GS 004

Audit Implications of Prudential Reporting Requirements for General Insurers and Insurance Groups

Approval Date: 16 May 2013

Operative Date: This Guidance Statement is operative for financial reporting periods beginning on or after 1 May 2013.

This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to the Appointed Auditor of a general insurer and the Group Auditor of a Level 2 insurance group in reporting, pursuant to the prudential reporting requirements specified by the Australian Prudential Regulation Authority (APRA) in Prudential Standard GPS 310 Audit and Related Matters.

Preamble

Includes: Preface, Authority Statement

Preface

How this Guidance Statement is to be used

This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB), to provide guidance to the Appointed Auditor of a general insurer and the Group Auditor of a Level 2 insurance group, reporting in accordance with the prudential reporting requirements specified by the Australian Prudential Regulation Authority (APRA) in its Prudential Standard GPS 310 Audit and Related Matters (GPS 310).

This Guidance Statement is to be read in conjunction with, and is not a substitute for referring to, the requirements contained in:

  1. GPS 310 and other applicable APRA Prudential Requirements, including the Insurance Act 1973 (the Act), the Financial Sector (Collection of Data) Act 2001 (FSCODA), and APRA Prudential and Reporting Standards;
  2. applicable AUASB Standards; and
  3. relevant ethical and professional standards.

This Guidance Statement does not extend the responsibilities of an Appointed Auditor of a general insurer and the Group Auditor of a Level 2 insurance group beyond those which are imposed by the Act, the FSCODA, APRA Prudential and Reporting Standards, AUASB Standards and other applicable legislation. 

It is not the intention of this Guidance Statement to provide step‑by‑step guidance in relation to the conduct of a prudential reporting engagement and it is not to be used as a checklist of all issues to be considered by the Appointed Auditor or Group Auditor.

It is not intended that this Guidance Statement limits or replaces the Appointed Auditor or Group Auditor’s professional judgement and initiative, or limits the application of relevant AUASB Standards.  AUASB Standards contain the requirements to be applied by the auditor when performing reasonable assurance (audit) and limited assurance (review) engagements.  Audit and review programs for each engagement are to be designed to meet the requirements of the particular situation, giving careful consideration to the size and type of general insurer and/or insurance group and the adequacy of its internal controls.

Structure of the Guidance Statement

This Guidance Statement includes reference to prudential reporting requirements for general insurers (insurer) and Level 2 insurance groups (insurance groups) and their auditors as specified by APRA.

Certain prudential reporting requirements are common to both the Appointed Auditor of a general insurer and the Group Auditor of an insurance group as described in paragraph 5 of this guidance statement.  Where such common requirements exist, the guidance in this guidance statement applies to both types of entities and their auditors.

Instances where the prudential reporting requirements are unique to either the Appointed Auditor of the general insurer or the Group Auditor of the insurance group are described separately under the subheadings “Appointed Auditor” and “Group Auditor”, or in a new section of the guidance, such as “Report on Review of Group Annual Accounts by the Group Auditor”.

The definitions of a general insurer and an insurance group are provided in paragraph 9 of this guidance statement.  For the purposes of this guidance statement, a Level 2 insurance group will be referred to as an “insurance group”.

Authority Statement

The Auditing and Assurance Standards Board (AUASB) formulates Guidance Statement GS 004 Audit Implications of Prudential Reporting Requirements for General Insurers, pursuant to section 227B of the Australian Securities and Investments Commission Act 2001, for the purposes of providing guidance on auditing and assurance matters.

 

This Guidance Statement provides guidance to assist the auditor to fulfil the objectives of the audit or assurance engagement.  It includes explanatory material on specific matters for the purposes of understanding and complying with AUASB Standards.  The auditor exercises professional judgement when using this Guidance Statement.

 

The Guidance Statement does not prescribe or create new requirements.

Application

1

This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to the Appointed Auditor of a general insurer and the Group Auditor of a Level 2 insurance group[1] in reporting, pursuant to the prudential reporting requirements specified by the Australian Prudential Regulation Authority (APRA) in Prudential Standard GPS 310 Audit and Related Matters.

2

APRA Prudential Standard GPS 310 Audit and Related Matters applies to general insurers and insurance groups from 1 January 2013.

1

The terms Appointed Auditor, Group Auditor, general insurer and Level 2 insurance group are all defined by APRA in GPS 001 Definitions.

Issuance Date

3

This Guidance Statement is issued on 16 May 2013 by the AUASB and replaces GS 004 Audit Implications of Prudential Reporting Requirements for General Insurers, issued in October 2007.

Introduction

APRA Prudential Standards

4

The primary objective of general insurance Prudential Requirements is the protection of the interests of policyholders and prospective policyholders. This Guidance Statement acknowledges that the auditor of an insurer and an insurance group has an important role to play in the prudential supervision process.

5

Reporting requirements imposed on the Appointed Auditor of a general insurer and the Group Auditor of the insurance group by APRA are in addition to the audit and review of financial reports required under the Corporations Act 2001. Section 49 of the Insurance Act 1973 (the Act), in conjunction with APRA Prudential Standard GPS 310 Audit and Related Matters (reissued in January 2013), includes the following additional requirements of the Appointed Auditor and Group Auditor:

  1. Appointed Auditor
    1. an audit (reasonable assurance) of the insurer’s yearly statutory accounts;
    2. a review (limited assurance), on an annual basis, of the insurer’s systems, procedures and controls designed to address compliance with all applicable Prudential Requirements and to enable the insurer to report reliable financial and statistical information to APRA;
    3. a review (limited assurance), on an annual basis, of the insurer’s compliance, in all significant respects, with its Risk Management Strategy (RMS) and Reinsurance Management Strategy (REMS);
    4. a special purpose engagement (which may be an audit, review or agreed upon procedures), where requested by APRA in writing, of specific matters relating to the insurer’s operations, risk management or financial affairs; and
    5. non routine reporting under sections 49, 49A and 49B of the Act, where APRA requests specific information, or where the auditor possesses reportable information specified in that Act or where the auditor considers that the provision of information would assist APRA in performing its functions under the Act.
  2. Group Auditor
    1. a review (limited assurance) of the annual accounts of the group;
    2. a review (limited assurance), on an annual basis, of the group’s systems, procedures and controls designed to address compliance with all applicable Prudential Requirements and to enable the group to report reliable financial and statistical information to APRA;
    3. a review (limited assurance), on an annual basis, of the group’s compliance, in all significant respects, with its Risk Management Strategy (RMS) and Reinsurance Management Strategy (REMS);
    4. a special purpose engagement (which may be an audit, review or agreed upon procedures), where requested by APRA in writing, of specific matters relating to the group’s operations, risk management or financial affairs; and
    5. non routine reporting under sections 49, 49A and 49B of the Act, where APRA requests specific information, or where the group auditor possesses reportable information specified in that Act or where the Group Auditor considers that the provision of information would assist APRA in performing its functions under the Act.

6

Previously, GPS 310 dealt only with prudential requirements for general insurers and their appointed auditors. Prudential Standard GPS 311, issued in December 2011, dealt separately with the requirements for insurance groups and their group auditors. The reissued GPS 310 now incorporates the prudential requirements in relation to the insurance group and the group auditor.

Guidance Statement GS 004

7

This Guidance Statement has been developed to assist the Appointed Auditor of a general insurer and the Group Auditor of an insurance group in reporting, pursuant to the prudential reporting requirements specified by APRA and not in relation to reporting on the audit of the financial report of an insurer or insurance group, for which mandatory requirements and explanatory guidance are provided in Auditing Standard ASA 700 Forming an Opinion and Reporting on a Financial Report.

8

This Guidance Statement is to be read in conjunction with Standard on Assurance Engagements ASAE 3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information, Auditing Standard ASA 800 Special Considerations-Audits of Financial Reports Prepared in Accordance with Special Purpose Frameworks, and relevant APRA Prudential requirements and best practice guidance in this area.

Definitions

9

For the purposes of this Guidance Statement, the following items have the meanings attributed below:

9(a)

Annual Accounts of an insurance group refers to accounts constituting reporting documents required to be prepared by the parent entity of the group in compliance with reporting standards made under the Financial Sector (Collection of Data) Act 2001.

9(b)

Appointed Auditor means an auditor appointed under paragraph 39(1)(a) of the Insurance Act 1973 (the Act).

