Prudential Standard
APS 310 - Audit & Related Arrangements
for Prudential Reporting
Objective
This standard aims to ensure the high quality of information provided by ADIs to APRA. It also specifies requirements for a management attestation by ADIs in respect of the effectiveness and adequacy of their risk management processes.
Index
Principles
Overview
1. APRA’s supervisory process depends on prudential information provided by ADIs. APRA needs to be assured of the accuracy and integrity of the information provided to be confident that its judgements about the ADI’s management practices and compliance with prudential requirements are well-informed and soundly based. Arrangements with an ADI’s external auditors operate to enhance the credibility of the information provided.
2. Liaison with an ADI’s external auditor will normally be conducted under tripartite arrangements involving APRA, the ADI and its external auditor. In the normal course, regular tripartite meeting will be held to discuss the external auditor’s reports and any matters arising from the external auditor’s review. However, any one of the three parties can initiate meetings or discussions at any time should it consider necessary. Notwithstanding the tripartite relationship, an ADI’s external auditor and APRA may, in exceptional circumstances as required under the Banking Act 1959, engage with each other on a bilateral basis.
3. An ADI should keep its external auditor fully informed of APRA’s prudential requirements for the ADI. This includes passing to the external auditor any relevant information from its communications with APRA, as well as other relevant information provided by APRA to the ADI from time to time (such as the release of new Prudential Standards or subsequent changes to any existing Prudential Standards).
Index
Risk Management Systems
4. It is the responsibility of an ADI’s board and management to ensure that the ADI meets prudential and statutory requirements and has management practices to limit risks to prudent levels. The risk management practices must be detailed in risk management systems descriptions which should be regularly reviewed and updated (at least annually) to take account of changing circumstances.
5. An ADI is required to provide APRA with high level descriptions of its key risk management systems covering all major areas of risks and keep APRA informed of all material changes to their risk management systems descriptions as they are made.
6. Within 3 months of its annual balance date, an ADI should provide APRA with a “declaration” from the chief executive, endorsed by the board or in the case of a foreign ADI, by a senior officer from outside Australia with responsibility for overseeing the Australian operations.
7. The “declaration” should attest that, for the financial year past,:
(a) the board and management have identified the key risks facing the ADI;
(b) the board and management have established systems to monitor and manage those risks including, where appropriate, by setting and requiring adherence to a series of prudent limits, and by adequate and timely reporting processes;
(c) these risk management systems are operating effectively and are adequate having regard to the risks they are designed to control; and
(d) the risk management systems descriptions provided to APRA are accurate and current.
8. If an ADI feels it needs to qualify the declaration prescribed in paragraph 7, it would need to explain the reasons for the qualifications, as well as provide plans for corrective action.
Index
Audit Committee
9. The board of a locally incorporated ADI should establish an Audit Committee made up of a majority of non-executive directors (the Chairman of the board would not normally chair the Committee) to monitor compliance with the board policies, as well as prudential and statutory requirements. The Audit Committee should, as a minimum, oversee the ADI’s financial reporting, internal and external audits, and appointment of the external auditor.
10. The Audit Committee should review the external auditor’s engagement every year, including inquiring of their independence in accordance with Statement of Auditing Practice AUP 32 “Audit Independence”.
Index
Internal Audit
11. Locally incorporated ADIs should have a comprehensive and independent internal audit process for reviewing and testing their internal controls and risk management systems. The scope of the internal audit should include a review of the processes and controls put in place by management to ensure compliance with APRA’s prudential requirements.
12. Where the scale of an ADI’s operations does not justify maintaining a full time internal audit function, the ADI should agree alternative review arrangements with APRA. Internal auditors should be represented in tripartite meetings with APRA, the ADI and its external auditor.
Index
Role of External Auditors
13. External auditors should, within 3 months of the annual balance date of an ADI, provide simultaneously to APRA and the Audit Committee, or in the case of foreign ADIs, the senior country managers, a report up to the latest balance date detailing the external auditor’s opinions as to whether:
(a) the ADI has observed all the prudential standard requirements which APRA has set for the ADI;
(b) the statistical and financial data provided by the ADI to APRA are reliable;
(c) the ADI has complied with statutory banking requirements, any conditions on the authority to carry on banking business, and any other conditions imposed by APRA in relation to the ADI’s operations; and
(d) there are any matters which, in the auditor’s opinion, may have the potential to prejudice materially the interests of depositors of the ADI.
14. Management Letters relating to work undertaken by the auditor which have a bearing on the auditor’s opinions as required in paragraph 13 should accompany the report.
15. APRA may, in consultation with an ADI, request its external auditor or, where appropriate, other external auditors to undertake a specific review of a particular aspect of the ADI’s operations or risk management system. The cost of specific reviews will be borne by the ADI.
16. The specific reviews will be conducted along the lines of an “Engagement to Perform Agreed-Upon Procedures” (refer Auditing Standard 904). The report of such reviews should be submitted to APRA and the ADI simultaneously, within 3 months after the review is commissioned.
17. In addition to the requirements of this Standard, the Banking Act 1959 (“the Act”) requires an auditor of an ADI to inform APRA if the auditor has reasonable grounds for believing that:
(a) the ADI is insolvent, or there is a significant risk that the ADI will become insolvent; or
(b) the ADI has failed to comply with a prudential standard, a requirement under the Act or the regulations, a direction under Division 1BA of Part II or a condition of its section 9 authority; or
(c) an existing or proposed state of affairs may materially prejudice the interests of depositors of the ADI.
18. Under the Act, APRA may, by notice in writing, require an auditor of an ADI to provide information about the ADI if APRA considers that the provision of the information will assist APRA in performing its functions under the Act.
Index