This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to auditors on various matters relating to the audit of compliance plans of registered managed investment schemes established in accordance with the requirements of the Corporations Act 2001 (“the Act”).
Preamble
Authority Statement
The Auditing and Assurance Standards Board (AUASB) issues Guidance Statement GS 013 Special Considerations in the Audit of Compliance Plans of Managed Investment Schemes pursuant to section 227B of the Australian Securities and Investments Commission Act 2001, for the purposes of providing guidance on auditing and assurance matters.
This Guidance Statement is the reissuance of AGS 1052 Special Considerations in the Audit of Compliance Plans of Managed Investment Schemes (June 2002), with updated references to the Corporations Act 2001 and relevant ASIC Regulatory Guides to reflect subsequent regulatory changes affecting managed investment schemes. Further consideration of these changes will be undertaken by the AUASB as part of the future revision of this Guidance Statement.
This Guidance Statement provides guidance to assist the auditor to fulfil the objectives of the audit or assurance engagement. It includes explanatory material on specific matters for the purposes of understanding and complying with AUASB Standards. The auditor exercises professional judgement when using this Guidance Statement and needs to refer to the ASIC Regulatory Guides where relevant.
The Guidance Statement does not prescribe or create new mandatory Requirements.
Application
1
This Guidance Statement has been formulated by the Auditing and Assurance Standards Board (AUASB) to provide guidance to auditors on various matters relating to the audit of compliance plans of registered managed investment schemes established in accordance with the requirements of the Corporations Act 2001 (“the Act”).
Introduction
3
The auditor of a managed investment scheme compliance plan is required to adhere to the requirements contained in the Standards on Assurance Engagements, including ASAE 3100 Compliance Engagements. The AUASB recognises that the audit of compliance plans may give rise to a number of special audit considerations. Accordingly, this Guidance Statement has been developed to clarify the auditor’s responsibilities on such engagements, and to provide guidance to the auditor on additional factors which the auditor may consider when planning, conducting and reporting on the audit of a scheme’s compliance plan.
4
It is important to note that this Guidance Statement does not impose any responsibilities on the auditor of a managed investment scheme compliance plan beyond those which are imposed by Standards on Assurance Engagements and the requirements of the Act. Nonetheless, the provisions of the Act in this area may be augmented by Regulatory Guides (RGs) and any modifications to the Act effected by individual orders or class orders issued by the Australian Securities and Investments Commission (ASIC).
Legislative Background
5
The managed investments regulatory regime which is administered by ASIC, is contained in Chapter 5C of the Act. Part 5C.4 of Chapter 5C specifically deals with scheme compliance plans, and inter alia requires that each registered scheme have in place a compliance plan to ensure compliance with the scheme’s constitution and the Act.
Regulatory Requirements for Compliance Plans
Significance of Compliance Plans to the Registration of Schemes
6
Under section 601EB(1) of the Act, ASIC must register a managed investment scheme within the prescribed timeframe, unless it appears to ASIC that certain requirements of the Act as specified in that provision have not been met, including whether the scheme’s compliance plan meets the requirements of Part 5C.4 of the Act. Consequently, ASIC will review a scheme’s compliance plan before approving a scheme’s application for registration. ASIC Regulatory Guide RG 132 Managed investments: Compliance plans identifies the following approach which ASIC has stated it will adopt when reviewing the compliance plans of schemes prior to registration:
RG 132.14: We will actively assess compliance plans when we are deciding whether or not to register a scheme under s 601EB(1). We will consider, in the context of the type of scheme, whether the responsible entity has designed measures which adequately address the risks of not complying with its obligations. For example, a responsible entity must continuously monitor, review and audit the outcomes of its compliance activities. We will therefore assess whether the responsible entity’s arrangements for doing this are adequate.
7
RG 132 provides guidance to responsible entities on how to prepare a compliance plan and in particular, on the structured and systematic process which needs to be undertaken when developing such plans. Consequently, when reviewing a compliance plan for registration purposes, it is likely that ASIC considers matters outlined in RG 132 such as:
- the responsible entity’s obligations under the Act and the scheme’s constitution;
- the risks to ongoing compliance, given such matters as the nature of the scheme, its operating environment, its size, and the nature of its assets;
- the likelihood and potential impact of failing to achieve the outcomes intended by the Act and the scheme’s constitution;
- the appropriateness of the focus adopted in the compliance plan and the compliance measures in terms of stated outcomes; and
- the specific requirements of Part 5C.4 of the Act.