9(c)

General insurer means, under section 11 of the Insurance Act 1973 (the Act) as amended, a body corporate that is authorised in writing by APRA, under section 12 of the Act, to carry on general insurance business in Australia. The term ‘general insurer’ (insurer) includes a foreign general insurer (foreign insurer) as defined in subsection 3(1) of the Act[2].

9(d)

Group Auditor of a Level 2 insurance group, under GPS 310, must be one of the following persons:

  1. the Appointed Auditor of the parent entity where the parent entity is an insurer;
  2. the Appointed Auditor of an APRA authorised insurer within the group; or
  3. a responsible auditor of the parent entity where the parent entity is an authorised Non-Operating Holding Company (NOHC).

9(e)

Level 2 insurance group (insurance group), under Prudential Standard GPS 001 Definitions[3] is:

  1. where there is no authorised NOHC and an insurer has controlled entities, the consolidation of the insurer and its controlled entities; or
  2. where there is an authorised NOHC, the consolidation of the authorised NOHC and its controlled entities; or
  3. where there is no authorised NOHC and an insurer does not have controlled entities, the consolidation of the insurer and any entity that meets the following criteria:
    • the entity is subject to control by an entity or group of related entities that are the same or very similar to the entity or group of related entities that control the insurer; and
    • the entity conducts insurance business or business related to insurance business; and
    • APRA determines, in writing, that the entity is to be consolidated.

 

However, APRA may, in writing, determine that a group that meets subparagraph (i) or (ii) is not to be treated as a Level 2 insurance group.

9(f)

Parent Entity of a Level 2 insurance group, under GPS 310 is:

  1. where the Level 2 insurance group is headed by an authorised NOHC, the authorised NOHC; and
  2. where the Level 2 insurance group is headed by an insurer, the insurer.

 

APRA may, in writing, determine that a different entity within a Level 2 insurance group (which must be an insurer, authorised NOHC or a subsidiary of an insurer or authorised NOHC) is the parent entity of that group.

9(g)

Yearly Statutory Accounts, in relation to a body corporate, means the reporting documents[4] that the body corporate is required to lodge with APRA in respect of a financial year, under section 13 of the Financial Sector (Collection of Data) Act 2001 (FSCODA Act 2001).

2

Reference to insurer hereafter includes also a foreign insurer, unless specified otherwise.

3

Refer Attachment D to Prudential Standard GPS 001 Definitions for further explanation of the definition of Level 2 insurance group.

4

Refer to FSCODA Act 2001, section 13 for definition of reporting documents.

Trilateral Relationship

10

Periodic APRA liaison with the Appointed or Group Auditor will be conducted normally under trilateral arrangements involving APRA, the insurer or insurance group and the Appointed or Group Auditor. Under GPS 310, any one of these parties may initiate meetings or discussions at any time, when considered necessary.

11

However, notwithstanding the trilateral relationship, in exceptional circumstances, such as that required under the statutory obligations imposed by sections 49, 49A and 49B of the Act, an insurer’s Appointed Auditor or Group Auditor and APRA may engage with each other on a bilateral basis where either party considers this to be necessary (refer paragraphs 122-131). APRA may communicate with the Appointed Auditor or Group Auditor on a bilateral basis to obtain or discuss information for whatever reason(s) it considers appropriate.

12

The continual development of the trilateral arrangements assists in achieving:

  1. greater clarity of expectations by APRA of the Appointed or Group Auditor;
  2. more meaningful contribution to the prudential supervisory process through special purpose engagements (refer paragraphs 109-121) undertaken by the Appointed or Group Auditor in accordance with instructions from the insurer to meet the requirements of APRA; and
  3. improved value added feedback to insurer management in areas such as the RMS and the REMS and systems to implement insurer strategies.

APRA Prudential Requirements

13

The Act provides for the prudential supervision of insurers by APRA, the national prudential regulator created on 1 July 1998[5].

14

APRA formulates, promulgates and enforces prudential policy and practice applicable to insurers and insurance groups. It does this through General Insurance Prudential Standards (GPSs), which have the force of law. Non-enforceable best practice guidance in relation to prudential matters is contained in Prudential Practice Guides (GPGs).

15

Without limiting the role of the Prudential Standards in their entirety, the Prudential Standard of most relevance to the auditor of an insurer and/or insurance group is GPS 310.

16

Under GPS 001, the term ‘Prudential Requirements’[6] includes requirements imposed by:

  1. the Act;
  2. Insurance Regulations 2002;
  3. APRA Prudential Standards;
  4. Financial Sector (Collection of Data) Act 2001 (the Collection of Data Act);
  5. APRA Reporting Standards (made under the Collection of Data Act);
  6. APRA conditions on the insurer’s authorisation;
  7. Directions issued by APRA pursuant to the Act; and
  8. Any other requirements imposed by APRA in writing[7].

 

Access to the Prudential Standards, Practice Guides and legislation relevant to insurers is available through APRA’s website (http://www.apra.gov.au).

5

Australian Prudential Regulation Authority Act 1998.

6

These requirements may differ between locally incorporated and foreign insurers.

7

In relation to the Prudential Review Report, the auditor will report on the Prudential Requirements specified in writing by APRA of which the auditor is aware. Also refer to paragraphs 18 and 89.

Obligations of the Insurer and the Insurance Group

Includes: Lodgement of Auditor’s Reports, Responsibility to Keep Auditor Informed, RMS and REMS Documents, Risk Management and Financial Information Declarations

Lodgement of Auditor’s Reports

17

Under section 49L of the Act, an insurer and parent entity of an insurance group are required to submit to APRA all certificates and reports required to be prepared by their Appointed or Group Auditor in accordance with the Prudential Requirements and within the time specified in GPS 310.

Responsibility to Keep Auditor Informed

18

Under section 49J of the Act, an insurer and parent entity of an insurance group are required to make arrangements necessary to enable the Appointed or Group Auditor to undertake the audit function as required by the Act and Prudential Standards made under the Act. Under GPS 310, these arrangements include ensuring that the Appointed or Group Auditor is kept fully informed of all APRA Prudential Requirements applicable to the insurer and/or insurance group.

19

Under GPS 310, the insurer and parent entity of the insurance group are furthermore required to ensure that the auditor has access to all relevant data, information, reports and staff of the insurer or insurance group, that the auditor reasonably believes is necessary to fulfil their responsibilities. This includes access to those charged with governance[8] of the insurer and insurance group and to the Board Audit Committee.

20

In particular, the insurer and insurance group are required to provide the auditor with access to their Risk Management Strategy (RMS) and Reinsurance Management Strategy (REMS) documents, as discussed below, approved by those charged with governance and forwarded to APRA by the insurer and insurance group, including information relating to the timing of their supply to APRA and any changes in the documents.

21

In relation to the insurer’s or insurance group’s responsibility to keep the Appointed or Group Auditor informed, the Appointed or Group Auditor requests management of the insurer and/or insurance group to sign an appropriate representation letter[9].

RMS and REMS Documents

22

Prudential Standard GPS 220 Risk Management (GPS 220) requires an insurer and the insurance group to have in place a Risk Management Framework (RMF) to manage the risks arising from its business. Prudential Standard GPS 230 Reinsurance Management (GPS 230) requires an insurer and the insurance group to have in place, as part of their overall RMF, a Reinsurance Management Framework (REMF) to manage the risks arising from their reinsurance arrangements. There must be a clear link between the insurer’s and the insurance group’s REMF (including its REMS) and the insurer’s or group’s RMF.

23

The RMS is a high level, strategic document intended to describe the key elements of an insurer’s and insurance group’s RMF, including the insurer’s risk appetite, policies, procedures, managerial responsibilities and controls to identify, assess, monitor, report on and mitigate all material risks, financial and nonfinancial, having regard to such factors as the size, business mix and complexity of the insurer’s operations. Appendix 6 of this Guidance Statement includes a list of some of the key aspects to be included in an insurer’s and/or the insurance group’s RMS[10].

24

The REMS is a high level, strategic document intended to describe the key elements of the insurer’s REMF, including policies, procedures, management responsibilities and controls to manage the selection, implementation, monitoring, review, amendment and documentation of reinsurance arrangements of the insurer or the insurance group. Appendix 6 of this Guidance Statement includes a list of some of the key aspects to be included in an insurer’s and the insurance group’s REMS.

