Health Insurance (prudential standard) determination No. 8 of 2023
Prudential Standard HPS 310 Audit and Related Matters
Private Health Insurance (Prudential Supervision) Act 2015
I, Helen Rowell, a delegate of APRA:
(a) under subsection 92(5) of the Private Health Insurance (Prudential Supervision) Act 2015 (the PHIPS Act) revoke Health Insurance (prudential standard) determination No. 1 of 2019, including Prudential Standard HPS 310 Audit and Related Matters made under that Determination; and
(b) under subsection 92(1) of the PHIPS Act determine Prudential Standard HPS 310 Audit and Related Matters, in the form set out in the Schedule, which applies to all private health insurers.
This instrument commences on 1 July 2023.
Dated: 24 May 2023
[Signed]
Helen Rowell
Deputy Chair
Interpretation
In this instrument:
APRA means the Australian Prudential Regulation Authority.
private health insurer has the meaning given in section 4 of the PHIPS Act.
Schedule
Prudential Standard HPS 310 Audit and Related Matters, comprises the document commencing on the following page.
- This Prudential Standard is made under subsection 92(1) of the Private Health Insurance (Prudential Supervision) Act 2015 (the Act).
2. This Prudential Standard applies to all operations and activities of private health insurers registered under the Act.
3. All private health insurers must comply with this Prudential Standard in its entirety, unless otherwise expressly indicated.
4. This Prudential Standard applies to private health insurers from 1 July 2023.
5. Terms that are defined in Prudential Standard HPS 001 Definitions appear in bold the first time they are used in this Prudential Standard.
6. For the purposes of this Prudential Standard, a private health insurer must appoint an auditor (the Appointed Auditor).
7. A private health insurer must ensure the terms of engagement of the Appointed Auditor are set out in a legally binding contract between the private health insurer and the Appointed Auditor, including requirements that:
(a) the Appointed Auditor fulfils the roles and responsibilities of the Appointed Auditor as specified in this Prudential Standard and in the manner specified in this Prudential Standard;
(b) the Appointed Auditor, in meeting its role and responsibilities to comply with the relevant Standards and Guidance issued from time to time by the AUASB (AUASB standards and guidance) to the extent they are not inconsistent with this Prudential Standard. If they are inconsistent:
(i) this Prudential Standard prevails; or
(ii) APRA may notify the private health insurer, in writing, that alternative standards and guidance must be used by the Appointed Auditor.
8. A private health insurer must ensure its Appointed Auditor has access to all relevant data, information, reports and staff of the private health insurer that its Appointed Auditor reasonably believes are necessary to fulfil his or her responsibilities. This will include access to the private health insurer’s Board, Board Audit Committee and Internal Auditors, and any information APRA has provided to the private health insurer, as required.
9. A private health insurer must take all reasonable steps or make necessary arrangements to ensure its Appointed Auditor has access to contractors of the private health insurer that its Appointed Auditor reasonably believes are necessary to fulfil his or her responsibilities.
10. A private health insurer must ensure that its Appointed Auditor:
(a) is a fit and proper person in accordance with the private health insurer’s fit and proper policy as required by Prudential Standard CPS 520 Fit and Proper, including those requirements that apply specifically to the Appointed Auditor; and
(b) satisfies the Auditor independence requirements in Prudential Standard CPS 510 Governance; and
(c) satisfies the eligibility and independence criteria in the Corporations Act 2001.
11. A private health insurer must engage the Appointed Auditor to prepare an annual report that at a minimum, must address:
(a) reasonable assurance regarding:
(i) the annual financial statements of the private health insurer prepared in accordance with relevant Australian Accounting Standards issued by the Australian Accounting Standards Board (AASB);
(ii) the annual information, relating to the private health insurer, required under the reporting standards made by APRA under the Financial Sector (Collection of Data) Act 2001 (FSCODA) that are identified in Table 1 of Attachment A as requiring reasonable assurance;
(iii) the quarterly information, relating to the private health insurer, required under the reporting standards made by APRA under FSCODA that are identified in Table 2 of Attachment A as requiring reasonable assurance; and
(b) limited assurance regarding:
(i) the annual information, relating to the private health insurer, required under the reporting standards made by APRA under FSCODA that are identified in Attachment A as requiring limited assurance; and
(ii) the private health insurer’s systems, procedures and internal controls that are designed to ensure that the private health insurer has complied with all applicable prudential requirements are adequate, has operated effectively throughout the year of income, and has provided reliable data to APRA as required under the reporting standards prepared under FSCODA (including those provided quarterly and semi-annually, except those listed in Table 2 of Attachment A).
