What to Look for When Choosing an AML Auditor

By Tadius Munapeyi, Fellow Chartered Certified Accountant (UK), Certified Public Accountant (Australia) PP, Licensed Auditor (FMA) New Zealand, ACAMS


Regardless of size or type of organisation, audits offer crucial insights into the functioning of the AML processes and procedures.


Audits identify compliance issues, and good Auditors provide detailed reports which articulate the issues in the AML process and provide pragmatic suggestions for remediation. They invest time in understanding your business and operations, and provide a bespoke audit process tailored to your company. Good auditors also have a structured methodology based on audit frameworks that ensure effectiveness and quality.


The Regulations do not prescribe qualifications of AML auditors, however, good auditors are members of reputable professional bodies and are subject to quality reviews by their regulator. Auditor status is commensurate with vigorous training including ongoing CPD obligations, experience, dedication, and the requirement to uphold ethical values. All of which are essential for client satisfaction and value.


The Importance of Undertaking Audits and How to Get the Most Out of an Audit


Ensures Integrity of the AML Process


An audit identifies what’s working and what’s not working, which provides an opportunity for remediation of the compliance documents; processes; and procedures where necessary.


Frequent audits ensure issues are identified and resolved early


Issues can arise and may go undetected for a long time, exposing the company to AML risk and non-compliance with the regulations. A common scenario is where there is staff turnover or staff movement within the organisation of the key personnel performing the AML tasks, including the Compliance Officer. Procedures may not be followed due to lack of awareness or knowledge.


Regulatory changes and updates may require changes to be made to the Risk Assessment documents or Compliance Programme. These changes may not be updated in time, nor translated to the firm’s actual procedures. Audits provide an opportunity for these issues to be identified and corrective changes made timeously.


Ensures remediation changes are independently reviewed timeously


Issues identified resulting from an audit will require changes to the process or introduction of a control. Once this has been implemented, management may be informed on the effectiveness of the new change in the following audit performed. Waiting for 3 years to verify the process of control’s effectiveness is not ideal. There may be a need to make changes to ensure there is ongoing overall efficiency in the business while compliance is maintained; also, the design effectiveness and operating effectiveness of the control will need assessment.


Fosters and Control Centric culture


Regular audits encourage staff to consistently apply diligence in executing AML procedures. This reduces the burden of management having to over communicate the requirement for staff to follow AML procedures.


Provides management with regular feedback on process


Frequent feedback to management, for example, annual feedback on the company’s performance on AML compliance provides peace of mind that there is a third eye monitoring the process and reporting to management. It enables management to focus their attention on running the business.


Reduces surprises


Audits are done verifying adherence to compliance requirements throughout a reporting period. Waiting to find out about compliance for a three year period is not effective and does not provide management with the opportunity to remediate issues timeously. Having to call back archived files from three years ago for an audit can use up staff resources to collate the information and respond to the findings of the historical issues.


Regular audits ensure issues are identified timeously and resolved. They also enable follow up on changes made and enable updates where necessary.


Ensures consistency of procedures


Regular audits encourage staff to consistently apply diligence in executing AML procedures. This reduces the burden of management having to over communicate the requirement for staff to follow AML procedures.


It is important to plan ahead of the audit and get as much information from the auditor as required. Regular dialogue with the auditor during the audit ensures you are updated and can plan your staff resources adequately to avoid disruption to your normal business processes during this time, as staff may be required to assist with information.


A meeting to discuss the issues identified by the audit is important, in order to clarify the areas that you are concerned with. You understand your business better than the auditor and, at times, challenging the findings from the audit will not only provide clarification for the auditor, but may result in a change of the findings following corroboration of facts.


Get an experienced auditor at the outset and you can have issues resolved and agreed timeously.


Changes Faced


Disparate Filing of Documents


Each reporting entity is unique, and has its own processes and systems. Most of the reporting entities I have come across have a manual operating system and use manual files. Documents have not always been available readily, especially for repeat customers where CDD procures would have been done in the past, and reliance on the Identity copy documents has been filed in an archived file. It is important to ensure that files provided for the audit are complete and readily available.


Key Personnel Staff Turnover


The Compliance Officer role is integral to the effective operation of the AML process. Where a compliance officer has moved on and the new incumbent is having to respond to questions for a period when they were not part of the organisation, delays in obtaining information and valid explanations can occur, affecting the reporting.


Template Approach of Risk Assessment and Compliance Program


We have identified templates that have not been tailored for the business and they still have generic instructions on them. This results in a long report outlining all the issues which have not been complied with.


Management may only focus on CDD Procedures only


The AML Compliance covers various areas which include compliant documents; compliant processes and procedures; assurance framework, governance, training, staff vetting, ongoing monitoring, prescribed transaction reporting; and suspicious transaction reporting. At times, we find that the CDD process has been executed perfectly, however, the other key areas would not have been done so well.


Last Minute Audits


Some organisations may leave audits to the end of the reporting timeframe and try to complete it in a rush. They have been disappointed several times when we advised them that adequate time was required and they could miss the deadlines due to leaving it to the last minute. Audits follow quality standards and require adequate time.


Audits can be done at any time during the specified period by the regulations. Audits can also be done multiple times. This is of benefit to the clients in that they can plan accordingly for the audit to ensure they are not pressured, and sufficient time is available for the audit.



Tadius Munapeyi

A seasoned professional with over 20 years of professional practice experience most of which has been gained from Big-4 firms EY and PWC. Strong technical experience in financial statements audits, NZIFRS implementation, internal audit, IT Audit, AML Audit, and Consulting.


Strong knowledge of Sarbanes Oxley (Sox), and COSO frameworks. Tadius sits on the CPA Australia Public Practice Committee for NZ; the committee promotes the interest of members and represents public practitioners in NZ. He has been involved with the Association of Chartered Certified Accountants in the past as a Panel Member for Australia and NZ. Tadius is a member of ACAMS (Association of Certified Anti Money Laundering Specialists), the global association for AML.



For more information on non-compliance, visit our printable resources page to get access to our non-compliance checklist.