Planning the Annual Prudential Reporting Engagement
The nature and extent of planning activities will vary with the engagement circumstances. Specific matters that may be considered by the auditor as part of the planning process include:
- The auditor’s understanding of the life company and its environment, including its internal control and compliance framework (see paragraphs 38-46).
- The auditor’s previous experience with the life company.
- The characteristics of the subject matter and the identified criteria (see paragraphs 47-53).
- The internal controls relating to actuarial data integrity and financial reporting risks and the reliability and accuracy of the underlying source data (see paragraph 40).
- The intended users of the auditor’s assurance report and their needs (see paragraphs 54-55).
- Materiality (see paragraphs 56-70).
- Engagement risk (see paragraphs 41-46).
- The appropriate assurance strategy to adopt for each part of the engagement and possible sources of evidence.
- Personnel and expertise requirements, including the nature and extent of experts’ involvement (see paragraphs 71-75).
- Work to be performed by another auditor (see paragraph 76).
- The activities of the internal audit function and the effect on audit and review procedures (see paragraphs 77-79).
- The auditor’s additional reporting responsibilities under the Life Act (see paragraphs 132-135).
Further guidance on planning an audit may be found in ASAE 3000 and ASA 300 Planning an Audit of a Financial Report (ASA 300).
The Auditor’s Understanding of the Life Company and its Environment, including its Internal Control and Compliance Framework
The auditor obtains an understanding of the life company and its environment, including its internal control and compliance framework, and other assurance engagement circumstances, sufficient to:
- identify and assess the risks of the subject matter information being materially misstated, that significant deficiencies in internal controls may exist (in relation to the area of activity to be examined), and/or that the life company may not be complying with applicable prudential requirements; and
- design and perform further evidence gathering procedures.
The auditor exercises professional judgement to determine the nature and extent of the understanding that is needed. When performing procedures to obtain an understanding of the life company and its environment, consideration of the following matters may be helpful:
- The size, nature and complexity of the life company and its activities.
- Any changes in the market environment.
- Governance and management functions within the life company, including the attitude, awareness and actions of those charged with governance and of management concerning the life company’s compliance with Prudential Requirements, and the respective roles and responsibilities attributed to the finance, risk management, compliance and internal audit functions.
- Relevant aspects of the life company’s risk management framework and systems applicable to the engagement, including the life company’s risk assessment process for identifying risks relevant to prudential reporting objectives and deciding on actions to address those risks through its risk management systems.
- The life company’s internal control relevant to the assurance engagement.
- The life company’s compliance framework, processes and controls (refer to ASAE 3100).
- The significance and complexity of the life company’s information technology environment and systems.
- Any formal communications between APRA and the life company, and the results of any supervisory visits conducted by APRA in relation to the engagement.
- Recent reports prepared by other assurance practitioners appointed to report on any aspect of the life company.
- Work performed by the internal audit, risk management and compliance functions, for example key findings, control deficiencies, compliance register or incident reporting, and any reliance that may be placed on this work.
- Discussions with life company staff responsible for monitoring regulatory compliance, such as the life company’s compliance officer or chief risk officer.
In addition to the general planning considerations, the auditor takes the following factors into account when planning the review of the life company’s internal controls relevant to the assurance engagement:
- The overall compliance framework adopted by the life company to ensure compliance with all applicable prudential requirements, including its controls, policies and processes, and consideration of whether or not these are appropriate given the size, nature and complexity of the life company.
- The sufficiency and appropriateness of the life company’s risk management strategy, including systems, policies and controls adopted in accordance with specific prudential standards, and consideration of whether these are up to date and in sufficient detail to facilitate compliance with the relevant prudential standards.
- Matters relating to the life company’s organisational structure and operating characteristics, and recent significant changes thereto, which could impact on the life company’s internal controls.
- Knowledge of the life company’s internal controls obtained during other assurance engagements conducted in relation to the life company.
- Previously communicated instances of material non compliance with prudential requirements and/or material deficiencies in internal controls designed to ensure compliance with all applicable prudential requirements and the provision of reliable data to APRA in annual returns that have and have not been resolved by the life company.
- In relation to actuarial data integrity and financial reporting risks the auditor may consider some of the following:
- Sufficiency of expert resources within the life company e.g. actuarial or financial analysis and modelling;
- Level/frequency of internal/external review of actuarial forecasting systems, models and associated controls;
- Complexity of the underlying IT systems and general IT controls including:
- storage and protection of data;
- number of source systems;
- system interfaces;
- data transfer processes;
- updating of actuarial data/key fields in the source systems; and
- end user computing controls in relation to spreadsheets or other business owned applications e.g. version control, integrity, password control and logic tests.
