Conducting the Annual Prudential Reporting Engagement
Audit of Annual Returns to APRA
The auditor is required to prepare a report that provides reasonable assurance on the life company’s annual returns to APRA, as specified in attachment A to LPS 310. In particular, the report must specify whether in all material respects, the auditor concludes the:
- annual returns are reliable in accordance with relevant prudential requirements; and
- prudential requirements in relation to the accounting for statutory funds have been met.
The report to the life company is addressed to the board of the life company.
Review of Internal Controls over Compliance with Prudential Requirements and Reliability of the Life Company’s Annual Returns
Under LPS 310, the auditor is required to express a conclusion, based on a review, as to whether anything has come to the attention of the auditor to cause the auditor to believe that, in all material respects:
- The life company has not implemented internal controls that are designed to ensure the life company has:
- complied with all applicable Prudential Requirements; and
- provided reliable data to APRA in the life company’s annual returns prepared under the FSCODA.
- The controls in paragraph 81(a) have not operated effectively throughout the financial year.
- The life company’s systems, procedures and internal controls relating to actuarial data integrity and financial reporting risks (the risks that incorrect source data will be used in completing the Annual returns under FSCODA) are not adequate and effective.
Gathering Assurance Evidence
The evaluation of whether the life company has implemented internal controls that are designed to achieve the relevant control objectives as set out in paragraph 81 above, is performed in the context of the auditor’s general understanding of the life company and its environment, the life company’s risk management practices, and its internal control and compliance framework, as obtained for the purpose of planning the engagement. This review is based on whether the life company has implemented internal controls that have been suitably designed to reduce to an acceptably low level, the risks that threaten achievement of the relevant control objectives.
The auditor generally adopts a ‘top down’ approach in gathering evidence, by making enquiries of key personnel, observing the life company’s operations, performing ‘walk through’ tests of controls, and inspecting relevant documentation, as appropriate, in order to achieve the following:
- Obtaining an understanding of the life company’s overall control environment and compliance framework.
- Identifying the internal compliance function(s) designed to ensure compliance with all applicable Prudential Requirements.
- Identifying policies, procedures and controls designed to ensure compliance with all applicable Prudential Requirements, by reviewing documents such as the life company’s Internal Capital Adequacy Assessment Process (ICAAP) Summary Statement and management declaration, Risk Management Framework, Risk Management Strategy and similar risk management policy documents issued by the life company in accordance with applicable prudential standards.
- Identifying the processes used by the Board of the life company to support its Risk Management Declaration to APRA as outlined in CPS 220 Risk Management (CPS 220).
- Identifying key Board and operational matters by reviewing the minutes of the life company’s Board, as well as minutes of any sub committees responsible, for example, for oversight of risk, compliance and audit, held during the year and enquiring about matters discussed and outcomes from Board decisions.
- Identifying the internal risk and compliance functions designed to oversee the provision of data to APRA in life company annual returns.
- Identifying significant processes for the preparation of life company annual returns e.g. ICAAP.
- Identifying the key controls over these significant processes that are designed to ensure that reliable data is provided to APRA in life company annual returns.
The above is not an exhaustive list of procedures that the auditor may perform in gathering evidence. An auditor’s professional judgement would be used as appropriate in the circumstances of the assurance engagement.
Life companies have different systems and procedures in place to monitor compliance with specific Prudential Standards. Projections and estimates are likely to be part of the monitoring process, as the preparation of a full financial report is unlikely to be practical on a daybyday or weekbyweek basis. Varying degrees of precision may exist therefore in applying the monitoring process. Notwithstanding these differences, such systems seek to ensure that life companies comply with all Prudential Standards on a continuous basis.
The way in which internal control is designed and implemented varies with a life company’s size and complexity. Smaller life companies may use less formal means and simpler processes to achieve their control objectives.
The auditor gathers evidence in response to assessed risks with a focus on identifying key controls within the control systems design. The auditor exercises professional judgement in determining the specific nature, timing and extent of review procedures to achieve the review objective.
