What happens when AUSTRAC audits your agency?
What triggers an AUSTRAC audit, what auditors look for, and how a real estate agency with good records and a documented program can get through one. A plain-English explainer.
What happens when AUSTRAC audits your agency?
The agencies that fail an AUSTRAC audit don't fail on knowledge. They fail on records.
Most agency principals are focused on the July 2026 compliance deadline: getting enrolled, building a program, training staff. That is the right priority.
But the question that comes next is: "What happens if AUSTRAC actually shows up?"
This post explains what an AUSTRAC audit involves, what auditors look for, and what separates an agency that gets through it smoothly from one that doesn't.
AUSTRAC's posture: supportive but firm
AUSTRAC has described its approach to the real estate sector as "supportive but firm." That matters.
For agencies that are making a genuine, documented effort to comply (enrolled with AUSTRAC, a written program in place, staff trained, CDD being conducted) the posture is constructive. AUSTRAC has published extensive free guidance, a Program Starter Kit, and sector-specific education materials specifically to help small agencies get compliant.
For agencies that have ignored their obligations, or where non-compliance is wilful or systemic, AUSTRAC has a track record of enforcement. It has pursued major actions against reporting entities in banking, remittance, and gambling. The real estate sector is not exempt.
The practical implication: documentation beats perfection. A clean paper trail of good-faith compliance effort is your best protection.
What triggers an AUSTRAC review?
AUSTRAC monitors reporting entities through several channels. A review of your agency may be triggered by:
| Trigger | What it means for your agency |
|---|---|
| Annual Compliance Report patterns | AUSTRAC reviews the Annual Compliance Reports submitted by all reporting entities. Inconsistencies, gaps, or unusually low reporting rates can prompt follow-up. |
| Suspicious Matter Report activity | Agencies that report frequently, never report at all, or file reports with unusual patterns may attract attention. SMRs are analysed for quality and timeliness. |
| Sector-wide risk-based monitoring | AUSTRAC conducts risk-based monitoring across newly regulated sectors. Real estate agencies should expect heightened scrutiny in the first compliance cycle. |
| Intelligence referrals | Referrals from law enforcement, other agencies, or financial intelligence partners can prompt a targeted review. |
| Complaints or notifications | Complaints about an agency's compliance practices, or self-notifications of a breach, can initiate a review. |
Source: AUSTRAC public guidance and AML/CTF Act 2006·As of April 2026
What auditors actually look for
Whether it is a routine risk-based review or a targeted audit, AUSTRAC auditors work through the same categories. Here is what they examine:
Your AML/CTF program
The program document is the foundation of the audit. Auditors will check:
- Whether you have a documented program at all
- Whether it addresses the risks identified in your risk assessment
- Whether it covers all required components (CDD, monitoring, reporting, record-keeping, training, governance)
- Whether it has been formally approved by senior management
- Whether it is being followed in practice, not just in writing
Customer due diligence records
For each client, auditors may request:
- Verification of identity documents (what was collected, how it was verified, by what method)
- Evidence that CDD was completed before a designated service was provided
- Risk ratings assigned to customers, with reasoning documented
- Enhanced due diligence records for higher-risk clients
- Beneficial ownership records for clients that are companies or trusts
The key test: is there a documented record for each client showing what you collected, how you verified it, and when?
Screening records
Auditors will check that you screened clients against the DFAT Consolidated List (Australian autonomous sanctions) and checked for Politically Exposed Persons. They want to see:
- That screening happened at onboarding
- That it happens periodically for ongoing relationships
- That screening results are documented: the date, the list checked, and the outcome
Undocumented screening is treated as screening that did not happen.
Training records
Every staff member who performs AML-relevant duties must be trained before they do so. Auditors will ask for:
- Evidence that training was delivered
- Records showing who was trained, on what date, and what topics were covered
- Annual refresher training documentation
A training session with no attendance record does not satisfy the obligation.
Reporting records
If your agency has filed Suspicious Matter Reports or Threshold Transaction Reports, auditors will review them for completeness and timeliness. They will also look at your internal process for identifying and escalating suspicious activity: whether you have a documented procedure and whether staff understand it.
The independent evaluation: an audit you arrange yourself
Separate from a regulatory audit, the AML/CTF Act requires reporting entities to commission an independent evaluation of their AML/CTF program at least every three years.
An independent evaluation is conducted by a qualified third party, not a self-assessment. The evaluator assesses whether your program addresses your identified risks, whether it is being followed in practice, and whether it is effective. Any issues found must be documented and remediated with a timeline, and the evaluation results kept for seven years.
What separates agencies that get through it from those that don't
Based on AUSTRAC's published enforcement patterns and sector guidance, the difference comes down to two things:
Key takeaways
-
Documentation. If it is not recorded, it did not happen. Agencies that maintain accurate, dated records of their CDD, screening, training, and program approvals are in a fundamentally different position to those operating on informal processes. AUSTRAC auditors cannot verify what has not been documented.
-
Genuine implementation. A program that exists on paper but is not followed in practice will not withstand scrutiny. Agencies that brief their staff on the program, conduct real CDD on real clients, and actually file SMRs when triggered are demonstrating good faith. That matters, both in an audit and in how AUSTRAC approaches any remediation.
A 3-person agency that follows the AUSTRAC Program Starter Kit, maintains clean CDD records, and trains its staff is well-positioned for any review. The obligations are not ambiguous. Agencies that meet them have nothing to fear from an audit.
Build the records that matter
AML Simple is designed for exactly this scenario: helping you build and maintain the documentation that an AUSTRAC audit would look for. Your CDD records, screening results, training logs, and program documents are stored in one place, dated, and retrievable.
58 days until obligations commence
1 July 2026
Start your AML program free, no account needed
AML Simple helps you build the records that matter: CDD documentation, screening results, training logs, and a program consistent with AUSTRAC's own Starter Kit.
Get AUSTRAC ready