Who is the least-terrible AML compliance auditor I can hire?

It feels like you just wrapped your last round of AML compliance audits. Yet here you are, plugging keywords into the LinkedIn search bar, cruising for the next auditor to cringe about.

You don't need your audits to be fun, you just need them to:

  • Satisfy the regulator

  • Fit within your budget, and

  • Deliver a decently insightful opinion on the money laundering risk in your business.

AML auditors in New Zealand can be clustered into three categories that give you three options to achieve this.


Option 1: the bare minimum

If you dig in the dustier corners of AML consulting services, you’ll find a provider willing to sling you an AML audit for NZ$1500 or so. Expect it to involve a phone call, an online questionnaire, and an email requesting you send them a bunch of highly confidential customer files they’ll pretend to look at. They’ll spend 1.5 hours writing the audit report and it will look like it.

This is watery audit soup. Your goal is to get it down the hatch as quickly as possible. Regulators won't agree that it is robust enough to help you manage money laundering risks, but it is still technically an AML audit.

The danger with watery audit soup, however, is that should the regulators turn their spotlight on your business, an emaciated audit report will be as a red flag to their bull, encouraging them to charge harder at what your auditors didn't try to find. It could be used as evidence of your business' failure to effectively comply with the AML/CFT Act.

Option 1 is for those who can stomach the risk that they won't get found out.

Option 2: aggressive defence

If you’ve got a $50,000 audit budget, then there is a Big Four consulting firm ready to eat it up. They’ll sell you the expertise of the managing partner who read an article about AML one time, and march in the army of grads whose ability to rack up billable hours with no discernible outcome is diabolical and impressive. The audit report will have many words and many appendices and at least one (1) pie chart.

This is a vat of scalding audit soup that billows jargon and mumbo jumbo. This AML audit is not intended to be useful, it's intended to be intimidating.

Boards of directors love scalding audit soup because there's too much steam for anyone to be able to understand or verify its meaning. A surfeit of paraphrased legislation can cloud a regulator’s vision and provides indisputable evidence that money has been spent on compliance so you can’t say we’re not trying to be compliant and if you do it’s not our fault here wow feel the heat.

The danger with over-heated AML audits is that their brawn can obscure the true likelihood that dangerous money laundering activity is taking place - if your business is large enough to have a big audit budget, it's large enough to be riddled with shady customers and transactions. These insidious risks are more nuanced than an army of grads is able to identify and smothering their existence encourages them to multiply unseen.

Option 2 is for those who prioritise the theatre of compliance over true insight.

Option 3: temperate sustenance

Look, you're just here to get the AML audit job done, right? The soup doesn't need to be delicious or remarkable, just edible, affordable, and basically nutritious. You just want a decently competent AML auditor.

Budget for something less than $10,000 if you’re a smaller-more simple-lower risk business, and something less than $20,000 if you’re bigger-more complex-higher risk.

You can spot a decently competent AML auditor when:

  • They ask you screening questions about your industry, financial turnover, and customer base before getting you a quote and proposal. The inherent money laundering risk of your specific business must guide the auditor's specific process.

  • They can ELI5 what they will write in the audit report and what the impact of that audit report could be. You must be clear what a finding of 'compliance' or 'non-compliance' will actually mean for your business before you get them in writing.

  • Their audit project plan clearly records the billable hours, compliance audit expertise, and expected outcomes assigned to each stage. Question carefully any expensive customer file testing stages - these are a great way for steamy auditors to rack up the billable hours with few insightful results for you.

  • They invite you to speak to a recent client who has engaged with a regulator about the quality of the AML audit process and report. A competent auditor will have had indirect feedback on their audits from regulators, and be secure enough in their abilities and reputation to discuss it.

Ask your prospective AML auditor to get you these things, and you're on the road to getting a decently competent experience and outcome this time around.

Option 3 requires proactive scanning for signs of decent competency.


The least-terrible AML auditor you can hire is one who can describe and demonstrate what decent AML audit competency is. You are relying on them to get you a process that satisfies regulators, spends billable hours judiciously, and delivers something you could call useful insight.

Sturdy, lukewarm AML audit soup does the job.