Planning the Compliance Plan Audit
Materiality
27
The auditor considers materiality when:
- determining the nature, timing and extent of audit procedures; and
- evaluating the effect of identified compliance plan breaches or weaknesses in compliance measures.
28
Materiality is addressed in the context of the responsible entity’s compliance objectives, which are developed having regard to the protection of the interests of scheme members as a whole. Materiality considerations are therefore viewed within the context of setting out adequate measures that the responsible entity is to apply in operating the scheme to ensure compliance with the Act and the scheme’s constitution. In this respect, materiality is assessed for the compliance plan of each managed investment scheme being audited, relevant to the area of activity being examined, and whether the compliance measures in the compliance plan will reduce to an acceptably low level the risks that threaten achievement of those objectives and which otherwise could adversely affect the interests of scheme members.
29
The auditor is expected to report significant detected breaches, which either individually or collectively, the auditor judges to be material. The guidance on the meaning and application of the concept of materiality contained in ASAE 3100 is adapted by the compliance plan auditor, as appropriate, to the task of judging adherence to the compliance plan and conformity with the relevant provisions in Part 5C.4 of the Act. However, it is not possible to give a definitive view on what may constitute a material breach of a scheme’s compliance plan, other than to suggest that the auditor exercises appropriate professional judgement having regard to the responsible entity’s obligations to scheme members, together with the size, complexity and nature of a scheme’s activities when determining whether a breach is to be considered material.
30
As identified in ASAE 3100, when assessing materiality, the auditor considers qualitative factors as well as quantitative factors. The following are examples of qualitative factors that may be relevant:
- the specific requirements of the terms of the engagement;
- the significance of identified compliance plan breaches or weaknesses in compliance measures;
- the cost of alternative compliance measures relative to their likely benefit; and
- the length of time which an identified compliance breach was in existence.
Other Audit Planning Considerations
31
The auditor of the compliance plan considers:
- the adequacy of the measures set out in the compliance plan;
- key responsibilities and risks identified in the compliance plan;
- processes established by the responsible entity to implement the measures outlined in the compliance plan; and
- processes established by the responsible entity to monitor adherence to the compliance plan.
32
When evaluating the responsible entity’s adherence to the compliance plan and the ongoing adequacy of its measures, the auditor will need to obtain from management a copy of the plan and the detailed measures which it provides, together with a written description of the procedures and structures which the responsible entity has established to ensure compliance. RG 132 indicates that a scheme’s compliance plan needs to describe compliance activities in sufficient detail and certainty to enable the auditor to assess whether or not the plan has been complied with. Such information will be required by the auditor when designing audit procedures to assess whether the compliance measures and systems are operating effectively and are adequately managing compliance risks.
33
To further assist in the audit of the compliance plan, the auditor considers various matters when planning the audit, including:
- the scheme’s constitution;
- the Australian financial services licence held by the responsible entity and, in particular, any conditions imposed thereon. In this regard, the auditor may choose to examine details of the responsible entity’s licence application, in particular those sections relating to the nature of the scheme’s business and the compliance structure put in place by the responsible entity.
- the nature and extent of any recent changes to the scheme’s compliance plan and whether any detected breaches are deemed to be material in light of the revised compliance plan;
- the nature and extent of any changes to the operation of the scheme itself;
- changes to the Act and related regulations;
- reports and other documents submitted to the compliance committee and/or the board of the responsible entity regarding the operation of the scheme and its compliance functions; and
- previous auditor’s reports, including the auditor’s report on financial reports of the responsible entity, the scheme and other schemes operated by the responsible entity, and related management letters.
Other Matters to be Considered During the Audit of the Compliance Plan
34
As part of the audit of the compliance plan, the auditor considers the measures in the compliance plan which relate to the responsible entity’s monitoring of, and reporting on specific matters incorporated into the plan. Such a consideration may include, but is not limited to, the following matters:
- whether reporting to the board of directors or compliance committee by management on compliance matters is adequate in terms of the extent and frequency of reporting, having regard to the size and complexity of the scheme;
- whether compliance plan breaches are likely to be detected and reported by the monitoring systems that have been implemented by the responsible entity. Where breaches of compliance procedures have been detected, the auditor considers whether such breaches are material either in themselves, or where they are of a recurring nature and have not been rectified, whether their cumulative effect renders them to be a material non-compliance;
- identifying systems which the responsible entity uses to ensure that business units and staff comply with the measures in the compliance plan on a day to day basis. It is also important for the auditor to determine whether the systems and procedures which the responsible entity has in place under its compliance plan are able to correct the effects of significant compliance breaches of which management becomes aware; and
- whether the responsible entity has a process in place to identify and review the scheme’s compliance risks on a periodic basis so as to ensure that its compliance plan contains “adequate” measures and that it complies with the scheme’s constitution and the requirements in Part 5C.4 of the Act.
35
Some responsible entities may have a number of schemes with very similar compliance plans, electing (in some instances) to incorporate, into a compliance plan, the provisions of an existing compliance plan by reference. In such situations, the compliance plan auditor may choose to design and apply common audit tests and procedures across more than one scheme, as considered necessary in the circumstances. However, the compliance plan auditor ensures that the tests and procedures which are applied are representative across all schemes that incorporate the provisions of the incorporated (original) compliance plan, and that they provide sufficient and appropriate audit evidence to enable the expression of the auditor’s opinion on each scheme’s compliance plan as required by section 601HG(3) of the Act.
36
In addition, a responsible entity may choose to outsource various functions (e.g. information technology services or registry services) and engage external service providers. The responsible entity is expected to include measures in the compliance plan to supervise these service providers, given that the responsible entity is considered to be responsible under the Act both for the compliance of those activities which are performed by the responsible entity itself, as well as those functions which may be outsourced to external service providers.
37
In such circumstances, the compliance plan auditor audits compliance with the measures in the compliance plan relating to the supervision by the responsible entity of its service providers. However, the compliance plan auditor is not expected to conduct an audit of these service providers, as it is the obligation of the responsible entity and not the compliance plan auditor, to ensure that the service providers adhere to the responsible entity’s compliance plan for each scheme under its control. In this context, the auditor has particular regard to matters raised in ASA 402 Audit Considerations Relating to Entities Using Service Organisations and GS 007 Audit Implications of the Use of Service Organisations for Investment Management Services.