GS 003

This Guidance Statement (GS) has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to auditors conducting assurance engagements relating to Australian financial services licensees (Licensees) reporting in accordance with the requirements of Chapter 7 of the Corporations Act 2001 (the Act) and the associated Corporations Regulations 2001 (the Regulations).

This Guidance Statement is issued on 6 September 2022 by the AUASB and replaces GS 003 Audit and Review Requirements for Australian Financial Services Licensees under the Corporations Act 2001, issued in September 2015.

In order to provide financial services in Australia, a person or entity is required by the Act to either hold an Australian Financial Services Licence (AFSL) (a Licensee) or be an authorised representative of the AFSL holder. The Australian Securities and Investments Commission (ASIC) has responsibility for assessing and granting AFSLs on the basis of criteria set out in the Act^[1]. In addition, ASIC enforces financial and assurance requirements for Licensees to meet their obligations under the Act.

The assurance requirements relating to Licensees may give rise to a number of special assurance considerations. Accordingly, this Guidance Statement has been developed to identify, clarify and summarise the responsibilities which the auditor has with respect to conducting such assurance engagements, and to provide guidance to the auditor on additional factors which the auditor may consider when planning, conducting and reporting in relation to the assurance engagements of Licensees.

This Guidance Statement does not extend the responsibilities of the auditor beyond those which are imposed by Auditing Standards, Standards on Assurance Engagements (ASAEs), the requirements of the Act and the Regulations, applicable ASIC regulatory documents, class orders and legislative instruments.

This Guidance Statement is to be read in conjunction with, and is not a substitute for referring to the requirements and application and other explanatory material contained in:

1. The Auditing Standards;
2. Applicable Standards on Assurance Engagements, including ASAE 3000,^[2] ASAE 3100,^[3] ASAE 3150^[4] and ASAE 3450.^[5]
3. Applicable ASIC regulatory documents including Regulatory Guide 166 Licensing: Financial requirements (RG 166) reissued in July 2022 and Pro Forma 209 Australian financial services licence conditions (PF 209) reissued in July 2022; and
4. Applicable ASIC Class orders including ASIC Class Order CO 13/760 Financial Requirements for responsible entities and operators of investor directed portfolio services; CO 13/761 Financial requirements for custodial or depository service providers; and CO 12/752 Financial requirements for retail OTC derivative issuers.

This Guidance Statement should not be used as a checklist of issues to be considered by the auditor. Furthermore, it is not intended that this Guidance Statement limits or replaces the auditor’s professional judgement or limits the application of AUASB Standards on such engagements. AUASB Standards contain the basic principles and essential procedures to be applied to assurance engagements. Assurance engagement programs are to be designed by the auditor to meet the requirements of a Licensee's particular circumstances, giving careful consideration to the size and type of the Licensee and the adequacy of its internal control structure.

Legislative Background

The Financial Services Reform Act 2001 (FSR Act) and the overall AFS licensing regulatory regime, which is administered by ASIC, are operative for all Licensees under Chapter 7 of the Act.

The FSR Act provides a single licensing regime for financial advice and dealings in relation to financial products. The Act requires a person or an entity that operates a financial services business to hold an AFSL or be authorised by the Licensee.

For the purposes of this Guidance Statement, the following items have the meanings attributed below:

Auditor ― A registered company auditor^[6].

AUASB Standards ― Australian Auditing Standards and Standards on Assurance Engagements, Standards on Review Engagements and Standards on Related Services.

Assurance Engagement ― An engagement in which an auditor aims to obtain sufficient appropriate evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the subject matter information (that is, the outcome of the measurement or evaluation of an underlying subject matter against criteria).

1. Reasonable assurance engagement ― An assurance engagement in which the auditor reduces engagement risk to an acceptably low level in the circumstances of the engagement as the basis for the auditor’s conclusion. The auditor’s conclusion is expressed in a form that conveys the auditor’s opinion on the outcome of the measurement or evaluation of the underlying subject matter against criteria.
2. Limited assurance engagement ― An assurance engagement in which the auditor reduces engagement risk to a level that is acceptable in the circumstances of the engagement but where that risk is greater than for a reasonable assurance engagement as the basis for expressing a conclusion in a form that conveys whether, based on the procedures performed and evidence obtained, a matter(s) has come to the auditor’s attention to cause the auditor to believe the subject matter information is materially misstated. The nature, timing, and extent of procedures performed in a limited assurance engagement is limited compared with that necessary in a reasonable assurance engagement but is planned to obtain a level of assurance that is, in the auditor’s professional judgment, meaningful. To be meaningful, the level of assurance obtained by the auditor is likely to enhance the intended users’ confidence about the subject matter information to a degree that is clearly more than inconsequential.

The Act^[7] requires the Licensee to prepare and lodge a profit and loss statement and balance sheet with ASIC. In addition, Licensees other than limited Licensees,^[8] are required^[9] to lodge an auditor’s report in a prescribed form with ASIC for each financial year. ASIC requires the Licensee’s financial statements to be attached to the form: Australian financial services licensee: profit and loss statement and balance sheet (FS70). The form also requires compliance with the accounting standards to the extent outlined in FS 70. Form FS70 can be found on the ASIC website www.asic.gov.au.

Section 989D(1) of the Act and regulation 7.8.14A of the Regulations require the Licensee to lodge FS70 and the form Auditor’s Report for AFS Licensee (FS71) with ASIC within the following timeframes:

1. if not a body corporate – the day that is two months after the end of that financial year;
2. if a body corporate that is a disclosing entity or a registered scheme – the day that is three months after the end of that financial year; or
3. if a body corporate that is not a disclosing entity or registered scheme – the day that is four months after the end of that financial year.

Many Licensees lodge annual financial reports and the auditor’s report under Chapter 2M of the Act (within three or four months of the financial year) with ASIC. The lodgement requirements under Chapter 2M and Part 7.8 of the Act are separate obligations, so it is necessary for Licensees to lodge financial statements under both provisions. The lodgement requirements under Chapter 2M of the Act apply to companies in general. Only the financial reports lodged under Chapter 2M are on public record. FS70 and FS71 contain information that is not required under Chapter 2M. Even if a Licensee is not required to lodge annual financial reports under Chapter 2M, they are still required to lodge FS70 and FS71 with ASIC under Part 7.8 of the Act.

