Matters to Consider in Planning the Annual Prudential Reporting Engagement
68
The auditor plans the engagement in accordance with the requirements of, and has regard to, guidance provided in AUASB standards ASA 805, ASA 300[47] (as adapted), ASAE 3000, ASAE 3150, ASAE 3450 and ASRE 2405, as applicable. The auditor performs preliminary engagement activities to establish and document the overall assurance engagement strategy that sets the scope, timing and direction of the engagement, and guides the development of the engagement.
69
The appointed auditor obtains an understanding of the entity and its environment, including its internal control and compliance framework, and other assurance engagement circumstances, sufficient to:
- identify and assess the risks of:
- material misstatements in subject matter information;
- material deficiencies or deviations in internal controls (in relation to the area of activity to be examined); and
- non-compliance with applicable Prudential Requirements; and
- design and perform further evidence-gathering procedures.
Understanding the Entity and its Environment
70
In gaining an understanding of the entity and its environment, the appointed auditor can draw on knowledge gained as part of the annual financial statement audit conducted under the Corporations Act. However, this understanding needs to be updated and broadened to address the subject matters included in the scope of the prudential reporting assurance engagement, such as the controls in place to ensure compliance with all applicable prudential standards which are not otherwise considered as part of the annual financial statements audit.
71
AUASB standards ASA 315[48] (as adapted), ASAE 3000, ASAE 3150 and ASAE 3450 provide examples of matters that may be considered, and procedures that may be performed, by the auditor in gaining this understanding. The auditor exercises professional judgement to determine the nature and extent of the understanding that is required.
72
When performing procedures to obtain an understanding of the entity and its environment, consideration of the following matters may be helpful:
- The size, business mix and complexity of the ADI or the ADI group it heads.
- Changes in the market environment.
- Whether the ADI is an Advanced or Standardised ADI.
- Whether the ADI is a foreign ADI.
- Governance and management functions within the ADI, including the respective roles and responsibilities attributed to the finance, risk management (including data risk management), compliance and internal audit functions.
- The risk culture.
- The reliability of reporting systems.
- The significance and complexity of the information technology environment and systems.
- The adequacy of systems and controls to identify, assess, manage, mitigate and monitor material risks.
- The compliance framework, processes and controls.
- History of non-compliance.
- Any (formal) communications between APRA and the ADI and/or the head of the ADI group, and the results of any supervisory visits conducted by APRA in relation to the engagement.
- Previous auditor’s reports, including the auditor’s report on the financial report, and related management letters.
- Recent reports prepared by other auditors appointed to report on any aspect of the ADI and/or the ADI group, including any reports issued in relation to the review of the RMF in accordance with CPS 220 requirements.
- The estimation and uncertainty inherent in applied measurement methodologies.
- Any bias inherent in adopted measurement methodologies.
- Work performed by the internal audit and compliance functions, and any reliance that may be placed on this work.
- Discussions with entity staff responsible for monitoring regulatory compliance, such as the ADI’s Chief Risk Officer and Compliance Officer.
- The auditor’s additional reporting responsibilities under the Banking Act.[49]
- Changes since the last reporting period to:
- the requirements of relevant AUASB Standards; and
- applicable Prudential Requirements.
73
In identifying and assessing the risks of material misstatement, the auditor may need to consider the use of accounting estimates in the calculation of, for example, the ADI’s Prudential Capital Requirement (PCR)[50], in accordance with the requirements and having regard to guidance provided in Auditing Standard ASA 540 Auditing Accounting Estimates and Related Disclosures. The nature, timing and extent of the risk assessment and further assurance procedures required by ASA 540 will vary in relation to the estimation uncertainty and the assessment of the related risks of material misstatement. ASA 540 may prove helpful in evaluating misstatements of accounting estimates and in identifying possible management bias. Whilst ASA 540 is primarily directed at the audit of accounting estimates, the auditor uses professional judgement in considering the applicability of ASA 540 to non-accounting estimates, such as non-financial data included in ADI Reporting Forms which may be subject to limited assurance.
