Preamble
Authority Statement
The Auditing and Assurance Standards Board (AUASB) formulates Guidance Statement GS 002 Audit Implications of Prudential Reporting Requirements for Registered Superannuation Entities pursuant to section 227B of the Australian Securities and Investments Commission Act 2001, for the purposes of providing guidance on auditing and assurance matters.
This Guidance Statement provides guidance to assist the auditor to fulfil the objectives of the audit or assurance engagement. It includes explanatory material on specific matters for the purposes of understanding and complying with AUASB Standards. The auditor exercises professional judgement when using this Guidance Statement.
This Guidance Statement does not prescribe or create new requirements.
Application
1
This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to auditors of a Registrable Superannuation Entity (RSE), reporting pursuant to the prudential reporting requirements specified by APRA in its RSE Prudential Standard SPS 310 Audit and Related Matters (July 2013) (SPS 310).
Introduction
3
Under the Superannuation Industry (Supervision) Act 1993 (SIS Act), APRA is responsible for the prudential supervision and monitoring of prudential matters relating to all Registrable Superannuation Entities (RSEs) in order to protect the interests of members and beneficiaries or prospective members of the RSE concerned.
4
APRA formulates, promulgates and enforces prudential policy and practice through Superannuation Prudential Standards (SPSs). In addition, APRA may also issue non-enforceable Superannuation Prudential Practice Guides (SPGs) and other guidelines, to assist RSEs in complying with the requirements in its Prudential Standards and, more generally, to outline prudent practices in relation to certain elements of the RSE's operations.[1]
5
The RSE auditor is required to report pursuant to the prudential reporting requirements specified by APRA in SPS 310 paragraph 19 as outlined below:
- reasonable assurance addressing:
  - annual financial statements of each RSE prepared in accordance with relevant Australian Accounting Standards issued by the Australian Accounting Standards Board;
  - the annual information, relating to each RSE, required under the reporting standards made by APRA under the Financial Sector (Collection of Data) Act 2001 (FSCOD Act) that are identified in Attachment B to SPS 310 as requiring reasonable assurance; and
  - compliance with provisions of the SIS Act, Superannuation Industry (Supervision) Regulations 1994 (SIS Regulations), the Corporations Act 2001 (Corporations Act), Corporations Regulations 2001 (Corporations Regulations), FSCOD Act, and additional conditions imposed under section 29EA of the SIS Act, that are specified in an approved form; and
- limited assurance addressing:
  - the annual information, relating to each RSE, required under the reporting standards made by APRA under the FSCOD Act that are identified in Attachment B to SPS 310 as requiring limited assurance;
  - the RSE licensee's systems, procedures and internal controls that are designed to ensure that the RSE licensee has complied with all applicable prudential requirements, has provided reliable data to APRA as required under the reporting standards prepared under the FSCOD Act, and has operated effectively throughout the year of income;
  - the RSE licensee's compliance with its risk management framework;[2] and
  - the RSE licensee's compliance with its operational risk financial requirement (ORFR) strategy.[3]
6
This Guidance Statement provides guidance for each element of the assurance engagements under SPS 310, except for the report on the audit of the financial statements of the RSE licensee as specified in paragraph 19(a)(i) of SPS 310, for which mandatory requirements and explanatory guidance are provided in the Australian Auditing Standards. The RSE auditor is required to comply with all requirements in each of the Auditing Standards relevant to the financial statement audit in determining the audit procedures to be performed when conducting an audit in accordance with the Australian Auditing Standards.
7
In addition to the legislative and regulatory requirements imposed on RSE auditors, relevant Auditing and Assurance Standards Board (AUASB) Standards are applicable to engagements under the prudential standards. This Guidance Statement has been developed to clarify how the RSE auditor meets their regulatory obligations whilst also applying the requirements of:
- ASA 805 Special Considerations - Audits of Single Financial Statements and Specific Elements, Accounts or Items of a Financial Statement, when conducting assurance engagements on subject matters of a single financial statement and specific elements, accounts or items of a financial statement, which includes assurance engagements under SPS 310 paragraph 19(a)(ii).
- ASAE 3100 Compliance Engagements, when conducting assurance engagements regarding compliance with legislative or regulatory requirements as outlined under SPS 310 paragraph 19(a)(iii), 19(b)(ii), (iii) and (iv).
- ASRE 2405 Review of Historical Financial Information Other than a Financial Report, when conducting assurance engagements on specific elements, components, accounts or items of a historical financial report, which includes assurance engagements as outlined under SPS 310 paragraph 19(b)(i).
- ASAE 3000 Assurance Engagements other than Audits or Reviews of Historical Financial Information, when conducting assurance engagements on subject matters other than historical financial information, which includes assurance engagements as outlined under SPS 310 paragraphs 19(a)(iii), 19(b)(ii), (iii) and (iv).
8
The RSE auditor in meeting their role and responsibilities under these engagements is required by APRA to comply with relevant standards and guidance issued by the AUASB to the extent that they are not inconsistent with the requirements of SPS 310 and other prudential requirements[4]. In the exceptional circumstances that an inconsistency arises between APRA prudential requirements and those of the AUASB the RSE auditor[5] will need to communicate such matters to those charged with governance (TCWG).
[1] Access to APRA Prudential Standards, Prudential Practice Guides and legislation relevant to RSEs is available on APRA's website (www.apra.gov.au).
[2] Refer to Prudential Standard SPS 220 Risk Management for the requirement for the RSE licensee to have a risk management framework.
[3] Refer to Prudential Standard SPS 114 Operational Risk Financial Requirement for the requirement for the RSE licensee to have an ORFR strategy.
[4] "Prudential requirements" include requirements under the SIS Act, the SIS Regulations, prudential standards, reporting standards, the FSCOD Act, licence conditions, authorisations, superannuation data and payment standards, directions and any other requirements imposed by APRA under legislation.
[5] The RSE auditor has regard to the requirements and guidance in ASA 200 Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with Australian Auditing Standards, paragraphs 18 to 24, and APES 210 Conformity with Auditing and Assurance Standards.
Definitions
9
For the purposes of this Guidance Statement, the following items have the meanings attributed below:
9(a)
Assurance engagement means an engagement in which the RSE auditor aims to obtain sufficient appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the subject matter information (that is, the outcome of the measurement or evaluation of an underlying subject matter against criteria).
9(b)
Internal control encompasses the following components:
- the control environment;
- the RSE licensee’s risk assessment process;
- information systems, including the related business processes, relevant to financial and prudential reporting, and communication;
- control activities; and
- monitoring of controls.
The way in which internal control is designed and implemented varies depending on the RSE licensee’s size and complexity.
9(c)
RSE auditor means an independent auditor(s) appointed by the RSE licensee to meet the prudential reporting requirements under SPS 310.
Under SPS 310, it is possible for the RSE licensee to have more than one RSE auditor at any time, and for an RSE auditor appointed to meet the prudential reporting requirements (and who satisfies the criteria under SPS 310) to be different from the RSE auditor responsible for undertaking the financial statement audit under SPS 310.
9(d)
APRA Annual Return(s) means a form used for the collection and reporting of information in relation to the RSE licensee, as required to be provided to APRA by the RSE licensee in accordance with APRA Reporting Standards made under the FSCOD Act.
9(e)
Limited assurance engagement means an assurance engagement in which the RSE auditor reduces engagement risk to a level that is acceptable in the circumstances of the engagement but where that risk is greater than for a reasonable assurance engagement as the basis for expressing a conclusion in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the RSE auditor’s attention to cause the RSE auditor to believe the subject matter information is materially misstated. The nature, timing, and extent of procedures performed in a limited assurance engagement is limited compared with that necessary in a reasonable assurance engagement but is planned to obtain a level of assurance that is, in the RSE auditor’s professional judgement, meaningful. To be meaningful, the level of assurance obtained by the RSE auditor is likely to enhance the intended users’ confidence about the subject matter information to a degree that is clearly more than inconsequential.
9(f)
Prudential requirements include requirements under the:
- SIS Act;
- SIS Regulations;
- prudential standards (and Prudential Practice Guides (SPGs));
- reporting standards;
- FSCOD Act;
- licence conditions, authorisations, superannuation data and payment standards; and
- directions and any other requirements imposed by APRA under legislation.
