Federal Register of Legislation - Australian Government


APS 310 Standards/Prudential (Banking & Insurance) as made
This instrument determines Prudential Standard APS 310 Audit and Related Matters.
Administered by: Treasury
General Comments: This instrument revokes Prudential Standard APS 310 Audit and Related Matters contained in Banking (prudential standard) determination No. 4 of 2008 - Prudential Standard APS 310 - Audit and Related Matters with effect from 1 January 2012.
Registered 20 Dec 2011
Tabling History
Tabled HR: 07-Feb-2012
Tabled Senate: 07-Feb-2012
Date of repeal 01 Jan 2013
Repealed by Banking (prudential standard) determination No. 15 of 2012 - Prudential Standard APS 310 - Audit and Related Matters

Banking (prudential standard) determination No. 8 of 2011

Prudential Standard APS 310 Audit and Related Matters

Banking Act 1959

 

I, Helen Rowell, delegate of APRA:

(a) under subsection 11AF(3) of the Banking Act 1959 (the Act) REVOKE Prudential Standard APS 310 Audit and Related Matters made by Banking (prudential standard) determination No. 4 of 2008; and

(b) under subsection 11AF(1) of the Act DETERMINE Prudential Standard APS 310 Audit and Related Matters, in the form set out in the Schedule, which applies to all ADIs and authorised NOHCs.

This instrument takes effect on 1 January 2012.

Dated: 20 December 2011

[Signed]

Helen Rowell

Executive General Manager

Supervisory Support Division


Interpretation

In this Determination:

ADI is short for authorised deposit-taking institution which has the meaning given in section 5 of the Act.

APRA means the Australian Prudential Regulation Authority.

authorised NOHC has the meaning given in section 5 of the Act.


Note 1  An ADI or authorised NOHC that does not comply with a standard may be issued with directions by APRA under paragraph 11CA(1)(a) of the Act.  Non-compliance with a direction is an offence attracting a penalty of up to 250 penalty units for a body corporate (currently $27,500) for each day that the offence continues.  Officers of the ADI or authorised NOHC may also be criminally liable (see section 11CG).


Schedule

 

Prudential Standard APS 310 Audit and Related Matters comprises the 13 pages commencing on the following page.

Prudential Standard APS 310

Audit and Related Matters

Objectives and key requirements of this Prudential Standard

This Prudential Standard sets out requirements for an authorised deposit-taking institution, and Level 2 group of which it is a member, to ensure that APRA has access to independent advice from an auditor relating to the operations, internal controls and information provided to APRA in respect of the institution and the Level 2 group.

Key requirements of this Prudential Standard, on a Level 1 and Level 2 basis, include:

(i)      the appointment of an auditor to undertake the functions set out in this Prudential Standard;

(ii)     the roles and responsibilities of the appointed auditor; and

(iii)    an authorised deposit-taking institution and authorised non-operating holding company must ensure that, as appropriate, the appointed auditor is able to fulfil its responsibilities in accordance with this Prudential Standard on a Level 1 and Level 2 basis.



Authority

1.            This Prudential Standard is made under section 11AF of the Banking Act 1959 (the Act).

Application

2.            This Prudential Standard applies to all authorised deposit-taking institutions (ADIs) under the Act.

3.            A reference to an ADI in this Prudential Standard will be taken, in the case of a locally-incorporated ADI, as a reference to:

(a)           an ADI on a Level 1 basis; and

(b)          a group of which an ADI is a member on a Level 2 basis.

Level 1 and Level 2 have the meaning given in Prudential Standard APS 110 Capital Adequacy (APS 110), and the requirements applied on a Level 1 and Level 2 basis in this Prudential Standard, unless otherwise specified, are applied on the same basis as provided for in APS 110. In the case of a foreign ADI, a reference to an ADI in this Prudential Standard shall be taken to refer to the foreign ADI’s Australian operations as if they were a stand-alone ADI.  

4.            Where an ADI to which this Prudential Standard applies is a subsidiary of an authorised non-operating holding company (authorised NOHC), the authorised NOHC must ensure that the requirements in this Prudential Standard are met on a Level 2 basis. This includes ensuring that any immediate parent non-operating holding company (NOHC) of the ADI, its Board of directors (the Board) and senior management meet the requirements in this Prudential Standard.

