When planning and performing an assurance engagement, whether the engagement is being conducted under ASA 805, ASRE 2405, ASAE 3000 or ASAE 3100, the RSE auditor considers materiality.^[8] The materiality levels set (overall and performance materiality) will determine the nature, timing and extent of risk assessment and further assurance procedures to be performed on the subject matter, whether it be account balances or disclosures in the APRA annual returns under the FSCOD Act, internal controls or compliance matters. During the engagement the RSE auditor reassesses materiality if matters come to their attention that indicate that the basis on which materiality was assessed has changed.

In determining materiality, the RSE auditor applies professional judgement to understand and assess what factors might influence the decisions of the regulator and other intended users and the magnitude and nature of misstatements, nondisclosures or compliance breaches which may adversely affect decisions made by those users. Where particular types of accounts, disclosures or compliance matters may have a greater impact on the decisions of users, materiality may need to be set lower for those amounts or matters.

Materiality is determined in the same way whether the engagement is a reasonable or limited assurance engagement. The difference between limited and reasonable assurance engagements lies in the nature, timing and extent of evidence gathering procedures, which will differ in order to reduce the risk of a material misstatement or compliance breach remaining undetected to an acceptably low level, in the case of a reasonable assurance engagement, or to a limited level, in the case of a limited assurance engagement. The risk of material misstatements or compliance breaches in a limited assurance engagement is not reduced to the same extent as in a reasonable assurance engagement, because of the more limited nature, timing and extent of procedures conducted. In a limited assurance engagement, the RSE auditor seeks to obtain a meaningful level of assurance, which is likely to enhance the intended users’ confidence about the subject matter to a degree that is clearly more than inconsequential.

Although there is a greater risk that misstatements, control deficiencies or instances of noncompliance may not be detected in a limited assurance engagement than an reasonable assurance engagement, the judgement as to what is material is made by reference to the subject matter on which the auditor is reporting and the needs of those relying on that information, as opposed to the level of assurance obtained.

Reasonable and/or Limited Assurance on APRA Annual Returns

In applying ASA 320, ASA 805 and ASRE 2405, as appropriate, to individual APRA annual returns, the auditor has regard to the nature, purpose and use of the information included in each annual return. The collection and analysis of data in specified annual returns is a critical component of APRA’s supervisory function. APRA collects data from RSEs (and other APRAregulated entities) for a broad range of reasons some of which may include:

1. verify compliance with prudential requirements (e.g. solvency and adequacy of ORFR target amounts and tolerance limit requirements);
2. understand the operations of the entity and the industry;
3. identify emerging issues in both the entity and the industry;
4. pass on data to other government agencies; and
5. provide information on the finance sector to research organisations and the general public.

The RSE auditor determines:

1. materiality for the report or application as a whole and, if appropriate, materiality for particular classes of accounts or disclosures, for assessing misstatements; and
2. performance materiality, for assessing the risks of material misstatement and determining the nature, timing and extent of further procedures.

Materiality is to be addressed in the context of the RSE’s objectives relevant to the particular reporting standard being examined and whether the internal controls will reduce to an acceptable level the risks that threaten achievement of those objectives. These objectives are developed having regard to the protection of the interests of the members and beneficiaries as a whole and prospective members of the RSE. AASB 1031 Materiality may provide useful guidance to the RSE auditor with regard to matters likely to adversely affect the interests of members which generally relate to solvency and going concern assumptions.

Reasonable Assurance on Compliance

APRA expects the RSE auditor to consider each compliance requirement contained in paragraph 19(a)(iii) of SPS 310 individually when applying materiality considerations to form an audit opinion.

Where the RSE auditor identifies any instance whereby the requirements of paragraph 19(a)(iii) of SPS 310 or any other requirement of the law referred to in section 129 of the SIS Act has been contravened or is being contravened or is likely to be contravened, under the SIS Act the RSE auditor is required to report that noncompliance to the trustees of the RSE in writing. If the contravention may affect the interests of members or beneficiaries of the entity, then the RSE auditor is required under the SIS Act to report that instance of noncompliance to APRA.^[9]

Where the RSE licensee is already aware of a matter or instance of noncompliance, and has informed the trustee of the RSE of the matter or instance of noncompliance, the RSE auditor is not required under the SIS Act to report the matter or instance to the trustee of the RSE. The RSE auditor need not report the matter to APRA where the RSE auditor reasonably concludes that another RSE auditor or actuary has already appropriately communicated the noncompliance to APRA.^[10]

Matters or instances of noncompliance under section 129 of the SIS Act refer not only to past and present matters or instances but also reasonably possible future matters or instances that the RSE auditor may become aware of whilst conducting an audit or review for which they are engaged during any year of income.