The above is not meant to represent an exhaustive list and there may be other factors relevant to the specific circumstances of a life company.
In accordance with ASA 315 Identifying and Assessing Risks of Material Misstatement through Understanding the Entity and its Environment, the auditor performs risk assessment procedures and related activities to obtain an understanding of the life company and its environment. The Prudential Capital Requirement (PCR) of a life company is intended to take account of the range of risks to which a typical life company is exposed. The PCR for a life company, a statutory fund or a general fund is determined under LPS 110 Capital Adequacy and includes but is not limited to consideration of the following:
- the Insurance Risk Charge (IRC)
- the Asset Risk Charge (ARC)
- the Asset Concentration Risk Charge (ACRC)
- the Operational Risk Charge (ORC)
In identifying and assessing the risks of material misstatement, the auditor may need to consider the use of accounting estimates in the calculation of the life company’s PCR under ASA 540 Auditing Accounting Estimates, Including Fair Value Accounting Estimates, and Related Disclosures and evaluate the degree of estimation uncertainty associated with any accounting estimates.
The degree of estimation uncertainty associated with an accounting estimate may be influenced by factors such as:
- The extent to which the accounting estimate depends on judgement.
- The sensitivity of the accounting estimate to changes in assumptions.
- The existence of recognised measurement techniques that may mitigate the estimation uncertainty (though the subjectivity of the assumptions used as inputs may nevertheless give rise to estimation uncertainty).
- The length of the forecast period, and the relevance of data drawn from past events to forecast future events.
- The availability of reliable data from external sources.
- The extent to which the accounting estimate is based on observable or unobservable inputs.
- The degree of estimation uncertainty associated with an accounting estimate may influence the estimate’s susceptibility to bias.
Matters the auditor considers in assessing the risks of material misstatement in an accounting estimate may also include:
- The actual or expected magnitude of an accounting estimate.
- The recorded amount of the accounting estimate (that is, management’s point estimate) in relation to the amount expected by the auditor to be recorded.
- Management’s documentation of the judgements involved in estimates, for example, assumptions, model risk and understanding and data quality.
- Outcomes of the sensitivity analysis performed on the assumptions by management.
- Adequacy and outcomes of the process adopted by the life company in determining the PCR is appropriate as it relates to the life company as a whole.
- Complexities and disclosures required for each component of risk under the life company’s PCR calculation.
- Whether the models developed by management are using recognised measurement techniques and are independently reviewed and approved by appropriate personnel or an external expert.
- Reliance on and use of internally developed or externally sourced models to estimate scenarios arising from movements in future mortality, morbidity, longevity, servicing expenses, lapses and other insurance risks.
- Whether relevant and reliable controls are in place around the modelling process and the protection of model integrity.
- Whether management has used an expert in making the accounting estimate.
- The effectiveness of the controls and processes relied upon in setting the best estimate assumptions and insurance risk stress margins underlying the life company’s PCR calculation.
- Outcomes of the Appointed Actuary’s Financial Condition Report (FCR) and any impacts they may have on accounting estimates.
- Outcomes of the review of prior period accounting estimates.
The auditor considers the above factors and their impact on the audit approach and uses professional judgement in forming a view as to whether the accounting estimates are reliable.
In addressing the risks and accounting estimates associated with each of the areas in paragraph 41, the auditor may need to consider performing further substantive procedures to respond to significant risks associated with estimation uncertainty.
The auditor uses professional judgement to assess whether there is sufficient evidence available to enable the auditor to form an opinion in relation to accounting estimates.
The Characteristics of the Subject Matter and the Identified Criteria
The auditor identifies the most recent yearend life company annual returns submitted to APRA for audit.
The auditor identifies, and obtains an understanding of, all the prudential requirements (refer to definition under paragraph 17) applicable to the specific life company (including any additional guidance provided by APRA to the life company), with particular attention to changes in these requirements during the reporting period. The auditor makes enquiries with respect to any requirements that are imposed in writing by APRA on the life company, or in relation to conditions on the life company’s authorisation, as these requirements may vary from one life company to another.
Compliance with prudential requirements (see paragraphs 27(a) and 27(b) of this Guidance Statement) is broader than compliance with only the quantitative limits in APRA Prudential Standards (for example, capital adequacy requirements). The auditor is required to obtain reasonable assurance in relation to the preparation of the annual return(s) in accordance with the Life Act, the FSCODA Act 2001 and the applicable APRA reporting standards (refer Auditor’s Opinion in Appendix 1 Part A).
