APRA's revised prudential standard on audit requirements for ADIs (APS 310) requires that APRA be provided with “independent advice” from an ADI's auditor in relation to its operations and risk control environment, as well as assurance that data provided to APRA are reliable.
The prudential standard applies to financial years beginning on or after 1 January 2009.
Within three months of its annual balance date, an ADI must provide APRA with a risk management declaration from its CEO endorsed by the Board.
Key requirements of the prudential standard include:
- ADIs must formally appoint an auditor for prudential purposes (which can be the same as the auditor employed for financial statement audits). APRA may require (by notice in writing) that an ADI appoint another auditor in addition to existing auditors for the purposes of this standard.
- The auditor’s terms of engagement must be set out in a legally binding contract between the ADI and appointed auditor, including compliance with the standard, Auditing Standards and Guidance issued by the Auditing and Assurance Standards Board.
- The appointed auditor must meet APRA's fit and proper and independence requirements.
- The Board and CEO must, as part of the risk management declaration, attest that for the financial year:
(a) they have identified the key risks of the ADI;
(b) they have established systems to monitor and manage those risks including, where appropriate, by setting and requiring adherence to a series of prudent limits, and by adequate and timely reporting processes;
(c) the risk management systems are operating effectively and are adequate having regard to the risks they are designed to control; and
(d) the descriptions of risk management systems provided to APRA are accurate and current.