Considerations – Assurance on Specified ADI Reporting Forms
Application of AUASB Definition of “Accounting Records”
APS 310/3PS 310 requires the appointed auditor to provide two different levels of assurance over the reliability of a specific set of ADI Reporting Forms at the ADI’s financial year-end. The level of assurance required to be provided by the appointed auditor is determined by the source of the data included in the Reporting Forms. Data sourced from “accounting records”, requires a reasonable level of assurance. All other data requires a limited level of assurance.
“Accounting records”, is defined in paragraph 28(c) of this Guidance Statement and, ordinarily, includes all the data used by an ADI to prepare its accounting books and records, and to report the results of its operations and its financial position in its financial report on an annual or half-yearly basis (that is, the underlying evidence in support of the financial report). The expectation is, generally, that such data would be subject to rigorous internal controls.
However, the initial books of entry may also comprise other data which is stored alongside accounting data. Such data may not be used for financial management and financial reporting, and may not be subject to rigorous controls, and therefore fall outside the scope of the reasonable assurance opinion.
Data in ADI Reporting Forms may be sourced from systems that are not used to produce financial report information and are not readily reconcilable to financial report information. The initial entries to these systems may be the same as for the accounting records, but both the level of control over the systems and the amount of manipulation/aggregation of the data within such systems may result in the output being significantly different from the accounting records and not readily reconcilable back to these records.
The appointed auditor makes an assessment of whether or not a data item has been sourced from accounting records, by exercising professional judgement and referring to the definition of accounting records. The auditor carefully considers the source and the use of the data, and whether it is appropriately controlled and, therefore, capable of being subjected to procedures for obtaining sufficient appropriate evidence to support a reasonable assurance conclusion.
For Advanced ADIs, where the ADI’s risk management systems provide internal estimates for some or all of the risk components in determining capital, the capital reporting forms will include data items sourced from non-accounting records. Examples include measures for “probability of default” and “loss given default”.
Certain data items may have been sourced from a combination of both accounting and non-accounting records, for example, data sourced from accounting records that involve additional examination, computation, re-classification or segmentation using non-accounting data, and this may result in those data items being classified as sourced from non-accounting records and fall within the scope of the limited assurance engagement.
Where ADI Reporting Forms combine elements that are derived from accounting records and non-accounting records, the appointed auditor provides:
- reasonable assurance on information derived from the accounting records, for example, totals derived from the balance sheet such as values for assets, liabilities and derivatives, in the ADI Reporting Forms listed in (b) below; and
- limited assurance on the information derived from non-accounting records, for example:
- ADI Reporting Form ARF 117.0 Repricing Analysis: the repricing period allocations to time periods set out in the interest rate sensitivity tables (which are subjective).
- ADI Reporting Form ARF 112.1A Standardised Credit Risk – On-balance Sheet Assets: the risk rating for loans based on the loan-to-valuation ratio (LVR) where the security values are subject to variation over time.
Also see paragraph 160 below.
Segmentation of certain balances derived from the financial statements (accounting data) included in EFS Reporting Forms by counterparty economic sector, industrial classifications or facility purpose, are often reliant on counterparty provided information or may be subject to judgement in their application and, therefore, generally fall within the scope of the limited assurance engagement.
Identification of Financial Year-end ADI Reporting Forms
Identification of the year-end ADI Reporting Forms to be subjected to the reasonable and/or limited assurance engagement, requires careful consideration by the appointed auditor.
The initial submission of ADI Reporting Forms, to meet APRA’s reporting timetable, may be too soon in the ADI’s year-end process for the ADI to have processed all relevant year-end journals and adjustments. As a result, the ADI may have submitted revised Reporting Forms after the due reporting date. As the requirement is to report on the “reliability” of the year-end Reporting Forms, the auditor selects the most up to date (recent) Reporting Forms submitted to APRA, rather than the Reporting Forms initially submitted in accordance with APRA’s reporting timetable. The auditor conducts further procedures to ensure that the selected Reporting Forms include all relevant year-end journals and adjustments.
The ADI Reporting Forms which are the subject of the assurance report, are clearly identified in the assurance report. This may be achieved, for example, by:
- attaching the Reporting Forms to the assurance report; or
- noting the submission receipt number or time and date of submission of the Reporting Forms to APRA in the assurance report.
As noted in paragraph 155 of this Guidance Statement, certain ADI Reporting Forms may include data sourced from a combination of accounting and non-accounting records. The appointed auditor needs to clearly identify such data so that the intended user of the assurance report understands the level of assurance attached to each data item. This could be achieved in a number of ways, for example:
- Attaching the Reporting Forms to the assurance report and clearly identifying the level of assurance attached to each individual section (or data item) within each Reporting Form.
