Annual Prudential Review Report

Reporting Requirements (GPS 310: Attachment A – General Insurer or Attachment C – Insurance Group)

56

In accordance with GPS 310, the Appointed and Group Auditor are required to perform a review and provide the insurer or the parent entity of the insurance group with a report specifying the Appointed or Group Auditor’s review conclusions, namely whether:

  1. there exist systems, procedures and controls, that are kept up to date, which address the insurer’s or the insurance group’s compliance with all applicable Prudential Requirements;
  2. the insurer’s or the insurance group’s systems, procedures and controls relating to actuarial data integrity and financial reporting risks[19] are adequate and effective;
  3. the insurer or the insurance group has complied, in all significant respects, with its RMS and REMS;
  4. the insurer or the insurance group has systems, procedures and controls in place to ensure that reliable statistical and financial data are provided to APRA in the quarterly or semi-annual returns required by APRA Reporting Standards; and
  5. there are matters which have come to the Appointed or Group Auditor’s attention which will, or are likely to, affect adversely the interests of policyholders of the insurer or the insurance group.

57

Where the Appointed or Group Auditor identifies instances of non-compliance with Prudential Requirements during the course of reviewing the insurer’s systems, procedures and controls, GPS 310 requires the review report to include details of these matters[20]. Refer to Part E of the Prudential Review Report in Appendix 3.

58

In accordance with GPS 310, the review report is to be on an annual basis and to cover the same period as the yearly statutory accounts and annual accounts, unless other arrangements between APRA and either the insurer or the insurance group and/or the Appointed or Group Auditor apply. The review report is to be issued on a timely basis so as to enable the insurer or the insurance group to submit the report to APRA on or before the day that the yearly statutory accounts or annual accounts are required to be submitted to APRA in accordance with APRA Reporting Standards[21].

59

The prudential review report is required to be addressed to those charged with governance of the insurer or the insurance group and must be based on a limited assurance engagement. The report is to indicate that it is limited to the use of the insurer or insurance group and APRA. In preparing the report, APRA requires the Appointed and Group Auditor to have regard to AUASB Standards and Guidance Statements, to the extent that these pronouncements are not inconsistent with the requirements of GPS 310.

60

The Appointed or Group Auditor undertakes the review engagement in accordance with ASAE 3000[22].

61

The Appointed or Group Auditor considers materiality in providing reports as per GPS 310 and in the reporting of exceptions (refer paragraphs 73 to 78).

62

Where the Appointed or Group Auditor determines it necessary to issue a modified review conclusion because of, for example, a significant breach of the RMS and the REMS or because of the existence of a material weakness in systems, procedures and controls reviewed, the Appointed or Group Auditor has regard to the requirements of, and guidance provided in, AUASB Standards on Review Engagements (ASREs) and Standards on Assurance Engagements (ASAEs), as appropriate.

63

Where the Appointed or Group Auditor becomes aware of material weaknesses in internal controls, compliance errors or irregularities highlighted during the review, the Appointed or Group Auditor reports these instances to an appropriate level of management of the insurer or parent entity on a timely basis[23].

64

Prior to issuing the Appointed or Group Auditor’s review report, the Appointed or Group Auditor obtains a written representation from the insurer or the insurance group’s management[24] which contains its assertions, for example, that the insurer or the insurance group has complied with its RMS and REMS during the period under review and that the Appointed or Group Auditor has been kept informed fully of all APRA’s Prudential Requirements applicable to the insurer or the insurance group. However, representations by management cannot be a substitute for other audit evidence that the Appointed or Group Auditor could reasonably expect to be available.

Format of Reporting Requirements

65

An illustrative example of an annual Prudential Review Report, prepared by the Appointed or Group Auditor in compliance with APRA annual reporting requirements, is set out in Appendix 3.

Matters to Consider in Planning and Conducting the Review

66

To assist in the effective and efficient operation of the reporting process, there is a need to avoid misunderstanding and to clarify what is required or can be achieved in providing the reports as per GPS 310. There is furthermore a need to avoid excessive or unwarranted work that is not cost beneficial to the regulatory process.

