Introduction
Maintaining a robust anti-money laundering and counter-terrorism financing (AML/CTF) program is a vital obligation for Australian reporting entities under Section 81 of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) (AML/CTF Act). Further, Rule 8.6 / Rule 9.6 of the Anti-Money Laundering and Counter-Terrorism Financing Rules 2007 (Cth) (AML/CTF Rules) requires that Part A of the AML/CTF program be subject to an independent review at regular intervals appropriate to the nature, size, and ML/TF risk profile of the business.
As the Australian Transaction Reports and Analysis Centre (AUSTRAC) shifts toward an outcomes-based approach, financial institutions and Tranche 2 entities must move beyond simply having a compliance program to proving that their risk management strategies actually work. This guide provides a practical evidence checklist to help your compliance officer and team prepare for an independent review, support customer due diligence (CDD) processes under the AML/CTF Act (Cth), and ensure your AML/CTF program is audit-ready and defensible.
Day 1 Readiness for AML/CTF Independent Review
Core Program & Risk Assessment Documents
An independent reviewer conducting a review under Rule 8.6 / Rule 9.6 of the AML/CTF Rules (Cth) will typically request a core set of documents to begin their assessment. Having these prepared in an organised folder creates a smooth start to the audit process. These documents form the foundation of your AML/CTF compliance framework.
Your initial bundle should include:
- Current AML/CTF Program (Part A & Part B): Provide the most recent approved version of your program. As the independent review requirement applies to Part A of your AML/CTF program, ensure this component is clearly identifiable. Including prior versions covering the review period helps demonstrate program maintenance over time, consistent with Section 81 of the AML/CTF Act (Cth).
- ML/TF Risk Assessment: This document underpins Part A of your AML/CTF program. It maps your identified ML/TF risks to the specific controls you have in place to mitigate them.
- Last Independent Review Report: Supplying the previous review report, along with evidence of how you addressed its recommendations, demonstrates to the reviewer that you have a process for governance oversight and continuous improvement.
Governance Documents & Your Evidence Register
Alongside your core program, reviewers need to see how your compliance framework is governed and organised. These documents demonstrate that your AML program is actively managed and that you can efficiently locate evidence of your compliance activities.
While the AML/CTF Act (Cth) does not prescribe specific governance artefacts, maintaining documented oversight supports compliance with Section 81 of that Act and strengthens defensibility under AUSTRAC’s supervisory powers in Part 15 of that Act.
Key governance and organisational documents include:
- Organisational Chart: This chart should clearly show the role of the AML/CTF Compliance Officer required under Rule 8.5.1 of the AML/CTF Rules (Cth). It should also clearly identify their reporting lines to demonstrate sufficient seniority and direct access to the board or senior management.
- AML/CTF Compliance Officer Profile: Although the current AML/CTF regime does not impose an explicit statutory “fit and proper” test, the appointed officer must be capable of performing the role required under Rule 8.5.1 of the AML/CTF Rules (Cth). Including a resume or professional profile of your appointed compliance officer helps prove their “fit and proper” status for the role.
- The Evidence Register: A master index, often in a spreadsheet format, is crucial for an efficient audit. This register should link every AML/CTF obligation to the specific file, document, or log that serves as proof of compliance. While not mandated by the AML/CTF Act (Cth), it assists in demonstrating compliance with record-keeping obligations under its Part 10 and independent review documentation requirements under Rule 8.6 / Rule 9.6 of the AML/CTF Rules (Cth).
Proving Governance & Senior Management Oversight
Using Board Minutes to Demonstrate Oversight
An independent reviewer will look for proof that your board and senior management are actively engaged in overseeing the AML/CTF compliance framework.
The AML/CTF Act (Cth) does not prescribe a specific format for board engagement. However, the independent review must be provided to senior management and the governing body under Rule 8.6.6 / Rule 9.6.6 of the AML/CTF Rules (Cth). Accordingly, board minutes often serve as primary evidence that AML/CTF compliance is actively overseen at a governance level.
