Banking (prudential standard) determination No. 10 of 2014
Prudential Standard APS 310 Audit and Related Matters
Banking Act 1959
I, Wayne Byres, delegate of APRA:
(a) under subsection 11AF(3) of the Banking Act 1959 (the Act) REVOKE Banking (prudential standard) determination No.15 of 2012 including Prudential Standard APS 310 Audit and Related Matters made under that Determination; and
(b) under subsection 11AF(1) of the Act DETERMINE Prudential Standard APS 310 Audit and Related Matters in the form set out in the attached Schedule, which applies to ADIs and authorised NOHCs to the extent provided in paragraphs 2 to 5 of the prudential standard.
This instrument takes effect on 1 January 2015.
Dated: 3 December 2014
In this instrument:
ADI has the meaning given in section 5 of the Act.
APRA means the Australian Prudential Regulation Authority.
authorised NOHC has the meaning given in section 5 of the Act.
Prudential Standard APS 310 Audit and Related Matters comprises the 13 pages commencing on the following page.
Prudential Standard APS 310
Audit and Related Matters
Objectives and key requirements of this Prudential Standard
This Prudential Standard requires an authorised deposit-taking institution (ADI) to ensure that APRA has access to independent advice from an auditor relating to the operations, internal controls and information provided to APRA in respect of that ADI. In addition, the standard sets out requirements for the roles and responsibilities of the appointed auditor.
The key requirements of this Prudential Standard, are that an ADI must, on a Level 1 and Level 2 basis:
(i) appoint an auditor to undertake the functions set out in this Prudential Standard; and
(ii) ensure that, as appropriate, the appointed auditor is able to fulfil its responsibilities in accordance with this Prudential Standard.
Table of contents
General requirements. 4
Fitness and propriety of the appointed auditor 5
Use of group auditors. 5
Obligations of an ADI 6
Internal audit 6
Meetings with the appointed auditor 7
Responsibilities of the appointed auditor 7
Reports by the appointed auditor 8
Routine reports. 8
Special purpose engagements. 9
Adjustments and exclusions. 10
Attachment A - Data Collections subject to reasonable and/or limited assurance 11
1. This Prudential Standard is made under section 11AF of the Banking Act 1959 (Banking Act).
2. This Prudential Standard applies to all authorised deposit-taking institutions (ADIs).
3. A reference to an ADI in this Prudential Standard will be taken, in the case of a locally-incorporated ADI, as a reference to:
(a) an ADI on a Level 1 basis; and
(b) a group of which an ADI is a member on a Level 2 basis.
4. In the case of a foreign ADI, a reference to an ADI in this Prudential Standard shall be taken to refer to the foreign ADI’s Australian operations as if it was a stand-alone ADI.
5. Where an ADI to which this Prudential Standard applies is a subsidiary of an authorised non-operating holding company (authorised NOHC), the authorised NOHC must ensure that the requirements in this Prudential Standard are met on a Level 2 basis. This includes ensuring that any immediate parent non-operating holding company (NOHC) of the ADI, its Board of directors (Board) and senior management meet the requirements in this Prudential Standard.
6. A reference to an intermediate holding company in this Prudential Standard means the immediate parent NOHC of an ADI. When applying this Prudential Standard on a Level 2 basis, a reference to an ADI will, where relevant, be taken to refer to an intermediate holding company or authorised NOHC at the head of a Level 2 group. Similarly, in a Level 2 context, references to the auditor, internal auditor, chief executive officer (CEO) or equivalent and other senior management, the Board and Board Audit Committee of an ADI must be taken to refer to equivalent persons of the intermediate holding company or authorised NOHC, as appropriate.
7. In the case of a foreign ADI, a reference to the Board or a Board Committee in this Prudential Standard will be taken to refer to the senior officer outside Australia to whom authority has been delegated in accordance with Prudential Standard CPS 510 Governance (CPS 510). For a foreign ADI, a reference to the CEO refers to the senior manager in Australia with overall responsibility for the conduct of the foreign ADI’s Australian operations.
8. Terms that are defined in Prudential Standard APS 001 Definitions (APS 001) appear in bold the first time they are used in this Prudential Standard.
9. This Prudential Standard applies to all operations and activities of an ADI.
10. For the purposes of this Prudential Standard, an ADI must appoint an auditor (the appointed auditor). The appointed auditor may be the same auditor who audits an ADI for the purposes of the Corporations Act 2001. Separate auditors may be appointed to meet the requirements in this Prudential Standard on a Level 1 and Level 2 basis, and to undertake the different engagements required by this Prudential Standard. APRA may also require, by notice in writing, that an ADI appoint another auditor, in addition to any auditor already appointed by the ADI, for the purposes of this Prudential Standard.