9(g)
Reasonable assurance engagement means an assurance engagement in which the RSE auditor reduces engagement risk to an acceptably low level in the circumstances of the engagement as the basis for the RSE auditor’s conclusion. The RSE auditor’s conclusion is expressed in a form that conveys the RSE auditor’s opinion on the outcome of the measurement or evaluation of the underlying subject matter against criteria.
9(h)
RSE under section 10(1) of the SIS Act means:
- a regulated superannuation fund; or
- an approved deposit fund; or
- a pooled superannuation trust;
but does not include a self-managed superannuation fund.
9(i)
Reliability under the Australian Accounting Standards Board's Framework for the Preparation and Presentation of Financial Statements means information has the quality of reliability "… when it is free from material error and bias and can be depended upon by users to represent faithfully that which it either purports to represent or could reasonably be expected to represent".
Tripartite Relationship
10
APRA’s liaison with the RSE auditor is normally conducted under tripartite arrangements involving APRA, the RSE licensee and its auditor(s) (see SPS 310).
11
Any one of the parties involved in the tripartite relationship may initiate meetings or discussions at any time, when considered necessary.
12
Notwithstanding the tripartite relationship, APRA and the RSE auditor may meet, at any time, on a bilateral basis at the request of either party. APRA may communicate with the RSE auditor on a bilateral basis to obtain or discuss information for whatever reason(s) it considers appropriate.
13
Under SPS 510 Governance, the RSE licensee is required to ensure that its internal policy and contractual arrangements do not explicitly or implicitly restrict or discourage auditors (or other parties) from communicating with APRA.
14
Under section 130A of the SIS Act, the RSE auditor may give to APRA information about the entity or a trustee of the entity obtained in the course of, or in connection with the performance of the audit, if the RSE auditor considers that giving the information will assist APRA in performing its functions under the SIS Act, regulations, prudential standards or FSCOD Act.
Obligations of RSE Licensees
Lodgement of Auditor’s Reports
15
The RSE licensee is required to submit to APRA all reports required to be prepared by the RSE auditor in accordance with the prudential requirements and within the time specified in SPS 310.
16
These reporting requirements include the scenario where the RSE licensee has more than one RSE within its business operations. In this case, the RSE licensee must ensure that the RSE auditor completes a separate auditor’s report for each RSE.
17
In the case of the RSE licensee whose business operations include one or more small APRA funds (SAFs), the RSE licensee may engage the RSE auditor to prepare a single auditor's report covering some or all of the SAFs within its business operations, provided that the requirements set out in SPS 310 are met, namely in relation to:
- its risk management strategy;
- each SAF being individually audited;
- the RSE auditor's report being unmodified; and
- the RSE licensee providing APRA with a listing of all SAFs covered by the single RSE auditor's report.
18
Where the RSE licensee is part of a group, the RSE auditor may prepare the relevant part of the auditor's report, as the RSE auditor considers appropriate, either as part of the group report, provided it is clear where the RSE auditor is referring to the RSE licensee and where to the group, or on a standalone basis separate from the group.
Responsibility to Keep Auditor Informed
19
Under SPS 310, the RSE licensee must use all reasonable endeavours to assist the RSE auditor in being fully informed of all APRA Prudential Requirements applicable to the RSE licensee. This may include the RSE licensee making the RSE auditor aware of any circumstances that have changed in the RSE licensee’s business operations that may impact the scope of any limited or reasonable assurance engagements under SPS 310.
20
Under SPS 310, the RSE licensee is furthermore required to ensure that the RSE auditor has access to all relevant data, information, reports and staff of the RSE licensee that the RSE auditor reasonably believes is necessary to fulfil their responsibilities. This includes access to the Board of the RSE licensee, the Board Audit Committee and the internal auditors where required.
21
In particular, the RSE licensee is required to provide the RSE auditor with access to their Risk Management Framework (RMF) documents, as outlined in SPS 220 Risk Management, including the annual Risk Management Declaration as approved and signed by TCWG, and forwarded to APRA by the RSE licensee. In practice, this declaration may only be available immediately prior to the RSE auditor completing their audit.
22
Under section 35AB(1) of the SIS Act, the RSE auditor can request, in writing from the trustee of the RSE a document that is relevant to the preparation of their report. Each trustee of the RSE must ensure the document is given to the RSE auditor within 14 days of the request being made.
23
In relation to the RSE licensee’s responsibility to keep the RSE auditor informed, the RSE auditor includes these responsibilities clearly in the engagement letter[6] and also requests management of the RSE licensee to sign an appropriate representation letter[7] (refer paragraphs 129 and 130).
Risk Management Declaration
24
Under SPS 220, the RSE is required to submit to APRA, at the same time as lodgement of the annual information under the FSCOD Act, a declaration on risk management. This declaration includes, but is not limited to, statements by the RSE on:
- the reliability of financial information lodged with APRA;
- the adequacy of the systems in place to ensure compliance with APRA prudential requirements, including the Risk Management Strategy (RMS);
- the systems and resources in place for managing and monitoring risks, and whether the RMF is appropriate to the RSE licensee's business operations;
- the adequacy of reporting systems and internal controls supporting the preparation and reporting of accurate financial and statistical information to APRA; and
- the effectiveness of the RSE's processes and systems surrounding the production of financial information.
Refer to SPS 220 Attachment A for further information in relation to the RSE’s Risk Management Declaration.
25
The RSE auditor is not required to form an opinion on the declaration other than in the context of the RSE auditor’s responsibility to express a conclusion on the RSE’s compliance in accordance with the responsibilities and reporting requirements of SPS 310.
[6] The RSE auditor has regard to the requirements and guidance provided in ASA 210 Agreeing the Terms of Audit Engagements when completing the engagement letter.
[7] The RSE auditor has regard to the requirements and guidance provided in ASA 580 Written Representations when requesting this letter.
Responsibilities of the RSE Auditor
Those Who May Conduct the Reasonable and Limited Assurance Engagements
26
As outlined in SPS 310, the RSE licensee needs to ensure that the RSE auditor:
- is not disqualified under section 130D of the SIS Act;
- satisfies the eligibility criteria in Prudential Standard SPS 520 Fit and Proper (SPS 520) as applicable to the RSE auditor;
- is a fit and proper person in accordance with the RSE licensee’s Fit and Proper Policy as required by SPS 520; and
- satisfies the auditor independence requirements in Prudential Standard SPS 510 Governance.
As such, the RSE auditor will need to provide information to the RSE licensee to assist the RSE licensee to adhere to this requirement.
Role and Responsibilities of the RSE Auditor
27
The roles and responsibilities of the RSE auditor under SPS 310 will include at a minimum, reporting in an auditor’s report:
- a reasonable assurance opinion on the requirements in SPS 310 paragraph 19(a)(i), (ii) and (iii); and
- a limited assurance conclusion on the requirements in SPS 310 paragraph 19(b)(i), (ii), (iii) and (iv).
These requirements are discussed in paragraph 5 of this Guidance Statement.
28
In addition, APRA may require the RSE auditor to undertake a special purpose engagement, when requested by APRA in writing, in relation to a particular aspect of the RSE licensee’s business operations, prudential requirements or the risk management framework.
29
The RSE auditor also has certain obligations and responsibilities under section 129 of the SIS Act to report to the RSE licensee and APRA in certain circumstances. Refer to paragraphs 46 and 47 for further guidance.
30
The RSE auditor is required to modify the opinion contained in the auditor’s report for breaches of any provisions which, in the RSE auditor’s professional opinion, are material. In forming an opinion as to whether a breach is material, the RSE auditor refers to relevant AUASB standards and SPG 310 Audit and Related Matters.
31
The RSE auditor is required when preparing a report or assessment required under the SIS Act or SPS 310 (whether as part of a routine or special purpose engagement) to:
- do so on the basis that APRA may rely upon the report in the performance of its functions under the SIS Act; and
- exercise independent judgement and not place sole reliance on work performed by APRA.
32
As outlined in SPS 310, the RSE auditor is required to retain all working papers and other documentation in relation to the prudential requirements of the RSE for a period of at least five years after the end of year of income. Where requested to do so in writing by APRA, the RSE auditor must provide the working papers and other documentation to APRA.