Internal Controls and Compliance Framework
74
The auditor obtains an understanding of the entity’s internal controls, the system within which the controls operate and the control components within the system, that are relevant to the assurance engagement, having regard to the requirements and guidance provided in ASAE 3150.[51]
75
The auditor obtains an understanding of the entity’s compliance framework, key elements of the framework, and compliance requirements that are relevant to the assurance engagement. AUASB Standard on Assurance Engagements ASAE 3100 Compliance Engagements includes information that the auditor may find useful in this regard.
76
Prudential Requirements generally require ADIs to have in place internal controls corresponding to their size and complexity, aimed at ensuring that:
- risks are managed within prudent limits set by senior management and those charged with governance;
- information provided to management and those charged with governance is adequate and timely; and
- the ADI complies with applicable prudential and statutory requirements.
77
In addition to the general planning considerations, the auditor takes into consideration the following factors when planning the limited assurance engagement of the internal controls relevant to the assurance engagement:
- The size, business mix and complexity of the ADI and/or the ADI group, and specifically whether or not an ADI is an Advanced ADI[52], as this will influence the degree of complexity impacting the control environment, compliance framework and control policies and processes.
- The overall compliance framework adopted to ensure compliance with all applicable Prudential Requirements, including controls, policies and processes, and consideration of whether or not these are appropriate given the size, business mix and complexity of the ADI and/or ADI group.
- The sufficiency and appropriateness of the ADI’s and/or ADI group’s Risk Management Systems descriptions and similar policy documents issued in accordance with specific Prudential Standards, and consideration of whether these are up to date and in sufficient detail to facilitate compliance with the relevant Prudential Standards.
- Matters relating to the ADI’s and/or the ADI group’s organisational structure and operating characteristics, and recent significant changes thereof, which could impact on relevant internal controls.
- Knowledge of internal controls obtained during other assurance engagements conducted in relation to the ADI and/or ADI group.
- The method adopted, and the process used, by the ADI and/or ADI group to develop risk information to be disclosed in ADI Reporting Forms.
- Previously communicated instances of material non-compliance with Prudential Requirements and/or material deficiencies and/or deviations in internal controls designed to ensure compliance with all applicable Prudential Requirements and the provision of reliable data to APRA in Reporting Forms, that have not been resolved.
The above is not meant to represent an exhaustive list and there may be other factors relevant to the specific circumstances of an ADI and/or ADI group.
Overall Responses to Assessed Risks of Material Misstatements, Control Deficiencies and Deviations, and Non-Compliance
78
In accordance with the requirements of the relevant AUASB Standards, the auditor designs and performs assurance procedures, the nature, timing and extent of which are responsive to the assessed risks of material misstatement, material deficiencies or deviations in controls or instances of material non-compliance, having regard to the level of assurance required, reasonable or limited, as appropriate. Determining the exact nature, timing and extent of procedures is a matter of professional judgment and will vary from one engagement to the next.
Characteristics of Subject Matter and Identified Evaluation Criteria
79
The table in Appendix 1 of this Guidance Statement provides an outline of the subject matter and criteria relevant to each part of the assurance engagement, as well as applicable AUASB Standards.
80
The level of assurance required to be provided by the auditor for Parts A and B of the engagement, is determined by the source of the data included in each Specified ADI Reporting Form. A reasonable level of assurance is required for data sourced from “accounting records”. A limited level of assurance is required for all other data. The definition of “accounting records”[53] therefore needs to be applied with care. Paragraphs 148-156 below, provide guidance on the application of this definition.
81
The appointed auditor identifies the most recent year-end ADI Reporting Forms submitted to APRA. Further guidance is provided in paragraphs 157-161 below.
82
The appointed auditor is to note that, in relation to ADI Reporting Forms prepared under the FSCODA, there are additional Reporting Forms, beyond the Specific Reporting Forms listed in Attachment A to APS 310 (which is the subject matter for Parts A and B). These additional Reporting Forms are to be included in the scope of Part C of the assurance engagement, together with the Reporting Forms identified in Attachment A to APS 310.
83
The appointed auditor identifies, and obtains an understanding of, all the Prudential Requirements[54] applicable to the specific ADI (including any additional guidance provided by APRA to the ADI), with particular attention to changes in these requirements during the reporting period. The auditor makes enquiries with respect to any requirements that are imposed in writing by APRA on a bilateral APRA-ADI basis, or in relation to conditions on the ADI’s authorisation, as these requirements may vary from one ADI to another.