67

In a limited assurance engagement, the assurance practitioner’s conclusion is expressed in a form that conveys whether, based on the procedures performed and evidence obtained, matter(s) have come to the practitioner’s attention to cause them to believe the subject matter information is not materially misstated. The nature, timing, and extent of procedures performed in a limited assurance engagement is planned to obtain assurance that is, in the practitioner’s professional judgement, meaningful.

68

For the purpose of expressing a conclusion in the review report, the Appointed or Group Auditor, through limited procedures, obtains sufficient appropriate evidence to support the conclusion. These limited procedures consist primarily of enquiries of the insurer’s or insurance group’s staff and analytical procedures. The nature, timing and extent of procedures deemed necessary by the Appointed or Group Auditor to reduce assurance engagement risk to an acceptable level are a matter for the Appointed or Group Auditor’s professional judgement, taking into consideration the specific engagement circumstances.

69

The Appointed or Group Auditor is not required by GPS 310 to extend the scope of the review engagement in order to report to APRA matters which will, or are likely to, affect adversely the interests of policyholders of the insurer or insurance group, or instances in which the insurer or insurance group has not complied with all aspects of relevant Prudential Requirements, or in relation to the Appointed or Group Auditor’s obligations as regards non-routine reporting requirements under sections 49A and 49B of the Act. Although there is no requirement for the Appointed or Group Auditor to perform any specific procedures to identify such matters required to be reported to APRA, during the course of the review engagement, the Appointed or Group Auditor exercises professional judgement and considers whether additional procedures are necessary in relation to these matters.

Inherent Limitations of the Review

70

While reviews involve the application of audit related skills and techniques, usually they do not involve many of the procedures performed during an audit. In an audit, as the auditor’s objective is to provide a reasonable, but not absolute, level of assurance on the truth and fairness of financial information, the auditor uses more extensive audit procedures than in a review. Review procedures do not provide all the evidence required in an audit and, consequently, the level of assurance provided is less than that given in an audit.

71

There are inherent limitations in any internal control structure. Furthermore, fraud, error or non-compliance with laws and regulations may occur and not be detected. As the systems, procedures and controls to ensure compliance with APRA Prudential Requirements are part of the insurer’s or insurance group’s operations, it is possible that either the inherent limitations of the internal control structure, or weaknesses in it, impact on the effective operation of the insurer’s or insurance group’s specific control procedures.

72

Projections of any evaluation of internal control procedures to future periods are subject to the risk that control procedures may become inadequate because of changes in conditions after the review reports are signed, or that the degree of compliance may deteriorate.

Materiality

73

In accordance with ASAE 3000, the Appointed or Group Auditor considers materiality when:

  1. determining the nature, timing and extent of review procedures;
  2. considering the effect of identified weaknesses in systems, procedures and controls designed to address compliance with Prudential Requirements and to enable the insurer or insurance group to report reliable financial and statistical information to APRA;
  3. evaluating the significance of identified breaches of the RMS and the REMS;
  4. reporting instances of non-compliance with Prudential Requirements identified during the course of the review of the insurer’s or insurance group’s systems, procedures and controls; and
  5. reporting matters that will, or are likely to, affect adversely the interests of the policyholders of the insurer or insurance group.

74

Materiality is to be addressed in the context of the insurer’s or insurance group’s objectives relevant to the particular area of activity being examined (see paragraph 56) and whether the internal controls will reduce to an acceptable level the risks that threaten achievement of those objectives. These objectives are developed having regard to the protection of the interests of the policyholders and prospective policyholders of the insurer or insurance group.

75

In addition to the guidance provided in ASAE 3000 and other relevant ASAEs, the Appointed and Group Auditor may find ASA 320 helpful when assessing materiality. However, it is not possible to give a definitive view on what may constitute, for example, a material breach of Prudential Requirements or a material control weakness. The Appointed and Group Auditor exercises professional judgement in considering materiality appropriate to the insurer’s or insurance group’s circumstances, having regard to their obligations, the purpose and terms of the specific engagement, together with the size, complexity and nature of their activities.