Following the evaluation of whether the life company has internal controls designed to achieve the relevant control objectives, the auditor performs review procedures to obtain evidence about whether these controls have operated as designed throughout the financial year. The auditor may consider how the controls were applied, the consistency with which they were applied, by whom they were applied and the period of time over which the controls were applied.
The review of operating effectiveness may include procedures such as:
- Enquiry of appropriate life company personnel (and obtaining written representations).
- Observation of the control process.
- Ascertaining whether the person(s) performing the control(s) possesses the necessary authority and competence to perform the control(s) effectively.
- Review of relevant documentation.
- ‘Walk through’ tests; and
- Limited re performance of the controls.
Interpretation of the word ‘reliable’ in the context of the review of controls over life company annual returns has practical limitations in some circumstances. For many life companies, it is only at the financial yearend (or for life companies that are disclosing entities, also at the half yearend) that all the necessary accounting adjustments, such as accruals, prepayments, provisioning and valuations, are prepared and subjected to audit or review. APRA accepts this position that annual returns prepared throughout the year are based on the life company’s normal accounting process.
The auditor makes enquires as to whether there were any changes in internal control, or other matters, subsequent to the financial yearend date and up to the date of the auditor’s assurance report, that may have an impact on the auditor’s conclusion about the effectiveness of internal controls, and obtains written representations from management relating to such matters.
Evaluation of Misstatements
Audit of Life Company Annual Returns
The auditor evaluates, individually and in the aggregate, whether uncorrected misstatements that have come to the auditor’s attention, are material to the reported information. Materiality is applied in the context of paragraphs 56-69 of this Guidance Statement.
In evaluating whether or not the specified life company annual returns, or data in annual returns, are, in all material respects, reliable and in accordance with the relevant APRA Prudential and Reporting Standards, the auditor exercises professional judgement, having regard to both the users and intended uses of the information in the annual returns.
The magnitude of a misstatement alone is only one factor used to assess the misstatement. The auditor evaluates each identified misstatement in the context of information relevant to users of the annual return, by considering qualitative factors and the circumstances in which each misstatement has been made. For example, in evaluating identified misstatements, the auditor has regard to factors such as the level of the life company’s buffer above the particular minimum prudential capital requirements (determined under periodic quantitative calculations) and the sensitivity of these buffers to fluctuations in the life company’s financial performance and position.
The auditor may designate an amount below which misstatements need not be aggregated, because the auditor expects that the aggregation of such amounts clearly would not have a material effect on the reported information. In doing so, the auditor considers that the materiality of misstatements involves qualitative as well as quantitative considerations and those misstatements of a relatively small amount could nevertheless have a material effect on the reported information.
A key concern with any misstatement within a life company’s annual returns is its potential impact on the life company’s ‘capital adequacy requirement’ that is determined in accordance with APRA’s prudential standards. This is taken into consideration by the auditor when evaluating whether a misstatement in the life company’s annual returns, has a material impact on the Prescribed Capital Amount.
The auditor may also consider LPS 112 Capital Adequacy: Measurement of Capital, where materiality in relation to capital adequacy must be evaluated and applied at the statutory fund level. The materiality of the statutory fund relative to the size of the company overall may be taken into account for the purposes of assessing the impact on the Prescribed Capital Amount.
In extremely rare circumstances, the auditor may conclude that information reported in life company annual return(s) in accordance with the relevant APRA Prudential and Reporting Standards is misleading. The auditor discusses the matter with management and, depending how it is resolved, determines whether, and how, to communicate the matter in the auditor’s assurance report.
Review of Internal Controls
The auditor evaluates, individually and in aggregate, whether internal control deficiencies that have come to the auditor’s attention are material. Materiality is to be applied in the context of paragraphs 67-69.
The auditor exercises professional judgement in evaluating the materiality of internal control deficiencies, having regard to the intended users of the auditor’s assurance report.