Risk Management and Financial Information Declarations

25

Under GPS 220, an insurer or parent entity of the insurance group is required to submit to APRA, at the same time as lodgement of the yearly statutory accounts or group annual accounts, a declaration on risk management and on financial information. These Declarations include statements by the insurer or the insurance group on: the reliability of financial information lodged with APRA by the insurer or insurance group; the adequacy of the insurer’s or group’s systems in place to ensure compliance with APRA Prudential Requirements; the effectiveness of the insurer’s or insurance group’s processes and systems surrounding the production of financial information; and compliance with the insurer’s or insurance group’s RMS and REMS. Refer to GPS 220 for information in relation to an insurer’s or insurance group’s Risk Management and Financial Information Declarations.

26

The Appointed or Group Auditor is not required to form an opinion on these Declarations other than in the context of the auditor’s responsibility to express a conclusion on the insurer’s or insurance group’s compliance with the responsibilities and reporting requirements of GPS 310.

8

The term “those charged with governance” refers to either the board (for a locally incorporated Insurer or Insurance Group) or the senior officer outside Australia to whom authority has been delegated in accordance with Prudential Standard CPS 510 Governance (for a foreign insurer).

9

The auditor has regard to the requirements and guidance provided in Auditing Standard ASA 580 Written Representations when requesting this letter.

10

Refer to Prudential Standards GPS 220 for all requirements.

Role and Responsibilities of the Appointed Auditor and Group Auditor

Includes: Those Who May Conduct the Audit and Review, Role and Responsibilities of the Appointed Auditor and Group Auditor

Those Who May Conduct the Audit and Review

27

Section 39 of the Act outlines the mechanism for the appointment of an auditor by an insurer and parent entity of the insurance group. Under this section, an insurer or the insurance group must not appoint a person as the auditor unless:

  1. the insurer is reasonably satisfied that the person meets the eligibility criteria for such an appointment set out in the Prudential Standards; and
  2. no determination is in force under section 44 which disqualifies the person from holding such an appointment[11].

28

Prudential Standard CPS 520 Fit and Proper (CPS 520) sets out the eligibility criteria for appointment as auditor of an insurer or insurance group. Prudential Standard CPS 510 Governance (CPS 510) includes provisions relating to the independence of an Appointed Auditor or Group Auditor engaged to perform work of a prudential nature in relation to the Act, APRA Prudential Standards and APRA Reporting Standards.

29

Section 44 of the Act sets out the circumstances under which APRA may disqualify a person from holding an appointment as an auditor of an insurer.[12] APRA may, if satisfied that grounds exist under section 49R[13], direct an insurer to remove an auditor.

Role and Responsibilities of the Appointed Auditor and Group Auditor

30

Under section 41 of the Act, an auditor appointed by an insurer and the Group Auditor appointed by the parent entity of an insurance group, must comply with the Prudential Standards in performing their duties and exercising their powers.

31

Sections 49, 49A and 49B of the Act, together with GPS 310, specify certain circumstances where the Appointed Auditor or Group Auditor is required to report to APRA on a nonroutine basis, where APRA requests specific information, or where an Appointed Auditor or Group Auditor possesses reportable information specified in the Act or where the Appointed Auditor or Group Auditor considers that the provision of information would assist APRA in performing its functions under the Act (refer paragraphs 122-131).

Appointed Auditor

32

Broadly, section 49J of the Act, together with GPS 310, requires the appointed auditor to:

  1. conduct an audit of the yearly statutory accounts of the insurer and provide an auditor’s report to the insurer which contains the auditor’s opinion in relation to the audit (refer paragraphs 40-51 and Appendix 1);
  2. undertake a review and prepare a report, on an annual basis, which contains the auditor’s review conclusions providing limited assurance in relation to the matters specified in Attachment A to GPS 310 (refer paragraphs 56-108 and Appendix 3);
  3. undertake a special purpose engagement, when requested by APRA in writing, of specific matters relating to the insurer’s operations, risk management or financial affairs, and to prepare a report in respect of that engagement (refer paragraphs 109-121); and
  4. perform such other work considered necessary to fulfil the auditor’s responsibilities under the Prudential Standards.

Group Auditor

33

GPS 310 Attachment B requires the Group Auditor, on an annual basis, to:

  1. conduct a review of the group’s annual accounts and provide a report to the parent entity of the insurance group which contains the Group Auditor’s conclusion in relation to the limited assurance review (refer paragraphs 52-55 and Appendix 2);
  2. undertake a review and prepare a report which contains the Group Auditor’s conclusions providing limited assurance in relation to the matters specified in Attachment C to GPS 310 (refer paragraphs 56-108 and Appendix 3);
  3. undertake a special purpose engagement, when requested by APRA in writing, of specific matters relating to the insurance group’s operations, risk management or financial affairs, and to prepare a report in respect of that engagement (refer paragraphs 109-121); and
  4. perform such other work considered necessary to fulfil the auditor’s responsibilities under the Prudential Standards.

11

With effect from 1 January 2008, APRA will no longer be required to approve the appointment of a person as the auditor of an insurer.

12

Individuals disqualified in this manner may request that APRA review that decision. An appeal process is set out in Part VI of the Act.

13

With effect from 1 January 2008.

Agreeing the Terms of Engagement

34

The Appointed Auditor and the insurer agree on the terms of the engagement. In the case of an insurance group, the terms of engagement are between the Group Auditor and the parent entity of the insurance group. Such terms may be detailed in an engagement letter or other suitable form of written contract.

35

The requirement to audit the yearly statutory accounts of the insurer or review the annual accounts of the insurance group is in addition to the audit or review of financial reports required under the Corporations Act 2001 and is to be treated by the Appointed or Group Auditor as a separate audit engagement. In addition to the requirements of ASA 800, the Appointed or Group Auditor has regard to ASA 210 Agreeing the Terms of Audit Engagements when agreeing on the terms of the engagement with the insurer and/or insurance group.

36

The audit or review of financial reports required under the Corporations Act 2001 and the audit of the yearly statutory accounts or review of the annual accounts required under the Act are directed towards obtaining sufficient evidence to form an opinion or conclusion under the appropriate legislation. These audit and review procedures are not designed to enable the Appointed or Group Auditor to conclude on matters specified in paragraph 56 of this Guidance Statement. The requirement for an Appointed or Group Auditor to provide a review report under GPS 310 therefore constitutes a separate engagement with separate reporting requirements. The Appointed or Group Auditor has regard to ASAE 3000[14] when agreeing on the terms of the review engagement.

37

It is important that those charged with governance of the insurer or insurance group are aware of the Appointed or Group Auditor’s obligations referred to in GPS 310 and of the implications for confidentiality. It is important also that the engagement letter includes a reference to the responsibility of those charged with governance of the insurer or insurance group for establishing and maintaining effective internal control.

38

The engagement letter explains that any special purpose engagement of specific matters relating to the insurer’s or insurance group’s operations, risk management or financial affairs, will constitute a separate engagement(s) and that the details of such engagement(s) will be the subject of a separate engagement letter(s).

39

Example engagement letters to accommodate APRA reporting requirements as per GPS 310 are set out in Appendix 4: General Insurer and Appendix 5: Level 2 Insurance Group of this Guidance Statement.

14

Reference to Auditing Standard ASA 210 Agreeing the Terms of Audit Engagements may provide useful guidance when agreeing the terms of the review engagement.

Report on Audit of Yearly Statutory Accounts by the Appointed Auditor

Includes: Reporting Requirements, Format of Reporting Requirements, Matters to Consider in Planning and Conducting the Audit

Reporting Requirements

40

Section 49J of the Act, and GPS 310, include a requirement for the Appointed Auditor to audit the yearly statutory accounts of the insurer and to provide an auditor’s report to the insurer in relation to those accounts. GPS 310 requires the auditor’s report to include the auditor’s opinion on whether the yearly statutory accounts of the insurer present a true and fair view of the results of the insurer’s operations for the year and financial position at year end, in accordance with:

  1. the provisions of the Act and APRA Prudential Standards, the Collection of Data Act and APRA Reporting Standards; and
  2. to the extent that they do not contain any requirements that conflict with the aforementioned, Australian Accounting Standards and other mandatory professional reporting requirements in Australia; and
  3. where the Appointed Auditor is unable to provide an auditor’s opinion as above, the opinion must be modified and include details of the relevant matters[15].

