The auditor completes the Application Statements in section 1 of FS71. The Application Statements confirm the basis of the auditor’s completion of the FS71.

Section 2 of FS71 requires the auditor to confirm whether an auditor’s report on the financial statements was prepared separately to the FS71, and attached to the financial report lodged with the FS70, in order for the licensee to meet their obligation under section 989B(3) of the Act. In addition, the auditor confirms whether the report was qualified, otherwise modified or unmodified.

Section 2 of the FS71 audit report requires reasonable assurance on the control environment to achieve compliance with the requirements of Divisions 2, 3, 4, 4A, 5 and 6 of Part 7.8 of the Act and Division 7 of Part 7.8 other than section 991A. These provisions include:

• Dealing with clients’ money.
• Dealing with other property of clients.
• Special provisions relating to insurance.
• Obligations to report.
• Financial records, statements and audit.
• Other rules about conduct (i.e. giving priority to client orders, transmission of instructions through licensed markets, maintaining records of instruction, dealing with non licensees and employees).

Planning Assurance on Controls

In assessing the control environment, the auditor needs to determine which of the controls at the Licensee are necessary to achieve compliance with Divisions 2, 3, 4, 4A, 5 and 6 of Part 7.8 of the Act; and Division 7 of Part 7.8 of the Act (other than section 991A).

Where the auditor is unable to identify controls which are suitable or controls as designed are not suitable to achieve compliance with each requirement, if operating effectively, this may constitute a deficiency in relation to the suitability of design which would result in the controls being ineffective.

The auditor assesses the risk of the controls necessary to achieve the compliance requirements not operating effectively and uses professional judgement in determining the specific nature, timing and extent of procedures to be conducted.

Obtaining Evidence on Controls

Controls to achieve compliance with Division 2 of Part 7.8 subdivision A of the Act relating to handling of client money need to ensure:

• Client money is identified.
• An approved trust account is established for client money.
• Client money is paid into the trust account within one business day.
• Money is only withdrawn from the trust account in accordance with regulation 7.8.02 of the Regulations.
• Client and Licensee money is properly separated in accordance with regulation 7.8.01 of the Regulations.
• Interest on client money is treated in accordance with requirements.
• Surplus liquid funds requirements are met if client money is held.
• Appropriate processes for regularly reconciling the balances in the approved trust account. 

The auditor establishes whether the Licensee has controls to identify client money received to ensure a trust account is appropriately established. The auditor performs procedures to determine whether the Licensee has designed controls that are suitable to meet the relevant requirements and then tests that those controls have operated effectively throughout the period.

Controls to achieve compliance with Division 2 of Part 7.8 subdivision B of the Act relating to monies paid to a Licensee by way of a loan from a client, need to ensure:

• Loans from clients are appropriately identified.
• An approved trust account is established.
• Money borrowed is paid into the trust account within 1 business day.
• The terms and conditions of use of the loan and the purpose for which funds will be used is given to the client in a statement.
• Funds are only used for the specified purpose outlined in the terms and conditions or subsequently agreed to in writing.

The auditor establishes whether the Licensee has controls in place to identify when the Licensee has received a loan from a client to ensure a trust account is appropriately established. The auditor performs procedures to determine whether the Licensee has designed controls suitable to meet the relevant requirements; and then designs procedures to test that those controls have operated effectively throughout the period.

Controls to achieve compliance with Division 3 of Part 7.8 of the Act relating to the handling of property other than money given to the Licensee, need to ensure:

• Client property is identified.
• Deposits or registration of client property is in accordance with the requirements.
• Property is held as security only in permitted circumstances.
• Secured property is returned to the client within one business day of the client settling their obligation to the Licensee.
• Clients are provided with statements of property held as security every three months.

The auditor establishes whether the Licensee handles client property. The auditor determines whether the Licensee has designed controls suitable to meet the requirements relating to client property and then designs procedures to test that those controls have operated effectively throughout the period.

