AUSTRAC's Audit Powers

AUSTRAC holds broad examination and information-gathering powers under Part 15 of the AML/CTF Act. These powers allow AUSTRAC to require any reporting entity to produce documents, answer questions, and permit inspections of its premises and records. The powers apply without the need for a court order in most circumstances, and non-compliance with a production notice is itself a serious offence carrying civil and criminal penalties.

For Tranche 2 entities — newly regulated from July 1, 2026 — understanding the scope of these powers is critical. AUSTRAC can conduct examinations in several forms: a desktop review based on documents produced in response to an information notice; an on-site inspection of the firm's premises and records; an examination of specific individuals under oath or affirmation; and a formal audit by an AUSTRAC-appointed auditor. Each form carries different timelines, different obligations, and different levels of intensity.

AUSTRAC prioritises its examination resources using intelligence and risk-based targeting. Firms that are not enrolled, firms that are enrolled but report nothing, firms in high-risk sectors with unusual transaction patterns, and firms that have been the subject of law enforcement referrals or suspicious matter cross-references are the most likely to receive early examination attention. But AUSTRAC also conducts industry-wide sweeps of newly regulated sectors — which means that even well-intentioned firms with genuine compliance programs may receive examination requests in the early years of the Tranche 2 regime.

Types of AUSTRAC Examinations

Not every AUSTRAC examination is a full audit. Understanding the different examination types helps firms calibrate their response and manage the process efficiently.

An information request or production notice is the most common initial contact. AUSTRAC requests specific documents — the AML/CTF program, training records, CDD records for a sample of matters, the SMR register, and transaction monitoring records — and sets a deadline for production. This type of examination can often be satisfied through document production alone, without an on-site inspection.

A compliance assessment involves a more structured review of the firm's AML/CTF posture, typically conducted through a combination of document review and interviews with the AMLRO and relevant staff. AUSTRAC compliance officers will test not just whether the program is documented but whether it is implemented — by asking staff how they apply the procedures in practice and comparing those answers to what the program says.

A formal audit is the most intensive examination type. It is typically triggered by a specific concern — a law enforcement referral, a pattern identified in transaction reporting, or a significant failing identified in an earlier compliance assessment. A formal audit involves detailed review of client files, financial records, and internal communications, and may result in formal findings and remediation directions.

The distinction between examination types matters for timing. A production notice may give as little as 14 days to produce documents. A compliance assessment may involve pre-scheduling of interview dates several weeks in advance. A formal audit may arrive with very short notice. Firms with well-organised, systematically maintained compliance records will respond to any of these more quickly and with less disruption than firms that need to reconstruct records from disparate sources.

Documentation You Must Have Ready

The ability to respond promptly and comprehensively to an AUSTRAC information request is itself evidence of compliance posture. Firms that produce complete, well-organised records quickly demonstrate to AUSTRAC that their compliance function is genuinely operational, not a paper exercise. Firms that produce incomplete records, or that take the full production period to compile records that should be systematically maintained, invite closer scrutiny.

The core documents AUSTRAC expects to see include: the current AML/CTF program (both Part A and Part B), dated and version-controlled; the risk assessment underlying the program; the AMLRO appointment documentation; training records for all staff in AML/CTF-sensitive roles, for at least the past 12 months; the annual review report, including the reviewer's findings and the firm's response; customer due diligence records for a representative sample of recent matters, including identity verification documents and SoW assessments; the SMR register, including both filed reports and documented non-filing decisions; and transaction monitoring records demonstrating that ongoing monitoring is being applied to existing client relationships.

For firms that have recently become reporting entities, the records available will necessarily be limited to the period since enrolment. AUSTRAC understands this — it will not expect seven years of records from a firm that has been enrolled for six months. But it will expect that the records from the enrolment period are complete and that the program was implemented from the enrolment date, not phased in gradually.

How a Compliance Assessment Proceeds

A typical AUSTRAC compliance assessment for a Tranche 2 entity follows a structured process. Understanding the sequence allows firms to prepare effectively and manage the process without disruption to client services.

AUSTRAC will typically make initial contact with the firm's AMLRO by letter or email, identifying the examination as a compliance assessment, specifying the period under review, and requesting an initial document production. The letter will identify the AUSTRAC compliance officer assigned to the assessment and provide their contact details for correspondence.

Following the initial document production, AUSTRAC may request additional documents or clarifications. This iterative exchange can take several weeks. The AMLRO should maintain a log of all communications with AUSTRAC during this period — what was requested, what was provided, and when.

Once the document review is complete, AUSTRAC will typically schedule an interview or meetings with the AMLRO and, depending on findings, other senior staff. The interview covers the implementation of the program in practice — how the AMLRO manages internal reports, how CDD is conducted, how training is delivered and recorded, and how the annual review is structured. The AMLRO should prepare for this interview by reviewing their own records and being ready to walk AUSTRAC through specific examples of how each program element operates in practice.

Following the interview, AUSTRAC will typically provide draft findings to the firm for response before finalising. This is an opportunity to correct factual errors, provide additional evidence, and make representations about any deficiencies identified. Firms that engage constructively at this stage — acknowledging deficiencies, proposing remediation timelines, and demonstrating genuine commitment to improvement — consistently achieve better outcomes than firms that contest every finding adversarially.