To effectively demonstrate senior management oversight, your meeting minutes should document key activities, including:
- Program and Risk Assessment Approval: Formal approval of the latest versions of your AML/CTF program (Part A) and ML/TF Risk Assessment, often confirmed with digital signatures or a clear resolution.
- Discussion of Risks and Compliance Reports: Records of discussions on specific ML/TF risks, trends in suspicious matter reports (SMRs) under Section 41 of the AML/CTF Act (Cth), and the review of monthly or quarterly compliance reports from the Compliance Officer.
- Review of Audit Findings: Evidence that the board has reviewed findings from previous independent reviews and has overseen the progress of any required remediation plans.
- Strategic Decisions: Documentation of key decisions related to the compliance framework, such as budget approvals for compliance tools, approval of the training plan, or defining the company’s risk appetite.
While not explicitly mandated by statute, documented board engagement strengthens defensibility under AUSTRAC’s supervisory and enforcement powers in Part 15 of the AML/CTF Act (Cth).
Defining Roles with an Ownership & RACI Matrix
Clearly defining who is responsible for each compliance task is crucial for preventing gaps and demonstrating a well-managed program. A Responsible, Accountable, Consulted, Informed Matrix (RACI matrix) is a simple yet powerful tool for documenting these roles.
A RACI matrix is a best practice rather than a statutory requirement, as the AML/CTF Act (Cth) does not mandate it. However, clearly documenting role allocation supports effective maintenance of the AML/CTF program and assists in evidencing governance maturity during an independent review.
A well-structured RACI matrix ensures there is no confusion about ownership. For instance, while a compliance team member might be responsible for day-to-day tasks, a senior manager or CEO is ultimately accountable for ensuring the obligation is met.
Your RACI matrix should cover all critical AML/CTF functions, such as:
- Document Gathering: Assigning responsibility for collecting and organising evidence for the independent review.
- KYC File Sampling: Defining who is responsible for preparing Customer Due Diligence (CDD) files for the reviewer. This is linked to implementation of Part B of your AML/CTF program.
- Board Minutes Retrieval: Clarifying who is tasked with providing relevant board meeting records, as well as ensuring independent review reports and compliance updates are escalated appropriately.
- Technology and Vendor Proof: Designating ownership for assembling contracts and logs from third-party technology providers.
Customer Due Diligence & KYC Evidence
Organising Individual & Entity KYC Sample Files
Under the current framework, customer identification obligations are set out in Part 2 of the AML/CTF Act (Cth). A reporting entity must document its customer identification procedures in Part B of its AML/CTF program, as required under the AML/CTF Rules (Cth).
Although the independent review requirement only applies to Part A of the AML/CTF program, reviewers commonly examine customer due diligence (CDD) files when testing operational effectiveness. In practice, reviewing CDD files provides evidence of whether Part A controls, including the ML/TF risk assessment and risk-based procedures, are functioning as intended. Accordingly, your Know Your Customer (KYC) files should demonstrate compliance with those obligations.
To prepare for this, your KYC evidence should be organised into separate, clear protocols for individual clients and corporate entities. This ensures every file is easy to retrieve and understand.
Verification date-stamps are crucial to prove that identification occurred before you provided any designated services, as required under Section 32 of the AML/CTF Act (Cth) (subject to limited exceptions such as delayed verification under the AML/CTF Rules (Cth)).
For individual customer files, you should be prepared to present:
- Proof of Identity: This includes copies of identification documents like passports or driver’s licenses, or verification certificates from electronic sources.
- Verification Records: Evidence confirming the customer’s full name, date of birth, and residential address.
- Screening Results: Timestamped logs showing that you have screened the individual against lists for Politically Exposed Persons (PEPs) and sanctions.
- Risk Rating: A documented risk rating (e.g., low, medium, high) with a clear rationale for the assessment.
When assembling files for entities such as companies or trusts, your compliance checklist should include:
- Corporate Documents: Recent company searches from ASIC or registry extracts, along with trust deeds or partnership agreements where applicable.
- Beneficial Ownership Information: A high-resolution organisational chart or a register that identifies the ultimate beneficial owners (UBOs) and controlling people.
- Verification of Individuals: Proof that you have verified the identity of the beneficial owners and other individuals who control the entity.
