1. This Prudential Standard is made under section 34C of the Superannuation Industry (Supervision) Act 1993 (SIS Act).
2. This Prudential Standard applies to all registrable superannuation entity (RSE) licensees (RSE licensees) and RSE auditors.
3. This Prudential Standard commences on 30 June 2023.
Interpretation
4. Where this Prudential Standard provides for APRA to exercise a power or discretion, the power or discretion is to be exercised in writing.
5. An RSE licensee must annually appoint an RSE auditor for each RSE within the RSE licensee’s business operations as soon as practicable but, in any event, no later than the last day of each year of income to which the appointment relates.[2]
6. Where an RSE licensee is a member of a group[3], the auditor engaged by that group may also be engaged as the RSE auditor for an RSE within the RSE licensee’s business operations under this Prudential Standard, provided that auditor meets all relevant requirements of this Prudential Standard.
7. An RSE licensee must set out the terms of engagement of the RSE auditor in a legally binding contract between the RSE licensee and the RSE auditor. The RSE auditor must comply with the terms of engagement. The terms of engagement must:
(a) require the RSE auditor to fulfil the roles and responsibilities of the RSE auditor as specified in this Prudential Standard and in the manner specified in this Prudential Standard;
(b) require the RSE auditor, in meeting his or her role and responsibilities, to comply with relevant standards and guidance statements issued by the Auditing and Assurance Standards Board (AUASB) (relevant AUASB standards and guidance) to the extent that they are not inconsistent with the requirements of this Prudential Standard and other prudential requirements.[4] If they are inconsistent:
(i) this Prudential Standard prevails; or
(ii) APRA may notify the RSE licensee in writing that alternative standards and guidance must be used by the RSE auditor; and
(c) refer the RSE auditor to the relevant provisions in the SIS Act.[5]
8. An RSE licensee must use all reasonable endeavours to ensure that the RSE auditor complies with the terms of engagement contained in paragraph 7.
9. An RSE licensee must use all reasonable endeavours to assist the RSE auditor in being fully informed of all prudential requirements applicable to the RSE licensee.
10. An RSE licensee must ensure that the RSE auditor has access to all data, information, reports and staff in respect of the RSE licensee’s business operations that the RSE auditor reasonably believes necessary to fulfil his or her role and responsibilities under the SIS Act and this Prudential Standard. This must include access to the Board of the RSE licensee (the Board)[6], Board Audit Committee, internal auditor(s) and any information APRA has provided to the RSE licensee, as required by the RSE auditor.
11. An RSE licensee must ensure that its RSE auditor:
(a) is not disqualified under section 130D of the SIS Act;
(b) satisfies the eligibility criteria in Prudential Standard SPS 520 Fit and Proper (SPS 520) as applicable to an RSE auditor;
(c) is a fit and proper person in accordance with the RSE licensee’s Fit and Proper Policy as required by SPS 520, including those requirements that apply specifically to the RSE auditor; and
(d) satisfies the auditor independence requirements in Prudential Standard SPS 510 Governance.
12. An RSE licensee must ensure that the RSE auditor provides a report to the Board on each audit of the operations of each RSE within the RSE licensee’s business operations, for each year of income (the auditor’s report) that complies with this Prudential Standard.[7] The RSE auditor must provide the report required under this paragraph to the RSE licensee. The audit required under this paragraph must also cover the operations of the RSE licensee in respect of that RSE.
13. An RSE licensee must ensure that the RSE auditor provides the auditor’s report to the Board within sufficient time to enable the RSE licensee to submit the report to APRA within three months after the end of the year of income to which the report relates. The RSE auditor must provide the report to the RSE licensee within that time. The report submitted to APRA by the RSE licensee must either be the original or a true copy. If the report is a true copy it must be verified by:
(a) if the RSE licensee is a body corporate — at least two directors of the body corporate; or
(b) if the RSE licensee is a group of individual trustees — at least two of those trustees.
14. An RSE licensee must ensure that the auditor’s report is completed in respect of the RSE’s whole year of income, even if the RSE was transferred, in whole or in part, to the RSE licensee from another RSE licensee during that year of income.
15. If an RSE was wound up during the year of income to which the report relates, an RSE licensee must ensure that the auditor’s report covers the period from the start of the RSE’s year of income to the date the RSE was wound up and is completed no later than within three months after the end of the year of income to which the report relates.
16. Where an RSE licensee has more than one RSE within its business operations, the RSE licensee must ensure that an RSE auditor completes a separate auditor’s report in respect of each RSE.
17. Notwithstanding the requirement for a separate report for each RSE set out in paragraph 16, an RSE licensee may engage an RSE auditor to prepare a single auditor’s report covering some or all of any small APRA funds (SAFs) within its business operations[8], provided that:
(a) the RSE licensee, consistent with its obligations under the SIS Act, the governing rules and Prudential Standard SPS 220 Risk Management (SPS 220), is satisfied that its risk management strategy adequately covers each of the SAFs covered by the single auditor’s report;
(b) the auditor’s report is unmodified;
(c) each SAF has been individually audited in accordance with relevant AUASB standards and guidance; and
(d) the RSE licensee provides APRA with a listing of the SAFs covered by the single auditor’s report.
