ASIC form FS70 is completed and lodged by the Licensee. The auditor does not have any reporting requirements in relation to FS70. The auditor inserts the date the FS70 was signed by the Licensee in Section 2 of FS71. In section 2 of FS71, the auditor confirms that the auditor’s report was prepared for the licensee, in order for the licensee to meet their obligation to lodge it with ASIC, in accordance with section 989B(3) of the Act. Section 2 of FS71 also requires the auditor to confirm whether the auditor’s report was qualified, otherwise modified or unmodified.

Section 990B(1) of the Act and regulation 7.8.16(1)(a) of the Regulations, requires the Licensee to ensure that at all times a registered company auditor who is not made ineligible through regulation 7.8.16 of the Regulations is engaged to audit the Licensee’s financial report.

The auditor complies with the requirements contained in ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450 when agreeing on the terms of the Licensee’s assurance engagement in writing. Such terms may be outlined in an engagement letter,^[16]an example of which is provided in Appendix 1 to this Guidance Statement. ASA 210^[17] contains information that the auditor may find helpful when agreeing on the terms of the engagement in this context.

The auditor may also use the engagement letter to clarify the respective roles of the Licensee and the auditor. In particular, it is important to highlight in the engagement letter the Licensee’s obligation to establish and maintain effective internal control in relation to compliance with the requirements of the Act. It is the responsibility of the Licensee to comply with all the conditions under its AFSL, including all of the financial requirements. As part of the acceptance of the assurance engagement, the auditor may consider obtaining acknowledgment of this obligation from those charged with governance of the Licensee when obtaining agreement on the terms of the engagement.

The auditor plans the engagement in accordance with ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450. In planning the auditor performs preliminary engagement activities to establish and document the overall assurance engagement strategy that sets the scope, timing and direction of the engagement, and guides the development of the engagement.

ASA 315^[18] contains information that the auditor may find helpful when obtaining an understanding of the entity and its environment, including its internal controls, to provide a basis for the identification and assessment of the risks of material misstatement in relation to financial requirements, compliance with the conditions of the Licensee’s AFSL and the requirements of Part 7.8 of the Act and operating effectiveness of controls whether due to fraud or error, sufficient to design and perform further audit procedures.

Understanding the Entity and its Environment

In gaining an understanding of the entity and its environment, the auditor can draw on knowledge gained as part of the annual financial statement audit, however this understanding needs to be updated and broadened to address the subject matters included in an engagement on AFSLs issued under the Act.

1. ASAE 3100^[19] provides a list of matters to be considered by the auditor in understanding the entity and the compliance framework with respect to the compliance section of the engagement;
2. ASAE 3150 provides a list of matters to be considered by the auditor in understanding the entity with respect to the controls section of the engagement; and
3. ASAE 3450 provides a list of matters to be considered by the auditor in understanding the entity with respect to projections and the cash requirements section of the engagement.

In planning the reasonable assurance sections of the engagement, the auditor will usually conduct the following procedures in obtaining that increased understanding and assessing risk: enquiries, analytical procedures, observation, inspection and reperformance.

For the limited assurance sections of the engagement the auditor does not normally develop the depth of understanding of internal controls in relation to those areas, as is required in a reasonable assurance engagement, and gaining an understanding may be limited to enquiries.

Identifying and Assessing Risks of Material Misstatements, Compliance Breaches or Control Deficiencies

The auditor of the Licensee may consider:

1. Key responsibilities and risks identified by the Licensee;
2. Reliability and processes of reporting systems established by the Licensee to implement the licence conditions; and
3. Adequacy of processes and systems established by the Licensee to monitor adherence to the licence conditions and the Act requirements. The auditor may obtain from management a copy of the licence conditions, together with any documentation of the procedures and processes which the Licensee has established to ensure compliance with those licence conditions.

In planning the assurance engagement and in assessing risk, the auditor considers matters including:

• The licence conditions.
• The nature and extent of any recent changes to the licence conditions and whether any detected breaches are deemed to be reportable in light of the revised licence conditions.
• The nature of and extent of any changes to the operations of the Licensee itself.
• Changes since the last reporting period to:
  1. the requirements of relevant AUASB Standards;
  2. the Act and Regulations; and
  3. relevant ASIC Regulatory Guides, Class Orders and Legislative Instruments.
• Reports and other documents submitted to the board of the Licensee regarding the operation of the licence and its compliance functions.
• Previous auditor’s reports, including the auditor’s report on the financial report of the Licensee, and related management letters.
• History of non-compliance with licence conditions.

Overall Responses to Assessed Risks of Material Misstatement in Financial Requirements, AFSL Compliance Breaches and Deficiencies in Controls

The auditor designs and performs further assurance procedures which are responsive to the assessed risks of material misstatement, material compliance breach or deficiency in controls. In obtaining reasonable assurance, the auditor chooses a combination of assurance procedures, which may include: inspection, observation, confirmation, recalculation, reperformance, analytical procedures and enquiry.