12. For the purposes of this Prudential Standard, ‘reasonable assurance’ and ‘limited assurance’ are defined in accordance with the Framework for Assurance Engagements issued by the AUASB.
13. A private health insurer must ensure that the Appointed Auditor, when preparing a report or assessment required under this Prudential Standard (whether as part of routine or special purpose engagement):
(a) does so on the basis that APRA may rely upon the report in the performance of its functions under the Act; and
(b) exercises independent judgement and not place sole reliance on the work performed by APRA.
14. A private health insurer must ensure its Appointed Auditor, or an auditor appointed under paragraph 21 (special purpose engagement auditor), retains all working papers and other documentation in relation to the prudential requirements of the private health insurer for a period of seven years from the date of the report to which the working papers or documentation relate. Where requested to do so in writing by APRA, the private health insurer must direct the auditor to provide the working papers and other documentation to APRA.
15. A private health insurer must submit the Appointed Auditor’s report to APRA, addressing matters referred to in paragraph 11, within three months after the end of the year of income to which the report relates.
16. The private health insurer must ensure that the Appointed Auditor provides the Appointed Auditor’s report to the Board of the private health insurer within sufficient time to enable the private health insurer to submit the report to APRA, as specified in paragraph 15.
17. A private health insurer, if requested by APRA, must within a reasonable time provide APRA with the terms of engagement, other instructions to, or correspondence with the Appointed Auditor, including management letters, that may have a bearing on:
(a) the scope or conduct of the work undertaken by the Appointed Auditor in accordance with this Prudential Standard; and
(b) the form, content (including findings made or opinions expressed by the Appointed Auditor) or coverage of the reports provided by the Appointed Auditor in accordance with this Prudential Standard.
18. APRA liaison with an Appointed Auditor will normally be conducted under tripartite arrangements involving APRA, the private health insurer and the Appointed Auditor. Notwithstanding the tripartite relationship, a private health insurer must ensure that the Appointed Auditor is not prevented from meeting with APRA on a bilateral basis if requested by either party.
19. Persons involved in the provision of information should note that it is a serious offence under subsection 137.1 and 137.2 of the Criminal Code 1995 to provide, whether directly or indirectly, false or misleading documents or information to a Commonwealth entity such as APRA.
20. APRA may require the private health insurer, by notice in writing, to engage its Appointed Auditor to:
(a) undertake a special purpose engagement relating to matters set out in writing by APRA relating to the private health insurer’s operations, risk management or financial affairs; and
(b) prepare a report in respect of that engagement.
21. A private health insurer may engage an auditor other than the Auditor appointed under paragraph 6 to conduct a special purpose engagement, but only where this is agreed to by APRA and the Auditor satisfies the criteria set out in paragraph 10.
22. A private health insurer must require an auditor appointed for a special purpose engagement to address limited assurance on the matters upon which the auditor is required to report unless otherwise determined by APRA and advised to the private health insurer in writing.
23. A private health insurer must require an auditor appointed for a special purpose engagement to submit, within three months of the date of the notice commissioning the report, an auditor’s report simultaneously to APRA and to the Board of the private health insurer, unless otherwise determined by APRA.
24. A private health insurer must require an auditor appointed for a special purpose engagement to modify the report referred to in paragraph 22 for breaches relating to the matters upon which the Auditor is required to report which, in the Auditor’s professional opinion, are material. In forming an opinion as to whether a breach is material, the private health insurer must require the auditor to have regard to relevant AUASB standards and guidance.
25. The cost of a special purpose engagement will be borne by the private health insurer.
26. APRA may, by notice in writing to a private health insurer, adjust or exclude a specific requirement in this Prudential Standard in relation to that private health insurer.
27. A private health insurer must contact APRA if it seeks to place reliance, for the purposes of complying with this Prudential Standard, on a previous exemption or other exercise of discretion made by APRA under a previous Prudential Standard.
