GS 012

This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB), in consultation with the Australian Prudential Regulation Authority (APRA), to provide guidance to the appointed auditor of an Authorised Deposit-taking Institution (ADI) and/or appointed auditor of a Level 2 and/or Level 3 ADI group, reporting pursuant to the prudential reporting requirements specified by APRA in Prudential Standards APS 310 Audit and Related Matters (July 2019) (APS 310), 3PS 310 Audit and Related Matters (July 2017) (3PS 310) and APS 910 Financial Claims Scheme (July 2013) (APS 910).^[1]

This Guidance Statement includes references to prudential reporting requirements for ADIs and ADI groups, and their appointed auditors, as specified by APRA. “Level 1”, “Level 2” and “Level 3”, as applied in this Guidance Statement, have the meaning given in APRA Prudential Standards APS 001 Definitions (APS 001) and 3PS 001 Definitions (3PS 001).

1. In applying this Guidance Statement on a group basis, references to an ADI should be read as also referring to the head of a Level 2 or Level 3 group, as relevant. Where a Level 2 group operates within a Level 3 group, the head of the group is to be read as the head of the Level 3 group.
2. The term “ADI group” in this Guidance Statement will mean a Level 2 or a Level 3 group, as relevant, and will be used where requirements and guidance are common for Level 2 and Level 3 groups.

Registered Financial Corporations^[2]

This Guidance Statement provides guidance that may be considered and adapted as necessary in the circumstances, to assurance engagements undertaken pursuant to APRA Reporting Standard RRS 710.0 ABS/RBA Audit Requirements for Registered Financial Corporations – EFS collection (RRS 710.0), which applies to those Registered Financial Corporations (RFCs) required to report to APRA under the Economic and Financial Statistics (EFS) collection^[3], from 1 July 2019.

APRA collects statistical data from RFCs under the Financial Sector (Collection of Data) Act 2001 (FSCODA).^[4] RFCs are not prudentially regulated or supervised by APRA under the Banking Act 1959 (Banking Act) and APRA’s Prudential Standards do not apply to RFCs. Investors in RFCs do not have the right to priority of repayment that is conferred on depositors by section 13A of the Banking Act. Further, RFC products are not covered by the Financial Claims Scheme, which applies only to deposits held in protected accounts of ADIs.

This Guidance Statement is issued on 11 September 2020 by the AUASB and replaces GS 012 Prudential Reporting Requirements for Auditors of Authorised Deposit-taking Institutions, issued in June 2009.

Under the Banking Act, APRA is responsible for the prudential supervision and monitoring of prudential matters relating to ADIs, authorised non-operating holding companies (authorised NOHCs)^[5], and groups of bodies corporate which are their subsidiaries, in order to protect the interests of depositors of the ADIs and to promote financial system stability in Australia.

APRA formulates, promulgates and enforces prudential policy and practice through APRA Prudential Standards (APSs), which have the force of law. APRA may also issue non-enforceable Prudential Practice Guides (APGs) and other guidelines, to assist ADIs in complying with the requirements in its Prudential Standards and, more generally, to outline prudent practices in relation to certain elements of an ADI’s operations.^[6]

Prudentially regulated institutions, which includes ADIs, are required, under the FSCODA and Reporting Standards made under the FSCODA, to submit data to APRA as defined in APRA Reporting Forms and accompanying instructions. Some Reporting Forms are subject to assurance requirements.^[7]

The appointed auditor of an ADI and/or an ADI group has an important role to play in the prudential supervision process. Requirements for appointed auditors of ADIs and/or ADI groups to provide assurance reports on prudential matters to APRA are intended to assist APRA in assessing the reliability of information supplied to it by an ADI and/or an ADI group.

APRA also collects EFS data on behalf of the Australian Bureau of Statistics (ABS) and the Reserve Bank of Australia (RBA) (together, referred to as “the Agencies”), from ADIs and certain non-regulated corporations required to be registered under the FSCODA^[8].

EFS data is used by the Agencies for various purposes, including analysis, policy-making, compilation of key macroeconomic indicators for Australia, and as input to the national accounts to meet Australia’s international reporting obligations. This data may also be used by APRA for prudential purposes to promote financial system stability in Australia.

The FSCODA defines which categories of entities are registrable and also facilitates the collection of EFS data. Under the FSCODA, certain non-ADI lenders whose business activities in Australia includes the “provision of finance”^[9], or have been identified either individually or as a class of corporation specified by APRA, are required to be registered with APRA and to comply with requirements to submit EFS data to APRA.

EFS reporting requirements will depend on the size of an ADI or RFC. Based on thresholds included in APRA’s individual EFS Reporting Standards, larger ADIs and RFCs are required to report more detailed information, while smaller entities report less detailed information or do not report at all.

RRS 710.0 implements an assurance framework similar to that of APS 310/3PS 310 to RFCs.^[10]

The FCS for ADIs was put in place to protect the account-holders of locally incorporated ADIs from loss on their deposits, and to provide them with timely access to those deposits, in the event of an ADI becoming insolvent, up to a maximum amount guaranteed by the Australian Government. APRA is responsible for the administration of the FCS and for making payments to account-holders.^[11]

The audit [and review] of financial reports under the Corporations Act 2001 (Corporations Act) (where required) is directed towards obtaining sufficient appropriate evidence to form an opinion or conclusion, as applicable, on whether the financial report is presented fairly in accordance with the required financial reporting framework. The financial report audit [and review] is not designed to enable the appointed auditor to conclude in relation to the matters specified in APS 310, 3PS 310 and APS 910.

Prudential reporting requirements, imposed on the appointed auditor via the terms of engagement with an ADI, are in addition to the audit [and review] of financial reports required under the Corporations Act.

APS 310, 3PS 310 and APS 910 provide for two types of prudential reporting engagements to be conducted by the appointed auditor of an ADI and/or ADI group, namely:

1. annual prudential reporting engagements (routine reporting) - see paragraphs 48-57 of this Guidance Statement; and
2. special purpose engagements - see paragraphs 292-301 of this Guidance Statement.

APRA Prudential Standards may include further requirements for ‘independent’^[12] assurance engagements to be undertaken in relation to specific prudential matters.^[13] The appointed auditor of an ADI and/or ADI group may be engaged to undertake engagements of this type.

These requirements for independent assurance engagements are additional, and separate, to the APS 310, 3PS 310 and APS 910 annual prudential reporting requirements, and fall outside the scope of this Guidance Statement.

The responsibilities of the appointed auditor of an ADI and/or ADI group are contained in:

1. APS 310, 3PS 310 and APS 910;
2. other applicable APRA Prudential Requirements^[14], including the Banking Act, the FSCODA, and APRA Prudential and Reporting Standards;
3. applicable AUASB Standards; and
4. relevant ethical and professional standards.^[15]

(For an outline of the relevant reporting requirements applicable to the appointed auditor of an ADI and/or ADI group reporting pursuant to APS 310, 3PS 310 and APS 910, refer to the table in Appendix 1 to this Guidance Statement, entitled Outline of Auditor’s Reporting Requirements, Levels of Assurance, Subject Matter, Evaluation Criteria and Applicable AUASB Standards.)

In addition to the legislative and regulatory requirements imposed on appointed auditors, relevant AUASB Standards are applicable to assurance engagements under prudential standards:

1. Applicable Auditing Standards (ASAs), adapted as necessary in the circumstances of the engagement – when conducting a reasonable assurance engagement on historical financial information.

In applying Australian Auditing Standards to the engagement, the auditor has regard to any special considerations identified in ASA 805 Special considerations – Audits of single financial Statements and Specific Elements, Accounts or Items of a financial Statement, that may be relevant to the engagement.

2. Standard on Review Engagements (ASRE) ASRE 2405 Review of Historical Financial Information Other than a Financial Report (ASRE 2405) – when conducting a limited assurance engagement on historical financial information.
3. Standard on Assurance Engagements (ASAE) ASAE 3000 Assurance Engagements Other than Audits or Reviews of Historical Financial Information (ASAE 3000) – when conducting assurance engagements on subject matters other than historical financial information.
4. ASAE 3450 Assurance Engagements involving Corporate Fundraisings and/or Prospective Financial Information (ASAE 3450) – when conducting assurance engagements in relation to prospective financial information such as forecasts or projections.
5. ASAE 3150 Assurance Engagements on Controls (ASAE 3150) – when conducting assurance engagements in relation to internal controls.

(For an outline of the relevant AUASB Standards applicable to each part of the prudential assurance engagement, refer to Appendix 1 of this Guidance Statement.)

This Guidance Statement is to be read in conjunction with, and is not a substitute for referring to, the requirements and application and other explanatory material contained in AUASB Standards applicable to the prudential assurance engagement.

APRA places reliance on accounting and auditing standards to the extent that they do not conflict with Prudential Requirements applicable to the ADI. APS 310 and 3PS 310 requires appointed auditors, in meeting their role and responsibilities, to comply with the Auditing Standards and Guidance Statements issued by the AUASB, except where:

1. requirements are inconsistent, in which case the requirements of APS 310 and 3PS 310 will prevail; or
2. APRA otherwise specifies, in writing, to the ADI that alternative standards and guidance are to be used by the appointed auditor.

It is important that the appointed auditor of an ADI and/or ADI group recognises the additional responsibilities under sections 16B, 16BA and 16C of the Banking Act, imposed on any auditor of an ADI, an authorised NOHC, or their subsidiaries, to provide information to APRA upon request, or where the auditor possesses reportable information specified in that Act, or where the auditor considers that the provision of information would assist APRA in performing its functions under the Banking Act or the FSCODA.^[16]

Under section 70B of the Banking Act, Banking Act provisions will take precedence over any conflicting Corporations Act provisions. Therefore, any provisions made under the Banking Act governing auditor reporting to APRA will override any conflicting Corporations Act provisions which may apply to such reporting.

The use by ADIs and APRA of assurance reports prepared by appointed auditors need to be evaluated in the context of the inherent limitations of an assurance engagement and the subject matter of the engagement.^[17]

Both APS 310 and 3PS 310 warn that all persons involved in the provision of information (which includes the appointed auditor) are to note that it is an offence under subsections 137.1 and 137.2 of the Criminal Code Act 1995 to provide, whether directly or indirectly, false and misleading information to a Commonwealth entity, such as APRA.

For the purpose of this Guidance Statement, the following terms have the meanings attributed below:

‘Authorised Deposit-taking Institution’ (ADI) is defined in APS 001, to mean a body corporate authorised under section 9 of the Banking Act, to carry on banking business in Australia.^[18]

Reference in this Guidance Statement to an “ADI” will be taken, unless otherwise indicated, to include:

1. a “locally incorporated ADI”;
2. a “foreign ADI”; and
3. an “extended licenced entity”.^[19]

‘Appointed auditor’ means an independent auditor appointed by:

1. an ADI as an auditor for the purposes of APS 310 and APS 910; and
2. a Level 3 head as group auditor for the purposes of 3PS 310.

APS 310 and APS 910 allows for the appointed auditor to be the same auditor who audits an ADI for the purposes of the Corporations Act. Similarly, 3PS 310 allows for the Level 3 group auditor to be the same auditor who audits a Level 3 head for the purposes of the Corporations Act.

Under APS 310 and 3PS 310 separate auditors may be appointed to meet the APS 310 and 3PS 310 reporting requirements on a Level 1, Level 2 and Level 3 basis, and to undertake the different types of engagements provided for in these standards. APRA may also require that an ADI appoint another auditor, in addition to any auditor already appointed by the ADI, for the purposes of APS 310 and 3PS 310.

Therefore, it is possible for an ADI and ADI group to have more than one appointed auditor at any time, and for an APS 310/3PS 310 appointed auditor to be different from the auditor responsible for undertaking the financial report audit [and review] under the Corporations Act.

Where the Banking Act refers to “the auditor” of an ADI, this can be an auditor appointed for the purposes of APS 310 and/or 3PS 310, or another auditor, such as the auditor responsible for the audit [and review] of financial reports required under the Corporations Act.

Refer to APS 310 and 3PS 310 for further information on the use of group auditors, where the ADI is a member of a group.

‘Accounting records’ is defined in the AUASB Glossary as including “the records of initial accounting entries and supporting records, such as cheques and records of electronic fund transfers, invoices, contracts, the general and subsidiary ledgers, journal entries and other adjustments to the financial report that are not reflected in journal entries, and records such as work sheets and spreadsheets supporting cost allocations, computations, reconciliations and disclosures.”

For guidance on the application of the definition of “accounting records” to the assurance engagement, refer to paragraphs 148-156 of this Guidance Statement.

‘Advanced ADI’, means an ADI that has APRA’s approval to use an internal ratings-based approach to credit risk and/or an advanced measurement approach to operational risk, available under APRA Prudential Standards, for capital adequacy purposes.^[20]

ADIs choosing to adopt the advanced measurement approaches for the purpose of determining the ADI’s regulatory capital, require prior approval from APRA (APRA accreditation). Under the advanced approaches for measuring capital adequacy, an ADI is permitted to use its own quantitative risk estimates in calculating regulatory capital. This involves a greater use of internal modelling and other forms of statistical analysis, as well as qualitative assessment.

‘Authorised non-operating holding company’ (authorised NOHC), is defined in APS 001 to have the same meaning as under section 5 of the Banking Act.

‘ADI Reporting Form’ (or Data Collection Form), means a form used for the collection and reporting of information in relation to an ADI, as required to be provided to APRA by an ADI in accordance with APRA Reporting Standards made under the FSCODA.

‘Controls’ or ‘internal controls’, as used in this Guidance Statement, is defined in ASAE 3150 and generally encompasses the following components:

1. the control environment;
2. the ADI’s risk assessment process;
3. the information system, including the related business processes, relevant to financial and prudential reporting, and communication;
4. control activities; and
5. monitoring of controls.

‘Economic and Financial Statistics (EFS) Collection’, is defined in APRA Reporting Standard ARS 701.0 ABS/RBA Definitions for the EFS Collection, and comprises the EFS Reporting Standards and data collected under the EFS Reporting Standards.

‘Foreign ADI’, is defined in APS 001 to have the same meaning as under section 5 of the Banking Act. The terms “branch of a foreign bank” and “branch of a foreign ADI” are also used in APRA Reporting Standards and Reporting Forms when referring to a “foreign ADI” and refers to the foreign ADI’s Australian operations as if it was a stand-alone ADI.

Reference to a foreign ADI does not capture locally incorporated ADI subsidiaries of foreign banks, that is, a “foreign-owned ADI”.^[21]

‘Group’, is defined in APS 001 as reference to a corporate group that comprises of more than one company that are related bodies corporate within the meaning of section 50 of the Corporations Act.

