The Department of Internal Affairs

The Department of Internal Affairs

Te Tari Taiwhenua

Building a safe, prosperous and respected nation

 

Services › Anti-Money Laundering › AML/CFT Audit

Overview

The Anti-Money Laundering and Countering Financing of Terrorism (AML/CFT) Act 2009 requires all reporting entities to have their risk assessment and AML/CFT programme audited every two years, or at any other time at the request of the relevant AML/CFT supervisor.


If your financial activities were captured by the AML/CFT Act before 30 June 2013 your first audit report was required by 29 June 2015. Your second independent audit was then required within two years from the first audit.

If your financial activities were established after 30 June 2013, you had two years from the date your financial activities were captured by the AML/CFT Act to have your first independent audit report completed.

Once an AML/CFT audit has been completed, you must undertake actions to remedy issues identified by your auditor. How you do this is up to you.

In your annual AML/CFT report to the Department you must state whether you have made the necessary changes to address issues raised in an audit report. We may also ask questions about the actions you have taken.

IMPORTANT – you do not need to submit your audit report to us unless we request to see it.

For more information on AML/CFT audits, please refer to Guidelines for audits of risk assessments and AML/CFT programmes.

Frequently asked questions

Where can I get more information?

You can contact us at
amlcft@dia.govt.nz for general AML/CFT queries. However, for any specific legal enquiries please consult your legal adviser.

The Department recently visited us to examine our AML/CFT compliance. Does that count as an AML/CFT audit?

No.

Exactly when do I need to have my audit completed?

That will depend on when your business was first captured under section 5 of the AML/CFT Act or additional Regulations.


As a general rule, if your business was carrying out activities captured by the Act/Regulations on or prior to 30/06/2013, your first independent audit was required by 29 June 2015. Your second independent audit was then required within two years from the first audit.

If your business did not begin carrying out activities captured by the AML/CFT Act until after 30/06/2013, your first independent audit was due within two years of the commencement of the relevant activity.

What do we mean by the phrase “audit required by”?

This is the date up to which the audit must review your AML/CFT programme. The audit work should be completed (i.e. the auditor should do their review/testing) by this date.

Does the Department have a list of recommended auditors?

No. The AML/CFT Act requires the auditor to be independent and suitably qualified.


Ideally the auditor should understand your industry, and have audit experience. It is imperative you are comfortable with the auditor you appoint as we may request that you provide evidence to demonstrate to us how your auditor is appropriately qualified.

The AML/CFT Act states that the person who conducts the audit must be independent, and not involved in the development of your risk assessment, or the establishment, implementation or maintenance of your AML/CFT programme.

Should I send my audit report to the Department?

Not unless we request it.

What is the difference between our own review, an independent audit, and a desk-based review (by Internal Affairs) of my risk assessment and AML/CFT programme?

  • Your own (internal) review is a process that you carry out to ensure that your risk assessment and AML/CFT programme are up to date and to help you identify and remedy any areas of deficiency;
  • The independent audit is to verify that your risk assessment identifies the money laundering/terrorist financing risks faced by your business, that you are keeping the assessment current, and that you are effectively determining the levels of risk faced by your business. In essence the independent audit of the risk assessment and AML/CFT programme is intended to check that you are implementing your programme effectively;
  • The desk-based review by Internal Affairs is to ensure that you have produced a risk assessment and AML/CFT programme that meet the requirements of the AML/CFT Act.