- Listing the Reporting Form and the individual sections (or data items) for which reasonable and limited assurance have been provided within the body of the assurance report under the section “Opinion and Conclusions”.
- Providing a detailed list in an attachment to the assurance report which clearly identifies the Reporting Form and the individual sections (or data items) for which reasonable and limited assurance have been provided.
Refer to Appendix 4 of this Guidance Statement for illustrative examples of possible approaches to identify subject matter subject to reasonable and limited assurance.
Where the ADI Reporting Form over which assurance is to be provided at the financial year-end is not the Reporting Form submitted on the due date in accordance with APRA’s reporting timetable, the appointed auditor needs to consider this issue when providing assurance on the design and operational effectiveness of controls over the reliability of Reporting Forms.
Reasonable Assurance on Specified ADI Reporting Forms - Data Sourced from Accounting Records (APS 310/3PS 310 - Part A)
The appointed auditor is required to provide reasonable assurance that information included in ADI Reporting Forms, as specified in Attachment A of APS 310, at the financial year-end, sourced from the ADI’s accounting records, is, in all material respects:
- reliable; and
- in accordance with the relevant APRA Prudential and Reporting Standards.
Refer to Part A of the Example Annual Prudential Assurance Report in Appendix 4 of this Guidance Statement.
In performing the reasonable assurance engagement on Specified ADI Reporting Forms, the auditor complies with all Australian Auditing Standards relevant to a reasonable assurance engagement of other historical financial information, adapted as necessary in the circumstances of the engagement. In applying these standards, the auditor has regard to any special considerations identified in ASA 805 that may be relevant to the engagement.
To identify the ADI Reporting Forms, or data items in a Reporting Form, that are to be subjected to the assurance engagement (the subject matter), the appointed auditor applies the definition of accounting records to each item of data within each Reporting Form as specified in Attachment A of APS 310.
Having identified the ADI Reporting Forms, or data items within a Reporting Form, that are to be subjected to the reasonable assurance engagement, the auditor obtains sufficient appropriate evidence as part of a dynamic and iterative process, that includes:
- Obtaining an understanding of the Specified ADI Reporting Forms and individual data items included in these Reporting Forms, the intended use of the information included in the Reporting Forms by the intended users, and the Prudential Requirements applicable to the preparation and submission of Reporting Forms.
- Obtaining and understanding of the ADI’s overall framework for managing data risk and data quality.
- Obtaining an understanding of the ADI’s system of internal control, in particular, controls around managing data risk, and the compliance function relevant to the engagement and control objectives.
- Evaluating the controls over the preparation and compilation of Reporting Forms.
- Identifying and assessing the risk that information in Reporting Forms may be materially misstated.
- Responding to assessed risks and determining the nature, timing and extent of further evidence-gathering procedures.
- Performing further evidence-gathering procedures clearly linked to the identified risks.
- Evaluating the sufficiency and appropriateness of evidence.
The appointed auditor exercises professional judgement in determining the nature, timing and extent of reasonable assurance procedures to gather sufficient appropriate evidence on which to base the reasonable assurance opinion.
A controls based assurance approach is often the most appropriate approach to adopt in these circumstances. However, where the appointed auditor determines that a material weakness exists in the ADI’s internal controls designed to ensure reliable data is provided to APRA in Reporting Forms, and/or where the appointed auditor makes a determination based on effectiveness and/or efficiency, a substantive approach may be more appropriate (for example, for smaller Standardised ADIs).
Reasonable assurance procedures for obtaining evidence include, but are not limited to, testing of specific controls aimed at ensuring data in Reporting Forms is reliable and prepared in accordance with APRA Prudential Standards and Reporting Standards. Procedures may include a combination of enquiry and observation, testing of controls over the compilation of Reporting Forms, testing of controls over the extraction of data from the underlying accounting records (including all relevant year-end adjustments), and obtaining management representations.
The appointed auditor may decide to place reliance on work undertaken by the auditor appointed for the purpose of the audit of the general purpose financial report, required under the Corporations Act (the statutory audit), as the basis for opining on the reliability of the Specified ADI Reporting Forms, or data items included in these forms. However, the appointed auditor is still required to obtain additional evidence to ensure that the Reporting Forms, or data items in a Reporting Form:
- have been appropriately extracted from the underlying accounting records (which were the subject of the statutory audit); and
- are in accordance with APRA’s Prudential Standards and Reporting Standards (which may be different from the Australian Accounting Standards Framework used to record items in the ADI’s underlying accounting and statutory records).
