Introduction
Maintaining a robust risk management process is a mandatory requirement for every Australian reporting entity providing a designated service. Under Section 81 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act), a reporting entity must adopt and maintain an AML/CTF program. As per the current regime (pre-31 March 2026), Rule 8.6 (or Rule 9.6, where applicable) of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2007 (Cth) (AML/CTF Rules) requires that Part A of the AML/CTF program be subject to an independent review at regular intervals. These reviews are to ensure systems and controls effectively mitigate and manage money laundering and terrorism financing risks.
This guide provides a step-by-step roadmap for a compliance officer to navigate the independent review process, from initial scoping to final reporting to senior management and the governing body. By following a structured, risk-based methodology, your organisation can demonstrate that its policies and procedures are adequate to manage the specific level of risk it faces. This approach ensures that the review satisfies AUSTRAC’s expectations while promoting continuous improvement within the AML/CTF framework.
Phase 1: Scoping the Review & Defining Materiality
Establishing the Review Universe & Scope
Before any testing begins, the reviewer must establish a “review universe” to identify all elements of the AML/CTF program that may fall within scope under Rule 8.6 / Rule 9.6 of the AML/CTF Rules (Cth).
Under the current regime, the independent review applies to Part A of the AML/CTF program. Accordingly, scoping should begin by mapping all components of Part A and the relevant operational dimensions of the reporting entity.
A comprehensive review universe supports compliance with Rule 8.6.2 / Rule 9.6.2 of the AML/CTF Rules (Cth), which requires reviews to occur at intervals appropriate to the nature, size and ML/TF risk profile of the business.
The review universe is typically built across two key areas:
1. Program Components (Part A requirements): This includes foundational elements such as:
- The ML/TF risk assessment;
- Internal controls and risk mitigation measures;
- AML/CTF Compliance Officer appointment;
- Employee due diligence procedures;
- Ongoing AML/CTF training programs;
- Governance and oversight arrangements.
Part B (customer identification procedures) is not legally required to be independently reviewed under Rule 8.6 of the AML/CTF Rules (Cth). However, testing of Part B controls is commonly undertaken to assess whether Part A controls are operating effectively in practice.
2. Business Dimensions: This covers the operational aspects of your organisation that inform the ML/TF risk assessment, such as:
- Designated services provided, as defined in Section 6 of the AML/CTF Act (Cth);
- Delivery channels;
- Customer types;
- Geographic exposure and jurisdictions of operation.
The scope and depth of the review should be proportionate to the entity’s ML/TF risk profile, consistent with the risk-based framework embedded in Chapter 8 of the AML/CTF Rules (Cth).
Testing approaches should vary based on risk levels:
- High-risk areas, such as complex products or manual controls, will require larger samples and more detailed walkthroughs.
- Low-risk areas may receive more limited testing.
Setting Materiality Thresholds to Assess Findings
Although the AML/CTF Act (Cth) and AML/CTF Rules (Cth) do not prescribe formal materiality thresholds, establishing documented criteria for classifying findings is considered best practice and supports defensibility under AUSTRAC’s supervisory framework in Part 15 of the AML/CTF Act (Cth). This is a critical step that determines when a control weakness or gap escalates into a significant issue.
These thresholds classify findings by their potential impact, that is, the seriousness of the harm that could occur if the risk materialises. Defined thresholds help ensure that the review focuses on what matters most to your organisation’s compliance and risk management.
Findings are typically categorised into three levels:
- Major Finding: This is the most serious category and is usually triggered by a significant control failure. Examples include a direct breach of the AML/CTF Act (Cth) or its associated rules, a systemic breakdown of a key control, or a repeated failure that exposes the business to money laundering or terrorism financing risk.
- Moderate Finding: This category applies when a control exists but is not consistently applied or has notable documentation gaps. For instance, a policy may be well-designed, but staff do not follow it consistently, or there are issues with how systems and controls are relied upon.
- Minor Finding: These are issues that do not have a direct impact on risk management. This category often includes administrative errors, formatting issues in documentation, or other minor deficiencies that do not compromise the effectiveness of your systems and controls.
AUSTRAC’s recommended risk matrix and risk score give the most weight to major and moderate findings.
Phase 2: The Desktop Review & System Walkthroughs
Desktop Review: Policies & Risk Assessments
This phase of the independent review focuses exclusively on testing the design effectiveness of your AML/CTF program. It is a thorough document-based analysis that assesses whether your written policies and procedures, on paper, meet the requirements of Section 81 of the AML/CTF Act (Cth). Importantly, no transactions are tested at this stage.
The reviewer will examine a range of key documents to ensure they are current, tailored to your organisation, and defensible. This process verifies that your documented controls align with the identified money laundering and terrorism financing risks. Key documents under review typically include:
- The enterprise-wide ML/TF risk assessment
- Product, service, and channel risk assessments
- The customer risk rating methodology
- AML/CTF Program Part A (mandatory review scope)
- AML/CTF Program Part B (not legally required to be independently reviewed, but often examined to test implementation of Part A controls)
- Know Your Customer (KYC) and enhanced due diligence procedures
- Suspicious Matter Report (SMR) procedures
- Governance charters and relevant board minutes
- Staff training materials
If the design of the program fails at this stage, any subsequent testing of its operational effectiveness becomes largely irrelevant. The desktop review confirms that the foundational elements required under the AML/CTF Act (Cth) and AML/CTF Rules (Cth) are present in your documentation before moving on to practical testing.
System Walkthroughs: Testing AML & CTF Technology
Following the desktop review, the focus shifts from documentation to how controls operate in practice. While the AML/CTF Act (Cth) and AML/CTF Rules (Cth) do not prescribe specific technological standards, reporting entities must maintain systems capable of meeting their statutory obligations, including suspicious matter reporting under Section 41, threshold transaction reporting under Section 43, and record-keeping under Section 107 of the AML/CTF Act (Cth). Reviewers also examine whether technological controls are capable of supporting your AML/CTF obligations in practice, and not just on paper.
System walkthroughs are conducted to test how your AML/CTF controls actually operate within your software and technology environment. The objective is to assess whether the technology supporting your AML/CTF program aligns with your documented Part A controls and ML/TF risk assessment.
These walkthroughs involve a hands-on evaluation of your AML software and automated controls. The reviewer will trace processes from end-to-end to assess both the design and initial operating effectiveness of your technology stack. This includes examining:
- Transaction Monitoring Systems: The logic behind monitoring scenarios, the rationale for transaction thresholds, the history of rule tuning, and the process for alert generation and escalation.
- Customer Risk Engines: The inputs and weightings used for risk scoring, the events that trigger a change in a customer’s risk rating, and whether these ratings are dynamic or static.
- Screening Tools: The logic used for matching against Politically Exposed Persons (PEP) and sanctions lists, procedures for handling false positives, the frequency of list updates, and the cadence of ongoing screening.
To create a clear audit trail, these walkthroughs must be documented with evidence such as:
- Screenshots
- System logs
- Flow diagrams
- Detailed reviewer notes
Phase 3: Designing the Sampling Framework & Determining Sample Sizes
Creating a Risk-Based Sampling Framework
An effective independent review relies on a sampling framework with a clear and defensible logic. While AUSTRAC does not prescribe a specific methodology, the review must be documented and based on your AML/CTF risk profile. The goal is to select representative samples that provide adequate coverage of your organisation’s activities and controls, proportionate to the nature, size, and complexity of the business.
Your sampling framework should be designed to test different aspects of your AML/CTF program. Key sample types to include are:
- Customer Samples: This involves selecting a range of customer files to test customer due diligence processes. Samples should be stratified by risk level, including low, medium, and high-risk customers, as well as PEPs and those subject to enhanced due diligence. The objective is to test the practical implementation of Part A controls and customer due diligence procedures (linked to Part B implementation).
- Transaction Samples: These samples are used to assess whether transaction monitoring controls are functioning consistently with documented risk settings and capable of supporting suspicious matter reporting obligations. Selections should focus on transactions that pose a higher ML/TF risk, such as high-value transfers, unusual patterns of activity, cross-border payments, and potential structuring behaviours.
- Alert Samples: Reviewing alerts generated by your transaction monitoring system is crucial. This should include a mix of closed alerts, escalated alerts, and false positives to assess the quality of investigations and internal decision-making by your compliance team.
- Suspicious Matter Report (SMR) Samples: It is important to test your SMR process, to ensure compliance with Section 41 of the AML/CTF Act (Cth) and to avoid issues such as the tipping-off offence. This includes reviewing SMRs that were filed with AUSTRAC to check for timeliness and accuracy, as well as instances of suspicious activity that did not result in a report.
Determining Appropriate Sample Sizes
AUSTRAC does not mandate specific sample sizes or require statistical sampling. However, your organisation must use a defensible, risk-based logic to determine the number of items to test.
The sample size should be sufficient to allow the reviewer to draw reliable conclusions about the effectiveness of your systems and controls. Sample sizes should be proportionate to:
- The entity’s ML/TF risk exposure.
- Transaction volumes.
- Control complexity.
- Prior review findings or known weaknesses.
In industry common practice, sample size ranges often seen in Australian independent reviews include:
- Customer files: Typically between 20 and 60 files.
- High-risk customers: A higher proportion, sometimes 100% of a small population or a minimum of 10 files.
- Alerts: Anywhere from 25 to 100 alerts, depending on volume and system complexity.
- Transactions: Generally between 30 and 100 transactions.
- SMRs: It is common practice to review all SMRs filed within the review period.
Sample sizes should increase where controls are manual rather than automated, where previous independent reviews identified deficiencies, where there is heightened ML/TF risk exposure, or where there is evidence of potential systemic weakness.
Documenting the sampling rationale strengthens the defensibility of the independent review under AUSTRAC’s supervisory powers in Part 15 of the AML/CTF Act (Cth).
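The stratified, risk-based selection described in this phase can be made reproducible and self-documenting. The following Python script is an added illustration, not code from the article or from AUSTRAC: it builds a per-stratum plan (full population or a floor of 10 files for high-risk customers and PEPs, roughly 10% with a floor of 5 for other bands, with uplifts for manual controls and prior deficiencies), draws the files with a fixed seed, and records the rationale for each stratum. The customer population, the percentage, the floors and the 1.5x uplift multipliers are constructed assumptions for the example, not figures the article prescribes.

```python
"""Risk-based sample selection for an AML/CTF independent review.

Added illustration (not from the article). Draws a stratified, reproducible
sample of customer files and records the rationale for each stratum so the
selection can be defended later. Population data and tuning parameters are
constructed for the example.
"""
import random
from dataclasses import dataclass, field

# Constructed population: (customer id, risk band). A real review would read
# this from an export of the customer risk engine.
CUSTOMERS = (
    [(f"C{i:04d}", "low") for i in range(1, 201)]
    + [(f"C{i:04d}", "medium") for i in range(201, 261)]
    + [(f"C{i:04d}", "high") for i in range(261, 269)]
    + [(f"P{i:04d}", "pep") for i in range(1, 5)]
)


@dataclass
class StratumPlan:
    band: str
    population: int
    sample_size: int
    rationale: list[str] = field(default_factory=list)


def plan_stratum(band, population, manual_controls=False, prior_deficiency=False):
    """Decide how many files to test in one risk band and record why.

    Assumed rules for the example: high-risk and PEP strata are tested in full
    when the population is 10 or fewer, otherwise at least 10 files; other
    strata get ~10% with a floor of 5. Manual controls and prior deficiencies
    each apply an assumed 1.5x uplift. The result is capped at the population.
    """
    plan = StratumPlan(band, population, 0)
    if band in ("high", "pep"):
        n = population if population <= 10 else max(10, population // 4)
        plan.rationale.append("high-risk stratum: full population if <= 10, else >= 10 files")
    else:
        n = max(5, population // 10)
        plan.rationale.append("low/medium stratum: ~10% of population, minimum 5 files")
    if manual_controls:
        n = round(n * 1.5)
        plan.rationale.append("uplift: control is performed manually")
    if prior_deficiency:
        n = round(n * 1.5)
        plan.rationale.append("uplift: deficiency noted in prior review")
    plan.sample_size = min(n, population)
    return plan


def build_plans(customers, uplifts):
    """Count each band in the population and plan every stratum.

    `uplifts` maps a band to keyword flags for plan_stratum, e.g.
    {"medium": {"manual_controls": True}}.
    """
    counts = {}
    for _, band in customers:
        counts[band] = counts.get(band, 0) + 1
    return [plan_stratum(band, counts[band], **uplifts.get(band, {})) for band in sorted(counts)]


def draw_sample(customers, plans, seed=2024):
    """Select files per stratum with a fixed seed so the draw can be re-performed."""
    rng = random.Random(seed)
    selected = {}
    for plan in plans:
        pool = sorted(cid for cid, band in customers if band == plan.band)
        selected[plan.band] = sorted(rng.sample(pool, plan.sample_size))
    return selected


if __name__ == "__main__":
    plans = build_plans(CUSTOMERS, {"medium": {"manual_controls": True}})
    for p in plans:
        print(f"{p.band}: {p.sample_size} of {p.population} -> {'; '.join(p.rationale)}")
    for band, ids in draw_sample(CUSTOMERS, plans).items():
        print(band, ids)
```

Keeping the seed and the plan output in the work papers means the same selection can be regenerated later, which is the kind of substantiation the sampling rationale is meant to provide.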
Phase 4: Control & Competency Testing
Design Effectiveness vs. Operating Effectiveness
A critical distinction in any independent review is the difference between design effectiveness and operating effectiveness. These two concepts assess different aspects of your AML/CTF program.
Design effectiveness testing asks whether a control, if followed correctly, would successfully mitigate the identified money laundering or terrorism financing risk.
For example, a policy that requires enhanced due diligence for all PEPs is considered well-designed if it:
- Identifies triggering events.
- Specifies additional verification steps.
- Requires appropriate approval or escalation.
This is typically assessed during the desktop review of your documentation.
Operating effectiveness testing, however, examines whether that same control is actually being performed consistently and correctly in practice.
Following the previous example, the reviewer would test whether enhanced due diligence was actually triggered when required, properly documented, and reviewed and approved as per internal controls. While the AML/CTF Act (Cth) and AML/CTF Rules (Cth) do not expressly use the terms “design” and “operating effectiveness,” the purpose of the independent review is to assess whether Part A is functioning effectively in managing ML/TF risk. In practice, this requires evidence of operating effectiveness and not merely well-drafted documentation.
Live Transaction Testing: Tracing End-to-End Processes
Live transaction testing is one of the most powerful methods for assessing the operational effectiveness of your systems and controls, particularly for SMR obligations. This technique involves selecting a transaction and tracing its entire journey through your organisation’s AML/CTF framework to see how it is handled from start to finish.
This end-to-end trace directly answers the core question: “Could you reasonably detect and report suspicion?” The process typically involves tracking a transaction through the following stages:
- Initiation: The transaction occurs and enters your systems.
- Monitoring: The transaction monitoring system flags the activity for review, or fails to do so.
- Alert Generation: An alert is created for an analyst to investigate.
- Investigation: An analyst reviews the alert and documents their findings and decision-making process.
- Escalation & Reporting: A decision is made on whether to file an SMR, which is then lodged with AUSTRAC within the required timeframe prescribed under Section 41 of the AML/CTF Act (Cth).
A failure at any point in this chain can expose a significant vulnerability in your ability to manage money laundering and terrorism financing risk, and almost always leads to major findings in a review.
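The end-to-end trace above can be re-performed over system extracts so that every break in the chain is recorded per transaction. The following Python script is an added example, not the article’s or any vendor’s code: it takes constructed extracts from a transaction monitoring system, an alert queue, an investigation log and an SMR register, follows each sampled transaction through the stages listed above, and returns the gaps found (scenario met but not flagged, flagged but no alert, alert without an investigation record, decision without documented reasoning, decision to report without an SMR, or an SMR lodged late). The `deadline_days` value is a parameter for the example, measured here from the analyst’s decision date; it is not a statement of the statutory period under Section 41.

```python
"""End-to-end trace of sampled transactions through the monitoring -> alert ->
investigation -> SMR chain.

Added illustration, not from the article. All records are constructed; the
reporting deadline is an assumed parameter, not the statutory period.
"""
from datetime import date, timedelta

# Constructed extracts as a reviewer might receive them from four systems.
# "meets_scenario" is the reviewer's own re-performance of the documented
# monitoring rule; "flagged" is what the system actually did.
TRANSACTIONS = [
    {"txn_id": "T1", "date": date(2025, 3, 3), "meets_scenario": True, "flagged": True},
    {"txn_id": "T2", "date": date(2025, 3, 4), "meets_scenario": True, "flagged": True},
    {"txn_id": "T3", "date": date(2025, 3, 5), "meets_scenario": True, "flagged": False},
    {"txn_id": "T4", "date": date(2025, 3, 6), "meets_scenario": True, "flagged": True},
    {"txn_id": "T5", "date": date(2025, 3, 6), "meets_scenario": False, "flagged": False},
]
ALERTS = [
    {"alert_id": "A1", "txn_id": "T1", "created": date(2025, 3, 3)},
    {"alert_id": "A2", "txn_id": "T2", "created": date(2025, 3, 4)},
    {"alert_id": "A4", "txn_id": "T4", "created": date(2025, 3, 6)},
]
INVESTIGATIONS = [
    {"alert_id": "A1", "decision": "report", "decided": date(2025, 3, 5), "notes": "structuring pattern"},
    {"alert_id": "A2", "decision": "close", "decided": date(2025, 3, 5), "notes": ""},
    {"alert_id": "A4", "decision": "report", "decided": date(2025, 3, 7), "notes": "unusual cross-border flow"},
]
SMRS = [
    {"alert_id": "A1", "lodged": date(2025, 3, 7)},
    {"alert_id": "A4", "lodged": date(2025, 3, 14)},
]


def trace_transaction(txn, alerts, investigations, smrs, deadline_days):
    """Follow one transaction through each stage; return the list of gaps found."""
    if not txn["flagged"]:
        # Monitoring stage: the rule should have fired but did not.
        return ["monitoring did not flag activity that meets a documented scenario"] if txn["meets_scenario"] else []
    alert = next((a for a in alerts if a["txn_id"] == txn["txn_id"]), None)
    if alert is None:
        return ["monitoring flagged activity but no alert was generated"]
    inv = next((i for i in investigations if i["alert_id"] == alert["alert_id"]), None)
    if inv is None:
        return ["alert generated but no investigation record"]
    gaps = []
    if not inv["notes"]:
        gaps.append("investigation decision not supported by documented reasoning")
    if inv["decision"] == "report":
        smr = next((s for s in smrs if s["alert_id"] == alert["alert_id"]), None)
        if smr is None:
            gaps.append("decision to report but no SMR lodged")
        elif smr["lodged"] - inv["decided"] > timedelta(days=deadline_days):
            gaps.append("SMR lodged after the assumed reporting deadline")
    return gaps


def trace_sample(transactions, alerts, investigations, smrs, deadline_days=3):
    """Trace every sampled transaction; result maps txn_id -> list of gaps."""
    return {
        t["txn_id"]: trace_transaction(t, alerts, investigations, smrs, deadline_days)
        for t in transactions
    }


def count_exceptions(trace):
    """Number of sampled transactions with at least one gap, for the findings summary."""
    return sum(1 for gaps in trace.values() if gaps)


if __name__ == "__main__":
    result = trace_sample(TRANSACTIONS, ALERTS, INVESTIGATIONS, SMRS)
    for txn_id, gaps in result.items():
        print(txn_id, "OK" if not gaps else "; ".join(gaps))
    print("exceptions:", count_exceptions(result), "of", len(result))
```

Each gap string maps to one stage of the trace, so the output can be dropped straight into the testing work papers as the evidence behind a finding, and the reviewer’s re-performance of the scenario (`meets_scenario`) is what distinguishes a monitoring failure from a transaction that simply was not in scope.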
Staff Competency Interviews: Assessing Training Effectiveness
Staff interviews are not informal chats; they are formal control tests designed to assess the effectiveness of your AML/CTF training program and the overall compliance culture within the organisation. These conversations verify whether employees truly understand their responsibilities in mitigating money laundering and terrorism financing risk.
Reviewers often use an “interview map” to structure these tests, targeting different roles with specific questions relevant to their duties. This ensures a comprehensive assessment across your business.
- Frontline Staff: May be tested on their understanding of KYC procedures and how to identify red flags during customer onboarding.
- Analysts: Could be asked about their logic for handling alerts and the process for escalating suspicious activity.
- Compliance Officer / MLRO: May be questioned on oversight mechanisms, escalation thresholds, governance awareness, and monitoring of controls.
While the AML/CTF Act (Cth) does not prescribe interview testing, material inconsistencies in responses or a demonstrated lack of understanding are often treated as operating effectiveness failures, as they indicate weaknesses in training effectiveness or governance oversight. This may result in poor implementation of policies and procedures by the people responsible for them.
Phase 5: Managing Evidence & The Audit Trail
Establishing an Evidence Room & Index
To streamline an independent review and reduce “audit fatigue,” it is essential to create a centralised repository for all evidence. Often referred to as an “Evidence Room,” this is typically a secure digital data room where all documentation requested by the reviewer is stored and organised.
Furthermore, an evidence index that mirrors the structure of your AML/CTF program should be used to categorise the evidence logically. This organised approach prevents back-and-forth requests and ensures the process is efficient for your compliance officer and the reviewer.
While the AML/CTF Act (Cth) does not prescribe an “evidence room” concept, reporting entities are subject to record-keeping obligations under Part 10 of the AML/CTF Act (Cth). Maintaining organised review materials also supports the entity’s ability to demonstrate compliance to AUSTRAC in any supervisory engagement.
The evidence room should contain a comprehensive collection of materials to support the review, including:
- Version-controlled documents, such as your AML/CTF Program and risk assessment.
- Sample tracking sheets for customer files and transactions.
- Screenshots and system logs from technology walkthroughs.
- Interview notes and transcripts from staff competency tests.
- Copies of prior independent review reports and remediation trackers (where applicable).
Documenting the Review’s Audit Trail
Every step of the independent review must be meticulously documented to create a traceable audit trail. This process is effectively a “review of the review,” ensuring that all testing, work papers, and conclusions are supported by clear evidence.
The AML/CTF Act (Cth) and AML/CTF Rules (Cth) do not prescribe specific “work paper” formats, but a defensible audit trail supports the credibility of the independent review and assists in demonstrating compliance if AUSTRAC requests substantiation of methodology or findings.
If the regulator asks how a conclusion was reached, the answer must already exist in writing within the audit trail. This trail should include:
- Testing work papers detailing the procedures performed.
- The rationale for selecting specific samples and the logic behind sample sizes.
- The reviewer’s documented conclusions for each area tested.
- A clear record of all evidence examined during the assessment.
Phase 6: Finalising the Review Workflow & Remediation Plan
Navigating the Draft Report & Management Response Period
The draft report is a crucial collaborative step, not the final verdict. Its primary purpose is to validate the factual accuracy of the reviewer’s findings before the report is finalised.
This phase provides an opportunity for management to:
- Offer context for any identified issues.
- Provide evidence that may have been overlooked during testing.
- Confirm whether conclusions accurately reflect operational realities.
An exit meeting is typically held to present preliminary findings, ensuring there are no surprises for the compliance officer or senior management. Following this, the draft report is issued, initiating the management response period, which usually lasts between one and four weeks.
During this time, your organisation can formally respond to each finding by outlining:
- The root cause.
- Proposed remediation actions.
- Target completion dates.
Creating a Final Report & RACI Remediation Roadmap
Once the management response period concludes, the reviewer incorporates your feedback and issues the final report. This documented report must be provided to senior management and your governing body.
It typically includes:
- An executive summary.
- The scope and methodology of the review.
- Risk-weighted findings and recommendations.
- Details of the sample sizes used in testing.
Although the AML/CTF Act (Cth) and AML/CTF Rules (Cth) do not prescribe a specific remediation format, documenting corrective actions supports effective governance and demonstrates that the reporting entity is maintaining its AML/CTF program.
To turn findings into an actionable plan, a remediation roadmap is created, often using a Responsible, Accountable, Consulted, Informed (RACI) matrix. This framework clarifies roles and responsibilities for addressing each issue:
- Responsible: The person or team who will perform the work.
- Accountable: The individual who owns the outcome and signs off on the completion.
- Consulted: Subject-matter experts who provide input.
- Informed: Stakeholders who are kept up-to-date on progress.
This roadmap assigns clear ownership and deadlines for each remediation action. It strengthens governance oversight and reduces exposure under AUSTRAC’s supervisory and enforcement powers.
Presenting Findings to the Board & Risk Committee
The final step in the review workflow is presenting the findings to your organisation’s board or a dedicated risk committee.
This is a critical, though often overlooked, element of good governance that demonstrates leadership accountability for the AML/CTF framework. While the AML/CTF Act (Cth) does not impose personal liability on board members for the independent review itself, governance oversight forms part of maintaining an effective AML/CTF program.
This presentation ensures that senior leadership is fully aware of the health of the AML/CTF program, any significant vulnerabilities, and the resources required for remediation. Board discussion should focus on:
- Material findings;
- Root causes of systemic weaknesses;
- Remediation timelines and risk exposure.
Documented board engagement strengthens the entity’s ability to demonstrate that AML/CTF risk management is actively overseen at senior levels.
Conclusion
A structured independent review, encompassing everything from scoping and control testing to reporting and remediation, is fundamental for any Australian reporting entity. This methodical approach ensures your organisation not only meets its obligations under the AML/CTF Act (Cth) but also transforms the review into a valuable tool for continuous improvement of its systems and controls.
To ensure your risk management process is robust, defensible and aligns with AUSTRAC’s recommendations, leverage the specialised expertise of our AML/CTF lawyers at Click Legal. Contact our AML independent review lawyers at Click Legal today to discuss how our tailored services can help your organisation confidently mitigate and manage its money laundering and terrorism financing risk.