41

Under GPS 310, the auditor’s report, addressed to those charged with governance of the insurer, must be prepared on an annual basis. Furthermore, it must be submitted to the insurer within such time as to enable the insurer to provide the report to APRA on or before the day that the insurer’s yearly statutory accounts are required to be submitted to APRA in accordance with Reporting Standard GRS 001 Reporting Requirements[16].

42

In preparing this auditor’s report, APRA requires the Appointed Auditor to have regard to relevant AUASB Standards and Guidance Statements, to the extent that these pronouncements are not inconsistent with the requirements of GPS 310.

43

ASA 800 establishes requirements and provides explanatory material in relation to the audit of special purpose financial reports.

Format of Reporting Requirements

44

An illustrative example of an auditor’s report on the yearly statutory accounts of an insurer can be found in Appendix 1.

Matters to Consider in Planning and Conducting the Audit

45

The Appointed Auditor considers materiality in providing the auditor’s report and in reporting exceptions. In considering materiality, the Appointed Auditor exercises professional judgement, having regard to the requirements and guidance provided in ASA 320 Materiality in Planning and Performing an Audit. Australian Accounting Standard AASB 1031 Materiality may provide further useful guidance. In the context of APRA’s reporting requirements, the insurer’s Prudential Capital Requirement (PCR) as prescribed in Prudential Standard GPS 110 Capital Adequacy, is an important consideration with respect to materiality. However, the Appointed Auditor may need to consider whether an alternative base (such as profit, assets or revenue) is more appropriate.

46

In accordance with ASA 315 Identifying and Assessing Risks of Material Misstatement through Understanding the Entity and its Environment, the Appointed Auditor performs risk assessment procedures and related activities to obtain an understanding of the insurer and its environment, including the entity’s internal control. The PCR of an insurer is intended to take account of the full range of risks to which an insurer is exposed. The PCR for an insurer is determined under GPS 110 Capital Adequacy and includes but is not limited to consideration of the following:

  1. the Insurance Risk Charge (IRC)
  2. the Insurance Concentration Risk Charge (ICRC)
  3. the Asset Risk Charge (ARC)
  4. the Asset Concentration Risk Charge (ACRC)
  5. the Operational Risk Charge (ORC)

47

In identifying and assessing the risks of material misstatement, the Appointed Auditor may need to consider the use of accounting estimates in the calculation of the insurer’s PCR under ASA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures and evaluate the degree of estimation uncertainty associated with any accounting estimates.

48

The degree of estimation uncertainty associated with an accounting estimate may be influenced by factors such as:

  • The extent to which the accounting estimate depends on judgement.
  • The sensitivity of the accounting estimate to changes in assumptions.
  • The existence of recognised measurement techniques that may mitigate the estimation uncertainty (though the subjectivity of the assumptions used as inputs may nevertheless give rise to estimation uncertainty).
  • The length of the forecast period, and the relevance of data drawn from past events to forecast future events.
  • The availability of reliable data from external sources.
  • The extent to which the accounting estimate is based on observable or unobservable inputs.

The degree of estimation uncertainty associated with an accounting estimate may influence the estimate’s susceptibility to bias.

49

Matters the Appointed Auditor considers in assessing the risks of material misstatement in an accounting estimate may also include:

  • The actual or expected magnitude of an accounting estimate.
  • The recorded amount of the accounting estimate (that is, management’s point estimate) in relation to the amount expected by the auditor to be recorded.
  • Management’s documentation of the judgements involved in estimates, for example, assumptions, model risk and understanding and data quality.
  • Outcomes of the sensitivity analysis performed on the assumptions by management.
  • Whether the adequacy and outcomes of the process adopted by the insurer in determining the PCR are appropriate as they relate to the insurer as a whole.
  • Complexities and disclosures required for each component of risk under the insurer’s PCR calculation.
  • Whether the models developed by management are using recognised measurement techniques and are independently reviewed and approved by appropriate personnel or an external expert.
  • Reliance on and use of internally developed or externally sourced catastrophe models to estimate loss scenarios arising from different catastrophe events.
  • Whether relevant and reliable controls are in place around the modelling process and the protection of model integrity.
  • Whether management has used an expert in making the accounting estimate.
  • Outcomes of the Appointed Actuary’s review and comment on the adequacy of the insurer’s ICRC calculation in its Financial Condition Report (FCR).
  • Outcomes of the review of prior period accounting estimates.

The Appointed Auditor needs to consider the above factors and their impact on the audit approach and to use professional judgement in forming a view as to whether the accounting estimates are reliable.

50

In addressing the risks and accounting estimates associated with each of the areas in paragraph 46, the Appointed Auditor may need to consider performing further substantive procedures to respond to significant risks associated with estimation uncertainty.

51

The auditor uses professional judgement to assess whether there is sufficient evidence available to enable the auditor to form an opinion in relation to accounting estimates.

15

Modifying an auditor’s opinion is a matter for auditor judgement. However, GPS 310 lists the following examples of matters to be included: accounting records that have not been kept appropriately, transactions that appear irregular or that have not been recorded accurately or properly, requests for information and explanations that have not been met, or aspects of the accounts that do not represent a true and fair view of the transactions and financial position.

16

Refer GRS 001 for specific requirements in relation to reporting periods.

Report on Review of Group Annual Accounts by the Group Auditor

Includes: Reporting Requirements, Format of Reporting Requirements

Reporting Requirements

52

GPS 310 includes a requirement for the Group Auditor to review the annual accounts of the insurance group and to provide an auditor’s review report to the parent entity in relation to those annual accounts. GPS 310 requires the auditor’s review report to include the auditor’s conclusion on whether anything has come to the auditor’s attention that causes the Group Auditor to believe the annual accounts do not present a true and fair view of the results of the insurance group’s operations for the year and financial position at year end, in accordance with:

  1. the provisions of the Act and APRA Prudential Standards, the Collection of Data Act and APRA Reporting Standards; and
  2. to the extent that they do not contain any requirements that conflict with the aforementioned, Australian Accounting Standards and other mandatory professional reporting requirements in Australia.

Under GPS 310, where the Group Auditor is unable to provide an auditor’s conclusion as above, the conclusion must be modified and include details of the relevant matters[17].

53

Under GPS 310, the auditor’s review report, addressed to those charged with governance of the group, must be prepared on an annual basis. Furthermore, it must be submitted to the parent entity of the insurance group within such time as to enable the parent entity to provide the report to APRA on or before the day that the group’s annual accounts are required to be submitted to APRA in accordance with Reporting Standard GRS 001 Reporting Requirements[18].

54

In preparing this auditor’s review report, APRA requires the Group Auditor to have regard to relevant AUASB Standards and Guidance Statements, to the extent that these pronouncements are not inconsistent with the requirements of GPS 310.

Format of Reporting Requirements

55

An illustrative example of an auditor’s review report on the annual accounts of an insurance group can be found in Appendix 2.

17

Modifying an auditor’s opinion is a matter for auditor judgement. However, GPS 310 lists the following examples of matters to be included: accounting records that have not been kept appropriately, transactions that appear irregular or that have not been recorded accurately or properly, requests for information and explanations that have not been met, or aspects of the accounts that do not represent a true and fair view of the transactions and financial position.

18

Refer GRS 001 for specific requirements in relation to reporting periods.

Annual Prudential Review Report

Includes: Reporting Requirements (GPS 310: Attachment A – General Insurer or Attachment C – Insurance Group), Format of Reporting Requirements, Matters to Consider in Planning and Conducting the Review, Inherent Limitations of the Review, Materiality, Internal Audit, Existence of Controls Addressing Compliance with Prudential Requirements, Adequacy and Effectiveness of Controls Relating to Actuarial Data Integrity and Financial Reporting Risks, Compliance with RMS and REMS, Controls in place to ensure Reliability of Statistical and Financial Data, Policyholders’ Interests

Reporting Requirements (GPS 310: Attachment A – General Insurer or Attachment C – Insurance Group)

56

In accordance with GPS 310, the Appointed and Group Auditor are required to perform a review and provide the insurer or the parent entity of the insurance group with a report specifying the Appointed or Group Auditor’s review conclusions, namely whether:

  1. there exist systems, procedures and controls, that are kept up to date, which address the insurer or the insurance group’s compliance with all applicable Prudential Requirements;
  2. the insurer’s or the insurance group’s systems, procedures and controls relating to actuarial data integrity and financial reporting risks[19] are adequate and effective;
  3. the insurer or the insurance group has complied, in all significant respects, with its RMS and REMS;
  4. the insurer or the insurance group has systems, procedures and controls in place to ensure that reliable statistical and financial data are provided to APRA in the quarterly or semi-annual returns required by APRA Reporting Standards; and
  5. there are matters which have come to the Appointed or Group Auditor’s attention which will, or are likely to, affect adversely the interests of policyholders of the insurer or the insurance group.

