Introduction

1.1 The Corporations Act 2001 (Corporations Act) requires certain types of companies, registered schemes, and bodies that hold enhanced disclosure securities to have their financial reports audited by a registered company auditor or an authorised audit company.²

1.2 In 2004 the Corporations Act and other laws were amended by the Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004 (CLERP 9 Act) to establish a broad regulatory framework governing audit oversight and independence arrangements.³ The explanatory memorandum stated:

Audited financial statements are an important part of the financial information that is available to the capital markets and an essential element of effective corporate governance. Auditor independence is fundamental to the credibility and reliability of auditors’ reports and in turn independent audits perform an important function in terms of capital market efficiency. There has been widespread concern about the efficacy of the audit function, including the independence of auditors, as a result of major corporate collapses in Australia and overseas, including HIH.⁴

1.3 The auditing of financial reports is intended to support market integrity and provide confidence in the reliability of financial reporting to users such as investors and regulators. A registered company auditor’s report provides an opinion to users of regulated entities’ financial reports as to whether the financial report:

• has been prepared in compliance with applicable accounting standards; and
• shows a true and fair view of the company’s financial position for the relevant financial year.⁵

1.4 The Corporations Act establishes a regulatory framework for registered company auditors in relation to independence and audit quality. Under this regulatory framework:

• the Australian Securities and Investments Commission (ASIC) is the regulator of the financial reporting and auditing requirements of the Corporations Act;
• the Auditing and Assurance Standards Board (AUASB) is responsible for issuing standards detailing the requirements and responsibilities of the auditors; and
• registered company auditors are responsible for:
  • maintaining independence by identifying conflict of interest situations and meeting requirements for auditor rotation;
  • ensuring audit quality by following recognised auditing standards;
  • publishing an audit transparency report;
  • lodging certain documents with ASIC, including an annual statement; and
  • complying with any additional conditions of registration set by ASIC.

1.5 ASIC defines audit quality in the following terms:

Audit quality refers to matters that contribute to the likelihood that the auditor will:

• achieve the fundamental objective of obtaining reasonable assurance that the financial report as a whole is free of material misstatement, and
• ensure material deficiencies detected are addressed or communicated through the audit report.

This includes appropriately challenging key accounting estimates and treatments that can materially affect the reported financial position and results.⁶

About registered company auditors

1.6 The Corporations Act requires registered company auditors to hold relevant qualifications, appropriate skills and be a capable, fit and proper person.⁷ Relevant qualifications comprise at least three years of accounting and auditing studies and at least two years of commercial law studies. Appropriate skills are demonstrated by either:

• meeting the Auditor Competency Standard for Registered Company Auditors over a three-to-five-year period of continuous assessment⁸; or
• undertaking appropriate practical experience involving at least 3,000 hours work in auditing under the direction of a registered company auditor, including undertaking audits required under the Corporations Act and 750 hours supervising audits of companies.

1.7 Authorised audit companies allow individual registered company auditors to incorporate. Incorporation supports individual registered company auditors to manage professional liability risks. To be registered as an authorised audit company under the Corporations Act:

• all directors of the company must be registered company auditors;
• the company’s ownership structure and voting rights must meet certain requirements; and
• adequate professional indemnity insurance must be held by the company.

1.8 Registered company auditors are not required to work at an authorised audit company. Registered company auditors may also work as an individual or as a partnership formed under state or territory legislation.

1.9 Registered company auditors are typically the most senior auditor on an audit engagement, and may supervise teams of auditors who are not registered company auditors.

1.10 Audits of financial reports completed by registered company auditors under the Corporations Act are one type of external auditing. Not all types of external audit and assurance work are required to be completed by a registered company auditor.

1.11 Between 2019–20 and 2023–24 there was a 16.8 per cent decline in the number of individual registered company auditors, while the number of authorised audit companies increased by 4.4 per cent (Table 1.1).

Table 1.1: Number of registered company auditors

Source: ANAO presentation of ASIC information.

1.12 Between 2019–20 and 2023–24, an average of 25,131 financial reports were lodged each financial year with ASIC (Table 1.2). Roughly 95 per cent of lodged financial reports are audited each year.

Table 1.2: Number of financial reports lodged with the Australian Securities and Investments Commission

Source: ANAO presentation of ASIC information.

About the Australian Securities and Investments Commission

1.13 ASIC is Australia’s corporate, markets, financial services, and consumer credit regulator. It is an independent statutory authority, established by the Australian Securities and Investments Commission Act 2001 (ASIC Act) and carries out most of its work under the Corporations Act. ASIC is a body corporate prescribed as a non-corporate Commonwealth entity for the purposes of the Public Governance, Performance and Accountability Act 2013 (PGPA Act). ASIC staff are engaged under the ASIC Act, not the Public Service Act 1999.