Controls to achieve compliance with Division 4 of Part 7.8 of the Act relating to the receipt of client monies by Licensees who are insurance brokers and agents of general and/or life insurance contracts, but not the actual insurer, need to ensure:

• Client insurance money is identified.
• Insurance money is paid over to the insurer in accordance with the requirements

The auditor determines whether the Licensee has designed suitable controls for handling client monies in accordance with the requirements and designs procedures to test that those controls are operating effectively throughout the period.

No controls are required to achieve compliance with Division 5 of Part 7.8 of the Act which makes provision for the regulations to impose reporting requirements in relation to money to which Division 2 or 3 applies, or to a Licensee dealing in derivatives, as currently, there are no regulations relating to this Division.

Division 6 of Part 7.8 of the Act relates to financial records, statements and audit. The auditor determines whether the Licensee has suitable controls to meet the relevant requirements and then designs procedures to test that these controls are operating effectively throughout the period.

Division 7 of Part 7.8 of the Act (other than section 991A) relates to other rules about conduct in licensed markets. The auditor considers firstly whether the legislation is applicable to the Licensee. If the legislation is applicable, the auditor determines whether the Licensee has suitable controls to meet the relevant requirements and then designs procedures to test that these controls are operating effectively throughout the period.

The FS71 audit report requires a combination of reasonable assurance opinions and limited assurance conclusions on the Licensee’s compliance with prescribed financial requirements and other relevant legislation. The auditor identifies the relevant financial requirements by referring to the licence conditions.

Audit evidence for the matters requiring reasonable assurance may be gathered through a combination of enquiry and observation, tests of controls, substantive testing and representations from management. Audit evidence for the matters requiring limited assurance may be limited to enquiries. The amount of evidence from each source is a matter for the auditor’s professional judgement. The nature and extent of procedures will be based on the complexity of the Licensee, nature of their business, risk assessment and level of assurance required. When auditing compliance with the Licensee’s financial requirements throughout the period, it is important for the auditor to:

1. understand how the Licensee derives their calculations, so the auditor can conclude as to whether this method is in accordance with the requirements;
2. ascertain whether all the calculations prepared during the period demonstrate a compliant position; and
3. test a sample of calculations for accuracy based on underlying financial information.

Cash Needs Requirement – Assurance Considerations

ASIC requires reasonable assurance and limited assurance on the entity’s compliance with the Licensee’s financial requirements throughout the year, not just at year-end. Hence, evidence-gathering procedures will need to include an understanding of the processes adopted by the Licensee to confirm compliance throughout the year, such as formal policies, monthly calculations, use of standard calculation templates and monitoring by the Licensee’s board or appropriate delegate. The auditor considers testing to be performed on a sample basis depending on the assessment of effectiveness of controls. The auditor applies the requirements of ASAE 3450 when obtaining assurance over projections.

If the Licensee has adopted Option 1 for the cash needs requirement or is subject to a tailored cash needs requirement, the auditor considers compliance throughout the period with the cash holding requirement in Part (e) of the Option 1 definition, or with the cash holding requirement per the applicable ASIC Class Order (CO 12/752, CO 13/760 or CO 13/761).

The auditor considers obtaining the cash flow projections throughout the relevant period and determines whether the cash flow projections are either:

1. a projection of the Licensee’s cash flows over at least the next three months based on the Licensee’s reasonable estimate of what is likely to happen over this term (Option 1);
2. a projection of the Licensee’s cash flows over at least the next three months based on the Licensee’s estimate of what would happen if the Licensee’s ability to meet its liabilities over the projected term (including any liabilities the Licensee might incur during the term of the projection) is adversely affected by commercial contingencies taking into account all contingencies that are sufficiently likely for a reasonable Licensee to plan how they might manage them (Option 2); or
3. a projection of the Licensee’s cash flows over at least the next 12 months based on the Licensee’s reasonable estimate over what is likely to happen over this term and is approved at least quarterly by those charged with governance (tailored cash needs requirements).

