Considerations – Assurance on Controls
Limited Assurance on Controls to ensure Compliance with Prudential Requirements and Reliability of ADI Reporting Forms (APS 310/3PS 310 – Part C)
The appointed auditor is required to express a conclusion, based on a limited assurance engagement, whether anything has come to the attention of the auditor to cause the auditor to believe that, in all material respects:
- the ADI has not implemented internal controls that are designed to ensure the ADI has:
  - complied with all applicable Prudential Requirements; and
  - provided reliable data to APRA in the ADI Reporting Forms prepared under the FSCODA; and
- these controls have not operated effectively throughout the financial year.
Refer to Part C of the Example Annual Prudential Assurance Report in Appendix 4 of this Guidance Statement. APRA has advised that the form and content of this example report is adequate for the purpose of reporting under APS 310/3PS 310.
The appointed auditor conducts the limited assurance engagement related to internal controls in accordance with ASAE 3150.
Based on the auditor’s understanding of the ADI and/or ADI group and its environment, risk management practices in place, and the internal control and compliance framework, as obtained for the purpose of planning the engagement, the auditor performs assurance procedures to respond to assessed risks in order to obtain limited assurance to support the auditor’s conclusion.
The auditor generally adopts a ‘top down’ approach in gathering evidence by, for example, making enquiries of key personnel, observing the entity’s operations, performing ‘walk-through’ tests of controls, and inspecting relevant documentation, in order to achieve the following:
- obtaining an understanding of the ADI’s overall control environment and compliance framework;
- identifying the systems, structures, policies, procedures and controls designed to ensure compliance with all applicable Prudential Requirements, by reviewing documents such as the ADI’s RMS and similar policy documents prepared by the ADI in accordance with applicable Prudential Standards;
- identifying the processes used by the entity to support the Board’s annual declaration to APRA on risk management (“Risk Management Declaration”);
- identifying the internal compliance functions designed to oversee the provision of data to APRA in ADI Reporting Forms;
- identifying key controls over data risk management as stipulated by CPG 235;
- identifying significant processes for the preparation of ADI Reporting Forms; and
- identifying the key controls over these significant processes that are designed to ensure that reliable data is provided to APRA in ADI Reporting Forms.
The above is not an exhaustive list, nor is it intended to direct the auditor as to the conclusion over the ADI’s internal controls.
The way in which internal control is designed and implemented varies with an ADI’s size and complexity. Smaller ADIs may use less formal means and simpler processes to achieve their objectives.
Materiality is to be applied as outlined in paragraphs 106-110 and 128-134 of this Guidance Statement.
Design of Controls
The auditor determines which of the controls at the entity are necessary to achieve the relevant control objectives and whether those controls were suitably designed. Under ASAE 3150, this determination includes:
- identifying the risks that threaten achievement of the control objectives;
- evaluating whether the controls as designed would be sufficient to mitigate those risks when operating effectively, in all material respects; and
- evaluating whether any changes in controls as designed during the period would be sufficient to mitigate those risks, in all material respects.
In assessing the suitability of the design of controls, ASAE 3150 requires the auditor, at a minimum, to:
- make enquiries of management or others within the entity regarding how the controls are designed to operate; and
- examine the design specifications or documentation.
If the auditor becomes aware of a matter(s) that causes the auditor to believe that a material deficiency in the design of controls may exist, ASAE 3150 requires the auditor to design and perform additional assurance procedures until the auditor has obtained sufficient appropriate evidence to conclude on whether the design is suitable. However, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement.
Implementation of Controls
The auditor obtains sufficient appropriate evidence that the controls identified as necessary to achieve the identified control objectives were implemented as designed as at the specified date. The auditor’s evaluation of the design of controls may influence the nature, timing and extent of assurance procedures related to implementation.
ASAE 3150 requires that:
- the auditor’s assurance procedures include, at a minimum, making enquiries and observation;
- if the auditor determines that additional assurance procedures, such as the inspection of records and documentation, are required to dispel or confirm a suspicion that a material deficiency in the implementation of controls exists, the performance of such additional procedures does not convert the engagement to a reasonable assurance engagement; and
- when designing and performing tests of implementation, the auditor determines whether the controls implemented depend upon other controls (indirect controls) and, if so, whether it is necessary to obtain evidence supporting the implementation of those indirect controls.
