Report on Limited Assurance Requirements by the RSE Auditor

Includes: Reporting Requirements, Inherent Limitations of Limited Assurance, Limited Assurance on Information under APRA Annual Returns (ASRE 2405), Limited Assurance on Compliance (ASAE 3100 and ASAE 3000), Format of Reporting Requirements

Reporting Requirements

92

SPS 310 paragraph 19(b) states the auditor’s report at a minimum is required to provide:

  (a) limited assurance on:
    (i) the APRA Annual Returns under the FSCOD Act as outlined in Attachment B to SPS 310;
    (ii) the RSE licensee’s systems, procedures and internal controls that are designed to ensure that the RSE licensee has complied with all applicable prudential requirements, has provided reliable data to APRA as required under the reporting standards prepared under the FSCOD Act, and has operated effectively throughout the year of income;
    (iii) the RSE licensee’s compliance with its risk management framework[20]; and
    (iv) the RSE licensee’s compliance with its ORFR strategy.[21]

Inherent Limitations of Limited Assurance

93

As stated in ASAE 3000, the level of assurance obtained in a limited assurance engagement is lower than in a reasonable assurance engagement; the procedures the RSE auditor performs in a limited assurance engagement vary in nature and timing from, and are less in extent than for, a reasonable assurance engagement.

94

There are inherent limitations in any internal control structure. Furthermore, fraud, error or non-compliance with laws and regulations may occur and not be detected. As the systems, procedures and controls to ensure compliance with APRA Prudential Requirements are part of the RSE’s operations, it is possible that either the inherent limitations of the internal control structure, or weaknesses in it, impact on the effective operation of the RSE’s specific control procedures.

95

Projections of any evaluation of internal control procedures to future periods are subject to the risk that control procedures may become inadequate because of changes in conditions after the limited assurance report is signed, or that the degree of compliance may deteriorate.

Limited Assurance on Information under APRA Annual Returns (ASRE 2405)

96

In performing the limited assurance procedures to report on the APRA Annual Returns as specified in paragraph 92(a)(i) and reported under the Independent Auditor’s Limited Assurance Report on APRA Annual Returns and Compliance – Part 3(A) that incorporate historical financial information at a MySuper product level, the RSE auditor needs to consider the requirements in ASRE 2405.

97

The RSE auditor obtains evidence, as part of a systematic process directed by the risk assessment carried out during the planning phase of the engagement. The RSE auditor exercises professional judgement in determining the specific nature, timing and extent of limited assurance procedures to gather evidence on which to base the conclusion.

98

It is most likely the limited assurance procedures will include a review of specific controls aimed at ensuring the data in the APRA Annual Returns is reliable and prepared in accordance with APRA Prudential Standards and Reporting Standards. Limited assurance procedures may include analytical procedures, enquiry, limited testing of controls over the compilation of the APRA Annual Returns, limited testing of controls over the extraction of data from the underlying source systems and obtaining management representations.

99

If the RSE auditor has reason to believe that the historical financial information subject to limited assurance may be materially misstated, the RSE auditor shall carry out additional or more extensive procedures as are considered necessary to be able to express a limited assurance conclusion or to confirm that a modified report is required.

100

The RSE auditor shall evaluate, individually and in the aggregate, whether uncorrected misstatements that have come to the RSE auditor’s attention are material to the historical financial information.

Limited Assurance on Compliance (ASAE 3100 and ASAE 3000)

101

In performing the limited assurance engagement on the compliance requirements as specified in paragraph 92(a)(ii), (iii) and (iv) and reported in the Independent Auditor’s Limited Assurance Report on APRA Annual Return and Compliance – Part 3(B) Compliance – (A), (B), (C) and (D), the RSE auditor is required to consider the requirements in ASAE 3000 and ASAE 3100 and other applicable standards on assurance engagements.

Limited Assurance on Systems, Procedures and Internal Controls (ASAE 3000 and applicable standards on assurance engagements)

Obtaining Evidence Regarding Design of Systems, Procedures and Controls

102

The RSE auditor needs to determine which of the systems, procedures and controls at the RSE licensee are necessary to achieve the control objectives relating to compliance with all applicable prudential requirements, reliable data under the FSCOD Act and operating effectiveness throughout the period; whether those controls are presented in the RSE licensee’s description of its reporting system or identified by the RSE auditor; and whether those controls were suitably designed. This determination is likely to include:

  1. identifying the risks that threaten the achievement of the identified control objectives; and
  2. evaluating whether the controls as designed would be sufficient to mitigate those risks when operating effectively, in all material respects.

