The year ended 31 December 2010 concludes the first year of reporting by external auditors under the revised Prudential Standard APS 310 Audit and Related Matters (APS 310). APRA has reviewed the quality of APS 310 auditor reports for authorised deposit-taking institutions (ADIs) received during 2010 and feedback on these reports was the subject of discussions with auditors at an APRA auditor liaison meeting in February 2011.
This letter seeks to clarify for auditors APRA’s expectations on the following matters:
- a General and Specific Observations appendix to the auditor’s report should be used to highlight any material internal control weaknesses or other reporting issues that are not qualifications;
- auditors should start from the premise that all data reported to APRA are sourced from accounting records and so require a reasonable assurance opinion;
- the ADI reporting form ARF 230.0 Commercial Property should be subject to a reasonable assurance sign-off by auditors;
- a qualified ‘except for’ opinion or a disclaimer of opinion should be issued in certain circumstances; and
- detail should be provided on the level of reliance by the external auditor on the work of internal audit in APS 310 reporting.
Further detail on these matters is set out in the attachment.
This letter is relevant for assurance engagements undertaken in relation to reporting periods commencing on or after 1 July 2011, although earlier adoption of the guidance is encouraged where this is possible. The letter should be read in conjunction with the Guidance Statement GS 012 Prudential Reporting Requirements for Auditors of Authorised Deposit-taking Institutions (GS 012) issued by the Auditing and Assurance Standards Board. APRA envisages that much of the material within the letter will be incorporated within a revision to GS 012 at a later date.
If you have any questions, please contact your APRA Responsible Supervisor.
1. General principle
Irrespective of the format of the report, a good quality report will show evidence of both objective and critical review. An example of this would be the identification of internal control deficiencies that may individually, or in aggregate, be material. The evaluation of the severity of a deficiency in internal controls depends on the auditor’s assessment of the likelihood of an underlying risk management / compliance breakdown that could lead to potential breaches of a prudential standard and other bases for qualifications in future. The auditor is not restricted to identifying internal control deficiencies in instances where a misstatement or non-compliance with a prudential requirement has actually occurred (refer to paragraphs 160-163 of GS 012).
2. Detail on the level of reliance on the work of internal audit and APRA reviews
The General Observations in the General and Specific Observations appendix (see Section B below) would include the scope of the audit and review and would normally allow supervisors to ascertain the extent of reliance on an ADI’s internal audit work and APRA reviews, to inform a judgment about whether there is over-reliance on these sources (refer to paragraphs 91-98 of GS 012).
It is good practice for an external auditor to provide a general commentary on areas where internal audit has been involved in the performance of audit procedures on which the external auditor has relied, and the extent of any reperformance work by the external auditor.
B. Use of appendices
1. Use of a ‘General and specific observations’ appendix
APRA recommends that a ‘General and specific observations’ appendix be used to highlight material internal control weaknesses and other reporting issues that are not current year qualifications, and also to update APRA on the status of previous qualifications and observations.
General observations are matters arising from the review and analysis of governance frameworks, behaviours, skills and performance of the ADI staff, which were obtained in gaining an understanding of the control environment and subsequent audit tasks.
Specific observations are the matters detected from the examination of the systems, internal controls and tests conducted in the course of the audit specific to the reported items and prudential compliance. These will include relevant material management letter points as previously reported.
This appendix forms the basis for auditors to report emerging issues and other relevant material information to APRA.
2. Appendix addressing qualifications
To assist it in monitoring the progress of institutions in remedying qualifications in the report, APRA suggests that auditors provide an appendix containing recommendations/observations and management responses to qualifications and observations.
3. Follow-up procedures
APRA expects that an ADI would establish procedures to ensure that it follows-up on remediation of prior auditor qualifications and observations, and would periodically advise its Responsible Supervisor of progress in this regard. APRA considers it good practice that the auditor includes details of follow-up reviews of outstanding issues in an appendix in the following year’s APS 310 report. This appendix would deal in particular with the success or otherwise of the remediation steps undertaken by the ADI.
4. Suggested format and order of APS 310 Reports
To achieve some consistency in the presentation of the various accompanying appendices, experience suggests that the following format is effective for ADIs, APRA supervisors and auditors.