The Licensee can apply to ASIC for an extension of time to lodge FS70 and FS71 under Section 989D(3) of the Act.

Financial Requirements for APRA Regulated Entities, Market and Clearing Participants

The base level financial requirements (refer paragraph 18) and other financial requirement conditions, as set out in ASIC Pro Forma 209 (PF 209), do not apply, but FS70 and FS71 are still required to be lodged with ASIC, if the Licensee is either:

1. a body regulated by the Australian Prudential Regulation Authority (APRA) as defined in Section 3(2) of the Australian Prudential Regulation Authority Act 1998;
2. a market participant (other than a principal trader, unless the principal trade is a registered market trader) as defined in Key Terms in RG 166 as an entity that is a participant of a financial market on which financial products are traded. Financial markets are operated by:
   1. ASX Limited (ASX market) that is required to comply with, and complies with, the rules of the ASIC Market Integrity Rules (ASX Market) 2010 that impose financial requirements, taking into account any waiver by ASIC;
   2. Cboe Australia Pty Limited (Cboe market) and APX markets that are required to comply with, and comply with, the rules of the ASIC Market Integrity Rules (Cboe Australia Market) 2011 and APX market 2013 that impose financial requirements, taking into account any waiver by ASIC; or
   3. Australian Securities Exchange Limited (ASX 24 market), that restricts its financial services business to participating in the ASX 24 market and incidental business^[10]; and is required to comply with, and complies with, the rules of the ASIC Market Integrity Rules (ASX 24 Market) 2010 that impose financial requirements, taking into account any waiver by ASIC; or
3. a clearing participant as defined in Key Terms in RG 166 as a Participant defined in section 761A of the Act in relation to a clearing and settlement facility (“CS facility”), where that facility is the licensed CS facility operated by:
   1. ASX Clear Pty Limited, and the Licensee is required to comply with, and complies with, the operating rules of ASX Clear Pty Limited that impose financial requirements, taking into account any waiver of those requirements by ASX Clear Pty Limited; or
   2. ASX Clear (Futures) Pty Limited, and the Licensee restricts its financial services business to participating in that CS facility and incidental business; and is required to comply with, and complies with, the operating rules of ASX Clear (Futures) Pty Limited that impose financial requirements, taking into account any waiver of those requirements by ASX Clear (Futures) Pty Limited.

Where a Licensee is a body regulated by APRA, PF 209 condition 27 requires the auditor’s opinion to state whether for the relevant period, the Licensee was a body regulated by APRA at the end of the financial year or for any period of time that ASIC requests. ASIC includes this licence condition confirmation as an Application Statement made under section 1 of FS71. The auditor completes the Application Statement in FS71.

Where a Licensee is a market participant or a clearing participant, PF 209 condition 28 requires the auditor’s opinion to state whether, during any part of the period for which the Licensee relied on being a market participant or clearing participant, the Licensee was a participant in the market conducted by:

1. ASX market;
2. ASX 24 market, and restricted its financial services business to participating in the ASX 24 market and incidental business;
3. Cboe market;
4. FEX market;
5. NSX market;
6. SSX market;
7. Licensed CS facility operated by ASX Clear Pty Limited; or
8. Licenced CS facility operated by ASX Clear (Futures) Pty Limited, and restricted its financial services business to participating in the licensed CS facility and incidental business.

ASIC includes this licence condition confirmation as an Application Statements made under section 1 of FS71. The auditor completes the Application Statements in FS71.

All Licensees that are not exempt from the base level financial requirements are required to comply with these requirements under the Act. The base level financial requirements (summarised in Appendix 3) include:

1. the solvency and positive net assets requirements;
2. the cash needs requirement (appendix 6), unless a tailored cash needs requirement applies (refer paragraph 20 and 21).

In addition, there are financial requirements specified in PF 209 and RG 166 for:

1. trustee companies providing traditional services (net tangible assets requirement, refer to PF 209 condition 19B and RG 166 Appendix 5);
2. issuers of margin lending facilities (net tangible assets requirement, refer to PF 209 condition 19A and RG 166 Appendix 6);
3. foreign exchange dealers (tier one capital requirement, refer to PF 209 condition 20 and RG 166 Appendix 7);
4. holding client money or property (tiered surplus liquid funds requirement, refer to PF 209 condition 21 and RG 166 Section C);
5. transacting with clients as principal (adjusted surplus liquid funds (ASLF) requirement, refer to PF 209 condition 22 and RG 166 Section D); and
6. reporting triggers for Licensees who are not APRA regulated and are not retail over the counter (OTC) derivative issuers (refer to PF 209 conditions 23 26 and RG 166.82).

Financial Requirements for Responsible Entities, Operators of Investor Directed Portfolio Services (IDPS), Custodial or Depository Service Providers, Retail OTC Derivative Issuers, Crowd Source Funding Intermediary and Corporate Director of Retail Collective Investment Vehicles

In addition to the standard solvency and positive net assets requirements specified in paragraph 18, tailored financial and assurance requirements apply to the following types of Licensees:

1. A responsible entity authorised to operate a managed investment scheme and IDPS operators.
2. Custodial or depository service providers.
3. Retail OTC derivative issuers.
4. Crowd-sourced funding intermediary (CSF).
5. Corporate Director of Retail Corporate Collective Investment Vehicles (CCIV).

Tailored financial and assurance requirements that apply to Licensees mentioned in paragraph 20 include:

1. tailored cash needs requirement (refer Appendix 4);
2. tailored net tangible assets (NTA) requirement;
3. tailored liquidity requirement; and
4. tailored assurance requirement (refer Appendix 5).

Refer Appendix 3 for more details and relevant regulatory references.

