Tranche 2 is not the hard part. Proving it is.

Most accounting firms will not fail AML CTF because they do not care. They will fail because they cannot show what they did, when they did it, who approved it, and how they keep it current.

This article is general information only, not legal advice. AUSTRAC guidance is the source of truth, and each firm remains responsible for ensuring its program is suitable, implemented, and maintained. See the AUSTRAC reform overview and AUSTRAC reforms guidance hub for official information.

---

The hidden workload most firms underestimate

Most firms imagine AML CTF as a set of documents. A policy. A procedure. A checklist.

The reality is that AML CTF becomes a living system inside your practice. It touches onboarding, engagement acceptance, ongoing client monitoring, staff training, and incident escalation.

The risk is not just missing a step. The risk is that you do the right thing, but you cannot prove it later because the evidence is scattered across emails, spreadsheets, and shared drives.

So the real question becomes:

Do we have a system that makes the right behaviour easy, repeatable, and provable?

---

What good looks like in plain language

A workable AML CTF setup for an accounting firm usually comes down to six building blocks:

1. Clear ownership - Who is accountable for the program, updates, and oversight.

2. A risk approach you can actually use - A practical way to rate clients and situations and decide what to do next.

3. KYC and verification workflows - Steps that match your services and your client types. See AUSTRAC customer identification and verification guidance and AUSTRAC KYC guidance.

4. Training and attestation - Everyone knows what to do, and you can evidence it.

5. Monitoring and review - A light but consistent cadence so the program stays current.

6. Evidence and audit readiness - So you can export what happened without panic.

If one of these is missing, firms usually compensate with manual effort. That works until it does not.

---

The 12 question readiness checklist

If you cannot answer these questions quickly, you are not ready yet. You might be doing the right things, but you are not set up to prove it.

Ownership and governance

1. Who is your AML CTF compliance owner, and is it recorded formally? Not just "everyone knows it is Sarah". A named role with responsibility. See AUSTRAC compliance officer guidance and AUSTRAC compliance officer reform guidance.

2. Can you show a simple schedule of program maintenance? For example, review dates, policy updates, training cycles, and monitoring checks.

3. Do you have a clear internal escalation path? If staff suspect something is off, do they know what to do, and can you evidence what happened?

Risk and controls

4. Do you have a documented risk assessment approach that fits your firm? It should account for your client base, service lines, delivery channels, and higher risk scenarios.

5. Are risks linked to controls and evidence? Risk is meaningless unless it links to what you actually do and how you prove it.

6. Can you explain, in one paragraph, what triggers enhanced customer due diligence in your firm? Enhanced customer due diligence means extra checks for higher risk clients.

KYC and client work

7. Is KYC built into your workflow, or is it a "nice to have"? If it is optional, it will be skipped under pressure.

8. Do you know when you need to update or repeat KYC checks? This is where firms drift. Initial onboarding is not the whole story.

9. Can you show a consistent record for each client assessment? Who assessed, what they assessed, the outcome, and supporting documents.

AUSTRAC's KYC and customer identification guidance is a good baseline reference when designing this. See AUSTRAC customer identification and verification guidance, AUSTRAC KYC guidance, and AUSTRAC customer identification and verification easy reference guide.

People and training

10. Can you evidence that staff were assigned AML CTF training, completed it, and attested to understanding? Completion is not the same as acknowledgement. You need both.

11. Do you have training evidence in one place, including new starters? New staff are where gaps appear, especially in busy periods.

Evidence and reporting readiness

12. If you had to produce an evidence pack tomorrow, could you do it in under an hour? Policies, procedures, versions, approvals, training logs, risk assessments, and key decisions.

Also consider whether you could complete an annual compliance report without a scramble, if and when it applies to your firm. See AUSTRAC compliance reports guidance.

---

Common failure points that show up in real firms

These are the patterns that create risk fast:

1. Policies exist, but nobody knows which version is current

2. Training happens, but there is no central record or attestation

3. Risk assessments are inconsistent across staff and offices

4. KYC documents live in client files, but the rationale lives in someone's head

5. Reviews are meant to happen but there is no reminder or register

6. Evidence is reconstructable, but only with days of manual work

None of these mean your firm is careless. They mean you are operating with tools that were not built for regulated evidence.

---

A simple routine that works

If you want a low stress way to run this, aim for a basic cadence:

1. Monthly: check outstanding training and any open incidents

2. Quarterly: sample check risk assessments for consistency and gaps

3. Six-monthly: refresh monitoring for higher risk clients where relevant

4. Annually: review and re-approve core policies, procedures, and your risk approach

The cadence matters less than the discipline. You are building consistency and proof.

---

Where software helps, and where it does not

Software will not make your judgement better. Your firm still owns the responsibility for suitability, implementation, and maintenance of its compliance program.

Software is useful for three things:

1. Making steps consistent

2. Making ownership visible

3. Making evidence easy to export

If your current approach relies on spreadsheets, email trails, and shared drives, you are relying on people to behave perfectly forever. That is not a strategy.

---

How to systemise this without adding admin

Nelvo is built to help accounting firms run AML CTF obligations as a living system, not a pile of documents.

In one place you can manage:

1. Obligations and reminders

2. Policies and procedures with version control and approvals

3. Training assignment, completion, and evidence

4. KYC and risk assessment workflows

5. Reporting support and exportable audit evidence packs

If you want a quick internal sanity check, run the 12 questions above with your team and note where you cannot produce evidence quickly. That gap is what you need to systemise.

If you want help, email our team at team@nelvo.com.au or book a short call and we will point you to the fastest path to close the gaps, whether you use Nelvo or not.

---

Want to make this checklist real inside your firm?

Start a Nelvo trial and load your obligations, policies, training, and risk workflow in one place.

- Start a trial
- Book a call
- Or email team@nelvo.com.au

---

Additional reading

- AML/CTF Reform overview
- Reforms guidance hub
- AML/CTF compliance officers (core guidance)
- AML/CTF compliance officer (reform guidance)
- Customer identification and verification (core guidance)
- Customer identification KYC page
- Customer identification and verification easy reference guide
- AUSTRAC compliance reports