1.14 ASIC regulates registered company auditors in its role as Australia’s corporate regulator. These regulatory functions include:

• administering auditor registration, including registration applications, annual statements and de-registration;
• receiving registered company auditors’ breach notifications and contravention reporting;
• undertaking financial reporting and audit surveillances; and
• investigating potential non-compliance and taking enforcement action or referring matters to the disciplinary processes managed by the Companies Auditors Disciplinary Board (CADB).

1.15 ASIC’s total financial resourcing and staffing is summarised in Table 1.3. The equivalent of roughly 35 full-time staff, see paragraphs 2.2 to 2.6, is allocated to the regulation of registered company auditors.

Table 1.3: Australian Securities and Investments Commission’s total resourcing 2019–20 to 2024–25

Note a: Total resourcing includes departmental and administered resourcing. For example, total resourcing includes appropriation for administrative special appropriations. These are for payments of unclaimed monies, and refunds on administered revenue. These funds are not available to ASIC for regulatory activities that are eligible for cost recovery.

Source: ANAO presentation of ASIC portfolio budget statements.

1.16 Pursuant to an industry funding model, the Australian Government imposes a cost-recovery levy to recover costs for regulatory activities delivered to industry in the preceding year. The levy may not exceed the sum of all amounts appropriated⁹ by the Parliament for the relevant financial year, and certain regulatory activities (such as operating and maintaining a public register under the Corporations Act) are excluded by law from the calculation of costs to be recovered.¹⁰ Between 2021–22 and 2023–24 ASIC annually recovered between 73 and 89 per cent of its regulatory costs across all cost recovery activities (including registered company auditors). Table 1.4 summarises ASIC’s recovery of costs related to the regulation of registered company auditors.

Table 1.4: Australian Securities and Investments Commission cost recovery related to registered company auditors 2019–20 to 2023–24

Note a: Costs recovered from ‘registered company auditors’ and ‘auditors of disclosing entities’ industry subsectors, see paragraph 2.12.

Source: ANAO presentation of ASIC data.

1.17 Under the industry funding model, ASIC also charges fees to recover expenses associated with processing regulatory forms. Between 2019–20 and 2023–24 ASIC charged $426,004 for the processing of forms relevant to the regulation of registered company auditors. ASIC estimated the cost of processing these forms was $723,047.

Previous audits, inquiries and reviews

Auditor-General Report

1.18 In June 2023 Auditor-General Report No. 36 2022–23 Probity Management in Financial Regulators — Australian Securities and Investments Commission concluded ‘[p]robity management at the Australian Securities and Investments Commission (ASIC) was largely effective’.¹¹ ASIC agreed to a recommendation that it review the financial thresholds for declaring hospitality in its internal register of gifts, benefits and hospitality, and assessed in November 2023 that it had implemented this recommendation.

Parliamentary inquiries

1.19 In November 2024 the Parliamentary Joint Committee on Corporations and Financial Services (PJCCFS):

• recommended ASIC re-establish a program of random audit inspections, review audit files where conflicts of interest are identified, and increase resources to surveillance activities¹²;
• made six recommendations to the Australian Government for legislative reform including: requiring ASIC to publish inspection reports for individual audit firms; and enhancing ASIC’s power to take enforcement action against audit firms, not just individual registered company auditors¹³; and
• made two recommendations to the Australian Government to reform the CADB.¹⁴

1.20 The PJCCFS’s 2024 inquiry followed a completed inquiry into the regulation of auditing in 2020.¹⁵ The 2020 inquiry made 10 recommendations and published a dissenting report containing two additional recommendations. In July 2024 the Australian Government responded to all recommendations with this statement:

The Government notes this recommendation. However, given the passage of time since this report was tabled, a substantive Government response is no longer appropriate.¹⁶

1.21 The PJCCFS’s 2024 inquiry report assessed actions taken in response to the 2020 inquiry.¹⁷

1.22 As of September 2025, the Australian Government had not responded to the PJCCFS’s November 2024 recommendations.

Reviews by Australian Government entities

The Financial Reporting Council

1.23 In March 2019 the Financial Reporting Council¹⁸ published a report on Auditor Disciplinary Processes.¹⁹ This provided 18 recommendations, including that ASIC should be given the power to compel remediation of defective audits.²⁰

1.24 In April 2019 the Financial Reporting Council and the Auditing and Assurance Standards Board published a report on the perceptions of professional investors in 2019. The report concluded based on survey results that ‘professional investors do not consider audit quality as a matter of concern’.²¹

1.25 The Financial Reporting Council and the Auditing and Assurance Standards Board published reports on audit committee chairs’ perceptions of audit quality in 2018, 2021 and 2022. The reports relied on surveys of audit committee chairs from Australian Securities Exchange listed companies, not for profit entities, public sector entities and superannuation funds. The surveys indicated that audit committee chairs were ‘very satisfied with the quality of their external auditor’. The 2022 report also reported audit committee chairs’ views on ASIC audit surveillance activities (known as audit inspections at the time):

