Compliance | 11 min read

Compliance Audit Checklist: Preparation Guide

Complete compliance audit checklist for AML/CTF regulatory audits in Australia. Steps, required documents

CheckFile Team

A compliance audit checklist is a structured document that maps every regulatory requirement against your firm's controls, evidence, and remediation status. For Australian reporting entities, this means aligning with the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act) and the AML/CTF Rules, both administered by AUSTRAC, and, for financial services licensees, ASIC's Regulatory Guide 104 and APRA's prudential standards. Without one, you are relying on institutional memory, and regulators have no patience for that.

In 2020 the Federal Court ordered Westpac to pay an AUD 1.3 billion penalty, in proceedings brought by AUSTRAC, for over 23 million contraventions of the AML/CTF Act, and AUSTRAC has continued enforcement action against reporting entities across the banking, gambling and remittance sectors (AUSTRAC Enforcement Actions). Our platform's analysis of over 2.4 million verified documents across 85+ enterprise clients shows that firms with continuous audit readiness achieve a 99.2% compliance rate during regulatory reviews, compared with significantly lower pass rates for firms relying on periodic manual preparation. Many of these enforcement actions traced back to gaps that a well-maintained audit checklist would have caught months before an assessment.

This guide provides a working compliance audit checklist built around KYC and AML obligations, the document verification steps that most firms get wrong, and practical preparation strategies for passing regulatory audits. For a broader view of the regulatory framework, see our comprehensive guide to regulatory compliance.

What is a compliance audit?

A compliance audit is a formal examination of whether a firm's policies, procedures, and controls meet the requirements set by its regulators. In Australia, this covers AUSTRAC obligations for reporting entities, ASIC requirements for AFS licensees, APRA prudential standards for ADIs and insurers, and ATO compliance for tax obligations.

Compliance audits can be internal or external. Internal audits are conducted by your own compliance team or an appointed third party. External audits are carried out by the regulator itself (AUSTRAC's compliance assessment team, for instance) or by external auditors fulfilling statutory obligations under the Corporations Act 2001.

The critical difference from a financial audit: compliance audits test the design and operating effectiveness of controls, not just whether the numbers add up. An AUSTRAC assessor will ask whether your customer identification procedures actually catch high-risk customers, not merely whether you have an AML/CTF program filed somewhere.

The compliance audit checklist: core components

Every compliance audit checklist for an Australian reporting entity should cover seven areas. The table below maps each area to its primary regulatory source and the evidence an auditor expects.


Audit area | Key regulation/guidance | Evidence required
Governance and oversight | AML/CTF Act s 81; AML/CTF Rules Ch 8 (Parts 8.4-8.5, board oversight and compliance officer); APRA CPS 510 | Board minutes, compliance reports, AML/CTF Compliance Officer appointment
Customer identification (Part B) | AML/CTF Act ss 28-35; AML/CTF Rules Ch 4 | KYC records, identification procedures, customer risk assessments
Ongoing customer due diligence (Part A) | AML/CTF Act s 36; AML/CTF Rules Ch 15 | Transaction monitoring reports, enhanced CDD files
Suspicious matter reporting | AML/CTF Act s 41; tipping-off s 123 | SMR logs, AUSTRAC submissions, internal escalation records
Record keeping | AML/CTF Act Part 10 (ss 107-112) | 7-year retention evidence, data access logs
Staff training | AML/CTF Rules Ch 8 (Part 8.2, AML/CTF risk awareness training program) | Training records, competency assessments, attendance logs
Risk assessment | AML/CTF Rules Ch 8 (Part 8.1, ML/TF risk assessment) | ML/TF risk assessment, customer risk scoring methodology

This structure aligns with AUSTRAC's compliance guide for reporting entities, which remains the primary reference for AML/CTF compliance in Australia.

How to prepare for a regulatory compliance audit

Preparation starts at least 90 days before an expected audit. Firms that treat audit readiness as a continuous process, rather than a scramble triggered by an AUSTRAC notification, consistently perform better.