In relation to a life company’s responsibility to keep the auditor informed of all APRA prudential requirements applicable to the life company, the auditor obtains written representations from those responsible (see paragraphs 109-110).
APRA Prudential and Reporting Standards provide the criteria for evaluation or measurement, within the context of the auditor’s professional judgement, of the reliability of the information included in life company annual returns.
The auditor identifies and obtains an understanding of the applicable prudential requirements that govern the preparation of data within life company annual returns, with particular attention to changes in these requirements during the reporting period under review. In addition to the Prudential and Reporting Standards issued by APRA, other Prudential Requirements, including the life company Reporting Form Instruction Guides, will have an impact on the provision of reliable data to APRA under the FSCODA and, therefore, the auditor has regard to all relevant Prudential Requirements when planning and conducting the engagement.
It is important that the auditor obtains an understanding of how APRA Prudential Standards and APRA Reporting Standards differ from the financial reporting framework (Australian Accounting Standards), which determines data recorded in the life company’s accounting records.
The Intended Users of the Auditor’s Assurance Report and Their Needs
Data collected in a life company annual return(s) is primarily used by APRA to ensure that:
- the regulated entity has met the requirements of all prudential standards and other statutory and regulatory requirements;
- statistical and financial data provided to APRA is reliable; and
- other matters that could materially prejudice/adversely affect the interests of policyholders are concluded upon.
APRA has the power under subsection 56(5) of the Australian Prudential Regulation Authority Act 1998 to make ‘protected information’ (which may include auditors’ reports or information extracted from such reports) available to another financial sector supervisory agency (for example, the Reserve Bank of Australia (RBA), the Australian Bureau of Statistics (ABS) and the Australian Securities and Investments Commission (ASIC), or any other ‘specified’ agency (including foreign agencies), when APRA is satisfied such information will assist those agencies in performing their functions or exercising their powers.
The auditor considers materiality when:
- determining the nature, timing and extent of audit and review procedures;
- evaluating the effect of uncorrected misstatements identified in life company annual returns;
- evaluating the effect of identified deficiencies in internal controls designed to ensure:
- compliance with Prudential Requirements; and
- reliable data is provided in the life company annual returns; and
- integrity of actuarial data;
- assessing the significance of identified instances of non compliance with relevant Prudential Requirements.
Determining materiality involves the exercise of professional judgement. Judgements about materiality are made in light of relevant circumstances, and are affected by quantitative and qualitative factors as well as consideration of the potential impact of misstatements, control deficiencies and/or instances of noncompliance that are individually immaterial but in the aggregate may be of concern.
Since the concept of materiality is applied differently in the context of an audit or review of financial and other information, a review of internal controls, and for the purpose of reporting on a life company’s compliance with Prudential Requirements, it is considered separately below in paragraphs 67-69.
Although there is a greater risk that misstatements, control deficiencies or instances of noncompliance may not be detected in a review than in an audit, the judgement as to what is material is made by reference to the subject matter on which the auditor is reporting and the needs of those relying on that information, as opposed to the level of assurance obtained.
Audit of Life Company Annual Returns
The principles of assessing materiality for the purpose of expressing an opinion on a life company’s annual returns (an audit), will generally be similar to that applying to the audit of a financial report.
For the purposes of the audit of life company annual returns, the auditor considers materiality, as appropriate, under Auditing Standard ASA 320 Materiality in Planning and Performing an Audit (ASA 320).
Misstatements in the life company annual returns, either individually or in aggregate with other misstatements, are considered material if the auditor believes the intended users (refer paragraphs 54-55) may be influenced by the misstatement(s) of the information.
ASA 320 deals with materiality in the context of the financial statements taken as a whole. For the purpose of reporting on the reliability of information included in specified life company annual returns, the auditor considers and applies materiality at the level of individual annual returns, or data items, as appropriate.
In applying ASA 320 and ASAE 3000, as appropriate, to individual annual returns, the auditor has regard to the nature, purpose and use of the information included in each annual return. The collection and analysis of data in specified annual returns is a critical component of APRA’s supervisory function. APRA collects data from life companies and friendly societies (and other APRA regulated entities) in order to:
- verify compliance with prudential requirements (e.g. solvency and capital requirements);
- understand the operations of the company and the industry;
- identify emerging issues in both the company and the industry;
- pass on data to other government agencies; and
- provide information on the finance sector to research organisations and the general public.
