APRA Prudential Standard GPS 310 – Audit and Related Matters – Overview and Summary of Requirements
The APRA Prudential Standard GPS 310 requires Authorized Deposit-taking Institutions (ADIs) to provide the Australian Prudential Regulation Authority (APRA) access to independent advice from an auditor on matters relating to ADI operations and internal control processes.
The standard also details requirements that relating to the auditors’ roles and responsibilities.
1. Applicability
- The standard applies to all operations and activities of ADIs, including an ADI on level 1 basis and a group of which ADI is a level 2 member
- Foreign ADI’s Australian operations will be considered as a stand-alone ADI
- ADIs that are a part of a Non-Operating Holding Company (NOHC) are considered dealt with on a Level 2 basis
2. General Requirements
- The ADI must appoint an auditor who can be the same auditor who audits the ADI for the Corporations Act 2001 or another independent auditor.
- The auditor must ensure that:
- He/she complies with the Auditing and Assurance Standards Board (AUASB) except where they are inconsistent with requirements of prudential standards or when specified by the APRA
- He/she should give information to the APRA on request
- The cost of preparing and submitting reports, routine or special, must be borne by the ADI
- Information provided to the APRA must be complete and accurate – providing false and misleading data/information is a criminal offense
- The Auditor must satisfy the ADI’s fit and proper policy
3. Group Auditors
- When an ADI is a member of a Level 2 group and the group is headed by the ADI, both Level 1 and Level 2 purpose auditors may be used
- When an ADI is a member of a Level 2 group and the group is headed by an NOHC, both Level 1 and Level 2 purpose auditors may be used subject to approval by the Board in writing
4. Obligations of an ADI
An ADI:
- Must provide the APRA with all required information including the terms and conditions of the agreement with the auditor
- Must ensure that the appointed auditor has access to all data and information, reports and staff as and when needed
- Must ensure that the appointed auditor is fully informed of all prudential requirements and relevant Acts
- Must provide its Board with auditor reports and APRA comments and responses
- Must include review of policies, processes and controls for risk management in internal audit requirements
- Must allow the internal auditor to be represented in the tripartite meetings with APRA, ADI and Appointed Auditor
5. Risk Management Systems
- The Board must ensure that the ADI meets the statutory and prudential risk management requirements
- The APRA must be provided with a high level description of the key risk management policies and systems by the ADI
- The APRA must be provided with a declaration from the CEO within three months of the annual balance date of the ADI. This declaration must
- Identify the key risks of the ADI or Level 2 Group as appropriate
- Identify key risks of the foreign ADI’s operations in Australia in case of a foreign ADI
- Attest that systems have been established to manage and monitor risks
- Certify that risk management systems are working effectively and are adequately designed to control risks
- Attest that descriptions of risk management systems provided to the APRA are current and accurate
- The declaration must be complemented by an explanation from the CEO that has been endorsed by the Board
- If an ADI is the head of a Level 2 Group, the CEO’s explanations and declarations endorsed by the Board may deal with both the ADI on a Level 1 and Level 2 basis in the same document
- If the Level 2 group is headed by an entity other than an ADI, separate declarations and explanations must be provided by the CEO of:
- The ADI (covering the ADI on a Level 1 basis), endorsed by the Board
- The head entity (on a level 2 basis), endorsed by the entity’s Board
6. Appointed Auditor Responsibilities and Reports
- The appointed auditor must submit all reports directly to the APRA
- All assessments and other materials related to the report also must be directly submitted to the APRA
- The appointed auditor must refrain from notifying or providing information to the ADI if there is a possibility of:
- Jeopardizing the interests of depositors of the ADI
- A situation of mistrust between the auditor and the ADI Board or Senior Management
- The appointed auditor must not place sole reliance on work done by the APRA
- For a Level 2 group, the auditor must prepare reports, assessments and other related material based on either:
- both the ADI on a Level 1 basis and the Level 2 group provided it is clear where the appointed auditor is referring to matters relating to the ADI or the Level 2 group OR
- the ADI on a Level 1 basis and Level 2 group separately
- The auditor must submit to both the ADI Board and the APRA, within 3 months of the end of the financial year of the ADI, reports on:
- matters relating to APRA data collections
- internal controls at both Level 1 and Level 2 group
- The report on data collection must be:
- for those collections where the data are sourced only from accounting records: the auditor must provide reasonable assurance that the information is reliable and compliant with prudential standards
- for those collections where the data are sourced only from non-accounting records – auditor must give limited assurance about reliability and compliance of the information
- for those collections where the data are sourced from a combination of accounting and non-accounting records – auditor must provide reasonable assurance about the reliability and compliance of this information
- The auditor must provide limited assurance that ADI has internal controls that are compliant with prudential standards and has provided reliable data to the APRA in reporting forms
- The auditor must also provide limited assurance that these internal controls have performed effectively through the financial year
Special Purpose Engagements
- The APRA can require an ADI to appoint an auditor to provide a report on the ADI’s operations, prudential reporting, risk management systems or financial position
- The auditor in such instances may be the ADI’s existing external auditor or a new one
- The ADI will receive a notice in writing from the APRA requiring such an action to be taken
- The auditor will be required to submit the report within 3 months of the date of commissioning the report to both the APRA and the ADI Board.
Additional Resources
Compliance Trainings
Pregnancy in the Workplace: Strategies to Protect Your Organization from Pregnancy Discrimination Claims
By - Christopher W. Olmsted
On Demand Access Anytime
By - Christopher W. Olmsted
On Demand Access Anytime
How to Vet an IRB: Expose and Fix Problems Before They Threaten Your Trial
By - Madhavi Diwanji
On Demand Access Anytime
By - Madhavi Diwanji
On Demand Access Anytime
Compliance Standards
You Recently Viewed