Agreeing the Terms of Engagement
33
The RSE auditor and the RSE licensee agree on the terms for each discrete engagement as outlined under SPS 310, paragraph 19. Such terms may be detailed in one engagement letter or other suitable form of written contract. The RSE auditor has regard to ASA 210 Agreeing the Terms of Audit Engagements when agreeing the terms of the engagement with the RSE licensee.
34
It is noted that the appointment of the RSE auditor by the RSE licensee may cover more than one year of income in which case it would be prudent for the RSE licensee to confirm the appointment of the RSE auditor annually.
35
It is important that TCWG of the RSE licensee are aware of the RSE auditor's obligations referred to in SPS 310 and of the implications for confidentiality and restriction of distribution of the auditor's report beyond those users for whom the RSE auditor's reports were primarily prepared, being the RSE licensee and APRA. It is important also that the engagement letter includes a reference to the responsibility of TCWG of the RSE licensee to establish and maintain effective internal control to meet its APRA reporting requirements.
36
The engagement letter explains that any special purpose engagement of specific matters relating to the RSE licensee’s business operations, prudential requirements or the risk management framework, will constitute a separate engagement(s) and that the details of such engagement(s) will be the subject of a separate engagement letter(s).
37
An example engagement letter to reflect APRA reporting requirements as per SPS 310 is set out in Appendix 2 to this Guidance Statement.
Planning the Annual Reporting Engagement
Materiality
38
When planning and performing an assurance engagement, whether the engagement is being conducted under ASA 805, ASRE 2405, ASAE 3000 or ASAE 3100, the RSE auditor considers materiality.[8] The materiality levels set (overall and performance materiality) will determine the nature, timing and extent of risk assessment and further assurance procedures to be performed on the subject matter, whether it be account balances or disclosures in the APRA annual returns under the FSCOD Act, internal controls or compliance matters. During the engagement the RSE auditor reassesses materiality if matters come to their attention that indicate that the basis on which materiality was assessed has changed.
39
In determining materiality, the RSE auditor applies professional judgement to understand and assess what factors might influence the decisions of the regulator and other intended users, and the magnitude and nature of misstatements, non-disclosures or compliance breaches which may adversely affect decisions made by those users. Where particular types of accounts, disclosures or compliance matters may have a greater impact on the decisions of users, materiality may need to be set lower for those amounts or matters.
40
Materiality is determined in the same way whether the engagement is a reasonable or limited assurance engagement. The difference between limited and reasonable assurance engagements lies in the nature, timing and extent of evidence gathering procedures, which will differ in order to reduce the risk of a material misstatement or compliance breach remaining undetected to an acceptably low level, in the case of a reasonable assurance engagement, or to a limited level, in the case of a limited assurance engagement. The risk of material misstatements or compliance breaches in a limited assurance engagement is not reduced to the same extent as in a reasonable assurance engagement, because of the more limited nature, timing and extent of procedures conducted. In a limited assurance engagement, the RSE auditor seeks to obtain a meaningful level of assurance, which is likely to enhance the intended users’ confidence about the subject matter to a degree that is clearly more than inconsequential.
41
Although there is a greater risk that misstatements, control deficiencies or instances of non-compliance may not be detected in a limited assurance engagement than in a reasonable assurance engagement, the judgement as to what is material is made by reference to the subject matter on which the auditor is reporting and the needs of those relying on that information, as opposed to the level of assurance obtained.
Reasonable and/or Limited Assurance on APRA Annual Returns
42
In applying ASA 320, ASA 805 and ASRE 2405, as appropriate, to individual APRA annual returns, the auditor has regard to the nature, purpose and use of the information included in each annual return. The collection and analysis of data in specified annual returns is a critical component of APRA's supervisory function. APRA collects data from RSEs (and other APRA-regulated entities) for a broad range of reasons, some of which may include:
- to verify compliance with prudential requirements (e.g. solvency and adequacy of ORFR target amounts and tolerance limit requirements);
- to understand the operations of the entity and the industry;
- to identify emerging issues in both the entity and the industry;
- to pass on data to other government agencies; and
- to provide information on the finance sector to research organisations and the general public.
43
The RSE auditor determines:
- materiality for the report or application as a whole and, if appropriate, materiality for particular classes of accounts or disclosures, for assessing misstatements; and
- performance materiality, for assessing the risks of material misstatement and determining the nature, timing and extent of further procedures.
44
Materiality is to be addressed in the context of the RSE’s objectives relevant to the particular reporting standard being examined and whether the internal controls will reduce to an acceptable level the risks that threaten achievement of those objectives. These objectives are developed having regard to the protection of the interests of the members and beneficiaries as a whole and prospective members of the RSE. AASB 1031 Materiality may provide useful guidance to the RSE auditor with regard to matters likely to adversely affect the interests of members which generally relate to solvency and going concern assumptions.
Reasonable Assurance on Compliance
45
APRA expects the RSE auditor to consider each compliance requirement contained in paragraph 19(a)(iii) of SPS 310 individually when applying materiality considerations to form an audit opinion.
46
Where the RSE auditor identifies any instance whereby the requirements of paragraph 19(a)(iii) of SPS 310, or any other requirement of the law referred to in section 129 of the SIS Act, has been contravened, is being contravened or is likely to be contravened, under the SIS Act the RSE auditor is required to report that non-compliance to the trustees of the RSE in writing. If the contravention may affect the interests of members or beneficiaries of the entity, then the RSE auditor is required under the SIS Act to report that instance of non-compliance to APRA.[9]
47
Where the RSE licensee is already aware of a matter or instance of non-compliance, and has informed the trustee of the RSE of the matter or instance of non-compliance, the RSE auditor is not required under the SIS Act to report the matter or instance to the trustee of the RSE. The RSE auditor need not report the matter to APRA where the RSE auditor reasonably concludes that another RSE auditor or actuary has already appropriately communicated the non-compliance to APRA.[10]
48
Matters or instances of non-compliance under section 129 of the SIS Act refer not only to past and present matters or instances but also to reasonably possible future matters or instances that the RSE auditor may become aware of whilst conducting an audit or review for which they are engaged during any year of income.
49
The RSE auditor exercises professional judgement in considering materiality appropriate to the RSE’s circumstances, having regard to their obligations, the purpose and terms of the specific engagement, together with the size, business mix and complexity of the RSE’s business operations.
50
When considering materiality in relation to compliance, the RSE auditor takes into account both quantitative factors (the magnitude of the amounts, the period of time between the required time for compliance and actual fulfilment of the requirement, and whether the matter is part of a systemic issue) and qualitative factors (such as how the information will be used or how close the reported amounts are to applicable thresholds).
Limited Assurance on Internal Controls and Compliance
51
In accordance with ASAE 3000 and other applicable assurance standards, when reviewing internal controls, the RSE auditor assesses materiality in the context of the RSE licensee's objectives relevant to the particular area of activity being examined, and whether the internal controls will reduce to an acceptably low level the risks that threaten achievement of those objectives.
52
In assessing materiality, the RSE auditor has regard to the measures the RSE licensee has adopted to ensure:
- compliance with all applicable prudential requirements;
- reliable data is provided to APRA in all APRA Annual Returns prepared under the FSCOD Act; and
- their operating effectiveness throughout the year of income.
53
ASAE 3100 sets out the requirements and provides guidance to the RSE auditor in applying materiality in the context of a compliance engagement.
Overall Materiality
54
Performance materiality is usually set below the overall materiality so that the aggregate of uncorrected or undetected misstatements is not likely to exceed overall materiality. If only one source is reported, it may be appropriate for performance materiality to be set at the same amount as overall materiality. Setting performance materiality is not simply a mechanical calculation but involves the exercise of professional judgement.
55
Overall materiality and performance materiality, including the percentages and tolerances on which they are based, are documented in the engagement plan.
Identifying and Assessing the Risks of Material Misstatement or Compliance Breach
56
When identifying and assessing risks of material misstatement or compliance breach as a basis for designing and performing further assurance procedures, the RSE auditor does so at the reporting standard level or the individual compliance requirement level, and for reasonable assurance engagements, also at the assertion level for material classes of transactions, accounts, disclosures or compliance matters.