- APS 310 report
- Appendix 1: Scope limitations and other qualifications. This may also be included in the body of the audit report.
- Appendix 2: Reporting forms listing: accounting and non-accounting records. APRA’s preference is for a summary schedule to be included in Appendix 2 that lists the specific title, number and date submitted of each relevant ADI reporting form, based on those specified in Attachment A of APS 310, and indicates whether such forms contain information sourced from accounting records and/or non-accounting records.
The date that each relevant ADI reporting form was submitted, as required in Appendix 4 "Example Auditor's Report" of GS 012, would be disclosed in the summary schedule. The auditor can obtain the return submission date advised by APRA for each relevant ADI reporting form from the ADI for this purpose.
In addition, the relevant reporting forms should be attached where the auditor is not preparing a sole Part A or Part B Opinion, i.e. the form is subject to a partial Part A or Part B Opinion or a Scope Limitation. The individual sections/items subject to the auditor’s Part A Opinion, Part B Opinion or Limitation on Scope should be clearly identified.
- Appendix 3: Recommendations and management responses to qualifications (as above)
- Appendix 4: General and specific observations (as above)
- Appendix 5: Management letter (used in some instances as an alternative to Appendix 4)
C. Data sourced from accounting/non-accounting records
1. Consistency in approaches across audit firms
It has become evident that there are differences between audit firms and within firms as to whether the data in the respective forms originate from accounting or non-accounting records. This was based on a review of most banks and a selection of several credit unions, building societies and branches of foreign banks. The inconsistency relates to the classification of data reported in the forms listed in Attachment A of APS 310 as part of the APRA data collections, where the data may be sourced only from accounting records, only from non-accounting records, or a combination of accounting and non-accounting records (‘the relevant reporting forms’).
APRA’s preferred approach is that firms classify most of the relevant reporting forms as the ‘Part A’ classification (data sourced from accounting records). This approach is supported in paragraph 104 of GS 012: ‘APRA’s expectation is that most of the information reported in the ADI Reporting Forms specified in Attachment A to APS 310, fall within the scope of the reasonable assurance opinion (Part A of the Auditor’s Prudential Assurance Report).’
2. Guiding principles in approaches
As a general rule, auditors should start with the premise that all data reported in the relevant reporting forms are sourced from accounting records and are to be regarded as ‘Part A’ data sourced from accounting records. In line with paragraph 104 of GS 012, APRA’s expectation is that most of the information reported in the ADI reporting forms specified in Attachment A to APS 310 fall within the scope of the reasonable assurance opinion (Part A of the Auditor’s Annual Prudential Assurance Report).
The broad characteristics of data sourced from accounting records include the following:
- the data reported in the relevant reporting forms can be reconciled without material adjustments to data in the financial report. This includes nil reporting forms where reasonable assurance can still be provided that the form should be nil;
- the data ordinarily include all data used by an ADI to manage its financial affairs and to report the results of its operations and its financial position in its financial report (refer to paragraphs 100 and 101 of GS 012). It is usual practice that much of the key data reported to APRA will also be reported to management in managing the ADI’s financial affairs;
- the data include data items that involve additional examination, computation, re-classification or segmentation (refer to paragraph 107 of GS 012); and
- the auditor is able to obtain sufficient appropriate audit evidence to provide reasonable assurance that the data sourced from accounting records are not materially misstated.
Please refer to Table 1 for examples of reporting forms for ‘standardised’ ADIs that are to be regarded as ‘Part A’ forms. (Please refer to paragraph 106 of GS 012 for guidance relating to ‘advanced’ ADIs and data derived from risk management systems, which may be treated as being sourced from non-accounting records).
3. Observations on ADI reporting forms to be generally regarded as ‘Part A’ forms
APRA would generally expect commercial property exposures and impaired asset data to be regularly reviewed by management in managing an ADI’s financial affairs. Therefore, the related ADI reporting forms should generally be regarded as ‘Part A’ forms.
ARF 230.0 Commercial Property
ADIs are only required to submit this form on a semi-annual basis (as at the last day of September and March). Many auditors do not include this form in the APS 310 audit for entities with 30 June year-ends.