84
Compliance with Prudential Requirements is broader than compliance with only the quantitative limits in APRA Prudential Standards (for example, capital requirements). The appointed auditor is required to provide assurance in relation to compliance with all relevant/applicable Prudential Requirements under the Banking Act and the FSCODA, including compliance with APRA Prudential and Reporting Standards.
The scope of the prudential assurance engagement therefore includes compliance with APRA Prudential Standards dealing with, for example, governance (CPS 510), risk management (CPS 220), public disclosure (APS 330), the Financial Claims Scheme (APS 910), and the APS 310/3PS 310 requirements relating to the appointment of the auditor and the use of group auditors.
85
In relation to an ADI’s responsibility to keep the appointed auditor informed of all APRA Prudential Requirements applicable to the ADI, the appointed auditor obtains written representations from those responsible.[55]
Identified Users and Intended Use of Appointed Auditor’s Assurance Report
86
Data collected in ADI Reporting Forms are primarily used by APRA for the purpose of prudential regulation and supervision of individual ADIs. The data may also be used by the RBA for the overall supervision of the stability of the financial system and for setting monetary policy, and by APRA, the ABS and the RBA to construct a range of important statistics. The auditor refers to ADI Reporting Forms and Instructions, and associated Prudential and Reporting Standards, for information regarding the nature and purpose of each individual ADI Reporting Form.
87
Data collected under the EFS Reporting Standards are primarily used by the ABS and RBA for analysis, publication and policy-making purposes. EFS data is used by the ABS to compile and publish key macroeconomic indicators, including Australia’s National Accounts and leading indicators of lending activity, which are used to monitor Australia’s growth. The RBA uses EFS data to construct and publish Australia’s monetary and credit aggregates, and for analytical and policy purposes. Data published by the ABS and RBA are also used by other policy makers and the wider public for research, analysis and policy making.[56] Information collected under the EFS Reporting Standards may be used by APRA for prudential and publication purposes.
88
Requirements for auditors of ADIs to provide assurance reports on prudential matters to APRA are intended to assist APRA, and the Agencies, in assessing the reliability of information supplied to it by an ADI.
89
Auditors need to be aware that APRA has the power under subsection 56(5) of the Australian Prudential Regulation Authority Act 1998 to make “protected information” (which may include auditors’ reports or information extracted from such reports) available to another financial sector supervisory agency (for example, the RBA and Treasury), or any other specified agency (including foreign agencies), when APRA is satisfied such information will assist those agencies in performing its functions or exercising its powers.
Reliability of Information and Data Quality
90
The concept of reliability is to be viewed in the context of the reliability of the data for the intended use by the identified users.
91
Under the Australian Accounting Standards Board’s (AASB’s) Glossary of Defined Terms, information has the quality of reliability when it is free from material error and bias and can be depended upon by users to represent faithfully, and without material error and bias, the transactions or events that either it purports to represent or could reasonably be expected to represent.
92
In applying this concept of reliability to the prudential reporting engagement, information in ADI Reporting Forms is not to lead users to conclusions that serve the particular needs of an ADI. Furthermore, such information needs to be capable of reliable measurement.
93
APRA Prudential and Reporting Standards provide the frame of reference (benchmarks) for reasonably consistent evaluation or measurement, within the context of the auditor’s professional judgement, of the reliability of the information included in ADI Reporting Forms.
94
The appointed auditor identifies and obtains an understanding of the applicable Prudential Requirements that govern the preparation of data within ADI Reporting Forms, with particular attention to changes in these requirements during the reporting period under review. In addition to the Prudential and Reporting Standards issued by APRA, other Prudential Requirements, including the specific Reporting Form Instruction Guides, will also have an impact on the provision of reliable data to APRA under the FSCODA and, therefore, the appointed auditor has regard to all relevant Prudential Requirements when planning and conducting the engagement.
95
It is important that the appointed auditor obtains an understanding of how APRA Prudential and Reporting Standards differ from the financial reporting framework[57] which are used to record data in the ADI’s accounting records.
96
APRA’s Prudential Practice Guide CPG 235 Managing Data Risk (CPG 235) may aid in the auditor’s understanding of the concept of reliability in the context of the assurance engagement. CPG 235 provides guidance to APRA regulated entities on managing data risk, including assessing data quality by reference to its fitness for use, that is, the degree to which data is relevant, appropriate for its intended purpose and meets business specifications.