57
Factors impacting the risk assessment for engagements under SPS 310 may include:
- the reliability of the reporting systems;
- the risk culture of the RSE;
- the adequacy of systems and controls to identify, assess, manage, mitigate and monitor material risks;
- history of non-compliance by the RSE licensee;
- reported concerns regarding the RSE licensee as communicated by APRA;
- the estimation and uncertainty inherent in the measurement methodologies applied by the RSE;
- any bias inherent in the measurement methodologies adopted by the RSE;
- level of change in the RSE licensee's business operations or environment.
Overall Responses to Assessed Risks of Material Misstatement and Further Procedures
58
The RSE auditor designs and performs further assurance procedures which are responsive to assessed risks of material misstatement or material compliance breach. The assurance procedures performed on any particular engagement are a matter of professional judgement, and the nature, timing and extent of procedures will vary widely due to the different circumstances of each engagement. The RSE auditor chooses a combination of assurance procedures, which may include: inspection, observation, confirmation, recalculation, reperformance, analytical procedures and enquiry. Irrespective of the assessed risks of material misstatement or material compliance breach, the RSE auditor designs and performs tests of details for each material source of accounts, class of transactions, disclosure or compliance matter. In designing these tests the RSE auditor needs to consider the risk of material understatement, particularly with respect to immaterial amounts reported, and the risk of material omission.
Work Effort for a Limited versus Reasonable Assurance Engagement
59
ASAE 3000 clearly differentiates between the work which is required to be conducted for a limited versus a reasonable assurance engagement. However, the nature, timing and extent of evidence gathering procedures which are conducted in any given circumstance is a matter of professional judgement and is determined in response to the RSE auditor’s determination of materiality, the risk assessment and the results of the procedures conducted in response to assessed risks. As the level of assurance obtained in a limited assurance engagement is lower than in a reasonable assurance engagement, the procedures the RSE auditor will perform will vary in nature from and will be less in extent than for a reasonable assurance engagement. In a limited assurance engagement procedures primarily involve enquiries and substantive analytical procedures and may not include tests of controls.
60
Although procedures in a limited assurance engagement will be more limited in nature, timing and extent than for a reasonable assurance engagement, ASAE 3000 and ASAE 3100[11] require additional procedures to be conducted if the RSE auditor becomes aware of a matter which causes them to believe the subject matter may be materially misstated or there may be a material compliance breach. The RSE auditor may conduct procedures more akin to a reasonable assurance engagement on this particular matter in order to satisfy themselves either that the subject matter is not likely to be materially misstated or non-compliant, or that it is materially misstated or non-compliant.
61
In a reasonable assurance engagement, procedures will include tests of controls as well as tests of detail. When conducting a reasonable assurance engagement, if the RSE auditor is able to obtain evidence that the controls they wish to rely on are operating effectively, then the nature, timing and extent of tests of details may be reduced or modified. If reliance is to be placed on the operating effectiveness of controls throughout the period, then testing will need to cover that period. Alternatively, if the identified controls are not operating effectively, then the nature, timing or extent of tests of details will need to be increased or modified.
Understanding the Entity and its Environment
62
ASA 805, ASRE 2405, ASAE 3000 and ASAE 3100[12] require the RSE auditor to obtain an understanding of the entity and its environment and identify and assess the risk of material misstatement or compliance breach in order to plan the engagement. In gaining this understanding, the RSE auditor can draw on knowledge gained as part of the annual financial statement audit[13] conducted under the SPS 310, however this understanding would need to be updated[14] and broadened to meet the requirements of an SPS 310 engagement. ASAE 3100[15] provides a list of matters to be considered by the RSE auditor in understanding the entity and the compliance framework. It is likely the RSE auditor will conduct the following procedures in obtaining that increased understanding and assessing risk: enquiries, analytical procedures and observation and inspection.
63
For a limited assurance engagement, the RSE auditor does not normally develop the depth of understanding of internal controls as is required in a reasonable assurance engagement and so gaining that understanding may be limited to enquiries.
64
The assessment of risk is directed at identifying those risks that may result in either the subject matter being materially misstated, or, for a compliance engagement, the existence of material breaches of the relevant requirements.
Considerations relating to the RSE Licensee using a service organisation
65
In auditing the RSE licensee, it is likely that the RSE auditor will consider service organisations providing services such as administration and custody. Such organisations typically provide a Type 1 or Type 2 service organisation auditor's report under ASA 402 Audit Considerations Relating to an Entity Using a Service Organisation.
66
In accordance with ASA 402, the RSE auditor would obtain an understanding of the following:
- the nature of the services provided by the service organisation and the significance of those services to the RSE licensee, including the effect thereof on the RSE licensee’s internal control;
- the nature and materiality of the transactions processed or accounts or financial reporting processes affected by the service organisation (and subservice organisation, where applicable);
- the degree of interaction between the activities of the service organisation and those of the RSE licensee;
- the nature of the relationship between the RSE licensee and the service organisation, including the relevant contractual terms for the activities undertaken by the service organisation; and
- the design and implementation of relevant controls at the RSE licensee that relate to the services provided by the service organisation, including those that are applied to the transactions processed by the service organisation.
67
Where audit evidence over relevant assertions is to be obtained from either a Type 1 or Type 2 service organisation auditor's report under ASA 402, the RSE auditor needs to:
- evaluate the service auditor's professional competence and independence from the service organisation; and
- evaluate the adequacy of the standards under which the Type 1 or 2 service auditor's report is to be/was issued.
68
Where audit evidence relating to controls design, implementation and operating effectiveness is to be obtained from either a Type 1 or Type 2 service organisation auditor's report under ASA 402, the RSE auditor needs to:
- determine whether complementary user entity controls identified by the service organisation are relevant to the RSE licensee; and
- to the extent they are relevant, obtain an understanding of whether the user entity has designed and implemented such controls and, if so, plan to test their operating effectiveness, as appropriate.
Internal Audit
69
SPS 510 requires the RSE to have in place an independent and adequately resourced internal audit function.[16] SPS 510 and APRA Prudential Practice Guide SPG 200 Risk Management set out the requirements and provide guidance to RSEs in relation to internal audit.
70
When the RSE auditor is considering the scope and work involved in assurance engagements under SPS 310, APRA expects the RSE auditor to consider the extent to which the work of the internal audit function is likely to be relevant in the context of the engagement. Auditing Standard ASA 610 Using the Work of Internal Auditors sets out the requirements and provides guidance to the RSE auditor in considering the activities of the internal audit function and evaluating the effect, if any, on audit procedures.
Refer to section 129 of the SIS Act.
Refer to section 129(3A)(b) of the SIS Act.
See ASAE 3100, paragraph 56.
See ASAE 3100, paragraphs 28-29.
See ASA 805, paragraphs 7-8.
See ASRE 2405, paragraphs 26-27.
See ASAE 3100, paragraphs 28-32, 49 and 50.
Under SPS 510, APRA may approve alternative arrangements where APRA is satisfied that they will achieve the same objectives.
Report on Reasonable Assurance Requirements by the RSE Auditor
Reporting Requirements
71
SPS 310 paragraph 19(a) states the RSE auditor’s report at a minimum is required to provide:
- (a) reasonable assurance:
  - (i) on the APRA Annual Returns under the FSCOD Act as outlined in Attachment B to SPS 310; and
  - (ii) on compliance with provisions of the SIS Act, SIS Regulations, Corporations Act, Corporations Regulations, FSCOD Act, and additional conditions imposed under section 29EA of the SIS Act.
Reasonable Assurance on Historical Financial/APRA Annual Returns (ASA 805)
72
In performing the reasonable assurance engagement on the APRA Annual Returns of the RSE, the RSE auditor is required to comply with all Australian Auditing Standards relevant to a reasonable assurance engagement on other historical financial information.
Audit Evidence
73
The RSE auditor obtains sufficient appropriate audit evidence[17] as part of a systematic process, that includes:
- obtaining an understanding of the specified APRA annual returns and individual data items included in these annual returns (subject matter), the intended use of the information included in the annual returns by the intended users, and the prudential requirements applicable to the preparation and submission of the annual returns.