ASAE 3000 clearly differentiates between the objectives of a limited versus a reasonable assurance engagement and provides detail around the sufficiency of audit evidence on which to base conclusions. The nature, timing and extent of evidence gathering procedures which are conducted in any given circumstance is a matter of professional judgement and is determined in response to the auditor’s determination of materiality, risk assessment and the results of the procedures conducted in response to assessed risks. As the level of assurance obtained in a limited assurance engagement is lower than in a reasonable assurance engagement, the procedures the auditor will perform will vary in nature from and will be less in extent than for a reasonable assurance engagement. In a limited assurance engagement procedures primarily involve enquiries and substantive analytical procedures and may not include tests of controls (except where the subject matter is controls).

Although procedures in a limited assurance engagement will be more limited in nature, timing and extent than for a reasonable assurance engagement, ASAE 3000, ASAE 3100 and ASAE 3150 require additional procedures to be conducted if the auditor becomes aware of a matter which causes them to believe the subject matter may be materially misstated or there may be material compliance breaches or control deficiencies. The auditor may conduct procedures more akin to a reasonable assurance engagement on this particular matter in order to satisfy themselves that either the subject matter is not materially misstated, it is materially compliant or the controls are operating effectively, in all material respects.

In a reasonable assurance engagement, procedures may include tests of controls as well as substantive testing.  When conducting a reasonable assurance engagement, if the auditor is able to obtain evidence that the controls they wish to rely on are operating effectively, then the nature, timing and extent of substantive testing may be reduced or modified. If reliance is to be placed on the operating effectiveness of controls throughout the period, then testing will need to cover that period. Alternatively, if the identified controls are not operating effectively, then the nature, timing or extent of substantive testings will need to be increased or modified.

The auditor considers materiality when determining the nature, timing and extent of assurance procedures. The objectives of setting materiality are to establish:

1. A tolerable level of misstatement in relation to financial requirements, deficiency in controls, or non-compliance with AFSL conditions;
2. The scope of assurance work to be performed; and
3. A reasonable basis for evaluating identified misstatements, deficiencies, or non-compliance.

Materiality is addressed in the context of the Licensee’s auditor’s objectives, which are developed having regard to the reasonable expectations of issues that would likely influence the decisions of the user(s).

The auditor sets materiality in accordance with ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450. ASA 320^[20] contains information that the auditor may find helpful in this context. In considering materiality the auditor exercises professional judgement having regard to the Licensee’s obligations, together with the size, complexity and nature of the Licensee’s activities. The auditor develops separate materiality levels for each section of the engagement as follows:

1. For the compliance sections of the engagement, materiality is set in accordance with requirements in ASAE 3000 and ASAE 3100;
2. For the controls sections on of the engagement, materiality is in accordance with requirements in ASAE 3150; and
3. For projections under the cash needs requirements, materiality is set in accordance with requirements in ASAE 3450.

As identified in ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450, when assessing materiality, the auditor considers qualitative factors as well as quantitative factors.

Materiality is determined in the same way whether the engagement is a reasonable or limited assurance engagement. The difference between reasonable and limited assurance engagements lies in the nature, timing and extent of evidence gathering procedures, which will differ in order to reduce the risk of a material misstatement, compliance breach or control deficiency remaining undetected to an acceptably low level, in the case of a reasonable assurance engagement, or to a limited level, in the case of a limited assurance engagement. The risk of material misstatements, compliance breaches or control deficiency in a limited assurance engagement is not reduced to the same extent as in a reasonable assurance engagement, because of the more limited nature, timing and extent of procedures conducted. In a limited assurance engagement, the auditor seeks to obtain a meaningful level of assurance, which is likely to enhance the intended users’ confidence about the subject matter to a degree that is clearly more than inconsequential.

When determining materiality, the auditor considers ASIC Regulatory Guide RG 34 Auditor’s obligations: Reporting to ASIC that contains information on the obligations of an auditor of a Licensee in terms of breach reporting and ASIC Regulatory Guide RG 78 Breach reporting by AFS licensees and credit licensees that contains information on Licensees breach reporting obligations.

Although there is a greater risk that misstatements, control deficiencies or noncompliance may not be detected in a limited assurance engagement than a reasonable assurance engagement, the judgement as to what is material is made by reference to the subject matter on which the auditor is reporting and the needs of those relying on that information, as opposed to the level of assurance obtained.

Other Immaterial Matters Requiring Reporting to ASIC

An auditor may have concluded that it is appropriate to issue an unmodified opinion or conclusion but during the course of the engagement may have identified non-material matters. The auditor is not expected to modify their audit approach to detect such matters, however non-material matters that may come to the auditor’s attention as a result of their audit procedures in relation to:

• Report on internal controls and required accounts (section 2, FS71)
  • Specified internal controls not being effective; or
  • Required accounts not being operated or controlled as required; and/or
• Report on records, information and explanations (section 2, FS71)
  • Necessary records, information and explanations not received from the licensee; and/or
• Licensee not compliant with matters referred to in the auditor’s opinions included in sections 4-10 of FS71 including:
  • Compliance with financial or other conditions of the licence;
  • Compliance with requirements of the Act;
  • Whether the licensee had the required cash flow projections;
  • Whether the projections were correctly calculated;
  • Whether the basis of assumptions used was unreasonable;
  • Whether the licensee had adequate RMSs

These non-material matters are included in section 11 of FS71 unless they have already been reported to ASIC under section 990K of the Act or have been included elsewhere in FS71.