97
Other determinants of data quality identified in CPG 235 include:
- accuracy – the degree to which data is error free and aligns with what it represents;
- completeness – the extent to which data is not missing and is of sufficient breadth and depth for the intended purpose;
- consistency – the degree to which related data is in alignment with respect to dimensions such as definition, value, range, type and format, as applicable;
- timelines – the degree to which data is up-to-date; and
- availability - accessibility and usability of data when required.
EFS Collection
98
APRA’s Reporting Practice Guide RPG 702.0 ABS/RBA Data Quality for the EFS Collection (RPG 702.0) provides guidance to assist ADIs and RFCs required to submit EFS data to APRA, to meet the Agencies’ data quality requirements in relation to EFS Reporting Standards.
99
RPG 702.0 is to be read in conjunction with:
- the EFS collection, including Reporting Standard ARS 701.0 ABS/RBA Definitions for the EFS Collection and Reporting Practice Guide RPG 701.0 ABS/RBA Reporting Concepts for the EFS Collection, which contains definitions of, and guidance on, the data to be reported to APRA and the Agencies; and
- Prudential Practice Guide CPG 235.
100
RPG 702.0 outlines how the Agencies, as primary users, intend to use data collected under the EFS Reporting Standards. It informs EFS reporting entities of the significance of specific EFS data items for use by the Agencies and is designed to assist entities in meeting EFS quality control requirements by adapting data risk management practices outlined in CPG 235 for the EFS collection.
101
Although the Agencies expect all data collected by APRA on their behalf to be accurate, reporting entities are expected to use the data priority ranking[58] included in RPG 702.0 as an indicator of the relative importance of the accuracy of these data items and, therefore, where to focus data quality management practices.
102
The tables in Attachment A to RPG 702.0 includes qualitative benchmarks to indicate the size of misreported data items that may impact the use of the data by the Agencies and thus would be considered a “reporting error” that needs to be notified to APRA. These benchmarks vary according to entity size[59], type of data item[60] and prioritisation of data[61].
103
Benchmarks for entities defined as “large institutions” in RPG 702.0 recognise that reporting errors by a single large entity are more likely to impact industry aggregates due to their size, while benchmarks for the entities that are not large are aimed at identify reporting errors that could affect the industry aggregate results if occurring across several entities simultaneously.
104
RPG 702.0 includes specific guidance in relation to the:
- application of judgement in identifying reportable errors for “standard” priority data items (that is, data items that is not of a “high” or “very high” priority);
- application of benchmarks where data items is at, or very close to, zero;
- application of benchmarks to volatile “flow” data items; and
- the use of proxy methodologies for selected data items[62].
105
The Agencies and APRA recognise that not all practices outlined in the guide will be relevant for every EFS reporting entity and that some aspects may vary depending upon the size, complexity and systems configuration of the EFS reporting entity.
Materiality
106
The auditor considers materiality, in accordance with the requirements of AUASB Standards applicable to each section of the assurance engagement, when planning and performing the engagement. During the engagement the auditor re-assesses materiality if matters come to their attention that indicate that the basis on which materiality was assessed has changed.
107
For assurance purposes, materiality is determined in order to establish:
- a tolerable level of misstatement in relation to financial and non-financial information included in ADI Reporting Forms, deficiencies or deviations in controls, or non-compliance with applicable Prudential Requirements;
- the scope of assurance work to be performed; and
- a reasonable basis for evaluating identified misstatements, deficiencies, deviations, or non-compliance.
108
In determining materiality levels, the auditor exercises professional judgement to understand and assess the factors that might influence the decisions of APRA and other intended users.[63] Judgements about materiality are affected by quantitative and qualitative factors as well as consideration of the potential of misstatements, control deficiencies or deviations, or non-compliance that are individually immaterial but in the aggregate may adversely affect decisions made by those users. Where particular categories of data or compliance matters may have a greater impact on the decisions of users, materiality may need to be set at a lower level for those amounts or matters.