- obtaining an understanding of the RSE licensee’s system of internal control and the compliance function.
- evaluating the controls over the preparation and compilation of the APRA annual returns.
- assessing the risk that information in the APRA annual returns may be materially misstated.
- responding to assessed risks and determining the nature, timing and extent of further evidence gathering procedures.
- performing further evidence gathering procedures clearly linked to the identified risks.
- evaluating the sufficiency and appropriateness of evidence.
74
The RSE auditor exercises professional judgement in determining the nature, timing and extent of reasonable assurance procedures to gather sufficient appropriate evidence on which to base the reasonable assurance opinion.
75
A controls-based assurance approach is often the most appropriate approach to adopt in these circumstances. However, where the RSE auditor determines that a material weakness exists in the RSE licensee's internal controls designed to ensure reliable data is provided to APRA in the APRA Annual Returns, and/or where the RSE auditor makes a determination based on effectiveness and/or efficiency, a substantive approach may be more appropriate.
76
Reasonable assurance procedures for obtaining audit evidence include, but are not limited to, testing of specific controls aimed at ensuring the data in the APRA annual returns is reliable and prepared in accordance with APRA Prudential Standards and Reporting Standards. Reasonable assurance procedures may include observation, inspection, confirmation, recalculation, reperformance, analytical procedures, enquiry, obtaining independent corroborating information, testing of controls over the compilation of the APRA annual returns, testing of controls over the extraction of data from the underlying accounting records (including all relevant year-end adjustments) and obtaining management representations.
Evaluation of Findings
78
In evaluating whether or not the specified data in the APRA annual returns is, in all material respects, reliable and in accordance with the relevant APRA prudential and reporting standards, the RSE auditor exercises professional judgement, having regard to both the users and the intended uses of the information in the APRA annual returns.
79
The magnitude of a misstatement alone is only one factor used to assess the materiality of a misstatement. The RSE auditor evaluates each identified misstatement in the context of information relevant to users of the APRA annual return, by considering qualitative factors and the circumstances in which each misstatement has been made.
80
The RSE auditor may designate an amount below which misstatements need not be aggregated, because the RSE auditor expects that the aggregation of such amounts clearly would not have a material effect on the reported information. In doing so, the RSE auditor needs to consider the fact that the materiality of misstatements involves qualitative as well as quantitative considerations and that misstatements of a relatively small amount could nevertheless have a material effect on the reported information.
81
Where the RSE auditor concludes that information reported by the RSE licensee is not in accordance with the relevant APRA prudential reporting standards, the RSE auditor discusses the matter with management and, depending on how it is resolved, determines whether, and how, to communicate the matter in the auditor's reasonable assurance report.
Reasonable Assurance on Compliance (ASAE 3100 or ASAE 3000)
82
In performing the audit on the compliance requirements as specified above in paragraph 71 and reported under Part 2 - Independent Auditor’s Reasonable Assurance report on APRA Annual Return and Compliance: Part (B) Compliance, the RSE auditor is required to consider the requirements in ASAE 3000 and ASAE 3100.
Audit Evidence
83
In a compliance engagement, evidence may be gathered through enquiry and observation, tests of controls, substantive testing, and representations received from management.[19] The amount of evidence from each source which is assessed by the RSE auditor to constitute sufficient, reliable evidence to reduce compliance engagement risk to an acceptable level is a matter for the RSE auditor’s professional judgement.
84
In a compliance engagement, sufficient appropriate evidence is obtained as part of an iterative, systematic engagement process involving:
- (a) obtaining an understanding of the RSE licensee's business operations and its compliance environment, which includes the key elements of the entity's compliance framework;
- (b) obtaining an understanding of the prudential requirements and other engagement circumstances, which includes obtaining an understanding of internal controls over the preparation of the subject matter, evaluating the design and implementation, and testing the effectiveness, of controls that are relevant to the engagement;
- (c) obtaining an understanding of the internal compliance function, where appropriate, and any relevant testing of compliance controls performed as part of that function during the period, then evaluating the results of this testing, the level of reliance that can be placed on this work and the impact on further control and substantive procedures;
- (d) based on the understanding acquired under (a), (b) and (c), assessing the risks that the RSE licensee may be non-compliant with requirements as specified under Part 2 - Independent Auditor's Reasonable Assurance report on APRA Annual Return and Compliance: Part (B) Compliance;
- (e) responding to assessed risks, including developing overall responses, and determining the nature, timing and extent of further procedures; and
- (f) performing further evidence gathering procedures clearly linked to the identified compliance engagement risks, using a combination of inspection, observation, confirmation, recalculation, reperformance and enquiry. Such further evidence gathering procedures may involve substantive procedures, including obtaining corroborating information from sources independent of the entity, and, depending on the nature of the activity or subject matter, tests of the operating effectiveness of controls.
85
In a compliance engagement the RSE auditor normally performs a combination of evidence gathering procedures that reflect a strategy to obtain planned levels of assurance from testing of the compliance framework, controls testing and substantive testing. It is unlikely that sufficient assurance can be obtained from performing only one type of testing. The type and extent of these procedures will be based on the complexity of the RSE licensee, the nature of the business operations and the initial risk assessment. The types of procedures that may be undertaken are:
- walk-throughs and controls testing in key risk areas;
- substantive testing; and
- enquiries of management and representations.
The results of the above testing are evaluated by the RSE auditor to ensure the evidence gathered is sufficient and appropriate for the purposes of the reasonable assurance engagement.
Evaluation of Findings
86
Where the RSE auditor becomes aware of material deficiencies in the RSE licensee's compliance framework, they assess the impact on the risk of non-compliance with the prudential requirements as specified in Part 2 - Independent Auditor's Report on APRA Annual Return and Compliance: Part (B) Compliance, and the implications for planning and performing the engagement.
87
If the RSE auditor becomes aware of material deficiencies in the compliance framework, for example:
- a limited or inadequate monitoring plan for key compliance controls over the period; and/or
- a lack of staff training and awareness of the need to identify, assess and report compliance breaches,
the RSE auditor needs to consider the following implications:
- an increased risk of non-compliance;
- the amount and type of evidence gathering procedures needed to obtain sufficient appropriate evidence; and
- reporting of material deficiencies to the responsible party and the intended users.
88
The RSE auditor will evaluate any compliance breach with the prudential requirements to determine if the breach is material, and how this may impact on the RSE auditor’s planned engagement approach.
89
The RSE auditor normally considers the following factors in evaluating whether a breach of the compliance requirements by the entity is material:
- size, complexity and nature of the entity's activities;
- nature of the breach – one-off or systemic;
- evidence of a robust compliance framework in place to detect, rectify and report compliance breaches;
- commonly accepted practice within the relevant industry;
- regulatory, legislative or contractual requirements;
- impact on the decisions of the intended users and stakeholders of the entity; and
- specific terms of the compliance engagement.
Format of Reporting Requirements
90
If APRA has an approved form as specified under SPS 310, the auditor’s report must be in the approved form. APRA may under SPS 310 provide approved forms in relation to the reporting requirements under paragraphs 19, 21, 22 and 23 of SPS 310 as well as other requirements as the prudential regulator deems appropriate.
91
Refer to apra.gov.au website (Superannuation/Reporting Framework) for the latest version of the Prudential Standard SPS 310 Audit and Related Matters – Audit Report Form. This form is reviewed and updated annually as required by APRA.
The concepts and discussions on evidence relevant to an audit engagement are contained in Auditing Standard ASA 500 Audit Evidence, and may be helpful in determining the evidence applicable to a compliance engagement.
See ASA 450 Evaluation of Misstatements Identified during the Audit, paragraphs 10 and 11.
The concepts and discussions on evidence relevant to an audit engagement are contained in Auditing Standard ASA 500 Audit Evidence, and may be helpful in determining the evidence applicable to a compliance engagement.
