161External audits—risk management etc.

#### 161 External audits—risk management etc. (1) This section applies if the AUSTRAC CEO has reasonable grounds to suspect that a reporting entity has not taken, or is not taking, appropriate action to identify, assess, manage or mitigate the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services at or through a permanent establishment of the reporting entity in Australia. Requirement (2) The AUSTRAC CEO may, by written notice given to the reporting entity, require the reporting entity to: (a) appoint an external auditor; and (b) arrange for the external auditor to carry out an external audit of the reporting entity’s capacity and endeavours to identify, assess, manage or mitigate the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services at or through a permanent establishment of the reporting entity in Australia; and (c) arrange for the external auditor to give the reporting entity a written report (the audit report) setting out the results of the audit; and (d) give the AUSTRAC CEO a copy of the audit report within: (i) the period specified in the notice; or (ii) if the AUSTRAC CEO allows a longer period—that longer period. > Note: The AUSTRAC CEO’s decisions under this subsection are reviewable (see Part 17A). (3) The notice must specify: (a) the matters to be covered by the audit; and (b) the form of the audit report and the kinds of details it is to contain. (4) The matters that may be specified under paragraph (3)(a) may include either or both of the following: (a) an assessment of the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services at or through a permanent establishment of the reporting entity in Australia; (b) an assessment of what the reporting entity will need to do, or continue to do, to appropriately identify, assess, manage or mitigate the risks of money laundering, financing of terrorism and proliferation financing that the reporting entity may reasonably face in providing its designated services at or through a permanent establishment of the reporting entity in Australia. (5) Subsection (4) does not limit paragraph (3)(a). Eligibility for appointment as an external auditor (6) An individual is not eligible to be appointed an external auditor by a reporting entity if: (a) the individual is an officer, employee or agent of the reporting entity; or (b) both: (i) the reporting entity is a member of a reporting group; and (ii) the individual is an officer, employee or agent of another member of the reporting group. Offence (7) A person commits an offence if: (a) the person is subject to a requirement under subsection (2); and (b) the person engages in conduct; and (c) the person’s conduct breaches the requirement. Penalty: Imprisonment for 6 months or 30 penalty units, or both. Civil penalty (8) A reporting entity must comply with a requirement under subsection (2). (9) Subsection (8) is a civil penalty provision.