EDD Evidence for High-Risk Customers
Customers who are flagged as high-risk require Enhanced Due Diligence (EDD), which involves collecting additional evidence to mitigate the increased ML/TF risk, in compliance with Chapter 8 of the AML/CTF Act (Cth).
You must have a dedicated file for each high-risk customer which documents the extra steps taken. This includes the trigger for applying EDD, such as their PEP status or connection to a high-risk jurisdiction.
Key evidence for an EDD file includes documented proof of the customer’s source of wealth (SoW) and source of funds (SoF).
This documentation provides clarity on the origin of the customer’s overall assets and the specific funds used for transactions. Examples of acceptable evidence include:
- Bank statements
- Payslips
- Contracts of sale
- Letters from financial advisors or accountants
If your Part A controls require senior management approval for onboarding or retaining higher-risk customers, this approval should be documented (e.g., email approval or formal sign-off). While the AML/CTF Act (Cth) does not mandate a specific approval format, documenting escalation supports defensibility.
Documenting Your Technology Stack & Verification Sources
If your business relies on a technology stack for identity verification, you are responsible for proving that these systems and vendors are independent and reliable. Under the AML/CTF framework, outsourcing does not transfer statutory liability.
The reviewer may want to see clear documentation of the tools you use to perform CDD and screening.
You should maintain a folder with key evidence related to your technology and verification partners. This includes:
- Vendor Contracts: Agreements with third-party electronic verification providers.
- Verification Certificates: “Match/No Match” certificates or reports generated by your electronic verification service.
- System Logs: API logs or system screenshots that provide an audit trail of verification checks being performed.
- Integration Specifications: A brief document explaining how your technology integrates with verification sources to prove it functions reliably.
Although the AML/CTF Act (Cth) does not mandate specific software solutions, the reporting entity must be able to demonstrate that its systems support compliance with statutory obligations.
Demonstrating Ongoing Monitoring & Reporting Compliance
Evidencing Action with Transaction Monitoring Logs
An independent reviewer will need to see proof that your transaction monitoring system is not just active but effective.
While the AML/CTF Act (Cth) does not mandate a specific “transaction monitoring system,” reporting entities must maintain systems capable of identifying suspicious matters and complying with reporting obligations under Section 41 of that Act.
It is therefore insufficient to merely document monitoring procedures in Part A. The reporting entity must be able to provide evidence that alerts are investigated and resolved in accordance with its AML/CTF program.
Messy or non-existent logs are a common reason for reporting entities to fail a review. Your compliance checklist must include detailed transaction monitoring logs that create a clear audit trail.
Key documents to prepare include:
- Alert Logs: Maintain a complete list of every alert generated by your system, whether manual or automated, detailing the date, the customer involved, and the specific rule or reason that triggered the alert.
- Adjudication Evidence: For every alert, you must document the investigation process and the outcome, including disposition notes explaining why an alert was cleared or why it was escalated.
- Proof of Action: Timestamps are crucial for demonstrating that alerts were reviewed and actioned in a timely manner, including evidence of review by the AML Compliance Officer or senior management for escalated alerts.
- System Logic Documentation: Keep a record of the threshold rules and logic your transaction monitoring system uses, along with a short memo explaining why these rules are appropriate for your specific ML/TF risk.
Proof of AUSTRAC Reporting (IFTIs & TTRs)
Reporting entities must retain records of all mandatory reports submitted to AUSTRAC, including the following under the AML/CTF Act (Cth):
- Suspicious Matter Reports (SMRs) as per Section 41
- Threshold Transaction Reports (TTRs) as per Section 43
- International Funds Transfer Instructions (IFTIs) as per Section 45
Record-keeping requirements for these reports are set out in Part 10 of the AML/CTF Act (Cth), including retention periods.
An independent reviewer will expect to see documentation evidencing that reports were lodged and retained appropriately.
To ensure you can provide this evidence, your compliance team should maintain an organised file containing:
- Submission Receipts: The most important evidence is the confirmation receipt generated by AUSTRAC Online after a report is filed, which should be saved as PDFs or emails for easy retrieval.
