Federal Register of Legislation - Australian Government

APS 310 Standards/Prudential (Banking & Insurance) as made
This instrument determines Prudential Standard APS 310 to ensure that high quality information is provided by ADIs to APRA.
Administered by: Treasury
General Comments: Prudential Standard APS 310 - Audit & Related Arrangements for Prudential Reporting (08/09/2000) contained in Banking Act 1959 - Prudential Standard APS 310 - Audit & Related Arrangements for Prudential Reporting (08/09/2000) was revoked by Banking (prudential standard) determination No. 4 of 2008 - Prudential Standard APS 310 - Audit and Related Matters with effect from 1 January 2009.
Registered 18 Sep 2006
Gazetted 20 Sep 2000
Date of repeal 09 Aug 2013
Repealed by Treasury (Spent and Redundant Instruments) Repeal Regulation 2013


Prudential Standard

APS 310 - Audit & Related Arrangements for Prudential Reporting


This standard aims to ensure the high quality of information provided by ADIs to APRA.  It also specifies requirements for a management attestation by ADIs in respect of the effectiveness and adequacy of their risk management processes.




1.             APRA’s supervisory process depends on prudential information[1] provided by ADIs[2].  APRA needs to be assured of the accuracy and integrity of the information provided to be confident that its judgements about the ADI’s management practices and compliance with prudential requirements are well-informed and soundly based.  Arrangements with an ADI’s external auditors operate to enhance the credibility of the information provided.

2.             Liaison with an ADI’s external auditor will normally be conducted under tripartite arrangements involving APRA, the ADI and its external auditor.  In the normal course, regular tripartite meetings will be held to discuss the external auditor’s reports and any matters arising from the external auditor’s review.  However, any one of the three parties can initiate meetings or discussions at any time should it consider it necessary.  Notwithstanding the tripartite relationship, an ADI’s external auditor and APRA may, in exceptional circumstances as required under the Banking Act 1959, engage with each other on a bilateral basis.

3.             An ADI should keep its external auditor fully informed of APRA’s prudential requirements for the ADI.  This includes passing to the external auditor any relevant information from its communications with APRA, as well as other relevant information provided by APRA to the ADI from time to time (such as the release of new Prudential Standards or subsequent changes to any existing Prudential Standards).


Risk Management Systems

4.             It is the responsibility of an ADI’s board and management to ensure that the ADI meets prudential and statutory requirements and has management practices to limit risks to prudent levels.  The risk management practices must be detailed in risk management systems descriptions which should be regularly reviewed and updated (at least annually) to take account of changing circumstances.

5.             An ADI is required to provide APRA with high level descriptions of its key risk management systems covering all major areas of risks and keep APRA informed of all material changes to their risk management systems descriptions as they are made.

6.             Within 3 months[3] of its annual balance date, an ADI should provide APRA with a “declaration” from the chief executive, endorsed by the board or in the case of a foreign ADI, by a senior officer from outside Australia with responsibility for overseeing the Australian operations.

7.             The “declaration” should attest that, for the financial year past:

(a)          the board and management have identified the key risks facing the ADI;

(b)         the board and management have established systems to monitor and manage those risks including, where appropriate, by setting and requiring adherence to a series of prudent limits, and by adequate and timely reporting processes;

(c)         these risk management systems are operating effectively and are adequate having regard to the risks they are designed to control; and 

(d)         the risk management systems descriptions provided to APRA are accurate and current.

8.             If an ADI feels it needs to qualify the declaration prescribed in paragraph 7, it would need to explain the reasons for the qualifications, as well as provide plans for corrective action.


Audit Committee

9.             The board of a locally incorporated ADI should establish an Audit Committee made up of a majority of non-executive directors (the Chairman of the board would not normally chair the Committee) to monitor compliance with the board policies, as well as prudential and statutory requirements.  The Audit Committee should, as a minimum, oversee the ADI’s financial reporting, internal and external audits, and appointment of the external auditor.

10.        The Audit Committee should review the external auditor’s engagement every year, including inquiring of their independence in accordance with Statement of Auditing Practice AUP 32 “Audit Independence”.


Internal Audit

11.        Locally incorporated ADIs should have a comprehensive and independent internal audit process for reviewing and testing their internal controls and risk management systems.  The scope of the internal audit should include a review of the processes and controls put in place by management to ensure compliance with APRA’s prudential requirements.

12.        Where the scale of an ADI’s operations does not justify maintaining a full time internal audit function, the ADI should agree alternative review arrangements with APRA.  Internal auditors should be represented in tripartite meetings with APRA, the ADI and its external auditor.


Role of External Auditors

13.        External auditors should, within 3 months[4] of the annual balance date of an ADI, provide simultaneously to APRA and the Audit Committee, or in the case of foreign ADIs, the senior country managers, a report up to the latest balance date detailing the external auditor’s opinions[5] as to whether:

(a)          the ADI has observed all the prudential standard requirements which APRA has set for the ADI;

(b)         the statistical and financial data provided by the ADI to APRA are reliable;

(c)         the ADI has complied with statutory banking requirements, any conditions on the authority to carry on banking business, and any other conditions imposed by APRA in relation to the ADI’s operations; and

(d)         there are any matters which, in the auditor’s opinion, may have the potential to prejudice materially the interests of depositors of the ADI.

14.        Management Letters relating to work undertaken by the auditor which have a bearing on the auditor’s opinions as required in paragraph 13 should accompany the report.

15.        APRA may, in consultation with an ADI, request its external auditor or, where appropriate, other external auditors to undertake a specific review of a particular aspect of the ADI’s operations or risk management system.  The cost of specific reviews will be borne by the ADI.

16.        The specific reviews will be conducted along the lines of an “Engagement to Perform Agreed-Upon Procedures” (refer Auditing Standard 904).  The report of such reviews should be submitted to APRA and the ADI simultaneously, within 3 months after the review is commissioned.

17.        In addition to the requirements of this Standard, the Banking Act 1959 (“the Act”) requires an auditor of an ADI to inform APRA if the auditor has reasonable grounds for believing that:

(a)          the ADI is insolvent, or there is a significant risk that the ADI will become insolvent; or

(b)         the ADI has failed to comply with a prudential standard, a requirement under the Act or the regulations, a direction under Division 1BA of Part II or a condition of its section 9 authority; or

(c)         an existing or proposed state of affairs may materially prejudice the interests of depositors of the ADI.

18.        Under the Act, APRA may, by notice in writing, require an auditor of an ADI to provide information about the ADI if APRA considers that the provision of the information will assist APRA in performing its functions under the Act.


[1]     This includes statutory and prudential returns, financial statements and risk management system descriptions.

[2]     For the purpose of this Standard, reference to “an ADI” or “ADIs” includes locally incorporated ADIs and foreign ADIs (branches), unless otherwise indicated.

[3]     4 months for non-disclosing entities.

[4]     See footnote 3.

[5]     External auditors should consult the Auditing Guidance Statement in preparing their report to APRA.