AML/CTF · Accountants

AUSTRAC Audit-Ready: AML/CTF Compliance Records for Australian Accounting Firms 2026

Published 4 May 2026Last reviewed May 20265 min readBy Paul Wise

There's a difference between a firm that has AML/CTF compliance and a firm that can prove it. When AUSTRAC comes asking, only the second kind matters. The reforms don't just require accounting practices to do the work — they require you to evidence it, and to keep that evidence for years.

Here's what an audit-ready accounting practice looks like, and what an AUSTRAC reviewer actually expects to see.

Why documentation is the obligation

AUSTRAC supervises through education, but also through monitoring, information requests and examinations. When it reviews a reporting entity, it isn't looking for a feeling that you take compliance seriously — it's looking for records. Compliance you can't produce on request is, for practical purposes, compliance you can't demonstrate.

Reporting entities must make and keep AML/CTF records — generally for seven years — covering their program, their customer due diligence, their reporting, and their decision-making. Treat record-keeping not as an afterthought but as the obligation that proves all the others.

What an AUSTRAC reviewer typically asks for

While every review is different, an inspection of a professional-services firm commonly looks for:

  • Your AML/CTF program — your current ML/TF risk assessment and your AML/CTF policies, with evidence of senior-management approval.
  • Risk assessment reviews — a dated history showing the assessment has been kept current, not written once and shelved.
  • CDD files — identity verification and beneficial-ownership records for clients, and evidence that enhanced due diligence was applied where it should have been.
  • SMR history — records of suspicious matters considered and reported, with the reasoning, kept confidentially.
  • Staff training records — who was trained, on what, and when.
  • Your compliance officer — evidence of the appointment and that the role is actually being performed.
  • Independent evaluation — confirmation that your program is scheduled for independent evaluation within the required timeframe (newly regulated firms generally have until no earlier than 1 July 2029 for their first one).
The recurring theme: not just that you did something, but a dated, retrievable record of it.

What goes wrong

Patterns visible in AUSTRAC's published enforcement outcomes are instructive. The failures that attract action tend to be systemic: programs that existed on paper but weren't followed, risk assessments that were never updated, CDD that wasn't completed or recorded, and suspicious matters that weren't reported. The lesson for a small accounting firm isn't that you need a bank's compliance department — it's that your records need to show your program is real and is being followed.

A second common gap is fragmentation — CDD in one system, training in a spreadsheet, the risk assessment in a partner's documents folder, SMR notes in an email chain. When a request arrives, assembling all of it under time pressure is where firms come unstuck.

Building an audit-ready practice

  1. Keep everything in one place, version-controlled and dated.
  2. Make the record contemporaneous — capture the evidence as the work happens, not reconstructed later.
  3. Retain for the full period (generally seven years), securely and retrievably.
  4. Be able to export on demand — if producing your compliance history takes a week of digging, that's a finding waiting to happen.
  5. Schedule your reviews and your independent evaluation, and keep proof they occurred.

How Veriqua helps

This is where Veriqua is designed to earn its place. The platform is designed to keep an audit log of every compliance action, an evidence vault for program and CDD documents, staff training records, independent-review scheduling, and board/compliance-officer reporting with distribution receipts — all in one place and exportable as a single record when AUSTRAC asks. Every obligation is timestamped as it's completed, so the audit trail builds in the background while you work.

The point isn't to make compliance look impressive — it's to make it provable. Veriqua supports your obligations; it does not remove your responsibility as a reporting entity to comply with the law.

Frequently Asked Questions

How long must an accounting firm keep AML/CTF records?
Generally seven years. This covers AML/CTF program documents, CDD records (including beneficial ownership), SMR and TTR histories, training records, risk assessment reviews, and compliance officer appointment evidence. Records must be kept in a form that is retrievable on request from AUSTRAC.
What does AUSTRAC look for when reviewing an accounting firm?
Reviewers typically look for: the current AML/CTF program with senior management approval, dated risk assessment reviews, CDD files with beneficial ownership records, evidence of enhanced CDD where applicable, SMR history including reasoning, staff training records, compliance officer appointment, and confirmation of a scheduled independent evaluation.
When must accounting firms complete their first independent evaluation?
Newly regulated firms are generally required to complete their first independent evaluation no earlier than 1 July 2029. However, your program should be built to withstand scrutiny from day one — the evaluation is not a reason to delay building a compliant program.
Do accountants need to lodge Threshold Transaction Reports (TTRs) with AUSTRAC?
Yes, where physical cash of A$10,000 or more is received in a single or related transaction. TTRs must be lodged with AUSTRAC within 10 business days. The obligation is threshold-based and applies regardless of suspicion — receiving the cash triggers it automatically.

See how Veriqua handles this

Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.

Disclaimer: This article is general information only and is current as at May 2026. It reflects our understanding of the AML/CTF reforms, the AML/CTF Rules 2025 and AUSTRAC guidance as at that date, all of which may change. Record-keeping and evaluation obligations depend on your circumstances. This is not legal, financial or compliance advice and must not be relied on as such. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.