57

Where the Appointed or Group Auditor identifies instances of noncompliance with Prudential Requirements during the course of reviewing the insurer’s systems, procedures and controls, GPS 310 requires the review report to include details of these matters[20]. Refer to Part E of the Prudential Review Report in Appendix 3.

58

In accordance with GPS 310, the review report is to be on an annual basis and to cover the same period as the yearly statutory accounts and annual accounts, unless other arrangements between APRA and either the insurer or the insurance group and/or the Appointed or Group Auditor apply. The review report is to be issued on a timely basis so as to enable the insurer or the insurance group to submit the report to APRA on or before the day that the yearly statutory accounts or annual accounts are required to be submitted to APRA in accordance with APRA Reporting Standards[21].

59

The prudential review report is required to be addressed to those charged with governance of the insurer or the insurance group and must be based on a limited assurance engagement. The report is to indicate that it is limited to the use of the insurer or insurance group and APRA. In preparing the report, APRA requires the Appointed and Group Auditor to have regard to AUASB Standards and Guidance Statements, to the extent that these pronouncements are not inconsistent with the requirements of GPS 310.

60

The Appointed or Group Auditor undertakes the review engagement in accordance with ASAE 3000[22].

61

The Appointed or Group Auditor considers materiality in providing reports as per GPS 310 and in the reporting of exceptions (refer paragraphs 73 to 78).

62

Where the Appointed or Group Auditor determines it necessary to issue a modified review conclusion because of, for example, a significant breach of the RMS and the REMS or because of the existence of a material weakness in systems, procedures and controls reviewed, the Appointed or Group Auditor has regard to the requirements of, and guidance provided in, AUASB Standards on Review Engagements (ASREs) and Standards on Assurance Engagements (ASAEs), as appropriate.

63

Where the Appointed or Group Auditor becomes aware of material weaknesses in internal controls, compliance errors or irregularities highlighted during the review, the Appointed or Group Auditor reports these instances to an appropriate level of management of the insurer or parent entity on a timely basis[23].

64

Prior to issuing the Appointed or Group Auditor’s review report, the Appointed or Group Auditor obtains a written representation from the insurer or the insurance group’s management[24] which contains its assertions, for example, that the insurer or the insurance group has complied with its RMS and REMS during the period under review and that the Appointed or Group Auditor has been kept informed fully of all APRA’s Prudential Requirements applicable to the insurer or the insurance group. However, representations by management cannot be a substitute for other audit evidence that the Appointed or Group Auditor could reasonably expect to be available.

Format of Reporting Requirements

65

An illustrative example of an annual Prudential Review Report, prepared by the Appointed or Group Auditor in compliance with APRA annual reporting requirements, is set out in Appendix 3.

Matters to Consider in Planning and Conducting the Review

66

To assist in the effective and efficient operation of the reporting process, there is a need to avoid misunderstanding and to clarify what is required or can be achieved in providing the reports as per GPS 310. There is furthermore a need to avoid excessive or unwarranted work that is not cost beneficial to the regulatory process.

67

In a limited assurance engagement, the assurance practitioner’s conclusion is expressed in a form that conveys whether, based on the procedures performed and evidence obtained, matter(s) have come to the practitioner’s attention to cause them to believe the subject matter information is not materially misstated. The nature, timing, and extent of procedures performed in a limited assurance engagement is planned to obtain assurance that is, in the practitioner’s professional judgement, meaningful.

68

For the purpose of expressing a conclusion in the review report, the Appointed or Group Auditor, through limited procedures, obtains sufficient appropriate evidence to support the conclusion. These limited procedures consist primarily of enquiries of the insurer’s or insurance group’s staff and analytical procedures. The nature, timing and extent of procedures deemed necessary by the Appointed or Group Auditor to reduce assurance engagement risk to an acceptable level are a matter for the Appointed or Group Auditor’s professional judgement, taking into consideration the specific engagement circumstances.

69

The Appointed or Group Auditor is not required by GPS 310 to extend the scope of the review engagement in order to report to APRA matters which will, or are likely to, affect adversely the interests of policyholders of the insurer or insurance group, or instances in which the insurer or insurance group has not complied with all aspects of relevant Prudential Requirements, or in relation to the Appointed or Group Auditor’s obligations as regards nonroutine reporting requirements under sections 49A and 49B of the Act. Although there is no requirement for the Appointed or Group Auditor to perform any specific procedures to identify such matters required to be reported to APRA, during the course of the review engagement, the Appointed or Group Auditor exercises professional judgement and considers whether additional procedures are necessary in relation to these matters.

Inherent Limitations of the Review

70

While reviews involve the application of audit related skills and techniques, usually they do not involve many of the procedures performed during an audit. In an audit, as the auditor’s objective is to provide a reasonable, but not absolute, level of assurance on the truth and fairness of financial information, the auditor uses more extensive audit procedures than in a review. Review procedures do not provide all the evidence required in an audit and, consequently, the level of assurance provided is less than that given in an audit.

71

There are inherent limitations in any internal control structure. Furthermore, fraud, error or noncompliance with laws and regulations may occur and not be detected. As the systems, procedures and controls to ensure compliance with APRA Prudential Requirements are part of the insurer’s or insurance group’s operations, it is possible that either the inherent limitations of the internal control structure, or weaknesses in it, impact on the effective operation of the insurer’s or insurance group’s specific control procedures.

72

Projections of any evaluation of internal control procedures to future periods are subject to the risk that control procedures may become inadequate because of changes in conditions after the review reports are signed, or that the degree of compliance may deteriorate.

Materiality

73

In accordance with ASAE 3000, the Appointed or Group Auditor considers materiality when:

  1. determining the nature, timing and extent of review procedures;
  2. considering the effect of identified weaknesses in systems, procedures and controls designed to address compliance with Prudential Requirements and to enable the insurer or insurance group to report reliable financial and statistical information to APRA;
  3. evaluating the significance of identified breaches of the RMS and the REMS;
  4. reporting instances of non-compliance with Prudential Requirements identified during the course of the review of the insurer’s or insurance group’s systems, procedures and controls; and
  5. reporting matters that will, or are likely to, affect adversely the interests of the policyholders of the insurer or insurance group.

74

Materiality is to be addressed in the context of the insurer’s or insurance group’s objectives relevant to the particular area of activity being examined (see paragraph 56) and whether the internal controls will reduce to an acceptable level the risks that threaten achievement of those objectives. These objectives are developed having regard to the protection of the interests of the policyholders and prospective policyholders of the insurer or insurance group.

75

In addition to the guidance provided in ASAE 3000 and other relevant ASAEs, the Appointed and Group Auditor may find ASA 320 helpful when assessing materiality. However, it is not possible to give a definitive view on what may constitute, for example, a material breach of Prudential Requirements or a material control weakness. The Appointed and Group Auditor exercises professional judgement in considering materiality appropriate to the insurer’s or insurance group’s circumstances, having regard to their obligations, the purpose and terms of the specific engagement, together with the size, complexity and nature of their activities.

76

AASB 1031 may provide useful guidance to the Appointed and Group Auditor also. Matters likely to adversely affect the interests of policyholders are related generally to solvency and going concern assumptions. In the context of APRA’s reporting requirements, the insurer’s PCR is therefore an important consideration with respect to materiality. However, the auditor needs to consider whether alternative bases such as profit, assets or revenue may be more appropriate.

77

For the purpose of paragraphs 93-101, the significance of a matter is to be judged by the Appointed or Group Auditor in the context in which it is being considered, taking into account both quantitative and qualitative factors. This may, for example, include consideration of the significance in terms of the potential impact of the noncompliance with the RMS and the REMS rather than the actual impact. Where the Appointed or Group Auditor considers that noncompliance potentially could be significant to the insurer or insurance group as a whole and/or to policyholder interests, or where the matter may be considered as important by APRA in performing its functions under the Act, then that is a matter to be reported to APRA.