76

AASB 1031 may provide useful guidance to the Appointed and Group Auditor also. Matters likely to adversely affect the interests of policyholders are related generally to solvency and going concern assumptions. In the context of APRA’s reporting requirements, the insurer’s PCR is therefore an important consideration with respect to materiality. However, the auditor needs to consider whether alternative bases such as profit, assets or revenue may be more appropriate.

77

For the purpose of paragraphs 93-101, the significance of a matter is to be judged by the Appointed or Group Auditor in the context in which it is being considered, taking into account both quantitative and qualitative factors. This may, for example, include consideration of the significance in terms of the potential impact of the non-compliance with the RMS and the REMS rather than the actual impact. Where the Appointed or Group Auditor considers that non-compliance potentially could be significant to the insurer or insurance group as a whole and/or to policyholder interests, or where the matter may be considered as important by APRA in performing its functions under the Act, then that is a matter to be reported to APRA.

78

Reference to section 49A(7)[25] of the Act, which defines the term ‘significant’ in the context of matters to be notified to APRA by the Appointed or Group Auditor (as part of the auditor’s non-routine reporting requirements – refer paragraph 124), provides helpful guidance when considering the significance of matters in relation to the insurer’s RMS and REMS.

Internal Audit

79

CPS 510 requires an insurer or insurance group[26] to have in place an independent and adequately resourced internal audit function[27]. CPS 510 and APRA Prudential Practice Guide GPG 200 Risk Management set out the requirements and provide guidance to insurers and insurance groups in relation to internal audit.

80

GPS 220 requires an insurer’s or insurance group’s RMF to be reviewed by operationally independent, appropriately trained and competent staff. Commonly, this evaluation of the adequacy and effectiveness of the RMF, which includes a review of the insurer’s or insurance group’s risk management function (or role), RMS and internal control system, will be undertaken by the internal audit function.

81

Auditing Standard ASA 610 Using the Work of Internal Auditors sets out the requirements and provides guidance to the auditor in considering the activities of the internal audit function and evaluating the effect, if any, on audit procedures.

Existence of Controls Addressing Compliance with Prudential Requirements

82

The Appointed or Group Auditor is required to express a conclusion as to whether anything has come to their attention that causes them to believe that the insurer or insurance group does not have systems, procedures and controls in place, that are kept up-to-date, to address the insurer’s or insurance group’s compliance with all applicable Prudential Requirements (refer Part A of the Prudential Review Report as per Appendix 3). Items included under ‘Prudential Requirements’ are listed in paragraph 16 of this Guidance Statement.

83

The Appointed or Group Auditor reviews whether the high level controls over systems and procedures pertinent to the Prudential Requirements, as documented in the RMS and the REMS, exist and whether the insurer or insurance group has in place a periodic review process to ensure that relevant systems, procedures and controls remain up-to-date at all times. Existence is addressed normally when evaluating the design of controls during the planning phase of the review.

84

As part of the review, the Appointed or Group Auditor obtains an understanding of the insurer’s or insurance group’s compliance framework, which may include the following key elements:

  • Procedures for identifying and updating compliance obligations.
  • Staff training and awareness programs.
  • Procedures for assessing the impact of compliance obligations on the insurer’s or insurance group’s key business activities.
  • Controls embedded within key business processes to ensure compliance with obligations.
  • Processes to identify and monitor the implementation of further mitigating actions required to ensure that compliance obligations are met.
  • A monitoring plan to test key compliance controls on a periodic basis and to report exceptions.
  • Procedures for identifying, assessing and reporting compliance incidents and breaches.
  • Periodic sign-off by management as to compliance with obligations.
  • A compliance governance structure that establishes responsibility for the oversight of compliance control activities with those charged with governance, typically a Board Audit, Risk Management or Compliance Committee.

85

Insurers and insurance groups have different systems and procedures in place to monitor compliance with specific Prudential Standards. Projections and estimates are likely to be part of the monitoring process, as the preparation of a full financial report is unlikely to be practical on a day-by-day or week-by-week basis. Varying degrees of precision may exist therefore in applying the monitoring process. Notwithstanding these differences, such systems seek to ensure that insurers or insurance groups comply with all Prudential Standards on a continuous basis.