The RSE auditor exercises professional judgement in considering materiality appropriate to the RSE’s circumstances, having regard to their obligations, the purpose and terms of the specific engagement, together with the size, business mix and complexity of the RSE’s business operations.

When considering materiality in relation to compliance, both quantitative factors, that is the magnitude of the amounts, the period of time between the required time for compliance and actual fulfilment of the requirement, whether the matter is part of a systemic issue and qualitative factors, such as how the information will be used or how close the reported amounts are to applicable thresholds, are taken into account by the RSE auditor.

Limited Assurance on Internal Controls and Compliance

In accordance with ASAE 3000 and other applicable assurance standards, when reviewing internal controls, the RSE auditor assesses materiality in the context of the RSE licensee’s objectives relevant to the particular area of activity being examined, and whether the internal controls will reduce to an acceptably low level, the risks that threaten achievement of those objectives.

In assessing materiality, the RSE auditor has regard to the measures the RSE licensee has adopted to ensure:

1. compliance with all applicable prudential requirements;
2. reliable data is provided to APRA in all APRA Annual Returns prepared under the FSCOD Act; and
3. there operating effectiveness throughout the year of income.

ASAE 3100 sets out the requirements and provides guidance to the RSE auditor in applying materiality in the context of a compliance engagement.

Overall Materiality

Performance materiality is usually set below the overall materiality so that the aggregated uncorrected or undetected misstatements is not likely to exceed overall materiality. If only one source is reported, it may be appropriate for performance materiality to be set at the same amount as overall materiality. It is not simply a mechanical calculation but involves the exercise of professional judgement.

Overall, materiality and performance materiality, including the percentages and tolerances on which they are based, are documented in the engagement plan.

When identifying and assessing risks of material misstatement or compliance breach as a basis for designing and performing further assurance procedures, the RSE auditor does so at the reporting standard level or the individual compliance requirement level, and for reasonable assurance engagements, also at the assertion level for material classes of transactions, accounts, disclosures or compliance matters.

Factors impacting the risk assessment for engagements under SPS 310 may include:

1. the reliability of the reporting systems;
2. the risk culture of the RSE;
3. the adequacy of systems and controls to identify, assess, manage, mitigate and monitor material risks;
4. history of non compliance by the RSE licensee;
5. reported concerns regarding the RSE licensee as communicated by APRA;
6. the estimation and uncertainty inherent in the measurement methodologies applied by the RSE;
7. any bias inherent in the measurement methodologies adopted by the RSE;
8. level of change in the RSE licensee's business operation’s or environment.

The RSE auditor designs and performs further assurance procedures which are responsive to assessed risks of material misstatement or material compliance breach. The assurance procedures performed on any particular engagement is a matter of professional judgement and the nature, timing and extent of procedures will vary widely due to the different circumstances of each engagement. The RSE auditor chooses a combination of assurance procedures, which may include: inspection, observation, confirmation, recalculation, reperformance, analytical procedures and enquiry. Irrespective of the assessed risks of material misstatement or material compliance breach, the RSE auditor designs and performs test of details for each material source of accounts, class of transaction, disclosures or compliance matter. In designing these tests the RSE auditor needs to consider the risks of material understatement, particularly with respect to immaterial amounts reported, or risk of material omission.

Work Effort for a Limited versus Reasonable Assurance Engagement

ASAE 3000 clearly differentiates between the work which is required to be conducted for a limited versus a reasonable assurance engagement. However, the nature, timing and extent of evidence gathering procedures which are conducted in any given circumstance is a matter of professional judgement and is determined in response to the RSE auditor’s determination of materiality, the risk assessment and the results of the procedures conducted in response to assessed risks. As the level of assurance obtained in a limited assurance engagement is lower than in a reasonable assurance engagement, the procedures the RSE auditor will perform will vary in nature from and will be less in extent than for a reasonable assurance engagement. In a limited assurance engagement procedures primarily involve enquiries and substantive analytical procedures and may not include tests of controls.