8
ASIC has the authority to withhold the scheme’s registration, until such time as any deficiencies in the compliance plan which it may have identified during the registration process are rectified by the responsible entity.
9
Section 601HE(1) of the Act enables the responsible entity to make changes to the compliance plan, to facilitate the updating of the compliance plan as circumstances change, or in the case that particular measures are found to be ineffective. Under section 601HE(2), ASIC may also require that the responsible entity make changes to the compliance plan in certain circumstances. Where modifications to the compliance plan are made or a compliance plan is repealed and replaced, the auditor ascertains that it is lodged with ASIC in accordance with the requirements of section 601HE(3).
Contents of the Compliance Plan
10
Section 601HA of the Act requires each registered scheme to have in place a compliance plan which sets out “adequate measures” that the responsible entity is to apply in operating the scheme to ensure compliance with the Act and the scheme’s constitution.
11
Specific matters which are identified in section 601HA that are to be included in compliance plans include arrangements for:
- the identification and custody of scheme property;
- the operation and functions of the scheme’s compliance committee, where required;
- the valuation of scheme property;
- ensuring the compliance plan is audited as required by section 601HG;
- ensuring adequate records are kept of the scheme’s operations; and
- compliance with other matters prescribed in the regulations.
12
RG 132 outlines considerations which a responsible entity is to take into account when preparing compliance plans in order to satisfy the requirements of section 601HA. RG 132 also emphasises that compliance plans for each scheme are to include compliance measures which provide clear links with the requirements of the Act and the scheme’s constitution. Such measures are to be set out in the compliance plan with sufficient clarity and detail to enable the responsible entity’s directors and where required, the compliance committee, as well as the compliance plan auditor to assess whether the responsible entity has complied with the compliance plan and the requirements of section 601HA.
13
RG 45 Mortgage schemes—improving disclosure for retail investors (September 2008) and RG 46 Unlisted property schemes—improving disclosure for retail investors (September 2008) expects compliance plans of the relevant schemes to contain adequate procedures to ensure disclosure against the benchmarks specified in the regulatory guides. The Act imposes various obligations on the responsible entity and its officers to ensure that the requirements of section 601HA are met. These obligations include:
- Section 601FC(1)(g) – which specifically requires the responsible entity of a registered scheme to ensure that the scheme’s compliance plan meets the requirements of section 601HA.
- Section 601FC(1)(h) – which requires the responsible entity to comply with the scheme’s compliance plan.
- Section 601JA(1) – which obliges the responsible entity to establish a compliance committee, if less than half of the directors of the responsible entity are external directors. Such a committee is inter alia required to monitor compliance with the compliance plan and assess the adequacy of the compliance plan in accordance with section 601JC(1).
- Notwithstanding the above, section 601FD(1)(f) places the onus on the officers of the responsible entity to take all steps that a reasonable person would take to ensure that the responsible entity complies with the compliance plan.
14
RG 132 expects the responsible entity, when preparing a compliance plan for the first time and continuously thereafter, to undertake a due diligence process to consider its responsibilities under the Act and the scheme’s constitution, identify risks of non-compliance and establish measures to address those risks. ASIC has benchmarked compliance plans for schemes within various industries and provided examples of better compliance plans for those schemes in the following regulatory guides:
- RG 116 Commentary on compliance plans: Agricultural industry schemes (April 2004).
- RG 117 Commentary on compliance plans: Financial asset schemes (April 2004)
- RG 118 Commentary on compliance plans: Contributory mortgage schemes (April 2004)
- RG 119 Commentary on compliance plans: Pooled mortgage schemes (April 2004).
- RG 120 Commentary on compliance plans: Property schemes (April 2004).
Compliance Structure
15
RG 132 sets out ASIC’s expectations of responsible entities when preparing compliance plans for registered schemes to meet the requirements of the Act. As identified in RG 132, the responsible entity is expected to continuously monitor the outcomes of its compliance activities in order to satisfy the requirements of section 601HA. To enable such monitoring and assessment to occur, the responsible entity is expected to establish and maintain compliance reporting structures to prevent, and where necessary to identify and respond to breaches of its compliance plan, and to promote what ASIC has described as a “culture of compliance”.
16
With regard to the above, ASIC has indicated that it expects such compliance structures to include clear procedures for recording and reporting on compliance, a complaints handling system[1], systems to identify, investigate and rectify recurring and systemic problems, and appropriately trained staff. The responsible entity is also expected to have adequate compliance measures in place for monitoring and maintaining an adequate level of control over any activities which it may outsource to external service providers.
See RG 139 Approval and oversight of external dispute resolution schemes.
