Commonwealth Coat of Arms

Banking (prudential standard) determination No. 16 of 2022

Prudential Standard APS 310 Audit and Related Matters

Banking Act 1959

 

I, Renée Roberts, a delegate of APRA:

 

(a)          under subsection 11AF(3) of the Banking Act 1959 (the Act) REVOKE Banking (prudential standard) determination No. 2 of 2019, including Prudential Standard APS 310 Audit and Related Matters, made under that determination; and

 

(b)          under subsection 11AF(1) of the Act DETERMINE Prudential Standard APS 310 Audit and Related Matters, in the form set out in the schedule, which applies to all ADIs and authorised NOHCs to the extent provided in paragraphs 2 to 5 of the prudential standard.

 

This instrument commences on 1 January 2023.

 

Dated: 1 December 2022

 

[Signed]

 

Renée Roberts

Executive Director

Policy and Advice Division

Interpretation

In this instrument:

APRA means the Australian Prudential Regulation Authority.

ADI and authorised NOHC have their respective meanings given in section 5 of the Act.


Schedule

 

Prudential Standard APS 310 Audit and Related Matters comprises the document commencing on the following page.


Prudential Standard APS 310

Audit and Related Matters

Objectives and key requirements of this Prudential Standard

This Prudential Standard requires an authorised deposit-taking institution (ADI) to ensure that APRA has access to independent advice from an auditor relating to the operations, internal controls and information provided to APRA in respect of that ADI. In addition, the standard sets out requirements for the roles and responsibilities of the appointed auditor.

The key requirements of this Prudential Standard are that an ADI must, on a Level 1 and Level 2 basis:

(i) appoint an auditor to undertake the functions set out in this Prudential Standard; and

(ii) ensure that, as appropriate, the appointed auditor is able to fulfil its responsibilities in accordance with this Prudential Standard.

 

 

Table of contents

 

Authority

Application

Interpretation

Scope

General requirements

Fitness and propriety of the appointed auditor

Use of group auditors

Obligations of an ADI

Internal audit

Meetings with the appointed auditor

Responsibilities of the appointed auditor

Reports by the appointed auditor

Routine reports

Special purpose engagements

Attachment A - Data Collections subject to reasonable and/or limited assurance

Authority

  1. This Prudential Standard is made under section 11AF of the Banking Act 1959 (Banking Act).

Application and commencement

2.            This Prudential Standard applies to all authorised deposit-taking institutions (ADIs).

3.            A reference to an ADI in this Prudential Standard will be taken, in the case of a locally-incorporated ADI, as a reference to:

(a)          an ADI on a Level 1 basis; and

(b)          a group of which an ADI is a member on a Level 2 basis.

4.            In the case of a foreign ADI, a reference to an ADI in this Prudential Standard shall be taken to refer to the foreign ADI’s Australian operations as if it was a stand-alone ADI.  

5.            Where an ADI to which this Prudential Standard applies is a subsidiary of an authorised non-operating holding company (authorised NOHC), the authorised NOHC must ensure that the requirements in this Prudential Standard are met on a Level 2 basis. This includes ensuring that any immediate parent non-operating holding company (NOHC) of the ADI, its Board of directors (Board) and senior management meet the requirements in this Prudential Standard.

6.            A reference to an intermediate holding company in this Prudential Standard means the immediate parent NOHC of an ADI. When applying this Prudential Standard on a Level 2 basis, a reference to an ADI will, where relevant, be taken to refer to an intermediate holding company or authorised NOHC at the head of a Level 2 group. Similarly, in a Level 2 context, references to the auditor, internal auditor, chief executive officer (CEO) or equivalent and other senior management, the Board and Board Audit Committee of an ADI must be taken to refer to equivalent persons of the intermediate holding company or authorised NOHC, as appropriate.

7.            In the case of a foreign ADI, a reference to the Board or a Board Committee in this Prudential Standard will be taken to refer to the senior officer outside Australia to whom authority has been delegated in accordance with Prudential Standard CPS 510 Governance (CPS 510). For a foreign ADI, a reference to the CEO refers to the senior manager in Australia with overall responsibility for the conduct of the foreign ADI’s Australian operations.

8.            This Prudential Standard commences on 1 January 2023.

Interpretation

9.            Terms that are defined in Prudential Standard APS 001 Definitions (APS 001) appear in bold the first time they are used in this Prudential Standard.

10.        Where this Prudential Standard provides for APRA to exercise a power or discretion, the power or discretion is to be exercised in writing.

11.        In this Prudential Standard, unless the contrary intention appears, a reference to an Act, Regulations, Prudential Standard or Reporting Standard is a reference to the Act, Regulations, Prudential Standard or Reporting Standard as in force from time to time[1].