78

Reference to section 49A(7)[25] of the Act, which defines the term ‘significant’ in the context of matters to be notified to APRA by the Appointed or Group Auditor (as part of the auditor’s nonroutine reporting requirements – refer paragraph 124), provides helpful guidance when considering the significance of matters in relation to the insurer’s RMS and REMS.

Internal Audit

79

CPS 510 requires an insurer or insurance group[26] to have in place an independent and adequately resourced internal audit function[27]. CPS 510 and APRA Prudential Practice Guide GPG 200 Risk Management set out the requirements and provide guidance to insurers and insurance groups in relation to internal audit.

80

GPS 220 requires an insurer’s or insurance group’s RMF to be reviewed by operationally independent, appropriately trained and competent staff. Commonly, this evaluation of the adequacy and effectiveness of the RMF, which includes a review of the insurer’s or insurance group’s risk management function (or role), RMS and internal control system, will be undertaken by the internal audit function.

81

Auditing Standard ASA 610 Using the Work of Internal Auditors, sets out the requirements and provides guidance to the auditor in considering the activities of the internal audit function and evaluating the effect, if any, on audit procedures.

Existence of Controls Addressing Compliance with Prudential Requirements

82

The Appointed or Group Auditor is required to express a conclusion as to whether anything has come to their attention that causes them to believe that the insurer or insurance group does not have systems, procedures and controls in place, that are kept up-to-date, to address the insurer’s or insurance group’s compliance with all applicable Prudential Requirements (refer Part A of the Prudential Review Report as per Appendix 3). Items included under ‘Prudential Requirements’ are listed in paragraph 16 of this Guidance Statement.

83

The Appointed or Group Auditor reviews whether the high level controls over systems and procedures pertinent to the Prudential Requirements, as documented in the RMS and the REMS, exist and whether the insurer or insurance group has in place a periodic review process to ensure that relevant systems, procedures and controls remain up-to-date at all times. Existence is addressed normally when evaluating the design of controls during the planning phase of the review.

84

As part of the review, the Appointed or Group Auditor obtains an understanding of the insurer’s or insurance group’s compliance framework, which may include the following key elements:

  • Procedures for identifying and updating compliance obligations.
  • Staff training and awareness programs.
  • Procedures for assessing the impact of compliance obligations on the insurer’s or insurance group’s key business activities.
  • Controls embedded within key business processes to ensure compliance with obligations.
  • Processes to identify and monitor the implementation of further mitigating actions required to ensure that compliance obligations are met.
  • A monitoring plan to test key compliance controls on a periodic basis and to report exceptions.
  • Procedures for identifying, assessing and reporting compliance incidents and breaches.
  • Periodic sign-off by management as to compliance with obligations.
  • A compliance governance structure that establishes responsibility for the oversight of compliance control activities with those charged with governance, typically a Board Audit, Risk Management or Compliance Committee.

85

Insurers and insurance groups have different systems and procedures in place to monitor compliance with specific Prudential Standards. Projections and estimates are likely to be part of the monitoring process, as the preparation of a full financial report is unlikely to be practical on a day-by-day or week-by-week basis. Varying degrees of precision may exist therefore in applying the monitoring process. Notwithstanding these differences, such systems seek to ensure that insurers or insurance groups comply with all Prudential Standards on a continuous basis.

86

As part of the Appointed or Group Auditor’s review of whether systems, procedures and controls exist to address compliance with the relevant statutory and regulatory requirements and conditions on the insurer’s or insurance group’s authority to carry on insurance business, or other conditions imposed by APRA in relation to their operations, including bilateral APRA insurer requirements and conditions, the Appointed or Group Auditor makes enquiries of the insurer or group management as to (but not limited to):

  • The nature of authorisation to carry on general insurance business under section 12 of the Act.
  • Conditions or changes in conditions imposed by APRA on the section 12 authorisation.
  • Exemption granted by APRA to the insurer or insurance group in relation to specific sections of the Act.
  • Directions by APRA to the insurer or insurance group under the Act in relation to compliance with a Prudential Standard where there has been a breach of the Standard or is likely to be a breach.
  • Directions issued by APRA to the insurer or insurance group under section 62 of the Act in the context of an investigation.
  • Any variations and/or exclusions exercised by APRA under the Prudential Standards.
  • Formal correspondence issued to an insurer or insurance group in relation to an APRA prudential visit/review.

87

As part of the review, the Appointed or Group Auditor performs review procedures that they consider necessary in relation to the insurer’s or insurance group’s systems, procedures and controls which address compliance with all applicable Prudential Requirements, including but not limited to the following sections of the Act:

  • Authorisation under section 12 of the Act[28].
  • Conditions imposed under section 13 of the Act.
  • Directions issued by APRA pursuant to sections 7, 35, 49L, 49Q and 62 of the Act.
  • Other specified matter(s).

88

Conditions on the insurer’s or insurance group’s authority to carry on insurance business may vary from one insurer or insurance group to another and the Appointed or Group Auditor makes enquiries with respect to conditions imposed on the insurer or insurance group by APRA.

89

In relation to Prudential Requirements specified in writing by APRA, the Appointed or Group Auditor of an insurer or insurance group limits the review to the Prudential Requirements specified in writing by APRA of which they are aware.

90

While the Appointed or Group Auditor is not expected to review the design or operating effectiveness of control procedures, during the course of the review, they may become aware of material control weaknesses which the Appointed or Group Auditor reports to an appropriate level of management of the insurer or insurance group.

Adequacy and Effectiveness of Controls Relating to Actuarial Data Integrity and Financial Reporting Risks

91

The Appointed or Group Auditor is required to express a conclusion as to whether anything has come to their attention that causes them to believe that the insurer’s or insurance group’s systems, procedures and controls relating to actuarial data integrity and financial reporting risks[29] are not adequate and effective to address the risk of material error in the APRA returns. Refer Part B of the Prudential Review Report as per Appendix 3.

92

The Appointed or Group Auditor reviews whether systems, procedures and controls in place are adequate and operating effectively to ensure that source data used for actuarial valuations and completion of returns to APRA in accordance with the requirements of the Collection of Data Act, are accurate, complete, consistent with the accounting records of the insurer or insurance group, and a true representation of the transactions for the year and the financial position of the insurer or insurance group. The Appointed or Group Auditor performs review procedures covering the period to obtain evidence regarding the continuity of systems, procedures and controls in place for the period under review.

Compliance with RMS and REMS

93

The Appointed or Group Auditor is required to express a conclusion as to whether anything has come to their attention that causes them to believe that the insurer or insurance group has not complied, in all significant respects (refer paragraphs 77-78), with its RMS and REMS[30]. Refer Part C of the Prudential Review Report as per Appendix 3.

94

The objective of the Appointed or Group Auditor’s review of the insurer’s or insurance group’s compliance with its RMS and REMS is to assess whether they have complied substantially with key policies, procedures, structures and controls documented in the RMS and the REMS for the period under review. There is no expectation that the Appointed or Group Auditor expresses assurance on the adequacy of the RMS and the REMS.

95

The Appointed or Group Auditor’s review of compliance with the RMS and the REMS may include the following procedures:

  • Obtaining an understanding of the RMF and the process to identify material risks.
  • Reviewing the relevant RMS and the REMS to confirm that they are up to date and approved by the insurer or insurance group.
  • Reviewing the processes (including monitoring and reporting procedures) the insurer or insurance group has in place to ensure ongoing compliance with the RMS and the REMS. The Appointed or Group Auditor may find reference to paragraph 84 useful in this regard. It identifies some of the key elements that may form part of an insurer’s or insurance group’s compliance framework.
  • Reviewing the evidence supporting the insurer’s or insurance group’s attestation in the APRA Annual Return in relation to compliance with the RMS and the REMS.

96

As part of the Appointed or Group Auditor’s review, they may consider the measures in place which relate to the insurer’s or insurance group’s monitoring of, and reporting on, specific matters incorporated into the RMS and the REMS. Such a review may include the following matters:

  • Whether breaches of the RMS and the REMS have been detected and reported by the monitoring systems. When breaches have been detected, whether such breaches are significant either in themselves or, when they are of a recurring nature and have not been rectified, whether their cumulative effect renders them to be a significant non-compliance.
  • Identifying systems which they use to ensure that business units and staff comply with the measures in the RMS and the REMS on a day-to-day basis.