Auditing the Compliance Plan
Who May Audit the Compliance Plan?
17
In accordance with section 601HG(1) of the Act, the responsible entity of a registered scheme is required to ensure that at all times a registered company auditor, an audit firm or an authorised audit company is engaged to audit compliance with the scheme’s compliance plan. Section 601HG(2) inter alia prohibits the auditor of the responsible entity’s financial report from also acting as the auditor of the compliance plan. However, section 601HG(2A) allows another auditor from the same firm or company to undertake the compliance plan audit of a scheme managed by the responsible entity. Furthermore, there is no prohibition on the compliance plan auditor from also performing the statutory audit of the scheme’s financial report.
Agreeing on the Terms of the Audit Engagement with the Responsible Entity
18
ASAE 3100 requires the auditor of the compliance plan to agree on the terms of the compliance plan audit engagement with the responsible entity, which are required to be recorded in writing by the auditor and forwarded to the responsible entity. Such terms may be outlined in an audit engagement letter.[2] The auditor has regard to the requirements of ASAE 3100 relevant on agreeing the terms of the assurance engagement and applies those requirements when agreeing on the terms of a compliance plan audit engagement.[3]
Or other suitable form of audit contract.
The procedures for agreeing the terms of an engagement relevant to a financial report audit engagement are contained in ASA 210 Terms of Audit Engagements, and may be helpful in determining procedures for agreeing the terms of an engagement applicable to a compliance plan audit engagement.
19
Other than matters covered by ASAE 3100, the engagement letter may also outline arrangements for liaison with the responsible entity’s compliance committee (if applicable), other compliance advisors, and other auditors, including the auditor of the responsible entity’s financial report and the auditor of the scheme’s financial report.
20
The compliance plan auditor may also use the engagement letter to clarify the respective roles of the responsible entity’s directors and the auditor, by contrasting the respective statutory responsibilities of the responsible entity and the compliance plan auditor under Part 5C.4 of the Act. In particular, it is important to highlight in the engagement letter the responsible entity’s obligation to establish and maintain an adequate compliance plan and have in place adequate measures and structures to ensure compliance with the Act and the scheme’s constitution. The auditor obtains acknowledgment of this obligation from the directors of the responsible entity when obtaining agreement on the terms of the compliance plan audit engagement. An example engagement letter illustrating such agreement is provided in Appendix 1 to this Guidance Statement.
Clarifying the Compliance Plan Auditors Role
Role of the Responsible Entity
21
Under the Act, the responsible entity is required to ensure that the scheme has a compliance plan which meets the requirements of section 601HA. This includes that the compliance plan must set out adequate measures that the responsible entity is to apply in operating the scheme to ensure compliance with the Act and the scheme’s constitution. The compliance plan, which is lodged with ASIC with the application to register as a managed investment scheme under section 601EA, must be signed by all the directors of the responsible entity under section 601HC and arrangements must be in place for the audit of the compliance plan under section 601HG. Section 601FD(1)(f) requires the directors of the responsible entity to take all steps that a reasonable person would take to ensure that the responsible entity complies with the Act, the scheme’s constitution and the scheme’s compliance plan.
Role of the Compliance Plan Auditor
22
The role of the compliance plan auditor under section 601HG(3) of the Act is to examine the scheme’s compliance plan and carry out an audit of the responsible entity’s compliance with the compliance plan for the financial year. Furthermore, the auditor of the compliance plan must give the responsible entity an audit report which states whether in the auditor’s opinion:
- the responsible entity has complied with the scheme’s compliance plan during the financial year; and
- the compliance plan continues to meet the requirements of Part 5C.4 of the Act.
The second part of the auditor’s opinion as stated in (b) above, is to be expressed “as at” the date of the end of the financial year.[4]
As the wording in section 601HG(3)(c)(ii) is ambiguous, the AUASB believes that the expression “continues to meet” may be interpreted to mean “as at” the end of the scheme’s financial year.
Inherent Limitations of Auditing Compliance with the Compliance Plan
23
Due to the nature of audit testing and other inherent limitations of an audit, together with the inherent limitations of a compliance plan and its related compliance measures, there is a possibility that a properly planned and executed audit will not detect all deficiencies in a scheme’s compliance plan. Accordingly, the audit opinion under section 601HG(3) is expressed in terms of reasonable assurance and cannot constitute a guarantee that the compliance plan is completely free from any deficiency, or that all compliance breaches have been detected.
