There is a perception in the SMSF industry that once a data feed is in place, there is nothing left for an auditor to do.
While technology has provided enormous benefits through the automation of repetitive SMSF audit tasks, an SMSF auditor is still required to meet all the auditing standards and ensure regulatory compliance.
We know that data feeds come in all shapes and sizes. The best ones provide a peer-to-peer (or direct) connection between the administration platform and the financial institution that are encrypted, secure and unable to be intercepted.
Other data feeds come from emails, screen scraping or optical character recognition solutions that are less reliable and not necessarily free from transcription errors.
It is up to the SMSF auditor to document their knowledge of how the feed works during the audit planning stage to identify whether additional testing is required.
Understanding the type of data feed in place is critical to SMSF audit integrity and ensuring the data feeds are error free.
Here are five reasons why a data feed isn’t an SMSF audit.
- Auditing Standards
The auditor’s obligations under the auditing standards are the same irrespective of the technology used. ASA 500 and ASAE 3100 require the auditor to obtain sufficient and appropriate audit evidence on which to base their opinion.
For example, the SMSF auditor is required to confirm that the bank account is in the correct name. To verify this, the auditor has to request additional evidence from the SMSF trustees such as a bank statement as data feeds do not include this information.
- Conflict of Interest
A conflict of interest may arise where a (low-cost) SMSF auditor accepts the data feed on face value. This happens where profit margins are so tight there’s no time to conduct a proper audit.
Even worse is the situation where a client refuses to provide bank statements, leaving the SMSF auditor facing the option of accepting the data feed or lose the fee.
Cash and cash equivalents are an SMSF’s most liquid asset and carry a high risk of fraud.
With SMSF auditors now shying away from requesting bank audit certificates due to high fees and red tape, it’s even more important to scrutinise data feeds carefully.
- How Reliable is an ASAE 3402 Report?
Where an ASAE 3402 report is available, there is a general misapprehension that an SMSF auditor is no longer required to test data feeds.
Nothing could be further from the truth. An ASAE 3402 Type 1 report describes the design of the controls used in the platform only.
An ASAE 3402 Type 2 Report, on the other hand, covers the implementation and effectiveness of controls for the platform.
The reality is that an ASAE 3402 Report ignores data feeds altogether and solely focuses on the operations of the platform. The report provides comfort that the entity is processing data feeds correctly.
The benefit of an ASAE 3402 report, however, means that an SMSF auditor may reduce the amount of substantive testing where a Type 2 Report is available.
- Testing Data Feeds
Relying on a data feed is only possible where the SMSF auditor has undertaken rigorous, independent testing to help them understand both the data feeds and the controls of the SMSF administration platform.
As a starting point, the exhaustive process of testing a data feed requires reviewing the platform’s plans, policies, procedures, schematics, reports, correspondence, system logs and other relevant technical information.
It also involves high-level testing to determine the accuracy of the feeds, testing that the assets exist, the assets are in the fund name, and the balance is the same as the fund’s financials.
The testing must be done on statistically significant sample sizes to conclude there are no material errors and only then can reliance be placed on the data feeds.
Additionally, testing must be ongoing for both existing and new providers to be confident in forming an opinion on whether the fund data is acceptable at an individual fund level.
The testing process undertaken by audit firms, such as ASF Audits, involves significant time and resources to be able to rely on data feeds as part of their audit process.
- Not All SMSF Assets Have Data Feeds
While assets such as cash, listed shares, and managed funds are capable of being set up with direct data feeds, some assets may never be able to have direct feeds.
These include property, related trusts, unlisted companies and personal use items all of which still require SMSF auditors to follow standard auditing procedures.
There is no doubt that technology provides significant time and cost savings across some, but not all, fund investments.
The anomaly is that technology can’t mitigate the obligations imposed on both SMSF auditors and advisers by their professional bodies and the Regulator.
The ATO has already flagged the problem of SMSF auditors relying too heavily on automated platforms and ignoring a fund’s regulatory compliance issues.
That’s why it is essential to engage with an SMSF audit firm who understands how the technology and data feeds work to ensure future fund compliance.