103

When evaluating the suitability of the design of a control, the RSE auditor considers the general understanding of the control activities as well as other components of control not within the scope of the engagement, such as knowledge of the control environment and information system, gained when planning the engagement. A deficiency in the control environment could undermine the effectiveness of controls, and this needs to be considered in assessing the suitability of the design of those controls.

Assessment of Design Deficiencies

104

Where the RSE auditor is unable to identify controls which are suitable or controls as designed are not suitable to achieve a control objective, if operating effectively, this may constitute a deficiency in relation to the suitability of design.

Obtaining Evidence of Operating Effectiveness of Controls

105

In a limited assurance engagement the nature, timing and extent of tests of operating effectiveness are usually limited to discussion with entity personnel and observation of the system in operation for deviations from the specified design. This may involve observation of, and enquiring about, the operation of the controls for a small number of transactions or events.

106

The RSE auditor applies professional judgement in determining the specific nature, timing and extent of procedures to be conducted in a limited assurance engagement, which will depend on the assessed risks of significant deficiencies in the operating effectiveness of controls. If the RSE auditor determines that additional assurance procedures are required to dispel or confirm a suspicion that a significant control deficiency exists, the performance of such additional procedures does not convert the engagement to a reasonable assurance engagement as they relate to the reduction of risk to an acceptable level with respect to that matter alone.

107

When designing and performing tests of controls, the RSE auditor considers whether:

  1. to perform other procedures in combination with enquiry to obtain evidence about:
    1. how the control was applied;
    2. the consistency with which the control was applied;
    3. by whom or by what means the control was applied; and
    4. the period of time over which the controls were applied; and
  2. the controls to be tested depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain evidence supporting the operating effectiveness of those indirect controls.

108

When determining the extent of tests of controls, the RSE auditor considers matters including the characteristics of the population to be tested, which includes the nature of controls, the frequency of their application (for example, monthly, daily, a number of times per day), and the expected rate of deviation. Some procedures operate continuously while others operate only at particular times, for example, year-end close-off procedures. The tests of operating effectiveness need to be performed over a period of time that is adequate to determine that the control procedures are operating effectively over the period of intended reliance.

109

Where control procedures have changed during the period subject to examination, the RSE auditor tests the operating effectiveness of both the superseded control(s) and the new control(s) and considers whether the new controls have been in place for a sufficient period to assess their effectiveness.

110

The RSE auditor generally adopts a ‘top down’ approach in gathering evidence, by making enquiries of key personnel, observing the RSE licensee’s operations, performing ‘walk through’ tests of controls, obtaining written representations and inspecting relevant documentation, as appropriate, in order to achieve the following:

  1. obtaining an understanding of the RSE licensee’s overall control environment and compliance framework.
  2. ascertaining whether the person(s) performing the control(s) possesses the necessary authority and competence to perform the control(s) effectively.
  3. identifying the internal compliance function(s) designed to ensure compliance with all applicable prudential requirements.
  4. identifying policies, procedures and controls designed to ensure compliance with all applicable Prudential Requirements, by reviewing documents such as the RSE licensee’s RMF, RMS and similar risk management policy documents issued by the RSE licensee in accordance with applicable prudential standards.
  5. identifying the processes used by the Board of the RSE licensee to support its Risk Management Declaration to APRA as outlined in SPS 220.
  6. identifying key Board and operational matters by reviewing the minutes of the RSE licensee’s Board, as well as minutes of any sub-committees responsible, for example, for oversight of compliance and audit, held during the year, and enquiring about matters discussed and outcomes from the RSE licensee’s Board decisions.
  7. identifying the internal compliance functions designed to oversee the provision of data to APRA in the RSE licensee’s APRA Annual Returns.
  8. identifying significant processes for the preparation of the RSE licensee’s APRA Annual Returns.
  9. identifying the key controls over these significant processes that are designed to ensure that reliable data is provided to APRA in the RSE licensee’s APRA Annual Returns.

The above is not an exhaustive list, nor is it intended to direct the RSE auditor as to the conclusion over the RSE licensee’s internal controls.

111

RSE licensees have different systems and procedures in place to monitor compliance with specific prudential standards. Financial projections and estimates are likely to be part of the monitoring process, as the preparation of a full financial report is unlikely to be practical on a day-by-day or week-by-week basis. Varying degrees of precision may therefore exist in applying the monitoring process. Notwithstanding these differences, such systems seek to ensure that the RSE licensee complies with all prudential standards on a continuous basis.