Operating Effectiveness of Controls
Following the evaluation of whether the ADI has internal controls designed to achieve the relevant control objectives, the appointed auditor performs assurance procedures to obtain evidence about whether these controls have operated as designed throughout the financial year. The auditor may consider how the controls were applied, the consistency with which they were applied, by whom they were applied and the period over which the controls were applied.
In accordance with ASAE 3150, when reporting on operating effectiveness over the period, the auditor tests those controls that the auditor has determined are necessary to achieve the relevant control objectives, and assesses their operating effectiveness throughout the period. The auditor’s evaluation of the design of controls may influence the nature, timing and extent of tests of operating effectiveness. Evidence obtained in prior engagements about the satisfactory operation of “material controls” (as defined in the standard) in prior periods does not provide a basis for a reduction in testing of those controls, even if it is supplemented with evidence obtained during the current period.
Assurance procedures to obtain evidence on operating effectiveness may include discussion with entity personnel (and obtaining written representations), observation of the system in operation, walk-throughs of an appropriate number of instances of material controls in operation, and ascertaining whether the person(s) performing the control(s) possess the necessary authority and competence to perform the control(s) effectively, in order to identify any deviations from the specified design. The auditor may also consider limited re-performance of controls.
Alternatively, under ASAE 3150, the results of exception reporting, monitoring or other management controls may be examined to provide evidence about the operation of the control rather than directly testing it.
ASAE 3150 requires the auditor to apply professional judgement in determining the specific nature, timing and extent of procedures to be conducted, which will depend on the assessed risks of material deviations in the operating effectiveness of controls. If the auditor determines that additional assurance procedures are required to dispel or confirm a suspicion that a material deviation in the operating effectiveness of controls exists, the performance of such additional procedures shall not convert the engagement to a reasonable assurance engagement.
ASAE 3150 requires that, where control procedures have changed during the period subject to examination, the auditor tests the operating effectiveness of both the superseded control(s) and the new control(s) and considers whether the new controls have been in place for a sufficient period to assess their effectiveness.
Although the auditor may consider the results of any tests of the operating effectiveness of controls conducted by the internal audit function when evaluating operating effectiveness, the auditor remains responsible for obtaining sufficient appropriate evidence to support the auditor’s conclusion and, if appropriate, corroborate the results of such tests.
The appointed auditor enquires whether there were any changes in internal control, or other matters, subsequent to the financial year-end date and up to the date of the appointed auditor’s assurance report, that may have an impact on the auditor’s conclusion about the effectiveness of internal controls, and obtains written representations from management relating to such matters.
Interpretation of the word “reliable” in the context of reporting on controls in place to ensure reliable data is provided to APRA in ADI Reporting Forms throughout the financial reporting period, has practical limitations in some circumstances. For many ADIs, it is only at the financial year-end (or for ADIs that are disclosing entities, also at the half year-end) that all the necessary accounting adjustments, such as accruals, prepayments, provisioning and valuations, are prepared and subjected to audit or review. APRA is aware of this position and has indicated it accepts ADI Reporting Forms prepared throughout the year based on the ADI’s normal accounting process.
For further requirements and guidance in relation to obtaining evidence on operating effectiveness of controls, including on the use of sampling for selecting controls for testing operating effectiveness over a period, refer to ASAE 3150.
For an Advanced ADI, the appointed auditor also considers the ADI’s internal controls over the risk measurement models used to meet the requirements of specific Prudential Standards and to generate certain risk data provided to APRA in ADI Reporting Forms.
The appointed auditor undertakes an appropriate risk assessment of the controls over these models within the context of the stated assurance engagement objective, and plans the assurance engagement accordingly.
The appointed auditor obtains an understanding of any deficiencies in the models, identified either by APRA, the ADI, or through any independent review, and how such deficiencies have been addressed by the ADI.