- Copies of Submitted Reports: Retain a copy of every report you submit, including SMRs, IFTIs and TTRs for cash transactions of $10,000 or more, and annual compliance reports.
- A Reporting Register: It is best practice to keep a master log that tracks all reports submitted to AUSTRAC, including the report type, submission date, the customer involved, and any relevant submission metadata.
Although it is not a statutory mandate to keep a “reporting register,” maintaining one supports defensibility in any supervisory engagement under Part 15 of the AML/CTF Act (Cth).
Documenting Key Compliance Obligations
Staff Training & Competency Records
Under Chapter 8 of the AML/CTF Rules (Cth), Part A must include an AML/CTF risk awareness training program for employees. The program must be appropriate to the nature, size, and ML/TF risk profile of the reporting entity. An independent reviewer will assess whether your AML/CTF program includes and implements an effective staff training program.
Your compliance files should therefore contain evidence demonstrating that training obligations are implemented in practice and retained in accordance with Part 10 (record-keeping) of the AML/CTF Act (Cth).
To demonstrate an effective training program, you should maintain the following evidence:
- Training Materials: Keep a copy of the specific slide decks, videos, or manuals used for training, ensuring they are version-controlled to prove they were relevant for the period under review.
- Attendance Records: Use attendance sheets, sign-in logs, or digital records from a Learning Management System (LMS) to show which staff members, including senior management, completed the training and on what date.
- Competency Proof: Document the results of quizzes or assessments, which prove that staff achieved a passing grade, typically 80% or higher.
- Remedial Training: You should also record any remedial training provided to those who did not pass.
- Induction Logs: Maintain records showing that new hires were trained on their AML/CTF obligations before they began handling customer accounts or designated services.
Although the AML/CTF Act (Cth) does not prescribe a specific training format, failure to implement the documented Part A training program may amount to non-compliance with its Section 81 and Chapter 8.
Outsourcing Agreements & Third-Party Due Diligence
If your business outsources any part of its AML/CTF functions, such as KYC verification or transaction monitoring, you remain accountable for any failures by your vendors. The AML/CTF Act (Cth) does not permit delegation of reporting obligations under:
- Part 2 (Customer Identification)
- Section 41 (Suspicious Matter Reporting)
- Section 43 (TTRs)
- Section 45 (IFTIs)
- Part 10 (Record-keeping)
Accordingly, reviewers will expect to see robust evidence of due diligence and clear contractual agreements with these third-party providers.
Your compliance framework must include documentation that proves you are actively managing these relationships. Key items to have on file include:
- Outsourcing Agreements: Maintain written, legally binding contracts or service-level agreements (SLAs) that explicitly detail the vendor’s AML/CTF responsibilities, your right to audit their work, and data security protocols.
- Initial Due Diligence: Keep records of the due diligence you performed before engaging a provider, such as reviewing their SOC2 reports, privacy policies, and compliance certifications.
- Annual Reviews: Provide evidence that you conduct periodic checks, at least annually, to ensure your vendor is still performing to the required standard and meeting their contractual obligations. While the AML/CTF Act (Cth) does not prescribe an annual review requirement, maintaining periodic oversight supports defensibility.
Safe Redaction for Staff & Client Privacy
When providing evidence to an independent reviewer, particularly concerning SMRs under Section 41 of the AML/CTF Act (Cth), it is crucial to protect sensitive personal information and manage confidentiality carefully. Improper disclosure of SMR information may engage the offence provisions relating to “tipping off” under Section 123 of the AML/CTF Act (Cth).
You must have a clear process for redacting documents safely. The goal is to demonstrate your compliance process without unnecessarily exposing private data.
Your redaction policy should ensure you can provide the necessary evidence while protecting privacy. Best practices include:
- Focus on the Process: When sharing SMR evidence, redact details that identify whether a report was filed with AUSTRAC. Instead, provide internal logs or de-identified case notes that show how a suspicion was escalated and investigated.
- Protect Personal Information: Redact personal identifiers of staff and clients that are not relevant to the review, such as last names, phone numbers, or home addresses, especially from training logs or internal reports.