‘Head of the group’, means the head or parent entity of a Level 2 or Level 3 group, as relevant. Where a Level 2 group operates within a Level 3 group, a requirement expressed as applying to the head of the group, is to be read as applying to the “Level 3 head”.

‘Level 1’ ADI, means the ADI itself, as defined in APS 001 (see definition above).

‘Level 2’ ADI group, means the entities that comprise “Level 2”, as defined in APS 001.

‘Level 3’ group, as defined in APS 001 and 3PS 001, means the conglomerate group at the widest level and include all institutions determined by APRA to be members of a Level 3 group.

APRA may determine a Level 3 group where it considers that material activities are performed within the group across more than one prudentially regulated industry and/or in one or more non-prudentially regulated industries, to ensure that the ability of the group’s prudentially regulated institutions to meet their obligations to depositors, policy holders or registrable superannuation entity beneficiaries is not adversely impacted by risks emanating from the group, including its non-prudentially regulated institutions.

Generally, a conglomerate group will be headed by an ADI or an authorised NOHC and may include financial (APRA regulated^[22] and unregulated) as well as non-financial (commercial) entities.

Attachment A to APS 001 provides further information to inform the auditor’s understanding of what constitutes a conglomerate group for the purposes of reporting pursuant to APS 310 and 3PS 310.

‘Level 3 head’, is defined in 3PS 001 to mean:

1. an ADI or authorised NOHC under the Banking Act;
2. a general insurer or authorised NOHC under the Insurance Act; or
3. a life company or registered NOHC under the Life Insurance Act,

determined by APRA to be the head of a Level 3 group.

‘Limited assurance’, is defined in APS 001, in accordance with the AUASB’s Framework for Assurance Engagements.

‘Prudential Requirements’^[23], is defined in APS 001 and includes requirements imposed by:

1. the Banking Act;
2. Regulations (made under the Banking Act);
3. APRA Prudential Standards (made under the Banking Act);
4. the FSCODA;
5. APRA Reporting Standards (made under the FSCODA);
6. APRA conditions on the ADI’s authorisation; and
7. any other requirements imposed by APRA, in writing, in relation to an ADI.

‘Reasonable assurance’, is defined in APS 001, in accordance with the AUASB’s Framework for Assurance Engagements.

‘Routine reporting’, refers to the appointed auditor’s responsibility under APS 310, 3PS 310 and APS 910 to report to APRA and the ADI and/or Level 3 head, on an annual basis, in relation to the matters identified in paragraphs 48-57 of this Guidance Statement.

‘Specified ADI Reporting Forms’, means APRA ADI Reporting Forms listed in APS 310 Attachment A – Data Collections subject to reasonable and/or limited assurance.^[24]

‘Standardised ADI’, means an ADI that uses the standardised measurement approaches, available under APRA Prudential Standards, for capital adequacy purposes in respect of the whole of its operations. See also paragraph 28(d) above.

APRA liaison with an appointed auditor is conducted normally under tripartite arrangements involving APRA, the ADI and/or head of the group, and its appointed auditor(s). Any one of these parties may initiate meetings or discussions at any time, when considered necessary.^[25]

In the normal course, regular tripartite meetings are held to discuss the appointed auditor’s annual prudential assurance report(s), prepared pursuant to APS 310 and/or 3PS 310.

Notwithstanding the tripartite relationship, APRA and the appointed auditor may meet, at any time, on a bilateral basis at the request of either party. APRA may communicate with an auditor of an ADI and/or ADI group on a bilateral basis to obtain or discuss information for whatever reason(s) it considers appropriate.

Under APRA’s Prudential Standard CPS 510 Governance (CPS 510), an APRA-regulated entity is required to ensure that its internal policy and contractual arrangements do not explicitly or implicitly restrict or discourage auditors or other parties from communicating with APRA.

Governance

CPS 510 sets out the minimum requirements that any APRA-regulated institution and the head^[26] of a group must meet in order to promote strong and effective governance.

Under CPS 510, ultimate responsibility for oversight of the sound and prudent management of an APRA-regulated institution lies with its board of directors (Board), or equivalent.^[27] For an ADI group, this responsibility will rest with the Board (or equivalent) of the head of the group.

Risk Management

Under APRA’s Prudential Standard CPS 220 Risk Management, it is the responsibility of the Board and management of an ADI and the head of an ADI group to ensure that, respectively, the ADI and ADI group has prudent risk management practices.

CPS 220 requires an ADI and/or the head of an ADI group to maintain a Risk Management Framework (RMF) appropriate to the size, business mix and complexity of the ADI and/or ADI group, as applicable, to ensure the ADI and the ADI group manage risks arising from its business and continue to meet its obligations to depositors. The Board of an ADI is ultimately responsible for the ADI’s RMF and for oversight of its operation by management, in accordance with the requirements of CPS 220.

Refer to CPS 220 for further information on the key elements to be included in an ADI’s and/or ADI group’s RMF, including requirements regarding the use of group risk management where an ADI is part of an ADI group.

An ADI or head of an ADI group is required to submit to APRA an annual Risk Management Declaration in accordance with requirements set out in CPS 220 and Attachment A to CPS 220.

CPS 220 requires an ADI and/or head of an ADI group to notify APRA when it becomes aware of a significant breach of, or material deviation from its RMF, or that the RMF does not adequately address a material risk, as well as any material or prospective material changes to the size, business mix and complexity of its operations.

Responsibility to Appoint Independent Auditor

Under APS 310 and 3PS 310, an ADI and/or head of an ADI group is required to appoint, as appropriate, an auditor(s) and/or group auditor(s) to meet the prudential reporting requirements under APS 310, 3PS 310 and APS 910, as applicable. APS 310 sets out the eligibility criteria for the appointment of a Level 1 (the ADI) and Level 2 (the ADI group) auditor as well as the permitted use of group auditors where an ADI is a member of a Level 2 ADI group. 3PS 310 sets out the requirements in relation to the appointment of auditors for a Level 3 group.

APS 310 and 3PS 310 require an ADI and/or head of an ADI group to:

1. ensure its auditor satisfies the requirements of APS 310 and/or 3PS 310;^[28]
2. set out the terms of the engagement, including matters identified in APS 310 and/or 3PS 310, in a legally binding contract with its appointed auditor and to ensure the auditor complies with these terms; and
3. ensure its auditor undertakes the roles and responsibilities as specified in APS 310 and 3PS 310, as relevant.

Financial Claims Scheme

APRA issued APS 910 to assist ADIs to comply with the requirements of the FCS. It applies to all ADIs except for foreign ADIs and providers of purchased payment facilities.

Under APS 910, ADIs subject to APS 910 are required to implement systems and processes that allow it, to the extent practicable, to identify protected accounts for each account-holder, generate an aggregated view (“single customer view”) of each account-holder identified, and meet reporting, communications, testing and assurance requirements, which will enable APRA to pay out account-holders of the ADI in a timely and effective manner in the event of an ADI being declared subject to the FCS.^[29]

Under APS 910, the Board and senior management of an ADI are responsible for ensuring that appropriate policies and procedures are in place to ensure the integrity of the operations, internal controls and information required under APS 910. This includes, but is not limited to:

1. ensuring that the systems and data required by APS 910 are subjected to an independent limited assurance engagement, in accordance with the requirements stipulated in APS 910, and that this assurance be provided at the same time as the assurance required by APS 310, unless otherwise agreed by APRA; and
2. providing an attestation from the Chief Executive Officer in accordance with the requirements stipulated in APS 910.

Responsibility to keep Auditor Informed

Under APS 310 and 3PS 310, the ADI and/or head of the ADI group is required to ensure that its appointed auditor(s) is kept fully informed, including ensuring that the auditor:

1. has access to all data, information, reports and staff of the ADI and/or ADI group, which the appointed auditor reasonably believes is necessary to fulfil its role and responsibilities under APS 310 and/or 3PS 310. This includes, access to the Board and Board Committees of the ADI and head of the ADI group, internal auditors of the ADI and/or the ADI group, and auditors of entities in the group, as required;
2. is kept fully informed of all Prudential Requirements applicable to the ADI and/or head of the ADI group; and
3. is provided with any other information that APRA has provided to the ADI and/or head of the ADI group that may assist the appointed auditor in fulfilling its role and responsibilities under APS 310 and/or 3PS 310.

In relation to the ADI’s and/or ADI group’s responsibility to keep the auditor informed, the auditor includes these responsibilities clearly in the engagement letter and also requests management of the ADI and/or ADI group to sign an appropriate representation letter(s).^[30]

APS 310 and 3PS 310 require an ADI and/or the head of the ADI group, as applicable, to ensure its auditor:

1. satisfies the fitness and propriety requirements set out in Prudential Standard CPS 520 Fit and Proper;
2. satisfies the auditor independence requirements in CPS 510 ; and
3. is not subject to a direction issued under the Banking Act.

As such, the auditor will need to provide information to the entity to enable the ADI and/or head of the ADI group to comply with requirements.

For an outline of the relevant reporting requirements applicable to the appointed auditor of an ADI and/or ADI group reporting pursuant to APS 310, 3PS 310 and APS 910, refer to the table in Appendix 1 to this Guidance Statement, entitled Outline of Auditor’s Reporting Requirements, Levels of Assurance, Subject Matter, Evaluation Criteria and Applicable AUASB Standards.

Prudential Standards APS 310 and 3PS 310^[31]

Under APS 310 and 3PS 310^[32], the appointed auditor of an ADI and/or group auditor of an ADI group is required to report simultaneously to APRA and the Board (or Board Audit Committee) of the ADI and/or head of the ADI group, as appropriate,^[33] within three months^[34] of the end of the financial year, in relation to the following matters^[35]:

1. Assurance on Specified^[36] ADI Reporting Forms at the financial year-end:
   1. Reporting Forms with Data Sourced from Accounting Records
2. The appointed auditor is required to provide reasonable assurance that the information included in the Specified ADI Reporting Forms at the financial year-end, sourced from accounting records, is reliable and in accordance with the relevant APRA Prudential and Reporting Standards;
   2. Reporting Forms with Data Sourced from Non-Accounting Records
3. Unless otherwise indicated, in writing, by APRA, the appointed auditor is required to provide limited assurance that the information, included in the Specified ADI Reporting Forms at the financial year-end, sourced from non-accounting records, is reliable and in accordance with the relevant APRA Prudential and Reporting Standards;
   3. Reporting Forms with Data Sourced from a Combination of Accounting and Non-Accounting Records
4. Unless otherwise indicated, in writing, by APRA, the appointed auditor is required to provide reasonable assurance on information sourced from accounting records, and limited assurance that information sourced from non-accounting records, at the financial year-end, is reliable and in accordance with the relevant APRA Prudential and Reporting Standards.

2. Limited Assurance on Internal Controls addressing Compliance with Prudential Requirements and the Reliability of Data included in ADI Reporting Forms
   1. The appointed auditor is required to provide limited assurance that:

      1. the ADI and/or head of ADI group has implemented internal controls that are designed to ensure the ADI and/or head of the ADI group, as relevant, has:

         1. complied with all applicable Prudential Requirements; and

         2. provided reliable data to APRA in the Reporting Forms prepared under the FSCODA; and

      2. the controls in paragraph (b)(i) have operated effectively throughout the financial year.

3. Limited Assurance on Compliance with Prudential Requirements

   The appointed auditor is required to provide limited assurance, based on the appointed auditor’s work under (a) and (b) above^[37], that the ADI and/or the head of the ADI group, as relevant, has complied with all relevant Prudential Requirements under the Banking Act and the FSCODA, including compliance with APRA Prudential and Reporting Standards, during the financial year.^[38]

3PS 310 requires that reports, assessments and other material required under this standard make it clear where the auditor is referring to matters relating to the Level 3 head or the Level 3 group.

Under APS 310 and 3PS 310, it is the responsibility of the appointed auditor, as provided for in the required terms of engagement, to submit directly to APRA:

1. all reports required to be produced under APS 310 and 3PS 310; and
2. all assessments and other material associated with these reports, if requested by APRA.

Ordinarily, matters reported to APRA under paragraph 50 are also reported to the ADI and/or head of the ADI group to which the matter relates. However, APS 310 and 3PS 310 specifically prohibit the appointed auditor from notifying the ADI and/or head of the ADI group of, or from providing the ADI and/or head of the ADI group with, the documents referred to in paragraph 50, where:

1. the appointed auditor considers that by doing so the interests of depositors of the ADI or ADIs within the group would be jeopardised; or
2. there is a situation of mistrust between the appointed auditor and the Board of the ADI and/or head of the ADI group, or senior management of the ADI or ADI group.

In accordance with APS 310 and 3PS 310, an appointed auditor, whether as part of routine or special purpose engagements, must not place sole reliance on the work performed by APRA.

The appointed auditor of an ADI is required to attend all meetings with APRA related to APS 310 and 3PS 310, whether on a bilateral, tripartite or other basis, unless APRA indicates otherwise in writing.

Prudential Standard APS 910 Financial Claims Scheme

APS 910^[39] requires the appointed auditor, in accordance with APS 310, to provide limited assurance that:

1. the ADI^[40] has controls that are designed to ensure that Single Customer View (SCV) data as set out in APS 910 Attachment A, to the extent practicable, and FCS payment instruction and reporting information can be relied upon as being complete and accurate and in accordance with APS 910; and
2. these controls have operated effectively when tested.

APS 910 requirements are in addition to the APS 310 requirement for appointed auditors to perform a limited assurance engagement on controls implemented by the ADI to ensure compliance with all prudential requirements (which includes compliance with APS 910).

Generally, the APS 910 assurance engagement will be undertaken as part of the annual APS 310 assurance engagement on controls. APRA has indicated^[41] that, in circumstances where the APS 310/3PS 310 appointed auditor may not be in a position to undertake the APS 910 engagement, a different auditor from the same or a different audit firm will be able to carry out the APS 910 engagement, in accordance with the requirements of applicable AUASB Standards.^[42]

APRA requires the timing of the APS 910 assurance engagement to be aligned with the annual APS 310 assurance engagement. A separate assurance report for the APS 910 engagement is preferred, but the requirement is that this report be submitted to APRA at the same time as the APS 310 prudential assurance report.

The requirement to report pursuant to APRA’s annual prudential reporting requirements, is in addition to the audit [and review] of financial reports required under the Corporations Act, and is to be treated by the appointed auditor as a separate engagement.

The appointed auditor accepts the prudential reporting engagement only when satisfied that relevant ethical requirements relating to the assurance engagement have been met. The concept of independence is important to the appointed auditor’s compliance with the fundamental ethical principles of integrity and objectivity and the auditor is required to meet the independence requirements stipulated under both CPS 510 and Auditing Standard ASA 102^[43]. Furthermore, the auditor needs to satisfy the fitness and propriety requirements specified in CPS 520.