In concluding on the controls over internal risk models, the appointed auditor cannot place sole reliance on the work performed by APRA during the accreditation process to become an Advanced ADI, or on reports issued as a result of any independent review required under specific Prudential Standards dealing with credit risk, operational risk, market risk and interest rate risk in the banking book. Under these Standards, APRA may require Advanced ADIs to obtain an independent review of the use of any internal models, statistical techniques, other methods relevant to estimating or assessing risks, and risk data inputs used.
The appointed auditor reviews any reports issued as a result of independent reviews. In drawing a conclusion on whether to use these reports, the appointed auditor has regard to the level of independence of the reviewer, and their qualifications and competency to carry out such a review. In making this assessment, the appointed auditor complies with the requirements of ASAE 3000 and ASAE 3150.
The appointed auditor makes enquiries about the overall system controls over such models, including controls that ensure the consistency and integrity of the models.
Assurance procedures over the models would ordinarily include a review of:
- the control environment and general controls, including the IT function; and
- change controls (including limited testing).
Assurance procedures over data produced from the risk measurement models would ordinarily include a review of:
- the key controls over inputs to the models; and
- how management reviews and uses the data outputs from the models in ADI Reporting Forms.
Such assurance procedures may include making enquiries of management and persons operating the control(s), assessing whether such persons have the appropriate degree of skill and authority to effectively operate the control(s), observation, ‘walk-through’ tests, limited re-performance and analytical review of the resulting Reporting Forms, or of data items in a Reporting Form.
Limited Assurance on Controls addressing Generation of SCV Data and FCS Payment Instruction and Reporting Information (APS 910)
The appointed auditor is required to express a conclusion, based on a limited assurance engagement, whether anything has come to the attention of the auditor to cause the auditor to believe that, for the financial year, in all material respects:
- the ADI has not implemented internal controls that are designed to ensure that SCV data as set out in APS 910 Attachment A, to the extent practicable, and FCS payment instruction and reporting information can be relied upon as being complete and accurate and in accordance with APS 910; and
- these controls have not operated effectively when tested.
Refer to Appendix 5 of this Guidance Statement for an Example Annual Prudential Assurance Report for engagements undertaken pursuant to APS 910.
The appointed auditor conducts the limited assurance engagement for APS 910 related to internal controls in accordance with ASAE 3150.
Obtaining Assurance Evidence
Under APS 310/3PS 310, the appointed auditor is required to perform a limited assurance engagement on the design, implementation and operating effectiveness of internal controls to ensure compliance with all Prudential Requirements, which includes compliance with the requirements of APS 910.
APS 910 identifies additional requirements for the appointed auditor to perform a limited assurance engagement on an ADI’s controls to ensure that SCV data as set out in APS 910 Attachment A, to the extent practicable, and FCS payment instruction and reporting information can be relied upon as being complete and accurate and produced in a timely manner in accordance with the requirements specified in APS 910.
Appendix 5 (see Attachment 3 to the example report, entitled: Control Objectives and Evaluation Criteria) of this Guidance Statement outlines the applicable control objectives for the engagement, used by the auditor to evaluate the ADI’s compliance with APS 910 requirements.
In practice, the auditor’s annual APS 310/3PS 310 assurance engagement on controls (Part C) factors in all APS 910 requirements with which the ADI is expected to be compliant. This approach allows the timing of the APS 910 engagement to be aligned with routine assurance work undertaken pursuant to APS 310/3PS 310.
Limited assurance procedures selected depend on the auditor’s judgement, including assessment of the risks of a material breakdown in controls. In making those risk assessments, the auditor considers internal control systems and compliance functions relevant to ensuring compliance with APS 910 and, specifically, the requirements in relation to SCV data and FCS payment instruction and reporting information, in order to design limited assurance procedures that are appropriate in the circumstances.
The limited assurance engagement in relation to APS 910 controls may include making enquiries of management and those responsible for the controls, examination of design specifications and documentation on a sample basis, observation of the implementation and operation of the controls, events or business routines implemented by the ADI, as well as of testing practices and results, ‘walk-throughs’ of controls, and review of reports required under APS 910.