Although procedures in a limited assurance engagement will be more limited in nature, timing and extent than for a reasonable assurance engagement, ASAE 3000 and ASAE 3100^[11] require additional procedures to be conducted if the RSE auditor becomes aware of a matter which causes them to believe the subject matter may be materially misstated or there may be a material compliance breach. The RSE auditor may conduct procedures more akin to a reasonable assurance engagement on this particular matter in order to satisfy themselves that either the subject matter is not likely to be materially misstated or noncompliant or it is materially misstated or noncompliant.

In a reasonable assurance engagement, procedures will include tests of controls as well as tests of detail. When conducting a reasonable assurance engagement, if the RSE auditor is able to obtain evidence that the controls they wish to rely on are operating effectively, then the nature, timing and extent of tests of details may be reduced or modified. If reliance is to be placed on the operating effectiveness of controls throughout the period, then testing will need to cover that period. Alternatively, if the identified controls are not operating effectively, then the nature, timing or extent of tests of details will need to be increased or modified.

ASA 805, ASRE 2405, ASAE 3000 and ASAE 3100^[12] require the RSE auditor to obtain an understanding of the entity and its environment and identify and assess the risk of material misstatement or compliance breach in order to plan the engagement. In gaining this understanding, the RSE auditor can draw on knowledge gained as part of the annual financial statement audit^[13] conducted under the SPS 310, however this understanding would need to be updated^[14] and broadened to meet the requirements of an SPS 310 engagement. ASAE 3100^[15] provides a list of matters to be considered by the RSE auditor in understanding the entity and the compliance framework. It is likely the RSE auditor will conduct the following procedures in obtaining that increased understanding and assessing risk: enquiries, analytical procedures and observation and inspection.

For a limited assurance engagement, the RSE auditor does not normally develop the depth of understanding of internal controls as is required in a reasonable assurance engagement and so gaining that understanding may be limited to enquiries.

The assessment of risk is directed at identifying those risks that may result in either the subject matter being materially misstated, or, for a compliance engagement, the existence of material breaches of the relevant requirements.

Considerations relating to the RSE Licensee using a service organisation

In auditing the RSE licensee, it is likely that the RSE auditor will consider service organisations providing services such as administration and custody. Such organisations typically provide Type 1 or Type 2 service organisation auditor's report under ASA 402 Audit Considerations Relating to an Entity Using a Service Organisation.

In accordance with ASA 402, the RSE auditor would obtain an understanding of the following:

1. the nature of the services provided by the service organisation and the significance of those services to the RSE licensee, including the effect thereof on the RSE licensee’s internal control;
2. the nature and materiality of the transactions processed or accounts or financial reporting processes affected by the service organisation (and subservice organisation, where applicable);
3. the degree of interaction between the activities of the service organisation and those of the RSE licensee;
4. the nature of the relationship between the RSE licensee and the service organisation, including the relevant contractual terms for the activities undertaken by the service organisation; and
5. the design and implementation of relevant controls at the RSE licensee that relate to the services provided by the service organisation, including those that are applied to the transactions processed by the service organisation.

Where audit evidence over relevant assertions is to be obtained from either a Type 1 or Type 2 service organisation auditor's report under ASA 402, the RSE auditor needs to:

1. evaluate the service auditor's professional competence and independence from the service organisation; and
2. evaluate the adequacy of the standards under which the Type 1 or 2 service auditor's report is to be/was issued.

Where audit evidence relating to controls design, implementation and operating effectiveness is to be obtained from either a Type 1 or Type 2 service organisation auditor's report under ASA 402, the RSE auditor needs to:

1. determine whether complementary user entity controls identified by the service organisation are relevant to the RSE licensee; and
2. to the extent they are relevant, obtain an understanding of whether the user entity has designed and implemented such controls and, if so, plan to test their operating effectiveness, as appropriate.

SPS 510 requires the RSE to have in place an independent and adequately resourced internal audit function.^[16] SPS 510 and APRA Prudential Practice Guide SPG 200 Risk Management set out the requirements and provide guidance to RSEs in relation to internal audit.

When the RSE auditor is considering the scope and work involved in assurance engagements under SPS 310, APRA expects the RSE auditor to consider the extent to which the work of the internal audit function is likely to be relevant in the context of the engagement. Auditing Standard ASA 610 Using the Work of Internal Auditors, sets out the requirements and provides guidance to the RSE auditor in considering the activities of the internal audit function and evaluating the effect, if any, on audit procedures.