Search
Close this search box.
Physical address

Unit E, Corinthian Office Park
17 Corinthian Drive, Albany 0632
Auckland, New Zealand

Get in touch with us

Send us a message

How to avoid the most common AML/CFT audit breaches

How to avoid the most common AML/CFT audit breaches

As many of you prepare for your next audit we wanted to share the most common audit findings from the last 12 months and provide recommendations and resources so that you can specifically review these areas before your audit commences.

Audit finding #1: Risk Assessment documentation is not kept up to date and does not contain version control.

  • Recommendation: Schedule regular reviews to ensure descriptions relating to key services are accurate and current. If nothing changes in the business e.g. no new products, services or risks identified then an annual review is fine. Otherwise you should conduct a review each time something changes e.g., a new product or the product is now offered online both of which create additional risk for the business that needs to be assessed and addressed.

    Remember to update the version numbers of key documents each time you conduct a review or make a change outside of your normal review date. This is usually done via a table on the front page where you record the date the change was made and the new version number. As an auditor we expect to be able to see when a review or change has taken place. 
  • Resources: Keep up to date with the current sector risk assessments:

    DIA
    Phase 1 Sector Risk Assessment DIA
    Phase 2 Sector Risk Assessment DIA

    FMA
    Sector Risk Assessment FMA

Audit finding #2: Dealing with customers in different countries without any assessment of their Money Laundering/Terrorism Financing risks.

Audit finding #3: Client due diligence (CDD) documentation – either not verified / certified or insufficient documents obtained.

  • Recommendation: Make sure that the staff who conduct CDD have the appropriate training and understand the requirements of the Amended Identity Verification Code of Practice (IVCOP). 
  • Resources: The IVCOP document below provides an outline of who can verify / certify and what documentation needs to be obtained: 

    Amended IVCOP

Audit finding #4: Failure to conduct politically exposed person (PEP) checks on all customers.

  • Recommendation: Run new customers through some sort of PEP technology check – this is something the supervisors expect you to do for all customers.
  • Resources: Some widely used PEP check tools are KYC360, MemberCheck, WorldCheck, Dimension GRC etc. These tools are specifically geared or designed for testing the PEP status of individuals. 

If you need help with any of the points listed above or have any questions regarding any aspect of your audit please don’t hesitate to contact the team . We are happy to answer your questions and point you in the right direction.

Strategi Institute Search
Popular search's

Subscribe and stay informed with Strategi's email newsletter

Subscribe and stay informed with Strategi's email newsletter

Download this resource

Disclaimer: By supplying this information, you agree to receive occasional email newsletters and other marketing from Strategi.

Download this resource

Disclaimer: By supplying this information, you agree to receive occasional email newsletters and other marketing from Strategi.

Download this resource

Disclaimer: By supplying this information, you agree to receive occasional email newsletters and other marketing from Strategi.