Report on Reasonable Assurance Requirements by the RSE Auditor

Includes: Reporting Requirements, Reasonable Assurance on Historical Financial/APRA Annual Returns (ASA 805), Reasonable Assurance on Compliance (ASAE 3100 or ASAE 3000), Format of Reporting Requirements

Reporting Requirements

71

SPS 310 paragraph 19(a) states the RSE auditor’s report at a minimum is required to provide:

  1. reasonable assurance:
    1. on the APRA Annual Returns under the FSCOD Act as outlined in Attachment B to SPS 310; and
    2. on compliance with provisions of the SIS Act, SIS Regulations, Corporations Act, Corporations Regulations, FSCOD Act, and additional conditions imposed under section 29EA of the SIS Act.

Reasonable Assurance on Historical Financial/APRA Annual Returns (ASA 805)

72

In performing the reasonable assurance engagement on the APRA Annual Returns of the RSE, the RSE auditor is required to comply with all Australian Auditing Standards relevant to a reasonable assurance engagement of other historical financial information.

Audit Evidence

73

The RSE auditor obtains sufficient appropriate audit evidence[17] as part of a systematic process that includes:

  1. obtaining an understanding of the specified APRA annual returns and individual data items included in these annual returns (subject matter), the intended use of the information included in the annual returns by the intended users, and the prudential requirements applicable to the preparation and submission of the annual returns.
  2. obtaining an understanding of the RSE licensee’s system of internal control and the compliance function.
  3. evaluating the controls over the preparation and compilation of the APRA annual returns.
  4. assessing the risk that information in the APRA annual returns may be materially misstated.
  5. responding to assessed risks and determining the nature, timing and extent of further evidence gathering procedures.
  6. performing further evidence gathering procedures clearly linked to the identified risks.
  7. evaluating the sufficiency and appropriateness of evidence.

74

The RSE auditor exercises professional judgement in determining the nature, timing and extent of reasonable assurance procedures to gather sufficient appropriate evidence on which to base the reasonable assurance opinion.

75

A controls-based assurance approach is often the most appropriate approach to adopt in these circumstances. However, where the RSE auditor determines that a material weakness exists in the RSE licensee’s internal controls designed to ensure reliable data is provided to APRA in the APRA Annual Returns, and/or where the RSE auditor makes a determination based on effectiveness and/or efficiency, a substantive approach may be more appropriate.

76

Reasonable assurance procedures for obtaining audit evidence include, but are not limited to, testing of specific controls aimed at ensuring the data in the APRA annual returns is reliable and prepared in accordance with APRA Prudential Standards and Reporting Standards. Reasonable assurance procedures may include observation, inspection, confirmation, recalculation, reperformance, analytical procedures, enquiry, obtaining independent corroborating information, testing of controls over the compilation of the APRA annual returns, testing of controls over the extraction of data from the underlying accounting records (including all relevant year-end adjustments) and obtaining management representations.

Evaluation of Findings

77

The RSE auditor evaluates, individually and in the aggregate, whether uncorrected misstatements that have come to the RSE auditor’s attention are material to the reported information.[18] Materiality is to be applied in the context of paragraphs 38-44 of this Guidance Statement.

78

In evaluating whether or not the specified data in the APRA annual returns is, in all material respects, reliable and in accordance with the relevant APRA prudential and reporting standards, the RSE auditor exercises professional judgement, having regard to both the user and intended uses of the information in the APRA annual returns.

79

The magnitude of a misstatement alone is only one factor used to assess the materiality of a misstatement. The RSE auditor evaluates each identified misstatement in the context of information relevant to users of the APRA annual return, by considering qualitative factors and the circumstances in which each misstatement has been made.

80

The RSE auditor may designate an amount below which misstatements need not be aggregated, because the RSE auditor expects that the aggregation of such amounts clearly would not have a material effect on the reported information. In doing so, the RSE auditor needs to consider the fact that the materiality of misstatements involves qualitative as well as quantitative considerations and that misstatements of a relatively small amount could nevertheless have a material effect on the reported information.

81

In circumstances where the RSE auditor may conclude that information reported by the RSE licensee is not in accordance with the relevant APRA Prudential reporting standards, the RSE auditor discusses the matter with management and, depending on how it is resolved, determines whether, and how, to communicate the matter in the auditor’s reasonable assurance report.

Reasonable Assurance on Compliance (ASAE 3100 or ASAE 3000)

82

In performing the audit on the compliance requirements as specified above in paragraph 71 and reported under Part 2 - Independent Auditor’s Reasonable Assurance report on APRA Annual Return and Compliance: Part (B) Compliance, the RSE auditor is required to consider the requirements in ASAE 3000 and ASAE 3100.