The general sentiment of the [audit committee chairs] was that some form of oversight and inspection process is a good thing …

However, many were critical of the inspection process and its subsequent reporting by ASIC and financial journalists.²²

1.26 The Financial Reporting Council’s November 2023 Oversight of Audit Quality in Australia — A Review report found:

auditors are subject to a robust set of professional standards designed to support the performance of high audit quality audits. However, the FRC considers that the system could benefit from more independent oversight to ensure all auditors are complying with the required standards.²³

1.27 The Financial Reporting Council made six recommendations. Two recommendations were directed to ASIC to expand audit surveillance activities and publish strategic plans for audit surveillances with key performance indicators. One recommendation was made to the professional accounting bodies in relation to their surveillance and disciplinary processes. Three recommendations were made to the Australian Government to make legislative reforms related to audit quality and auditor independence.

The Financial Regulator Assessment Authority

1.28 In July 2022 the Financial Regulator Assessment Authority²⁴ (FRAA) concluded an effectiveness and capability review of ASIC, which examined ASIC’s strategic prioritisation, planning, decision-making and its surveillance and licensing functions. The FRAA reported:

The FRAA considers that ASIC is generally effective and capable in the areas reviewed, although there are important opportunities to enhance its performance.²⁵

1.29 The FRAA report made recommendations for ASIC to improve its data capability, stakeholder engagement, performance monitoring and skill sets.²⁶

The Department of the Treasury

1.30 In June 2023, the Department of the Treasury (Treasury) concluded a review of ASIC’s industry funding model, and reported:

broadly the settings of the ASIC [industry funding model] remain appropriate and substantial changes to the model should not be made … the costs recovered through the [industry funding model] (including enforcement costs) remains appropriate and should not be removed from the model to be budget-funded instead.²⁷

Australian Law Reform Commission

1.31 In November 2023 the Australian Law Reform Commission (ALRC) issued the final report for its inquiry into the simplification of the legislative framework for corporations and financial services regulation. The inquiry found ‘corporations and financial services legislation is unnecessarily complex’.²⁸ Across three reports, the ALRC presented 58 recommendations to the Australian Government to reform corporations and financial services legislation.

1.32 The ALRC inquiry recommended reforms to provisions of the Corporations Act relating to registered company auditors:

A range of other provisions in corporations and financial services legislation have an incoherent legislative hierarchy, with excessively prescriptive primary legislation and poorly designed delegated legislation. This makes them suitable candidates for reform in accordance with the recommended legislative model. In particular, provisions regulating financial reports and audit in Chapter 2M of the Corporations Act could be restructured to move material into a Scoping Order and to create what may be known as the ‘Financial Reporting and Audit Rules’. This would help reduce the prescriptiveness of the primary legislation and better highlight the core norms and obligations in Chapter 2M of the Act.²⁹

Rationale for undertaking the audit

1.33 Audited financial statements provide important information for capital markets and are essential for effective corporate governance. ASIC is responsible for regulatory functions designed to ensure registered company auditors meet independence and quality requirements related to audits of financial reports under the Corporations Act.

1.34 This audit was conducted to provide assurance to Parliament on the effectiveness of ASIC’s oversight of registered company auditors. This audit was identified as a priority by the Joint Committee of Public Accounts and Audit for the 2024–25 Annual Audit Work Program.

Audit objective, criteria and scope

1.35 The audit objective was to assess the effectiveness of ASIC’s oversight of registered company auditors.

1.36 To form a conclusion against the objective, the ANAO adopted the following high-level criteria:

• Have appropriate arrangements been established to support regulatory activities?
• Is the regulatory approach effective?

1.37 The audit did not assess:

• policy or regulatory design matters, including those in the scope of the Australian Government’s review of the regulation of accounting, auditing and consulting services being led by Treasury³⁰;
• matters not directly related to ASIC’s regulation of registered company auditors performing audits of financial reports under the ASIC Act and the Corporations Act, such as other forms of auditing³¹ or consulting activities provided by entities who are also registered company auditors; and
• the effectiveness of ASIC’s regulation of the preparers of financial reports.

Audit methodology

1.38 The audit methodology included:

• examination and analysis of ASIC’s internal records;
• meetings with ASIC officials and professional accounting bodies; and
• analysis of publicly available material from Australian Government bodies, professional accounting bodies and proceedings of the Australian Parliament.

1.39 Australian Government entities largely give the ANAO electronic access to records by consent, in a form useful for audit purposes. On 2 July 2025 ASIC advised the ANAO that it was unable to voluntarily provide certain information requested by the ANAO due to privacy obligations. On 3 July 2025, the ANAO exercised powers pursuant to section 33 of the Auditor-General Act 1997 to enable ASIC to provide the requested information.