The appointed auditor and the ADI and/or head of the ADI group, as applicable, agree on the terms of the engagement for each discrete part of the assurance engagement, in accordance with the requirements contained in AUASB standards ASA 210^[44], ASAE 3000, ASAE 3150, ASAE 3450 and ASRE 2405. These arrangements have to be legally binding and include the required terms of engagement specified in APS 310/3PS 310.

An engagement letter^[45] confirms both the client’s and the appointed auditor’s understanding of the terms of the engagement, helping to avoid misunderstanding, and the appointed auditor’s acceptance of the appointment. Both parties sign the engagement letter to acknowledge that it is a legally binding contract.

The auditor may also use the engagement letter to clarify the respective roles of the ADI and/or the head of the ADI group, as appropriate, and the auditor. In particular, it is important to highlight in the engagement letter the entity’s responsibility to establish and maintain effective internal control to ensure compliance with Prudential Requirements and to ensure the reliability of data included in ADI Reporting Forms. As part of the acceptance of the prudential assurance engagement, the auditor may consider obtaining acknowledgement of this obligation from those charged with governance of the ADI and/or ADI group when obtaining agreement on the terms of the engagement.

For recurring engagements, the appointed auditor considers whether circumstances require the terms of the engagement to be revised and whether there is a need to re-confirm in writing the existing terms of the engagement. While the appointed auditor may decide not to re-confirm the terms of engagement each year, factors that may make it appropriate to do so include a recent change of senior management or those charged with governance, or any indication that the entity misunderstands the objectives and scope of the prudential reporting engagements.

APS 910 identifies additional requirements for ADIs and their appointed auditors, including a requirement for auditors to perform a limited assurance engagement on the ADI’s controls in relation to the SCV data and FCS payment instruction and reporting information. These requirements are in addition to the APS 310/3PS 310 requirement for auditors to perform a limited assurance engagement on controls implemented by the ADI to ensure compliance with all prudential requirements (which includes compliance with APS 910). The auditor may use the engagement letter to clarify the respective roles of the ADI and the appointed auditor. In particular, it is important to highlight the entity’s responsibility for ensuring the integrity of the operations, internal controls and information required under APS 910.

The engagement letter explains that any special purpose engagement of any aspect of the ADI’s business operations, prudential reporting, risk management systems or financial position, will constitute a separate engagement(s) and that the details of such engagement(s) will be the subject of a separate engagement letter(s).^[46]

The engagement letter furthermore clarifies that, in accordance with CPS 510, the appointed auditor is not to be a party to any contractual arrangements, or any understandings with an ADI, that seeks in any way to limit the auditor’s ability or willingness to communicate to APRA. APRA may liaise bilaterally with an appointed auditor and may, although not usually, request information directly from the appointed auditor. The appointed auditor notifies APRA of any attempts by an ADI to achieve such arrangements or understandings.

Refer to Appendix 2 of this Guidance Statement for an example engagement letter that reflects APRA reporting requirements as per APS 310 and APS 910. This letter includes examples of matters typically included in the engagement letter.

The auditor plans the engagement in accordance with the requirements of, and has regard to, guidance provided in AUASB standards ASA 805, ASA 300^[47] (as adapted), ASAE 3000, ASAE 3150, ASAE 3450 and ASRE 2405, as applicable. The auditor performs preliminary engagement activities to establish and document the overall assurance engagement strategy that sets the scope, timing and direction of the engagement, and guides the development of the engagement.

The appointed auditor obtains an understanding of the entity and its environment, including its internal control and compliance framework, and other assurance engagement circumstances, sufficient to:

1. identify and assess the risks of:
   1. material misstatements in subject matter information;
   2. material deficiencies or deviations in internal controls (in relation to the area of activity to be examined); and
   3. non-compliance with applicable Prudential Requirements; and
2. design and perform further evidence-gathering procedures.

In gaining an understanding of the entity and its environment, the appointed auditor can draw on knowledge gained as part of the annual financial statement audit conducted under the Corporations Act. However, this understanding needs to be updated and broadened to address the subject matters included in the scope of the prudential reporting assurance engagement, such as the controls in place to ensure compliance with all applicable prudential standards which are not otherwise considered as part of the annual financial statements audit.

AUASB standards ASA 315^[48] (as adapted), ASAE 3000, ASAE 3150 and ASAE 3450 provide examples of matters that may be considered, and procedures that may be performed, by the auditor in gaining this understanding. The auditor exercises professional judgement to determine the nature and extent of the understanding that is required.

When performing procedures to obtain an understanding of the entity and its environment, consideration of the following matters may be helpful:

• The size, business mix and complexity of the ADI or the ADI group it heads.
• Changes in the market environment.
• Whether the ADI is an Advanced or Standardised ADI.
• Whether the ADI is a foreign ADI.
• Governance and management functions within the ADI, including the respective roles and responsibilities attributed to the finance, risk management (including data risk management), compliance and internal audit functions.
• The risk culture.
• The reliability of reporting systems.
• The significance and complexity of the information technology environment and systems.
• The adequacy of systems and controls to identify, assess, manage, mitigate and monitor material risks.
• The compliance framework, processes and controls.
• History of non-compliance.
• Any (formal) communications between APRA and the ADI and/or the head of the ADI group, and the results of any supervisory visits conducted by APRA in relation to the engagement.
• Previous auditor’s reports, including the auditor’s report on the financial report, and related management letters.
• Recent reports prepared by other auditors appointed to report on any aspect of the ADI and/or the ADI group, including any reports issued in relation to the review of the RMF in accordance with CPS 220 requirements.
• The estimation and uncertainty inherent in applied measurement methodologies.
• Any bias inherent in adopted measurement methodologies.
• Work performed by the internal audit and compliance functions, and any reliance that may be placed on this work.
• Discussions with entity staff responsible for monitoring regulatory compliance, such as the ADI’s Chief Risk Officer and Compliance Officer.
• The auditor’s additional reporting responsibilities under the Banking Act.^[49]
• Changes since the last reporting period to:
  1. the requirements of relevant AUASB Standards; and
  2. applicable Prudential Requirements.

In identifying and assessing the risks of material misstatement, the auditor may need to consider the use of accounting estimates in the calculation of, for example, the ADI’s Prudential Capital Requirement (PCR)^[50], in accordance with the requirements and having regard to guidance provided in Auditing Standard ASA 540 Auditing Accounting Estimates and Related Disclosures. The nature, timing and extent of the risk assessment and further assurance procedures required by ASA 540 will vary in relation to the estimation uncertainty and the assessment of the related risks of material misstatement. ASA 540 may prove helpful in evaluating misstatements of accounting estimates and in identifying possible management bias. Whilst ASA 540 is primarily directed at the audit of accounting estimates, the auditor uses professional judgement in considering the applicability of ASA 540 to non-accounting estimates, such as non-financial data included in ADI Reporting Forms which may be subject to limited assurance.

Internal Controls and Compliance Framework

The auditor obtains an understanding of the entity’s internal controls, the system within which the controls operate and the control components within the system, that are relevant to the assurance engagement, having regard to the requirements and guidance provided in ASAE 3150.^[51]

The auditor obtains an understanding of the entity’s compliance framework, key elements of the framework, and compliance requirements that are relevant to the assurance engagement. AUASB Standard on Assurance Engagements ASAE 3100 Compliance Engagements includes information that the auditor may find useful in this regard.

Prudential Requirements generally require ADIs to have in place internal controls corresponding to their size and complexity, aimed at ensuring that:

1. risks are managed within prudent limits set by senior management and those charged with governance;
2. information provided to management and those charged with governance is adequate and timely; and
3. the ADI complies with applicable prudential and statutory requirements.

In addition to the general planning considerations, the auditor takes into consideration the following factors when planning the limited assurance engagement of the internal controls relevant to the assurance engagement:

• The size, business mix and complexity of the ADI and/or the ADI group, and specifically whether or not an ADI is an Advanced ADI^[52], as this will influence the degree of complexity impacting the control environment, compliance framework and control policies and processes.
• The overall compliance framework adopted to ensure compliance with all applicable Prudential Requirements, including controls, policies and processes, and consideration of whether or not these are appropriate given the size, business mix and complexity of the ADI and/or ADI group.
• The sufficiency and appropriateness of the ADI’s and/or ADI group’s Risk Management Systems descriptions and similar policy documents issued in accordance with specific Prudential Standards, and consideration of whether these are up to date and in sufficient detail to facilitate compliance with the relevant Prudential Standards.
• Matters relating to the ADI’s and/or the ADI group’s organisational structure and operating characteristics, and recent significant changes thereof, which could impact on relevant internal controls.
• Knowledge of internal controls obtained during other assurance engagements conducted in relation to the ADI and/or ADI group.
• The method adopted, and the process used, by the ADI and/or ADI group to develop risk information to be disclosed in ADI Reporting Forms.
• Previously communicated instances of material non-compliance with Prudential Requirements and/or material deficiencies and/or deviations in internal controls designed to ensure compliance with all applicable Prudential Requirements and the provision of reliable data to APRA in Reporting Forms, that have not been resolved.

The above is not meant to represent an exhaustive list and there may be other factors relevant to the specific circumstances of an ADI and/or ADI group.

In accordance with the requirements of the relevant AUASB Standards, the auditor designs and performs assurance procedures, the nature, timing and extent of which are responsive to the assessed risks of material misstatement, material deficiencies or deviations in controls or instances of material non-compliance, having regard to the level of assurance required, reasonable or limited, as appropriate. Determining the exact nature, timing and extent of procedures is a matter of professional judgment and will vary from one engagement to the next.

The table in Appendix 1 of this Guidance Statement provides an outline of the subject matter and criteria relevant to each part of the assurance engagement, as well as applicable AUASB Standards.

The level of assurance required to be provided by the auditor for Parts A and B of the engagement, is determined by the source of the data included in each Specified ADI Reporting Form. A reasonable level of assurance is required for data sourced from “accounting records”. A limited level of assurance is required for all other data. The definition of “accounting records”^[53] therefore needs to be applied with care. Paragraphs 148-156 below, provide guidance on the application of this definition.

The appointed auditor identifies the most recent year-end ADI Reporting Forms submitted to APRA. Further guidance is provided in paragraphs 157-161 below.

The appointed auditor is to note that, in relation to ADI Reporting Forms prepared under the FSCODA, there are additional Reporting Forms, beyond the Specific Reporting Forms listed in Attachment A to APS 310 (which is the subject matter for Parts A and B). These additional Reporting Forms are to be included in the scope of Part C of the assurance engagement, together with the Reporting Forms identified in Attachment A to APS 310.

The appointed auditor identifies, and obtains an understanding of, all the Prudential Requirements^[54] applicable to the specific ADI (including any additional guidance provided by APRA to the ADI), with particular attention to changes in these requirements during the reporting period. The auditor makes enquiries with respect to any requirements that are imposed in writing by APRA on a bilateral APRA-ADI basis, or in relation to conditions on the ADI’s authorisation, as these requirements may vary from one ADI to another.

Compliance with Prudential Requirements is broader than compliance with only the quantitative limits in APRA Prudential Standards (for example, capital requirements). The appointed auditor is required to provide assurance in relation to compliance with all relevant/applicable Prudential Requirements under the Banking Act and the FSCODA, including compliance with APRA Prudential and Reporting Standards.

The scope of the prudential assurance engagement therefore includes compliance with APRA Prudential Standards dealing with, for example, governance (CPS 510), risk management (CPS 220), public disclosure (APS 330), the Financial Claims Scheme (APS 910), and the APS 310/3PS 310 requirements relating to the appointment of the auditor and the use of group auditors.

In relation to an ADI’s responsibility to keep the appointed auditor informed of all APRA Prudential Requirements applicable to the ADI, the appointed auditor obtains written representations from those responsible.^[55]

Data collected in ADI Reporting Forms are primarily used by APRA for the purpose of prudential regulation and supervision of individual ADIs. The data may also be used by the RBA for the overall supervision of the stability of the financial system and for setting monetary policy, and by APRA, the ABS and the RBA to construct a range of important statistics. The auditor refers to ADI Reporting Forms and Instructions, and associated Prudential and Reporting Standards, for information regarding the nature and purpose of each individual ADI Reporting Form.

Data collected under the EFS Reporting Standards are primarily used by the ABS and RBA for analysis, publication and policy-making purposes. EFS data is used by the ABS to compile and publish key macroeconomic indicators, including Australia’s National Accounts and leading indicators of lending activity, which are used to monitor Australia’s growth. The RBA uses EFS data to construct and publish Australia’s monetary and credit aggregates, and for analytical and policy purposes. Data published by the ABS and RBA are also used by other policy makers and the wider public for research, analysis and policy making.^[56] Information collected under the EFS Reporting Standards may be used by APRA for prudential and publication purposes.

Requirements for auditors of ADIs to provide assurance reports on prudential matters to APRA are intended to assist APRA, and the Agencies, in assessing the reliability of information supplied to it by an ADI.

Auditors need to be aware that APRA has the power under subsection 56(5) of the Australian Prudential Regulation Authority Act 1998 to make “protected information” (which may include auditors’ reports or information extracted from such reports) available to another financial sector supervisory agency (for example, the RBA and Treasury), or any other specified agency (including foreign agencies), when APRA is satisfied such information will assist those agencies in performing its functions or exercising its powers.

The concept of reliability is to be viewed in the context of the reliability of the data for the intended use by the identified users.

Under the Australian Accounting Standards Board’s (AASB’s) Glossary of Defined Terms, information has the quality of reliability when it is free from material error and bias and can be depended upon by users to represent faithfully, and without material error and bias, the transactions or events that either it purports to represent or could reasonably be expected to represent.

In applying this concept of reliability to the prudential reporting engagement, information in ADI Reporting Forms is not to lead users to conclusions that serve the particular needs of an ADI. Furthermore, such information needs to be capable of reliable measurement.

APRA Prudential and Reporting Standards provide the frame of reference (benchmarks) for reasonably consistent evaluation or measurement, within the context of the auditor’s professional judgement, of the reliability of the information included in ADI Reporting Forms.

The appointed auditor identifies and obtains an understanding of the applicable Prudential Requirements that govern the preparation of data within ADI Reporting Forms, with particular attention to changes in these requirements during the reporting period under review. In addition to the Prudential and Reporting Standards issued by APRA, other Prudential Requirements, including the specific Reporting Form Instruction Guides, will also have an impact on the provision of reliable data to APRA under the FSCODA and, therefore, the appointed auditor has regard to all relevant Prudential Requirements when planning and conducting the engagement.

