and Regulations page in the "D" section asking whether the entity is subject to AML reporting and if so, have they had an AML audit and what were the results, and also prompting the auditor to be aware that if they do find unreported AML transactions that they should (may?) report them (even if not a reporting entity under the AML legislation).
Of course you may have a different take on this - please feel free to let us know.