Evaluation of Findings
Reporting on Specified ADI Reporting Forms
The auditor accumulates uncorrected misstatements identified during the engagement, other than those that are clearly trivial, for the purpose of evaluating whether, individually or in aggregate, they are material to the reported information. Materiality is to be applied in the context of paragraphs 106-127 of this Guidance Statement.
In evaluating whether uncorrected misstatements in Specified ADI Reporting Forms are material, the appointed auditor complies with the requirements of AUASB standards ASA 450, ASRE 2405, ASAE 3000 and ASAE 3450, as applicable. The appointed auditor exercises professional judgement, having regard to both the user and intended users of the information in the Reporting Forms, and taking into consideration the risk of issuing an inappropriate assurance report.
The magnitude of a misstatement alone is only one factor used to assess the misstatement. The appointed auditor evaluates each identified misstatement in the context of information relevant to users of the Reporting Form, by considering qualitative factors and the circumstances in which each misstatement has been made. For example, in evaluating identified misstatements, the appointed auditor has regard to factors such as the level of the ADI’s buffer above the particular minimum Prudential Requirements (determined under periodic quantitative calculations) and the sensitivity of these buffers to fluctuations in the ADI’s financial performance and position.
The appointed auditor may designate an amount below which misstatements would be clearly trivial and need not be accumulated, because the auditor expects that the accumulation of such amounts clearly would not have a material effect on the reported subject matter information. In doing so, the appointed auditor needs to consider the fact that the materiality of misstatements involves qualitative as well as quantitative considerations and that misstatements of a relatively small amount could nevertheless have a material effect on the reported information.
In evaluating whether identified misstatements are material, the auditor will consider the criteria used by APRA and the Agencies to determine the need for resubmission of data. For example, RPG 702.0 guidance provides that reporting entities are to notify APRA of all reporting errors based on the data quality benchmarks specified in RPG 702.0, and states that, depending on the size of the reporting entity and the potential impact on the Agencies’ use of the data, APRA, in consultation with the Agencies, may require the data to be resubmitted.
Further, where errors have occurred in relation to EFS reporting that exceed the RPG 702.0 data quality benchmarks, this may be indicative of a control environment that is not appropriately designed or operating effectively. In these instances, the auditor would be expected to assess the nature of the error, whether deficiencies in the control environment contributed to the error, and what subsequent changes have occurred (if any) to address such deficiencies. Where such deficiencies exist, the significance of these would need to be considered against Parts A, B and C of the APS 310/3PS 310 opinion and conclusions.
In circumstances where the appointed auditor concludes that information reported in ADI Reporting Forms is not in accordance with the relevant APRA Prudential and Reporting Standards, the appointed auditor discusses the matter with management and, depending on how it is resolved, determines whether, and how, to communicate the matter in the auditor’s assurance report.
Reporting on Internal Controls
ASAE 3150 sets out the requirements and provides guidance to the appointed auditor to assist in evaluating evidence and forming a conclusion on controls.
In accordance with ASAE 3150, the appointed auditor accumulates uncorrected:
- deficiencies in the suitability of the design of controls to achieve the relevant control objectives;
- deficiencies in the implementation of controls as designed; and
- deviations in the operating effectiveness of controls as designed.
The appointed auditor evaluates, individually and in aggregate, whether internal control deficiencies and deviations that have come to the auditor’s attention are material. The auditor exercises professional judgement, having regard to the intended users of the auditor’s assurance report. Materiality is to be applied in the context of paragraphs 106-110 and 128-134 of this Guidance Statement.
In evaluating the severity of identified internal control deficiencies, the appointed auditor considers, based on materiality:
- the likelihood that the relevant internal controls may fail to prevent or detect:
  - non-compliance with a Prudential Requirement; or
  - a misstatement in the data being provided to APRA in ADI Reporting Forms; and
- the magnitude of the potential resulting non-compliance with a Prudential Requirement on the ADI’s overall compliance with applicable Prudential Requirements; and
- the magnitude of the potential misstatement resulting from the internal control deficiency on the information reported in the ADI Reporting Forms.
The evaluation of the severity of a deficiency in internal control does not depend on whether a misstatement or non-compliance with a Prudential Requirement has actually occurred, but rather the likelihood that the ADI’s controls may fail to prevent or detect a material misstatement or material non-compliance with a Prudential Requirement.
As noted above, the auditor is not required to use RPG 702.0 benchmarks as materiality thresholds for planning the scope of the assurance engagement. However, where the auditor identifies reporting errors as defined by RPG 702.0 it is expected that this be taken into consideration in assessing the adequacy of the design, implementation, and operating effectiveness of controls around data quality.
The auditor considers how the ADI has incorporated RPG 702.0 thresholds and other relevant guidance, for example CPG 235, into its data risk management processes. Should an ADI identify errors that have occurred in relation to EFS reporting that exceed the data quality benchmarks, this may be indicative of a control environment that is not appropriately designed, implemented or operating effectively to ensure entities have provided reliable data to APRA. In these instances, the auditor would be expected to assess the nature of the error, whether deficiencies in the control environment contributed to the error, and what subsequent changes have occurred (if any) to address such deficiencies and/or deviations. Where such deficiencies exist, the significance of these would need to be considered against Parts A, B and C of the APS 310/3PS 310 opinion and conclusions.