1.40 The audit was open to contributions from the public between December 2024 and June 2025. The ANAO received and considered matters raised in contributions from six entities and five individuals.³²

1.41 The ANAO instituted arrangements for this audit to manage risks to independence arising from ASIC’s role as a quality reviewer of ANAO financial statements audits between 2018 and 2024. These arrangements are outlined in Appendix 3.

1.42 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $671,176.

1.43 The team members for this audit were Joshua Francis, Michael McGillion, Renae Lowden, Liset Campos-Manrique, Yu Wen Wong, Madigan Paine, Zhou Li, Li Lin and David Tellis.

2.1 The Australian Government’s Regulatory Policy, Practice & Performance Framework provides six principles for the implementation of regulation and regulatory management, including that regulation should be integrated into existing regulatory systems; be targeted and risk-based; and be outcomes-focused.

Are appropriate governance arrangements in place?

Organisational structure and oversight

2.2 ASIC does not administer regulatory functions for registered company auditors as a discrete business area within the agency. Instead, ASIC is structured into functional work areas and the regulation of registered company auditors is divided between these areas on a functional basis. Key functions relating to the regulation of registered company auditors are undertaken by the Regulation and Supervision Group and the Enforcement and Compliance Group.

2.3 The Regulation and Supervision Group includes:

• licensing and registration business units, administering registered company auditors and other licensing and registration frameworks that apply to ASIC’s regulated population; and
• financial reporting and audit business units, responsible for activities including monitoring and surveillance of registered company auditors, stakeholder engagement and providing subject matter expertise on registered company auditors to other business units within ASIC.

2.4 Table 2.1 depicts the total nominal staffing of the Regulation and Supervision Group, as well as the level of staffing allocated to three branches to perform regulatory activities relating to registered company auditors, as recorded in ASIC’s 2024–25 business plan.

Table 2.1: Regulation and Supervision Group full time equivalent staff allocations — 2024–25

Note a: This branch was renamed Sustainability, Financial Reporting and Audit in February 2025.

Note b: These staff members have duties that extend beyond registered company auditors.

Source: ANAO analysis of ASIC business planning information from June 2024.

2.5 ASIC provided the ANAO with analysis of the number of staff that have worked on the financial reporting and audit surveillance program over the past five financial years, taking into account restructures that occurred during that period. ASIC’s analysis indicated that the function currently has lower staff numbers than previous years (Table 2.2).³³

Table 2.2: Australian Securities and Investments Commission analysis of staff working on financial reporting and audit surveillance 2020–21 to 2024–25

Note a: Average staffing levels (ASLs) for 2024–25 are reported as at January 2025.

Source: ANAO presentation of ASIC information.

2.6 Within the Enforcement and Compliance Group, a team of nine staff are responsible for progressing investigations or enforcement actions in response to suspected registered company auditor misconduct.

2.7 Both the Regulation and Supervision Group and Enforcement and Compliance Group are overseen by the Commission, which is a non-executive governing body comprising the ASIC Chair, Deputy Chair and three Commissioners. The Commission sets ASIC’s regulatory strategy and oversees ASIC’s performance against the strategy. The Commission’s oversight of regulatory activities is undertaken in part through three ancillary committees (whose membership comprises the full Commission assisted by other attendees).³⁴ Table 2.3 depicts the number and nature of decisions taken by the Commission in relation to registered company auditors between July 2019 and February 2025.

Table 2.3: Commission committee meetings recorded outcomes between July 2019 and February 2025

Source: ANAO analysis of ASIC provided committee papers.

2.8 The Commission, together with the Chair in the Chair’s capacity as Accountable Authority for ASIC, is responsible for setting ASIC’s annual corporate plan. ASIC’s corporate plans from 2019–20 to 2023–24 integrated ASIC’s regulation of registered company auditors into ASIC’s broader strategic plans:

• in 2024–25, as a key activity contributing to the achievement of a strategic priority ‘drive consistency and transparency across markets and products’;
• in 2023–24, 2022–23 and 2019–20 as a key activity not connected to any specific strategic priority; and
• in 2021–22 and 2020–21, as a key activity contributing to the achievement of strategic priorities relating to maintaining financial system resilience and stability during the COVID-19 pandemic and promoting the subsequent economic recovery.

Budgeting and cost recovery

2.9 As depicted in Figure 2.1, ASIC’s resourcing is determined each year by the Australian Government through the Budget, allocated pursuant to ASIC’s portfolio budget statements, and partially recovered retrospectively through a cost-recovery levy.³⁵

Figure 2.1: The Australian Securities and Investments Commission’s resourcing cycle

Source: ANAO presentation of ASIC information.

2.10 Between 2018–19 and 2023–24 ASIC made efforts to secure additional funding specifically to support regulatory activities for registered company auditors.

• ASIC received approval for an additional $2.2 million in regulatory activities in relation to registered company auditors over four years from 2018–19 to 2021–22 and to recover this through ASIC’s industry funding model³⁶; and
• ASIC worked with the Department of the Treasury (Treasury) to develop a proposal for additional funding for registered company auditors regulatory activities for the 2024–25 Federal Budget, however the Australian Government decided to defer the proposal.