Step 1: Conduct a gap analysis against current regulations

Map every applicable regulation to a specific internal control, owner, and evidence source. AUSTRAC's guidance on AML/CTF programs provides a useful framework. Start with your ML/TF risk assessment under the AML/CTF Rules and work outward.

Assign each gap a severity rating: critical (regulatory breach), high (control weakness), or medium (documentation gap). Critical gaps need remediation before the audit, not during it.

Step 2: Verify your KYC and customer identification records

Customer identification record quality is the single most common area where audits uncover deficiencies. Our internal data across 32 jurisdictions shows that identity document errors account for the majority of CDD failures, a pattern that holds regardless of firm size or geographic focus. Incomplete customer files, outdated identification documents, and missing enhanced due diligence for high-risk relationships account for a disproportionate share of findings.

Pull a sample of customer files (at least 10% or 50 files, whichever is greater) and check each against your Part B customer identification procedures. Confirm that identification documents are current, that source-of-funds evidence exists for higher-risk customers, and that periodic reviews have been completed on schedule. Our guide on KYC identity verification best practices covers the specific checks in detail.

Step 3: Test your transaction monitoring

Run your transaction monitoring system against known typologies. AUSTRAC expects reporting entities to demonstrate that their monitoring rules are calibrated to their ML/TF risk profile, not simply set to vendor defaults.

Review your suspicious matter report (SMR) filing record. Under section 41 of the AML/CTF Act, failure to report a suspicious matter is a civil penalty provision. Auditors will check not just that SMRs were filed, but that the decision-making process behind each filing (or decision not to file) is documented.

Step 4: Confirm training records are complete

Every member of staff in a relevant role must have documented AML/CTF training appropriate to their function: Part A of a standard AML/CTF program must include an AML/CTF risk awareness training program (AML/CTF Rules, Chapter 8, Part 8.2). Auditors frequently request training completion records going back two years, including evidence of competency testing, not just attendance.

Ensure your training programme covers current typologies, including trade-based money laundering, digital currency risks, and emerging threats identified in AUSTRAC's Strategic Analysis reports.

Step 5: Prepare your document pack

Assemble the following before the auditor arrives:

  • ML/TF risk assessment (current version, approved by senior management)
  • AML/CTF program (Part A and Part B, current versions)
  • Compliance monitoring plan and most recent report
  • Customer file sample (ready for review)
  • SMR register and tipping-off controls
  • Training completion records with assessment scores
  • Policies and procedures (customer identification, enhanced CDD, PEP screening, sanctions screening)
  • Board or committee minutes showing compliance oversight
  • Remediation tracker for any previous audit findings


Document verification: the most common audit failure point

CheckFile.ai's analysis of 2,400 verification cases shows that 34% of compliance failures occur at the document verification stage, made up of expired documents (18%), uncertified copies (9%), and missing documentation (7%). This makes document verification the single largest category of compliance failure, ahead of both transaction monitoring gaps and training deficiencies.

The pattern is consistent across firm sizes. Expired identity documents slip through when periodic review cycles are manually tracked. Uncertified copies accumulate when customer-facing staff accept photographs of documents without following certification requirements. Missing documentation, typically proof of address or source-of-funds evidence, reflects onboarding processes that allow accounts to be opened before all required documents are collected.

Automated document verification addresses all three failure modes. Expiry date extraction flags documents approaching or past their validity period. Authenticity checks detect altered or fabricated documents that manual review misses. Completeness checks ensure every required document type is present before a customer file is marked as compliant.

For firms still relying on manual document checks, the maths is straightforward: a single AUSTRAC enforcement action costs more than years of automated verification. CheckFile.ai's identity verification solution processes documents in seconds and flags the exact issues (expired, uncertified, missing) that cause audit failures.

