Prudential standard

3PS 310 Audit and Related Matters

  • Cross-industry
  • Current
    1 July 2017
Prudential framework pillars
Governance
Audit
Supporting

About this standard

This standard requires a level 3 head to appoint an auditor to provide independent advice. Level 3 heads must specify the Appointed Auditor's terms of engagement in a written contract. Level 3 heads must ensure the Appointed Auditor is able to fulfil their responsibilities within specified timeframes.

This standard supports CPS 510 Governance, which is a core standard in the Governance Pillar. It applies to each level 3 head.

Objectives and key requirements of this Prudential Standard

This Prudential Standard requires a Level 3 Head to obtain and make available to APRA independent advice from an auditor relating to the operations, internal controls and information provided to APRA in respect of the Level 3 Head and the Level 3 group.
The ultimate responsibility for providing impartial advice in relation to the operations, financial condition and internal controls of a Level 3 group rests with the Appointed Auditor. This advice is designed to assist the Board of a Level 3 Head and senior management of the Level 3 group in carrying out their responsibility for the sound and prudent management of the group.
The key requirements of this Prudential Standard are that a Level 3 Head must:
  • appoint an auditor to undertake the functions set out in this Prudential Standard;
  • specify the roles and responsibilities of the Appointed Auditor; and
  • ensure that, as appropriate, the Appointed Auditor is able to fulfil its responsibilities in accordance with this Prudential Standard.
The requirements in this Prudential Standard are in addition to the obligations imposed on prudentially regulated institutions under other Prudential Standards.
Preamble

Banking, Insurance and Life Insurance (prudential standard) determination No. 4 of 2016

Prudential Standard 3PS 310 Audit and Related Matters
Banking Act 1959
Insurance Act 1973
Life Insurance Act 1995
I, Wayne Byres, delegate of :
  (a) under subsection 11AF(1) of the Banking Act 1959 DETERMINE Prudential Standard 3PS 310 Audit and Related Matters in the form set out in the Schedule, to the extent that it applies to all ADIs and authorised banking NOHCs;
  (b) under subsection 32(1) of the Insurance Act 1973 DETERMINE Prudential Standard 3PS 310 Audit and Related Matters in the form set out in the Schedule, to the extent that it applies to all general insurers, authorised insurance NOHCs, and subsidiaries of general insurers and authorised insurance NOHCs; and
  (c) under subsection 230A(1) of the Life Insurance Act 1995 DETERMINE Prudential Standard 3PS 310 Audit and Related Matters in the form set out in the Schedule, to the extent that it applies to all life companies, friendly societies, registered life NOHCs, and subsidiaries of life companies and registered life NOHCs.
This instrument commences on 1 July 2017.
Dated: 8 September 2016
[Signed]
Wayne Byres
Chairman

Interpretation

In this Determination:
ADI has the meaning given in section 5 of the Banking Act 1959.
APRA means the Australian Prudential Regulation Authority.
authorised banking NOHC has the meaning given to the expression authorised NOHC in section 5 of the Banking Act 1959.
authorised insurance NOHC has the meaning given to the expression authorised NOHC in subsection 3(1) of the Insurance Act 1973.
friendly society has the meaning given in section 16C of the Life Insurance Act 1995.
general insurer has the meaning given in section 11 of the Insurance Act 1973.
life company has the meaning given in the Schedule to the Life Insurance Act 1995.
registered life NOHC has the meaning given to the expression registered NOHC in the Schedule to the Life Insurance Act 1995.

Schedule

Prudential Standard 3PS 310 Audit and Related Matters comprises the 7 pages commencing on the following page.

Prudential Standard 3PS 310

Audit and Related Matters

Authority

This Prudential Standard is made under:
  (a) section 11AF of the Banking Act 1959 (Banking Act);
  (b) section 32 of the Insurance Act 1973 (Insurance Act); and
  (c) section 230A of the Life Insurance Act 1995 (Life Insurance Act).
In this Prudential Standard, the term ‘Prudential Acts’ is used to refer to the Banking Act, the Insurance Act and the Life Insurance Act.

Application

This Prudential Standard applies to each Level 3 Head.
This Prudential Standard commences on 1 July 2017.

Interpretation

Terms that are defined in Prudential Standard 3PS 001 Definitions appear in bold the first time they are used in this Prudential Standard.
Where this Prudential Standard provides for APRA to exercise a power or discretion, this power or discretion is to be exercised in writing.
APRA means the Australian Prudential Regulation Authority.

