The auditor plans the engagement in accordance with the requirements of, and has regard to, guidance provided in AUASB standards ASA 805, ASA 300^[47] (as adapted), ASAE 3000, ASAE 3150, ASAE 3450 and ASRE 2405, as applicable. The auditor performs preliminary engagement activities to establish and document the overall assurance engagement strategy that sets the scope, timing and direction of the engagement, and guides the development of the engagement.

The appointed auditor obtains an understanding of the entity and its environment, including its internal control and compliance framework, and other assurance engagement circumstances, sufficient to:

1. identify and assess the risks of:
   1. material misstatements in subject matter information;
   2. material deficiencies or deviations in internal controls (in relation to the area of activity to be examined); and
   3. non-compliance with applicable Prudential Requirements; and
2. design and perform further evidence-gathering procedures.

In gaining an understanding of the entity and its environment, the appointed auditor can draw on knowledge gained as part of the annual financial statement audit conducted under the Corporations Act. However, this understanding needs to be updated and broadened to address the subject matters included in the scope of the prudential reporting assurance engagement, such as the controls in place to ensure compliance with all applicable prudential standards which are not otherwise considered as part of the annual financial statements audit.

AUASB standards ASA 315^[48] (as adapted), ASAE 3000, ASAE 3150 and ASAE 3450 provide examples of matters that may be considered, and procedures that may be performed, by the auditor in gaining this understanding. The auditor exercises professional judgement to determine the nature and extent of the understanding that is required.

When performing procedures to obtain an understanding of the entity and its environment, consideration of the following matters may be helpful:

• The size, business mix and complexity of the ADI or the ADI group it heads.
• Changes in the market environment.
• Whether the ADI is an Advanced or Standardised ADI.
• Whether the ADI is a foreign ADI.
• Governance and management functions within the ADI, including the respective roles and responsibilities attributed to the finance, risk management (including data risk management), compliance and internal audit functions.
• The risk culture.
• The reliability of reporting systems.
• The significance and complexity of the information technology environment and systems.
• The adequacy of systems and controls to identify, assess, manage, mitigate and monitor material risks.
• The compliance framework, processes and controls.
• History of non-compliance.
• Any (formal) communications between APRA and the ADI and/or the head of the ADI group, and the results of any supervisory visits conducted by APRA in relation to the engagement.
• Previous auditor’s reports, including the auditor’s report on the financial report, and related management letters.
• Recent reports prepared by other auditors appointed to report on any aspect of the ADI and/or the ADI group, including any reports issued in relation to the review of the RMF in accordance with CPS 220 requirements.
• The estimation and uncertainty inherent in applied measurement methodologies.
• Any bias inherent in adopted measurement methodologies.
• Work performed by the internal audit and compliance functions, and any reliance that may be placed on this work.
• Discussions with entity staff responsible for monitoring regulatory compliance, such as the ADI’s Chief Risk Officer and Compliance Officer.
• The auditor’s additional reporting responsibilities under the Banking Act.^[49]
• Changes since the last reporting period to:
  1. the requirements of relevant AUASB Standards; and
  2. applicable Prudential Requirements.

In identifying and assessing the risks of material misstatement, the auditor may need to consider the use of accounting estimates in the calculation of, for example, the ADI’s Prudential Capital Requirement (PCR)^[50], in accordance with the requirements and having regard to guidance provided in Auditing Standard ASA 540 Auditing Accounting Estimates and Related Disclosures. The nature, timing and extent of the risk assessment and further assurance procedures required by ASA 540 will vary in relation to the estimation uncertainty and the assessment of the related risks of material misstatement. ASA 540 may prove helpful in evaluating misstatements of accounting estimates and in identifying possible management bias. Whilst ASA 540 is primarily directed at the audit of accounting estimates, the auditor uses professional judgement in considering the applicability of ASA 540 to non-accounting estimates, such as non-financial data included in ADI Reporting Forms which may be subject to limited assurance.

Internal Controls and Compliance Framework

The auditor obtains an understanding of the entity’s internal controls, the system within which the controls operate and the control components within the system, that are relevant to the assurance engagement, having regard to the requirements and guidance provided in ASAE 3150.^[51]

The auditor obtains an understanding of the entity’s compliance framework, key elements of the framework, and compliance requirements that are relevant to the assurance engagement. AUASB Standard on Assurance Engagements ASAE 3100 Compliance Engagements includes information that the auditor may find useful in this regard.