109
ASAE 3000 explains that, although there is a greater risk that misstatements, control deficiencies or deviations, or non-compliance may not be detected in a limited assurance engagement than a reasonable assurance engagement, the judgement as to what is material is made by reference to surrounding circumstances, the subject matter on which the auditor is reporting, and the needs of those relying on that information, as opposed to the level of assurance obtained. That is, for the same intended users and purpose, materiality for a reasonable and limited assurance engagement will be the same. In setting materiality levels, regardless of the subject matter or level of assurance, it is the auditor’s objective to reduce risk to an acceptable level in the circumstances of the assurance engagement.
110
Since the concept of materiality applies differently in the context of an engagement to provide assurance on information included in Reporting Forms, an engagement to provide assurance on internal controls, and for the purpose of reporting on compliance, it is considered separately below for each section of the engagement.
Reasonable and/or Limited Assurance on Specified[64] ADI Reporting Forms (Parts A and B)
111
A misstatement in a Specified ADI Reporting Form, either individually or in aggregate with other misstatements, is considered material if the appointed auditor believes the intended users may be influenced by the misstatement of the information.
112
For the purpose of providing assurance on Specified ADI Reporting Forms, the auditor considers materiality, as appropriate, in accordance with the principles and guidance provided in AUASB standards:
- ASA 320[65], ASA 805 and ASRE 2405, as applicable, where the subject matter is historical financial information;
- ASAE 3000, where the subject matter is information other than historical financial information; and
- ASAE 3450, where the subject matter is prospective financial information.[66]
In the absence of specific requirements issued by APRA, the Australian Accounting Standards Board’s Practice Statement 2 Making Materiality Judgements may provide a useful frame of reference to the auditor in determining materiality for the engagement.
113
ASA 320 and AASB Practice Statement 2 deal with materiality in the context of the financial statements taken as a whole and may be useful in setting materiality levels for relevant “Statement of Financial Performance” and “Statement of Financial Position” ADI Reporting Forms. As Australian Auditing Standards are written in the context of an audit of a financial report, they are to be adapted as necessary in the circumstances when applied to single financial statements or specific elements of a financial statement. Materiality determined for a single financial statement or for a specific element of a financial statement may be lower than the materiality determined for the financial report, which will impact the nature, timing and extent of assurance procedures and the evaluation of uncorrected misstatements.[67]
114
For the purpose of reporting on the reliability of information included in Specified ADI Reporting Forms, the appointed auditor considers and applies materiality at the level of individual Reporting Forms[68] or, if the auditor deems it to be more appropriate, the auditor may choose to set a specific materiality at the level of individual data items or categories of data included in Reporting Forms.
115
In applying the relevant AUASB Standards to individual ADI Reporting Forms, or data line items in Reporting Forms, the auditor has regard to the nature, purpose and use of the information included in each Reporting Form. The auditor refers to Reporting Forms and Instructions, and associated Prudential and Reporting Standards, for information regarding the nature and purpose of each individual ADI Reporting Form.
116
Materiality is to be addressed in the context of the entity’s objectives relevant to the ADI Reporting Form and Reporting Standard being examined and whether internal controls will reduce to an acceptable level the risks that threaten achievement of those objectives.[69]
117
Where a Reporting Form includes historical and prospective financial information, as well as non-financial information,[70] the auditor considers adopting a combination of methods and setting multiple materiality levels based on the information included in the Reporting Form. For example:
- For historical financial information extracted from audited[71] financial information, the auditor may:
- determine that the materiality levels used in the audit are acceptable/suitable for the purposes of the Reporting Form; or
- establish new materiality levels in accordance with the principles espoused in ASA 320 or ASRE 2405 and other relevant guidance, as applicable to the subject matter information and based on the amounts reported in the Reporting Form.
- For non-financial information, materiality may be set with reference to the principles and guidance provided in ASAE 3000.
- For prospective financial information, materiality may be set with reference to the principles and guidance provided in ASAE 3450.
In setting these differing materiality levels, the auditor takes into consideration qualitative and quantitative factors and the risk of issuing an inappropriate conclusion.
118
The appointed auditor’s preliminary assessment of materiality is based largely on quantitative factors. A percentage is often applied to a chosen benchmark as a starting point in determining materiality. The base and percentage may vary depending on the ADI Reporting Form in question and the nature of information included in each Reporting Form.