2.11 ASIC has an internal business planning process that allocates resourcing for the purpose of regulating registered company auditors to business units on a functional basis alongside resourcing for similar regulatory activities undertaken by that business unit.

Cost recovery

2.12 ASIC’s cost-recovery levy³⁷ is applied to two subsectors related to registered company auditors depicted in Table 2.4. Submissions received by the ANAO from stakeholders in these sectors expressed views that the link between ASIC’s regulatory activities and the levy charged could be more transparent.

Table 2.4: Cost-recovery subsectors related to registered company auditors

Source: ANAO presentation of ASIC information.

2.13 ASIC primarily calculates the regulatory expenditure to be cost-recovered from these subsectors based on ASIC timesheet data that records staff time directly spent on regulating registered company auditors and a cost allocation model that attributes indirect costs for these regulatory activities. Between 2019–20 to 2023–24, ASIC levied $44.5 million in regulatory expenses upon the two subsectors relating to registered company auditors. Indirect costs of $19.1 million accounted for 42.9 per cent of total expenses recovered (Table 2.5, note c).

Table 2.5: Regulatory expenses recovered from registered company auditors and auditors of disclosing entities from 2019–20 to 2023–24

Note a: Totals may not sum due to rounding.

Note b: Other regulatory activities include industry engagement, education, guidance and policy advice.

Note c: Indirect costs include governance, central strategy and legal, IT support, operations support, property and corporate services and capital expenditure, less costs funded by own-source revenue.

Source: ANAO analysis, based on ASIC documentation.

2.14 ASIC also advises on its website that direct costs may be attributed by analysing team structures and output.³⁸ As shown in Figure 2.2, ASIC data showed a decrease in timesheet hours for supervision and surveillance activities for registered company auditors in 2022–23 and 2023–24 while direct costs increased in 2023–24. In August 2025, ASIC advised the ANAO that following an organisational restructure it was able to ‘reprofile’ $1.8 million previously accounted as indirect costs³⁹ to direct costs for supervision and surveillance. ASIC further advised that the figure of $1.8 million was calculated based on full-time equivalent positions rather than individual time recording.

Figure 2.2: Hours recorded for registered company auditor supervision and surveillance activities 2019–20 to 2023–24

Source: ANAO presentation of ASIC data.

2.15 Similarly, ASIC data showed a decrease in timesheet hours for ‘enforcement’ for registered company auditor activities in 2022–23 and 2023–24 compared to previous years while direct costs increased (see Figure 2.3). In August 2025 ASIC advised the ANAO that supplier expenses made up a higher proportion of direct costs for enforcement in 2023–24.

Figure 2.3: Hours recorded for registered company auditor enforcement activities 2019–20 to 2023–24

Source: ANAO presentation of ASIC data.

2.16 The cost-recovery levy is estimated at the start of the year and may be adjusted if actual costs differ due to variations in the activities performed by ASIC and the size of the regulated population.⁴⁰ Submissions received by the ANAO from stakeholders expressed a desire for ASIC to provide greater transparency around the reasons for variance between estimated and actual levies.

2.17 Prior to 2025, ASIC reported publicly on the main drivers of variance for subsectors where the variance from the previous year was both greater than 10 per cent and exceeded $2 million. Regulatory cost variations for registered company auditors prior to 2025 have not been the subject of public reporting because, while the variations have exceeded 10 per cent each year, the total variance did not exceed the $2 million threshold.

2.18 ASIC advised the ANAO in May 2025 that annual variance reporting would use a reduced variance reporting threshold of $1 million for the 2024–25 variance reporting cycle. Based on previous variances, this change will result in information on variance drivers being reporting for registered company auditors.⁴¹

2.19 ASIC also charges a fee to lodge four forms relevant to the regulation of registered company auditors, such as an application to become a registered company auditor (see paragraph 3.2). ASIC estimates its costs for processing the four registered company auditor regulatory forms covered by fees for service between 2019–20 and 2023–24 were $723,047. The fees collected by ASIC for these forms were $426,004.

2.20 Treasury’s 2023 review of ASIC’s industry funding model found generally that:

Fee amounts no longer align with government policy that fees are set to recover the efficient cost to ASIC. Total fee revenue now only partially recovers ASIC’s costs of providing these services, with the shortfall being taxpayer funded.⁴²

2.21 ASIC confirmed in August 2025 that costs for registered company auditor forms are under-recovered, but advised it is a decision for the Australian Government whether to introduce legislation to change the fee structure.