Reporting Framework

Licensees are required to lodge their annual financial report and Form FS70 with ASIC. From 1 July 2021 ASIC has updated the financial reporting requirements of Licensees in Form FS 70. Licensees reporting under Chapter 2M and Chapter 7 of the Corporations Act 2001 will be required to prepare general purpose financial statements (GPFS). Subject to some transitional arrangements, from years commencing 1 July 2021, special purpose financial statements (SPFS) will no longer be able to be prepared^[11]. Instead, Licensees will prepare either Tier 1 or Tier 2 GPFS depending on whether they meet the definition of public accountability set out in AASB 1053 Application of Tiers of Australian Accounting Standards^[12]. However, ASIC also specifies that certain licensees are required to prepare Tier 1 GPFS^[13].

ASIC has issued Instrument 2017/307 ASIC Corporations (Financial Reporting: Natural Person Licensees) on reporting requirements for Licensees who are natural persons. A natural person is defined as an individual, as opposed to a company, partnership or trustee. Instrument 2017/307 states that where the licensee is a natural person, the licensee may exclude from the profit and loss statement, the revenue and expense that do not relate to any business of the licensee or all the revenue and expenses that do not relate to a financial services business of the licensee.

Alternatively, a natural person licensee can choose not to rely on Instrument 2017/307 and instead include in a profit and loss statement all of their revenues and expenses, whether personal or business. The relief under Instrument 2017/307 is confined to the preparation of the profit and loss statement. ASIC requires a natural person licensee to still prepare a balance sheet that discloses all of their assets and liabilities, including their personal assets and liabilities and the assets and liabilities of any other business.

The FS71 auditor’s report requires:

1. Confirmation as to whether an auditor’s report on the financial report was prepared separately to the FS71, in order to meet the licensee’s obligation to lodge it with ASIC in accordance with section 989B(3) of the Act, and attached to the financial report lodged with the FS70 (see section 2 of FS71).
2. Reasonable assurance on the following matters as stated in Regulation 7.8.13(2) of the Regulations (included within section 2 of FS71):
   1. the effectiveness of internal controls used by the Licensee to comply with:
      • Divisions 2, 3, 4, 4A,^[14] 5 and 6 of Part 7.8 of the Act; and
      • Division 7 of Part 7.8 of the Act other than section 991A; and
   2. whether each account required by sections 981B and 982B of the Act to be maintained by the Licensee has been operated and controlled in accordance with those sections; and
   3. whether all necessary records, information and explanations were received from the Licensee.
3. Reasonable assurance that the Licensee complies with the specific financial requirements under the licence; and a combination of reasonable and limited assurance in relation to the relevant cash needs requirements either as outlined in:
   1. Appendix 4 and 5 if the Licensee is a responsible entity, an operator of IDPS, a custodial, a depository service provider or a retail OTC derivative issuer, that is subject to tailored cash and audit requirements (included within sections 4 and sections 6-8 of FS71); or
   2. Appendix 6 if the Licensee is not a body regulated by APRA or a market or clearing participant or a body subject to tailored cash and audit requirements (refer paragraph 18(b)) (included within sections 4 and 5 of FS71).
4. A report that there are no matters that should have been reported to ASIC in accordance with section 990K of the Act during or since the financial year that have not previously been reported to ASIC, other than the matters detailed in FS71 (section 13 of FS71).

ASIC Pro Forma 209 Australian financial services licence conditions (PF 209), reissued in July 2022, sets out the standard licence conditions which subject to individual circumstances, will usually be applied to licences authorising a person to provide financial services under the AFSL. It is important that the individual AFSL conditions are examined carefully so that the appropriate reporting and auditing obligations are met.

In addition, ASIC Class Orders CO 12/752, CO 13/76 and CO 13/761 set out the financial requirements applicable to specific categories of Licensees. It is important that these tailored requirements are examined carefully so that the appropriate financial and auditing obligations are met.

Exemptions From Lodging Form FS71

The holder of a limited AFSL is not required to lodge FS71 with ASIC. Regulation 7.8.12A and 7.8.13A of the Regulations exempts limited Licensees^[15] from lodging an auditor’s report with ASIC, but requires the lodgement of a compliance certificate with ASIC. Under sections 989B(1) and 989B(2) of the Act, limited Licensees are still required to prepare and lodge with ASIC, a profit and loss statement and balance sheet in the approved form FS70 within the required timeframes. Where the licensee holds a limited AFSL for part of the financial year but holds a full license for the remainder of the year, the FS71 is required to be completed for the part of the year for which the full licence is held.

A foreign Authorised Deposit-taking Institution (“ADI”) which holds the AFSL that has relief under Instrument 2016/186 ASIC Corporations (Foreign Licensees and ADIs), is not required to lodge FS71 with ASIC. It is exempt from the requirements of section 989B of the Act, where equivalent reports prepared for the overseas regulator of the foreign ADI are lodged with ASIC at least once in every calendar year and at intervals of not more than 15 months.

Where the foreign ADI is also regulated by APRA and the AFSL contains condition 27 in PF 209, then it is necessary for the foreign ADI to lodge an audit report (even if the foreign ADI is exempt under Instrument 2016/186), that states whether for the relevant period, on a reasonable assurance basis, the Licensee was a body regulated by APRA at the end of the financial year or for any period of time that ASIC requests. This is because the APRA regulation confirmation requirement is in addition to Section 989B of the Act or Instrument 2016/186. The format of this audit report does not need to be in accordance with FS71. To avoid any processing problems, ASIC requires the audit report to be lodged and accompanied by a letter identifying the Licensee, licence number and financial year, and clearly stating the reasons why FS71 has not been lodged. ASIC requires this letter to include reference to the instrument and to the requirement for a report pursuant to the relevant licence condition.

Instrument 2016/186, issued 24 March 2016 provides that a foreign company AFSL holder can lodge accounts prepared for their home regulator with ASIC to meet their AFSL requirements. As a result the foreign company does not have to comply with regulations made for the purposes of sections 988A, 988B, 988D(a) and 988F of the Act and hence is not required to lodge FS70 or FS71.