112

The way in which internal control is designed and implemented varies with an RSE licensee’s size and complexity. Smaller RSE licensees may use less formal means and simpler processes to achieve their control objectives.

113

The RSE auditor gathers evidence in response to assessed risks with a focus on identifying key controls within the control systems design. The RSE auditor exercises professional judgement in determining the specific nature, timing and extent of limited assurance procedures to obtain sufficient appropriate evidence to reach a limited assurance conclusion.

114

Interpretation of the word ‘reliable’ in the context of limited assurance on controls over the RSE licensee’s APRA Annual Returns has practical limitations in some circumstances. For many RSE licensees, it is only at the financial year-end (or, for RSE licensees that are disclosing entities, also at the half year-end) that all the necessary accounting adjustments, such as accruals, prepayments, provisioning and valuations, are prepared and subjected to audit or review.

115

The RSE auditor enquires about whether there were any changes in internal control, or other matters, subsequent to the financial year-end date and up to the date of the RSE auditor’s assurance report, that may have an impact on the RSE auditor’s conclusion about the effectiveness of internal controls, and obtains written representations from management relating to such matters.

Nature and Cause of Deviations in Operating Effectiveness

116

The RSE auditor investigates the nature and cause of any deviations from the design identified in the operation of the controls and determines whether:

  1. identified deviations are within the expected rate of deviation and are acceptable; therefore, the testing that has been performed provides an appropriate basis for concluding that the control is operating effectively throughout the specified period;
  2. additional testing of the control or of other controls is necessary to reach a conclusion on whether the controls relative to a particular control objective are operating effectively throughout the specified period; or
  3. the testing that has been performed provides an appropriate basis for concluding that the control did not operate effectively throughout the specified period.

Limited Assurance on RMF (SPS 220)

117

The objective of the RSE auditor’s limited assurance engagement on the RSE licensee’s compliance with its RMF is to ascertain whether the RSE licensee has complied substantially with the systems, structures, policies, processes and controls documented in the RMF, which are intended to identify, assess, manage, mitigate and monitor material risks that may affect the RSE licensee’s ability to meet its obligations to beneficiaries for the period covered by the engagement. There is no expectation that the RSE auditor expresses assurance on the adequacy of the specific controls of the RMF.

118

The RSE auditor’s limited assurance engagement on the compliance with the RMF may include the following procedures:

  • Obtaining an understanding of the RMF and the process to identify material risks.
  • Reviewing the RMF to determine at a high level whether it is broadly consistent with the minimum components outlined in SPS 220 and with the minimum material risk requirements as outlined in SPS 220.
  • Reviewing the evidence to support the RSE licensee’s maintenance of adequate financial, human and technical resources as outlined in SPS 220.
  • Reviewing the relevant risk appetite statement and RMS to confirm that they are up to date and approved by the RSE licensee Board.
  • Reviewing the processes (including monitoring and reporting procedures) the RSE licensee has in place to ensure ongoing compliance with the RMF and RMS. Reference to work performed on the RSE licensee’s systems, procedures and controls to ensure compliance with prudential requirements may be useful in this circumstance.
  • Reviewing the evidence supporting the RSE licensee’s attestation in the Risk Management Declaration in relation to compliance with the RMF and RMS.

119

The RSE auditor may consider the measures in place which relate to the RSE licensee’s monitoring of, and reporting on, specific matters incorporated into the RMF. Such a review may include the following matters:

  • Whether breaches of the RMF have been detected and reported by the monitoring systems. When breaches have been detected, whether such breaches are significant either in themselves or, when they are of a recurring nature and have not been rectified, whether their cumulative effect renders them a significant non-compliance matter.
  • Identifying the systems the RSE licensee uses to ensure that business units and staff comply with the measures in the RMF on a day-to-day basis.

120

As part of the limited assurance engagement on compliance with the RMF, the RSE auditor may seek the following types of information and documentation:

  • Copies of the RMF documents that set out the RSE licensee’s RMF during the period.
  • Details of changes to the RMF and the RMS and related policies and procedures and the reasons for the revisions.
  • Copies of the risk appetite statement and RMS that applied during the period covered by the engagement.
  • Copies of the comprehensive review report of the RMF performed at least every three years by an operationally independent competent person.
  • Copies of the RSE licensee’s attestation in the Risk Management Declaration in relation to compliance with the RMF and RMS and any supporting evidence.
  • Documentation that identifies and describes the systems, policies, procedures and structures that are in place to manage identified risks and representations that such systems, policies, procedures and structures have been complied with during the period.
  • Minutes of the meetings of TCWG and sub-committees responsible for monitoring compliance with aspects of the RMF and the RMS.
  • Internal and external incident and breach reports, breach and complaints registers and follow-up action taken, to the extent that recorded items may indicate a failure to comply with the RMF and the RMS.
  • Internal audit reports.
  • Certifications made by the RSE licensee and relevant supporting documentation to substantiate compliance with the RMF and the RMS during the reporting period.
  • Other supporting evidence to confirm that the controls identified in the RMF and the RMS have been in place during the reporting period.