Probity management

Entity level arrangements

2.22 ASIC’s entity level probity arrangements apply to the regulation of registered company auditors.⁴³ ASIC completed three internal audits in 2024–25 regarding ASIC’s management of conflicts of interest, trading on the restricted entity list, and gifts, benefits and hospitality. These reports identified issues with ASIC’s policy framework, internal disclosure reporting system, guidance and training for staff and a lack of detective controls. ASIC’s internal audits made 43 recommendations⁴⁴:

• 36 of which were agreed to by ASIC management;
• four recommendations were partially agreed to; and
• three recommendations were disagreed.

2.23 In response to the internal audit reports ASIC is reviewing its policies and training, developing a plan to use detective controls and considering a redesign of the disclosure reporting system. As at June 2025, ASIC had updated its internal gifts, benefits and hospitality policy, and other actions to address the internal audit findings were ongoing.

2.24 ASIC’s probity arrangements include a process for monitoring gifts, benefits and hospitality. ASIC’s internal gifts, benefits and hospitality register from September 2023 to March 2025 recorded 340 declarations. The ANAO reviewed this register and identified six declarations related to entities which were considered to have a link to the regulation of registered company auditors. These declarations were all for attendance at catered events. The six declarations were managed in accordance with ASIC’s conflict of interest policy on gifts, benefit and hospitality.

2.25 ASIC publicly reports on gifts, benefits and hospitality that have been accepted. For each three-month period since December 2019 to March 2025 ASIC has published 44 Portable Document Format (PDF) documents listing the gifts, benefits and hospitality valued over $100 accepted by ASIC Commissioners and ASIC staff.⁴⁵

2.26 Publishing information in separate PDFs is not consistent with the Office of the Australian Information Commission’s Principles on open public sector information Principle 5: Discoverable and useable information.⁴⁶ Presenting this information in separate PDFs results in the information about gifts, benefits and hospitality not being easily discovered or searchable, which limits stakeholders’ ability to review this information.

Arrangements specific to regulation of registered company auditors

2.28 ASIC additionally maintains a list of staff in the Regulation and Supervision Group (responsible for performing audit surveillances) who have disclosed conflicts of interests such as having previously worked for a regulated entity. As at 27 January 2025, this list recorded 31 declarations made by 17 staff in relation to 13 regulated entities.

2.29 The list is used informally by ASIC’s senior managers to ensure staff do not review audit files for regulated entities which previously employed the staff member (within five years if a partner, and within two years otherwise) or regulated entities that employ a close family member as a partner. These parameters are specified in an internal policy that has not been in force since November 2022. ASIC advised the ANAO the same process is still observed in practice as it is consistent with ASIC’s conflict of interest policy.

2.30 ANAO tested whether case officers who had conducted audit surveillances of a regulated entity were recorded in the Regulation and Supervision Group conflict of interest list in relation to that entity. Between 2019–20 to 2023–24, 10 out of the 17 staff that declared a conflict of interest were case officers of regulated entities that were the subject of the declaration. Further review showed that for nine of the ten staff sufficient time had passed to avoid a conflict of interest, and for the remaining staff member there was insufficient documentation to demonstrate whether the staff member had been a partner in the regulated entity (in which case a conflict could have arisen) or not (in which case sufficient time had passed).

2.31 Prior to October 2025, ASIC did not document consideration of independence and conflicts of interest when conducting audit file surveillances. ASIC advised ANAO in August 2025 that consideration of conflicts of interest was conducted verbally during the planning of each individual audit surveillance. In October 2025, ASIC updated its audit file surveillance templates so that consideration of conflicts of interest would be documented for each surveillance.

Stakeholder communications

2.32 ASIC’s 2021 Statement of Intent includes statements about: providing clear guidance and communications; guidance to regulated populations about good practice; and taking feedback into account.

2.33 ASIC publishes three types of guidance material on its website:

• regulatory guides, which provide information on how ASIC exercises its powers, interprets the law and guidance for regulated entities;
• information sheets, which provide concise guidance on a specific process or compliance issue or an overview of detailed guidance; and
• reports, which describe ASIC activities, including research, surveillance and compliance.

2.34 At May 2025, ASIC’s website contained 87 pieces of guidance related to registered company auditors (Appendix 5, Table A.3) and 134 media releases, articles or speeches related to registered company auditors (Appendix 5, Table A.4).

Workforce training and qualifications

2.35 Principle one of the Department of Finance’s Resource Management Guide 128: Regulator Performance (RMG 128) requires regulators to actively build staff capability, including ensuring staff have the relevant knowledge and capacity to complete their duties.

2.36 ASIC maintains a capability framework for staff training which consists of three complementary capability sets (core, technical and leadership). Under this framework:

• ASIC staff are assigned seven focus core capabilities and two to five technical capabilities based on their role and can choose to add additional capabilities for development;
• ASIC staff complete mandatory capability checkpoints which track their proficiency level against the capabilities assigned to their role;
• checkpoint data is collated into organisational, group and team capability snapshots with the aim to identify ASIC’s organisational strengths and gaps, inform workforce planning and learning strategies, and enable ongoing measurement of ASIC’s capability development; and
• ASIC staff can also join internal professional networks, including the Accountant and Auditor Network, to share knowledge and skills. ASIC advised the ANAO in June 2025 that this network has 171 registered members as at 3 June 2025.