Audit Evidence

83

In a compliance engagement, evidence may be gathered through enquiry and observation, tests of controls, substantive testing, and representations received from management.[19] The amount of evidence from each source which is assessed by the RSE auditor to constitute sufficient, reliable evidence to reduce compliance engagement risk to an acceptable level is a matter for the RSE auditor’s professional judgement.

84

In a compliance engagement, sufficient appropriate evidence is obtained as part of an iterative, systematic engagement process involving:

  1. obtaining an understanding of the RSE licensee’s business operations and its compliance environment which includes the key elements of the entity’s compliance framework;
  2. obtaining an understanding of the prudential requirements, and other engagement circumstances, which includes obtaining an understanding of internal controls over the preparation of the subject matter, evaluation of design, implementation and testing the effectiveness of controls that are relevant to the engagement;
  3. obtaining an understanding of the internal compliance function where appropriate and any relevant testing of compliance controls performed as part of that function during the period, and evaluating the results of this testing, the level of reliance that can be placed on this work and the impact on further control and substantive procedures;
  4. based on the understanding acquired under items 1, 2 and 3, assessing the risks that the RSE licensee may be non-compliant with requirements as specified under Part 2 - Independent Auditor’s Reasonable Assurance report on APRA Annual Return and Compliance: Part (B) Compliance;
  5. responding to assessed risks, including developing overall responses, and determining the nature, timing and extent of further procedures; and
  6. performing further evidence gathering procedures clearly linked to the identified compliance engagement risks, using a combination of inspection, observation, confirmation, recalculation, reperformance and enquiry. Such further evidence gathering procedures may involve substantive procedures, including obtaining corroborating information from sources independent of the entity, and depending on the nature of the activity or subject matter, tests of the operating effectiveness of controls.

85

In a compliance engagement the RSE auditor normally performs a combination of evidence gathering procedures that reflect a strategy to obtain planned levels of assurance from testing of the compliance framework, controls and substantive testing. It is unlikely that sufficient assurance may be obtained from only performing one type of testing. The type and extent of these procedures will be based on the complexity of the RSE licensee, nature of the business operations and initial risk assessment. The types of procedures that may be undertaken are:

  1. walk-throughs and controls testing in key risk areas;
  2. substantive testing; and
  3. enquiries of management and representations.

The results of the above testing are evaluated by the RSE auditor to ensure the evidence gathered is sufficient and appropriate for the purposes of the reasonable assurance engagement.

Evaluation of Findings

86

Where the RSE auditor becomes aware of material deficiencies in the RSE licensee’s compliance framework, they assess the impact on the risk of non-compliance with the prudential requirements as specified in Part 2 - Independent Auditor’s Report on APRA Annual Return and Compliance: Part (B) Compliance, and the implication for planning and performing the engagement.

87

If the RSE auditor becomes aware of material deficiencies in the compliance framework, for example:

  • a limited or inadequate monitoring plan for key compliance controls over the period; and/or
  • a lack of staff training and awareness of the need to identify, assess and report compliance breaches

the RSE auditor needs to consider the following implications:

  • risk of non-compliance being increased;
  • amount and type of evidence gathering procedures to obtain sufficient appropriate evidence; and
  • reporting of material deficiencies to the responsible party and the intended users.

88

The RSE auditor will evaluate any compliance breach with the prudential requirements to determine if the breach is material, and how this may impact on the RSE auditor’s planned engagement approach.

89

The RSE auditor normally considers the following factors in evaluating if a breach of the compliance requirements by the entity is material:

  1. size, complexity and nature of the entity’s activities;
  2. nature of the breach – one-off or systemic;
  3. evidence of a robust compliance framework in place to detect, rectify and report compliance breaches;
  4. commonly accepted practice within the relevant industry;
  5. regulatory, legislative or contractual requirements;
  6. impact on the decisions of the intended users and stakeholders of the entity; and
  7. specific terms of the compliance engagement.

Format of Reporting Requirements

90

If APRA has an approved form as specified under SPS 310, the auditor’s report must be in the approved form. APRA may under SPS 310 provide approved forms in relation to the reporting requirements under paragraphs 19, 21, 22 and 23 of SPS 310 as well as other requirements as the prudential regulator deems appropriate.

91

Refer to the apra.gov.au website (Superannuation/Reporting Framework) for the latest version of the Prudential Standard SPS 310 Audit and Related Matters – Audit Report Form. This form is reviewed and updated annually as required by APRA.

17

The concepts and discussions on evidence relevant to an audit engagement are contained in Auditing Standard ASA 500 Audit Evidence, and may be helpful in determining the evidence applicable to a compliance engagement.

18

See ASA 450 Evaluation of Misstatements Identified during the Audit, paragraphs 10 and 11.

19

The concepts and discussions on evidence relevant to an audit engagement are contained in Auditing Standard ASA 500 Audit Evidence, and may be helpful in determining the evidence applicable to a compliance engagement.