5.            Where the immediate parent NOHC of an ADI is a holding company that is a subsidiary of, but is not itself, an authorised NOHC, the Level 2 group will constitute the immediate parent NOHC and any ADI and other members of a Level 2 group as defined in APS 110. A reference to an intermediate holding company in this Prudential Standard means the immediate parent NOHC of an ADI in this situation.

6.            When applying this Prudential Standard on a Level 2 basis, a reference to an ADI will, where relevant, be taken to refer to an intermediate holding company or authorised NOHC at the head of a Level 2 group. Similarly, in a Level 2 context, references to the auditor, internal auditor, chief executive officer (CEO) or equivalent and other senior management, the Board and Board Audit Committee of an ADI should be taken to refer to equivalent persons of the intermediate holding company or authorised NOHC, as appropriate.

7.            In the case of a foreign ADI, a reference to the Board or Board Audit Committee in this Prudential Standard will be taken to refer to the senior officer outside Australia to whom authority has been delegated in accordance with Prudential Standard APS 510 Governance (APS 510).  For a foreign ADI, a reference to the CEO refers to the senior manager in Australia with overall responsibility for the conduct of the foreign ADI’s Australian operations.

Scope

8.            This Prudential Standard applies to all operations and activities of an ADI.

General requirements

9.            For the purposes of this Prudential Standard, an ADI must appoint an auditor.  This auditor (appointed auditor) may be the same auditor who audits an ADI for the purposes of the Corporations Act 2001. Separate auditors may be appointed to meet the requirements in this Prudential Standard on a Level 1 and Level 2 basis, and to undertake the different engagements provided for in this Prudential Standard. APRA may also require, by notice in writing, that an ADI appoint another auditor, in addition to any auditor already appointed by the ADI, for the purposes of this Prudential Standard.  

10.        An ADI must set out the terms of engagement of the appointed auditor in a legally binding contract between the ADI and the appointed auditor. The ADI must ensure the terms of engagement:

(a)           require the appointed auditor to fulfil the roles and responsibilities of the appointed auditor as specified in this Prudential Standard and in the manner specified in this Prudential Standard;

(b)          require the appointed auditor, in meeting its role and responsibilities, to comply with the Auditing Standards and Guidance issued from time to time by the Auditing and Assurance Standards Board (AUASB) except where:

(i)      they are inconsistent with the requirements of this Prudential Standard, in which case this Prudential Standard prevails, or

(ii)     APRA otherwise specifies, in writing, to the ADI that alternative standards and guidance should be used by the appointed auditor; and

(c)           refer the appointed auditor to the following provisions in the Act:

(i)                 section 16B Auditors to give information to APRA on request;

(ii)               section 16BA Requirements for auditors to give information about ADIs; and

(iii)             Part VIA Protection in relation to information in the Act.

11.        An ADI must use all reasonable endeavours to ensure the appointed auditor complies with the terms of engagement contained in paragraphs 10(a) and (b).

12.        For the purposes of this Prudential Standard, reasonable assurance and limited assurance are defined in accordance with the Framework for Assurance Engagements issued by the AUASB (the Framework).

13.        The costs of preparing and submitting reports, documents and other material required by this Prudential Standard, whether routine or as part of a special purpose engagement, must be borne by the ADI.

14.        Persons involved in the provision of information (including the appointed auditor, officers and employees of an ADI, authorised NOHC, immediate parent holding company and members of a Level 2 group to which an ADI belongs) should note that it is an offence under subsection 137.1 and 137.2 of the Criminal Code 1995 to provide, whether directly or indirectly, false and misleading information to a Commonwealth entity, such as APRA.

Fitness and propriety of the appointed auditor

15.        An ADI must ensure that its appointed auditor:

(a)           is a fit and proper person in accordance with the ADI’s fit and proper policy as required by Prudential Standard APS 520 Fit and Proper, including those requirements that apply specifically to the auditor;

(b)          satisfies the auditor independence requirements in APS 510; and

(c)           is not subject to a direction issued under section 17(2) of the Act.

Use of group auditors

16.        Where an ADI is a member of a Level 2 group and the group is headed by:

(a)           the ADI, the appointed auditor may be used for both Level 1 and Level 2 purposes under this Prudential Standard; or

(b)          an authorised NOHC or intermediate holding company, the auditor engaged by the authorised NOHC or intermediate holding company may be used as the appointed auditor for both the Level 1 and Level 2 purposes of this Prudential Standard. This is subject to the Board of the ADI, on a Level 1 basis, agreeing to this in writing and the Board of the ADI on a Level 1 basis, or its Board Audit Committee:

(i)            being able to communicate directly with the appointed auditor;

(ii)          being able to commission reports by the appointed auditor in relation to the ADI on a Level 1 basis; and

(iii)        receiving copies of any report or, where requested, any associated assessments and other material, relating to the audit operations covering the ADI on a Level 1 basis undertaken by the appointed auditor in accordance with the requirements in this Prudential Standard.