11. An ADI must set out the terms of engagement of the appointed auditor in a legally binding contract between the ADI and the appointed auditor. The ADI must ensure the terms of engagement:
(a) require the appointed auditor to fulfil the roles and responsibilities of the appointed auditor as specified in this Prudential Standard and in the manner specified in this Prudential Standard;
(b) require the appointed auditor, in meeting its role and responsibilities, to comply with the Auditing Standards and Guidance issued from time to time by the Auditing and Assurance Standards Board (AUASB) except where:
(i) they are inconsistent with the requirements of this Prudential Standard, in which case this Prudential Standard prevails; or
(ii) APRA otherwise specifies, in writing, to the ADI that alternative standards and guidance should be used by the appointed auditor; and
(c) refer the appointed auditor to the following provisions in the Banking Act:
(i) section 16B Auditors to give information to APRA on request;
(ii) section 16BA Requirements for auditors to give information about ADIs; and
(iii) Part VIA Protections in relation to information.
12. An ADI must use all reasonable endeavours to ensure the appointed auditor complies with the terms of engagement contained in paragraphs 11(a) and (b).
13. For the purposes of this Prudential Standard, reasonable assurance and limited assurance are defined in accordance with the Framework for Assurance Engagements issued by the AUASB (the Framework).
14. The costs of preparing and submitting reports, documents and other material required by this Prudential Standard, whether routinely or as part of a special purpose engagement, must be borne by the ADI.
15. Persons involved in the provision of information (including the appointed auditor, officers and employees of an ADI, authorised NOHC, immediate parent holding company and members of a Level 2 group to which an ADI belongs) should note that it is an offence under subsections 137.1 and 137.2 of the Criminal Code Act 1995 to provide, whether directly or indirectly, false and misleading information to a Commonwealth entity, such as APRA.
Fitness and propriety of the appointed auditor
16. An ADI must ensure that its appointed auditor:
(a) is a fit and proper person in accordance with the ADI’s fit and proper policy as required by Prudential Standard CPS 520 Fit and Proper, including those requirements that apply specifically to the auditor;
(b) satisfies the auditor independence requirements in CPS 510 ; and
(c) is not subject to a direction issued under section 17(2) of the Banking Act.
Use of group auditors
17. Where an ADI is a member of a Level 2 group and the group is headed by:
(a) the ADI, the appointed auditor may be used for both Level 1 and Level 2 purposes under this Prudential Standard; or
(b) an authorised NOHC or intermediate holding company, the auditor engaged by the authorised NOHC or intermediate holding company may be used as the appointed auditor for both the Level 1 and Level 2 purposes of this Prudential Standard. This is subject to the Board of the ADI, on a Level 1 basis, agreeing to this in writing and the Board of the ADI on a Level 1 basis, or its Board Audit Committee:
(i) being able to communicate directly with the appointed auditor;
(ii) being able to commission reports by the appointed auditor in relation to the ADI on a Level 1 basis; and
(iii) receiving copies of any report or, where requested, any associated assessments and other material, relating to the audit operations covering the ADI on a Level 1 basis undertaken by the appointed auditor in accordance with the requirements in this Prudential Standard.
Obligations of an ADI
18. An ADI, if requested by APRA, must within a reasonable time provide APRA with the terms of engagement, other instructions or correspondence, including management letters, that may have a bearing on the:
(a) scope or conduct of the work undertaken by the appointed auditor in accordance with this Prudential Standard; and
(b) form or content, including findings or opinions by the appointed auditor, or coverage of the reports provided in accordance with this Prudential Standard.
19. An ADI must ensure that the appointed auditor has access to all data, information, reports and staff of the ADI that the appointed auditor reasonably believes is necessary to fulfil its role and responsibilities under this Prudential Standard. This includes access to the ADI’s Board, Board Committees and internal auditors as required.
20. An ADI must ensure that its appointed auditor is fully informed of all prudential requirements applicable to the ADI. Prudential requirements include requirements imposed by the Act, regulations, prudential standards, the Financial Sector (Collection of Data) Act 2001 (FSCODA), reporting standards, conditions on authority and any other requirements imposed by APRA, in writing, in relation to an ADI. In addition, the ADI must ensure that the appointed auditor is provided with any other information APRA has provided to the ADI that may assist the appointed auditor in fulfilling its role and responsibilities under this Prudential Standard.
