AUSTRAC Audit-Ready: AML/CTF Compliance Records for Australian Accounting Firms 2026
There's a difference between a firm that has AML/CTF compliance and a firm that can prove it. When AUSTRAC comes asking, only the second kind matters. The reforms don't just require accounting practices to do the work — they require you to evidence it, and to keep that evidence for years.
Here's what an audit-ready accounting practice looks like, and what an AUSTRAC reviewer actually expects to see.
Why documentation is the obligation
AUSTRAC supervises through education, but also through monitoring, information requests and examinations. When it reviews a reporting entity, it isn't looking for a feeling that you take compliance seriously — it's looking for records. Compliance you can't produce on request is, for practical purposes, compliance you can't demonstrate.
Reporting entities must make and keep AML/CTF records — generally for seven years — covering their program, their customer due diligence, their reporting, and their decision-making. Treat record-keeping not as an afterthought but as the obligation that proves all the others.
What an AUSTRAC reviewer typically asks for
While every review is different, an inspection of a professional-services firm commonly looks for:
- Your AML/CTF program — your current ML/TF risk assessment and your AML/CTF policies, with evidence of senior-management approval.
- Risk assessment reviews — a dated history showing the assessment has been kept current, not written once and shelved.
- CDD files — identity verification and beneficial-ownership records for clients, and evidence that enhanced due diligence was applied where it should have been.
- SMR history — records of suspicious matters considered and reported, with the reasoning, kept confidentially.
- Staff training records — who was trained, on what, and when.
- Your compliance officer — evidence of the appointment and that the role is actually being performed.
- Independent evaluation — confirmation that your program is scheduled for independent evaluation within the required timeframe (newly regulated firms generally have until no earlier than 1 July 2029 for their first one).
What goes wrong
Patterns visible in AUSTRAC's published enforcement outcomes are instructive. The failures that attract action tend to be systemic: programs that existed on paper but weren't followed, risk assessments that were never updated, CDD that wasn't completed or recorded, and suspicious matters that weren't reported. The lesson for a small accounting firm isn't that you need a bank's compliance department — it's that your records need to show your program is real and is being followed.
A second common gap is fragmentation — CDD in one system, training in a spreadsheet, the risk assessment in a partner's documents folder, SMR notes in an email chain. When a request arrives, assembling all of it under time pressure is where firms come unstuck.
Building an audit-ready practice
- Keep everything in one place, version-controlled and dated.
- Make the record contemporaneous — capture the evidence as the work happens, not reconstructed later.
- Retain for the full period (generally seven years), securely and retrievably.
- Be able to export on demand — if producing your compliance history takes a week of digging, that's a finding waiting to happen.
- Schedule your reviews and your independent evaluation, and keep proof they occurred.
How Veriqua helps
This is where Veriqua is designed to earn its place. The platform is designed to keep an audit log of every compliance action, an evidence vault for program and CDD documents, staff training records, independent-review scheduling, and board/compliance-officer reporting with distribution receipts — all in one place and exportable as a single record when AUSTRAC asks. Every obligation is timestamped as it's completed, so the audit trail builds in the background while you work.
The point isn't to make compliance look impressive — it's to make it provable. Veriqua supports your obligations; it does not remove your responsibility as a reporting entity to comply with the law.
Frequently Asked Questions
How long must an accounting firm keep AML/CTF records?↓
What does AUSTRAC look for when reviewing an accounting firm?↓
When must accounting firms complete their first independent evaluation?↓
Do accountants need to lodge Threshold Transaction Reports (TTRs) with AUSTRAC?↓
Related articles
Am I Even Captured? Scope for Accountants
How to determine if your practice provides designated services and is a reporting entity.
Business-Wide Risk Assessment for Accountants
The ML/TF risk assessment — what it is and how accounting firms complete one.
SMR and TTR Guide for Accountants
The trigger, the 3-business-day deadline, and what happens if you miss it.
See how Veriqua handles this
Veriqua is an Australian compliance operating system for AFSL holders and AUSTRAC reporting entities — automating AML/CTF programs, customer due diligence, transaction monitoring, SMR lodgement and board reporting.
Disclaimer: This article is general information only and is current as at May 2026. It reflects our understanding of the AML/CTF reforms, the AML/CTF Rules 2025 and AUSTRAC guidance as at that date, all of which may change. Record-keeping and evaluation obligations depend on your circumstances. This is not legal, financial or compliance advice and must not be relied on as such. Obtain advice from a qualified professional and refer to current AUSTRAC guidance before acting.