119
Matters likely to adversely affect the interests of depositors in ADIs are generally related to solvency and going concern assumptions. In the context of APRA’s prudential reporting requirements, the ADI’s “Prudential Capital Requirement” (PCR), as prescribed in Prudential Standard APS 110 Capital Adequacy, is an important consideration with respect to materiality. A key concern with any misstatement within a Reporting Form is therefore its potential impact on the ADIs capital base and capital adequacy ratio, that are determined in accordance with APRA’s Prudential Standards. This is taken into consideration by the appointed auditor when evaluating whether a misstatement in a Reporting Form, especially within the Capital Adequacy Reporting Forms, is material.
120
APRA has advised that a materiality threshold based on a 25 basis point impact on the Capital Adequacy Ratio may be applied in aggregate by the appointed auditor as a reasonable basis for determining quantitative materiality for Capital Adequacy Reporting Forms. This threshold may be used as indicative guidance only, in conjunction with the considerations described within this Guidance Statement, which includes consideration of qualitative factors. The appointed auditor exercises professional judgement when applying the threshold in specific circumstances. For example, a lower level of materiality may be appropriate as the level of surplus capital reduces.
121
The auditor exercises professional judgement to consider whether an alternative base, such as profit, revenue or assets, may be more appropriate when considering whether a misstatement within other non-capital types of reporting forms such as, but not limited to, the Statement of Financial Performance, Statement of Financial Position, Provisions and Impaired Assets and the liquidity reporting forms[72], is material.
122
When considering materiality, the auditor considers the obligations under Prudential Requirements for ADIs and auditors of ADIs to report errors in ADI Reporting Forms to APRA, the criteria for resubmission of data previously submitted to APRA, and reporting breaches to APRA. For example, RPG 702.0 indicates that misreported EFS data items above the prescribed quantitative data quality benchmarks in Attachment A to RPG 702.0 should be notified to APRA. However, RPG 702.0 states these errors would not trigger automatic resubmission, as the Agencies will determine the need for resubmission. The auditor exercises professional judgement in using this guidance in scoping assurance work to be performed.
123
The auditor is mindful that RPG 702.0 is primarily directed at reporting entities and designed to assist these entities in meeting EFS quality control requirements and to tailor data risk management practices as outlined in CPG 235.[73]
124
Whilst APRA and the Agencies expect auditors to consider the RPG 702.0 guidance in determining materiality thresholds for a prudential reporting assurance engagement, APRA has confirmed that the RPG 702.0 benchmarks do not establish new materiality requirements for assurance purposes relating to the EFS data collection.[74]
125
The auditor sets materiality levels for the EFS collection based on the risk assessment for each EFS Reporting Form performed by the auditor. The priority ranking of data points included in RPG 702.0 may be helpful for the auditor in determining where to focus effort.
126
RPG 702.0 benchmarks and considerations may be more relevant to Part C of the engagement in setting materiality levels for reporting on the design and operating effectiveness of internal controls addressing the reliability of data routinely reported to APRA in ADI Reporting Forms. Refer to Part C below.
127
Auditors retain ultimate discretion in setting materiality levels for the assurance engagement and determining the scope of assurance procedures to be conducted, taking into consideration the risk of issuing an inappropriate assurance report.
Limited Assurance Engagement on Design, Implementation and Operating Effectiveness of Internal Controls (Part C)
128
Material deficiencies in the design and implementation of controls and material deviations in the operating effectiveness of controls are those which could reasonably be expected to influence relevant decisions of the intended users.
129
ASAE 3150 sets out the requirements and provides guidance to the auditor in applying materiality in the context of an assurance engagement on controls.
130
In accordance with ASAE 3150, the auditor shall identify a control or combination of controls as material if it is fundamental to the achievement of a control objective relevant to the scope of the engagement, and whether the internal controls will reduce to an acceptably low level, based on auditor judgement, the risks that threaten achievement of those objectives.
131
In assessing materiality, the appointed auditor has regard to the measures the ADI has adopted to ensure:
- reliable data is provided to APRA in all ADI Reporting Forms prepared under the FSCODA; and
- compliance with all applicable Prudential Requirements.