 

Obligations of an ADI

17.        An ADI, if requested by APRA, must within a reasonable time provide APRA with the terms of engagement, other instructions or correspondence, including management letters, that may have a bearing on the:

(a)     scope or conduct of the work undertaken by the appointed auditor in accordance with this Prudential Standard; and

(b)     form or content, including findings or opinions by the appointed auditor, or coverage of the reports provided in accordance with this Prudential Standard.

18.        An ADI must ensure that the appointed auditor has access to all data, information, reports and staff of the ADI that the appointed auditor reasonably believes is necessary to fulfil its role and responsibilities under this Prudential Standard. This includes access to the ADI’s Board, Board Audit Committee and internal auditors as required.

19.        An ADI must ensure that its appointed auditor is fully informed of all prudential requirements applicable to the ADI. Prudential requirements include requirements imposed by the Act, regulations, prudential standards, the Financial Sector (Collection of Data) Act 2001 (FSCODA), reporting standards, conditions on authority and any other requirements imposed by APRA, in writing, in relation to an ADI. In addition, the ADI must ensure that the appointed auditor is provided with any other information APRA has provided to the ADI that may assist the appointed auditor in fulfilling its role and responsibilities under this Prudential Standard.

20.        An ADI must ensure that the following are provided to its Board or Board Audit Committee (if not already sighted by the Board or Board Audit Committee):

(a)           reports provided by the appointed auditor in accordance with this Prudential Standard, and any associated assessments and other material provided by an appointed auditor to the ADI on request;

(b)          commentary or responses provided by APRA to the ADI on reports provided by the appointed auditor, and any associated assessments and other material; and

(c)           any commentary or response on the reports, associated assessments and other material provided by the appointed auditor that are given by the ADI to APRA.

Internal audit

21.        An ADI must ensure that the scope of internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with APRA’s prudential requirements.

22.        An ADI must allow its internal auditor to be represented in tripartite meetings with APRA, the ADI and its appointed auditor.

Risk management systems

23.        It is the responsibility of an ADI’s Board and management to ensure that the ADI meets prudential and statutory requirements and has management practices to limit risks to prudent levels. The ADI’s risk management practices must be detailed in descriptions of risk management systems that must be regularly reviewed and updated, at least annually, to take account of changing circumstances.

24.        An ADI is required to provide APRA with high-level descriptions of its key risk management systems covering all major areas of risk, and to inform APRA of all material changes to the ADI’s risk management systems descriptions when they are made.

25.        Within three months[1] of its annual balance date, an ADI must provide APRA with a declaration from its CEO endorsed by the Board.

26.        The Board and CEO must, as part of the declaration, attest that for the financial year:

(a)           they have identified the key risks of the ADI or Level 2 group, as appropriate, and in the case of a foreign ADI the key risks of the foreign ADI’s operations conducted in Australia;

(b)          they have established systems to monitor and manage those risks including, where appropriate, by setting and requiring adherence to a series of prudent limits, and by adequate and timely reporting processes;

(c)           the risk management systems are operating effectively and are adequate having regard to the risks they are designed to control; 

(d)          the descriptions of risk management systems provided to APRA are accurate and current; and

(e)           the Prudential Disclosures required under Prudential Standard APS 330 Capital Adequacy: Public Disclosure of Prudential Information are reliable.

27.        An ADI must ensure that the CEO provides an explanation, endorsed by the Board, of any qualifications made to the CEO’s declaration in paragraph 25, including plans for corrective actions to address any deficiencies identified in the risk management systems.

28.        Where an ADI is the head of a Level 2 group, the declaration or explanations provided by the CEO of the ADI and endorsed by the Board of the ADI may deal with both the ADI on a Level 1 basis and the Level 2 group in the same document. Such a document must, however, clearly provide for separate attestations for the ADI on a Level 1 basis and for the Level 2 group.

29.        In the event that a Level 2 group is headed by an entity other than an ADI, there must be separate declarations and explanations by the CEO of:

(a)           the ADI, endorsed by the Board of the ADI, covering the ADI on a Level 1 basis; and

(b)          the entity heading the Level 2 group, endorsed by the Board of that entity, covering the Level 2 group.