If the return is not submitted at the entity’s balance date, the most recent return submitted should be included in the APS 310 report, as per paragraph 61 of GS 012 that states: ‘The appointed auditor identifies the most recent year-end ADI Reporting Forms submitted to APRA for audit and/or review.’ APRA considers it essential that this form is subject to normal year-end audit procedures and reasonable assurance is provided on the most recent return submitted. Enabling such audit work may require the ADI to implement additional ‘year-end’ accounting and reconciliation processes.
ARF 220.0 Impaired Facilities
It is a matter for the auditor’s professional judgement as to whether to categorise the data reported as ‘security held’ as ‘Part A’ (data sourced from accounting records) or as ‘Part B (data sourced from non-accounting records). Paragraph 15 of AASB 7 Financial Instruments: Disclosures (AASB 7) requires disclosure of the fair value of the collateral held, or the fair value of collateral sold or repledged, and the terms and conditions associated with the entity’s use of collateral.
In relation to financial assets that are either past due or impaired, AASB 7 paragraph 37(c) provides that fair values need not be disclosed (only a description provided) when it is impracticable1 to do so i.e. the collateral collection and recording systems are not sufficiently robust.
Some ADIs have commented in their recent financial statements that it has not been practicable to determine the fair values of collateral held against certain past due loans. If the value of ‘security held’ cannot be reconciled without material adjustments to financial report disclosures, this item of data should be deemed to be data sourced from non-accounting records.
4. Exceptions to the general rule
Either a qualified ‘except for’ opinion (in practice a limitation of scope usually results in this type of opinion) or a disclaimer of opinion (in extremely rare circumstances) may be expressed in circumstances when a scope limitation exists and the auditor has exhausted all effective alternative means of obtaining sufficient appropriate audit evidence to provide reasonable assurance on the data sourced from accounting records.
APRA’s expectation is that a qualified ‘except for’ opinion should only be expressed in instances where there are one or two types of data in a form, or one or two issues across a number of forms, for which sufficient appropriate audit evidence cannot be obtained in order to form an opinion in relation to the specified information, and where nearly all other data items in the relevant reporting form/s are classified as being data sourced from accounting records. If there are many types of data in a form for which sufficient appropriate audit evidence cannot be obtained to provide a basis for the opinion, and the auditor concludes that the possible effects on the APS 310 report of undetected misstatements, if any, could be both material and pervasive, then the auditor should disclaim an opinion. If such a disclaimer of opinion is being considered, it is recommended that the auditor advise the APRA Responsible Supervisor as it is likely to indicate a breakdown of internal controls. There are also considerations for breach reporting obligations under section 16BA of the Banking Act 1959.
Please refer to Table 2 for some examples of scope limitations, and refer to paragraphs 7(b), 9, 10, 23 and other paragraphs as applicable in the Auditing Standard ASA 705 Modifications to the Opinion in the Independent Auditor's Report.
5. Data sourced from non-accounting records – ‘Part B’ classification
There are instances where the data reported in the relevant reporting forms are the output of systems that are not used by an ADI for financial management and financial reporting, and are not readily reconcilable to financial report information (refer to paragraph 102 and 106 of GS 012).
The broad characteristics of data sourced from non-accounting records include the following:
- the data cannot be reconciled to the data in the financial report and are not used to manage the financial affairs of the ADI. The data may be used by management as part of risk assessment and the risk management process;
- in limited instances, data used by an ADI to manage its financial affairs are to be regarded as data sourced from non-accounting records. Loan-to-valuation ratios on which risk-rating for loans are based is one example. In such instances, data are reported based on definitions provided by APRA that are not necessarily identical to the concepts defined in the Australian Accounting Standards for related assets, liabilities and equity items; and
- in relation to reporting forms for ‘advanced’ ADIs, the data are sourced from internal risk measurement models (refer to paragraphs 106 and 132-135 of GS 012).
APRA’s expectation is that the auditor would provide a brief summary paragraph, in Appendix 2 after the summary schedule of reporting forms, containing reasons for coming to the view that data are sourced from non-accounting records. (Please refer to paragraph 103 of GS 012 for more guidance on the auditor’s responsibility to make an assessment of whether or not a data item has been sourced from accounting records). It is not APRA’s intention to enforce any particular approach for individual reporting forms, but rather to develop its position concerning the types of opinions that are appropriate given the information and reasons put forward by the auditor.