Report on Limited Assurance Requirements by the RSE Auditor
Reporting Requirements
92
SPS 310 paragraph 19(b) states the auditor’s report at a minimum is required to provide:
- (a) limited assurance on:
  - (i) the APRA Annual Returns under the FSCOD Act as outlined in Attachment B to SPS 310;
  - (ii) the RSE licensee's systems, procedures and internal controls that are designed to ensure that the RSE licensee has complied with all applicable prudential requirements, has provided reliable data to APRA as required under the reporting standards prepared under the FSCOD Act, and has operated effectively throughout the year of income;
  - (iii) the RSE licensee's compliance with its risk management framework[20]; and
  - (iv) the RSE licensee's compliance with its ORFR strategy.[21]
Inherent Limitations of Limited Assurance
93
As stated in ASAE 3000, the level of assurance obtained in a limited assurance engagement is lower than in a reasonable assurance engagement; accordingly, the procedures the RSE auditor performs in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement.
94
There are inherent limitations in any internal control structure. Furthermore, fraud, error or non-compliance with laws and regulations may occur and not be detected. As the systems, procedures and controls to ensure compliance with APRA Prudential Requirements are part of the RSE's operations, it is possible that either the inherent limitations of the internal control structure, or weaknesses in it, impact on the effective operation of the RSE's specific control procedures.
95
Projections of any evaluation of internal control procedures to future periods are subject to the risk that control procedures may become inadequate because of changes in conditions after the limited assurance report is signed, or that the degree of compliance may deteriorate.
Limited Assurance on Information under APRA Annual Returns (ASRE 2405)
96
In performing the limited assurance procedures to report on the APRA Annual Returns as specified in paragraph 92(a)(i) and reported under the Independent Auditor’s Limited Assurance Report on APRA Annual Returns and Compliance – Part 3(A) that incorporate historical financial information at a MySuper product level, the RSE auditor needs to consider the requirements in ASRE 2405.
97
The RSE auditor obtains evidence, as part of a systematic process directed by the risk assessment carried out during the planning phase of the engagement. The RSE auditor exercises professional judgement in determining the specific nature, timing and extent of limited assurance procedures to gather evidence on which to base the conclusion.
98
It is most likely the limited assurance procedures will include a review of specific controls aimed at ensuring the data in the APRA Annual Returns is reliable and prepared in accordance with APRA Prudential Standards and Reporting Standards. Limited assurance procedures may include analytical procedures, enquiry, limited testing of controls over the compilation of the APRA Annual Returns, limited testing of controls over the extraction of data from the underlying source systems and obtaining management representations.
99
If the RSE auditor has reason to believe that the historical financial information subject to limited assurance may be materially misstated, the RSE auditor shall carry out additional or more extensive procedures as are considered necessary to be able to express a limited assurance conclusion or to confirm that a modified report is required.
100
The RSE auditor shall evaluate, individually and in the aggregate, whether uncorrected misstatements that have come to the RSE auditor’s attention are material to the historical financial information.
Limited Assurance on Compliance (ASAE 3100 and ASAE 3000)
101
In performing the limited assurance engagement on the compliance requirements as specified in paragraph 92(a)(ii), (iii) and (iv) and reported in the Independent Auditor’s Limited Assurance Report on APRA Annual Return and Compliance - Part 3(B) Compliance - (A),(B),(C) and (D), the RSE auditor is required to consider the requirements in ASAE 3000 and ASAE 3100 and other applicable standards on assurance engagements.
Limited Assurance on Systems, Procedures and Internal Controls (ASAE 3000 and applicable standards on assurance engagements)
Obtaining Evidence Regarding Design of Systems, Procedures and Controls
102
The RSE auditor needs to determine which of the systems, procedures and controls at the RSE licensee are necessary to achieve the control objectives relating to compliance with all applicable prudential requirements, reliable data under the FSCOD Act and operating effectiveness throughout the period; whether those controls are presented in the RSE licensee's description of its reporting system or identified by the RSE auditor; and whether those controls were suitably designed. This determination is likely to include:
- identifying the risks that threaten the achievement of the identified control objectives; and
- evaluating whether the controls as designed would be sufficient to mitigate those risks when operating effectively, in all material respects.
103
When evaluating the suitability of the design of a control, the RSE auditor considers the general understanding of the control activities as well as other components of control not within the scope of the engagement, such as knowledge of the control environment and information system, gained when planning the engagement. A deficiency in the control environment could undermine the effectiveness of controls, and this needs to be considered in assessing the suitability of the design of those controls.
Assessment of Design Deficiencies
104
Where the RSE auditor is unable to identify suitable controls, or the controls as designed would not be suitable to achieve a control objective even if operating effectively, this may constitute a deficiency in relation to the suitability of design.
Obtaining Evidence of Operating Effectiveness of Controls
105
In a limited assurance engagement the nature, timing and extent of tests of operating effectiveness are usually limited to discussion with entity personnel and observation of the system in operation for deviations from the specified design. This may involve observation of, and enquiring about, the operation of the controls for a small number of transactions or events.
106
The RSE auditor applies professional judgement in determining the specific nature, timing and extent of procedures to be conducted in a limited assurance engagement, which will depend on the assessed risks of significant deficiencies in the operating effectiveness of controls. If the RSE auditor determines that additional assurance procedures are required to dispel or confirm a suspicion that a significant control deficiency exists, the performance of such additional procedures does not convert the engagement to a reasonable assurance engagement as they relate to the reduction of risk to an acceptable level with respect to that matter alone.
107
When designing and performing tests of controls, the RSE auditor considers whether:
- performing other procedures in combination with enquiry is necessary to obtain evidence about:
  - how the control was applied;
  - the consistency with which the control was applied;
  - by whom or by what means the control was applied; and
  - the period of time over which the controls were applied; and
- controls to be tested depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those indirect controls.
108
When determining the extent of tests of controls, the RSE auditor considers matters including the characteristics of the population to be tested, which includes the nature of controls, the frequency of their application (for example, monthly, daily, a number of times per day), and the expected rate of deviation. Some procedures operate continuously while others operate only at particular times, for example, year-end close-off procedures. The tests of operating effectiveness need to be performed over a period of time that is adequate to determine that the control procedures are operating effectively over the period of intended reliance.
109
Where control procedures have changed during the period subject to examination, the RSE auditor tests the operating effectiveness of both the superseded control(s) and the new control(s) and considers whether the new controls have been in place for a sufficient period to assess their effectiveness.
110
The RSE auditor generally adopts a ‘top down’ approach in gathering evidence, by making enquiries of key personnel, observing the RSE licensee’s operations, performing ‘walk through’ tests of controls, obtaining written representations and inspecting relevant documentation, as appropriate, in order to achieve the following:
- obtaining an understanding of the RSE licensee’s overall control environment and compliance framework.
- ascertaining whether the person(s) performing the control(s) possesses the necessary authority and competence to perform the control(s) effectively.
- identifying the internal compliance function(s) designed to ensure compliance with all applicable prudential requirements.
- identifying policies, procedures and controls designed to ensure compliance with all applicable Prudential Requirements, by reviewing documents such as the RSE licensee’s RMF, RMS and similar risk management policy documents issued by the RSE licensee in accordance with applicable prudential standards.
- identifying the processes used by the Board of the RSE licensee to support its Risk Management Declaration to APRA as outlined in SPS 220.
- identifying key Board and operational matters by reviewing the minutes of the RSE licensee's Board, as well as minutes of any sub-committees responsible, for example, for oversight of compliance and audit, held during the year, and enquiring about matters discussed and outcomes from the RSE licensee's Board decisions.
- identifying the internal compliance functions designed to oversee the provision of data to APRA in the RSE licensee’s APRA Annual Returns.
- identifying significant processes for the preparation of the RSE licensee’s APRA Annual Returns.
- identifying the key controls over these significant processes that are designed to ensure that reliable data is provided to APRA in the RSE licensee’s APRA Annual Returns.
The above is not an exhaustive list, nor is it intended to direct the RSE auditor as to the conclusion over the RSE licensee’s internal controls.
111
RSE licensees have different systems and procedures in place to monitor compliance with specific prudential standards. Financial projections and estimates are likely to be part of the monitoring process, as the preparation of a full financial report is unlikely to be practical on a day-by-day or week-by-week basis. Varying degrees of precision may therefore exist in applying the monitoring process. Notwithstanding these differences, such systems seek to ensure that the RSE licensee complies with all prudential standards on a continuous basis.
