Interpreting the audit timeframe extension

14 JUL 2021

The compulsory audit period has now been extended to three years – BUT only for those whose audit is due after 9 July 2021. If your audit was due before 9 July 2021 and was not booked in, then you are now technically non-compliant. Read on for a high-level summary of how these changes apply to your business and, most importantly, the additional business risks that you should consider before moving to a three-year cycle.

Audit due after 9 July?

(Including those undertaking their first-ever audit.)

You can now move to a 3-year cycle.

Read our recommendation below before making a decision.

Audit due and completed before 9 July?

You can now move to a 3-year cycle.

Read our recommendation below before making a decision.

Audit due before 9 July but not yet completed?

2-year timeframe still applies. You can only move to a 3-year cycle once your audit has been completed.

Technically you are now non-compliant.

If a reporting entity was due to have an audit undertaken before 9 July 2021 (but has not yet done so), the law states that the two-year timeframe for this audit still applies. If the reporting entity was due to have an audit prior to 9 July 2021 but has not done so, it is non-compliant with the law and its audit obligations.

  • Despite this non-compliance, DIA guidance issued on 3 December 2020 provided DIA-supervised entities some supervisory lenience. This guidance explicitly stated that reporting entities with audits due between January 2021 and July 2021 would not be subject to any adverse compliance action if they did not complete an audit by the original deadline. This was conditional on the reporting entity acting in good faith and completing their audit within the three-year deadline (i.e. 1 January 2022 for real estate agents), or three years from the date of their last audit or the date they became a reporting entity.
  • If a reporting entity supervised by either the FMA or RBNZ had an audit due before 9 July 2021 and has not completed the audit, it is non-compliant with the law. Neither the FMA nor RBNZ released any guidance confirming the DIA’s lenient approach would be taken for non-compliant entities under their supervision. These reporting entities should complete their audits as soon as possible or seek clarification from the relevant supervisor that no adverse compliance action will be taken against them. Reporting entities supervised by FMA or RBNZ should not rely on the DIA’s guidance and assume they will not be subject to adverse consequences in relation to any non-compliance with audit timeframes.

If a reporting entity is due to have an audit undertaken after 9 July 2021, the next audit will be due three years from the date of the last audit (rather than two years). For example, if the reporting entity’s last audit was 10 July 2019 and it was due to have its next audit on 10 July 2021, the new three-year time-period will apply. The reporting entity will now be required to undertake an audit by 10 July 2022, three years after the date of the last audit.

If the reporting entity hasn’t yet had an audit and its first audit date was due after 9 July 2021, the reporting entity’s first audit date will now be due three years after the date it became a reporting entity (rather than two).

Reporting entities will need to update their AML/CFT programmes to account for this changed timeframe and ensure they arrange to complete their independent audit well in advance of their next audit deadline. It’s likely the supervisors will strictly enforce these timeframes and will not be lenient if a reporting entity has been given an additional year but has still not arranged their audit in time.

Due to the default timeframe being automatically extended, some reporting entities will be at increased risk of ML/FT, and of non-compliance with the AML/CFT Act. Independent audits are a crucial tool for many reporting entities to identify and remedy weaknesses and gaps in their processes. For reporting entities that are already struggling and non-compliant with the law, this additional year before their next audit may provide an opportunity for criminals seeking to launder money or finance terrorism through their business, and an increased risk to the business if the supervisor inspects their business and finds non-compliant practices. 

Our recommendation

We recommend that businesses that have not yet completed their first audit, businesses whose risks have significantly changed since their last audit, and businesses that had significant issues raised in their last audit arrange their audit within a two-year (rather than three-year) time period. This will provide assurance as to whether their AML/CFT risk assessment and programme are operating effectively.

Once the audit confirms compliance with the Act, then from a business risk perspective, it’s a good decision to move to a three-year audit cycle.

Whether you’re reading this as a business manager, a compliance officer or, more importantly, a director, you must make sure you are meeting your audit obligations, and if you’re not, then get a plan in place now. The team at Strategi Compliance can help you regardless of where you are at in your audit cycle.

The Strategi Compliance Guidance Note: AML/CFT Regulation Amendments provides detailed commentary on the issue.