86

As part of the Appointed or Group Auditor’s review of whether systems, procedures and controls exist to address compliance with the relevant statutory and regulatory requirements and conditions on the insurer’s or insurance group’s authority to carry on insurance business, or other conditions imposed by APRA in relation to their operations, including bilateral APRA insurer requirements and conditions, the Appointed or Group Auditor makes enquiries of the insurer or group management as to (but not limited to):

  • The nature of authorisation to carry on general insurance business under section 12 of the Act.
  • Conditions or changes in conditions imposed by APRA on the section 12 authorisation.
  • Exemption granted by APRA to the insurer or insurance group in relation to specific sections of the Act.
  • Directions by APRA to the insurer or insurance group under the Act in relation to compliance with a Prudential Standard where there has been a breach of the Standard or is likely to be a breach.
  • Directions issued by APRA to the insurer or insurance group under section 62 of the Act in the context of an investigation.
  • Any variations and/or exclusions exercised by APRA under the Prudential Standards.
  • Formal correspondence issued to an insurer or insurance group in relation to an APRA prudential visit/review.

87

As part of the review, the Appointed or Group Auditor performs review procedures that they consider necessary in relation to the insurer’s or insurance group’s systems, procedures and controls which address compliance with all applicable Prudential Requirements, including but not limited to the following sections of the Act:

  • Authorisation under section 12 of the Act[28].
  • Conditions imposed under section 13 of the Act.
  • Directions issued by APRA pursuant to sections 7, 35, 49L, 49Q and 62 of the Act.
  • Other specified matter(s).

88

Conditions on the insurer’s or insurance group’s authority to carry on insurance business may vary from one insurer or insurance group to another and the Appointed or Group Auditor makes enquiries with respect to conditions imposed on the insurer or insurance group by APRA.

89

In relation to Prudential Requirements specified in writing by APRA, the Appointed or Group Auditor of an insurer or insurance group limits the review to the Prudential Requirements specified in writing by APRA of which they are aware.

90

While the Appointed or Group Auditor is not expected to review the design or operating effectiveness of control procedures, during the course of the review, they may become aware of material control weaknesses which the Appointed or Group Auditor reports to an appropriate level of management of the insurer or insurance group.

Adequacy and Effectiveness of Controls Relating to Actuarial Data Integrity and Financial Reporting Risks

91

The Appointed or Group Auditor is required to express a conclusion as to whether anything has come to their attention that causes them to believe that the insurer’s or insurance group’s systems, procedures and controls relating to actuarial data integrity and financial reporting risks[29] are not adequate and effective to address the risk of material error in the APRA returns. Refer Part B of the Prudential Review Report as per Appendix 3.

92

The Appointed or Group Auditor reviews whether systems, procedures and controls in place are adequate and operating effectively to ensure that source data used for actuarial valuations and completion of returns to APRA in accordance with the requirements of the Collection of Data Act, are accurate, complete, consistent with the accounting records of the insurer or insurance group, and a true representation of the transactions for the year and the financial position of the insurer or insurance group. The Appointed or Group Auditor performs review procedures covering the period to obtain evidence regarding the continuity of systems, procedures and controls in place for the period under review.

Compliance with RMS and REMS

93

The Appointed or Group Auditor is required to express a conclusion as to whether anything has come to their attention that causes them to believe that the insurer or insurance group has not complied, in all significant respects (refer paragraphs 77-78), with its RMS and REMS[30]. Refer Part C of the Prudential Review Report as per Appendix 3.

94

The objective of the Appointed or Group Auditor’s review of the insurer’s or insurance group’s compliance with its RMS and REMS is whether they have complied substantially with key policies, procedures, structures and controls documented in the RMS and the REMS for the period under review. There is no expectation that the Appointed or Group Auditor expresses assurance on the adequacy of the RMS and the REMS.