2.37 ASIC maintains an online learning and development platform with training resources designed to align to the capability framework. This framework includes an ‘Accountant/Auditor’ capability set which requires capabilities in industry and ethical standards, financial reporting and audit practice, and insolvency law and practice. ASIC provides continuing professional development opportunities for accounting and audit professionals within ASIC, including an annual audit standards update which has had 211 completions between 1 July 2019 and 3 June 2025.

2.38 ASIC provided the ANAO with June 2024 position descriptions for roles in financial reporting and audit business area which included the following requirements:

• a tertiary qualification in accounting;
• a professional accounting body qualification (CA ANZ, CPA or IPA), or progression towards this for lower-level officers;
• practical auditing experience⁴⁷; and
• knowledge of corporate law, accounting and auditing standards.

2.39 ASIC advised the ANAO in October 2025 that these requirements are tested during ASIC’s recruitment process and are monitored through annual staff performance and development discussions.

Ministerial Statements of Expectations and Regulator Statements of Intent

2.40 ASIC’s most recent Ministerial Statement of Expectations was issued in 2021.⁴⁸ ASIC responded to the Statement of Expectations with a Regulator Statement of Intent, and both statements are published on ASIC’s website.⁴⁹ The Statement of Intent commits ASIC to actions that are in line with principles set out in RMG 128, including:

• identifying and reducing misconduct risk through well-targeted and proportionate supervision, surveillance and enforcement activities;
• engaging with stakeholders openly and transparently;
• providing appropriate guidance so that regulated entities have clarity and certainty about how ASIC will exercise its powers; and
• complying with relevant Australian Government policies, frameworks and guidance.

2.41 The 2021 Statements of Expectations and Intent do not contain any specific reference to the regulation of registered company auditors.

2.42 RMG 128 sets out that ‘[Statements of expectations] should be refreshed with every change in minister, change in regulator leadership, change in Commonwealth policy or every two years’.⁵⁰ By this standard, ASIC’s Statements of Expectations and Intent have been due to be refreshed since 2022. ASIC advised the ANAO in October 2024 that it was working with Treasury on draft refreshed statements but had no visibility on discussions between Treasury and the Minister’s office.⁵¹ As at October 2025, Treasury was yet to advise the Minister to issue a new statement of expectations for ASIC.

Is the regulatory approach informed by assessments of compliance and regulatory risks?

Threats and harms risk assessments

2.45 ASIC maintains a threats and harms register which is used to track strategic regulatory risks. On an ongoing basis, ASIC staff identify emerging regulatory risks and submit them to the register including an assessment of the risk. The threats identified (or carried over) each financial year are compiled into a report annually which is used to inform business planning for the following financial year. Table 2.6 illustrates the number of risks identified and assessed by ASIC each financial year.

Table 2.6: Number of active risks registered in the threats and harms risk register as at February 2025

Source: ANAO analysis of ASIC data.

2.46 Over the past three years ASIC has tracked two risks relating to registered company auditors: a lack of skilled auditors resulting in poor audit quality and a decline in market confidence and investor losses; and poor audit quality resulting in declining market confidence and potential investor losses. Both risks align with ASIC’s regulatory outcomes for registered company auditors (see paragraph 2.60). The actions ASIC is taking to manage these two risks are summarised in Table 2.7.

Table 2.7: Australian Securities and Investments Commission 2024–25 risk ratings and controls for threats and harms related to the regulation of registered company auditors

Source: ANAO presentation of ASIC documentation.

Strategic business planning

2.47 Prior to 2025–26, to decide on its annual business plan ASIC itemised business-as-usual and project activities proposed to be conducted in the coming financial year. ASIC used the list to prioritise activities and allocate agency resources based on considerations such as whether activities are connected to a strategic priority set out in the ASIC Corporate Plan, whether sufficient resources are available, whether the activity is required by law, and an assessment of the risk of not conducting the activity.

2.48 The assessment of risk for each activity did not explicitly incorporate risk ratings determined in the threats and harms register, but the list could record a unique identifier for a specific threat or harm against a specific proposed activity. The ANAO reviewed business activities planned for 2024–25 to see if the two threats or harms identified for registered company auditors were recorded against any proposed business activities. Both threats or harms were linked to a 2024–25 business activity.

2.49 The assessment of risk for each activity extended beyond regulatory risks to include operational, reputational and other risks. ASIC business planning guidance did not specify the type of risk to be assessed. Five activities related to registered company auditors in the 2024–25 business planning process, including two that were linked to specific threats and harms for registered company auditors, assessed regulatory risks such as ‘ongoing issues with audit quality and conduct of audit firms’. These risks were categorised as ‘reputational’ (three activities), ‘effectiveness’ (one activity) or ‘financial’/’compliance and integrity’ (one activity).

