Role and Responsibilities of the Appointed Auditor
Those Who May Conduct the Assurance Engagement
46
APS 310 and 3PS 310 require an ADI and/or the head of the ADI group, as applicable, to ensure its auditor:
- satisfies the fitness and propriety requirements set out in Prudential Standard CPS 520 Fit and Proper;
- satisfies the auditor independence requirements in CPS 510 ; and
- is not subject to a direction issued under the Banking Act.
As such, the auditor will need to provide information to the entity to enable the ADI and/or head of the ADI group to comply with requirements.
Annual Prudential Reporting Requirements (Routine Reporting)
47
For an outline of the relevant reporting requirements applicable to the appointed auditor of an ADI and/or ADI group reporting pursuant to APS 310, 3PS 310 and APS 910, refer to the table in Appendix 1 to this Guidance Statement, entitled Outline of Auditor’s Reporting Requirements, Levels of Assurance, Subject Matter, Evaluation Criteria and Applicable AUASB Standards.
Prudential Standards APS 310 and 3PS 310[31]
48
Under APS 310 and 3PS 310[32], the appointed auditor of an ADI and/or group auditor of an ADI group is required to report simultaneously to APRA and the Board (or Board Audit Committee) of the ADI and/or head of the ADI group, as appropriate,[33] within three months[34] of the end of the financial year, in relation to the following matters[35]:
- Assurance on Specified[36] ADI Reporting Forms at the financial year-end:
- Reporting Forms with Data Sourced from Accounting Records
- The appointed auditor is required to provide reasonable assurance that the information included in the Specified ADI Reporting Forms at the financial year-end, sourced from accounting records, is reliable and in accordance with the relevant APRA Prudential and Reporting Standards;
- Reporting Forms with Data Sourced from Non-Accounting Records
- Unless otherwise indicated, in writing, by APRA, the appointed auditor is required to provide limited assurance that the information, included in the Specified ADI Reporting Forms at the financial year-end, sourced from non-accounting records, is reliable and in accordance with the relevant APRA Prudential and Reporting Standards;
- Reporting Forms with Data Sourced from a Combination of Accounting and Non-Accounting Records
- Unless otherwise indicated, in writing, by APRA, the appointed auditor is required to provide reasonable assurance on information sourced from accounting records, and limited assurance that information sourced from non-accounting records, at the financial year-end, is reliable and in accordance with the relevant APRA Prudential and Reporting Standards.
- Limited Assurance on Internal Controls addressing Compliance with Prudential Requirements and the Reliability of Data included in ADI Reporting Forms
- The appointed auditor is required to provide limited assurance that:
-
the ADI and/or head of ADI group has implemented internal controls that are designed to ensure the ADI and/or head of the ADI group, as relevant, has:
-
complied with all applicable Prudential Requirements; and
-
provided reliable data to APRA in the Reporting Forms prepared under the FSCODA; and
-
-
the controls in paragraph (b)(i) have operated effectively throughout the financial year.
-
- The appointed auditor is required to provide limited assurance that:
- Limited Assurance on Compliance with Prudential Requirements
The appointed auditor is required to provide limited assurance, based on the appointed auditor’s work under (a) and (b) above[37], that the ADI and/or the head of the ADI group, as relevant, has complied with all relevant Prudential Requirements under the Banking Act and the FSCODA, including compliance with APRA Prudential and Reporting Standards, during the financial year.[38]
49
3PS 310 requires that reports, assessments and other material required under this standard make it clear where the auditor is referring to matters relating to the Level 3 head or the Level 3 group.
50
Under APS 310 and 3PS 310, it is the responsibility of the appointed auditor, as provided for in the required terms of engagement, to submit directly to APRA:
- all reports required to be produced under APS 310 and 3PS 310; and
- all assessments and other material associated with these reports, if requested by APRA.
51
Ordinarily, matters reported to APRA under paragraph 50 are also reported to the ADI and/or head of the ADI group to which the matter relates. However, APS 310 and 3PS 310 specifically prohibit the appointed auditor from notifying the ADI and/or head of the ADI group of, or from providing the ADI and/or head of the ADI group with, the documents referred to in paragraph 50, where:
- the appointed auditor considers that by doing so the interests of depositors of the ADI or ADIs within the group would be jeopardised; or
- there is a situation of mistrust between the appointed auditor and the Board of the ADI and/or head of the ADI group, or senior management of the ADI or ADI group.
52
In accordance with APS 310 and 3PS 310, an appointed auditor, whether as part of routine or special purpose engagements, must not place sole reliance on the work performed by APRA.
53
The appointed auditor of an ADI is required to attend all meetings with APRA related to APS 310 and 3PS 310, whether on a bilateral, tripartite or other basis, unless APRA indicates otherwise in writing.
Prudential Standard APS 910 Financial Claims Scheme
54
APS 910[39] requires the appointed auditor, in accordance with APS 310, to provide limited assurance that:
- the ADI[40] has controls that are designed to ensure that Single Customer View (SCV) data as set out in APS 910 Attachment A, to the extent practicable, and FCS payment instruction and reporting information can be relied upon as being complete and accurate and in accordance with APS 910; and
- these controls have operated effectively when tested.
55
APS 910 requirements are in addition to the APS 310 requirement for appointed auditors to perform a limited assurance engagement on controls implemented by the ADI to ensure compliance with all prudential requirements (which includes compliance with APS 910).
56
Generally, the APS 910 assurance engagement will be undertaken as part of the annual APS 310 assurance engagement on controls. APRA has indicated[41] that, in circumstances where the APS 310/3PS 310 appointed auditor may not be in a position to undertake the APS 910 engagement, a different auditor from the same or a different audit firm will be able to carry out the APS 910 engagement, in accordance with the requirements of applicable AUASB Standards.[42]
57
APRA requires the timing of the APS 910 assurance engagement to be aligned with the annual APS 310 assurance engagement. A separate assurance report for the APS 910 engagement is preferred, but the requirement is that this report be submitted to APRA at the same time as the APS 310 prudential assurance report.
Refer to APS 310 and 3PS 310 for detail requirements.
See APS 310, paragraphs 35-36 and 3PS 310, paragraphs 26-27.
Or, for a foreign ADI, a senior officer outside Australia to whom authority has been delegated in accordance with CPS 510, for overseeing the Australian operations.
For a non-disclosing ADI, the relevant period is four months.
Subject to paragraph 51 of this Guidance Statement.
For a listing of APRA Reporting Forms to be subjected to the assurance engagement, refer to APRA Prudential Standard APS 310 Attachment A – Data Collections subject to reasonable and/or limited assurance. The requirements are different for Standardised, Advanced and Foreign ADIs.
APS 310 and 3PS 310 do not include a requirement for the appointed auditor to carry out additional work to satisfy the auditor with respect to this requirement to report on compliance with relevant Prudential Requirements.
Refer also to section 16BA of the Banking Act which requires the auditor to immediately notify APRA of certain matters, and to notify APRA as soon as is practicable about certain other matters.
See APS 910, paragraph 27.
APS 910 does not apply to foreign ADIs and providers of purchased payment facilities.
Refer to APRA’s website: https://www.apra.gov.au/financial-claims-scheme-frequently-asked-technical-questions-for-authorised-deposit-taking, under section 2 Audit and attestation (Questions 2.1 and 2.3, June 2014).
See paragraph 142 of this Guidance Statement.