It is important that the appointed auditor obtains an understanding of how APRA Prudential and Reporting Standards differ from the financial reporting framework^[57] which are used to record data in the ADI’s accounting records.

APRA’s Prudential Practice Guide CPG 235 Managing Data Risk (CPG 235) may aid in the auditor’s understanding of the concept of reliability in the context of the assurance engagement. CPG 235 provides guidance to APRA regulated entities on managing data risk, including assessing data quality by reference to its fitness for use, that is, the degree to which data is relevant, appropriate for its intended purpose and meets business specifications.

Other determinants of data quality identified in CPG 235 include:

1. accuracy – the degree to which data is error free and aligns with what it represents;
2. completeness – the extent to which data is not missing and is of sufficient breadth and depth for the intended purpose;
3. consistency – the degree to which related data is in alignment with respect to dimensions such as definition, value, range, type and format, as applicable;
4. timelines – the degree to which data is up-to-date; and
5. availability - accessibility and usability of data when required.

EFS Collection

APRA’s Reporting Practice Guide RPG 702.0 ABS/RBA Data Quality for the EFS Collection (RPG 702.0) provides guidance to assist ADIs and RFCs required to submit EFS data to APRA, to meet the Agencies’ data quality requirements in relation to EFS Reporting Standards.

RPG 702.0 is to be read in conjunction with:

1. the EFS collection, including Reporting Standard ARS 701.0 ABS/RBA Definitions for the EFS Collection and Reporting Practice Guide RPG 701.0 ABS/RBA Reporting Concepts for the EFS Collection, which contains definitions of, and guidance on, the data to be reported to APRA and the Agencies; and
2. Prudential Practice Guide CPG 235.

RPG 702.0 outlines how the Agencies, as primary users, intend to use data collected under the EFS Reporting Standards. It informs EFS reporting entities of the significance of specific EFS data items for use by the Agencies and is designed to assist entities in meeting EFS quality control requirements by adapting data risk management practices outlined in CPG 235 for the EFS collection.

Although the Agencies expect all data collected by APRA on their behalf to be accurate, reporting entities are expected to use the data priority ranking^[58] included in RPG 702.0 as an indicator of the relative importance of the accuracy of these data items and, therefore, where to focus data quality management practices.

The tables in Attachment A to RPG 702.0 includes qualitative benchmarks to indicate the size of misreported data items that may impact the use of the data by the Agencies and thus would be considered a “reporting error” that needs to be notified to APRA. These benchmarks vary according to entity size^[59], type of data item^[60] and prioritisation of data^[61].

Benchmarks for entities defined as “large institutions” in RPG 702.0 recognise that reporting errors by a single large entity are more likely to impact industry aggregates due to their size, while benchmarks for the entities that are not large are aimed at identify reporting errors that could affect the industry aggregate results if occurring across several entities simultaneously.

RPG 702.0 includes specific guidance in relation to the:

1. application of judgement in identifying reportable errors for “standard” priority data items (that is, data items that is not of a “high” or “very high” priority);
2. application of benchmarks where data items is at, or very close to, zero;
3. application of benchmarks to volatile “flow” data items; and
4. the use of proxy methodologies for selected data items^[62].

The Agencies and APRA recognise that not all practices outlined in the guide will be relevant for every EFS reporting entity and that some aspects may vary depending upon the size, complexity and systems configuration of the EFS reporting entity.

The auditor considers materiality, in accordance with the requirements of AUASB Standards applicable to each section of the assurance engagement, when planning and performing the engagement. During the engagement the auditor re-assesses materiality if matters come to their attention that indicate that the basis on which materiality was assessed has changed.

For assurance purposes, materiality is determined in order to establish:

1. a tolerable level of misstatement in relation to financial and non-financial information included in ADI Reporting Forms, deficiencies or deviations in controls, or non-compliance with applicable Prudential Requirements;
2. the scope of assurance work to be performed; and
3. a reasonable basis for evaluating identified misstatements, deficiencies, deviations, or non-compliance.

In determining materiality levels, the auditor exercises professional judgement to understand and assess the factors that might influence the decisions of APRA and other intended users.^[63] Judgements about materiality are affected by quantitative and qualitative factors as well as consideration of the potential of misstatements, control deficiencies or deviations, or non-compliance that are individually immaterial but in the aggregate may adversely affect decisions made by those users. Where particular categories of data or compliance matters may have a greater impact on the decisions of users, materiality may need to be set at a lower level for those amounts or matters.

ASAE 3000 explains that, although there is a greater risk that misstatements, control deficiencies or deviations, or non-compliance may not be detected in a limited assurance engagement than a reasonable assurance engagement, the judgement as to what is material is made by reference to surrounding circumstances, the subject matter on which the auditor is reporting, and the needs of those relying on that information, as opposed to the level of assurance obtained. That is, for the same intended users and purpose, materiality for a reasonable and limited assurance engagement will be the same. In setting materiality levels, regardless of the subject matter or level of assurance, it is the auditor’s objective to reduce risk to an acceptable level in the circumstances of the assurance engagement.

Since the concept of materiality applies differently in the context of an engagement to provide assurance on information included in Reporting Forms, an engagement to provide assurance on internal controls, and for the purpose of reporting on compliance, it is considered separately below for each section of the engagement.

Reasonable and/or Limited Assurance on Specified^[64] ADI Reporting Forms (Parts A and B)

A misstatement in a Specified ADI Reporting Form, either individually or in aggregate with other misstatements, is considered material if the appointed auditor believes the intended users may be influenced by the misstatement of the information.

For the purpose of providing assurance on Specified ADI Reporting Forms, the auditor considers materiality, as appropriate, in accordance with the principles and guidance provided in AUASB standards:

1. ASA 320^[65], ASA 805 and ASRE 2405, as applicable, where the subject matter is historical financial information;
2. ASAE 3000, where the subject matter is information other than historical financial information; and
3. ASAE 3450, where the subject matter is prospective financial information.^[66]

In the absence of specific requirements issued by APRA, the Australian Accounting Standards Board’s Practice Statement 2 Making Materiality Judgements may provide a useful frame of reference to the auditor in determining materiality for the engagement.

ASA 320 and AASB Practice Statement 2 deal with materiality in the context of the financial statements taken as a whole and may be useful in setting materiality levels for relevant “Statement of Financial Performance” and “Statement of Financial Position” ADI Reporting Forms. As Australian Auditing Standards are written in the context of an audit of a financial report, they are to be adapted as necessary in the circumstances when applied to single financial statements or specific elements of a financial statement. Materiality determined for a single financial statement or for a specific element of a financial statement may be lower than the materiality determined for the financial report, which will impact the nature, timing and extent of assurance procedures and the evaluation of uncorrected misstatements.^[67]

For the purpose of reporting on the reliability of information included in Specified ADI Reporting Forms, the appointed auditor considers and applies materiality at the level of individual Reporting Forms^[68] or, if the auditor deems it to be more appropriate, the auditor may choose to set a specific materiality at the level of individual data items or categories of data included in Reporting Forms.

In applying the relevant AUASB Standards to individual ADI Reporting Forms, or data line items in Reporting Forms, the auditor has regard to the nature, purpose and use of the information included in each Reporting Form. The auditor refers to Reporting Forms and Instructions, and associated Prudential and Reporting Standards, for information regarding the nature and purpose of each individual ADI Reporting Form.

Materiality is to be addressed in the context of the entity’s objectives relevant to the ADI Reporting Form and Reporting Standard being examined and whether internal controls will reduce to an acceptable level the risks that threaten achievement of those objectives.^[69]

Where a Reporting Form includes historical and prospective financial information, as well as non-financial information,^[70] the auditor considers adopting a combination of methods and setting multiple materiality levels based on the information included in the Reporting Form. For example:

1. For historical financial information extracted from audited^[71] financial information, the auditor may:
   1. determine that the materiality levels used in the audit are acceptable/suitable for the purposes of the Reporting Form; or
   2. establish new materiality levels in accordance with the principles espoused in ASA 320 or ASRE 2405 and other relevant guidance, as applicable to the subject matter information and based on the amounts reported in the Reporting Form.
2. For non-financial information, materiality may be set with reference to the principles and guidance provided in ASAE 3000.
3. For prospective financial information, materiality may be set with reference to the principles and guidance provided in ASAE 3450.

In setting these differing materiality levels, the auditor takes into consideration qualitative and quantitative factors and the risk of issuing an inappropriate conclusion.

The appointed auditor’s preliminary assessment of materiality is based largely on quantitative factors. A percentage is often applied to a chosen benchmark as a starting point in determining materiality. The base and percentage may vary depending on the ADI Reporting Form in question and the nature of information included in each Reporting Form.

Matters likely to adversely affect the interests of depositors in ADIs are generally related to solvency and going concern assumptions. In the context of APRA’s prudential reporting requirements, the ADI’s “Prudential Capital Requirement” (PCR), as prescribed in Prudential Standard APS 110 Capital Adequacy, is an important consideration with respect to materiality. A key concern with any misstatement within a Reporting Form is therefore its potential impact on the ADIs capital base and capital adequacy ratio, that are determined in accordance with APRA’s Prudential Standards. This is taken into consideration by the appointed auditor when evaluating whether a misstatement in a Reporting Form, especially within the Capital Adequacy Reporting Forms, is material.

APRA has advised that a materiality threshold based on a 25 basis point impact on the Capital Adequacy Ratio may be applied in aggregate by the appointed auditor as a reasonable basis for determining quantitative materiality for Capital Adequacy Reporting Forms. This threshold may be used as indicative guidance only, in conjunction with the considerations described within this Guidance Statement, which includes consideration of qualitative factors. The appointed auditor exercises professional judgement when applying the threshold in specific circumstances. For example, a lower level of materiality may be appropriate as the level of surplus capital reduces.

The auditor exercises professional judgement to consider whether an alternative base, such as profit, revenue or assets, may be more appropriate when considering whether a misstatement within other non-capital types of reporting forms such as, but not limited to, the Statement of Financial Performance, Statement of Financial Position, Provisions and Impaired Assets and the liquidity reporting forms^[72], is material.

When considering materiality, the auditor considers the obligations under Prudential Requirements for ADIs and auditors of ADIs to report errors in ADI Reporting Forms to APRA, the criteria for resubmission of data previously submitted to APRA, and reporting breaches to APRA. For example, RPG 702.0 indicates that misreported EFS data items above the prescribed quantitative data quality benchmarks in Attachment A to RPG 702.0 should be notified to APRA. However, RPG 702.0 states these errors would not trigger automatic resubmission, as the Agencies will determine the need for resubmission. The auditor exercises professional judgement in using this guidance in scoping assurance work to be performed.

The auditor is mindful that RPG 702.0 is primarily directed at reporting entities and designed to assist these entities in meeting EFS quality control requirements and to tailor data risk management practices as outlined in CPG 235.^[73]

Whilst APRA and the Agencies expect auditors to consider the RPG 702.0 guidance in determining materiality thresholds for a prudential reporting assurance engagement, APRA has confirmed that the RPG 702.0 benchmarks do not establish new materiality requirements for assurance purposes relating to the EFS data collection.^[74]

The auditor sets materiality levels for the EFS collection based on the risk assessment for each EFS Reporting Form performed by the auditor. The priority ranking of data points included in RPG 702.0 may be helpful for the auditor in determining where to focus effort.

RPG 702.0 benchmarks and considerations may be more relevant to Part C of the engagement in setting materiality levels for reporting on the design and operating effectiveness of internal controls addressing the reliability of data routinely reported to APRA in ADI Reporting Forms. Refer to Part C below.

Auditors retain ultimate discretion in setting materiality levels for the assurance engagement and determining the scope of assurance procedures to be conducted, taking into consideration the risk of issuing an inappropriate assurance report.

Limited Assurance Engagement on Design, Implementation and Operating Effectiveness of Internal Controls (Part C)

Material deficiencies in the design and implementation of controls and material deviations in the operating effectiveness of controls are those which could reasonably be expected to influence relevant decisions of the intended users.

ASAE 3150 sets out the requirements and provides guidance to the auditor in applying materiality in the context of an assurance engagement on controls.

In accordance with ASAE 3150, the auditor shall identify a control or combination of controls as material if it is fundamental to the achievement of a control objective relevant to the scope of the engagement, and whether the internal controls will reduce to an acceptably low level, based on auditor judgement, the risks that threaten achievement of those objectives.

In assessing materiality, the appointed auditor has regard to the measures the ADI has adopted to ensure:

1. reliable data is provided to APRA in all ADI Reporting Forms prepared under the FSCODA; and
2. compliance with all applicable Prudential Requirements.

For the purpose of reporting on controls addressing the reliability of EFS data included in ADI Reporting Forms, the auditor determines materiality levels taking into consideration the needs and expectations of the users of the EFS collection, as outlined in RPG 702.0. RPG 702.0 informs reporting entities of the Agencies’ expectation that data reported in EFS collection should be of high quality, including to be accurate, complete and timely. RPG 702.0 provides guidance to reporting entities to meet data quality control requirements that require them to have in place systems, processes and controls to assure the reliability of reported information in relation to the EFS Reporting Standards. RPG 702.0 guidance is supported by CPG 235 which sets out guidance on how entities can manage data risk, including assessing data quality by reference to fitness for use.

Although the auditor retains discretion in setting materiality levels, the auditor is expected to take into consideration RPG 702.0’s priority ranking of data items and data quality benchmarks as part of the assessment of whether a reporting entity’s internal controls are designed appropriately and operating effectively to meet the RPG 702.0 thresholds required by the Agencies.

ASAE 3150 requires the auditor to reassess the materiality of the controls if matters come to their attention during the engagement which indicate that the basis on which the materiality of those controls was determined has changed.

Reporting on Compliance with Prudential Requirements (Part D)

Under APS 310 and 3PS 310 the appointed auditor is required to provide limited assurance that the ADI and/or group has complied, in all material respects, with all relevant Prudential Requirements. This conclusion is to be based on the auditor’s reasonable and limited assurance engagements undertaken to provide assurance in relation to Specified ADI Reporting Forms (Parts A and B) and internal controls (Part C).

For the purpose of reporting on compliance with Prudential Requirements, the appointed auditor considers materiality when evaluating the significance of identified instances of non-compliance with relevant Prudential Requirements (see paragraphs 249-258 of this Guidance Statement).

An appointed auditor gives further consideration as to whether the auditor has, or will be able to obtain, adequate knowledge and the required skills to undertake the engagement.

APS 310 and 3PS 310 prohibit an appointed auditor from placing sole reliance on the work performed by APRA, for example, as part of the initial accreditation process to be registered as an Advanced ADI. APRA expects appointed auditors to exercise their professional judgement and reach their own independent conclusions.