97

As part of the review of compliance with the RMS and the REMS, the Appointed or Group Auditor may seek the following types of information and documentation:

  • Copies of the RMS and the REMS that applied during the period covered by the review.
  • Details of changes to the RMS and the REMS and related policies and procedures and the reasons for the revisions.
  • Documentation that identifies and describes the policies, procedures and structures that are in place to manage identified risks and representations that such policies, procedures and structures have been complied with.
  • Minutes of the meetings of those charged with governance and sub-committees responsible for monitoring compliance with aspects of the RMS and the REMS.
  • Internal and external incident and breach reports, breach and complaints registers and follow-up action taken to the extent that recorded items may indicate a failure to comply with the RMS and the REMS.
  • Internal audit reports.
  • Certifications made by the insurer or insurance group and relevant supporting documentation to substantiate compliance with the RMS and the REMS during the reporting period.
  • Other supporting evidence to confirm that the controls identified in the RMS and the REMS have been in place during the reporting period.

The above is not meant to represent an exhaustive list and there may be other evidence that is relevant to the specific circumstances of each insurer.

98

There are practical limitations in requiring the Appointed or Group Auditor to express a conclusion as to the insurer’s or insurance group’s compliance at all times with the RMS and the REMS during the review period. However, the Appointed or Group Auditor performs review procedures to the extent that the Appointed or Group Auditor considers to be appropriate in order to obtain sufficient appropriate evidence as to the insurer’s or insurance group’s compliance with the written descriptions within the RMS and the REMS throughout the period under review.

99

While the Appointed or Group Auditor is not expected to review the adequacy of the RMS and the REMS, during the course of the review the Appointed or Group Auditor may become aware of significant deficiencies in the RMS and the REMS which they report to an appropriate level of the insurer’s or insurance group’s management.

100

The auditor lists any key strategies included in the RMS and the REMS provided to APRA by the insurer or insurance group, but not reviewed by them as a consequence of a circumstance that makes the review impractical (for example, any period for which the strategy has not been in place).

101

The Group Auditor of an insurance group should also be aware of Attachment D to GPS 220 in so far as it may relate to adjustments to prudential requirements for insurance groups.

Controls in place to ensure Reliability of Statistical and Financial Data

102

The Appointed Auditor of an insurer, or the Group Auditor of the insurance group is required to express a conclusion as to whether anything has come to the auditor’s attention that causes the auditor to believe that the insurer or insurance group does not have systems, procedures and controls in place to ensure that reliable statistical and financial data are provided by the insurer or insurance group in Quarterly or Semi-Annual Returns to APRA, as required by APRA Reporting Standards. Refer Part D of the Prudential Review Report, as per Appendix 3.

103

Interpretation of the word ‘reliable’ in the context of paragraph 102 requires mutual understanding in that it has practical limitations in the present circumstances. For many insurers or insurance groups, it is at reporting period-end only that the insurer’s or insurance group’s accounts, including all the appropriate adjustments for accruals, prepayments, provisioning and valuations, are prepared. Some insurers or insurance groups report their results half-yearly also, and therefore would incorporate the necessary adjustments, but generally an audit is not carried out on these balances unless the insurer or insurance group requires an audit rather than a review of the half-year financial report.

104

APRA expects review procedures to include limited tests of control in relation to the compilation of the required statistical and financial information included in the APRA Quarterly or Semi-Annual Returns, to the extent the Appointed or Group Auditor considers appropriate. This involves, at a minimum, test checking from the Quarterly or Semi-Annual Returns to the insurer’s or insurance group’s general ledger or appropriate subledger or subsystem but does not extend to auditing the financial or statistical information presented in the Quarterly or Semi-Annual Returns.

Policyholders’ Interests

105

The Appointed or Group Auditor is required to express a conclusion as to whether anything has come to their attention that causes the Appointed or Group Auditor to believe that there are matters which, in the Appointed or Group Auditor’s opinion, will, or are likely to, affect adversely the interests of the policyholders[31] of the insurer or insurance group. Matters likely to adversely affect the interests of the policyholders are related generally to solvency issues and going concern assumptions, for example, the insurer’s or insurance group’s compliance with PCR as per Prudential Standard GPS 110 Capital Adequacy. Refer Part E of the Prudential Review Report, as per Appendix 3.

106

The Appointed or Group Auditor will report to APRA on the basis of information obtained during the course of the Appointed Auditor’s financial report audit under the Corporations Act 2001, the audit of the yearly statutory accounts or the Group Auditor’s review of the annual accounts prepared in accordance with the Act, additional review procedures undertaken for APRA reporting purposes, and current knowledge of the insurer’s or insurance group’s affairs at the time of issuing the report.

107

The Appointed Auditor of a foreign insurer is unlikely to have complete knowledge of the overseas operations of the parent or related entities of the foreign insurer. The Appointed Auditor may not have had responsibility for the financial report audit of the foreign insurer. As a result, the Appointed Auditor is limited in the level of information that can be provided with respect to foreign insurer policyholders’ interests.

108

Where a situation described at paragraph 107 exists, the Appointed Auditor of a foreign insurer is not expected to expand the scope of the review engagement in order to meet the reporting requirements of GPS 310, or to be aware of all material issues or events that are outside the Australian operations of the foreign insurer. Rather, in meeting APRA’s reporting requirements, the Appointed Auditor reports the scope of any financial report audit work performed with respect to the foreign insurer and, where the Appointed Auditor has conducted no financial report audit, reports only on matters that come to the Appointed Auditor’s attention during the course of the Appointed Auditor’s work in relation to APRA’s additional reporting requirements.

19

The risks that incorrect source data will be used in completing returns to APRA in accordance with the Collection of Data Act.

20

Whether or not the insurer and/or insurance group has reported the non-compliance to APRA.

21

Refer to GRS 001 for specific requirements in relation to reporting periods.

22

AUASB Standards on Review Engagements (ASREs), Standards on Assurance Engagements (ASAEs) and this Guidance Statement may provide helpful information to assist the auditor in conducting the review.

23

Reference to Auditing Standard ASA 260 Communication with Those Charged With Governance may provide useful guidance in this regard.

24

Matters for consideration and an illustrative example of a representation letter relevant to an audit engagement are contained in Auditing Standard ASA 580 Representations, which may be helpful in determining representations applicable to the review engagement.

25

Section 49A(7) of the Act is effective from 1 January 2008.

26

This will include a foreign insurer in relation to its Australian business.

27

Under CPS 510, APRA may approve alternative arrangements where APRA is satisfied that they will achieve the same objectives.

28

Or in the case of an authorised non-operating holding company (NOHC), section 18 of the Act.

29

Refer to paragraphs 22-24 and Appendix 6 for a description of, and Prudential Requirements in relation to, the RMS and REMS documents.

30

Refer to paragraphs 22-24 and Appendix 6 for a description of, and Prudential Requirements in relation to, the RMS and REMS documents.

31

Reference to policyholders relates to a class of policyholders rather than to individual policyholders.

Special Purpose Engagements

Includes: Reporting Requirements, Format of Reporting Requirements, Terms of Engagement

Reporting Requirements

109

In addition to APRA’s annual prudential reporting requirements, the Appointed or Group Auditor may be requested by the insurer or insurance group, under GPS 310, to undertake a special purpose engagement in relation to matters specified by APRA in writing, relating to the insurer’s or insurance group’s operations, risk management or financial affairs, and to prepare a report in respect of that engagement[32].

110

APRA requires such special purpose engagements to be completed in accordance with relevant AUASB Standards and Guidance Statements, to the extent that these pronouncements are not inconsistent with the requirements of GPS 310.

111

Under GPS 310, the Appointed or Group Auditor’s special purpose engagement report is required to be submitted to APRA and the insurer or insurance group simultaneously, within three months of the engagement being commissioned, unless APRA grants an extension of time in writing.

112

APRA may meet with the insurer and its Appointed Auditor or the insurance group and the Group Auditor, periodically to discuss the auditor’s report and to agree on the area(s) to be examined. Timing of these trilateral meetings is negotiated with the insurer and the Appointed Auditor or the insurance group and the Group Auditor, at the initiative of APRA. The area(s) to be examined may vary among insurers or insurance groups.