Prudential Requirements generally require ADIs to have in place internal controls corresponding to their size and complexity, aimed at ensuring that:

1. risks are managed within prudent limits set by senior management and those charged with governance;
2. information provided to management and those charged with governance is adequate and timely; and
3. the ADI complies with applicable prudential and statutory requirements.

In addition to the general planning considerations, the auditor takes into consideration the following factors when planning the limited assurance engagement of the internal controls relevant to the assurance engagement:

• The size, business mix and complexity of the ADI and/or the ADI group, and specifically whether or not an ADI is an Advanced ADI^[52], as this will influence the degree of complexity impacting the control environment, compliance framework and control policies and processes.
• The overall compliance framework adopted to ensure compliance with all applicable Prudential Requirements, including controls, policies and processes, and consideration of whether or not these are appropriate given the size, business mix and complexity of the ADI and/or ADI group.
• The sufficiency and appropriateness of the ADI’s and/or ADI group’s Risk Management Systems descriptions and similar policy documents issued in accordance with specific Prudential Standards, and consideration of whether these are up to date and in sufficient detail to facilitate compliance with the relevant Prudential Standards.
• Matters relating to the ADI’s and/or the ADI group’s organisational structure and operating characteristics, and recent significant changes thereof, which could impact on relevant internal controls.
• Knowledge of internal controls obtained during other assurance engagements conducted in relation to the ADI and/or ADI group.
• The method adopted, and the process used, by the ADI and/or ADI group to develop risk information to be disclosed in ADI Reporting Forms.
• Previously communicated instances of material non-compliance with Prudential Requirements and/or material deficiencies and/or deviations in internal controls designed to ensure compliance with all applicable Prudential Requirements and the provision of reliable data to APRA in Reporting Forms, that have not been resolved.

The above is not meant to represent an exhaustive list and there may be other factors relevant to the specific circumstances of an ADI and/or ADI group.

In accordance with the requirements of the relevant AUASB Standards, the auditor designs and performs assurance procedures, the nature, timing and extent of which are responsive to the assessed risks of material misstatement, material deficiencies or deviations in controls or instances of material non-compliance, having regard to the level of assurance required, reasonable or limited, as appropriate. Determining the exact nature, timing and extent of procedures is a matter of professional judgment and will vary from one engagement to the next.

The table in Appendix 1 of this Guidance Statement provides an outline of the subject matter and criteria relevant to each part of the assurance engagement, as well as applicable AUASB Standards.

The level of assurance required to be provided by the auditor for Parts A and B of the engagement, is determined by the source of the data included in each Specified ADI Reporting Form. A reasonable level of assurance is required for data sourced from “accounting records”. A limited level of assurance is required for all other data. The definition of “accounting records”^[53] therefore needs to be applied with care. Paragraphs 148-156 below, provide guidance on the application of this definition.

The appointed auditor identifies the most recent year-end ADI Reporting Forms submitted to APRA. Further guidance is provided in paragraphs 157-161 below.

The appointed auditor is to note that, in relation to ADI Reporting Forms prepared under the FSCODA, there are additional Reporting Forms, beyond the Specific Reporting Forms listed in Attachment A to APS 310 (which is the subject matter for Parts A and B). These additional Reporting Forms are to be included in the scope of Part C of the assurance engagement, together with the Reporting Forms identified in Attachment A to APS 310.

The appointed auditor identifies, and obtains an understanding of, all the Prudential Requirements^[54] applicable to the specific ADI (including any additional guidance provided by APRA to the ADI), with particular attention to changes in these requirements during the reporting period. The auditor makes enquiries with respect to any requirements that are imposed in writing by APRA on a bilateral APRA-ADI basis, or in relation to conditions on the ADI’s authorisation, as these requirements may vary from one ADI to another.

Compliance with Prudential Requirements is broader than compliance with only the quantitative limits in APRA Prudential Standards (for example, capital requirements). The appointed auditor is required to provide assurance in relation to compliance with all relevant/applicable Prudential Requirements under the Banking Act and the FSCODA, including compliance with APRA Prudential and Reporting Standards.