Meetings with the appointed auditor

30.        APRA liaison with an appointed auditor will normally be conducted under tripartite arrangements involving APRA, the ADI and the appointed auditor. Notwithstanding the tripartite relationship, APRA and an appointed auditor may meet, at any time, on a bilateral basis at the request of either party.

31.        Where an ADI is part of a Level 2 group, APRA may meet with the ADI, the head entity of the Level 2 group and the appointed auditor and the internal auditor at the same time, or separately on a Level 1 and Level 2 basis, as APRA deems appropriate. 

32.        For the purposes of this Prudential Standard, it is the responsibility of an appointed auditor to attend all meetings with APRA related to this Prudential Standard, whether on:

(a)     a bilateral basis between APRA and the appointed auditor; or

(b)     a tripartite basis between APRA, the ADI and the appointed auditor; or

(c)     any other basis which APRA may specify to the appointed auditor;

unless APRA indicates otherwise in writing. It is also the responsibility of an appointed auditor to supply all information and documents requested by APRA relevant to the ADI.

Responsibilities of the appointed auditor

33.        It is the responsibility of an appointed auditor to submit directly to APRA:

(a)          all reports required to be produced under this Prudential Standard; and

(b)         all assessments and other material associated with the reports, if requested by APRA.

Such reports, assessments and other material must be prepared by the appointed auditor on the basis that APRA may rely upon them in the performance of its functions under the Act.

34.        The responsibilities of an appointed auditor include an obligation to refrain from notifying the ADI of, or from providing the ADI with, the documents referred to in paragraph 33, where:

(a)           the appointed auditor considers that by doing so the interests of depositors of the ADI would be jeopardised; or where  

(b)          there is a situation of mistrust between the appointed auditor and the Board or senior management of the ADI.

35.        As part of its responsibilities, an appointed auditor in preparing reports, whether as part of routine or special purpose engagements, must not place sole reliance on the work performed by APRA.

Reports by the appointed auditor

36.        Where there is a Level 2 group, then unless otherwise instructed in writing by APRA, reports, assessments and other material required by this Prudential Standard must be prepared on one or the other of the following bases, as the appointed auditor considers appropriate:

(a)           both the ADI on a Level 1 basis and the Level 2 group provided it is clear where the appointed auditor is referring to matters relating to the ADI or the Level 2 group; or

(b)          the ADI on a Level 1 basis and Level 2 group separately.

Routine reports

37.        The responsibilities of the appointed auditor include reporting simultaneously (subject to paragraph 34) to APRA and the ADI’s Board (or Board Audit Committee), within three months of the end of the financial year of the ADI,[2] on:

(a)           the matters relating to APRA data collections; and

(b)          internal controls at both Level 1 and the Level 2 group;

as referred to in paragraph 38. For this purpose, APRA data collections means any data collected in accordance with the FSCODA.

38.        An appointed auditor’s responsibilities must specifically include reporting on:

APRA data collections referred to in Attachment A covering the financial year

(a)           for those collections where the data are sourced only from accounting records – the appointed auditor must provide reasonable assurance that the information in these collections at the financial year-end is reliable and in accordance with the relevant prudential standards and reporting standards;

(b)          for those collections where the data are sourced only from non-accounting records – unless otherwise indicated by APRA, in writing, the appointed auditor must provide limited assurance that the information in these collections at the financial year-end is reliable and in accordance with the relevant prudential standards and reporting standards;

(c)           for those collections where the data are sourced from a combination of accounting and non-accounting records – unless otherwise indicated by APRA, in writing, the appointed auditor must provide reasonable assurance for information sourced from accounting records, and limited assurance that information sourced from non-accounting records at the financial year-end is reliable. This must be in accordance with the relevant prudential standards and reporting standards;

Internal controls relating to prudential requirements

(d)          The appointed auditor must provide limited assurance that the ADI has controls that are designed to ensure the ADI:

(i)            has complied with all applicable prudential requirements;

(ii)          has provided reliable data to APRA in the reporting forms prepared under the FSCODA;

and, in relation to (i) and (ii), the appointed auditor must also provide limited assurance that these controls have operated effectively throughout the financial year.