Continuous compliance vs. point-in-time audits

AUSTRAC's supervisory approach has shifted decisively towards continuous compliance. Rather than periodic inspections alone, the regulator now expects reporting entities to demonstrate ongoing adherence through real-time monitoring, regular self-assessments, and proactive remediation.

This means your compliance audit checklist is not a document you dust off once a year. It should be a living tool, updated whenever regulations change, reviewed quarterly at minimum, and integrated into your compliance monitoring programme.

Firms subject to APRA's CPS 220 Risk Management face additional requirements around operational risk management that must be folded into the compliance framework. Similarly, firms deploying AI in their compliance processes should prepare for explainability requirements that regulators are increasingly testing during audits.

For a deeper understanding of AML-specific obligations and how they interact with your broader compliance programme, our article on anti-money laundering obligations breaks down the requirements by firm type.

What documents are needed for a compliance audit?

The exact documentation depends on your regulatory permissions and firm type, but the following covers the baseline for most AUSTRAC-regulated reporting entities:

  • Governance: AML/CTF Compliance Officer appointment, board terms of reference, compliance committee charter
  • Policies: AML/CTF program (Part A and Part B), sanctions screening policy, privacy policy
  • Risk assessments: ML/TF risk assessment, customer risk assessment methodology, product/service risk assessments
  • Operational records: Customer files with identification evidence, transaction monitoring alerts and dispositions, SMR filings
  • Training: Annual training plan, completion records, competency assessment results
  • Reporting: AML/CTF Compliance Officer reports to senior management, compliance monitoring reports, incident logs

Every document should carry a version number, an owner, and a review date. Auditors treat undated policies as a red flag: it suggests no regular review cycle exists.


This article is for informational purposes only and does not constitute legal, financial, or regulatory advice. Consult a qualified professional for guidance specific to your situation. Australian organisations should seek advice tailored to their obligations under AUSTRAC, ASIC, APRA and the OAIC.


FAQ

What is included in a compliance audit checklist?

A compliance audit checklist includes governance and oversight controls, customer identification records (Part B), ongoing customer due diligence evidence (Part A), transaction monitoring evidence, suspicious matter reporting logs, staff training records, record-keeping compliance, and the ML/TF risk assessment. Each item maps to a specific provision of the AML/CTF Act or AML/CTF Rules, with an assigned control owner and evidence source.

How long does it take to prepare for a regulatory compliance audit?

Most firms need 60 to 90 days of focused preparation for a full regulatory audit, assuming core policies and procedures are already in place. If significant gaps exist (missing risk assessments, incomplete customer files, or outdated policies), allow six months. Firms practising continuous compliance can typically be audit-ready within two weeks of notification.

What happens if you fail a compliance audit?

The consequences depend on severity. Minor findings result in a remediation plan with a deadline, typically 30 to 90 days. Serious failings can trigger enforcement action by AUSTRAC, including civil penalty proceedings (for a body corporate, up to 100,000 penalty units per contravention; the dollar value of a penalty unit is indexed, so check the current figure), enforceable undertakings, remedial directions, or infringement notices. In cases involving systemic AML/CTF failures, AUSTRAC may seek court orders. ASIC can also take action against AFS licensees for compliance failures.

How often should a compliance audit checklist be updated?

At minimum, quarterly, and immediately whenever relevant regulations change. AUSTRAC publishes regulatory guidance, typology reports, and compliance guidance throughout the year, any of which may require updates to your controls and checklist. Subscribe to AUSTRAC's news and updates to catch changes as they are published.

Can automated document verification help pass a compliance audit?

Yes. Automated verification directly addresses the most common audit failure point: document-level errors. By checking expiry dates, document authenticity, and file completeness at the point of onboarding, automation eliminates the manual gaps that cause 34% of compliance failures. It also produces an auditable trail that demonstrates the control was applied consistently across every customer, which is exactly what regulators want to see.


Ready to close the document verification gap before your next audit? Explore CheckFile.ai's verification plans and see how automated checks reduce your compliance exposure from day one.