The auditor’s preliminary assessment of materiality is based largely on quantitative factors. A percentage is often applied to a chosen benchmark as a starting point in determining materiality. The base and percentage may vary depending upon the life company annual return in question.
The auditor has regard to alternative bases such as profit, revenue or assets when considering whether a misstatement within a life company’s annual returns such as the Statement of Financial Position, Income Statement, Summary of Revenue and Expenses or Retained Profits, is material.
Review of Internal Controls
In accordance with ASAE 3000, when reviewing internal controls, the auditor assesses materiality in the context of the life company’s objectives relevant to the particular area of activity being examined, and whether the internal controls will reduce to an acceptably low level, the risks that may threaten the achievement of the control objectives – in this case compliance with prudential requirements and integrity of actuarial data.
In assessing materiality, the auditor has regard to the measures the life company has adopted to ensure:
- reliable data is provided to APRA in all of the life company’s annual returns prepared under the FSCODA;
- compliance with all applicable Prudential Requirements; and
- integrity of actuarial data.
ASAE 3100 sets out the requirements and provides guidance to the auditor in applying materiality in the context of a compliance engagement.
Reporting on Compliance with Prudential Requirements and Actuarial Data Integrity
LPS 310 requires the auditor to provide limited assurance that the life company has suitably designed systems, procedures and controls to ensure the life company has complied, in all material respects, with all applicable Prudential Requirements (see paragraph 27(b) of this Guidance Statement). The auditor considers materiality when evaluating the significance of identified instances of noncompliance with relevant Prudential Requirements (refer to paragraphs 93-99). For further guidance in relation to the controls and appropriate audit evidence (refer to paragraphs 81 –92) and the evaluation of findings by the auditor (refer to paragraphs 101-103).
Personnel and Expertise Requirements, Including the Nature and Extent of Experts’ Involvement
An auditor gives further consideration as to whether the auditor has, or will be able to obtain, adequate knowledge and the required skills to undertake the engagement.
LPS 310 prohibits auditors from placing sole reliance on the work performed by APRA. As required by professional ethical requirements, auditors exercise their professional judgement and reach their own conclusions when undertaking any assurance engagement.
The nature and complexity of the life company determines whether the auditor may need to involve experts in the engagement. When conducting this type of engagement, there are a number of considerations that need to be addressed by the auditor in relation to the use of, for example, an actuarial expert:
- whether there is an expert appointed by management or those charged with governance (management’s expert) under the requirements outlined in LPS 320 Actuarial and Related Matters (LPS 320), in which case ASAE 3000 will need to be considered;
- whether there is a requirement for an auditor’s expert (auditor’s expert) in which case ASA 620 Using the Work of an Auditor’s Expert (ASA 620) and ASAE 3000 will need to be considered; and
- where the engagement team includes actuarial experts.
Under the Life Act, a life company must appoint an appointed actuary (management’s expert as defined by ASA 620). One of the key requirements to be met by the appointed actuary is to complete a financial condition report on the life company. As outlined in LPS 320, this is the minimum requirement for a life company or a friendly society.
The complexity and nature of the life company may warrant the use of both a management’s expert and an auditor’s expert on the same engagement. Generally this is the case for the larger more complex life companies, however, in the case of a friendly society the management’s expert may be able to provide the auditor with sufficient appropriate audit/review evidence.
The life company auditor also liaises with the life company appointed actuary with regard to the requirements of s80(2) of the Life Act in order for the auditor to obtain assurance that the income and outgoings apportionments have been made equitably and in accordance with generally accepted accounting principles (refer to paragraph 133).
Work Performed by Another Auditor
Where the auditor plans to use the work of another independent auditor or assurance practitioner, the auditor:
The Activities of the Internal Audit Function and the Effect on Audit and Review Procedures
CPS 510 requires all life companies (including an eligible foreign life insurance companies (EFLICs), to have in place an independent and adequately resourced internal audit function.
CPS 510 requires that the objectives of the internal audit function include an evaluation of the adequacy and effectiveness of the financial and risk management framework of the life company.
In considering the activities of the internal audit function and evaluating the effect, if any, on audit and review procedures, the auditor:
Further guidance on this area is available in GS 005 Using the Work of a Management’s Expert (to be issued in January 2015).
Under CPS 510, APRA may approve alternative arrangements where APRA is satisfied that it will achieve the same objectives.