112
The way in which internal control is designed and implemented varies with an RSE licensee's size and complexity. Smaller RSE licensees may use less formal means and simpler processes to achieve their control objectives.
113
The RSE auditor gathers evidence in response to assessed risks with a focus on identifying key controls within the control systems design. The RSE auditor exercises professional judgement in determining the specific nature, timing and extent of limited assurance procedures to obtain sufficient appropriate evidence to reach a limited assurance conclusion.
114
Interpretation of the word 'reliable' in the context of limited assurance on controls over the RSE licensee's APRA Annual Returns has practical limitations in some circumstances. For many RSE licensees, it is only at the financial year-end (or, for RSE licensees that are disclosing entities, also at the half year-end) that all the necessary accounting adjustments, such as accruals, prepayments, provisioning and valuations, are prepared and subjected to audit or review.
115
The RSE auditor enquires about whether there were any changes in internal control, or other matters, subsequent to the financial year-end date and up to the date of the RSE auditor's assurance report, that may have an impact on the RSE auditor's conclusion about the effectiveness of internal controls, and obtains written representations from management relating to such matters.
Nature and Cause of Deviations in Operating Effectiveness
116
The RSE auditor investigates the nature and cause of any deviations from the design identified in the operation of the controls and determines whether:
- identified deviations are within the expected rate of deviation and are acceptable; therefore, the testing that has been performed provides an appropriate basis for concluding that the control is operating effectively throughout the specified period;
- additional testing of the control or of other controls is necessary to reach a conclusion on whether the controls relative to a particular control objective are operating effectively throughout the specified period; or
- the testing that has been performed provides an appropriate basis for concluding that the control did not operate effectively throughout the specified period.
Limited Assurance on RMF (SPS 220)
117
The objective of the RSE auditor’s limited assurance engagement on the RSE licensee’s compliance with its RMF is to conclude whether the RSE licensee has complied substantially with the systems, structures, policies, processes and controls documented in the RMF, which are intended to identify, assess, manage, mitigate and monitor material risks that may affect the RSE licensee’s ability to meet its obligations to beneficiaries, for the period covered by the engagement. There is no expectation that the RSE auditor expresses assurance on the adequacy of the specific controls of the RMF.
118
The RSE auditor’s limited assurance engagement on the compliance with the RMF may include the following procedures:
- Obtaining an understanding of the RMF and the process to identify material risks.
- Reviewing the RMF to determine at a high level whether it is broadly consistent with the minimum components outlined in SPS 220 and with the minimum material risk requirements as outlined in SPS 220.
- Reviewing the evidence to support the RSE licensee’s maintenance of adequate financial, human and technical resources as outlined in SPS 220.
- Reviewing the relevant risk appetite statement and RMS to confirm that they are up to date and approved by the RSE licensee Board.
- Reviewing the processes (including monitoring and reporting procedures) the RSE licensee has in place to ensure ongoing compliance with the RMF and RMS. Reference to work performed on the RSE licensee’s systems, procedures and controls to ensure compliance with prudential requirements may be useful in this circumstance.
- Reviewing the evidence supporting the RSE licensee’s attestation in the Risk Management Declaration in relation to compliance with the RMF and RMS.
119
The RSE auditor may consider the measures in place which relate to the RSE licensee’s monitoring of, and reporting on, specific matters incorporated into the RMF. Such a review may include the following matters:
- Whether breaches of the RMF have been detected and reported by the monitoring systems. When breaches have been detected, whether such breaches are significant either in themselves or, when they are of a recurring nature and have not been rectified, whether their cumulative effect renders them a significant non-compliance matter.
- Identifying the systems the RSE licensee uses to ensure that business units and staff comply with the measures in the RMF on a day-to-day basis.
120
As part of the limited assurance engagement on compliance with the RMF, the RSE auditor may seek the following types of information and documentation:
- Copies of the RMF documents that set out the RSE licensee’s RMF during the period.
- Details of changes to the RMF and the RMS and related policies and procedures and the reasons for the revisions.
- Copies of the risk appetite statement and RMS that applied during the period covered by the engagement.
- Copies of the comprehensive review report of the RMF performed at least every three years by an operationally independent competent person.
- Copies of the RSE licensee’s attestation in the Risk Management Declaration in relation to compliance with the RMF and RMS and any supporting evidence.
- Documentation that identifies and describes the systems, policies, procedures and structures that are in place to manage identified risks and representations that such systems, policies, procedures and structures have been complied with during the period.
- Minutes of the meetings of TCWG and sub-committees responsible for monitoring compliance with aspects of the RMF and the RMS.
- Internal and external incident and breach reports, breach and complaints registers and follow-up action taken, to the extent that recorded items may indicate a failure to comply with the RMF and the RMS.
- Internal audit reports.
- Certifications made by the RSE licensee and relevant supporting documentation to substantiate compliance with the RMF and the RMS during the reporting period.
- Other supporting evidence to confirm that the controls identified in the RMF and the RMS have been in place during the reporting period.
The above is not meant to represent an exhaustive list and there may be other evidence that is relevant to the specific circumstances of each RSE licensee.
121
There are practical limitations in requiring the RSE auditor to express a conclusion as to the RSE licensee’s compliance at all times with the RMF during the engagement period. However, the RSE auditor performs limited assurance procedures to the extent that the RSE auditor considers appropriate in order to obtain sufficient appropriate evidence as to the RSE licensee’s compliance with the written descriptions within the RMF and the RMS throughout the period covered by the engagement.
122
While the RSE auditor is not expected to review the adequacy of the RMF and the RMS, during the course of the limited assurance engagement the RSE auditor may become aware of significant deficiencies in the RMF and the RMS, which the RSE auditor reports to an appropriate level of the RSE licensee’s management.
Limited Assurance on Operational Risk Financial Requirement (ORFR) Strategy (SPS 114)
123
The objective of the RSE auditor’s limited assurance engagement on the RSE licensee’s ORFR strategy is to ascertain whether the RSE licensee has complied with the policies, procedures and strategy contained within the ORFR strategy. There is no expectation that the RSE auditor expresses assurance on the adequacy of the specific contents of the ORFR strategy.
124
The RSE auditor’s limited assurance engagement on the compliance with the ORFR strategy may include the following procedures:
- Reviewing the ORFR strategy to determine at a high level whether it is broadly consistent with the minimum components as outlined in SPS 114.
- Obtaining an understanding of the ORFR target amount and the process to identify operational risks within the RSE licensee’s business operations.
- Reviewing the documented strategy that sets out the RSE licensee’s approach to determining, implementing, managing, monitoring and maintaining the ORFR target amount and in turn observing adherence to this approach. Reference to work already performed on the RSE licensee’s compliance with maintaining an operational risk reserve at the required target amount in accordance with its ORFR strategy may be useful in this circumstance.
- Reviewing the policies, procedures and controls in place to manage the financial resources held to meet the ORFR target amount and to ensure it remains at an appropriate level and is invested and deployed in accordance with the documented strategy.
- Reviewing the evidence supporting the RSE licensee’s attestation in the Risk Management Declaration in relation to compliance with all prudential requirements.
125
As part of the limited assurance engagement on compliance with the ORFR strategy, the RSE auditor may seek the following types of information and documentation:
- Copies of the ORFR strategy document that applied during the period covered by the engagement.
- Details of changes to the ORFR strategy and related policies and procedures and the reasons for the revisions.
- Minutes of the meetings of TCWG and sub-committees responsible for monitoring compliance with the ORFR strategy.
- Internal and external breach reports, breach registers and follow-up action taken, to the extent that recorded items may indicate a failure to comply with the ORFR strategy target amount and the need to implement a replenishment plan.
- Copies of the RSE licensee’s attestation in the Risk Management Declaration in relation to compliance with all prudential requirements and any supporting evidence.
The above is not meant to represent an exhaustive list and there may be other evidence that is relevant to the specific circumstances of each RSE licensee.
126
While the RSE auditor is not expected to review the adequacy of the ORFR (or target amount), during the course of the limited assurance engagement the RSE auditor may become aware of significant deficiencies in the ORFR target amount or in the policies, procedures and controls over the ORFR strategy, which the RSE auditor reports to an appropriate level of the RSE licensee’s management.