In applying the terms “complete” and “accurate” to the controls engagement, the auditor has regard to definitions and guidance provided by APRA in CPG 235. Refer to Appendix 5 of this Guidance Statement (see Attachment 3 to the example report, entitled: Control Objectives and Evaluation Criteria).
For guidance on how the term “to the extent practicable” is to be interpreted, the auditor refers to guidance provided by APRA in its August 2013 Information Paper: Financial Claims Scheme for authorised deposit-taking institutions and under Financial Claims Scheme Frequently Asked Technical Questions for ADIs, which can be accessed on APRA’s website. Refer to Appendix 5 of this Guidance Statement (see Attachment 4 to the example report, entitled: Additional Guidance).
The phrase “to the extent practicable” applies to those limited circumstances and/or customers where it may not be possible or practical for an ADI to meet all the requirements of APS 910 or the Banking Act, despite best endeavours. Where possible, it is expected that the underlying assurance objective be met in full. This guidance is principle-based and does not limit the application of the auditor’s professional judgement.
Under APS 910, the appointed auditor is required to perform limited assurance procedures to evaluate whether the ADI’s controls operated effectively when tested by the ADI in accordance with the testing requirements specified in APS 910. In addition, APRA guidance states that, when conducting the audit, the auditor must undertake their own tests of the controls and must provide limited assurance that, when tested by the auditor, the controls operated effectively. The auditor will need to collect sufficient and appropriate evidence when forming their conclusions about the ADI’s controls.
Notes
Risk Management Declaration (Board’s annual declaration to APRA on risk management): see Attachment A to APRA Prudential Standard CPS 220 Risk Management.
Independent reviews required of Advanced ADIs: for example, APS 117 Capital Adequacy: Interest Rate Risk in the Banking Book (Advanced ADIs) includes a requirement for an independent review of the ADI’s interest rate risk in the banking book management framework and measurement system, both initially at the time that approval is sought from APRA to use the model and, thereafter, on an ongoing basis (at least once every three years or when a material change is made to the framework).
The scope of an independent review of an Advanced ADI’s risk management framework may cover the following:
- the accuracy of the analytics underlying the calculation of the risk-adjusted regulatory capital, the outputs of the risk measurement model and the consistency of this methodology;
- assessment of the reasonableness of any assumptions made in the risk measurement model;
- the accuracy and adequacy of documentation supporting the quantitative aspects of the risk measurement system; and
- the continuing appropriateness and adequacy of the risk modelling approach given industry developments in the modelling of risk.
The scope of an independent review of the risk data inputs to the internal risk models (to ensure the continued quality of the data and the effectiveness of internal controls) ordinarily includes an assessment of the controls surrounding the data collection and maintenance processes, as well as data inspection.
FCS payment instruction and reporting information: for example, refer to paragraph 20 of APS 910 and the Approved forms for payments and reports: Financial Claims Scheme for authorised deposit-taking institutions (August 2013).
“To the extent practicable”: refer to APRA’s website, https://www.apra.gov.au/industries/authorised-deposit-taking-institutions:
- Information Paper: Financial Claims Scheme for authorised deposit-taking institutions, August 2013, paragraph 37 on page 11.
- Financial Claims Scheme – Frequently Asked Technical Questions for ADIs, under Section 3 Clearance (Question 3.1, March 2014) and Section 12 – Single Customer View (SCV) (Question 12.2, March 2014).
For example, the phrase applies where an ADI has been unable to obtain or update data required to be provided by a retail customer, and the ADI has exhausted all practical steps to contact the customer.
“When tested”: see paragraph 25 of APS 910, which requires an ADI to undertake testing in accordance with a testing schedule specified by APRA in writing. Guidance on “when tested” can be found on APRA’s website: https://www.apra.gov.au/financial-claims-scheme-frequently-asked-technical-questions-for-authorised-deposit-taking under Question 13.2.
Auditor’s own tests of the controls: refer to APRA’s website: https://www.apra.gov.au/financial-claims-scheme-frequently-asked-technical-questions-for-authorised-deposit-taking, Question 2.4 (November 2013).