The auditor considers establishing how often and when the cash flow projection is updated to ensure it continuously covers at least the next three months (or 12 months for tailored cash needs requirement).

The auditor obtains the Licensee’s documented assumptions used to prepare the cash flow projections and checks whether the assumptions have been correctly applied in preparing the projections. This may include ensuring that the documented assumptions on the timing of cash flows have been correctly applied to budgeted revenues, expenses and capital expenditure.

Based on the cash flow projections already obtained, the auditor considers whether there is evidence that the cash flow assumptions are not appropriately documented or that the projections do not demonstrate that the Licensee had access as needed to sufficient financial resources at all times in compliance with paragraphs (b) and (d) of either the Option 1 or Option 2 definitions or paragraphs 3(c) or 3(e)(i) of the tailored cash needs requirements of ASIC Class Orders CO 12/752, 13/760 or 13/761 throughout the period. The auditor considers whether the documentation is sufficient to enable the auditor to ascertain whether the assumptions have been correctly applied in preparing the projections. This may involve reviewing the documentation of budget assumptions if the cash flow documentation does not stand alone. The auditor may consider the use of specialists in this area.

Based on reviewing the assumptions in line with the auditor’s knowledge of the business and on enquiries of management, the auditor considers whether there is evidence that the assumptions used are unreasonable. This may involve obtaining an understanding of the Licensee’s budgeting process if budgets are used to prepare the cash flow projections or considering the historical accuracy of the assumptions in predicting actual cash flows.

If the licensee relies on Option 2, the auditor reviews the reasonableness of the assumptions based on the auditor’s knowledge of the business and on enquiries of management.

Under Option 3, where the Licensee does not prepare a cash flow projection, but instead relies on a financial commitment from an Australian ADI, or comparable foreign institution, (under licence condition 13(c)(iii)) the audit report is required to contain a statement about whether the licensee has obtained an enforceable and unqualified commitment to pay on demand from time to time an unlimited amount to the licensee, or the amount for which the licensee is liable to its creditors at the time of demand to the licensee’s creditors or a trustee for the licensee’s creditors.

Where the Licensee is a subsidiary of an Australian ADI or ASICapproved prudentially regulated body that does not prepare cash flow projections, on the basis of its expectation concerning the adequacy of resources (under licence condition 13(c)(iv)), the audit report is required to contain a statement about whether the auditor has any reason to believe that the basis for selecting the assumptions documented by the Licensee in forming the expectation is unreasonable.

Where the Licensee uses group cash flow projections to meet the cash needs requirement, on the basis of alternative A (under licence condition 13(c)(v)), the auditor is required to include an audit opinion on whether the parent entity has provided an enforceable and unqualified commitment to pay on demand an unlimited amount to the Licensee, or to meet the Licensee’s liabilities (including any additional liabilities that the Licensee might incur while the commitment applies).

In addition, when relying on the Group cash flow projections under licence condition 13(c)(v), the licensee auditor considers the requirement for the parent entity auditor to provide a separate opinion modelled on the Option 1 or 2 audit requirement and that this auditor’s report is required to be submitted at the same time as the FS71 opinion (under licence condition 13(c)(v)(D)).

Where the Licensee relies on alternative B (under licence condition 13(d)(v)), the auditor’s report is required to contain a statement about whether the auditor has any reason to believe that the documented basis for selecting the assumptions, on which the Licensee’s expectation concerning the adequacy of the resources required under alternative B, is unreasonable.

FS71 requires limited assurance on risk management systems (RMS) to ensure ongoing compliance with financial requirements. Section 912A(1)(h) of the Act requires the Licensee to have adequate RMS. To satisfy this obligation, ASIC expects that the RMS will specifically deal with the risk that the Licensee’s financial resources will not be adequate to ensure that they are able to carry on their business in compliance with their licence obligations. RMS are a form of control and accordingly the requirements of ASAE 3150 are applied in obtaining assurance over these systems.