Format of Reporting Requirements
127
If APRA has an approved form as specified under SPS 310, the RSE auditor’s limited assurance report must be in the approved form. APRA may under SPS 310 provide approved forms in relation to the reporting requirements under paragraphs 19, 21, 22 and 23 of SPS 310 as well as other requirements as the prudential regulator deems appropriate.
128
Refer to the apra.gov.au website (Superannuation/Reporting Framework) for the latest version of the Prudential Standard SPS 310 Audit and Related Matters – Audit Report Form. This form is reviewed and updated annually as required by APRA.
Refer to Prudential Standard SPS 220 Risk Management for the requirement for the RSE licensee to have a risk management framework.
Refer to Prudential Standard SPS 114 Operational Risk Financial Requirement for the requirement for the RSE licensee to have an ORFR strategy.
Written Representations
129
Prior to issuing the APRA Approved Form audit and review reports on the Annual Returns and Compliance, the RSE auditor obtains written representations, as are considered appropriate to matters specific to the RSE licensee, from the party responsible[22] for the RSE licensee.
[22] Management and, where appropriate, those charged with governance of the RSE licensee.
Communication
131
It is the responsibility of the RSE auditor to make the RSE licensee aware, as soon as practicable, of any identified material misstatements in the RSE licensee’s APRA Annual Returns, material deficiencies in internal controls and instances of material non-compliance arising from the prudential reporting engagement.
132
Such communications are made as soon as practicable, either orally or in writing. The RSE auditor’s decision whether to communicate orally or in writing ordinarily is affected by factors such as the nature, sensitivity and significance of the matter to be communicated and the timing of the communications. If the information is communicated orally, the RSE auditor needs to document the communication.
133
When, in the RSE auditor’s judgement, TCWG do not respond appropriately within a reasonable period of time, the RSE auditor considers whether to modify the RSE auditor’s approved form report.
134
It is important that the RSE auditor understands the additional statutory responsibilities to report certain matters to APRA under the SIS Act. Failure to notify APRA as required represents a criminal offence, which attracts criminal penalties.
135
Material findings (misstatements, control deficiencies and non-compliance) are reported to APRA and the RSE licensee’s Board (or Board Audit Committee) as modifications to the RSE auditor’s approved form report.
136
Under Auditing Standard ASA 260 Communication with Those Charged With Governance (ASA 260), ASA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management (ASA 265) and ASAE 3000, the RSE auditor communicates relevant matters of governance interest arising from the engagement to TCWG on a timely basis. Examples of such matters may include:
- The general approach and overall scope of the engagement, or any additional requirements.
- Fraud or information that indicates that fraud may exist.
- Significant deficiencies in internal controls identified during the engagement. A significant deficiency in internal control means a deficiency, or combination of deficiencies, in internal control that, in the RSE auditor’s professional judgement, is of sufficient importance to merit the attention of TCWG.
- Disagreements with management about matters that, individually or in aggregate, could be significant to the engagement.
- Expected modifications to the RSE auditor’s approved form report.
137
The RSE auditor informs TCWG of the RSE licensee of those uncorrected misstatements, other than clearly trivial amounts, aggregated by the RSE auditor during and pertaining to the engagement that were considered to be immaterial, both individually and in the aggregate, to the assurance engagement.
Special Purpose Engagements
Terms of Engagement
138
APRA may require the RSE licensee, by notice in writing, to appoint an auditor, who may be the existing RSE auditor or another auditor, as specified in APRA’s notice, to provide a report on a particular aspect of the RSE licensee’s business operations, prudential requirements or the risk management framework.
139
Following the determination by APRA of the specific area to be examined, the RSE auditor, APRA and the RSE licensee agree on the terms of the engagement in accordance with the requirements of applicable AUASB Standards. These arrangements are legally binding and include the required terms of engagement specified in SPS 310.
140
The RSE auditor accepts the engagement only when the RSE auditor is satisfied that the RSE auditor and the engagement team, if applicable, have met the relevant ethical requirements relating to the assurance engagement. The concept of independence is important to the RSE auditor’s compliance with the fundamental ethical principles of integrity and objectivity, and the RSE auditor must be able to meet the independence requirements stipulated under both SPS 510 and ASA 102 Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assurance Engagements.
141
An engagement letter (or other suitable form) helps to avoid misunderstandings with respect to the engagement and confirms both the RSE licensee’s and the RSE auditor’s understanding of the terms of the engagement, and the RSE auditor’s acceptance of the appointment. Both parties sign the engagement letter to acknowledge that it is a legally binding contract.
142
To ensure that there is a clear understanding regarding the terms of the engagement, the following are examples of matters to be agreed:
- APRA is to identify the scope of the RSE licensee’s business operations, risk management framework or prudential requirements to be the subject of the engagement.
- The RSE auditor, APRA and the RSE licensee are to agree on the objectives of the engagement, key features and criteria of the area(s) to be examined, and the period to be covered by the engagement.
- APRA is to identify clearly the level of assurance required, that is, limited or reasonable assurance.
- The format of reports required (for example, long and/or short form reports) and other communication of results of the engagement.
- Responsibility of TCWG for the subject matter of the engagement.
- Understanding of the inherent limitations of an assurance engagement.
Reporting Requirements
143
The RSE auditor appointed for a special purpose engagement under SPS 310 must provide limited assurance on the matters upon which the RSE auditor is required to report unless otherwise determined by APRA and advised to the RSE licensee in writing.
144
The RSE auditor appointed for a special purpose engagement must submit, within three months of the date of the notice commissioning the report, the RSE auditor’s report simultaneously to APRA and to the Board of the RSE licensee, unless otherwise determined by APRA.
Format of Reporting Requirements
145
The format of the special purpose assurance report may vary depending on the type of engagement: that is, reasonable or limited assurance, as well as the subject matter and the findings. The RSE auditor has regard to the requirements, guidance and illustrative examples of reports provided in relevant AUASB Standards – Auditing Standards, ASREs and ASAEs, as applicable, when preparing the special purpose assurance report.
146
AUASB Standards do not require a standardised format for special purpose reporting under SPS 310. Instead, these Standards identify the basic elements to be included in the RSE auditor’s report. Ordinarily, the RSE auditor adopts a long form style of reporting, and the report may include a description of the terms of the engagement, the materiality considerations applied, the assurance approach and an Other Matter paragraph, which may include findings relating to particular aspects of the engagement and, in some cases, recommendations.
147
The RSE auditor’s assurance report is to be restricted to the parties that have agreed to the terms of the special purpose engagement, namely the RSE licensee and APRA, as well as other parties with whom APRA is lawfully entitled to share the information, by means of an emphasis of matter paragraph required by ASA 706 Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report.
Transitional Arrangements
Period for submitting auditor’s reports and transitional arrangements
148
The RSE auditor must ensure they provide the auditor’s report to the Board of the RSE licensee within sufficient time to enable the RSE licensee to submit the auditor’s report to APRA as follows:
- for years of income ending on or after 1 July 2013 but before 1 July 2015: within four months after the end of the year of income to which the report relates; and
- for years of income ending on or after 1 July 2015: within three months after the end of the year of income to which the report relates.
Other Reporting Responsibilities
149
The RSE auditor also has certain obligations and responsibilities under section 129 of the SIS Act to report a contravention of the SIS Act or the regulations to the RSE licensee and APRA that may have occurred, may be occurring, or may occur, in relation to the RSE licensee that is of such a nature that it may affect the interests of members or beneficiaries of the entity. The RSE auditor must immediately inform the trustee and APRA about the matter in writing, unless the RSE auditor has reasonably concluded that the RSE licensee has already appropriately communicated the contravention to the trustee and APRA.
150
The RSE auditor also has certain obligations and responsibilities under section 130 of the SIS Act in relation to the RSE licensee’s solvency and when the RSE auditor must inform APRA and the trustee of the RSE licensee about such matters.
151
Whilst conducting the audit of an RSE and its associated RSE licensee, the RSE auditor may have other regulatory obligations that stem from the RSE licensee’s other financial services regulatory requirements. The RSE auditor should ensure there is a knowledgeable and co-ordinated approach taken in respect of these requirements. Examples of other obligations might include Managed Investment Scheme compliance plan or Australian Financial Services Licence obligations.