RG 166.8 also states that if the Licensee is prudentially regulated overseas, they can apply to ASIC for relief from the financial requirements. ASIC will give this relief on a case by case basis if they are satisfied that the applicant is regulated in a way that is comparable to regulation by APRA for entities of that kind. If applicable, ASIC will consider the extent to which the relevant foreign prudential regulation is consistent with the Basel Committee guidelines for regulating deposit taking institutions.

ASIC form FS70 is completed and lodged by the Licensee. The auditor does not have any reporting requirements in relation to FS70. The auditor inserts the date the FS70 was signed by the Licensee in Section 2 of FS71. In section 2 of FS71, the auditor confirms that the auditor’s report was prepared for the licensee, in order for the licensee to meet their obligation to lodge it with ASIC, in accordance with section 989B(3) of the Act. Section 2 of FS71 also requires the auditor to confirm whether the auditor’s report was qualified, otherwise modified or unmodified.

Section 990B(1) of the Act and regulation 7.8.16(1)(a) of the Regulations, requires the Licensee to ensure that at all times a registered company auditor who is not made ineligible through regulation 7.8.16 of the Regulations is engaged to audit the Licensee’s financial report.

The auditor complies with the requirements contained in ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450 when agreeing on the terms of the Licensee’s assurance engagement in writing. Such terms may be outlined in an engagement letter,^[16]an example of which is provided in Appendix 1 to this Guidance Statement. ASA 210^[17] contains information that the auditor may find helpful when agreeing on the terms of the engagement in this context.

The auditor may also use the engagement letter to clarify the respective roles of the Licensee and the auditor. In particular, it is important to highlight in the engagement letter the Licensee’s obligation to establish and maintain effective internal control in relation to compliance with the requirements of the Act. It is the responsibility of the Licensee to comply with all the conditions under its AFSL, including all of the financial requirements. As part of the acceptance of the assurance engagement, the auditor may consider obtaining acknowledgment of this obligation from those charged with governance of the Licensee when obtaining agreement on the terms of the engagement.

The auditor plans the engagement in accordance with ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450. In planning the auditor performs preliminary engagement activities to establish and document the overall assurance engagement strategy that sets the scope, timing and direction of the engagement, and guides the development of the engagement.

ASA 315^[18] contains information that the auditor may find helpful when obtaining an understanding of the entity and its environment, including its internal controls, to provide a basis for the identification and assessment of the risks of material misstatement in relation to financial requirements, compliance with the conditions of the Licensee’s AFSL and the requirements of Part 7.8 of the Act and operating effectiveness of controls whether due to fraud or error, sufficient to design and perform further audit procedures.

Understanding the Entity and its Environment

In gaining an understanding of the entity and its environment, the auditor can draw on knowledge gained as part of the annual financial statement audit, however this understanding needs to be updated and broadened to address the subject matters included in an engagement on AFSLs issued under the Act.

1. ASAE 3100^[19] provides a list of matters to be considered by the auditor in understanding the entity and the compliance framework with respect to the compliance section of the engagement;
2. ASAE 3150 provides a list of matters to be considered by the auditor in understanding the entity with respect to the controls section of the engagement; and
3. ASAE 3450 provides a list of matters to be considered by the auditor in understanding the entity with respect to projections and the cash requirements section of the engagement.

In planning the reasonable assurance sections of the engagement, the auditor will usually conduct the following procedures in obtaining that increased understanding and assessing risk: enquiries, analytical procedures, observation, inspection and reperformance.

For the limited assurance sections of the engagement the auditor does not normally develop the depth of understanding of internal controls in relation to those areas, as is required in a reasonable assurance engagement, and gaining an understanding may be limited to enquiries.

Identifying and Assessing Risks of Material Misstatements, Compliance Breaches or Control Deficiencies

The auditor of the Licensee may consider:

1. Key responsibilities and risks identified by the Licensee;
2. Reliability and processes of reporting systems established by the Licensee to implement the licence conditions; and
3. Adequacy of processes and systems established by the Licensee to monitor adherence to the licence conditions and the Act requirements. The auditor may obtain from management a copy of the licence conditions, together with any documentation of the procedures and processes which the Licensee has established to ensure compliance with those licence conditions.

In planning the assurance engagement and in assessing risk, the auditor considers matters including:

• The licence conditions.
• The nature and extent of any recent changes to the licence conditions and whether any detected breaches are deemed to be reportable in light of the revised licence conditions.
• The nature of and extent of any changes to the operations of the Licensee itself.
• Changes since the last reporting period to:
  1. the requirements of relevant AUASB Standards;
  2. the Act and Regulations; and
  3. relevant ASIC Regulatory Guides, Class Orders and Legislative Instruments.
• Reports and other documents submitted to the board of the Licensee regarding the operation of the licence and its compliance functions.
• Previous auditor’s reports, including the auditor’s report on the financial report of the Licensee, and related management letters.
• History of non-compliance with licence conditions.

Overall Responses to Assessed Risks of Material Misstatement in Financial Requirements, AFSL Compliance Breaches and Deficiencies in Controls

The auditor designs and performs further assurance procedures which are responsive to the assessed risks of material misstatement, material compliance breach or deficiency in controls. In obtaining reasonable assurance, the auditor chooses a combination of assurance procedures, which may include: inspection, observation, confirmation, recalculation, reperformance, analytical procedures and enquiry.

ASAE 3000 clearly differentiates between the objectives of a limited versus a reasonable assurance engagement and provides detail around the sufficiency of audit evidence on which to base conclusions. The nature, timing and extent of evidence gathering procedures which are conducted in any given circumstance is a matter of professional judgement and is determined in response to the auditor’s determination of materiality, risk assessment and the results of the procedures conducted in response to assessed risks. As the level of assurance obtained in a limited assurance engagement is lower than in a reasonable assurance engagement, the procedures the auditor will perform will vary in nature from and will be less in extent than for a reasonable assurance engagement. In a limited assurance engagement procedures primarily involve enquiries and substantive analytical procedures and may not include tests of controls (except where the subject matter is controls).