18. Where an RSE licensee is part of a group, to the extent that the auditor’s report only relates to the RSE licensee itself, an RSE auditor may prepare that part of the auditor’s report (and any other documents required to be provided or maintained under this Prudential Standard) on whichever of the following bases the RSE auditor considers appropriate:
(a) both the RSE licensee and the group, provided it is clear where the RSE auditor is referring to matters relating to the RSE licensee or the group; or
(b) the RSE licensee on a standalone basis, separate to the group.
19. At a minimum, the auditor’s report, which must be prepared by the RSE auditor, must provide:
(a) reasonable assurance addressing:
(i) annual financial statements of each RSE prepared in accordance with relevant Australian Accounting Standards issued by the Australian Accounting Standards Board;
(ii) the annual information, relating to each RSE, required under the reporting standards made by APRA under the FSCOD Act that are identified in Attachment A as requiring reasonable assurance; and
(iii) compliance with provisions of the SIS Act, SIS Regulations, Corporations Act, Corporations Regulations 2001, FSCOD Act, and additional conditions imposed under s. 29EA of the SIS Act, that are specified in a form approved under paragraph 20; and
(b) limited assurance addressing:
(i) the annual information, relating to each RSE, required under the reporting standards made by APRA under the FSCOD Act that are identified in Attachment A as requiring limited assurance;
(ii) the RSE licensee’s systems, procedures and internal controls that are designed to ensure that the RSE licensee has complied with all applicable prudential requirements, has provided reliable data to APRA as required under the reporting standards prepared under the FSCOD Act, and has operated effectively throughout the year of income; and
(iii) the RSE licensee’s compliance with its risk management framework.[9]
For the purposes of this Prudential Standard, ‘reasonable assurance’ and ‘limited assurance’ are defined in accordance with relevant AUASB standards and guidance.
20. If APRA has approved a form (the approved form) under this paragraph for the auditor’s report, the auditor’s report must be in the approved form. APRA may approve a form that provides for, among other requirements, the requirements outlined in paragraphs 19 and 21 to 23 inclusive.[10]
21. An RSE auditor must modify the opinion contained in the auditor’s report for breaches of any provisions which, in the RSE auditor’s professional opinion, are material. In forming an opinion as to whether a breach is material, the RSE auditor must refer to relevant AUASB standards and guidance.
22. When preparing a report or assessment required under the SIS Act or this Prudential Standard (whether as part of routine or special purpose engagement), an RSE auditor must:
(a) do so on the basis that APRA may rely upon the report in the performance of its functions under the SIS Act; and
(b) exercise independent judgement and not place sole reliance on work performed by APRA.
23. An RSE auditor must retain all working papers and other documentation in relation to the prudential requirements of the RSE for a period of at least five years after the end of year of income.[11] Where requested to do so in writing by APRA, the RSE auditor must provide the working papers and other documentation to APRA.
24. An RSE licensee must bear the costs of preparing and submitting reports, documents and other material required by this Prudential Standard.
25. An RSE licensee must facilitate meeting arrangements requested by APRA, including ensuring attendance by the RSE auditor. APRA liaison on audit-related matters will normally be conducted under tripartite arrangements involving APRA, the RSE licensee and the RSE auditor. APRA may also meet, at any time, the internal auditor (where applicable) and, where an RSE licensee is part of a group, the head entity of the group.
26. APRA may require an RSE licensee, by notice in writing, to appoint an auditor, who may be the existing RSE auditor or another auditor, as specified in APRA’s notice, to provide a report on a particular aspect of the RSE licensee’s business operations, prudential requirements or the risk management framework.
27. An auditor appointed for a special purpose engagement must provide limited assurance on the matters upon which the auditor is required to report unless otherwise determined by APRA and advised to the RSE licensee in writing.
28. An auditor appointed for a special purpose engagement must submit, within three months of the date of the notice commissioning the report, an auditor’s report simultaneously to APRA and to the Board, unless otherwise determined by APRA.
29. An auditor must modify the report referred to in paragraph 26 for breaches relating to the matters upon which the auditor is required to report which, in the auditor’s professional opinion, are material. In forming an opinion as to whether a breach is material, the auditor must refer to relevant AUASB standards and guidance.
30. APRA may adjust or exclude a specific requirement in this Prudential Standard in relation to:
(a) a particular RSE licensee of an RSE;
(b) a particular connected entity of an RSE licensee of an RSE;
(c) specified RSE licensees of RSEs; or
(d) specified connected entities of RSE licensees of RSEs.
Previous exercise of discretion
31. An RSE licensee must contact APRA if it seeks to place reliance, for the purposes of complying with this Prudential Standard, on a previous exercise of discretion by APRA under a previous version of this Prudential Standard.