FINANCE AND BANKING / by Miguel Gallardo Guerra
A major error in compliance is assuming that the AML/CFT Audit Report is a flexible or free-format document. In reality, the Guidelines for preparing the Audit Report clearly specify its contents, structure, and the expected level of technical support.
An incomplete, generic, or poorly structured report significantly increases regulatory risk, even when the entity has formally implemented policies and controls.
Purpose of the Audit Report
The Audit Report aims to assess effective compliance with applicable AML/CFT Provisions and to provide the entity with objective information to identify deficiencies, implement corrective measures, and enhance its prevention system.
Similarly, the report serves as a crucial input for the supervisory processes conducted by the National Banking and Securities Commission, making its content and technical quality essential.
Basic framework of the Audit Report
According to the Guidelines, a thoroughly supported AML/CFT Audit Report should contain at least the following elements:
- Planning and scope of the audit
The reviewed period, audit scope, and criteria for execution should be detailed, including the applied methodology and risk-based approach.
- Work plan
The auditor should outline the work program executed, the tests conducted, and the audit procedures used to evaluate compliance with AML/CFT obligations.
- Review outcomes
The report should clearly indicate whether the entity adheres to the obligations outlined in the Provisions, specifying whether the entity:
  - complies,
  - mostly complies,
  - partially complies, or
  - fails to comply.
This pronouncement should be duly supported by objective evidence.
- Relevant audit matters
The most relevant aspects identified during the review should be outlined and detailed, especially those posing significant risks to the entity.
- Findings, recommendations, and corrective actions
The report should include a specific section outlining the identified findings, along with the proposed recommendations and corrective actions to address them, including, if applicable, the responsible parties and implementation deadlines.
- Auditor’s conclusions
Finally, the auditor needs to provide clear findings on the overall condition of the AML/CFT system and its effectiveness, considering the business model, identified risks, and the level of compliance observed.
Importance of technical support
An AML/CFT Audit Report cannot be limited to general descriptions or transcripts of internal policies. Each conclusion must be supported by sufficient, relevant, and traceable evidence obtained from documentary review, substantive testing, and risk analysis.
The lack of sufficient technical support frequently leads to regulatory comments, extra information requests, or heightened scrutiny from the authority.
Conclusions
A well-structured and technically supported AML/CFT Audit Report not only fulfills a formal obligation but is also a key tool for risk management and prevention of regulatory contingencies.
Ensuring the report aligns with the applicable Guidelines is an essential step to reduce risks, anticipate observations, and strengthen the entity’s compliance system.

For more information write to us at:
mgallardo@bgbg.mx