In evaluating the severity of identified internal control deficiencies, the auditor having regard to materiality, considers:
- the likelihood that the relevant internal controls may fail to prevent or detect:
- non compliance with a Prudential Requirement;
- a misstatement in the data being provided to APRA in life company annual returns;
- misstatements in actuarial data used in financial reporting;
- the significance of the potential resulting non compliance with a Prudential Requirement in the context of the life company’s overall compliance with applicable Prudential Requirements;
- the magnitude of the potential misstatement that could result from the internal control deficiency in the information reported in the life company annual returns; and
- the magnitude of the potential misstatement that could result from a deficiency in internal control over the adequacy and effectiveness of actuarial data integrity and financial reporting risks.
The evaluation of the severity of a deficiency in internal control does not depend on whether a misstatement or noncompliance with a Prudential Requirement has actually occurred, but rather the likelihood that the life company’s controls may fail to prevent or detect a material misstatement or material noncompliance with a Prudential Requirement.
Reporting on Compliance with Prudential Requirements
The auditor is required under LPS 310 to express a conclusion, based on the audit or review(s) conducted under paragraphs 80-103 above, as to whether anything has come to the attention of the auditor to cause the auditor to believe that, during the financial year, the life company has not complied, in all material respects, with all applicable Prudential Requirements in the Life Act and the FSCODA, including compliance with APRA Prudential and Reporting Standards.
Under sections 88 and 88A of the Life Act, auditors are required to report to APRA when the auditor believes the life company or its directors may have contravened the Life Act or to assist APRA to perform its functions under the Life Act (refer to paragraphs 28, 132-136 of this Guidance Statement for further detail).
The auditor considers materiality when assessing the significance of identified instances of noncompliance with relevant Prudential Requirements.
In order to conclude on a life company’s compliance with all applicable Prudential Requirements, the auditor considers the existence of relevant matters that may indicate instances of noncompliance, throughout the reporting period and up to the date of signing the auditor’s assurance report.
The auditor complies with the requirements of Auditing Standard ASA 560 Subsequent Events (ASA 560), as appropriate, which may include the following audit procedures:
- Reading minutes of the life company’s Board, as well as minutes of any sub committees responsible, for example, for oversight of risk, compliance and audit, held after balance date and enquiring about matters discussed at these meetings for which minutes are not yet available.
- Examining the life company’s breach registers up to the date of the auditor’s assurance report.
- Enquiring of the life company’s management as to whether any subsequent events have occurred which might represent non compliance with applicable Prudential Requirements.
Prior to issuing the Auditor’s Annual Prudential Assurance Report, the auditor obtains written representations, as are considered appropriate to matters specific to the life company, from the party responsible for the life company.
Inherent Limitations of the Engagement
As the systems, procedures and controls to ensure compliance with Prudential Requirements are part of the life company’s operations, it is possible that either the inherent limitations of the internal control structure, or weaknesses in it, may impact on the effective operation of the life company’s specific control procedures. Furthermore, fraud, error or noncompliance with laws and regulations may occur and not be detected.
Due to the nature of audit and review procedures and other inherent limitations of an audit and review, there is a possibility that a properly planned and executed audit or review may not detect all errors or omissions in life company annual returns, deficiencies in controls, or instances of noncompliance with Prudential Requirements.
An audit provides reasonable assurance and cannot constitute a guarantee that the information included in life company annual returns specified in Attachment A to LPS 310, sourced from accounting records, is reliable, or that all instances of noncompliance with relevant APRA Prudential and Reporting Standards have been detected.
While reviews involve the application of audit related skills and techniques, usually they do not involve many of the procedures performed during an audit. In an audit, as the auditor’s objective is to provide a high, but not absolute, level of assurance on the reliability of information included in life company annual returns, the auditor uses more extensive audit procedures than in a review. Review procedures, therefore, do not provide all the evidence required in an audit and, consequently, the level of assurance obtained is less than that in an audit.
The auditor performs procedures appropriate to provide limited assurance in relation to internal controls existing at the review date, and whether those controls have operated as documented throughout the financial year.
This should include any reference to amendments set out in letters from APRA to Registered Life Companies and Appointed Auditors.
Refer to LPS 100 Solvency, LPS 110 Capital Adequacy and LPS 112 Capital Adequacy: Measurement of Capital.
Management and, where appropriate, those charged with governance of the life company.