Although procedures in a limited assurance engagement will be more limited in nature, timing and extent than for a reasonable assurance engagement, ASAE 3000, ASAE 3100 and ASAE 3150 require additional procedures to be conducted if the auditor becomes aware of a matter which causes them to believe the subject matter may be materially misstated or there may be material compliance breaches or control deficiencies. The auditor may conduct procedures more akin to a reasonable assurance engagement on this particular matter in order to satisfy themselves that either the subject matter is not materially misstated, it is materially compliant or the controls are operating effectively, in all material respects.

In a reasonable assurance engagement, procedures may include tests of controls as well as substantive testing.  When conducting a reasonable assurance engagement, if the auditor is able to obtain evidence that the controls they wish to rely on are operating effectively, then the nature, timing and extent of substantive testing may be reduced or modified. If reliance is to be placed on the operating effectiveness of controls throughout the period, then testing will need to cover that period. Alternatively, if the identified controls are not operating effectively, then the nature, timing or extent of substantive testings will need to be increased or modified.

The auditor considers materiality when determining the nature, timing and extent of assurance procedures. The objectives of setting materiality are to establish:

1. A tolerable level of misstatement in relation to financial requirements, deficiency in controls, or non-compliance with AFSL conditions;
2. The scope of assurance work to be performed; and
3. A reasonable basis for evaluating identified misstatements, deficiencies, or non-compliance.

Materiality is addressed in the context of the Licensee’s auditor’s objectives, which are developed having regard to the reasonable expectations of issues that would likely influence the decisions of the user(s).

The auditor sets materiality in accordance with ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450. ASA 320^[20] contains information that the auditor may find helpful in this context. In considering materiality the auditor exercises professional judgement having regard to the Licensee’s obligations, together with the size, complexity and nature of the Licensee’s activities. The auditor develops separate materiality levels for each section of the engagement as follows:

1. For the compliance sections of the engagement, materiality is set in accordance with requirements in ASAE 3000 and ASAE 3100;
2. For the controls sections on of the engagement, materiality is in accordance with requirements in ASAE 3150; and
3. For projections under the cash needs requirements, materiality is set in accordance with requirements in ASAE 3450.

As identified in ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450, when assessing materiality, the auditor considers qualitative factors as well as quantitative factors.

Materiality is determined in the same way whether the engagement is a reasonable or limited assurance engagement. The difference between reasonable and limited assurance engagements lies in the nature, timing and extent of evidence gathering procedures, which will differ in order to reduce the risk of a material misstatement, compliance breach or control deficiency remaining undetected to an acceptably low level, in the case of a reasonable assurance engagement, or to a limited level, in the case of a limited assurance engagement. The risk of material misstatements, compliance breaches or control deficiency in a limited assurance engagement is not reduced to the same extent as in a reasonable assurance engagement, because of the more limited nature, timing and extent of procedures conducted. In a limited assurance engagement, the auditor seeks to obtain a meaningful level of assurance, which is likely to enhance the intended users’ confidence about the subject matter to a degree that is clearly more than inconsequential.

When determining materiality, the auditor considers ASIC Regulatory Guide RG 34 Auditor’s obligations: Reporting to ASIC that contains information on the obligations of an auditor of a Licensee in terms of breach reporting and ASIC Regulatory Guide RG 78 Breach reporting by AFS licensees and credit licensees that contains information on Licensees breach reporting obligations.

Although there is a greater risk that misstatements, control deficiencies or noncompliance may not be detected in a limited assurance engagement than a reasonable assurance engagement, the judgement as to what is material is made by reference to the subject matter on which the auditor is reporting and the needs of those relying on that information, as opposed to the level of assurance obtained.

Other Immaterial Matters Requiring Reporting to ASIC

An auditor may have concluded that it is appropriate to issue an unmodified opinion or conclusion but during the course of the engagement may have identified non-material matters. The auditor is not expected to modify their audit approach to detect such matters, however non-material matters that may come to the auditor’s attention as a result of their audit procedures in relation to:

• Report on internal controls and required accounts (section 2, FS71)
  • Specified internal controls not being effective; or
  • Required accounts not being operated or controlled as required; and/or
• Report on records, information and explanations (section 2, FS71)
  • Necessary records, information and explanations not received from the licensee; and/or
• Licensee not compliant with matters referred to in the auditor’s opinions included in sections 4-10 of FS71 including:
  • Compliance with financial or other conditions of the licence;
  • Compliance with requirements of the Act;
  • Whether the licensee had the required cash flow projections;
  • Whether the projections were correctly calculated;
  • Whether the basis of assumptions used was unreasonable;
  • Whether the licensee had adequate RMSs

These non-material matters are included in section 11 of FS71 unless they have already been reported to ASIC under section 990K of the Act or have been included elsewhere in FS71.

The auditor completes the Application Statements in section 1 of FS71. The Application Statements confirm the basis of the auditor’s completion of the FS71.

Section 2 of FS71 requires the auditor to confirm whether an auditor’s report on the financial statements was prepared separately to the FS71, and attached to the financial report lodged with the FS70, in order for the licensee to meet their obligation under section 989B(3) of the Act. In addition, the auditor confirms whether the report was qualified, otherwise modified or unmodified.

Section 2 of the FS71 audit report requires reasonable assurance on the control environment to achieve compliance with the requirements of Divisions 2, 3, 4, 4A, 5 and 6 of Part 7.8 of the Act and Division 7 of Part 7.8 other than section 991A. These provisions include:

• Dealing with clients’ money.
• Dealing with other property of clients.
• Special provisions relating to insurance.
• Obligations to report.
• Financial records, statements and audit.
• Other rules about conduct (i.e. giving priority to client orders, transmission of instructions through licensed markets, maintaining records of instruction, dealing with non licensees and employees).

Planning Assurance on Controls

In assessing the control environment, the auditor needs to determine which of the controls at the Licensee are necessary to achieve compliance with Divisions 2, 3, 4, 4A, 5 and 6 of Part 7.8 of the Act; and Division 7 of Part 7.8 of the Act (other than section 991A).