The above is not meant to represent an exhaustive list and there may be other evidence that is relevant to the specific circumstances of each RSE licensee.

121

There are practical limitations in requiring the RSE auditor to express a conclusion as to the RSE licensee’s compliance at all times with the RMF during the engagement period. However, the RSE auditor performs limited assurance procedures to the extent that the RSE auditor considers appropriate in order to obtain sufficient appropriate evidence as to the RSE licensee’s compliance with the written descriptions within the RMF and the RMS throughout the period covered by the engagement.

122

While the RSE auditor is not expected to review the adequacy of the RMF and the RMS, during the course of the limited assurance engagement the RSE auditor may become aware of significant deficiencies in the RMF and the RMS which they report to an appropriate level of the RSE licensee’s management.

Limited Assurance on Operational Risk Financial Requirement (ORFR) Strategy (SPS 114)

123

The objective of the RSE auditor’s limited assurance engagement on the RSE licensee’s ORFR strategy is to ascertain whether the RSE licensee has complied with the policies, procedures and strategy contained within the ORFR strategy. There is no expectation that the RSE auditor expresses assurance on the adequacy of the specific contents of the ORFR strategy.

124

The RSE auditor’s limited assurance engagement on the compliance with the ORFR strategy may include the following procedures:

  • Reviewing the ORFR strategy to determine at a high level whether it is broadly consistent with the minimum components as outlined in SPS 114.
  • Obtaining an understanding of the ORFR target amount and the process to identify operational risks within the RSE licensee’s business operations.
  • Reviewing the documented strategy that sets out the RSE licensee’s approach to determining, implementing, managing, monitoring and maintaining the ORFR target amount and in turn observing adherence to this approach. Reference to work already performed on the RSE licensee’s compliance with maintaining an operational risk reserve at the required target amount in accordance with its ORFR strategy may be useful in this circumstance.
  • Reviewing the policies, procedures and controls in place to manage the financial resources held to meet the ORFR target amount and to ensure it remains at an appropriate level and is invested and deployed in accordance with the documented strategy.
  • Reviewing the evidence supporting the RSE licensee’s attestation in the Risk Management Declaration in relation to compliance with all prudential requirements.

125

As part of the limited assurance engagement on compliance with the ORFR strategy, the RSE auditor may seek the following types of information and documentation:

  • Copies of the ORFR strategy document that applied during the period covered by the engagement.
  • Details of changes to the ORFR strategy and related policies and procedures and the reasons for the revisions.
  • Minutes of the meetings of TCWG and sub-committees responsible for monitoring compliance with the ORFR strategy.
  • Internal and external breach reports, breach registers and follow-up action taken, to the extent that recorded items may indicate a failure to comply with the ORFR strategy target amount and the need to implement a replenishment plan.
  • Copies of the RSE licensee’s attestation in the Risk Management Declaration in relation to compliance with all prudential requirements and any supporting evidence.

The above is not meant to represent an exhaustive list and there may be other evidence that is relevant to the specific circumstances of each RSE licensee.

126

While the RSE auditor is not expected to review the adequacy of the ORFR (or target amount), during the course of the limited assurance engagement the RSE auditor may become aware of significant deficiencies in the ORFR target amount or policies, procedures and controls over the ORFR strategy which they report to an appropriate level of the RSE licensee’s management.

Format of Reporting Requirements

127

If APRA has an approved form as specified under SPS 310, the RSE auditor’s limited assurance report must be in the approved form. APRA may under SPS 310 provide approved forms in relation to the reporting requirements under paragraphs 19, 21, 22 and 23 of SPS 310 as well as other requirements as the prudential regulator deems appropriate.

128

Refer to apra.gov.au website (Superannuation/Reporting Framework) for the latest version of the Prudential Standard SPS 310 Audit and Related Matters – Audit Report Form. This form is reviewed and updated annually as required by APRA.

20

Refer to Prudential Standard SPS 220 Risk Management for the requirement for the RSE licensee to have a risk management framework.

21

Refer to Prudential Standard SPS 114 Operational Risk Financial Requirement for the requirement for the RSE licensee to have an ORFR strategy.