Scope

12.        This Prudential Standard applies to all operations and activities of an ADI.

Adjustments and exclusions

13.        APRA may adjust or exclude a specific prudential requirement in this Prudential Standard in relation to one or more specified ADIs or authorised NOHCs.[2]

Previous exercise of discretion

14.         An ADI or authorised NOHC must contact APRA if it seeks to place reliance, for the purposes of complying with this Prudential Standard, on a previous exemption or other exercise of discretion by APRA under a previous version of this Prudential Standard.

General requirements

15.        For the purposes of this Prudential Standard, an ADI must appoint an auditor (the appointed auditor).  The appointed auditor may be the same auditor who audits an ADI for the purposes of the Corporations Act 2001. Separate auditors may be appointed to meet the requirements in this Prudential Standard on a Level 1 and Level 2 basis, and to undertake the different engagements required by this Prudential Standard. APRA may also require, by notice in writing, that an ADI appoint another auditor, in addition to any auditor already appointed by the ADI, for the purposes of this Prudential Standard.  

16.        An ADI must set out the terms of engagement of the appointed auditor in a legally binding contract between the ADI and the appointed auditor. The ADI must ensure the terms of engagement:

(a)          require the appointed auditor to fulfil the roles and responsibilities of the appointed auditor as specified in this Prudential Standard and in the manner specified in this Prudential Standard;

(b)          require the appointed auditor, in meeting its role and responsibilities, to comply with the Auditing Standards and Guidance issued from time to time by the Auditing and Assurance Standards Board (AUASB) except where:

(i)  they are inconsistent with the requirements of this Prudential Standard, in which case this Prudential Standard prevails; or

(ii)  APRA otherwise specifies, in writing, to the ADI that alternative standards and guidance should be used by the appointed auditor; and

(c)          refer the appointed auditor to the following provisions in the Banking Act:

(i)                 section 16B Auditors to give information to APRA on request;

(ii)               section 16BA Requirement for auditors to give information about ADIs; and

(iii)            Part VIA Protections in relation to information.

17.        An ADI must use all reasonable endeavours to ensure the appointed auditor complies with the terms of engagement contained in paragraphs 16(a) and (b).

18.        The costs of preparing and submitting reports, documents and other material required by this Prudential Standard, whether routinely or as part of a special purpose engagement, must be borne by the ADI.

19.        Persons involved in the provision of information (including the appointed auditor, officers and employees of an ADI, authorised NOHC, immediate parent holding company and members of a Level 2 group to which an ADI belongs) should note that it is an offence under subsections 137.1 and 137.2 of the Criminal Code Act 1995 to provide, whether directly or indirectly, false and misleading information to a Commonwealth entity, such as APRA.

Fitness and propriety of the appointed auditor

20.        An ADI must ensure that its appointed auditor:

(a)          is a fit and proper person in accordance with the ADI’s fit and proper policy as required by Prudential Standard CPS 520 Fit and Proper, including those requirements that apply specifically to the auditor;

(b)          satisfies the auditor independence requirements in CPS 510; and

(c)          is not subject to a direction issued under subsection 17(2) of the Banking Act.

Use of group auditors

21.        Where an ADI is a member of a Level 2 group and the group is headed by:

(a)          the ADI, the appointed auditor may be used for both Level 1 and Level 2 purposes under this Prudential Standard; or

(b)          an authorised NOHC or intermediate holding company, the auditor engaged by the authorised NOHC or intermediate holding company may be used as the appointed auditor for both the Level 1 and Level 2 purposes of this Prudential Standard. This is subject to the Board of the ADI, on a Level 1 basis, agreeing to this in writing and the Board of the ADI on a Level 1 basis, or its Board Audit Committee:

(i)            being able to communicate directly with the appointed auditor;

(ii)         being able to commission reports by the appointed auditor in relation to the ADI on a Level 1 basis; and

(iii)       receiving copies of any report or, where requested, any associated assessments and other material, relating to the audit operations covering the ADI on a Level 1 basis undertaken by the appointed auditor in accordance with the requirements in this Prudential Standard.

Obligations of an ADI

22.        An ADI, if requested by APRA, must within a reasonable time provide APRA with the terms of engagement, other instructions or correspondence, including management letters, that may have a bearing on the:

(a)  scope or conduct of the work undertaken by the appointed auditor in accordance with this Prudential Standard; and

(b)  form or content, including findings or opinions by the appointed auditor, or coverage of the reports provided in accordance with this Prudential Standard.

23.        An ADI must ensure that the appointed auditor has access to all data, information, reports and staff of the ADI that the appointed auditor reasonably believes is necessary to fulfil its role and responsibilities under this Prudential Standard. This includes access to the ADI’s Board, Board Committees and internal auditors as required.