The scope of the prudential assurance engagement therefore includes compliance with APRA Prudential Standards dealing with, for example, governance (CPS 510), risk management (CPS 220), public disclosure (APS 330), the Financial Claims Scheme (APS 910), and the APS 310/3PS 310 requirements relating to the appointment of the auditor and the use of group auditors.

In relation to an ADI’s responsibility to keep the appointed auditor informed of all APRA Prudential Requirements applicable to the ADI, the appointed auditor obtains written representations from those responsible.^[55]

Data collected in ADI Reporting Forms are primarily used by APRA for the purpose of prudential regulation and supervision of individual ADIs. The data may also be used by the RBA for the overall supervision of the stability of the financial system and for setting monetary policy, and by APRA, the ABS and the RBA to construct a range of important statistics. The auditor refers to ADI Reporting Forms and Instructions, and associated Prudential and Reporting Standards, for information regarding the nature and purpose of each individual ADI Reporting Form.

Data collected under the EFS Reporting Standards are primarily used by the ABS and RBA for analysis, publication and policy-making purposes. EFS data is used by the ABS to compile and publish key macroeconomic indicators, including Australia’s National Accounts and leading indicators of lending activity, which are used to monitor Australia’s growth. The RBA uses EFS data to construct and publish Australia’s monetary and credit aggregates, and for analytical and policy purposes. Data published by the ABS and RBA are also used by other policy makers and the wider public for research, analysis and policy making.^[56] Information collected under the EFS Reporting Standards may be used by APRA for prudential and publication purposes.

Requirements for auditors of ADIs to provide assurance reports on prudential matters to APRA are intended to assist APRA, and the Agencies, in assessing the reliability of information supplied to it by an ADI.

Auditors need to be aware that APRA has the power under subsection 56(5) of the Australian Prudential Regulation Authority Act 1998 to make “protected information” (which may include auditors’ reports or information extracted from such reports) available to another financial sector supervisory agency (for example, the RBA and Treasury), or any other specified agency (including foreign agencies), when APRA is satisfied such information will assist those agencies in performing its functions or exercising its powers.

The concept of reliability is to be viewed in the context of the reliability of the data for the intended use by the identified users.

Under the Australian Accounting Standards Board’s (AASB’s) Glossary of Defined Terms, information has the quality of reliability when it is free from material error and bias and can be depended upon by users to represent faithfully, and without material error and bias, the transactions or events that either it purports to represent or could reasonably be expected to represent.

In applying this concept of reliability to the prudential reporting engagement, information in ADI Reporting Forms is not to lead users to conclusions that serve the particular needs of an ADI. Furthermore, such information needs to be capable of reliable measurement.

APRA Prudential and Reporting Standards provide the frame of reference (benchmarks) for reasonably consistent evaluation or measurement, within the context of the auditor’s professional judgement, of the reliability of the information included in ADI Reporting Forms.

The appointed auditor identifies and obtains an understanding of the applicable Prudential Requirements that govern the preparation of data within ADI Reporting Forms, with particular attention to changes in these requirements during the reporting period under review. In addition to the Prudential and Reporting Standards issued by APRA, other Prudential Requirements, including the specific Reporting Form Instruction Guides, will also have an impact on the provision of reliable data to APRA under the FSCODA and, therefore, the appointed auditor has regard to all relevant Prudential Requirements when planning and conducting the engagement.

It is important that the appointed auditor obtains an understanding of how APRA Prudential and Reporting Standards differ from the financial reporting framework^[57] which are used to record data in the ADI’s accounting records.

APRA’s Prudential Practice Guide CPG 235 Managing Data Risk (CPG 235) may aid in the auditor’s understanding of the concept of reliability in the context of the assurance engagement. CPG 235 provides guidance to APRA regulated entities on managing data risk, including assessing data quality by reference to its fitness for use, that is, the degree to which data is relevant, appropriate for its intended purpose and meets business specifications.

Other determinants of data quality identified in CPG 235 include:

1. accuracy – the degree to which data is error free and aligns with what it represents;
2. completeness – the extent to which data is not missing and is of sufficient breadth and depth for the intended purpose;
3. consistency – the degree to which related data is in alignment with respect to dimensions such as definition, value, range, type and format, as applicable;
4. timelines – the degree to which data is up-to-date; and
5. availability - accessibility and usability of data when required.

