AML CTF Program Template, Controls and Evidence Mapping for Accountants
Build an AML CTF program that is provable. Free program template, risk assessment workbook, controls and evidence map, registers, CDD templates, and record keeping checklist.
Last updated: 31 December 2025
If you want to prove compliance later, your AML CTF program cannot be a standalone document. It must be a system that links what you are required to do, what you designed, who owns it, and what evidence proves it happened.
---
Who this is for - Compliance owners who need an obligation to control to evidence chain - Partners who want a defensible, maintainable operating model - Firms who do not want shelfware policies
---
Related guides - Readiness toolkit and timeline - SMR reporting playbook
---
Table of contents
1. The compliance chain you must be able to show 2. Build sequence that avoids shelfware 3. Example: one control mapped to evidence 4. Common pitfalls that break evidence 5. Resources and downloads 6. How Nelvo can run this for you 7. FAQ 8. Sources
---
The compliance chain you must be able to show
You must be able to answer these four questions quickly:
1. What are we required to do? The obligation from legislation and AUSTRAC guidance. 2. What controls did we design to meet it? The specific procedure or check. 3. Who is responsible for running the controls? The owner with accountability. 4. What evidence proves the controls operated? The record that shows it happened.
---
Build sequence that avoids shelfware
Step 1: Risk assessment drives program settings Use the risk assessment workbook to set onboarding strength, enhanced due diligence triggers, training scope, and monitoring cadence.
Step 2: Convert risk into controls, then map controls to evidence Every control needs owner, cadence, evidence item, and evidence location.
Step 3: Use registers as your evidence backbone Registers are how you avoid the inbox problem. Every entry has a mandatory evidence location field.
Step 4: Write the program last Write the program after the workflows exist so the program matches reality.
---
Example: one control mapped to evidence
| Field | Example | |-------|---------| | Obligation area | Training | | Control ID | C003 | | Control description | Deliver AML CTF training to all staff and retain completion evidence | | Owner | AML CTF compliance officer | | Evidence item | Training register entry plus training deck and attendance proof | | Evidence location | SharePoint, Compliance, Training, FY26 Q4 | | Cadence | Annual, plus induction for new starters |
---
Common pitfalls that break evidence - Controls described in the program with no evidence item defined. If you do not define what proves the control ran, you will not collect it. - Registers exist but evidence location is optional, so nobody fills it. Make evidence location mandatory on every register entry. - No version control on the program and risk assessment, so approvals become unclear. Use clear version numbering and approval records.
---
Resources and downloads
Program build set - Risk assessment workbook (Excel) - Controls and evidence map (Excel) - AML CTF registers workbook (Excel) - Record keeping checklist (PDF) - AML CTF program template (Word)
CDD standardisation set - CDD decision trees (PDF) - CDD templates (Word)
---
How Nelvo can run this for you
A practical delivery model looks like this:
1. Complete the risk assessment with you and produce an approval pack 2. Build the controls and evidence map with real owners and cadence 3. Stand up registers and evidence repository rules 4. Draft the program so it matches the operating model 5. Implement a monthly monitoring rhythm and a quarterly partner pack
Outcome: the program is provable, not just written.
---
FAQ
What is the most common mistake firms make? Writing policy first. It creates a program that does not match reality and will not be maintained.
What is the simplest way to prove you trained staff? A training register plus stored copies of the training content and attendance evidence, with the evidence location recorded in the register.
How do we keep this lightweight? Define controls once, use registers to capture evidence, and schedule a review cadence that matches your risk.
---
Sources - AUSTRAC preparing for the changes if you are newly regulated - AUSTRAC record keeping - AUSTRAC record keeping checklist reform - AML CTF Act 2006
---
Important note
This guide is general information only. It is not legal advice. Tailor to your firm and obtain advice where needed.