The nature and complexity of the ADI increases the likelihood that the appointed auditor may need to involve experts in the engagement. For example, obtaining an understanding of the process and assumptions used by an Advanced ADI to develop risk information, may require technical knowledge of risk measurement methodologies, which can be complex.

When planning to use the work of an auditor’s expert as evidence, the appointed auditor has regard to the requirements and guidance provided in, as appropriate, AUASB standards ASA 620^[75], ASAE 3000, ASAE 3150 and ASAE 3450.

Where an ADI has engaged or employed experts, for example where actuaries are used to determine amounts for inclusion in ADI Reporting Forms, which is derived using specialised techniques, the auditor applies, as appropriate, Auditing Standard ASA 500 Audit Evidence. ASA 500 sets out mandatory requirements and provides application and explanatory material on using the work of a management’s expert as audit evidence. The auditor may also find it helpful to refer to AUASB Guidance Statement GS 005 Evaluating the Appropriateness of a Management’s Expert’s Work.

Where the auditor appointed under APS 310/3PS 310 plans to use the work of another independent auditor, the appointed auditor:

1. for the reasonable assurance engagement in relation to historical financial information, complies with the requirements of Auditing Standard ASA 600 Special Considerations – Audits of a Group Financial Report, adapted as necessary; and
2. for other assurance, complies with the requirements of ASAE 3000. The principles espoused in ASA 600 may also provide helpful guidance.

CPS 510 requires all ADIs (including a foreign ADI in relation to its Australian business) and authorised NOHCs, to have in place an independent and adequately resourced internal audit function.^[76] APS 310 and 3PS 310 require an ADI and/or the head of an ADI group to ensure that the scope of internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with Prudential Requirements. CPS 510 requires that the objectives of the internal audit function include an evaluation of the adequacy and effectiveness of the financial and risk management framework of the ADI. CPS 220 includes further information on APRA’s requirements for the periodic review of the risk management framework by internal audit.

APRA expects the appointed auditor to consider the extent to which the work of the internal audit function is likely to be relevant in the context of the APS 310/3PS 310 assurance engagement.

Having regard to the requirements and guidance provided in AUASB standards ASA 610 Using the Work of Internal Auditors, ASAE 3000 and ASAE 3150, as relevant, the appointed auditor obtains an understanding of the activities and main findings of the internal audit function and perform a preliminary assessment, which may include, assessment of:

1. its impact on the system and the components of control within that system, including the control environment, risk assessment, information and communication, monitoring activities and control activities in relation to the system; and
2. its effect on the nature, timing or extent of the auditor’s assurance procedures.

The use of internal auditors to provide direct assistance is prohibited in assurance engagements undertaken in accordance with AUASB Standards. Direct assistance is the performance of assurance procedures under the direction, supervision and review of the independent external auditor. An effective internal audit function may enable the auditor to modify the nature and/or timing, and/or reduce the extent of assurance procedures performed but cannot eliminate them entirely.

Where the appointed auditor plans to use the work of the internal audit function, the auditor evaluates the adequacy of this work for the auditor’s purposes in accordance with the relevant AUASB standards. The appointed auditor remains responsible for obtaining sufficient appropriate evidence to support the auditor’s assurance engagement conclusions.

APS 310/3PS 310 requires the appointed auditor to provide two different levels of assurance over the reliability of a specific set of ADI Reporting Forms at the ADI’s financial year-end. The level of assurance required to be provided by the appointed auditor is determined by the source of the data included in the Reporting Forms. Data sourced from “accounting records”, requires a reasonable level of assurance. All other data requires a limited level of assurance.

“Accounting records”, is defined in paragraph 28(c) of this Guidance Statement and, ordinarily, includes all the data used by an ADI to prepare its accounting books and records, and to report the results of its operations and its financial position in its financial report on an annual or half-yearly basis (that is, the underlying evidence in support of the financial report). The expectation is, generally, that such data would be subject to rigorous internal controls.

However, the initial books of entry may also comprise other data which is stored alongside accounting data. Such data may not be used for financial management and financial reporting, and may not be subject to rigorous controls, and therefore fall outside the scope of the reasonable assurance opinion.

Data in ADI Reporting Forms may be sourced from systems that are not used to produce financial report information and are not readily reconcilable to financial report information. The initial entries to these systems may be the same as for the accounting records, but both the level of control over the systems and the amount of manipulation/aggregation of the data within such systems may result in the output being significantly different from the accounting records and not readily reconcilable back to these records.

The appointed auditor makes an assessment of whether or not a data item has been sourced from accounting records, by exercising professional judgement and referring to the definition of accounting records. The auditor carefully considers the source and the use of the data, and whether it is appropriately controlled and, therefore, capable of being subjected to procedures for obtaining sufficient appropriate evidence to support a reasonable assurance conclusion.

For Advanced ADIs, where the ADI’s risk management systems provide internal estimates for some or all of the risk components in determining capital, the capital reporting forms will include data items sourced from non-accounting records. Examples include measures for “probability of default” and “loss given default”.

Certain data items may have been sourced from a combination of both accounting and non-accounting records, for example, data sourced from accounting records that involve additional examination, computation, re-classification or segmentation using non-accounting data, and this may result in those data items being classified as sourced from non-accounting records and fall within the scope of the limited assurance engagement.

Where ADI Reporting Forms combine elements that are derived from accounting records and non-accounting records, the appointed auditor provides:

1. reasonable assurance on information derived from the accounting records, for example, totals derived from the balance sheet such as values for assets, liabilities and derivatives, in the ADI Reporting Forms listed in (b) below; and
2. limited assurance on the information derived from non-accounting records, for example:
   • ADI Reporting Form ARF 117.0 Repricing Analysis: the repricing period allocations to time periods set out in the interest rate sensitivity tables (which are subjective).
   • ADI Reporting Form ARF 112.1A Standardised Credit Risk – On-balance Sheet Assets: the risk rating for loans based on the loan-to-valuation ratio (LVR) where the security values are subject to variation over time.

Also see paragraph 160 below.

Segmentation of certain balances derived from the financial statements (accounting data) included in EFS Reporting Forms by counterparty economic sector, industrial classifications or facility purpose, are often reliant on counterparty provided information or may be subject to judgement in their application and, therefore, generally fall within the scope of the limited assurance engagement.

Identification of the year-end ADI Reporting Forms to be subjected to the reasonable and/or limited assurance engagement, requires careful consideration by the appointed auditor.

The initial submission of ADI Reporting Forms, to meet APRA’s reporting timetable, may be too soon in the ADI’s year-end process for the ADI to have processed all relevant year-end journals and adjustments. As a result, the ADI may have submitted revised Reporting Forms after the due reporting date. As the requirement is to report on the “reliability” of the year-end Reporting Forms, the auditor selects the most up to date (recent) Reporting Forms submitted to APRA, rather than the Reporting Forms initially submitted in accordance with APRA’s reporting timetable. The auditor conducts further procedures to ensure that the selected Reporting Forms include all relevant year-end journals and adjustments.

The ADI Reporting Forms which are the subject of the assurance report, are clearly identified in the assurance report. This may be achieved, for example, by:

1. attaching the Reporting Forms to the assurance report; or
2. noting the submission receipt number or time and date of submission of the Reporting Forms to APRA in the assurance report.

As noted in paragraph 155 of this Guidance Statement, certain ADI Reporting Forms may include data sourced from a combination of accounting and non-accounting records. The appointed auditor needs to clearly identify such data so that the intended user of the assurance report understands the level of assurance attached to each data item. This could be achieved in a number of ways, for example:

• Attaching the Reporting Forms to the assurance report and clearly identifying the level of assurance attached to each individual section (or data item) within each Reporting Form.
• Listing the Reporting Form and the individual sections (or data items) for which reasonable and limited assurance have been provided within the body of the assurance report under the section “Opinion and Conclusions”.
• Providing a detailed list in an attachment to the assurance report which clearly identifies the Reporting Form and the individual sections (or data items) for which reasonable and limited assurance have been provided.

Refer to Appendix 4 of this Guidance Statement for illustrative examples of possible approaches to identify subject matter subject to reasonable and limited assurance.

Where the ADI Reporting Form over which assurance is to be provided at the financial year-end is not the Reporting Form submitted on the due date in accordance with APRA’s reporting timetable, the appointed auditor needs to consider this issue when providing assurance on the design and operational effectiveness of controls over the reliability of Reporting Forms^[78].

Objective

The appointed auditor is required to provide reasonable assurance that information included in ADI Reporting Forms, as specified in Attachment A of APS 310, at the financial year-end, sourced from the ADI’s accounting records, is, in all material respects:

1. reliable; and
2. in accordance with the relevant APRA Prudential and Reporting Standards.

Refer to Part A of the Example Annual Prudential Assurance Report in Appendix 4 of this Guidance Statement.

AUASB Standards

In performing the reasonable assurance engagement on Specified ADI Reporting Forms, the auditor complies with all Australian Auditing Standards relevant to a reasonable assurance engagement of other historical financial information, adapted as necessary in the circumstances of the engagement. In applying these standards, the auditor has regard to any special considerations identified in ASA 805 that may be relevant to the engagement.

Obtaining Evidence

To identify the ADI Reporting Forms, or data items in a Reporting Form, that are to be subjected to the assurance engagement (the subject matter), the appointed auditor applies the definition of accounting records to each item of data within each Reporting Form as specified in Attachment A of APS 310.

Having identified the ADI Reporting Forms, or data items within a Reporting Form, that are to be subjected to the reasonable assurance engagement, the auditor obtains sufficient appropriate evidence as part of a dynamic and iterative process^[79], that includes:

• Obtaining an understanding of the Specified ADI Reporting Forms and individual data items included in these Reporting Forms, the intended use of the information included in the Reporting Forms by the intended users, and the Prudential Requirements applicable to the preparation and submission of Reporting Forms.
• Obtaining and understanding of the ADI’s overall framework for managing data risk and data quality.^[80]
• Obtaining an understanding of the ADI’s system of internal control, in particular, controls around managing data risk, and the compliance function relevant to the engagement and control objectives.
• Evaluating the controls over the preparation and compilation of Reporting Forms.
• Identifying and assessing the risk that information in Reporting Forms may be materially misstated.
• Responding to assessed risks and determining the nature, timing and extent of further evidence-gathering procedures.
• Performing further evidence-gathering procedures clearly linked to the identified risks.
• Evaluating the sufficiency and appropriateness of evidence.

The appointed auditor exercises professional judgement in determining the nature, timing and extent of reasonable assurance procedures to gather sufficient appropriate evidence on which to base the reasonable assurance opinion.

A controls based assurance approach is often the most appropriate approach to adopt in these circumstances. However, where the appointed auditor determines that a material weakness exists in the ADI’s internal controls designed to ensure reliable data is provided to APRA in Reporting Forms, and/or where the appointed auditor makes a determination based on effectiveness and/or efficiency, a substantive approach may be more appropriate (for example, for smaller Standardised ADIs).

Reasonable assurance procedures for obtaining evidence include, but are not limited to, testing of specific controls aimed at ensuring data in Reporting Forms is reliable and prepared in accordance with APRA Prudential Standards and Reporting Standards. Procedures may include a combination of enquiry and observation, testing of controls over the compilation of Reporting Forms, testing of controls over the extraction of data from the underlying accounting records (including all relevant year-end adjustments), and obtaining management representations.

The appointed auditor may decide to place reliance on work undertaken by the auditor appointed for the purpose of the audit of the general purpose financial report, required under the Corporations Act (the statutory audit), as the basis for opining on the reliability of the Specified ADI Reporting Forms, or data items included in these forms.^[81] However, the appointed auditor is still required to obtain additional evidence to ensure that the Reporting Forms, or data items in a Reporting Form:

1. have been appropriately extracted from the underlying accounting records (which were the subject of the statutory audit); and
2. are in accordance with APRA’s Prudential Standards and Reporting Standards (which may be different from the Australian Accounting Standards Framework used to record items in the ADI’s underlying accounting and statutory records).

Where reliance is being placed on work performed for the statutory audit, the appointed auditor assesses events occurring subsequent to the date of signing the statutory accounts, but before the date of issuing the auditor’s annual prudential assurance report, and takes this into consideration in forming the opinion issued in the report.

Materiality is to be applied as outlined in paragraphs 106-127 of this Guidance Statement.

Objective

The appointed auditor is required to express a conclusion, based on a limited assurance engagement, on whether anything has come to the auditor’s attention that causes the auditor to believe that information included in ADI Reporting Forms, as specified in Attachment A to APS 310, at the financial year-end, sourced from non-accounting records of the ADI, is not, in all material respects reliable and in accordance with the relevant APRA Prudential and Reporting Standards.

Refer to Part B of the Example Annual Prudential Assurance Report in Appendix 4 of this Guidance Statement.

AUASB Standards

The appointed auditor conducts the limited assurance engagement on Specified ADI Reporting Forms in accordance with:

1. ASRE 2405 - for historical financial information;
2. ASAE 3000 - for information other than historical financial information; and
3. ASAE 3450 - for prospective financial information.

Prospective financial information generally includes forecasts and projections based on assumptions made by the ADI, in accordance with a stated basis of preparation. ASAE 3450 sets out the responsibilities of an assurance practitioner undertaking an engagement to report on prospective financial information. It identifies specific considerations in the application of ASRE 2405 and/or ASAE 3000, which may apply in the engagement circumstances. ASAE 3450 does not override the requirements of ASRE 2405 or ASAE 3000 and it does not purport to deal with all engagement circumstances.

Obtaining Evidence

All ADI Reporting Forms, or data items within Reporting Forms, as specified in Attachment A of APS 310, that have been excluded under paragraphs 162-171 above as not having been sourced from accounting records, are included in this section as the subject matter for the limited assurance engagement.

Having identified the subject matter, the appointed auditor obtains evidence as part of a dynamic and iterative process directed by the risk assessment carried out during the planning phase of the engagement. The auditor exercises professional judgement in determining the specific nature, timing and extent of limited assurance procedures to gather evidence on which to base the conclusion.

The Part B limited assurance engagement is substantially less in scope than the reasonable assurance engagement undertaken in paragraphs 162-171 in order to provide reasonable assurance under Part A of the Auditor’s Annual Prudential Assurance Report. The limited assurance engagement procedures do not provide all the evidence required in a reasonable assurance engagement and, consequently, the level of assurance provided is less than that given in the reasonable assurance engagement.

Limited assurance procedures ordinarily include consideration of the process used to prepare Reporting Forms and the specific controls aimed at ensuring Reporting Forms, and data in Reporting Forms, are reliable and prepared in accordance with APRA Prudential Standards and Reporting Standards. Limited assurance procedures may include analytical procedures, enquiry, limited testing of controls over the compilation of Reporting Forms, limited testing of controls over the extraction of data from the underlying source systems and obtaining management representations.