24
There are also practical limitations in requiring an auditor to perform a continuous examination of the compliance plan, and form an opinion that the entity has complied at all times with the Act during the period covered by the compliance plan audit report. However, the auditor performs tests periodically throughout the financial year to obtain evidence and have reasonable assurance that the measures complied with the written descriptions and were adequate throughout the period under examination.
Reporting on Whether the Compliance Plan “Continues to Meet” the Requirements of Part 5C.4 of the Corporations Act
25
The requirements of the Act relating to reporting on whether the compliance plan “continues to meet” the requirements of Part 5C.4, including matters under section 601HA(1), are stated in broad terms. Such requirements are augmented by the examples and guidance in the Annexure to RG 132 and the additional expectation that compliance plan auditors consider whether the compliance plan is adequate to ensure compliance with the disclosure and advertising obligations of RG 45 for mortgage schemes and RG 46 for unlisted property schemes. The auditor uses such criteria to assess the appropriateness of the design of the compliance measures contained in a scheme’s compliance plan.
26
The compliance plan auditor considers how the responsible entity has satisfied itself that the scheme's compliance plan and the measures within it continue to be appropriate throughout the financial year. The Annexure to RG 132 provides general guidance about various matters which may be considered by responsible entities when developing the scheme's compliance plan. In addition, ASIC has benchmarked compliance plans for various industry schemes and provided examples of better compliance plans for those types of schemes in RG 116, RG 117, RG 118, RG 119 and RG 120. The compliance plan auditor may also consider these matters when planning and undertaking a compliance plan audit. However, as compliance plans will vary between different responsible entities and their respective managed investment schemes, it will be necessary for the auditor to apply professional judgement when applying audit procedures and evaluating compliance plans and the design of compliance measures, having regard to the size and complexity of the particular managed investment scheme under examination.
Planning the Compliance Plan Audit
Materiality
27
The auditor considers materiality when:
- determining the nature, timing and extent of audit procedures; and
- evaluating the effect of identified compliance plan breaches or weaknesses in compliance measures.
28
Materiality is addressed in the context of the responsible entity’s compliance objectives, which are developed having regard to the protection of the interests of scheme members as a whole. Materiality considerations are therefore viewed within the context of setting out adequate measures that the responsible entity is to apply in operating the scheme to ensure compliance with the Act and the scheme’s constitution. In this respect, materiality is assessed for the compliance plan of each managed investment scheme being audited, relevant to the area of activity being examined, and whether the compliance measures in the compliance plan will reduce to an acceptably low level the risks that threaten achievement of those objectives and which otherwise could adversely affect the interests of scheme members.
29
The auditor is expected to report significant detected breaches, which either individually or collectively, the auditor judges to be material. The guidance on the meaning and application of the concept of materiality contained in ASAE 3100 is adapted by the compliance plan auditor, as appropriate, to the task of judging adherence to the compliance plan and conformity with the relevant provisions in Part 5C.4 of the Act. However, it is not possible to give a definitive view on what may constitute a material breach of a scheme’s compliance plan, other than to suggest that the auditor exercises appropriate professional judgement having regard to the responsible entity’s obligations to scheme members, together with the size, complexity and nature of a scheme’s activities when determining whether a breach is to be considered material.
30
As identified in ASAE 3100, when assessing materiality, the auditor considers qualitative factors as well as quantitative factors. The following are examples of qualitative factors that may be relevant:
- the specific requirements of the terms of the engagement;
- the significance of identified compliance plan breaches or weaknesses in compliance measures;
- the cost of alternative compliance measures relative to their likely benefit; and
- the length of time which an identified compliance breach was in existence.
Other Audit Planning Considerations
31
The auditor of the compliance plan considers:
- the adequacy of the measures set out in the compliance plan;
- key responsibilities and risks identified in the compliance plan;
- processes established by the responsible entity to implement the measures outlined in the compliance plan; and
- processes established by the responsible entity to monitor adherence to the compliance plan.
32
When evaluating the responsible entity’s adherence to the compliance plan and the ongoing adequacy of its measures, the auditor will need to obtain from management a copy of the plan and the detailed measures which it provides, together with a written description of the procedures and structures which the responsible entity has established to ensure compliance. RG 132 indicates that a scheme’s compliance plan needs to describe compliance activities in sufficient detail and certainty to enable the auditor to assess whether or not the plan has been complied with. Such information will be required by the auditor when designing audit procedures to assess whether the compliance measures and systems are operating effectively and are adequately managing compliance risks.