Where reliance is being placed on work performed for the statutory audit, the appointed auditor assesses events occurring subsequent to the date of signing the statutory accounts, but before the date of issuing the auditor’s annual prudential assurance report, and takes this into consideration in forming the opinion issued in the report.
The appointed auditor is required to express a conclusion, based on a limited assurance engagement, on whether anything has come to the auditor’s attention that causes the auditor to believe that information included in ADI Reporting Forms, as specified in Attachment A to APS 310, at the financial year-end, sourced from non-accounting records of the ADI, is not, in all material respects reliable and in accordance with the relevant APRA Prudential and Reporting Standards.
Refer to Part B of the Example Annual Prudential Assurance Report in Appendix 4 of this Guidance Statement.
Prospective financial information generally includes forecasts and projections based on assumptions made by the ADI, in accordance with a stated basis of preparation. ASAE 3450 sets out the responsibilities of an assurance practitioner undertaking an engagement to report on prospective financial information. It identifies specific considerations in the application of ASRE 2405 and/or ASAE 3000, which may apply in the engagement circumstances. ASAE 3450 does not override the requirements of ASRE 2405 or ASAE 3000 and it does not purport to deal with all engagement circumstances.
All ADI Reporting Forms, or data items within Reporting Forms, as specified in Attachment A of APS 310, that have been excluded under paragraphs 162-171 above as not having been sourced from accounting records, are included in this section as the subject matter for the limited assurance engagement.
Having identified the subject matter, the appointed auditor obtains evidence as part of a dynamic and iterative process directed by the risk assessment carried out during the planning phase of the engagement. The auditor exercises professional judgement in determining the specific nature, timing and extent of limited assurance procedures to gather evidence on which to base the conclusion.
The Part B limited assurance engagement is substantially less in scope than the reasonable assurance engagement undertaken in paragraphs 162-171 in order to provide reasonable assurance under Part A of the Auditor’s Annual Prudential Assurance Report. The limited assurance engagement procedures do not provide all the evidence required in a reasonable assurance engagement and, consequently, the level of assurance provided is less than that given in the reasonable assurance engagement.
Limited assurance procedures ordinarily include consideration of the process used to prepare Reporting Forms and the specific controls aimed at ensuring Reporting Forms, and data in Reporting Forms, are reliable and prepared in accordance with APRA Prudential Standards and Reporting Standards. Limited assurance procedures may include analytical procedures, enquiry, limited testing of controls over the compilation of Reporting Forms, limited testing of controls over the extraction of data from the underlying source systems and obtaining management representations.
If the auditor has reason to believe that the subject matter information subject to limited assurance may be materially misstated, AUASB Standards require that the auditor carry out additional or more extensive procedures as are considered necessary to be able to express a limited assurance conclusion or to confirm that a modified report is required.
Under the advanced approaches for measuring capital adequacy, an Advanced ADI is permitted to use its own quantitative risk estimates in calculating regulatory capital. This involves a greater use of internal risk measurement models that generate the credit risk, operational risk, market risk and interest rate risk in the banking book (instead of the standardised risk assessments used by Standardised ADIs). As a result, under the advanced approaches, a smaller proportion of information contained in APRA’s Capital Adequacy Reporting Forms is derived from accounting records.
At the planning stage of the engagement, the appointed auditor decides on the appropriate assurance approach to adopt in order to gather evidence to reduce the assurance engagement risk to an acceptable low level to provide limited assurance in relation to the reliability of Reporting Forms, or data items in a Reporting Form, which are sourced from the internal risk measurement models.
A controls based assurance approach is often the most appropriate approach to adopt in these circumstances. The appointed auditor gathers evidence regarding the internal control structure, and that key controls around the risk measurement models, as identified during the planning phase of the audit, are operating effectively to support the assurance conclusion.
In concluding on any data produced from the internal risk measurement models, the appointed auditor cannot place sole reliance on work performed by APRA, as part of the initial accreditation process for becoming an Advanced ADI or in any subsequent reviews undertaken by APRA.
For a listing of ADI Reporting Forms to be subjected to the reasonable and/or limited assurance engagement, refer to APS 310 Attachment A – Data Collections subject to reasonable and/or limited assurance. The requirements are different for Standardised, Advanced and Foreign ADIs.
For example, refer to APRA Prudential Standard CPS 220 Risk Management, APRA Prudential Practice Guide CPG 235 Managing Data Risk and APRA Reporting Practice Guide RPG 702.0 ABS/RBA Data Quality for the EFS Collection.