Assurance Considerations

ASAE 3150 requires the auditor to perform procedures to determine whether the Licensee has designed controls that are suitable to meet the requirements of section 912A(1)(h) in that they comprise adequate RMS and then designs procedures to test that these controls have operated effectively throughout the period. Having regard to the risk of inadequate financial resources, these procedures may include:

• Obtaining an understanding of the RMS and the process to identify material risks;
• Consideration as to whether a formal documented RMS exists, although the formality and extent of the processes required will depend on the size, nature and complexity of the business; and
• Obtaining periodic calculations of compliance with financial requirements, and consideration of processes that may exist to identify and address matters that may arise between these periodic calculations that have the potential to cause non compliance with the financial requirements, although the extent of these processes will depend on how much of a buffer the Licensee has above the requirements and the sensitivity of these buffers to fluctuations in the performance and financial position of the Licensee.

As the auditor’s conclusion is on the RMS as a whole, there is no expectation that the auditor expresses assurance conclusions on the adequacy of the specific controls of the RMS.

As part of the limited assurance procedures, the auditor may seek the following types of information and documentation:

• Copies of the RMS documents that set out the Licensee’s RMS during the period.
• Documentation that identifies and describes the systems, policies and procedures that are in place to manage identified risks.
• Management representations of compliance with identified systems, policies, procedures and structures.
• Minutes of the meetings of those responsible for monitoring compliance with aspects of the RMS.
• Internal audit reports (if applicable).
• Certifications, if made by the Licensee, and relevant supporting documentation to substantiate compliance with the RMS during the reporting period.
• Other supporting evidence to confirm that the controls identified in the RMS have been in place during the reporting period.

The above is not meant to represent an exhaustive list and there may be other evidence that is relevant to the specific circumstances of each Licensee.

FS71 requires a statement about any matter referred to in section 990K(2) of the Act and covers the financial reporting period and up until the date the FS71 auditor’s report is signed. This section 990K(2) statement only deals with those matters that have not already been reported by the auditor as required under section 990K(1). Given the 7 day reporting time frame under section 990K, it is likely that for most matters, the auditor would not wait until they lodge FS71 to report matters to ASIC. The section 990K(2) statement is not part of the opinion section in FS71.

Reporting of section 990K matters is not required under section 13 of FS71 if the matter:

• Has already been reported separately by the auditor to ASIC;
• Is included in section 2-10 of FS71 as a basis for a modified opinion/conclusion;
• Is included in section 11 of FS71 as a non-material matter.

Section 990K(2) requires a report to be given in relation to any matter that, in the opinion of the auditor:

1. has adversely affected, is adversely affecting or may adversely affect the ability of the Licensee to meet the Licensee’s obligations as a Licensee; or
2. constitutes or may constitute a contravention of:
   1. a provision of Subdivision A or B of Division 2 of the Act (or a provision of regulations made for the purposes of such a provision);
   2. a provision of Division 3 of the Act (or a provision of regulations made for the purposes of such a provision);
   3. a condition of the Licensee’s licence; or
3. constitutes an attempt to unduly influence, coerce, manipulate or mislead the auditor in the conduct of the audit.

Assurance Considerations

If the auditor becomes aware of the matters under section 990K(2) during the course of the audit of the financial report, performing work on FS71 or undertaking other audit work (e.g. Managed Investment Scheme compliance plan audits), they have an obligation to report on them. If the auditor becomes aware of a section 990K(2) matter that is outside the Act sections subject to the engagement, the auditor is required to report on these section 990K(2) matters but has no obligation to conduct procedures specifically to identify those matters.