33
To further assist in the audit of the compliance plan, the auditor considers various matters when planning the audit, including:
- the scheme’s constitution;
- the Australian financial services licence held by the responsible entity and, in particular, any conditions imposed thereon. In this regard, the auditor may choose to examine details of the responsible entity’s licence application, in particular those sections relating to the nature of the scheme’s business and the compliance structure put in place by the responsible entity.
- the nature and extent of any recent changes to the scheme’s compliance plan and whether any detected breaches are deemed to be material in light of the revised compliance plan;
- the nature and extent of any changes to the operation of the scheme itself;
- changes to the Act and related regulations;
- reports and other documents submitted to the compliance committee and/or the board of the responsible entity regarding the operation of the scheme and its compliance functions; and
- previous auditor’s reports, including the auditor’s report on financial reports of the responsible entity, the scheme and other schemes operated by the responsible entity, and related management letters.
Other Matters to be Considered During the Audit of the Compliance Plan
34
As part of the audit of the compliance plan, the auditor considers the measures in the compliance plan which relate to the responsible entity’s monitoring of, and reporting on specific matters incorporated into the plan. Such a consideration may include, but is not limited to, the following matters:
- whether reporting to the board of directors or compliance committee by management on compliance matters is adequate in terms of the extent and frequency of reporting, having regard to the size and complexity of the scheme;
- whether compliance plan breaches are likely to be detected and reported by the monitoring systems that have been implemented by the responsible entity. Where breaches of compliance procedures have been detected, the auditor considers whether such breaches are material either in themselves, or where they are of a recurring nature and have not been rectified, whether their cumulative effect renders them to be a material non-compliance;
- identifying systems which the responsible entity uses to ensure that business units and staff comply with the measures in the compliance plan on a day to day basis. It is also important for the auditor to determine whether the systems and procedures which the responsible entity has in place under its compliance plan are able to correct the effects of significant compliance breaches of which management becomes aware; and
- whether the responsible entity has a process in place to identify and review the scheme’s compliance risks on a periodic basis so as to ensure that its compliance plan contains “adequate” measures and that it complies with the scheme’s constitution and the requirements in Part 5C.4 of the Act.
35
Some responsible entities may have a number of schemes with very similar compliance plans, electing (in some instances) to incorporate, into a compliance plan, the provisions of an existing compliance plan by reference. In such situations, the compliance plan auditor may choose to design and apply common audit tests and procedures across more than one scheme, as considered necessary in the circumstances. However, the compliance plan auditor ensures that the tests and procedures which are applied are representative across all schemes that incorporate the provisions of the incorporated (original) compliance plan, and that they provide sufficient and appropriate audit evidence to enable the expression of the auditor’s opinion on each scheme’s compliance plan as required by section 601HG(3) of the Act.
36
In addition, a responsible entity may choose to outsource various functions (e.g. information technology services or registry services) and engage external service providers. The responsible entity is expected to include measures in the compliance plan to supervise these service providers, given that the responsible entity is considered to be responsible under the Act both for the compliance of those activities which are performed by the responsible entity itself, as well as those functions which may be outsourced to external service providers.
37
In such circumstances, the compliance plan auditor audits compliance with the measures in the compliance plan relating to the supervision by the responsible entity of its service providers. However, the compliance plan auditor is not expected to conduct an audit of these service providers, as it is the obligation of the responsible entity and not the compliance plan auditor, to ensure that the service providers adhere to the responsible entity’s compliance plan for each scheme under its control. In this context, the auditor has particular regard to matters raised in ASA 402 Audit Considerations Relating to Entities Using Service Organisations and GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services.
The Auditors Report on the Compliance Plan Audit
38
Prior to issuing the auditor’s report on the compliance plan audit, the auditor seeks a written representation from the directors of the responsible entity which contains their assertions that the responsible entity has complied with the scheme’s compliance plan during the financial year, and that the plan continues to meet the requirements of Part 5C.4 of the Act.
39
Section 601HG(3) requires the auditor to give their auditor’s report to the current responsible entity, therefore the auditor’s report is addressed to the scheme’s responsible entity. In addition, section 601HG(7) requires the responsible entity to lodge the auditor’s report with ASIC at the same time as the financial statements and reports of the scheme are lodged with ASIC.
40
When reporting on the matters required by section 601HG(3), the auditor follows the requirements contained in ASAE 3100. If the auditor is required to modify the auditor’s report because of a material breach of the compliance plan or because of some ongoing material weakness in compliance measures, the auditor applies the requirements in ASAE 3100 when drafting the modified auditor’s report. Examples of auditor’s reports that may be appropriate for this type of engagement are included in Appendix 2 to this Guidance Statement.