113

The Appointed or Group Auditor may be requested to perform any of the following types of engagements:

  1. an audit (reasonable assurance);
  2. a review (limited assurance); and/or
  3. agreed-upon procedures (no assurance).

114

It must be appreciated that the Appointed Auditor of an insurer or the Group Auditor of an insurance group, does not evaluate all aspects of the internal control structure and systems of controls when performing an audit or review of financial reports required under the Corporations Act 2001 and is therefore not in a position to express an opinion on the adequacy of the systems of accounting and internal control taken as a whole.

115

The APRA requirement for an Appointed or Group Auditor to undertake a special purpose engagement in a selected area of the insurer’s or insurance group’s operations, constitutes a separate engagement and reporting. The Appointed or Group Auditor undertakes the engagement in accordance with ASAE 3000 and having due regard to relevant Auditing Standards (ASAs), ASREs, ASAEs and Standards on Related Services (ASRSs).

116

Due to the nature of audit testing and review procedures, and other inherent limitations of audits and reviews, together with the inherent limitations of all control systems, there is a possibility that a properly planned and executed audit or review will not detect all deficiencies in relation to the insurer’s or insurance group’s operations, risk management or financial affairs.

117

The extent of reporting matters that could be improved depends on the Appointed or Group Auditor’s judgement. Materiality is to be addressed in the context of the insurer’s or insurance group’s objectives relevant to the particular area of activity being examined and whether the internal controls will reduce to an acceptable level the risks that threaten achievement of those objectives. Minor omissions, weaknesses and failures are not required to be reported upon. Matters that are commented on are those which, in the view of the Appointed or Group Auditor, indicate individually or collectively that the objectives of the system may not be achieved. Materiality is addressed in paragraphs 73-78.

118

The report is to be restricted to the parties that have agreed to the terms of the special purpose engagement, namely those charged with governance and management of the insurer or insurance group, and APRA.

Format of Reporting Requirements

119

The format of the special purpose engagement report will vary depending on the type of engagement; that is, an audit (reasonable assurance), a review (limited assurance) or agreed-upon procedures (no assurance), as well as the topic and the findings. The Appointed or Group Auditor has regard to the requirements, guidance and illustrative examples of reports provided in ASAs, ASREs, ASAEs and ASRSs, as applicable, when preparing the special purpose engagement report.

Terms of Engagement

120

Following the determination by APRA of the specific area to be examined, the Appointed or Group Auditor, APRA and the insurer or insurance group agree on the terms of the engagement. It is in the interests of both the insurer or insurance group and the Appointed or Group Auditor that an engagement letter is compiled to help avoid misunderstandings with respect to the engagement. When agreeing on the terms of the engagement, the Appointed or Group Auditor has regard to the requirements of ASAs, ASREs, ASAEs and ASRSs, as applicable.

121

To ensure that there is a clear understanding regarding the terms of the engagement, the following are examples of matters to be agreed:

  • APRA is to identify the scope of the insurer’s or insurance group’s operations, risk management or financial affairs to be the subject of the engagement.
  • APRA is to identify clearly whether the engagement is an audit, review or agreed-upon procedures engagement.
  • The Appointed or Group Auditor, APRA and the insurer or insurance group are to agree on the objectives of the engagement, key features and criteria of the area to be examined, and the period to be covered by the engagement.
  • For an agreed-upon procedures engagement, the Appointed or Group Auditor, APRA and the insurer or insurance group are to agree on the nature and extent of procedures to be performed.

32

Furthermore, in accordance with Prudential Standard CPS 231 Outsourcing, APRA may request the auditor of the insurer to provide an assessment of the risk management processes in place with respect to an arrangement to outsource a material business activity.

Non-routine Reporting Requirements

122

It is important that the Appointed or Group Auditor of an insurer, an authorised non-operating holding company (NOHC), or a subsidiary of an insurer or authorised NOHC, understands the additional responsibilities in relation to non-routine reporting to APRA, imposed under sections 49, 49A and 49B of the Act.

123

Under section 49 of the Act, APRA may give written notice to a person who is, or who has been, the Appointed or Group Auditor of either an insurer, an authorised NOHC, or a subsidiary of an insurer or authorised NOHC, to provide information about such entities to APRA if APRA considers that the provision of such information will assist APRA in performing its functions under the Act.[33]

124

Section 49A of the Act identifies matters of which APRA needs to be notified:

  1. immediately (for example, where an existing or proposed state of affairs may prejudice materially the interests of policyholders); and
  2. as soon as is practicable[34] (for example, where an insurer’s or insurance group’s failure to comply with the Prudential Standards or a condition of its authorisation is or will be significant).[35]

125

These matters are to be reported to APRA in writing. When an Appointed or Group Auditor contravenes this section of the Act, the Appointed or Group Auditor will be guilty of an offence under the Act.

126

Section 49B of the Act provides that a person who is, or who has been, the Appointed or Group Auditor of either an insurer, an authorised NOHC or a subsidiary of an insurer or authorised NOHC, may provide information about such entities to APRA if the person considers that the provision of that information to APRA will assist APRA in performing its functions under the Act or the Collection of Data Act.

127

GPS 310 requires the Appointed or Group Auditor, in assessing whether the interests of policyholders may be prejudiced materially[36], to consider not only a single activity or a single deficiency in isolation, as policyholders’ interests may be prejudiced materially by a number of activities or deficiencies which, although not individually material, do amount to a material threat when considered in totality.

128

In circumstances where the Appointed or Group Auditor has reasonable grounds to believe that the interests of policyholders are, or are likely to be, compromised, the Appointed or Group Auditor may need to consider the whistle-blowing provisions in both the Act and CPS 520.

129

GPS 310 requires matters reported to APRA by an Appointed or Group Auditor also to be reported to the insurer or insurance group to which the matter relates, unless the Appointed or Group Auditor considers that by doing so the interests of policyholders would be jeopardised, or where a situation of mistrust between an Appointed or Group Auditor and those charged with governance or senior management of the insurer or insurance group exists.

130

In relation to reporting under sections 49A and 49B of the Act, there is no requirement for the Appointed or Group Auditor of an insurer or insurance group to carry out additional work to satisfy themselves with respect to the above matters. Thus, subject to the reporting requirements as per GPS 310, the Appointed or Group Auditor is not required to extend the scope of the work to ascertain that the insurer or insurance group is complying with all aspects of all applicable Prudential Requirements. If the Appointed or Group Auditor becomes aware of any of the matters identified under sections 49A and 49B of the Act, the Appointed or Group Auditor brings the matter(s) to the attention of an appropriate level of management and those charged with governance of the insurer or insurance group. If the response provided by the insurer or insurance group is unsatisfactory, the Appointed or Group Auditor is obliged to report the matter(s) to APRA in a timely manner, having regard to materiality as described in paragraphs 73-78.

131

Section 49C of the Act and GPS 310 include provisions to protect an Appointed or Group Auditor providing information to APRA, in good faith and without negligence, from any action, claim or demand by, or any liability to, any other person in respect of the information.

33

To ensure that the auditor is able to comply with any such request from APRA, GPS 310 requires that all working papers and other documentation of the auditor in relation to the insurer be maintained for a period of seven years after the date of the report or certificate to which the working papers or documentation relate, as required under the Corporations Act 2001.

34

No longer than 10 business days.

35

Section 49A of the Act has been amended with effect from 1 January 2008.

36

Prejudice materially is taken to be the same as affect adversely. In cases where there is doubt, the auditor may need to obtain a legal opinion. Circumstances that may affect adversely the interests of policyholders are discussed in paragraphs 105-108.

Other Reporting Responsibilities

132

CPS 510 requires all locally incorporated insurers and authorised NOHCs to have a Board Audit Committee. CPS 510 sets out the specific requirements with respect to the size, composition, responsibilities and powers of the Board Audit Committee.

133

Although the type of engagement to which this Guidance Statement relates is not in relation to the audit of a financial report under the Corporations Act 2001, guidance on matters of governance interest that the Appointed or Group Auditor considers communicating to the Audit Committee can be found in ASA 260 Communication with Those Charged With Governance[37].

37

In the absence of a Board Audit Committee (for a foreign insurer), the auditor will normally communicate with the senior officer outside Australia.

Conformity with International Pronouncements

134

As this Guidance Statement relates to Australian legislative and regulatory requirements, there is no equivalent International Practice Statement (IPNS) to this Guidance Statement.