If the auditor has reason to believe that the subject matter information subject to limited assurance may be materially misstated, AUASB Standards require that the auditor carry out additional or more extensive procedures as are considered necessary to be able to express a limited assurance conclusion or to confirm that a modified report is required.

Materiality is to be applied as outlined in paragraphs 106-127 of this Guidance Statement.

Advanced ADIs

Under the advanced approaches for measuring capital adequacy, an Advanced ADI is permitted to use its own quantitative risk estimates in calculating regulatory capital. This involves a greater use of internal risk measurement models that generate the credit risk, operational risk, market risk and interest rate risk in the banking book (instead of the standardised risk assessments used by Standardised ADIs). As a result, under the advanced approaches, a smaller proportion of information contained in APRA’s Capital Adequacy Reporting Forms is derived from accounting records.

At the planning stage of the engagement, the appointed auditor decides on the appropriate assurance approach to adopt in order to gather evidence to reduce the assurance engagement risk to an acceptable low level to provide limited assurance in relation to the reliability of Reporting Forms, or data items in a Reporting Form, which are sourced from the internal risk measurement models.

A controls based assurance approach is often the most appropriate approach to adopt in these circumstances. The appointed auditor gathers evidence regarding the internal control structure, and that key controls around the risk measurement models, as identified during the planning phase of the audit, are operating effectively to support the assurance conclusion.

In concluding on any data produced from the internal risk measurement models, the appointed auditor cannot place sole reliance on work performed by APRA, as part of the initial accreditation process for becoming an Advanced ADI or in any subsequent reviews undertaken by APRA.

Objective

The appointed auditor is required to express a conclusion, based on a limited assurance engagement, whether anything has come to the attention of the auditor to cause the auditor to believe that, in all material respects:

1. the ADI has not implemented internal controls that are designed to ensure the ADI has:
   1. complied with all applicable Prudential Requirements; and
   2. provided reliable data to APRA in the ADI Reporting Forms prepared under the FSCODA; and
2. these controls have not operated effectively throughout the financial year.

Refer to Part C of the Example Annual Prudential Assurance Report in Appendix 4 of this Guidance Statement. APRA has advised that the form and content of this example report is adequate for the purpose of reporting under APS 310/3PS 310.

AUASB Standards

The appointed auditor conducts the limited assurance engagement related to internal controls in accordance with ASAE 3150.

Obtaining Evidence

Based on the auditor’s understanding of the ADI and/or ADI group and its environment, risk management practices in place, and the internal control and compliance framework, as obtained for the purpose of planning the engagement, the auditor performs assurance procedures to respond to assessed risks in order to obtain limited assurance to support the auditor’s conclusion.

The auditor generally adopts a ‘top down’ approach in gathering evidence by, for example, making enquiries of key personnel, observing the entity’s operations, performing ‘walk-through’ tests of controls, and inspecting relevant documentation, in order to achieve the following:

• obtaining an understanding of the ADI’s overall control environment and compliance framework;
• identifying the systems, structures, policies, procedures and controls designed to ensure compliance with all applicable Prudential Requirements, by reviewing documents such as the ADI’s RMS and similar policy documents prepared by the ADI in accordance with applicable Prudential Standards;
• identifying the processes used by the entity to support the Board’s annual declaration to APRA on risk management (“Risk Management Declaration”^[82]);
• identifying the internal compliance functions designed to oversee the provision of data to APRA in ADI Reporting Forms;
• identifying key controls over data risk management as stipulated by CPG 235;
• identifying significant processes for the preparation of ADI Reporting Forms; and
• identifying the key controls over these significant processes that are designed to ensure that reliable data is provided to APRA in ADI Reporting Forms.

The above is not an exhaustive list, nor is it intended to direct the auditor as to the conclusion over the ADI’s internal controls.

The way in which internal control is designed and implemented varies with an ADI’s size and complexity. Smaller ADIs may use less formal means and simpler processes to achieve their objectives.

Materiality is to be applied as outlined in paragraphs 106-110 and 128-134 of this Guidance Statement.

Design of Controls

The auditor determines which of the controls at the entity are necessary to achieve the relevant control objectives and whether those controls were suitably designed. Under ASAE 3150, this determination includes:

1. identifying the risks that threaten achievement of the control objectives;
2. evaluating whether the controls as designed would be sufficient to mitigate those risks when operating effectively, in all material respects; and
3. evaluating whether any changes in controls as designed during the period would be sufficient to mitigate those risks, in all material respects.

In assessing the suitability of the design of controls, ASAE 3150 requires the auditor, at a minimum, to:

1. make enquiries of management or others within the entity regarding how the controls are designed to operate; and
2. examine the design specifications or documentation.

If the auditor becomes aware of a matter(s) that causes the auditor to believe that a material deficiency in the design of controls may exist, ASAE 3150 requires the auditor to design and perform additional assurance procedures until the auditor has obtained sufficient appropriate evidence to conclude on whether the design is suitable. However, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement.

Implementation of Controls

The auditor obtains sufficient appropriate evidence that the controls identified as necessary to achieving the identified control objectives, were implemented as designed as at the specified date. The auditor’s evaluation of the design of controls may influence the nature, timing and extent of assurance procedures related to implementation.

ASAE 3150 requires that:

1. the auditor’s assurance procedures include, at a minimum, making enquiries and observation.
2. If the auditor determines that additional assurance procedures, such as the inspection of records and documentation, are required to dispel or confirm a suspicion that a material deficiency in the implementation of controls exists, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement.
3. When designing and performing tests of implementation, the auditor determines whether controls implemented depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain evidence supporting the implementation of those indirect controls.

Operating Effectiveness of Controls

Following the evaluation of whether the ADI has internal controls designed to achieve the relevant control objectives, the appointed auditor performs assurance procedures to obtain evidence about whether these controls have operated as designed throughout the financial year. The auditor may consider how the controls were applied, the consistency with which they were applied, by whom they were applied and the period over which the controls were applied.

In accordance with ASAE 3150, when reporting on operating effectiveness over the period, the auditor tests those controls that the auditor has determined are necessary to achieve the relevant control objectives, and assess their operating effectiveness throughout the period. The auditor’s evaluation of the design of controls may influence the nature, timing and extent of tests of operating effectiveness. Evidence obtained in prior engagements about the satisfactory operation of “material controls” (as defined in the standard) in the prior periods does not provide a basis for a reduction in testing of those controls, even if it is supplemented with evidence obtained during the current period.

Assurance procedures to obtain evidence on operating effectiveness may include discussion with entity personnel (and obtaining written representations), observation of the system in operation, walk-through for an appropriate number of instances of material controls in operation, and ascertaining whether the person(s) performing the control(s) possesses the necessary authority and competence to perform the control(s) effectively, to identify any deviations from the specified design. The auditor may also consider limited re-performance of controls.

Alternatively, under ASAE 3150, the results of exception reporting, monitoring or other management controls may be examined to provide evidence about the operation of the control rather than directly testing it.

ASAE 3150 requires the auditor to apply professional judgement in determining the specific nature, timing and extent of procedures to be conducted, which will depend on the assessed risks of material deviations in the operating effectiveness of controls. If the auditor determines that additional assurance procedures are required to dispel or confirm a suspicion that a material deviation in the operating effectiveness of controls exists, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement.

ASAE 3150 requires that where control procedures have changed during the period subject to examination, the auditor tests the operating effectiveness of both the superseded control(s) and the new control(s) and consider whether the new controls have been in place for a sufficient period to assess their effectiveness.

Although the auditor may consider the results of any tests of the operating effectiveness of controls conducted by the internal audit function when evaluating operating effectiveness, the auditor remains responsible for obtaining sufficient appropriate evidence to support the auditor’s conclusion and, if appropriate, corroborate the results of such tests.

The appointed auditor enquires whether there were any changes in internal control, or other matters, subsequent to the financial year-end date and up to the date of the appointed auditor’s assurance report, that may have an impact on the auditor’s conclusion about the effectiveness of internal controls, and obtains written representations from management relating to such matters.

Interpretation of the word “reliable” in the context of reporting on controls in place to ensure reliable data is provided to APRA in ADI Reporting Forms throughout the financial reporting period, has practical limitations in some circumstances. For many ADIs, it is only at the financial year-end (or for ADIs that are disclosing entities, also at the half year-end) that all the necessary accounting adjustments, such as accruals, prepayments, provisioning and valuations, are prepared and subjected to audit or review. APRA is aware of this position and has indicated it accepts ADI Reporting Forms prepared throughout the year based on the ADI’s normal accounting process.

For further requirements and guidance in relation to obtaining evidence on operating effectiveness of controls, including on the use of sampling for selecting controls for testing operating effectiveness over a period, refer to ASAE 3150.

Advanced ADIs

For an Advanced ADI, the appointed auditor furthermore considers the ADI’s internal controls over the risk measurement models used to meet the requirements of specific Prudential Standards and to generate certain risk data provided to APRA in ADI Reporting Forms.

The appointed auditor undertakes an appropriate risk assessment of the controls over these models within the context of the stated assurance engagement objective, and plans the assurance engagement accordingly.

The appointed auditor obtains an understanding of any deficiencies in the models, identified either by APRA, the ADI, or through any independent review, and how such deficiencies have been addressed by the ADI.

In concluding on the controls over internal risk models, the appointed auditor cannot place sole reliance on the work performed by APRA during the accreditation process to become an Advanced ADI, or on reports issued as a result of any independent review required under specific Prudential Standards dealing with credit risk, operational risk, market risk and interest rate risk in the banking book^[83]. Under these Standards, APRA may require Advanced ADIs to obtain an independent review of the use of any internal models, statistical techniques, other methods relevant to estimating or assessing risks, and risk data inputs used.^[84]

The appointed auditor reviews any reports issued as a result of independent reviews. In drawing a conclusion on whether to use these reports, the appointed auditor has regard to the level of independence of the reviewer, and their qualifications and competency to carry out such a review. In making this assessment, the appointed auditor complies with the requirements of ASAE 3000 and ASAE 3150.^[85]

The appointed auditor makes enquiries about the overall system controls over such models, including controls that ensure the consistency and integrity of the models.

Assurance procedures over the models would ordinarily include a review of:

1. the control environment and general controls, including the IT function; and
2. change controls (including limited testing).

Assurance procedures of data produced from the risk measurement models would ordinarily include a review of:

1. the key controls over inputs to the models; and
2. how management review and use the data outputs from the models in ADI Reporting Forms.

Such assurance procedures may include making enquiries of management and persons operating the control(s), assessing whether such persons have the appropriate degree of skill and authority to effectively operate the control(s), observation, ‘walk through’ tests, limited re-performance and analytical review of the resulting Reporting Forms, or data items in a Reporting Form.

Objective

The appointed auditor is required to express a conclusion, based on a limited assurance engagement, whether anything has come to the attention of the auditor to cause the auditor to believe that, for the financial year, in all material respects:

1. the ADI has not implemented internal controls that are designed to ensure that SCV data as set out in APS 910 Attachment A, to the extent practicable, and FCS payment instruction and reporting information can be relied upon as being complete and accurate and in accordance with APS 910; and
2. these controls have not operated effectively when tested.

Refer to Appendix 5 of this Guidance Statement for an Example Annual Prudential Assurance Report for engagements undertaken pursuant to APS 910.

AUASB Standards

The appointed auditor conducts the limited assurance engagement for APS 910 related to internal controls in accordance with ASAE 3150.

Obtaining Assurance Evidence

Under APS 310/3PS 310, the appointed auditor is required to perform a limited assurance engagement on the design, implementation and operating effectiveness of internal controls to ensure compliance with all Prudential Requirements^[86], which includes compliance with the requirements of APS 910.

APS 910 identifies additional requirements for the appointed auditor to perform a limited assurance engagement on an ADI’s controls to ensure that SCV data as set out in APS 910 Attachment A, to the extent practicable, and FCS payment instruction and reporting information can be relied upon as being complete and accurate and produced in a timely manner in accordance with the requirements specified in APS 910.

Appendix 5 (see Attachment 3 to the example report, entitled: Control Objectives and Evaluation Criteria) of this Guidance Statement outlines the applicable control objectives for the engagement, used by the auditor to evaluate the ADI’s compliance with APS 910 requirements.

In practice, the auditor’s annual APS 310/3PS 310 assurance engagement on controls (Part C) factors in all APS 910 requirements with which the ADI is expected to be compliant. This approach allows the timing of the APS 910 engagement to be aligned with routine assurance work undertaken pursuant to APS 310/3PS 310.

Limited assurance procedures selected depend on the auditor’s judgement, including assessment of the risks of a material breakdown in controls. In making those risk assessments, the auditor considers internal control systems and compliance functions relevant to ensuring compliance with APS 910 and, specifically, the requirements in relation to SCV data and FCS payment instruction and reporting information, in order to design limited assurance procedures that are appropriate in the circumstances.

The limited assurance engagement in relation to APS 910 controls may include making enquiries of management and those responsible for the controls, examination of design specifications and documentation on a sample basis, observation of implementation and operation of the controls, events or business routines implemented by the ADI, as well as testing practices and results, ‘walkthrough’ of controls, and review of reports required under APS 910^[87].

In applying the terms “complete” and “accurate” to the controls engagement, the auditor has regard to definitions and guidance provided by APRA in CPG 235. Refer to Appendix 5 of this Guidance Statement (see Attachment 3 to the example report, entitled: Control Objectives and Evaluation Criteria).

For guidance on how the term “to the extent practicable” is to be interpreted, the auditor refers to guidance provided by APRA in its August 2013 Information Paper: Financial Claims Scheme for authorised deposit-taking institutions and under Financial Claims Scheme Frequently Asked Technical Questions for ADIs, which can be accessed on APRA’s website.^[88] Refer to Appendix 5 of this Guidance Statement (see Attachment 4 to the example report, entitled: Additional Guidance).

The phrase “to the extent practicable” applies to those limited circumstances and/or customers where it may not be possible or practical for an ADI to meet all the requirements of APS 910 or the Banking Act, despite best endeavours.^[89] Where possible, it is expected that the underlying assurance objective be met in full. This guidance is principle-based and does not limit the application of the auditor’s professional judgement.

