General6 min read

The AUSTRAC Audit That Costs You Nothing: What an Examination Actually Asks For

An AUSTRAC examination is only painful if you are not ready for it. It asks for a predictable set of documents. If they live in one place and are current, an audit is an afternoon. If they are scattered, or your program was a write-once PDF, it becomes a scramble that can turn into an external audit order you pay for. Here is the list they work from.

2026-07-16· AML Mate Team
The AUSTRAC Audit That Costs You Nothing: What an Examination Actually Asks For

Most firms preparing for Tranche 2 are worried about the wrong moment. They picture the enrolment deadline. The moment that actually decides how much trouble you are in comes later, and quietly: the day AUSTRAC asks to see your file.

Here is the good news that nobody says out loud. An AUSTRAC examination is not a mystery, and it is not designed to catch you out. It asks for a fairly predictable set of things. If those things exist, are current, and live in one place, handing them over is an afternoon of work and the audit is a non-event. If they are scattered across inboxes and folders, or your AML/CTF program was a document you generated once and never touched again, the same request becomes a month of scrambling. Same law, completely different day.

So the useful question is not "will I get audited". It is "if AUSTRAC asked me tomorrow, could I hand it over calmly". Here is the list they work from.

What AUSTRAC actually asks for

When AUSTRAC examines a reporting entity, whether through a request for information, a notice to produce, or an external audit order, it is checking the same core set. For a small firm it comes down to seven things.

  1. Your enrolment details. That you are on the AUSTRAC register, and that what you told them about your business and your designated services is accurate.
  2. Your AML/CTF program. The written program itself, across its parts: governance, staff and training, customer due diligence, transaction monitoring, reporting, and record keeping. Not a summary. The actual document.
  3. Your risk assessment. How you assessed your money-laundering and terrorism-financing risk, and how that assessment shaped your program. This is the piece AUSTRAC reads hardest, because it shows whether your controls actually fit your business.
  4. Your customer due diligence records. Who your clients are, how you identified and verified them, their risk ratings, and the enhanced checks you did on the higher-risk ones.
  5. Your monitoring and reporting. Evidence you are watching for suspicious activity, plus any suspicious matter reports and threshold transaction reports you have lodged. A busy firm that has filed nothing invites a question, as we covered in why zero reports is now a red flag.
  6. Your training records. That the people handling designated services were actually trained, with dates and completion, not just a policy that says training happens.
  7. Your records, kept for seven years. The identification and transaction records you have to retain, retrievable when asked.

None of this is exotic. It is the paperwork of doing the job properly. The problem is never the list. The problem is whether the list exists in a form you can produce.

The one thing that turns an audit bad

There is a single distinction that separates a calm audit from a painful one, and it is worth burning into memory.

AUSTRAC does not just check that your program exists. It checks that it is applied. The language it used against one payment platform this year was that the program was "not attuned to the full range of risks the platform faces". Translated: they had a document, but it did not match what the business actually did, and it was not really running. That is the finding that hurts, and it is the finding a write-once PDF is built to attract. We broke that down in the MHITS audit.

So the test is not "do I have a program". It is "does my program describe what my firm actually does, and can I show it is being used". A risk assessment that names higher-risk clients, paired with client files that show no extra checks on them, is worse than useless. It is evidence against you, in your own words.

Why "I'll sort it if they call" is the expensive plan

The instinct is to keep the paperwork light and deal with an audit if one ever comes. Two things make that a bad bet.

First, AUSTRAC's fastest tool is not a courtroom. It increasingly reaches for administrative powers: a notice to produce, or an order to appoint an external auditor at your own expense. Those are quick, they do not need a judge, and the audit lands on your desk with a deadline. The cost of being unready is not just stress. It can be a forensic auditor your firm has to pay for.

Second, you cannot backdate diligence. If a request arrives and your CDD was never really done, or your monitoring never ran, there is no weekend of catching up that fixes it. The record either shows a firm that was doing the work, or a firm that was not. That record is written continuously, or not at all.

How to be the firm that hands it over in an afternoon

The whole thing gets simple once you stop treating compliance as a document and start treating it as a place. Everything on the seven-point list should live together and stay current:

  • Your program and risk assessment as living documents, updated when your services or risks change, not a PDF from last year.
  • Client records, identity checks, risk ratings and screening results in one register.
  • Reports lodged, with dates.
  • Training completion, with dates.
  • An activity log that shows the program was actually used.

If all of that sits in one system and updates as you work, an AUSTRAC request is a export, not a project. That is the entire difference between the two versions of the same audit.

The takeaway

Stop rehearsing the enrolment deadline and start rehearsing the audit. Not because one is coming next week, but because the answer to "could I hand it over calmly" is the real measure of whether you are compliant, and it is a much better question than the one most firms are asking. Enrol by 29 July. Then build so that the day AUSTRAC asks is an afternoon, not a crisis.


AML Mate keeps your program, risk assessment, client CDD, screening, reports, training and audit log in one place, and bundles them into a single audit-ready export. Run a free compliance check to see where your firm stands, or view pricing to get set up before 29 July.

tranche-2austracauditexaminationaml-programrecord-keepingaccountantslawyersreal-estate

Ready to build your AML/CTF program?

AML Mate generates your AML/CTF program in 15 minutes using AUSTRAC's official templates. Start a 14-day free trial, cancel anytime.

This article is based on AUSTRAC's publicly available guidance. It does not constitute legal or compliance advice. Consult a licensed compliance professional for complex situations.

What an AUSTRAC Examination Asks For (Checklist)