95

The Appointed or Group Auditor’s review of compliance with the RMS and the REMS may include the following procedures:

  • Obtaining an understanding of the RMF and the process to identify material risks.
  • Reviewing the relevant RMS and the REMS to confirm that they are up to date and approved by the insurer or insurance group.
  • Reviewing the processes (including monitoring and reporting procedures) the insurer or insurance group has in place to ensure ongoing compliance with the RMS and the REMS. The Appointed or Group Auditor may find reference to paragraph 84 useful in this regard. It identifies some of the key elements that may form part of an insurer’s or insurance group’s compliance framework.
  • Reviewing the evidence supporting the insurer’s or insurance group’s attestation in the APRA Annual Return in relation to compliance with the RMS and the REMS.

96

As part of the Appointed or Group Auditor’s review, they may consider the measures in place which relate to the insurer’s or insurance group’s monitoring of, and reporting on, specific matters incorporated into the RMS and the REMS. Such a review may include the following matters:

  • Whether breaches of the RMS and the REMS have been detected and reported by the monitoring systems. When breaches have been detected, whether such breaches are significant either in themselves or, when they are of a recurring nature and have not been rectified, whether their cumulative effect renders them to be a significant non-compliance.
  • Identifying systems which they use to ensure that business units and staff comply with the measures in the RMS and the REMS on a day-to-day basis.

97

As part of the review of compliance with the RMS and the REMS, the Appointed or Group Auditor may seek the following types of information and documentation:

  • Copies of the RMS and the REMS that applied during the period covered by the review.
  • Details of changes to the RMS and the REMS and related policies and procedures and the reasons for the revisions.
  • Documentation that identifies and describes the policies, procedures and structures that are in place to manage identified risks and representations that such policies, procedures and structures have been complied with.
  • Minutes of the meetings of those charged with governance and sub-committees responsible for monitoring compliance with aspects of the RMS and the REMS.
  • Internal and external incident and breach reports, breach and complaints registers and follow-up action taken to the extent that recorded items may indicate a failure to comply with the RMS and the REMS.
  • Internal audit reports.
  • Certifications made by the insurer or insurance group and relevant supporting documentation to substantiate compliance with the RMS and the REMS during the reporting period.
  • Other supporting evidence to confirm that the controls identified in the RMS and the REMS have been in place during the reporting period.

The above is not meant to represent an exhaustive list and there may be other evidence that is relevant to the specific circumstances of each insurer.

98

There are practical limitations in requiring the Appointed or Group Auditor to express a conclusion as to the insurer’s or insurance group’s compliance at all times with the RMS and the REMS during the review period. However, the Appointed or Group Auditor performs review procedures to the extent that the Appointed or Group Auditor considers to be appropriate in order to obtain sufficient appropriate evidence as to the insurer’s or insurance group’s compliance with the written descriptions within the RMS and the REMS throughout the period under review.

99

While the Appointed or Group Auditor is not expected to review the adequacy of the RMS and the REMS, during the course of the review the Appointed or Group Auditor may become aware of significant deficiencies in the RMS and the REMS which they report to an appropriate level of the insurer’s or insurance group’s management.

100

The auditor lists any key strategies included in the RMS and the REMS provided to APRA by the insurer or insurance group, but not reviewed by them as a consequence of a circumstance that makes the review impractical (for example, any period for which the strategy has not been in place).

101

The Group Auditor of an insurance group should also be aware of Attachment D to GPS 220 in so far as it may relate to adjustments to prudential requirements for insurance groups.

Controls in place to ensure Reliability of Statistical and Financial Data

102

The Appointed Auditor of an insurer, or the Group Auditor of the insurance group is required to express a conclusion as to whether anything has come to the auditor’s attention that causes the auditor to believe that the insurer or insurance group does not have systems, procedures and controls in place to ensure that reliable statistical and financial data are provided by the insurer or insurance group in Quarterly or Semi-Annual Returns to APRA, as required by APRA Reporting Standards. Refer Part D of the Prudential Review Report, as per Appendix 3.

103

Interpretation of the word ‘reliable’ in the context of paragraph 102 requires mutual understanding in that it has practical limitations in the present circumstances. For many insurers or insurance groups, it is at reporting period-end only that the insurer’s or insurance group’s accounts, including all the appropriate adjustments for accruals, prepayments, provisioning and valuations, are prepared. Some insurers or insurance groups report their results half-yearly also, and therefore would incorporate the necessary adjustments, but generally an audit is not carried out on these balances unless the insurer or insurance group requires an audit rather than a review of the half-year financial report.