24.        An ADI must ensure that its appointed auditor is fully informed of all prudential requirements applicable to the ADI. In addition, the ADI must ensure that the appointed auditor is provided with any other information APRA has provided to the ADI that may assist the appointed auditor in fulfilling its role and responsibilities under this Prudential Standard.

25.        An ADI must ensure that the following are provided to its Board or Board Audit Committee (if not already sighted by the Board or Board Audit Committee):

(a)          reports provided by the appointed auditor in accordance with this Prudential Standard, and any associated assessments and other material provided by an appointed auditor to the ADI on request;

(b)          commentary or responses provided by APRA to the ADI on reports provided by the appointed auditor, and any associated assessments and other material; and

(c)          any commentary or response on the reports, associated assessments and other material provided by the appointed auditor that are given to APRA by the ADI.

Internal audit

26.        An ADI must ensure that the scope of internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with APRA’s prudential requirements.

27.        An ADI must allow its internal auditor to be represented in tripartite meetings with APRA, the ADI and its appointed auditor.

Meetings with the appointed auditor

28.        APRA liaison with an appointed auditor will normally be conducted under tripartite arrangements involving APRA, the ADI and the appointed auditor. Notwithstanding the tripartite relationship, APRA and an appointed auditor may meet, at any time, on a bilateral basis at the request of either party.

29.        Where an ADI is part of a Level 2 group, APRA may meet with the ADI, the head entity of the Level 2 group and the appointed auditor and the internal auditor at the same time, or separately on a Level 1 and Level 2 basis, as APRA deems appropriate. 

30.        For the purposes of this Prudential Standard, it is the responsibility of an appointed auditor to attend all meetings with APRA related to this Prudential Standard, whether on:

(a) a bilateral basis between APRA and the appointed auditor; or

(b) a tripartite basis between APRA, the ADI and the appointed auditor; or

(c) any other basis which APRA may specify to the appointed auditor;

unless APRA indicates otherwise, in writing. It is also the responsibility of the appointed auditor to supply all information and documents requested by APRA relevant to the ADI.

Responsibilities of the appointed auditor

31.        It is the responsibility of an appointed auditor to submit directly to APRA:

(a)         all reports required to be produced under this Prudential Standard;  and

(b)         all assessments and other material associated with the reports, if requested by APRA.

Such reports, assessments and other material must be prepared by the appointed auditor on the basis that APRA may rely upon them in the performance of its functions under the Act.

32.        The responsibilities of an appointed auditor include an obligation to refrain from notifying the ADI of, or from providing the ADI with, the documents referred to in paragraph 31, where:

(a)          the appointed auditor considers that by doing so the interests of depositors of the ADI would be jeopardised; or where  

(b)          there is a situation of mistrust between the appointed auditor and the Board or senior management of the ADI.

33.        As part of its responsibilities, an appointed auditor in preparing reports, whether as part of routine or special purpose engagements, must not place sole reliance on the work performed by APRA.

Reports by the appointed auditor

34.        Where there is a Level 2 group, then unless otherwise instructed in writing by APRA, reports, assessments and other material required by this Prudential Standard must be prepared on one or the other of the following bases, as the appointed auditor considers appropriate:

(a)          both the ADI on a Level 1 basis and the Level 2 group provided it is clear where the appointed auditor is referring to matters relating to the ADI or the Level 2 group; or

(b)          the ADI on a Level 1 basis and Level 2 group separately.

Routine reports

35.        The responsibilities of the appointed auditor include reporting simultaneously (subject to paragraph 32) to APRA and the ADI’s Board (or Board Audit Committee), within three months of the end of the financial year of the ADI[3], on:

(a)          the matters relating to APRA data collections; and

(b)          internal controls at both Level 1 and the Level 2 group;

as referred to in paragraph 36. For this purpose, APRA data collections means any data collected in accordance with the Financial Sector (Collection of Data) Act 2001 (FSCODA).

36.        An appointed auditor’s responsibilities must specifically include reporting on:

APRA data collections referred to in Attachment A covering the financial year

(a)          for those collections where the data are sourced only from accounting records – the appointed auditor must provide reasonable assurance that the information in these collections at the financial year-end is reliable and in accordance with the relevant prudential standards and reporting standards;

(b)          for those collections where the data are sourced only from non-accounting records – unless otherwise indicated by APRA, in writing, the appointed auditor must provide limited assurance that the information in these collections at the financial year-end is reliable and in accordance with the relevant prudential standards and reporting standards;

(c)          for those collections where the data are sourced from a combination of accounting and non-accounting records – unless otherwise indicated by APRA, in writing, the appointed auditor must provide reasonable assurance for information sourced from accounting records, and limited assurance that information sourced from non-accounting records at the financial year-end is reliable. This must be in accordance with the relevant prudential standards and reporting standards;

Internal controls relating to prudential requirements

(d)          The appointed auditor must provide limited assurance that the ADI has controls that are designed to ensure the ADI:

(i)            has complied with all applicable prudential requirements;

(ii)         has provided reliable data to APRA in the reporting forms prepared under the FSCODA,

and, in relation to (i) and (ii), the appointed auditor must also provide limited assurance that these controls have operated effectively throughout the financial year.