21. An ADI must ensure that the following are provided to its Board or Board Audit Committee (if not already sighted by the Board or Board Audit Committee):
(a) reports provided by the appointed auditor in accordance with this Prudential Standard, and any associated assessments and other material provided by an appointed auditor to the ADI on request;
(b) commentary or responses provided by APRA to the ADI on reports provided by the appointed auditor, and any associated assessments and other material; and
(c) any commentary or response on the reports, associated assessments and other material provided by the appointed auditor that are given to APRA by the ADI.
22. An ADI must ensure that the scope of internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with APRA’s prudential requirements.
23. An ADI must allow its internal auditor to be represented in tripartite meetings with APRA, the ADI and its appointed auditor.
Meetings with the appointed auditor
24. APRA liaison with an appointed auditor will normally be conducted under tripartite arrangements involving APRA, the ADI and the appointed auditor. Notwithstanding the tripartite relationship, APRA and an appointed auditor may meet, at any time, on a bilateral basis at the request of either party.
25. Where an ADI is part of a Level 2 group, APRA may meet with the ADI, the head entity of the Level 2 group and the appointed auditor and the internal auditor at the same time, or separately on a Level 1 and Level 2 basis, as APRA deems appropriate.
26. For the purposes of this Prudential Standard, it is the responsibility of an appointed auditor to attend all meetings with APRA related to this Prudential Standard, whether on:
(a) a bilateral basis between APRA and the appointed auditor; or
(b) a tripartite basis between APRA, the ADI and the appointed auditor; or
(c) any other basis which APRA may specify to the appointed auditor;
unless APRA indicates otherwise, in writing. It is also the responsibility of the appointed auditor to supply all information and documents requested by APRA relevant to the ADI.
Responsibilities of the appointed auditor
27. It is the responsibility of an appointed auditor to submit directly to APRA:
(a) all reports required to be produced under this Prudential Standard; and
(b) all assessments and other material associated with the reports, if requested by APRA.
Such reports, assessments and other material must be prepared by the appointed auditor on the basis that APRA may rely upon them in the performance of its functions under the Act.
28. The responsibilities of an appointed auditor include an obligation to refrain from notifying the ADI of, or from providing the ADI with, the documents referred to in paragraph 27, where:
(a) the appointed auditor considers that by doing so the interests of depositors of the ADI would be jeopardised; or where
(b) there is a situation of mistrust between the appointed auditor and the Board or senior management of the ADI.
29. As part of its responsibilities, an appointed auditor in preparing reports, whether as part of routine or special purpose engagements, must not place sole reliance on the work performed by APRA.
Reports by the appointed auditor
30. Where there is a Level 2 group, then unless otherwise instructed in writing by APRA, reports, assessments and other material required by this Prudential Standard must be prepared on one or the other of the following bases, as the appointed auditor considers appropriate:
(a) both the ADI on a Level 1 basis and the Level 2 group provided it is clear where the appointed auditor is referring to matters relating to the ADI or the Level 2 group; or
(b) the ADI on a Level 1 basis and Level 2 group separately.
31. The responsibilities of the appointed auditor include reporting simultaneously (subject to paragraph 28) to APRA and the ADI’s Board (or Board Audit Committee), within three months of the end of the financial year of the ADI, on:
(a) the matters relating to APRA data collections; and
(b) internal controls at both Level 1 and the Level 2 group;
as referred to in paragraph 32. For this purpose, APRA data collections means any data collected in accordance with the FSCODA.
32. An appointed auditor’s responsibilities must specifically include reporting on:
APRA data collections referred to in Attachment A covering the financial year
(a) for those collections where the data are sourced only from accounting records – the appointed auditor must provide reasonable assurance that the information in these collections at the financial year-end is reliable and in accordance with the relevant prudential standards and reporting standards;
(b) for those collections where the data are sourced only from non-accounting records – unless otherwise indicated by APRA, in writing, the appointed auditor must provide limited assurance that the information in these collections at the financial year-end is reliable and in accordance with the relevant prudential standards and reporting standards;
(c) for those collections where the data are sourced from a combination of accounting and non-accounting records – unless otherwise indicated by APRA, in writing, the appointed auditor must provide reasonable assurance for information sourced from accounting records, and limited assurance that information sourced from non-accounting records at the financial year-end is reliable. This must be in accordance with the relevant prudential standards and reporting standards;
Internal controls relating to prudential requirements
(d) The appointed auditor must provide limited assurance that the ADI has controls that are designed to ensure the ADI:
(i) has complied with all applicable prudential requirements;
(ii) has provided reliable data to APRA in the reporting forms prepared under the FSCODA;
and, in relation to (i) and (ii), the appointed auditor must also provide limited assurance that these controls have operated effectively throughout the financial year.