EFS Collection

APRA’s Reporting Practice Guide RPG 702.0 ABS/RBA Data Quality for the EFS Collection (RPG 702.0) provides guidance to assist ADIs and RFCs required to submit EFS data to APRA, to meet the Agencies’ data quality requirements in relation to EFS Reporting Standards.

RPG 702.0 is to be read in conjunction with:

1. the EFS collection, including Reporting Standard ARS 701.0 ABS/RBA Definitions for the EFS Collection and Reporting Practice Guide RPG 701.0 ABS/RBA Reporting Concepts for the EFS Collection, which contains definitions of, and guidance on, the data to be reported to APRA and the Agencies; and
2. Prudential Practice Guide CPG 235.

RPG 702.0 outlines how the Agencies, as primary users, intend to use data collected under the EFS Reporting Standards. It informs EFS reporting entities of the significance of specific EFS data items for use by the Agencies and is designed to assist entities in meeting EFS quality control requirements by adapting data risk management practices outlined in CPG 235 for the EFS collection.

Although the Agencies expect all data collected by APRA on their behalf to be accurate, reporting entities are expected to use the data priority ranking^[58] included in RPG 702.0 as an indicator of the relative importance of the accuracy of these data items and, therefore, where to focus data quality management practices.

The tables in Attachment A to RPG 702.0 includes qualitative benchmarks to indicate the size of misreported data items that may impact the use of the data by the Agencies and thus would be considered a “reporting error” that needs to be notified to APRA. These benchmarks vary according to entity size^[59], type of data item^[60] and prioritisation of data^[61].

Benchmarks for entities defined as “large institutions” in RPG 702.0 recognise that reporting errors by a single large entity are more likely to impact industry aggregates due to their size, while benchmarks for the entities that are not large are aimed at identify reporting errors that could affect the industry aggregate results if occurring across several entities simultaneously.

RPG 702.0 includes specific guidance in relation to the:

1. application of judgement in identifying reportable errors for “standard” priority data items (that is, data items that is not of a “high” or “very high” priority);
2. application of benchmarks where data items is at, or very close to, zero;
3. application of benchmarks to volatile “flow” data items; and
4. the use of proxy methodologies for selected data items^[62].

The Agencies and APRA recognise that not all practices outlined in the guide will be relevant for every EFS reporting entity and that some aspects may vary depending upon the size, complexity and systems configuration of the EFS reporting entity.

The auditor considers materiality, in accordance with the requirements of AUASB Standards applicable to each section of the assurance engagement, when planning and performing the engagement. During the engagement the auditor re-assesses materiality if matters come to their attention that indicate that the basis on which materiality was assessed has changed.

For assurance purposes, materiality is determined in order to establish:

1. a tolerable level of misstatement in relation to financial and non-financial information included in ADI Reporting Forms, deficiencies or deviations in controls, or non-compliance with applicable Prudential Requirements;
2. the scope of assurance work to be performed; and
3. a reasonable basis for evaluating identified misstatements, deficiencies, deviations, or non-compliance.

In determining materiality levels, the auditor exercises professional judgement to understand and assess the factors that might influence the decisions of APRA and other intended users.^[63] Judgements about materiality are affected by quantitative and qualitative factors as well as consideration of the potential of misstatements, control deficiencies or deviations, or non-compliance that are individually immaterial but in the aggregate may adversely affect decisions made by those users. Where particular categories of data or compliance matters may have a greater impact on the decisions of users, materiality may need to be set at a lower level for those amounts or matters.

ASAE 3000 explains that, although there is a greater risk that misstatements, control deficiencies or deviations, or non-compliance may not be detected in a limited assurance engagement than a reasonable assurance engagement, the judgement as to what is material is made by reference to surrounding circumstances, the subject matter on which the auditor is reporting, and the needs of those relying on that information, as opposed to the level of assurance obtained. That is, for the same intended users and purpose, materiality for a reasonable and limited assurance engagement will be the same. In setting materiality levels, regardless of the subject matter or level of assurance, it is the auditor’s objective to reduce risk to an acceptable level in the circumstances of the assurance engagement.

Since the concept of materiality applies differently in the context of an engagement to provide assurance on information included in Reporting Forms, an engagement to provide assurance on internal controls, and for the purpose of reporting on compliance, it is considered separately below for each section of the engagement.