Where the auditor is unable to identify controls which are suitable or controls as designed are not suitable to achieve compliance with each requirement, if operating effectively, this may constitute a deficiency in relation to the suitability of design which would result in the controls being ineffective.

The auditor assesses the risk of the controls necessary to achieve the compliance requirements not operating effectively and uses professional judgement in determining the specific nature, timing and extent of procedures to be conducted.

Obtaining Evidence on Controls

Controls to achieve compliance with Division 2 of Part 7.8 subdivision A of the Act relating to handling of client money need to ensure:

• Client money is identified.
• An approved trust account is established for client money.
• Client money is paid into the trust account within one business day.
• Money is only withdrawn from the trust account in accordance with regulation 7.8.02 of the Regulations.
• Client and Licensee money is properly separated in accordance with regulation 7.8.01 of the Regulations.
• Interest on client money is treated in accordance with requirements.
• Surplus liquid funds requirements are met if client money is held.
• Appropriate processes for regularly reconciling the balances in the approved trust account. 

The auditor establishes whether the Licensee has controls to identify client money received to ensure a trust account is appropriately established. The auditor performs procedures to determine whether the Licensee has designed controls that are suitable to meet the relevant requirements and then tests that those controls have operated effectively throughout the period.

Controls to achieve compliance with Division 2 of Part 7.8 subdivision B of the Act relating to monies paid to a Licensee by way of a loan from a client, need to ensure:

• Loans from clients are appropriately identified.
• An approved trust account is established.
• Money borrowed is paid into the trust account within 1 business day.
• The terms and conditions of use of the loan and the purpose for which funds will be used is given to the client in a statement.
• Funds are only used for the specified purpose outlined in the terms and conditions or subsequently agreed to in writing.

The auditor establishes whether the Licensee has controls in place to identify when the Licensee has received a loan from a client to ensure a trust account is appropriately established. The auditor performs procedures to determine whether the Licensee has designed controls suitable to meet the relevant requirements; and then designs procedures to test that those controls have operated effectively throughout the period.

Controls to achieve compliance with Division 3 of Part 7.8 of the Act relating to the handling of property other than money given to the Licensee, need to ensure:

• Client property is identified.
• Deposits or registration of client property is in accordance with the requirements.
• Property is held as security only in permitted circumstances.
• Secured property is returned to the client within one business day of the client settling their obligation to the Licensee.
• Clients are provided with statements of property held as security every three months.

The auditor establishes whether the Licensee handles client property. The auditor determines whether the Licensee has designed controls suitable to meet the requirements relating to client property and then designs procedures to test that those controls have operated effectively throughout the period.

Controls to achieve compliance with Division 4 of Part 7.8 of the Act relating to the receipt of client monies by Licensees who are insurance brokers and agents of general and/or life insurance contracts, but not the actual insurer, need to ensure:

• Client insurance money is identified.
• Insurance money is paid over to the insurer in accordance with the requirements

The auditor determines whether the Licensee has designed suitable controls for handling client monies in accordance with the requirements and designs procedures to test that those controls are operating effectively throughout the period.

No controls are required to achieve compliance with Division 5 of Part 7.8 of the Act which makes provision for the regulations to impose reporting requirements in relation to money to which Division 2 or 3 applies, or to a Licensee dealing in derivatives, as currently, there are no regulations relating to this Division.

Division 6 of Part 7.8 of the Act relates to financial records, statements and audit. The auditor determines whether the Licensee has suitable controls to meet the relevant requirements and then designs procedures to test that these controls are operating effectively throughout the period.

Division 7 of Part 7.8 of the Act (other than section 991A) relates to other rules about conduct in licensed markets. The auditor considers firstly whether the legislation is applicable to the Licensee. If the legislation is applicable, the auditor determines whether the Licensee has suitable controls to meet the relevant requirements and then designs procedures to test that these controls are operating effectively throughout the period.

The FS71 audit report requires a combination of reasonable assurance opinions and limited assurance conclusions on the Licensee’s compliance with prescribed financial requirements and other relevant legislation. The auditor identifies the relevant financial requirements by referring to the licence conditions.

Audit evidence for the matters requiring reasonable assurance may be gathered through a combination of enquiry and observation, tests of controls, substantive testing and representations from management. Audit evidence for the matters requiring limited assurance may be limited to enquiries. The amount of evidence from each source is a matter for the auditor’s professional judgement. The nature and extent of procedures will be based on the complexity of the Licensee, nature of their business, risk assessment and level of assurance required. When auditing compliance with the Licensee’s financial requirements throughout the period, it is important for the auditor to:

1. understand how the Licensee derives their calculations, so the auditor can conclude as to whether this method is in accordance with the requirements;
2. ascertain whether all the calculations prepared during the period demonstrate a compliant position; and
3. test a sample of calculations for accuracy based on underlying financial information.

Cash Needs Requirement – Assurance Considerations

ASIC requires reasonable assurance and limited assurance on the entity’s compliance with the Licensee’s financial requirements throughout the year, not just at year-end. Hence, evidence-gathering procedures will need to include an understanding of the processes adopted by the Licensee to confirm compliance throughout the year, such as formal policies, monthly calculations, use of standard calculation templates and monitoring by the Licensee’s board or appropriate delegate. The auditor considers testing to be performed on a sample basis depending on the assessment of effectiveness of controls. The auditor applies the requirements of ASAE 3450 when obtaining assurance over projections.

If the Licensee has adopted Option 1 for the cash needs requirement or is subject to a tailored cash needs requirement, the auditor considers compliance throughout the period with the cash holding requirement in Part (e) of the Option 1 definition, or with the cash holding requirement per the applicable ASIC Class Order (CO 12/752, CO 13/760 or CO 13/761).

The auditor considers obtaining the cash flow projections throughout the relevant period and determines whether the cash flow projections are either:

1. a projection of the Licensee’s cash flows over at least the next three months based on the Licensee’s reasonable estimate of what is likely to happen over this term (Option 1);
2. a projection of the Licensee’s cash flows over at least the next three months based on the Licensee’s estimate of what would happen if the Licensee’s ability to meet its liabilities over the projected term (including any liabilities the Licensee might incur during the term of the projection) is adversely affected by commercial contingencies taking into account all contingencies that are sufficiently likely for a reasonable Licensee to plan how they might manage them (Option 2); or
3. a projection of the Licensee’s cash flows over at least the next 12 months based on the Licensee’s reasonable estimate over what is likely to happen over this term and is approved at least quarterly by those charged with governance (tailored cash needs requirements).