132
For the purpose of reporting on controls addressing the reliability of EFS data included in ADI Reporting Forms, the auditor determines materiality levels taking into consideration the needs and expectations of the users of the EFS collection, as outlined in RPG 702.0. RPG 702.0 informs reporting entities of the Agencies’ expectation that data reported in EFS collection should be of high quality, including to be accurate, complete and timely. RPG 702.0 provides guidance to reporting entities to meet data quality control requirements that require them to have in place systems, processes and controls to assure the reliability of reported information in relation to the EFS Reporting Standards. RPG 702.0 guidance is supported by CPG 235 which sets out guidance on how entities can manage data risk, including assessing data quality by reference to fitness for use.
133
Although the auditor retains discretion in setting materiality levels, the auditor is expected to take into consideration RPG 702.0’s priority ranking of data items and data quality benchmarks as part of the assessment of whether a reporting entity’s internal controls are designed appropriately and operating effectively to meet the RPG 702.0 thresholds required by the Agencies.
134
ASAE 3150 requires the auditor to reassess the materiality of the controls if matters come to their attention during the engagement which indicate that the basis on which the materiality of those controls was determined has changed.
Reporting on Compliance with Prudential Requirements (Part D)
135
Under APS 310 and 3PS 310 the appointed auditor is required to provide limited assurance that the ADI and/or group has complied, in all material respects, with all relevant Prudential Requirements. This conclusion is to be based on the auditor’s reasonable and limited assurance engagements undertaken to provide assurance in relation to Specified ADI Reporting Forms (Parts A and B) and internal controls (Part C).
136
For the purpose of reporting on compliance with Prudential Requirements, the appointed auditor considers materiality when evaluating the significance of identified instances of non-compliance with relevant Prudential Requirements (see paragraphs 249-258 of this Guidance Statement).
Personnel and Expertise Requirements, Including the Nature and Extent of Experts’ Involvement
137
An appointed auditor gives further consideration as to whether the auditor has, or will be able to obtain, adequate knowledge and the required skills to undertake the engagement.
138
APS 310 and 3PS 310 prohibit an appointed auditor from placing sole reliance on the work performed by APRA, for example, as part of the initial accreditation process to be registered as an Advanced ADI. APRA expects appointed auditors to exercise their professional judgement and reach their own independent conclusions.
139
The nature and complexity of the ADI increases the likelihood that the appointed auditor may need to involve experts in the engagement. For example, obtaining an understanding of the process and assumptions used by an Advanced ADI to develop risk information, may require technical knowledge of risk measurement methodologies, which can be complex.
141
Where an ADI has engaged or employed experts, for example where actuaries are used to determine amounts for inclusion in ADI Reporting Forms, which is derived using specialised techniques, the auditor applies, as appropriate, Auditing Standard ASA 500 Audit Evidence. ASA 500 sets out mandatory requirements and provides application and explanatory material on using the work of a management’s expert as audit evidence. The auditor may also find it helpful to refer to AUASB Guidance Statement GS 005 Evaluating the Appropriateness of a Management’s Expert’s Work.
Work Performed by Another Auditor
142
Where the auditor appointed under APS 310/3PS 310 plans to use the work of another independent auditor, the appointed auditor:
- for the reasonable assurance engagement in relation to historical financial information, complies with the requirements of Auditing Standard ASA 600 Special Considerations – Audits of a Group Financial Report, adapted as necessary; and
- for other assurance, complies with the requirements of ASAE 3000. The principles espoused in ASA 600 may also provide helpful guidance.
Internal Audit
143
CPS 510 requires all ADIs (including a foreign ADI in relation to its Australian business) and authorised NOHCs, to have in place an independent and adequately resourced internal audit function.[76] APS 310 and 3PS 310 require an ADI and/or the head of an ADI group to ensure that the scope of internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with Prudential Requirements. CPS 510 requires that the objectives of the internal audit function include an evaluation of the adequacy and effectiveness of the financial and risk management framework of the ADI. CPS 220 includes further information on APRA’s requirements for the periodic review of the risk management framework by internal audit.
144
APRA expects the appointed auditor to consider the extent to which the work of the internal audit function is likely to be relevant in the context of the APS 310/3PS 310 assurance engagement.
145
Having regard to the requirements and guidance provided in AUASB standards ASA 610 Using the Work of Internal Auditors, ASAE 3000 and ASAE 3150, as relevant, the appointed auditor obtains an understanding of the activities and main findings of the internal audit function and perform a preliminary assessment, which may include, assessment of:
- its impact on the system and the components of control within that system, including the control environment, risk assessment, information and communication, monitoring activities and control activities in relation to the system; and
- its effect on the nature, timing or extent of the auditor’s assurance procedures.