General requirements

For the purposes of this Prudential Standard, a Level 3 Head must appoint a group auditor. This ‘Appointed Auditor’ may be the same auditor who audits a Level 3 Head for the purposes of the Corporations Act 2001. Separate auditors may be appointed to undertake the different engagements provided for in this Prudential Standard. APRA may also require a Level 3 Head to appoint another auditor, in addition to any auditor already appointed by the Level 3 Head, for the purposes of this Prudential Standard.
A Level 3 Head must ensure that the terms of engagement of the Appointed Auditor are set out in writing in a legally binding contract between the Level 3 Head and the Appointed Auditor and that the terms of engagement:
  (a) require the Appointed Auditor to fulfil the roles and responsibilities of the Appointed Auditor as specified in this Prudential Standard and in the manner specified in this Prudential Standard; and
  (b) require the Appointed Auditor, in meeting its role and responsibilities, to comply with Australian Auditing and Assurance Standards and Guidance issued from time to time by the Auditing and Assurance Standards Board (AUASB) except where:
    (i) they are inconsistent with the requirements of this Prudential Standard, in which case this Prudential Standard prevails; or
    (ii) APRA otherwise specifies to the Level 3 Head that alternative standards and guidance must be used by the Appointed Auditor.
A Level 3 Head must use all reasonable endeavours to ensure the Appointed Auditor complies with the terms of engagement contained in paragraphs 8(a) and 8(b) of this Prudential Standard.
For the purposes of this Prudential Standard, ‘reasonable assurance’ and ‘limited assurance’ have the meanings given in the Framework for Assurance Engagements issued by the AUASB.
The costs of preparing and submitting reports, documents and other material required by this Prudential Standard, whether routine or as part of a special purpose engagement (refer to paragraphs 26 to 31), must be borne by the Level 3 Head.
Persons involved in the provision of information (including the Appointed Auditor, officers and employees of a Level 3 Head and Level 3 institutions in the Level 3 group) must note that it is an offence under subsection 137.1 and 137.2 of the Criminal Code 1995 to provide, whether directly or indirectly, false and misleading information to a Commonwealth entity such as APRA.

Fitness and propriety of the Appointed Auditor

A Level 3 Head must ensure that its Appointed Auditor:
  (a) is a fit and proper person in accordance with the Level 3 Head’s Fit and Proper Policy as required by Prudential Standard CPS 520 Fit and Proper, including those requirements that apply specifically to the auditor;
  (b) satisfies the auditor independence requirements in Prudential Standard CPS 510 Governance; and
  (c) is not subject to a direction or order issued under the Prudential Acts.
[1] Such as under subsection 17(2) or 21(1) of the Banking Act, section 49R of the Insurance Act and subsection 230B(2) of the Life Insurance Act.

Responsibilities of a Level 3 Head

A Level 3 Head, if requested by APRA, must within a reasonable time provide APRA with the Appointed Auditor’s terms of engagement and related instructions or correspondence, including management letters.
A Level 3 Head must ensure that the Appointed Auditor has access to all data, information, reports and staff of the Level 3 group that the Appointed Auditor reasonably believes is necessary to fulfil its role and responsibilities under this Prudential Standard. This includes access to the Board and Board Audit Committee of the Level 3 Head, and the auditors of Level 3 institutions in the Level 3 group as required.
A Level 3 Head must ensure that its Appointed Auditor is fully informed of all prudential requirements applicable to the Level 3 Head. Prudential requirements include requirements imposed by the Prudential Acts, regulations, prudential standards, the Financial Sector (Collection of Data) Act 2001 (FSCODA), reporting standards, conditions on authority and any other requirements imposed by APRA in relation to a Level 3 Head. In addition, the Level 3 Head must ensure that the Appointed Auditor is provided with any other information APRA has provided to the Level 3 Head that may assist the Appointed Auditor in fulfilling its role and responsibilities under this Prudential Standard.
A Level 3 Head must ensure that its Board or Board Audit Committee are provided with:
  (a) reports provided by the Appointed Auditor in accordance with this Prudential Standard, and any associated assessments and other material provided by an Appointed Auditor to the Level 3 Head on request;
  (b) commentary or responses provided by APRA to the Level 3 Head on reports provided by the Appointed Auditor, and any associated assessments and other material; and
  (c) any commentary or response on the reports, associated assessments and other material provided by the Appointed Auditor that are given by the Level 3 Head to APRA.

Internal audit

A Level 3 Head must ensure that the scope of its internal audit includes a review of the policies, processes and controls put in place by management to ensure compliance with APRA’s prudential requirements.
A Level 3 Head must allow its internal auditor to be represented in meetings with APRA, the Level 3 Head and its Appointed Auditor.

Meetings with the Appointed Auditor

APRA’s liaison with an Appointed Auditor will normally be conducted under arrangements involving APRA, the Level 3 Head and the Appointed Auditor. APRA and an Appointed Auditor may meet, at any time, on a bilateral basis at the request of either party.
For the purposes of this Prudential Standard, it is the responsibility of an Appointed Auditor to attend all meetings with APRA related to this Prudential Standard, whether:
  (a) on a bilateral basis between APRA and the Appointed Auditor;
  (b) between APRA, the Level 3 Head and the Appointed Auditor; or
  (c) on any other basis which APRA may specify to the Appointed Auditor,
unless APRA indicates otherwise. It is also the responsibility of an Appointed Auditor to supply all information and documents requested by APRA relevant to the Level 3 Head and Level 3 group.