The auditor considers establishing how often and when the cash flow projection is updated to ensure it continuously covers at least the next three months (or 12 months for tailored cash needs requirement).

The auditor obtains the Licensee’s documented assumptions used to prepare the cash flow projections and checks whether the assumptions have been correctly applied in preparing the projections. This may include ensuring that the documented assumptions on the timing of cash flows have been correctly applied to budgeted revenues, expenses and capital expenditure.

Based on the cash flow projections already obtained, the auditor considers whether there is evidence that the cash flow assumptions are not appropriately documented or that the projections do not demonstrate that the Licensee had access as needed to sufficient financial resources at all times in compliance with paragraphs (b) and (d) of either the Option 1 or Option 2 definitions or paragraphs 3(c) or 3(e)(i) of the tailored cash needs requirements of ASIC Class Orders CO 12/752, 13/760 or 13/761 throughout the period. The auditor considers whether the documentation is sufficient to enable the auditor to ascertain whether the assumptions have been correctly applied in preparing the projections. This may involve reviewing the documentation of budget assumptions if the cash flow documentation does not stand alone. The auditor may consider the use of specialists in this area.

Based on reviewing the assumptions in line with the auditor’s knowledge of the business and on enquiries of management, the auditor considers whether there is evidence that the assumptions used are unreasonable. This may involve obtaining an understanding of the Licensee’s budgeting process if budgets are used to prepare the cash flow projections or considering the historical accuracy of the assumptions in predicting actual cash flows.

If the licensee relies on Option 2, the auditor reviews the reasonableness of the assumptions based on the auditor’s knowledge of the business and on enquiries of management.

Under Option 3, where the Licensee does not prepare a cash flow projection, but instead relies on a financial commitment from an Australian ADI, or comparable foreign institution, (under licence condition 13(c)(iii)) the audit report is required to contain a statement about whether the licensee has obtained an enforceable and unqualified commitment to pay on demand from time to time an unlimited amount to the licensee, or the amount for which the licensee is liable to its creditors at the time of demand to the licensee’s creditors or a trustee for the licensee’s creditors.

Where the Licensee is a subsidiary of an Australian ADI or ASICapproved prudentially regulated body that does not prepare cash flow projections, on the basis of its expectation concerning the adequacy of resources (under licence condition 13(c)(iv)), the audit report is required to contain a statement about whether the auditor has any reason to believe that the basis for selecting the assumptions documented by the Licensee in forming the expectation is unreasonable.

Where the Licensee uses group cash flow projections to meet the cash needs requirement, on the basis of alternative A (under licence condition 13(c)(v)), the auditor is required to include an audit opinion on whether the parent entity has provided an enforceable and unqualified commitment to pay on demand an unlimited amount to the Licensee, or to meet the Licensee’s liabilities (including any additional liabilities that the Licensee might incur while the commitment applies).

In addition, when relying on the Group cash flow projections under licence condition 13(c)(v), the licensee auditor considers the requirement for the parent entity auditor to provide a separate opinion modelled on the Option 1 or 2 audit requirement and that this auditor’s report is required to be submitted at the same time as the FS71 opinion (under licence condition 13(c)(v)(D)).

Where the Licensee relies on alternative B (under licence condition 13(d)(v)), the auditor’s report is required to contain a statement about whether the auditor has any reason to believe that the documented basis for selecting the assumptions, on which the Licensee’s expectation concerning the adequacy of the resources required under alternative B, is unreasonable.

FS71 requires limited assurance on risk management systems (RMS) to ensure ongoing compliance with financial requirements. Section 912A(1)(h) of the Act requires the Licensee to have adequate RMS. To satisfy this obligation, ASIC expects that the RMS will specifically deal with the risk that the Licensee’s financial resources will not be adequate to ensure that they are able to carry on their business in compliance with their licence obligations. RMS are a form of control and accordingly the requirements of ASAE 3150 are applied in obtaining assurance over these systems.

Assurance Considerations

ASAE 3150 requires the auditor to perform procedures to determine whether the Licensee has designed controls that are suitable to meet the requirements of section 912A(1)(h) in that they comprise adequate RMS and then designs procedures to test that these controls have operated effectively throughout the period. Having regard to the risk of inadequate financial resources, these procedures may include:

• Obtaining an understanding of the RMS and the process to identify material risks;
• Consideration as to whether a formal documented RMS exists, although the formality and extent of the processes required will depend on the size, nature and complexity of the business; and
• Obtaining periodic calculations of compliance with financial requirements, and consideration of processes that may exist to identify and address matters that may arise between these periodic calculations that have the potential to cause non compliance with the financial requirements, although the extent of these processes will depend on how much of a buffer the Licensee has above the requirements and the sensitivity of these buffers to fluctuations in the performance and financial position of the Licensee.

As the auditor’s conclusion is on the RMS as a whole, there is no expectation that the auditor expresses assurance conclusions on the adequacy of the specific controls of the RMS.

As part of the limited assurance procedures, the auditor may seek the following types of information and documentation:

• Copies of the RMS documents that set out the Licensee’s RMS during the period.
• Documentation that identifies and describes the systems, policies and procedures that are in place to manage identified risks.
• Management representations of compliance with identified systems, policies, procedures and structures.
• Minutes of the meetings of those responsible for monitoring compliance with aspects of the RMS.
• Internal audit reports (if applicable).
• Certifications, if made by the Licensee, and relevant supporting documentation to substantiate compliance with the RMS during the reporting period.
• Other supporting evidence to confirm that the controls identified in the RMS have been in place during the reporting period.

The above is not meant to represent an exhaustive list and there may be other evidence that is relevant to the specific circumstances of each Licensee.