Compliance with prudential requirements

The report must take the form of limited assurance, based on the appointed auditor's work in (a) to (d) above, that the ADI has complied with all relevant prudential requirements under the Act and the FSCODA, including compliance with prudential standards and reporting standards during the financial year[4].

37.        The reporting requirements in paragraph 36 only apply to audit engagements undertaken for the purposes of this Prudential Standard. Where an auditor is engaged for the purposes of another Prudential Standard, the engagement must ensure that the requirements of that other Prudential Standard are addressed.

Special purpose engagements

38.        APRA may require an ADI, by notice in writing, to appoint an auditor, who may be the existing appointed auditor or another auditor, to provide a report on a particular aspect of the ADI’s operations, prudential reporting, risk management systems or financial position. A special purpose engagement report will normally only be requested following consultation with the ADI. APRA may, however, request such a report without prior consultation with an ADI.

39.        The responsibilities of the appointed auditor for a special purpose engagement include an obligation to provide limited assurance on the matters upon which the appointed auditor is required to report, unless otherwise determined by APRA, and advised to the ADI, by notice in writing.

40.        Under the responsibilities of an appointed auditor for a special purpose engagement, the auditor's report must be submitted, within three months of the date of the notice commissioning the report, simultaneously to APRA and to the Board (or Board Audit Committee) of the ADI, unless otherwise determined by APRA, and advised to the ADI, by notice in writing (subject to paragraph 32).

 

 

 

 

Attachment A

Data Collections subject to reasonable and/or limited assurance

This Attachment is not a complete listing of all ADI data collections, only those reporting forms collected under FSCODA that are subject to audit testing for the purposes of this Prudential Standard.

Table columns: Description; APRA ADI reporting standard[5]; Standardised; Advanced; Foreign ADI

1. Capital Adequacy

ARS 110.0 Capital Adequacy
ARS 111.0 Fair Values
ARS 112.0 Capital Adequacy: Standardised Approach to Credit Risk
ARS 113.0 Capital Adequacy: Internal Ratings-based Approach to Credit Risk
ARS 115.0 Capital Adequacy: Standardised Measurement Approach to Operational Risk
ARS 116.0 Market Risk
ARS 117.0 Repricing Analysis
ARS 117.1 Interest Rate Risk in the Banking Book
ARS 118.0 Off-balance Sheet Business
ARS 120.1 Securitisation – Regulatory Capital
ARS 120.2 Securitisation – Supplementary Items

2. Statement of Financial Performance

ARS 330.0 Statement of Financial Performance

3. Statement of Financial Position

ARS 720.0 ABS/RBA Statement of Financial Position
ARS 720.1 ABS/RBA Loans and Finance Leases
ARS 720.2 ABS/RBA Deposits
ARS 322.0 Statement of Financial Position (Consolidated)
ARS 323.0 Statement of Financial Position (Licensed ADI)

4. Provisions and Impaired Assets

ARS 220.0 Credit Quality
ARS 220.3 Prescribed Provisioning
ARS 220.5 Movements in Provisions for Impairment
ARS 221.0 Large Exposures
ARS 222.0 Exposures to Related Entities
ARS 230.0 Commercial Property

5. Liquidity

ARS 210.0 Liquidity in relation to ARF 210.1A Liquidity Coverage Ratio - all currencies, ARF 210.1B Liquidity Coverage Ratio - AUD only, and ARF 210.6 Net Stable Funding Ratio only.[6]



[1] A reference to a Reporting Standard includes any reporting form and instructions that form part of the Reporting Standard.

[2]  Refer to section 11AF(2) of the Banking Act.

[3]  For non-disclosing entities the relevant period is four months.

[4]  With respect to any matters of non-compliance, an appointed auditor should note section 16BA of the Act requires the auditor to immediately notify APRA of certain matters and to notify APRA as soon as practicable about certain other matters.

[5] The APRA ADI reporting forms are part of Reporting Standards determined by APRA in writing under section 13 of the Financial Sector (Collection of Data) Act 2001.

[6] For the avoidance of doubt, audit testing is required only for Australian incorporated LCR ADIs.