Reasonable and/or Limited Assurance on Specified^[64] ADI Reporting Forms (Parts A and B)

A misstatement in a Specified ADI Reporting Form, either individually or in aggregate with other misstatements, is considered material if the appointed auditor believes the intended users may be influenced by the misstatement of the information.

For the purpose of providing assurance on Specified ADI Reporting Forms, the auditor considers materiality, as appropriate, in accordance with the principles and guidance provided in AUASB standards:

1. ASA 320^[65], ASA 805 and ASRE 2405, as applicable, where the subject matter is historical financial information;
2. ASAE 3000, where the subject matter is information other than historical financial information; and
3. ASAE 3450, where the subject matter is prospective financial information.^[66]

In the absence of specific requirements issued by APRA, the Australian Accounting Standards Board’s Practice Statement 2 Making Materiality Judgements may provide a useful frame of reference to the auditor in determining materiality for the engagement.

ASA 320 and AASB Practice Statement 2 deal with materiality in the context of the financial statements taken as a whole and may be useful in setting materiality levels for relevant “Statement of Financial Performance” and “Statement of Financial Position” ADI Reporting Forms. As Australian Auditing Standards are written in the context of an audit of a financial report, they are to be adapted as necessary in the circumstances when applied to single financial statements or specific elements of a financial statement. Materiality determined for a single financial statement or for a specific element of a financial statement may be lower than the materiality determined for the financial report, which will impact the nature, timing and extent of assurance procedures and the evaluation of uncorrected misstatements.^[67]

For the purpose of reporting on the reliability of information included in Specified ADI Reporting Forms, the appointed auditor considers and applies materiality at the level of individual Reporting Forms^[68] or, if the auditor deems it to be more appropriate, the auditor may choose to set a specific materiality at the level of individual data items or categories of data included in Reporting Forms.

In applying the relevant AUASB Standards to individual ADI Reporting Forms, or data line items in Reporting Forms, the auditor has regard to the nature, purpose and use of the information included in each Reporting Form. The auditor refers to Reporting Forms and Instructions, and associated Prudential and Reporting Standards, for information regarding the nature and purpose of each individual ADI Reporting Form.

Materiality is to be addressed in the context of the entity’s objectives relevant to the ADI Reporting Form and Reporting Standard being examined and whether internal controls will reduce to an acceptable level the risks that threaten achievement of those objectives.^[69]

Where a Reporting Form includes historical and prospective financial information, as well as non-financial information,^[70] the auditor considers adopting a combination of methods and setting multiple materiality levels based on the information included in the Reporting Form. For example:

1. For historical financial information extracted from audited^[71] financial information, the auditor may:
   1. determine that the materiality levels used in the audit are acceptable/suitable for the purposes of the Reporting Form; or
   2. establish new materiality levels in accordance with the principles espoused in ASA 320 or ASRE 2405 and other relevant guidance, as applicable to the subject matter information and based on the amounts reported in the Reporting Form.
2. For non-financial information, materiality may be set with reference to the principles and guidance provided in ASAE 3000.
3. For prospective financial information, materiality may be set with reference to the principles and guidance provided in ASAE 3450.

In setting these differing materiality levels, the auditor takes into consideration qualitative and quantitative factors and the risk of issuing an inappropriate conclusion.

The appointed auditor’s preliminary assessment of materiality is based largely on quantitative factors. A percentage is often applied to a chosen benchmark as a starting point in determining materiality. The base and percentage may vary depending on the ADI Reporting Form in question and the nature of information included in each Reporting Form.

Matters likely to adversely affect the interests of depositors in ADIs are generally related to solvency and going concern assumptions. In the context of APRA’s prudential reporting requirements, the ADI’s “Prudential Capital Requirement” (PCR), as prescribed in Prudential Standard APS 110 Capital Adequacy, is an important consideration with respect to materiality. A key concern with any misstatement within a Reporting Form is therefore its potential impact on the ADIs capital base and capital adequacy ratio, that are determined in accordance with APRA’s Prudential Standards. This is taken into consideration by the appointed auditor when evaluating whether a misstatement in a Reporting Form, especially within the Capital Adequacy Reporting Forms, is material.