EFS reporting introduces new concepts and data that may not, historically, have been subject to an ADI’s risk management framework in accordance with the expectations of RPG 702.0 and CPG 235. Therefore, whilst an ADI may have implemented additional processes and controls that address the reliability of information for the front book, for example, loans originated since the implementation of EFS reporting, the accuracy of the back book (existing portfolio) with respect to RPG 702.0 and CPG 235 remains uncertain. In these instances, the auditor will need to assess the significance of the matter and its impact on Parts B and C of the APS 310 conclusion.
Resubmission of data and reporting forms by an entity will require the auditor to exercise professional judgement, taking into consideration the nature and cause of the resubmission, in evaluating whether misstatements are material or if the resubmissions are indicative of a control environment that is not appropriately designed, implemented or operating effectively to ensure entities have provided reliable data to APRA.
Generally, the occurrence of even a single resubmission of a material nature due to error, or multiple non-material resubmissions of a recurring nature, may indicate a weak or inadequate control environment exists and, hence, may require modification of the Part C conclusion and, potentially, also the Part A opinion and Part B conclusion, where the impacted forms include Specified ADI Reporting Forms.
Notwithstanding, there may be instances where an ADI will resubmit reporting forms for reasons other than an error associated with its reporting process, such as changes or clarifications in APRA interpretations. Where resubmissions are not the result of errors, the auditor may determine that there is no impact on the opinion, with reporting of resubmissions limited to an appendix to the APS 310/3PS 310 report.
Where material breakdowns in controls are identified which result in a modification to Part C of the auditor’s conclusion, the auditor will need to assess the impact on procedures performed under Parts A and B of the APS 310/3PS 310 engagement. There may be instances where the auditor is able to perform additional substantive procedures to address the risks associated with a control deficiency and/or deviation that will support an unmodified opinion for Parts A and B of the report, but result in a qualification to Part C.
Reporting on Compliance with Prudential Requirements
The auditor accumulates instances of non-compliance, other than those that are clearly trivial, identified in undertaking the reasonable and limited assurance engagements on Specified ADI Reporting Forms (Parts A and B) and the limited assurance engagement on internal controls (Part C), in order to form a conclusion.
The APS 310/3PS 310 requirement to report matters of non-compliance to APRA on an annual basis is in addition to the reporting obligations under section 16BA of the Banking Act, which requires certain matters to be reported to APRA immediately and certain other matters to be reported to APRA as soon as is practicable.
In determining whether a failure to comply with Prudential Requirements is or will be significant, the appointed auditor considers the factors listed in subsection 16BA(7) of the Banking Act, namely:
- the number or frequency of similar failures;
- the impact the failure has or will have on the ADI’s ability to conduct its business;
- the extent to which the failure indicates that the ADI’s arrangements to ensure compliance with the Banking Act, the Prudential Standards or the Regulations might be inadequate;
- the actual or potential financial loss arising, or that will arise from the failure, to the depositors of the ADI or to the ADI; and
- any matters prescribed by the Regulations for the purposes of this subsection of the Banking Act.
The significance of a matter is to be judged by the appointed auditor in the context in which it is being considered, taking into account both quantitative and qualitative factors. This may, for example, include consideration of the significance of the potential impact of the non-compliance rather than the actual impact.
Furthermore, it is possible that an instance of non-compliance, which is not significant in isolation, may become so when considered in totality with other identified instances of non-compliance.
Where the appointed auditor considers identified instances of non-compliance as being potentially significant to the ADI as a whole and/or to its depositors’ interests, or where the matter may be considered important by APRA in performing its functions under the Act, then the identified instance of non-compliance is a matter to be reported to APRA.
Matters likely to prejudice materially the interests of depositors are related generally to capital adequacy, solvency and going concern matters, for example, the ADI’s compliance with minimum capital levels as per APRA Prudential Standard APS 110. In assessing whether the interests of depositors may be prejudiced materially, the appointed auditor considers not only a single activity or a single deficiency in isolation, as depositors’ interests may be prejudiced materially by a number of activities or deficiencies which, although not individually material, do amount to a material threat when considered in totality. Similarly, it is possible that a breach in compliance, although not significant in isolation, may become so when considered in the context of other possible breaches.
In order to conclude on an ADI’s and/or ADI group’s compliance with all relevant Prudential Requirements, the appointed auditor considers the existence of relevant matters, that may indicate instances of non-compliance, throughout the reporting period and up to the date of signing the auditor’s assurance report.
The appointed auditor’s review of subsequent events may include the following procedures:
- reading minutes of the ADI’s Board, as well as minutes of any sub committees responsible, for example, for risk, compliance and audit, held after balance date and enquiring about matters discussed at these meetings for which minutes are not yet available;
- examining the ADI’s breach registers up to the date of the auditor’s assurance report; and
- enquiring of the ADI’s management as to whether any subsequent events have occurred which might represent non-compliance with relevant Prudential Requirements.
The appointed auditor reports instances of significant non-compliance which have not previously been reported to APRA by the appointed auditor. This will include matters the ADI indicated it was notifying, and which an auditor relied upon as a reason for the auditor not notifying APRA.
Refer to section 16BA of the Banking Act.
Under subsections 16BA(5) and 16BA(10) of the Banking Act, an auditor is not required to notify APRA of matters that have been brought to the auditor’s attention by the ADI, where the auditor is informed that APRA has been notified of the matter in writing by the ADI and the auditor has no reason to disbelieve the ADI.