146
The use of internal auditors to provide direct assistance is prohibited in assurance engagements undertaken in accordance with AUASB Standards. Direct assistance is the performance of assurance procedures under the direction, supervision and review of the independent external auditor. An effective internal audit function may enable the auditor to modify the nature and/or timing, and/or reduce the extent of assurance procedures performed but cannot eliminate them entirely.
147
Where the appointed auditor plans to use the work of the internal audit function, the auditor evaluates the adequacy of this work for the auditor’s purposes in accordance with the relevant AUASB standards. The appointed auditor remains responsible for obtaining sufficient appropriate evidence to support the auditor’s assurance engagement conclusions.
ASA 300 Planning an Audit of a Financial Report.
See paragraphs 19-27 of ASA 315 Identifying and Assessing the Risks of Material Misstatement, issued in February 2020. This standard is operative for financial reporting periods commencing on or after 15 December 2021, with early adoption permitted.
See paragraphs 302-307 of this Guidance Statement.
As prescribed in APRA Prudential Standard APS 110 Capital Adequacy.
In particular, paragraphs 37 and 38 of ASAE 3150.
The way in which internal control is designed and implemented varies with an ADI’s size and complexity. Specifically, smaller Standardised ADIs may use less formal means and simpler processes and procedures to achieve control objectives.
See paragraph 28(c) of this Guidance Statement.
See paragraph 28(q) of this Guidance Statement.
See paragraphs 264-266 of this Guidance Statement.
See APRA Reporting Practice Guide RPG 702.0 ABS/RBA Data Quality for the EFS Collection.
Under Australian Accounting Standards.
RPG 702.0 identifies three data priority categories: “standard”, “high” and “very high”.
Whether the entity is a “large institution” or not as defined in RPG 702.0.
Whether a data item is a “stock” or “flow” item as defined in RPG 702.0.
RPG 702.0 prioritises data into the following categories: “standard”, “high” and “very high”.
See APRA Reporting Practice Guide RPG 701.0 ABS/RBA Reporting Concepts for the EFS Collection.
See paragraphs 86-89 of this Guidance Statement.
For a listing of ADI Reporting Forms to be subjected to the reasonable and/or limited assurance engagement, refer to APS 310 Attachment A – Data Collections subject to reasonable and/or limited assurance. The requirements are different for Standardised, Advanced and Foreign ADIs.
ASA 320 Materiality in Planning and Performing an Audit.
For example, in relation to liquidity disclosures included in ADI Reporting Forms ARF 210.1A and 210.1B Liquidity Coverage Ratio.
See ASA 805.
Where a particular data item appears in multiple ADI Reporting Forms subject to different levels of materiality, the auditor ensures the work performed is appropriate and sufficient to meet the lowest level of materiality. For example, materiality may be set for a balance sheet-based reporting form. However, the appointed auditor may need to consider the potential impact of misstatements in the balance sheet on profit and loss based reporting forms, which by their nature may have lower materiality thresholds.
For example, the objective of the Capital Adequacy series of ADI Reporting Forms will be on protection of the interests of depositors in ADIs.
For example, as part of the EFS collection.
For example, the audit of a financial report under the Corporations Act.
For example, when determining a quantitative materiality threshold for the liquidity reporting forms (ARF 210.1A, ARF 210.1B and ARF 210.6), the auditor exercises professional judgement when determining an appropriate base for both the Liquidity Coverage Ratio and the Net Stable Funding Ratio, such as the surplus liquidity above the minimum regulatory thresholds.
That is, a reporting entity’s precision thresholds for reporting data to APRA. The auditor considers relevant guidance and commentary provided by APRA – refer to APRA’s website: https://www.apra.gov.au/economic-and-financial-statistics-frequently-asked-questions.
The benchmarks included for ADIs in RPG 702.0 may be more granular than the materiality levels required to be applied in undertaking the reasonable and limited assurance engagements required under APS 310 to report on data included in Specified ADI Reporting Forms at the financial year-end.
ASA 620 Using the Work of an Auditor’s Expert.
Under CPS 510, APRA may approve alternative arrangements where APRA is satisfied that it will achieve the same objectives.