APRA has advised that a materiality threshold based on a 25 basis point impact on the Capital Adequacy Ratio may be applied in aggregate by the appointed auditor as a reasonable basis for determining quantitative materiality for Capital Adequacy Reporting Forms. This threshold may be used as indicative guidance only, in conjunction with the considerations described within this Guidance Statement, which includes consideration of qualitative factors. The appointed auditor exercises professional judgement when applying the threshold in specific circumstances. For example, a lower level of materiality may be appropriate as the level of surplus capital reduces.

The auditor exercises professional judgement to consider whether an alternative base, such as profit, revenue or assets, may be more appropriate when considering whether a misstatement within other non-capital types of reporting forms such as, but not limited to, the Statement of Financial Performance, Statement of Financial Position, Provisions and Impaired Assets and the liquidity reporting forms^[72], is material.

When considering materiality, the auditor considers the obligations under Prudential Requirements for ADIs and auditors of ADIs to report errors in ADI Reporting Forms to APRA, the criteria for resubmission of data previously submitted to APRA, and reporting breaches to APRA. For example, RPG 702.0 indicates that misreported EFS data items above the prescribed quantitative data quality benchmarks in Attachment A to RPG 702.0 should be notified to APRA. However, RPG 702.0 states these errors would not trigger automatic resubmission, as the Agencies will determine the need for resubmission. The auditor exercises professional judgement in using this guidance in scoping assurance work to be performed.

The auditor is mindful that RPG 702.0 is primarily directed at reporting entities and designed to assist these entities in meeting EFS quality control requirements and to tailor data risk management practices as outlined in CPG 235.^[73]

Whilst APRA and the Agencies expect auditors to consider the RPG 702.0 guidance in determining materiality thresholds for a prudential reporting assurance engagement, APRA has confirmed that the RPG 702.0 benchmarks do not establish new materiality requirements for assurance purposes relating to the EFS data collection.^[74]

The auditor sets materiality levels for the EFS collection based on the risk assessment for each EFS Reporting Form performed by the auditor. The priority ranking of data points included in RPG 702.0 may be helpful for the auditor in determining where to focus effort.

RPG 702.0 benchmarks and considerations may be more relevant to Part C of the engagement in setting materiality levels for reporting on the design and operating effectiveness of internal controls addressing the reliability of data routinely reported to APRA in ADI Reporting Forms. Refer to Part C below.

Auditors retain ultimate discretion in setting materiality levels for the assurance engagement and determining the scope of assurance procedures to be conducted, taking into consideration the risk of issuing an inappropriate assurance report.

Limited Assurance Engagement on Design, Implementation and Operating Effectiveness of Internal Controls (Part C)

Material deficiencies in the design and implementation of controls and material deviations in the operating effectiveness of controls are those which could reasonably be expected to influence relevant decisions of the intended users.

ASAE 3150 sets out the requirements and provides guidance to the auditor in applying materiality in the context of an assurance engagement on controls.

In accordance with ASAE 3150, the auditor shall identify a control or combination of controls as material if it is fundamental to the achievement of a control objective relevant to the scope of the engagement, and whether the internal controls will reduce to an acceptably low level, based on auditor judgement, the risks that threaten achievement of those objectives.

In assessing materiality, the appointed auditor has regard to the measures the ADI has adopted to ensure:

1. reliable data is provided to APRA in all ADI Reporting Forms prepared under the FSCODA; and
2. compliance with all applicable Prudential Requirements.

For the purpose of reporting on controls addressing the reliability of EFS data included in ADI Reporting Forms, the auditor determines materiality levels taking into consideration the needs and expectations of the users of the EFS collection, as outlined in RPG 702.0. RPG 702.0 informs reporting entities of the Agencies’ expectation that data reported in EFS collection should be of high quality, including to be accurate, complete and timely. RPG 702.0 provides guidance to reporting entities to meet data quality control requirements that require them to have in place systems, processes and controls to assure the reliability of reported information in relation to the EFS Reporting Standards. RPG 702.0 guidance is supported by CPG 235 which sets out guidance on how entities can manage data risk, including assessing data quality by reference to fitness for use.

Although the auditor retains discretion in setting materiality levels, the auditor is expected to take into consideration RPG 702.0’s priority ranking of data items and data quality benchmarks as part of the assessment of whether a reporting entity’s internal controls are designed appropriately and operating effectively to meet the RPG 702.0 thresholds required by the Agencies.

ASAE 3150 requires the auditor to reassess the materiality of the controls if matters come to their attention during the engagement which indicate that the basis on which the materiality of those controls was determined has changed.