- Maintain a Redaction Log: Keep a record of what information was redacted, the reason for the redaction, and who performed it.
- Secure Originals: Always work from copies and keep the unredacted original documents in a secure, restricted-access folder.
Common Gaps & Missing Evidence
Independent reviews often identify gaps not because controls are absent, but because evidence is not retained. Proactively closing these gaps can prevent negative findings and demonstrate a mature compliance framework. Many of these missing items relate to processes that occur infrequently but must still be documented.
To avoid being caught out, ensure your compliance checklist includes these often-overlooked artefacts:
- Employee Due Diligence: While the current AML/CTF Act (Cth) does not impose a general statutory “fit and proper” test for staff, keeping records of the background and police checks conducted on employees in sensitive roles, like the AML/CTF Compliance Officer, supports governance defensibility.
- Internal Suspicion Logs: Even if you have never filed an SMR, you must be able to show the internal process for how a staff member would escalate a suspicion to the compliance officer.
- Rejected Customer Records: Maintain proof of customers you decided not to onboard due to AML/CTF concerns, as this demonstrates that your risk-based controls are being applied.
- Management Response to Prior Independent Reviews: Document how your senior management and board have responded to recommendations from previous independent reviews, including a tracker showing the progress of remediation plans.
How Evidentiary Expectations Will Change After 31 March 2026
From 31 March 2026, the shift from an “independent review” to an “independent evaluation” under Section 26F(4)(f) of the amended AML/CTF Act 2006 (Cth) and the AML/CTF Rules 2025 (Cth) will materially raise evidentiary expectations.
Under the current framework (Rule 8.6 / 9.6 AML/CTF Rules (Cth)), the focus is largely on demonstrating that Part A exists, is documented, and is subject to periodic review. Evidence typically centres on policies, sample testing, and governance minutes.
Post-31 March 2026, evidentiary requirements will shift toward proving effectiveness, not just existence.
Key changes include:
- Consolidated AML/CTF program: The current independent review technically applies only to Part A of the AML/CTF program, and CDD testing is used as practical evidence of control operation. From 31 March 2026, the distinction between Part A and Part B is removed, and CDD controls become embedded within the effectiveness-based independent evaluation framework under Section 26F of the amended AML/CTF Act 2006 (Cth).
- Mandatory minimum frequency: Independent evaluations must occur at least once every 3 years, meaning documented evaluation cycles and forward planning will be required.
- Explicit evaluation framework in policies: Reporting entities must specify in their AML/CTF policies how independent evaluations are conducted and how findings are addressed.
- Documented updates within 14 days: If AML/CTF policies are updated following findings, the updated program must be documented within 14 days (Rule 5-15(2) AML/CTF Rules 2025 (Cth)).
- Effectiveness-based testing: Evidence will need to demonstrate outcome-based control performance, for example:
  - How risk assessment methodology was validated.
  - How proliferation financing risk was assessed and mitigated.
  - Whether monitoring thresholds are demonstrably calibrated to the entity’s ML/TF risk profile.
- Clear linkage between risk assessment and controls: Evaluators will expect to see documented logic mapping risk assessment outputs to specific operational controls.
- Stronger remediation tracking: Evidence will need to show not only that findings were identified, but that remediation was implemented and tested for effectiveness.
In practical terms, reporting entities will have to move from maintaining an “evidence folder” to maintaining a defensible control performance record, including documented rationale, data analytics outputs, system tuning history, escalation evidence, and post-remediation validation.
The 2026 AML/CTF reforms do not merely increase documentation; they increase the standard of proof. Reporting entities will need to demonstrate that their AML/CTF program works in practice, not simply that it is documented.
Conclusion
A successful AUSTRAC independent review requires organising a comprehensive evidence bundle that proves your AML/CTF compliance framework is effective. This includes everything from core program documents and board minutes to detailed CDD files, transaction monitoring logs, and staff training records.
Navigating these detailed requirements can be complex, but you do not have to manage it alone. For trusted expertise in preparing for your independent review and ensuring your business operations meet all compliance obligations, contact Click Legal’s specialist AML/CTF independent review lawyers to request a consultation today.