Common Findings and How to Avoid Them

AUSTRAC's published guidance and the enforcement actions it has taken since the Tranche 2 legislation passed provide a clear picture of the compliance failures that are most commonly identified in examinations. Avoiding these failures requires proactive action before an examination, not reactive repair after one arrives.

The most common finding is a program that is generic rather than tailored. AUSTRAC's officers are experienced readers of AML/CTF programs, and they can identify boilerplate language that does not reflect genuine analysis of the firm's specific risk profile. Programs that use identical or near-identical language for law firms, conveyancers, and real estate agents are a red flag — the risk profiles of these entity types differ substantially, and a single template cannot genuinely address all of them.

The second most common finding is a gap between the program and practice. The program says training is delivered annually; the training register shows the last training event was 22 months ago. The program says enhanced due diligence is applied to clients with complex beneficial ownership structures; the files reviewed show no evidence that the EDD procedure was applied to several such clients. These gaps indicate that the program is aspirational rather than operational.

The third most common finding is inadequate SMR reporting relative to the firm's transaction volume and risk profile. A firm handling 200 property settlements per year in a metropolitan market, with a diverse client base including foreign national buyers and off-the-plan purchasers, that has filed zero SMRs in its first year of operation will face questions about whether its suspicious matter detection is functioning as documented. This does not mean every transaction must generate an SMR — but the reporting record must be proportionate to the risks and the volume.

Managing the AMLRO Through an Audit

The AMLRO is the primary point of contact for an AUSTRAC examination. The quality of the AMLRO's engagement with the process — their preparation, their organisation, their candour, and their command of the firm's compliance records — will significantly influence the examination outcome.

Before an examination, the AMLRO should review the firm's compliance records comprehensively and identify any gaps or deficiencies. If there are deficiencies, it is better to identify and address them proactively — and to be transparent with AUSTRAC about what remediation has occurred — than to be discovered during the examination. AUSTRAC's approach to firms that self-identify deficiencies and demonstrate genuine remediation is materially more constructive than its approach to firms that appear to be concealing problems or minimising them.

During the examination, the AMLRO should be the firm's sole designated spokesperson on AML/CTF matters. Other staff may be interviewed, but their responses should be consistent with the program and with what the AMLRO has communicated. Inconsistencies between the AMLRO's account and staff members' accounts of how the compliance function operates are significant red flags in any examination.

After the examination, if AUSTRAC identifies deficiencies, the AMLRO should develop a structured remediation plan — with specific actions, owners, and timelines — and track implementation against that plan. The remediation plan should be reported to senior management and documented in the annual review record for the following cycle. This demonstrates the kind of continuous improvement posture that distinguishes a firm that is genuinely embedded in the compliance framework from one that treats compliance as a one-time event.

What Strong Compliance Posture Looks Like

Firms that successfully navigate AUSTRAC examinations share several common characteristics that go beyond having the right documents in place. Compliance posture is not just about documentation — it is about the extent to which AML/CTF obligations are genuinely embedded in the firm's culture and daily operations.

Strong posture firms have an AMLRO who is genuinely engaged with the role — who reads AUSTRAC guidance publications, who discusses AML/CTF issues with staff proactively, who treats the internal SMR register as a live tool rather than a compliance obligation, and who reports regularly to senior management without being prompted. The compliance function in these firms is not a burden that happens around client work; it is integrated into client onboarding and matter management as a standard part of the workflow.

Strong posture firms also have senior management that is genuinely accountable for the AML/CTF program. Partners and directors who have read and approved the program, who received the annual review findings and engaged with them, and who can articulate the firm's risk profile and compliance approach in broad terms project a very different impression in an examination than firms where the principals have effectively delegated all AML/CTF responsibility to a junior appointee and know nothing about their own program.

Finally, strong posture firms are transparent about their imperfections. No compliance program is perfect, and AUSTRAC does not expect perfection. What it does expect is honesty about limitations, a genuine effort to identify and address gaps, and a demonstrable trajectory of improvement over successive annual review cycles. A firm that acknowledges a gap, documents its remediation plan, and shows that the plan has been implemented is in a fundamentally stronger position than a firm that claims compliance perfection while evidence of gaps is visible in the files.

Tranche and Audit Readiness

Tranche is designed with audit readiness as a core design principle. Every significant compliance action taken through the platform — program generation, AMLRO appointment, training record entry, SoW analysis, SMR register update, annual review completion — is timestamped, attributed, and stored in a retrievable format.

When AUSTRAC requests production of a firm's AML/CTF program, Tranche can export the current program as a PDF in under 60 seconds — complete with generation timestamp, version number, and firm details. When AUSTRAC requests training records, the training register export provides a structured, formatted document covering all required fields for all training events within the requested period.

The compliance dashboard surfaces the current status of each required compliance element — program currency, training currency, annual review status, SMR register open items, and CDD record completeness for recent matters — so the AMLRO can confirm at a glance that the firm is examination-ready. Elements that are overdue or approaching their due date are highlighted, enabling proactive remediation before an examination arrives.

For firms that receive an examination notice, the Tranche compliance timeline view provides a chronological record of all compliance events — exactly what was done, when, and by whom. This view provides the narrative of the firm's compliance history that AUSTRAC examiners look for when assessing whether compliance obligations have been consistently met over time, not just in the weeks immediately before an examination notice was received.