FS71 requires a statement about any matter referred to in section 990K(2) of the Act and covers the financial reporting period and up until the date the FS71 auditor’s report is signed. This section 990K(2) statement only deals with those matters that have not already been reported by the auditor as required under section 990K(1). Given the 7 day reporting time frame under section 990K, it is likely that for most matters, the auditor would not wait until they lodge FS71 to report matters to ASIC. The section 990K(2) statement is not part of the opinion section in FS71.

Reporting of section 990K matters is not required under section 13 of FS71 if the matter:

• Has already been reported separately by the auditor to ASIC;
• Is included in section 2-10 of FS71 as a basis for a modified opinion/conclusion;
• Is included in section 11 of FS71 as a non-material matter.

Section 990K(2) requires a report to be given in relation to any matter that, in the opinion of the auditor:

1. has adversely affected, is adversely affecting or may adversely affect the ability of the Licensee to meet the Licensee’s obligations as a Licensee; or
2. constitutes or may constitute a contravention of:
   1. a provision of Subdivision A or B of Division 2 of the Act (or a provision of regulations made for the purposes of such a provision);
   2. a provision of Division 3 of the Act (or a provision of regulations made for the purposes of such a provision);
   3. a condition of the Licensee’s licence; or
3. constitutes an attempt to unduly influence, coerce, manipulate or mislead the auditor in the conduct of the audit.

Assurance Considerations

If the auditor becomes aware of the matters under section 990K(2) during the course of the audit of the financial report, performing work on FS71 or undertaking other audit work (e.g. Managed Investment Scheme compliance plan audits), they have an obligation to report on them. If the auditor becomes aware of a section 990K(2) matter that is outside the Act sections subject to the engagement, the auditor is required to report on these section 990K(2) matters but has no obligation to conduct procedures specifically to identify those matters.

Apart from the requirement to report section 990K(2) breaches in FS71, section 990K(1) requires auditors to report such breaches to ASIC (and the Licensee and any relevant market or clearing authority e.g. ASX for stockbrokers) within 7 days of becoming aware of the matter. Auditors consider this obligation at all times of the year, but particularly during the planning, interim and final stages of their audits. The Licensee is required to report all ‘reportable situations^[21]’ including deemed significant matters (breaches or likely breaches that are significant) as soon as practicable and within 30 days of becoming aware there are reasonable grounds to believe a reportable situation has arisen as required by section 912DAA. The auditor is expected to report breaches even if the Licensee has already reported same.

There is a potential conflict between the auditor’s obligation to report any breaches^[22] and the Licensee’s obligation to report all ‘reportable situations’ to ASIC. An opinion or conclusion is not provided on the 990K statement in the FS71. The auditor separately considers whether a matter reported in the statement also impacts the audit opinion within the FS71 report.

As the section 990K(2) statement specifically covers both the financial year and the period between the end of the financial year and the date of signing the FS71 auditor’s report (unlike the other reporting requirements in FS71), the auditor is obliged to formally consider the existence of relevant matters up to the date of signing the report. To determine the existence of such matters, the auditor considers matters including:

• Reading minutes of the meetings of those charged with governance, and compliance, audit and executive committees, held after the reporting date, and enquiring about matters discussed at meetings for which minutes are not yet available.
• Obtaining copies of all correspondence with ASIC and any other relevant regulators up to the date of signing.
• Enquiring of management as to whether any subsequent events have occurred which might represent matters referred to under section 990K(2).

Due to the nature of audit testing and other inherent limitations of an audit, together with the inherent limitations of the Licensee and its related licence conditions, there is a possibility that a properly planned and executed audit will not detect all breaches of the Licensee’s licence conditions. Accordingly, the audit conclusion under section 989B(3) of the Act is expressed in terms of reasonable or limited assurance (as appropriate) and cannot constitute a guarantee that all compliance breaches have been detected.

There are also practical limitations in requiring an auditor to perform a continuous examination of the Licensee and form an opinion or conclusion that the entity has complied at all times with the Act during the period covered by the auditor’s report. However, the auditor performs tests periodically throughout the financial year to obtain evidence and obtain reasonable assurance that the compliance measures complied with the written descriptions and were adequate throughout the period under examination.

Prior to issuing the FS71 audit report, the auditor considers obtaining a written representation from the directors of the Licensee which includes their assertions that the Licensee has complied with the licence conditions during the financial year and up to the date the FS71 audit report is signed, and that the Licensee continues to meet the requirements of Part 7.8 of the Act. In obtaining and using these written representations, the auditor complies with the requirements of, as appropriate, ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450. An example management representation letter is contained in Appendix 2.

The FS71 audit report is an ASIC prescribed form and can be found on the ASIC website www.asic.gov.au. ASIC requires form FS71 to be lodged in the prescribed form and that no modifications or deletions are made, unless consented to by ASIC.

It is important to check the ASIC website to ensure that the latest version of FS71 is adopted.

Under ASAE 3000, ASAE 3100, ASAE 3150 and ASAE 3450 the auditor communicates relevant matters of governance interest arising from the engagement to those charged with governance on a timely basis. In addition, Auditing Standards ASA 260^[23] and ASA 265^[24] contains information that the auditor may find useful when communicating with those charged with governance. Examples of such matters may include:

• The general approach and overall scope of the engagement, or any additional requirements.
• Fraud or information that indicates that fraud may exist.
• Significant deficiencies in internal controls identified during the engagement. A significant deficiency in internal controls means a deficiency or combination of deficiencies in internal controls that, in the auditor’s professional judgement is of sufficient importance to merit the attention of those charged with governance.
• Disagreements with management about matters that, individually or in aggregate, could be significant to the engagement.
• Compliance breaches.
• Expected modifications to the auditor’s report.

The auditor informs those charged with governance of the Licensee of any uncorrected misstatements/non-compliance , other than those which are clearly trivial, aggregated by the auditor during and pertaining to the engagement that were considered to be immaterial, both individually and in the aggregate, to the assurance engagement.

There is no equivalent International Standard on Auditing or International Auditing Practice Statement to this Guidance Statement.