Under APS 910, the appointed auditor is required to perform limited assurance procedures to evaluate whether the ADI’s controls operated effectively when tested by the ADI in accordance with the testing requirements specified in APS 910^[90]. In addition, APRA guidance states that, when conducting the audit, the auditor must undertake their own tests of the controls and must provide limited assurance that, when tested by the auditor, the controls operated effectively. The auditor will need to collect sufficient and appropriate evidence when forming their conclusions about the ADI’s controls.^[91]

Prudential Requirements for foreign ADIs (branches) may differ from those of locally incorporated ADIs^[93] and, consequently, these are considered by the appointed auditor. For example, foreign ADIs are not required to report in Australia with respect to branch capital adequacy. However, the Banking Act authority restricts the source and quantum of deposits that foreign ADIs may accept. In addition, APRA has set guidelines relating to the manner in which foreign ADIs inform depositors of the requirements of the Banking Act that do not apply to those ADIs. The appointed auditor reports to APRA on the foreign ADI’s compliance with all relevant Prudential Requirements.

APRA requires the appointed auditor of a foreign ADI to conform to APS 310^[94] and other relevant Prudential Requirements as they apply to foreign ADIs. The appointed auditor of a foreign ADI considers the individual engagement requirements and circumstances at the foreign ADI when interpreting the guidance contained in this Guidance Statement.

As part of the requirements under APS 310, the appointed auditor of a foreign ADI (branch) is required to provide reasonable assurance over data sourced from accounting records, included in ADI Reporting Forms such as the “Statement of Financial Performance” and “Statement of Financial Position”^[95]

As a foreign ADI is not required to prepare a financial report under the Corporations Act, there is no requirement for a statutory financial report audit to be undertaken. Therefore, the accounting records of a foreign ADI would not generally be subjected to a full scope audit, unless the branch is included in the scope of the foreign ADI group audit, where the audit arrangements will be driven by head office audit requirements and applying materiality relevant to the entire group.

Since, generally, the appointed auditor of a foreign ADI has incomplete knowledge of the overseas operations of the foreign ADI, and would not have undertaken the statutory financial report audit of the foreign ADI, the appointed auditor considers the following additional matters (this is not a complete list):

• The reliance to be placed on work performed by overseas auditors (such as comfort or assurance in relation to systems and processes hosted offshore which impact the foreign ADI’s (branch’s) prudential reporting) and the requirements of ASA 600.
• The financial reporting framework applied by the foreign ADI for head office (group) reporting and whether adjustments are required to comply with APRA Prudential Requirements.
• Assessing materiality for APRA prudential reporting purposes, which may differ from materiality considerations for the purpose of head office (group) reporting.
• The requirements of Auditing Standard ASA 705 Modifications to the Opinion in the Independent Auditor’s Report, in particular, where sufficient appropriate evidence cannot be obtained.
• In the first year of reporting, the requirements of Auditing Standard ASA 510 Initial Audit Engagements – Opening Balances, in particular, with respect to the level of assurance which can be provided over opening balances.

The auditor accumulates uncorrected misstatements identified during the engagement, other than those that are clearly trivial, for the purpose of evaluating whether, individually or in aggregate, they are material to the reported information. Materiality is to be applied in the context of paragraphs 106-127 of this Guidance Statement.

In evaluating whether uncorrected misstatements in Specified ADI Reporting Forms are material, the appointed auditor complies with the requirements of AUASB standards ASA 450^[96], ASRE 2405, ASAE 3000 and ASAE 3450, as applicable. The appointed auditor exercises professional judgement, having regard to both the user and intended users of the information in the Reporting Forms, and taking into consideration the risk of issuing an inappropriate assurance report.

The magnitude of a misstatement alone is only one factor used to assess the misstatement. The appointed auditor evaluates each identified misstatement in the context of information relevant to users of the Reporting Form, by considering qualitative factors and the circumstances in which each misstatement has been made. For example, in evaluating identified misstatements, the appointed auditor has regard to factors such as the level of the ADI’s buffer above the particular minimum Prudential Requirements (determined under periodic quantitative calculations) and the sensitivity of these buffers to fluctuations in the ADI’s financial performance and position.

The appointed auditor may designate an amount below which misstatements would be clearly trivial and need not be accumulated, because the auditor expects that the accumulation of such amounts clearly would not have a material effect on the reported subject matter information.^[97] In doing so, the appointed auditor needs to consider the fact that the materiality of misstatements involves qualitative as well as quantitative considerations and that misstatements of a relatively small amount could nevertheless have a material effect on the reported information.

In evaluating whether identified misstatements are material, the auditor will consider the criteria used by APRA and the Agencies to determine the need for resubmission of data. For example, in accordance with RPG 702.0 guidance, reporting entities are to notify APRA of all reporting errors based on the data quality benchmarks specified in RPG 702.0 and states that, depending on the size of the reporting entity and the potential impact on the Agencies’ use of the data, APRA, in consultation with the Agencies, may require the data to be resubmitted.

Further, where errors have occurred in relation to EFS reporting that exceed the RPG 702.0 data quality benchmarks, this may be indicative of a control environment that is not appropriately designed or operating effectively. In these instances, the auditor would be expected to assess the nature of the error, whether deficiencies in the control environment contributed to the error, and what subsequent changes have occurred (if any) to address such deficiencies. Where such deficiencies exist, the significance of these would need to be considered against Parts A, B and C of the APS 310/3PS 310 opinion and conclusions.

In circumstances where the appointed auditor conclude that information reported in ADI Reporting Forms is not in accordance with the relevant APRA Prudential and Reporting Standards, the appointed auditor discusses the matter with management and, depending how it is resolved, determines whether, and how, to communicate the matter in the auditor’s assurance report.

ASAE 3150 sets out the requirements and provides guidance to the appointed auditor to assist in evaluating evidence and forming a conclusion on controls.

In accordance with ASAE 3150, the appointed auditor accumulates uncorrected:

1. deficiencies in the suitability of the design of controls to achieve the relevant control objectives;
2. deficiencies in the implementation of controls as designed; and
3. deviations in the operating effectiveness of controls as designed.

The appointed auditor evaluates, individually and in aggregate, whether internal control deficiencies and deviations that have come to the auditor’s attention are material. The auditor exercises professional judgement, having regard to the intended users of the auditor’s assurance report. Materiality is to be applied in the context of paragraphs 106-110 and 128- 134 of this Guidance Statement.

In evaluating the severity of identified internal control deficiencies, the appointed auditor considers, based on materiality:

1. the likelihood that the relevant internal controls may fail to prevent or detect:
   1. non-compliance with a Prudential Requirement; or
   2. a misstatement in the data being provided to APRA in ADI Reporting Forms; and
2. the magnitude of the potential resulting non-compliance with a Prudential Requirement on the ADI’s overall compliance with applicable Prudential Requirements; and
3. the magnitude of the potential misstatement resulting from the internal control deficiency on the information reported in the ADI Reporting Forms.

The evaluation of the severity of a deficiency in internal control does not depend on whether a misstatement or non-compliance with a Prudential Requirement has actually occurred, but rather the likelihood that the ADI’s controls may fail to prevent or detect a material misstatement or material non-compliance with a Prudential Requirement.

As noted above, the auditor is not required to use RPG 702.0 benchmarks as materiality thresholds for planning the scope of the assurance engagement. However, where the auditor identifies reporting errors as defined by RPG 702.0 it is expected that this be taken into consideration in assessing the adequacy of the design, implementation, and operating effectiveness of controls around data quality.

The auditor considers how the ADI has incorporated RPG 702.0 thresholds and other relevant guidance, for example CPG 235, into their data risk management processes. Should an ADI identify errors that have occurred in relation to EFS reporting that exceed the data quality benchmarks, this may be indicative of a control environment that is not appropriately designed, implemented or operating effectively to ensure entities have provided reliable data to APRA. In these instances, the auditor would be expected to assess the nature of the error, whether deficiencies in the control environment contributed to the error, and what subsequent changes have occurred (if any) to address such deficiencies and/or deviations. Where such deficiencies exist, the significance of these would need to be considered against Parts A, B and C of the APS 310/3PS 310 opinion and conclusions.

EFS reporting introduces new concepts and data that may not, historically, have been subject to an ADI’s risk management framework in accordance with the expectations of RPG 702.0 and CPG 235. Therefore, whilst an ADI may have implemented additional processes and controls that address the reliability of information for the front book, for example, loans originated since the implementation of EFS reporting, the accuracy of the back book (existing portfolio) with respect to RPG 702.0 and CPG 235 remains uncertain. In these instances, the auditor will need to assess the significance of the matter and its impact on Parts B and C of the APS 310 conclusion.

Resubmission of data and reporting forms by an entity will require the auditor to exercise professional judgement, taking into consideration the nature and cause of the resubmission, in evaluating whether misstatements are material or if the resubmissions are indicative of a control environment that is not appropriately designed, implemented or operating effectively to ensure entities have provided reliable data to APRA.

Generally, the occurrence of even a single resubmission of a material nature due to error, or multiple non-material resubmissions of a recurring nature, may indicate a weak or inadequate control environment exists and, hence, may require modification of the Part C conclusion and, potentially, also the Part A opinion and Part B conclusion, where the impacted forms include Specified ADI Reporting Forms.

Notwithstanding, there may be instances where an ADI will resubmit reporting forms for reasons other than an error associated with its reporting process, such as changes or clarifications in APRA interpretations. Where resubmissions are not the result of errors, the auditor may determine that there is no impact on the opinion, with reporting of resubmissions limited to an appendix to the APS 310/3PS 310 report.

Where material breakdowns in controls are identified which results in a modification^[98] to Part C of the auditor’s conclusion, the auditor will need to assess the impact on procedures performed under Parts A and B of the APS 310/3PS 310 engagement. There may be instances where the auditor is able to perform additional substantive procedures to address the risks associated with a control deficiency and/or deviation that will support an unmodified opinion for Parts A and B of the report, but result in a qualification to Part C.

The auditor accumulates instances of non-compliance, other than those that are clearly trivial, identified in undertaking the reasonable and limited assurance engagements on Specified ADI Reporting Forms (Parts A and B) and the limited assurance engagement on internal controls (Part C), in order to form a conclusion.

The APS 310/3PS 310 requirement to report matters of non-compliance to APRA on an annual basis, is in addition to the reporting obligations under section 16BA of the Banking Act, which requires certain matters to be reported to APRA immediately and certain other matters to be reported to APRA as soon as is practicable.^[99]

In determining whether a failure to comply with Prudential Requirements is or will be significant, the appointed auditor considers the factors listed in subsection 16BA(7) of the Banking Act, namely:

1. the number or frequency of similar failures;
2. the impact the failure has or will have on the ADI’s ability to conduct its business;
3. the extent to which the failure indicates that the ADI’s arrangements to ensure compliance with the Banking Act, the Prudential Standards or the Regulations might be inadequate;
4. the actual or potential financial loss arising, or that will arise from the failure, to the depositors of the ADI or to the ADI; and
5. any matters prescribed by the Regulations for the purposes of this subsection of the Banking Act.

The significance of a matter is to be judged by the appointed auditor in the context in which it is being considered, taking into account both quantitative and qualitative factors. This may, for example, include consideration of the significance of the potential impact of the non-compliance rather than the actual impact.

Furthermore, it is possible that an instance of non-compliance, which is not significant in isolation, may become so when considered in totality with other identified instances of non-compliance.

Where the appointed auditor considers identified instances of non-compliance as being potentially significant to the ADI as a whole and/or to its depositors’ interests, or where the matter may be considered important by APRA in performing its functions under the Act, then the identified instance of non-compliance is a matter to be reported to APRA.

Matters likely to prejudice materially the interests of depositors are related generally to capital adequacy, solvency and going concern matters, for example, the ADI’s compliance with minimum capital levels as per APRA Prudential Standard APS 110. In assessing whether the interests of depositors may be prejudiced materially, the appointed auditor considers not only a single activity or a single deficiency in isolation, as depositors’ interests may be prejudiced materially by a number of activities or deficiencies which, although not individually material, do amount to a material threat when considered in totality. Similarly, it is possible that a breach in compliance, although not significant in isolation, may become so when considered in the context of other possible breaches.

In order to conclude on an ADI’s and/or ADI group’s compliance with all relevant Prudential Requirements, the appointed auditor considers the existence of relevant matters, that may indicate instances of non-compliance, throughout the reporting period and up to the date of signing the auditor’s assurance report.

The appointed auditor’s review of subsequent events may include the following procedures:

• reading minutes of the ADI’s Board, as well as minutes of any sub committees responsible, for example, for risk, compliance and audit, held after balance date and enquiring about matters discussed at these meetings for which minutes are not yet available;
• examining the ADI’s breach registers up to the date of the auditor’s assurance report; and
• enquiring of the ADI’s management as to whether any subsequent events have occurred which might represent non-compliance with relevant Prudential Requirements.

The appointed auditor reports instances of significant non-compliance which have not previously been reported to APRA by the appointed auditor. This will include matters the ADI indicated it was notifying, and which an auditor relied upon as a reason for the auditor not notifying APRA.^[100]

Due to the inherent limitations of any internal control and compliance framework it is possible that, even if controls are suitably designed and operating effectively, the control objectives may not be achieved and that fraud, errors, or non-compliance with Prudential Requirements may occur and not be detected. As the systems, procedures and controls to ensure compliance with Prudential Requirements are part of the ADI’s operations, it is possible that either the inherent limitations of the internal control structure, or weaknesses in it, may impact on the effective operation of the ADI’s specific control procedures.

Further, due to the nature of assurance engagement procedures and other inherent limitations of a these engagements, there is a possibility that a properly planned and executed engagement may not detect all errors or omissions in ADI Reporting Forms, deficiencies and/or deviations in controls, or instances of non-compliance with Prudential Requirements.

As explained in ASAE 3000, a limited assurance engagement is substantially less in scope than a reasonable assurance engagement. In a reasonable assurance engagement, as the auditor’s objective is to provide a high, but not absolute, level of assurance, the auditor uses more extensive audit procedures than in a limited assurance engagement. A limited assurance engagement therefore does not provide all the evidence required in a reasonable assurance engagement and, consequently, the level of assurance provided is less than that given in a reasonable assurance engagement.

The appointed auditor performs procedures appropriate to provide limited assurance in relation to internal controls existing at the date of the engagement, and whether those controls have operated as documented throughout the financial year. Projections of any evaluation of internal control procedures or compliance measures to future periods are subject to the risk that control procedures may become inadequate because of changes in conditions after the auditor’s annual prudential assurance report is signed, or that the degree of compliance may deteriorate. Furthermore, assurance engagement procedures on accounting records and data relied on for reporting and compliance are not performed continuously throughout the period and procedures performed are undertaken on a test basis only.

Consequently, there are inherent limitations on the level of assurance that can be provided.

Prior to issuing the auditor’s annual prudential assurance report, the appointed auditor considers obtaining written representations^[101] from responsible management and, where appropriate, those charged with governance of the ADI and/or ADI group, as are considered appropriate to matters specific to the ADI and/or ADI group. Separate representation letters may be requested for the purposes of reporting under APS 310, 3PS 310 and APS 910.