Responsibilities of the Appointed Auditor

It is the responsibility of an Appointed Auditor to submit directly to APRA:
  (a) all reports required to be produced under this Prudential Standard; and
  (b) all assessments and other material associated with the reports, if requested by APRA.
Such reports, assessments and other material must be prepared by the Appointed Auditor on the basis that APRA may rely upon them in the performance of its functions under the Prudential Acts.
The responsibilities of an Appointed Auditor include an obligation to refrain from notifying the Level 3 Head of, or from providing the Level 3 Head with, the documents referred to in paragraph 22 of this prudential standard, where:
  (a) the Appointed Auditor considers that by doing so the interests of depositors, policyholders or RSE beneficiaries of prudentially regulated institutions within the Level 3 group would be jeopardised; or
  (b) there is a situation of mistrust between the Appointed Auditor and the Board of the Level 3 Head or senior management of the Level 3 group.
As part of its responsibilities, an Appointed Auditor in preparing reports, whether as part of routine or special purpose engagements (refer to paragraphs 26 to 31), must not place sole reliance on the work performed by APRA.

Reports by the Appointed Auditor

Unless otherwise instructed by APRA, reports, assessments and other material required by this Prudential Standard must make it clear where the Appointed Auditor is referring to matters relating to the Level 3 Head or the Level 3 group.

Routine reports

The responsibilities of the Appointed Auditor include reporting simultaneously (subject to paragraph 23) to APRA and the Board or Board Audit Committee of the Level 3 Head, within three months of the end of the financial year of the Level 3 Head, on:
  (a) matters relating to APRA data collections; and
  (b) internal controls at a Level 3 basis,
as referred to in paragraph 27. For this purpose, ‘APRA data collections’ means any data collected in accordance with FSCODA.
[2] For a Level 3 Head that is an ADI or non-operating holding company authorised under the Banking Act that is not a disclosing entity within the meaning of the Corporations Act 2001, the relevant period is four months.
An Appointed Auditor’s responsibilities must specifically include reporting as follows:
APRA data collections
  (a) for those collections where the data are sourced only from accounting records – the Appointed Auditor must provide reasonable assurance that the information in these collections at the financial year-end is reliable and in accordance with the relevant prudential standards and reporting standards;
  (b) for those collections where the data are sourced only from non-accounting records – unless otherwise indicated by APRA, the Appointed Auditor must provide limited assurance that the information in these collections at the financial year-end is reliable and in accordance with the relevant prudential standards and reporting standards;
[3] The level of assurance required by this Prudential Standard does not override the assurance requirements for an individual prudentially regulated institution.
  (c) for those collections where the data are sourced from a combination of accounting and non-accounting records – unless otherwise indicated by APRA, the Appointed Auditor must provide reasonable assurance for information sourced from accounting records, and limited assurance that information sourced from non-accounting records at the financial year-end is reliable. This must be in accordance with the relevant prudential standards and reporting standards;
[4] Refer to footnote 3.
Internal controls relating to prudential requirements
  (d) an Appointed Auditor must provide limited assurance that the Level 3 Head has controls that are designed to ensure that the Level 3 Head:
    (i) has complied with all applicable prudential requirements; and
    (ii) has provided reliable data to APRA in the reporting forms prepared under FSCODA,
  and, in relation to (i) and (ii), the Appointed Auditor must also provide limited assurance that these controls have operated effectively throughout the financial year; and
Compliance with prudential and reporting requirements
  (e) a report must take the form of limited assurance, based on the Appointed Auditor’s work in (a) to (d) above, that the Level 3 Head has complied with all relevant prudential and reporting requirements under the Prudential Acts and FSCODA, including compliance with prudential standards and reporting standards during the financial year.
[5] With respect to any matters of non-compliance, an Appointed Auditor should note section 16BA of the Banking Act, section 49A of the Insurance Act, and section 132A of the Life Insurance Act, which require the auditor to immediately notify APRA of certain matters and to notify APRA as soon as practicable about certain other matters.
The reporting requirements in paragraph 27 only apply to audit engagements undertaken for the purposes of this Prudential Standard. Where an auditor is engaged for the purposes of another Prudential Standard, the engagement must ensure that the requirements of that other Prudential Standard are met.

Special purpose engagements

APRA may require a Level 3 Head to appoint an auditor, who may be the existing Appointed Auditor or another auditor (which may be determined by APRA), to provide a report on a particular aspect of the Level 3 group’s operations, prudential reporting, risk management systems or financial position. Such a report will normally only be required following consultation with the Level 3 Head. APRA may, however, require such a report without prior consultation with the Level 3 Head.
The responsibilities of an Appointed Auditor for a special purpose engagement include an obligation to provide limited assurance on the matters upon which the Appointed Auditor is required to report, unless otherwise determined by APRA and advised to the Level 3 Head.
Under the responsibilities of an Appointed Auditor for a special purpose engagement, the auditor’s report must be submitted within three months of the date of the notice commissioning the report, simultaneously to APRA and to the Board (or Board Audit Committee) of the Level 3 Head, unless otherwise determined by APRA and advised to the Level 3 Head (subject to paragraph 23).

Adjustments and exclusions

APRA may adjust or exclude a specific requirement in this Prudential Standard in relation to the Level 3 Head.
[6] Refer to subsection 11AF(2) of the Banking Act, subsection 32(3D) of the Insurance Act and subsection 230A(4) of the Life Insurance Act.