104

APRA expects review procedures to include limited tests of control in relation to the compilation of the required statistical and financial information included in the APRA Quarterly or Semi-Annual Returns, to the extent the Appointed or Group Auditor considers appropriate. This involves, at a minimum, test checking from the Quarterly or Semi-Annual Returns to the insurer’s or insurance group’s general ledger or appropriate sub-ledger or sub-system but does not extend to auditing the financial or statistical information presented in the Quarterly or Semi-Annual Returns.

Policyholders’ Interests

105

The Appointed or Group Auditor is required to express a conclusion as to whether anything has come to their attention that causes the Appointed or Group Auditor to believe that there are matters which, in the Appointed or Group Auditor’s opinion, will, or are likely to, affect adversely the interests of the policyholders[31] of the insurer or insurance group. Matters likely to adversely affect the interests of the policyholders are related generally to solvency issues and going concern assumptions, for example, the insurer’s or insurance group’s compliance with PCR as per Prudential Standard GPS 110 Capital Adequacy. Refer Part E of the Prudential Review Report, as per Appendix 3.

106

The Appointed or Group Auditor will report to APRA on the basis of information obtained during the course of the Appointed Auditor’s financial report audit under the Corporations Act 2001, the audit of the yearly statutory accounts or the Group Auditor’s review of the annual accounts prepared in accordance with the Act, additional review procedures undertaken for APRA reporting purposes, and current knowledge of the insurer’s or insurance group’s affairs at the time of issuing the report.

107

The Appointed Auditor of a foreign insurer is unlikely to have complete knowledge of the overseas operations of the parent or related entities of the foreign insurer. The Appointed Auditor may not have had responsibility for the financial report audit of the foreign insurer. As a result, the Appointed Auditor is limited in the level of information that can be provided with respect to foreign insurer policyholders’ interests.

108

Where a situation described at paragraph 107 exists, the Appointed Auditor of a foreign insurer is not expected to expand the scope of the review engagement in order to meet the reporting requirements of GPS 310, or to be aware of all material issues or events that are outside the Australian operations of the foreign insurer. Rather, in meeting APRA’s reporting requirements, the Appointed Auditor reports the scope of any financial report audit work performed with respect to the foreign insurer and, where the Appointed Auditor has conducted no financial report audit, reports only on matters that come to the Appointed Auditor’s attention during the course of the Appointed Auditor’s work in relation to APRA’s additional reporting requirements.

19

The risks that incorrect source data will be used in completing returns to APRA in accordance with the Collection of Data Act.

20

Whether or not the insurer and/or insurance group has reported the non-compliance to APRA.

21

Refer to GRS 001 for specific requirements in relation to reporting periods.

22

AUASB Standards on Review Engagements (ASREs), Standards on Assurance Engagements (ASAEs) and this Guidance Statement may provide helpful information to assist the auditor in conducting the review.

23

Reference to Auditing Standard ASA 260 Communication with Those Charged With Governance may provide useful guidance in this regard.

24

Matters for consideration and an illustrative example of a representation letter relevant to an audit engagement are contained in Auditing Standard ASA 580 Representations, which may be helpful in determining representations applicable to the review engagement.

25

Section 49A(7) of the Act is effective from 1 January 2008.

26

This will include a foreign insurer in relation to its Australian business.

27

Under CPS 510, APRA may approve alternative arrangements where APRA is satisfied that they will achieve the same objectives.

28

Or in the case of an authorised non-operating holding company (NOHC), section 18 of the Act.

29

Refer to paragraphs 22-24 and Appendix 6 for a description of, and Prudential Requirements in relation to, the RMS and REMS documents.

30

Refer to paragraphs 22-24 and Appendix 6 for a description of, and Prudential Requirements in relation to, the RMS and REMS documents.

31

Reference to policyholders relates to a class of policyholders rather than to individual policyholders.