Compliance with prudential requirements
(e) The report must take the form of limited assurance, based on the appointed auditor's work in (a) to (d) above, that the ADI has complied with all relevant prudential requirements under the Act and the FSCODA, including compliance with prudential standards and reporting standards during the financial year.
33. The reporting requirements in paragraph 32 only apply to audit engagements undertaken for the purposes of this Prudential Standard. Where an auditor is engaged for the purposes of another Prudential Standard, the engagement must ensure that the requirements of that other Prudential Standard are addressed.
Special purpose engagements
34. APRA may require an ADI, by notice in writing, to appoint an auditor, who may be the existing appointed auditor or another auditor, to provide a report on a particular aspect of the ADI’s operations, prudential reporting, risk management systems or financial position. A special purpose engagement report will normally only be requested following consultation with the ADI. APRA may, however, request such a report without prior consultation with an ADI.
35. The responsibilities of the appointed auditor for a special purpose engagement include an obligation to provide limited assurance on the matters upon which the appointed auditor is required to report, unless otherwise determined by APRA, and advised to the ADI, by notice in writing.
36. Under the responsibilities of an appointed auditor for a special purpose engagement, the auditor's report must be submitted, within three months of the date of the notice commissioning the report, simultaneously to APRA and to the Board (or Board Audit Committee) of the ADI, unless otherwise determined by APRA, and advised to the ADI, by notice in writing (subject to paragraph 28).
Adjustments and exclusions
37. APRA may, by notice in writing to an ADI or authorised NOHC, adjust or exclude a specific prudential requirement in this Prudential Standard in relation to that institution.
Data Collections subject to reasonable and/or limited assurance
This Attachment is not a complete listing of all ADI data collections, only those reporting forms collected under FSCODA that are subject to audit testing for the purposes of this Prudential Standard.
APRA ADI reporting form
1. Capital Adequacy
ARF 110.0 Capital Adequacy
ARF 112.1A Standardised Credit Risk – On-balance Sheet Exposures
ARF 112.2A Standardised Credit Risk – Off-balance Sheet Exposures
ARF 113.0A to 113.0D FIRB (excluding Specialised Lending)
ARF 113.0E FIRB Specialised Lending
ARF 113.1A to ARF 113.1D AIRB (excluding Specialised Lending)
ARF 113.1E AIRB Specialised Lending
ARF 113.2 IRB Specialised Lending Supervisory Slotting
ARF 113.3A to ARF 113.3D IRB Retail
ARF 113.4 IRB – Other assets, claims and exposures
ARF 114.0 Standardised – Operational Risk
ARF 115.0A to ARF 115.0C Advanced Measurement Approaches to Operational Risk
ARF 116.0 Market Risk
ARF 117.0 Repricing Analysis
ARF 117.1 Interest Rate Risk in the Banking Book
ARF 118.0 Off-balance Sheet Business
ARF 120.0 Standardised – Securitisation
ARF 120.1A to ARF 120.1C IRB – Securitisation
ARF 120.2 Securitisation – Supplementary Items
2. Statement of Financial Performance
ARF 330.0 Statement of Financial Performance
3. Statement of Financial Position
ARF 320.0 Statement of Financial Position – Domestic
ARF 321.0 Statement of Financial Position – Offshore Operations
ARF 322.0 Statement of Financial Position – Consolidated
ARF 323.0 Statement of Financial Position – Licensed
4. Provisions and Impaired Assets
ARF 220.0 Impaired Assets
ARF 220.3 Prescribed Provisioning
ARF 220.5 Movements in Provisions for Impairment
ARF 221.0 Large Exposures
ARF 222.0 Exposures to Related Entities
ARF 230.0 Commercial Property
 For non-disclosing entities the relevant period is four months.
 With respect to any matters of non-compliance, an appointed auditor should note section 16BA of the Act requires the auditor to immediately notify APRA of certain matters and to notify APRA as soon as practicable about certain other matters.
 Refer to section 11AF(2) of the Banking Act.