SURVIVING AN AML/CFT AUDIT - R + A's TOP TIPS:

Many New Zealand law firms are now subject to the AML/CFT Act.  Those law firms are required to engage an independent auditor to complete a statutory audit of their AML/CFT programme by 30 June 2020.  For most law firms, this will be their first statutory audit under the AML/CFT Act and, understandably, many do not know what to expect from their AML/CFT auditor, and the audit process in general.

Undergoing an AML/CFT audit can be a stressful time for law firms, or any reporting entity.  We have been busy with AML/CFT audits, advice and Ministerial exemption applications over the past six months. We have noticed that there are a few common mistakes that reporting entities make with their AML/CFT processes.  The good news is, there are simple ways that law firms can improve their experience with the audit regime.  Even better, implementing these improvements should improve compliance throughout your organisation, and save money!

We have put together our “top 10 tips” for getting the most out of your AML/CFT audit – we hope they are helpful! 

1.  Review your risk assessment and compliance programme

In general, it is expected that the risk assessment and compliance programme are reviewed regularly, and particularly after any changes in the business which may need to be reflected in those documents. 

In reality, many law firms may not review their risk assessment and compliance programme as often as they should.  Reviewing these documents before engaging an auditor is a great opportunity to rectify any out of date procedures, as well as checking that all your policies are fit for purpose.  This will help your auditor, and can improve your audit outcomes.

2.  Use version control

When making those changes to your risk assessment and compliance programme, ensure you save each separate version as a new version of the document, with the version clearly dated. 

In addition, make sure all the superseded versions are saved and accessible in your AML/CFT file.  Otherwise, your auditor won’t be able to see that you are regularly reviewing the compliance programme and risk assessment – and this is something they will be looking for!

3.  Make sure your files are in order

Most auditors will review a sample of your client files as part of their process.  You can make their lives easier, and ensure a more positive outcome for your firm, if you take the time to organise the relevant client files before giving them to the auditor for review.  Make sure the file-opening checklist (if your firm has one), your client’s instructions, and evidence of the due diligence procedures conducted are there for your auditor to see.

4.  Be careful with your SAR information

Many firms will have filed, or considered filing, a suspicious activity report (SAR).  Hopefully you are aware that there is a limited number of persons to whom disclosure of SAR information is permitted – please see section 46 of the AML/CFT Act if you are unsure.  Disclosure of SAR information to other persons is an offence under the Act. 

Section 46 does not permit disclosure of SAR information to your auditor, so make sure any SAR information is removed from client files that the auditor may review, and do not give the auditor access to your SAR register. 

5.  Choose your auditor carefully

The AML/CFT Act is largely silent about who may conduct independent audits.  Because of this, AML/CFT auditing is a growth industry at the moment, with many consultants offering audit services despite having no history with the AML/CFT regime.  The AML/CFT Act places the onus on the reporting entity to select an auditor who is independent and appropriately qualified.

The Department of Internal Affairs (DIA) may ask you to justify your selection of auditor, so make sure you engage a firm with a deep understanding of the legal industry and the AML/CFT regime. 

6.  Make sure your staff are up to date with any recent changes in your compliance programme

Most auditors will conduct interviews with the compliance officer, a “senior manager” (normally the partner or partners who supervise the compliance officer in their role), and a limited number of staff who perform AML/CFT duties (i.e., solicitors).  While the compliance officer generally lives and breathes AML, the interviews with staff are often where any disconnection between the written compliance programme and its implementation in practice is revealed to the auditor.

There’s a lot to be gained by having a refresher training shortly before your audit begins.  You should be having regular AML/CFT trainings anyway – so kill two birds with one stone.  Key issues for staff to be on top of are:

  • The firm’s policies on exceptions;

  • When to conduct enhanced due diligence; and

  • The definition of politically exposed person/PEP.

7.  Find and update all your registers

Compliance with the AML/CFT Act requires the keeping of several registers, including an exceptions register, a PEP register, a training register, and a SAR register.  Allowing your auditor to review these (with the exception of the SAR register – see above!) will save a lot of time and demonstrate your proficiency with the AML/CFT regime. 

Have these registers been updated recently?  Now is a good time to check!

8.  Review your previous audit report or review outcomes

Most law firms will be preparing for their first audit. However, if your firm has already been audited, or been subject to a desk-top review (or on-site inspection) by the DIA, make sure that any recommendations from the audit or review are being implemented.  At the very least, you can design a plan for implementation before your independent audit begins.

9.  Consider a pre-audit review

If reading this list is making you nervous, your organisation might benefit greatly from a pre-audit review.  In a pre-audit review, a reporting entity’s policies and procedures are evaluated and tested, just as they would be in an audit.  You can then work with the reviewer to address any weaknesses or gaps which are revealed, before the statutory audit.  Unlike a negative audit result, a negative review result will not have to be disclosed to the Department of Internal Affairs in your annual report.  

Pre-audit reviews can also help if there are any internal issues being faced by the compliance officer dealing with a firm's lawyers, or in specific practice areas.

Over the long term, a pre-audit review can save your law firm a significant amount of time and money.

10.  Don’t panic!

Undergoing the scrutiny of an AML/CFT audit is understandably stressful for any business. 

We think of audits as an opportunity to “spring clean” AML/CFT processes and to ensure they are as robust as possible. A good AML/CFT auditor should work collaboratively with you, while retaining their independence, so that the ultimate result of the audit is a useful document your firm can use as a blueprint for improvement.  As long as your organisation is prepared to make any necessary changes, an audit should be a positive, not scary, experience!



We would love to hear from you if you have any questions about audits.  If you are yet to appoint your auditor for the current audit cycle, or you would like a pre-audit review, please get in touch with us.  Schedule your audit well before the 30 June 2020 deadline!

Neil Russ

Alexandra Tunnicliffe

February 2020