Compliance with prudential requirements

(e)           The report must take the form of limited assurance, based on the appointed auditor's work in (a) to (d) above, that the ADI has complied with all relevant prudential requirements under the Act and the FSCODA, including compliance with prudential standards and reporting standards during the financial year.[3]

39.        The reporting requirements in paragraph 38 only apply to audit engagements undertaken for the purposes of this Prudential Standard. Where an auditor is engaged for the purposes of another Prudential Standard, the engagement must ensure that the requirements of that other Prudential Standard are addressed.

Special purpose engagements

40.        APRA may require an ADI, by notice in writing, to appoint an auditor, who may be the existing appointed auditor or another auditor, to provide a report on a particular aspect of the ADI’s operations, prudential reporting, risk management systems or financial position. A special purpose engagement report will normally only be requested following consultation with the ADI. APRA may, however, request such a report without prior consultation with an ADI.

41.        The responsibilities of the appointed auditor for a special purpose engagement include an obligation to provide limited assurance on the matters upon which the appointed auditor is required to report, unless otherwise determined by APRA, and advised to the ADI by notice in writing.

42.        Under the responsibilities of an appointed auditor for a special purpose engagement, the auditor's report must be submitted, within three months of the date of the notice commissioning the report, simultaneously to APRA and to the Board (or Board Audit Committee) of the ADI, unless otherwise determined by APRA, and advised to the ADI by notice in writing (subject to paragraph 34).

Adjustments and exclusions

43.        APRA may, by notice in writing to an ADI or authorised NOHC, adjust or exclude a specific prudential requirement in this Prudential Standard in relation to that institution.[4]

Transition arrangements

44.        This Prudential Standard applies to an ADI from the commencement of its first financial year (within the meaning of the Corporations Act 2001) beginning on or after 1 January 2009. An ADI must comply with Prudential Standard APS 310 Audit & Related Arrangements for Prudential Reporting determined on 8 September 2000, notwithstanding its revocation, in relation to a financial year commencing before 1 January 2009.

 

        


Attachment A – Data Collections subject to reasonable and/or limited assurance

This Attachment is not a complete listing of all ADI data collections, only those reporting forms collected under FSCODA that are subject to audit testing for the purposes of this Prudential Standard.

Description | APRA ADI reporting form | Standardised | Advanced | Foreign ADI

1. Capital Adequacy

ARF 110.0 Capital Adequacy

ARF 112.1A Standardised Credit Risk – On-balance Sheet Exposures

ARF 112.2A Standardised Credit Risk – Off-balance Sheet Exposures

ARF 113.0A to 113.0D FIRB (excluding Specialised Lending)

ARF 113.0E FIRB Specialised Lending

ARF 113.1A to ARF 113.1D AIRB (excluding Specialised Lending)

ARF 113.1E AIRB Specialised Lending

ARF 113.2 IRB Specialised Lending Supervisory Slotting

ARF 113.3A to ARF 113.3D IRB Retail

ARF 113.4 IRB – Other assets, claims and exposures

ARF 114.0 Standardised – Operational Risk

ARF 115.0A to ARF 115.0C Advanced Measurement Approaches to Operational Risk

ARF 116.0 Market Risk

ARF 117.0 Repricing Analysis

ARF 117.1 Interest Rate Risk in the Banking Book

ARF 118.0 Off-balance Sheet Business

ARF 120.0 Standardised – Securitisation

ARF 120.1A to ARF 120.1C IRB – Securitisation

ARF 120.2 Securitisation – Supplementary Items

2. Statement of Financial Performance

ARF 330.0 Statement of Financial Performance

3. Statement of Financial Position

ARF 320.0 Statement of Financial Position – Domestic

ARF 321.0 Statement of Financial Position – Offshore Operations

ARF 322.0 Statement of Financial Position – Consolidated

ARF 323.0 Statement of Financial Position – Licensed

4. Provisions and Impaired Assets

ARF 220.0 Impaired Assets

ARF 220.3 Prescribed Provisioning

ARF 220.5 Movements in Provisions for Impairment

ARF 221.0 Large Exposures

ARF 222.0 Exposures to Related Entities

ARF 230.0 Commercial Property



[1]     For non-disclosing entities the relevant period is four months.

[2]           For non-disclosing entities the relevant period is four months.

[3]           With respect to any matters of non-compliance, an appointed auditor should note section 16BA of the Act requires the auditor to immediately notify APRA of certain matters and to notify APRA as soon as practicable about certain other matters.

[4]           Refer to section 11AF(2) of the Act.