Apart from the requirement to report section 990K(2) breaches in FS71, section 990K(1) requires auditors to report such breaches to ASIC (and the Licensee and any relevant market or clearing authority e.g. ASX for stockbrokers) within 7 days of becoming aware of the matter. Auditors consider this obligation at all times of the year, but particularly during the planning, interim and final stages of their audits. The Licensee is required to report all ‘reportable situations^[21]’ including deemed significant matters (breaches or likely breaches that are significant) as soon as practicable and within 30 days of becoming aware there are reasonable grounds to believe a reportable situation has arisen as required by section 912DAA. The auditor is expected to report breaches even if the Licensee has already reported same.

There is a potential conflict between the auditor’s obligation to report any breaches^[22] and the Licensee’s obligation to report all ‘reportable situations’ to ASIC. An opinion or conclusion is not provided on the 990K statement in the FS71. The auditor separately considers whether a matter reported in the statement also impacts the audit opinion within the FS71 report.

As the section 990K(2) statement specifically covers both the financial year and the period between the end of the financial year and the date of signing the FS71 auditor’s report (unlike the other reporting requirements in FS71), the auditor is obliged to formally consider the existence of relevant matters up to the date of signing the report. To determine the existence of such matters, the auditor considers matters including:

• Reading minutes of the meetings of those charged with governance, and compliance, audit and executive committees, held after the reporting date, and enquiring about matters discussed at meetings for which minutes are not yet available.
• Obtaining copies of all correspondence with ASIC and any other relevant regulators up to the date of signing.
• Enquiring of management as to whether any subsequent events have occurred which might represent matters referred to under section 990K(2).

Due to the nature of audit testing and other inherent limitations of an audit, together with the inherent limitations of the Licensee and its related licence conditions, there is a possibility that a properly planned and executed audit will not detect all breaches of the Licensee’s licence conditions. Accordingly, the audit conclusion under section 989B(3) of the Act is expressed in terms of reasonable or limited assurance (as appropriate) and cannot constitute a guarantee that all compliance breaches have been detected.

There are also practical limitations in requiring an auditor to perform a continuous examination of the Licensee and form an opinion or conclusion that the entity has complied at all times with the Act during the period covered by the auditor’s report. However, the auditor performs tests periodically throughout the financial year to obtain evidence and obtain reasonable assurance that the compliance measures complied with the written descriptions and were adequate throughout the period under examination.

Prior to issuing the FS71 audit report, the auditor considers obtaining a written representation from the directors of the Licensee which includes their assertions that the Licensee has complied with the licence conditions during the financial year and up to the date the FS71 audit report is signed, and that the Licensee continues to meet the requirements of Part 7.8 of the Act. In obtaining and using these written representations, the auditor complies with the requirements of, as appropriate, ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450. An example management representation letter is contained in Appendix 2.

The FS71 audit report is an ASIC prescribed form and can be found on the ASIC website www.asic.gov.au. ASIC requires form FS71 to be lodged in the prescribed form and that no modifications or deletions are made, unless consented to by ASIC.

It is important to check the ASIC website to ensure that the latest version of FS71 is adopted.

Under ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450 the auditor communicates relevant matters of governance interest arising from the engagement to those charged with governance on a timely basis. In addition, Auditing Standards ASA 260^[23] and ASA 265^[24] contains information that the auditor may find useful when communicating with those charged with governance. Examples of such matters may include:

• The general approach and overall scope of the engagement, or any additional requirements.
• Fraud or information that indicates that fraud may exist.
• Significant deficiencies in internal controls identified during the engagement. A significant deficiency in internal controls means a deficiency or combination of deficiencies in internal controls that, in the auditor’s professional judgement is of sufficient importance to merit the attention of those charged with governance.
• Disagreements with management about matters that, individually or in aggregate, could be significant to the engagement.
• Compliance breaches.
• Expected modifications to the auditor’s report.

The auditor informs those charged with governance of the Licensee of any uncorrected misstatements/non-compliance , other than those which are clearly trivial, aggregated by the auditor during and pertaining to the engagement that were considered to be immaterial, both individually and in the aggregate, to the assurance engagement.