Reporting on Compliance with Prudential Requirements (Part D)

Under APS 310 and 3PS 310 the appointed auditor is required to provide limited assurance that the ADI and/or group has complied, in all material respects, with all relevant Prudential Requirements. This conclusion is to be based on the auditor’s reasonable and limited assurance engagements undertaken to provide assurance in relation to Specified ADI Reporting Forms (Parts A and B) and internal controls (Part C).

For the purpose of reporting on compliance with Prudential Requirements, the appointed auditor considers materiality when evaluating the significance of identified instances of non-compliance with relevant Prudential Requirements (see paragraphs 249-258 of this Guidance Statement).

An appointed auditor gives further consideration as to whether the auditor has, or will be able to obtain, adequate knowledge and the required skills to undertake the engagement.

APS 310 and 3PS 310 prohibit an appointed auditor from placing sole reliance on the work performed by APRA, for example, as part of the initial accreditation process to be registered as an Advanced ADI. APRA expects appointed auditors to exercise their professional judgement and reach their own independent conclusions.

The nature and complexity of the ADI increases the likelihood that the appointed auditor may need to involve experts in the engagement. For example, obtaining an understanding of the process and assumptions used by an Advanced ADI to develop risk information, may require technical knowledge of risk measurement methodologies, which can be complex.

When planning to use the work of an auditor’s expert as evidence, the appointed auditor has regard to the requirements and guidance provided in, as appropriate, AUASB standards ASA 620^[75], ASAE 3000, ASAE 3150 and ASAE 3450.

Where an ADI has engaged or employed experts, for example where actuaries are used to determine amounts for inclusion in ADI Reporting Forms, which is derived using specialised techniques, the auditor applies, as appropriate, Auditing Standard ASA 500 Audit Evidence. ASA 500 sets out mandatory requirements and provides application and explanatory material on using the work of a management’s expert as audit evidence. The auditor may also find it helpful to refer to AUASB Guidance Statement GS 005 Evaluating the Appropriateness of a Management’s Expert’s Work.

Where the auditor appointed under APS 310/3PS 310 plans to use the work of another independent auditor, the appointed auditor:

1. for the reasonable assurance engagement in relation to historical financial information, complies with the requirements of Auditing Standard ASA 600 Special Considerations – Audits of a Group Financial Report, adapted as necessary; and
2. for other assurance, complies with the requirements of ASAE 3000. The principles espoused in ASA 600 may also provide helpful guidance.

CPS 510 requires all ADIs (including a foreign ADI in relation to its Australian business) and authorised NOHCs, to have in place an independent and adequately resourced internal audit function.^[76] APS 310 and 3PS 310 require an ADI and/or the head of an ADI group to ensure that the scope of internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with Prudential Requirements. CPS 510 requires that the objectives of the internal audit function include an evaluation of the adequacy and effectiveness of the financial and risk management framework of the ADI. CPS 220 includes further information on APRA’s requirements for the periodic review of the risk management framework by internal audit.

APRA expects the appointed auditor to consider the extent to which the work of the internal audit function is likely to be relevant in the context of the APS 310/3PS 310 assurance engagement.

Having regard to the requirements and guidance provided in AUASB standards ASA 610 Using the Work of Internal Auditors, ASAE 3000 and ASAE 3150, as relevant, the appointed auditor obtains an understanding of the activities and main findings of the internal audit function and perform a preliminary assessment, which may include, assessment of:

1. its impact on the system and the components of control within that system, including the control environment, risk assessment, information and communication, monitoring activities and control activities in relation to the system; and
2. its effect on the nature, timing or extent of the auditor’s assurance procedures.

The use of internal auditors to provide direct assistance is prohibited in assurance engagements undertaken in accordance with AUASB Standards. Direct assistance is the performance of assurance procedures under the direction, supervision and review of the independent external auditor. An effective internal audit function may enable the auditor to modify the nature and/or timing, and/or reduce the extent of assurance procedures performed but cannot eliminate them entirely.

Where the appointed auditor plans to use the work of the internal audit function, the auditor evaluates the adequacy of this work for the auditor’s purposes in accordance with the relevant AUASB standards. The appointed auditor remains responsible for obtaining sufficient appropriate evidence to support the auditor’s assurance engagement conclusions.