These written representations are generally in the form of a representation letter. In obtaining and using these written representations, the appointed auditor complies with the requirements of, as appropriate, AUASB standards ASA 580^[102], ASRE 2405, ASAE 3000, ASAE 3150 and ASAE 3450.

Refer to Appendix 3 of this Guidance Statement for an illustrative example of the format of a representation letter, as well as examples of representations that may be considered appropriate in the specific engagement circumstances.

It is the responsibility of the appointed auditor to make the ADI aware, as soon as practicable, of any identified material misstatements in ADI Reporting Forms, material deficiencies and/or deviations in internal controls and instances of material non-compliance arising from the prudential reporting engagement.

Such communications are made as soon as practicable, either orally or in writing. The appointed auditor’s decision whether to communicate orally or in writing ordinarily is affected by factors such as the nature, sensitivity and significance of the matter to be communicated and the timing of the communications. If the information is communicated orally, the appointed auditor needs to document the communication.

When, in the appointed auditor’s judgement, those charged with governance do not respond appropriately within a reasonable period of time, the appointed auditor considers whether to modify the auditor’s annual prudential assurance report.

It is important that the appointed auditor understands their additional statutory responsibilities to report certain matters to APRA under the Banking Act. Failure to notify APRA as required represents criminal offences, which attracts criminal penalties.^[103]

Material findings (misstatements, control deficiencies and/or deviations and non-compliance) are reported to APRA and the ADI’s Board (or Board Audit Committee) as modifications to the appointed auditor’s assurance report.

Under Auditing Standard ASA 260 Communication with Those Charged With Governance, ASA 265 Communicating Deficiencies in Internal Control to Those Charged with Governance and Management and ASAE 3000, the appointed auditor communicates relevant matters of governance interest arising from the engagement to those charged with governance on a timely basis. Examples of such matters may include:

• The general approach and overall scope of the engagement, or any additional requirements.
• Fraud or information that indicates that fraud may exist.
• Significant deficiencies and/or deviations in internal controls identified during the engagement. A significant deficiency is a deficiency or combination of deficiencies in internal control relevant to the engagement that, although not material, in the appointed auditor’s professional judgement is of sufficient importance to merit the attention of those charged with governance.
• Disagreements with management about matters that, individually or in aggregate, could be significant to the engagement.
• Expected modifications to the auditor’s prudential assurance report.

The appointed auditor informs those charged with governance of the ADI of those uncorrected misstatements, other than clearly trivial amounts, aggregated by the appointed auditor during and pertaining to the engagement that were considered to be immaterial, both individually and in the aggregate, to the assurance engagement.

Under APS 310 and 3PS 310, if requested by APRA, the appointed auditor submits directly to APRA all assessments and other material associated with the auditor’s report, such as management letters issued by the appointed auditor to the ADI which contain material findings relating to the auditor’s prudential assurance report(s).

The appointed auditor evaluates the evidence obtained in conducting the assurance engagement as the basis for the auditor’s opinion/conclusions as required under APS 310, 3PS 310 and APS 910, as applicable.

If the appointed auditor:

1. concludes that a material misstatement, internal control deficiency or deviation, and/or non-compliance exists; or
2. is unable to obtain sufficient appropriate assurance evidence to conclude whether a material misstatement, internal control deficiency or deviation, and/or non-compliance may exist,

the appointed auditor modifies the auditor’s opinion/conclusions, and includes a clear description of the reasons in the assurance report, in accordance with the requirements of, as appropriate, ASA 705 and other applicable AUASB Standards.^[104]

As required under APS 310, 3PS 310 and APS 910, the appointed auditor of an ADI and ADI Group generally reports simultaneously to APRA and the ADI’s Board (or Board Audit Committee)^[105], within three^[106] months of the end of the financial year of the ADI.

In accordance with the requirements of APS 310 and 3PS 310, where an ADI is the head entity of a Level 2 or Level 3 group, the auditor issues either separate reports for, as applicable, Level 1, Level 2 and Level 3, or a combined report for the ADI (head entity) and the group. The auditor’s report must make it clear where the auditor is referring to matters relating to the ADI (head entity) or the group.

To avoid the possibility of the assurance report being used for purposes for which it was not intended, the appointed auditor ordinarily indicates in the auditor’s report the purpose for which the report is prepared and any restrictions on its distribution and use.

The appointed auditor prepares the prudential assurance report(s) in accordance with the relevant AUASB Standards applicable to each part of the engagement. AUASB Standards do not prescribe a standardised format for reporting on all assurance engagements. Instead, these Standards identify the basic elements required to be included in the assurance report. The ‘short form’ auditor’s report ordinarily includes only the basic elements. In relation to reasonable and limited assurance subject matters of this Guidance Statement, APRA has prescribed the form of the assurance report.

When expressing an opinion on historical financial information prepared in accordance with a compliance framework, ASA 805 would ordinarily require the auditor's opinion to state that the subject matter is prepared, in all material respects, in accordance with the applicable reporting framework.^[107] However, as APRA’s Prudential Standards mandate that the appointed auditor must provide an opinion on whether the financial information included in the Part A Specified ADI Reporting Forms is reliable and in accordance with the relevant APRA Prudential Standards and Reporting Standards, this form of opinion has been adopted in the Appendix 4 assurance report.

ASA 805 also requires that application of the financial reporting framework result in a presentation that provides adequate disclosures to enable the intended users to understand the information conveyed in the report.^[108] The general concept of reliability would not ordinarily be adequate to satisfy the requirements of ASA 805. However, as set out in paragraphs 93-97 of this Guidance Statement, APRA has specified a frame of reference for the auditor to evaluate the concept of reliability for the purposes of forming an opinion on the Part A Specified ADI Reporting Forms.

The principles set out in paragraphs 281 and 282 also apply to the appointed auditor’s conclusion on the financial information included in the Part B Specified ADI Reporting Forms, where the auditor is required to provide limited assurance, in accordance with the reporting requirements of ASRE 2405^[109], that such information is reliable and in accordance with the relevant APRA Prudential and Reporting Standards.

APRA has agreed the prescribed form of the assurance report for the purposes of APS 310/3PS 310 and APS 910. In particular as it pertains to Part C and the application of ASAE 3150 requirements, as it may not be practicable for the appointed auditor to fully identify the controls subject to Part C of the APS 310/3PS 310 engagement in the assurance report to the level of detail specified in ASAE 3150, the prescribed form does not require these elements of ASAE 3150^[110]. ASAE 3000 and ASAE 3150 permit an alternative form of assurance report where this is prescribed by regulation and the intended users would not misunderstand the alternative form.^[111] As APRA has agreed the prescribed form and is also the intended user, the form of the assurance reports set out in Appendices 4 and 5 is taken to be in accordance with the requirements of ASAE 3000 and ASAE 3150.

Assurance reports are tailored to the specific assurance engagement circumstances. Although not specifically required, the appointed auditor may consider it appropriate to include other information and explanations that do not directly affect the auditor’s opinion/conclusions, but provide additional useful information to the users (that is, a ‘long form’ style of reporting).^[112] The inclusion of this information depends on its significance to the needs of the intended users. The following are examples of additional information that may be considered for inclusion:

• Disclosure of materiality considerations (materiality levels) applied.
• Significant findings or exceptions relating to aspects of the assurance engagement.
• Recommendations.

The appointed auditor needs to ensure that this additional information is clearly separated from the auditor’s opinion/conclusions, and worded in a manner to ensure that it does not affect the opinion/conclusions. This can be achieved, for example, by including any additional information in a:

1. separate appendix to the auditor’s short form assurance report; or
2. separate section of the auditor’s short form assurance report, under an appropriate heading.^[113].

This will enable users to clearly distinguish this additional information from the auditor’s responsibility to report on the matters identified in APS 310/3PS 310 and APS 910, if applicable.

Refer to Appendix 4 of this Guidance Statement for an illustrative example of the auditor’s annual prudential assurance report, prepared pursuant to APRA’s APS 310 and 3PS 310 annual reporting requirements. The format and content of this report has been approved by APRA as adequate for the purpose of reporting under APS 310/3PS 310.

APS 910 Assurance Report

APRA requires the timing of the annual APS 910 engagement to be aligned with the annual APS 310 engagement. Although there will be some overlap between APS 310/3PS 310 and APS 910 engagements, APRA’s preference is that separate reports be prepared for the APS 310/3PS 310 and APS 910 engagements. APRA indicated that this would facilitate clearer communication with respect to APS 910 matters. The requirement is for these reports to be submitted to APRA at the same time.

Therefore, all APS 910 requirements (compliance and controls) are aggregated into a separate APS 910 auditor’s report and, to avoid duplication, are excluded from the APS 310 report.

Where the APS 910 auditor’s report is modified, this is referred to in the APS 310/3PS 310 auditor’s report and may lead to a modification of the APS 310/3PS 310 auditor’s report.

Refer to Appendix 5 of this Guidance Statement for an illustrative example of the auditor’s annual prudential assurance report, prepared pursuant to APRA’s APS 910 annual reporting requirements. The format and content of this report has been approved by APRA as adequate for the purpose of reporting under APS 910.

APRA Prudential Reporting Requirements

APRA may require an ADI, by notice in writing, to appoint an auditor, who may be the existing auditor or another auditor, as specified in APRA’s notice, to undertake an assurance engagement of:

1. under APS 310/3PS 310, a particular aspect of the ADI’s and/or the ADI group’s operations, prudential reporting, risk management systems or financial position; and/or
2. under APS 910, an ADI’s SCV systems and data, and the systems used to generate and transmit FCS payment instruction and reporting information.

The APRA requirement for an auditor to undertake a special purpose engagement constitutes a separate reporting engagement. The details of the engagement will normally be the subject of a specific request from APRA to the ADI. A separate engagement letter will be issued based on that request.

The appointed auditor’s special purpose engagement assurance report is generally to be submitted simultaneously to APRA and those charged with governance of the ADI and/or ADI group, within three months of the date of the notice commissioning the report, unless otherwise determined by APRA, and advised to the ADI by notice in writing.

Terms of the Engagement

Following the determination by APRA of the specific area to be examined, the appointed auditor, APRA and the ADI agree on the terms of the engagement in accordance with the requirements of applicable AUASB Standards. These arrangements are legally binding and include the required terms of engagement specified in APS 310, 3PS 310 and APS 910, as appropriate.

The appointed auditor accepts the engagement only when satisfied that relevant ethical requirements relating to the assurance engagement have been met. The concept of independence is important to the appointed auditor’s compliance with the fundamental ethical principles of integrity and objectivity and the auditor must be able to meet the independence requirements stipulated under both CPS 510 and ASA 102. Furthermore, the auditor needs to satisfy the fitness and propriety requirements specified in CPS 520.

An engagement letter^[114] confirms both the client’s and the appointed auditor’s understanding of the terms of the engagement, helping to avoid misunderstanding, and the auditor’s acceptance of the appointment. Both parties sign the engagement letter to acknowledge that it is a legally binding contract.

To ensure that there is a clear understanding regarding the terms of the engagement, the following are examples of matters to be agreed:

• APRA is to identify the scope of the ADI’s operations, prudential reporting, risk management or financial position to be the subject of the engagement.
• The appointed auditor, APRA and the ADI are to agree on the objectives of the engagement, key features and criteria of the area(s) to be examined, and the period to be covered by the engagement.
• APRA is to identify clearly the level of assurance required, that is, limited or reasonable assurance.
• The format of reports required (for example, long and/or short form reports) or other communication of results of the engagement.
• Responsibility of those charged with governance for the subject matter of the engagement.
• Understanding of the inherent limitations of an assurance engagement.

Format of Reporting Requirements

The appointed auditor has regard to the requirements, guidance and illustrative examples of reports provided in relevant AUASB Standards - ASAs, ASREs and ASAEs, as applicable, when preparing the special purpose assurance report. These Standards do not require a standardised format for special purpose reporting under APS 310, 3PS 310 or APS 910. Instead, these Standards identify the basic elements to be included in the auditor’s report. The format of the special purpose assurance report may vary depending on the type of engagement: that is, reasonable or limited assurance, as well as the subject matter and the findings.

Ordinarily, the appointed auditor adopts a long form style of reporting and the report may include a description of the terms of the engagement, materiality considerations applied, the assurance approach, findings relating to particular aspects of the engagement and, in some cases, recommendations.

The appointed auditor’s assurance report is to be restricted to the parties that have agreed to the terms of the special purpose engagement, namely the ADI and APRA, as well as other parties that APRA is lawfully entitled to share the information with.

It is important that the auditor of an ADI recognises and understands their additional responsibilities under sections 16B, 16BA and 16C of the Banking Act, imposed on any auditor^[115] of an ADI, an authorised NOHC, or their subsidiaries, to provide information to APRA upon request, or where the auditor possesses reportable information specified in that Act, or where the auditor considers that the provision of information would assist APRA in performing its functions under the Banking Act or the FSCODA. Failure to notify APRA as required represent criminal offences, which attracts criminal penalties.^[116]

Under the Banking Act, these matters are to be reported to APRA in writing and within specified time periods.

Sections 16B, 16BA and 16C of the Banking Act is applicable to all and any auditor of an ADI, authorised NOHCs, or their subsidiaries, not only to auditors appointed by an ADI to meet the prudential requirements under APS 310.

In relation to reporting under sections 16B and 16BA of the Banking Act, there is no requirement for the appointed auditor of an ADI to carry out additional work to satisfy the auditor with respect to the above matters. The appointed auditor reports to APRA on the basis of, for example:

1. information obtained during the course of the auditor’s financial report audit [and review] under the Corporations Act;
2. additional reasonable and limited assurance procedures undertaken for APRA prudential reporting purposes (pursuant to APS 310 and 3PS 310, or in accordance with the requirements of another specific APRA Prudential Standard);
3. other audit work undertaken at the ADI (for example, Australian Financial Services Licence audits); and
4. the appointed auditor’s current knowledge of the ADI’s affairs at the time of issuing the auditor’s assurance report.

In circumstances where the appointed auditor identifies that a reportable matter may exist, the auditor carries out such additional work as considered appropriate, to determine whether the facts and circumstances provide reasonable grounds for believing that the matter does in fact exist. In reaching this conclusion, the auditor exercises professional judgement and seeks appropriate legal advice if necessary.

The ADI may also notify APRA of the matter(s) identified by the appointed auditor, and provide details of any action(s) taken, or to be taken, in response. However, such notification by the ADI does not relieve the appointed auditor of the statutory obligation to report directly to APRA.

As this Guidance Statement relates to Australian legislative requirements, there is no equivalent International Standard on Auditing or International Auditing Practice Note to this Guidance Statement.