Please refer to Table 3 for some examples of data sourced from a combination of accounting and non-accounting records – i.e. ‘Part A and Part B’ classification.
D. Qualifications and scope limitations
Qualifications from previous years’ reports need not be reiterated in the current report unless the matters have not been addressed in the current year in a timely manner.
The ‘General and specific observations’ appendix will be used to update APRA on the status of previous qualifications (see section B above).
||Why Part A|
|ARF 110.0 Captial Adequacy
||Section A: Contains items derived from the balance sheet.
||Sections B-D: Contains items requiring additional calculations in associated forms that are deemed to be sourced from accounting records per paragraph 107 of GS 012.|
|ARF 114.0 Standardised - Operational Risk
||All line items
||The assets reported in Sections A and B, and the income and income adjustments reported in Section C, are all derived from accounting records. Section D contains derived fields that are deemed to be sourced from accounting records per paragraph 107 of GS 012|
|ARF 118.0 Off-Balance Sheet Business
||All line items
||Derivative amounts and liquidity support facilities derived from the balance sheet and notes to the financial statements.|
||Why Part A
Qualified 'except for' opinion
|ARF 220.0 Impaired Facilities
All line items with the exception of:
- the balances by Australian residency status; and
- ‘security held’ if the value is not reconcilable to the financial report (Part B opinion may apply).
|APS 220 requires ADIs to classify their impaired facilities as (1) non accrual items, (2) restructured items or (3) other assets acquired through security enforcement (including other real estate owned) –reclassification based on prudential assumptions and criteria is deemed by paragraphs 100 and 107 of GS 012 to be data sourced from accounting records.
||Segmentation of asset and liability balances by Australian residency status - not feasible to obtain sufficient and appropriate audit evidence to reconfirm residency status and classification after the initial customer application process.|
|ARF 230.0 Commercial Property
||All line items
||The dissection of exposures according to the type of commercial property market/catergories is re-classification or segmentation that is deemed by paragraphs 100 and 107 of GS 012 to be data sourced from accounting records.
|ARF 320.0/321.0/3 22.0/323.0 Statement of Financial Position
||All items with the exception of asset and liability balances sepmented by Australian residency status in ARF 320.0
||the dissection of loans and deposits by categories including households and private incorporated businesses is re-classification or segmentation that is deemed by paragraphs 100 and 107 of GS 012 to be data sourced from accounting records.
||ARF 320.0 only: Segmentation of asset and liability balances by Australian residency status - not feasible to obtain sufficient and appropriate audit evidence to reconfirm residency status and classification after the initial customer application process.|
|ARF 330.0 Statement of Financial Performance
||All items can be agreed to the accounting records.
||Reasonable assurance on data sourced from accounting records and limited assurance on data sourced from non-accounting records |
||Part A items
||Why Part A
||Why Part 8|
|ARF 112.1A Standardised Credit Risk - On-balance Sheet Exposures
||All items in Column 1 'Exposures before CRM' except for all the items listed at 4. Class IV - Claims secured against eligible residential mortgages
||The balance sheet values in total by asset class could be agreed to the accounting records.
||Column 2 'Exposures after CRM' and all the items listed at 4. Class IV - Claims secured against eligible residential mortgages: the risk-rating for loans based on the loan-to-valuation ratio (LVR) and the Credit Risk Mitigation (CRM) rechniques used by the ADI are based on criteria that are not recorded in accounting records (per paragraph 108 of GS 012).|
|ARF 117.0 Repricing Analysis
||All items in Column 1
||The amounts can be agreed to the accounting records.
||Other columns except for Column 1: Assumptions used for th allocated fo the balances into the time buckets if not using contractual maturity i.e. the amount of principal of than item that is expected to reprice during that time period (per paragraph 108 of GS 012).|
1. AASB Glossary of Defined Terms states: ‘Applying a requirement is impracticable when the entity cannot apply it after making every reasonable effort to do so.’