2.50 ASIC introduced a streamlined business planning approach for 2025–26.

2.51 The ANAO did not assess the streamlined business planning process as this was not implemented before the ANAO’s audit fieldwork concluded. ASIC advised the ANAO in November 2025 that the revised approach compiled risk information at a group (i.e. less granular) level, rather than activity level (more granular). ASIC advised this change was based on an assessment, endorsed by the Chief Risk Officer, that compiling more granular risk information in the business planning tool was duplicative of the threats and harms process (see paragraph 2.45) and not useful in practice for agency-level strategic planning.

2.52 The resource management framework also tracked whether the effort applied to a proposed activity will be increasing, maintaining, or decreasing.

Risk-based targeting of regulatory monitoring

2.53 ASIC selects audit files for individual surveillances based on the following risk factors:

• ASIC’s current focus areas;
• current accounting and auditing issues;
• ASIC regulatory intelligence, including mandatory reporting of suspected contraventions of the Corporations Act 2001 lodged by registered company auditors⁵⁵; and
• findings from ASIC’s financial reporting surveillances.⁵⁶

2.54 ASIC records the primary reason for selecting an audit file for a surveillance. As shown in Table 2.8, since 2021–22 between 71 per cent to 87 per cent of ASIC’s audit surveillances have targeted entities identified as high risk (labelled as ‘Audit Surveillance Program Targeted or Intel’) compared to previous years which involved a mix of risk-based and thematic targeting.

Table 2.8: Primary reason for targeting individual audit files for surveillance

Note a: These audit files are selected on information from financial reporting surveillances or alignment with focus areas of the Audit Surveillance Program.

Note b: These reasons are: Australian Financial Services License; Significant Market Capitalisation; High Risk Industry; Flagship Client; Going Concern Issue; Small firm, Target as not cover by Audit Surveillance Program; Internal Referral; Previous Audit Surveillance; New Accounting Standards; US Issuer; Market Intelligence; and Media.

Note c: These are recorded as ‘Other’ by ASIC.

Source: ANAO presentation of ASIC data.

2.55 In May 2025 ASIC announced that it would increase the number of audit files reviewed in 2025–26 and would include some audit files selected on a random basis.⁵⁷

2.56 Other than the concepts presented in Information Sheet 224: ASIC financial reporting and audit surveillance program⁵⁸, ASIC does not have internal procedural documentation that guides how ASIC operationalises this approach for selecting individual audits for surveillance.

Has performance monitoring and reporting of regulatory outcomes been established?

Annual performance statements

2.57 ASIC is required to prepare annual performance statements which provide information about ASIC’s performance in achieving its purposes, pursuant to the Public Governance, Performance and Accountability Act 2013. The measurement and assessment of performance must be in accordance with the method set out in ASIC’s corporate plan for that year, and ASIC’s portfolio budget statements.⁵⁹ As discussed in paragraph 2.8, ASIC’s corporate plans since 2019–20 have incorporated the regulation of registered company auditors as a key activity, but not always in connection with ASIC’s strategic priorities.

2.58 In December 2024, ASIC’s audit and risk committee received an internal audit report which concluded that changes to ASIC’s performance reporting framework were necessary to ensure ASIC adequately reported its performance against its statutory objectives set out in the Australian Securities and Investments Commission Act 2001.⁶⁰ ASIC advised the ANAO in June 2025 that a program of work to respond to the report’s findings was underway and that ASIC’s 2025–26 Corporate Plan would contain revised performance measures to address the findings of the internal audit report, with implementation expected to be complete by the 2026–27 reporting period. ASIC further advised the ANAO:

However, we have concerns with specific performance reporting measures for individual subsectors such as registered company auditors [as it] would be impractical to have a range of performance measures for each of the 52 subsectors that ASIC regulates. Introducing individual measures for each of these sectors goes against the guidance material that quality should be emphasised over quantity. Department of Finance guidance (RMG 131) states the best performance information will be provided by the smallest set of measures that is comprehensive enough to cover the main things that affect an activity’s performance. Further, although guidance material does not specify a best practice number of measures, the guidance does state that the number should be manageable and meaningful, for the size and complexity of the entity. In our view developing and reporting on measures for each of our 52 sub sectors would not meet this guidance.

2.59 ASIC’s 2025–26 Corporate Plan was published in August 2025. ASIC advised the ANAO in October 2025:

• consistent with previous advice to ANAO, the Corporate Plan would not provide specific performance information in relation to the achievement of regulatory outcomes for registered company auditors;
• certain performance measures under Key Activity 1 (Enforcement and Compliance) and 2 (Regulation and Supervision) will measure performance in 2025–26 in relation to the regulation of registered company auditors together with other regulatory functions; and
• ASIC intends to report additional performance information beyond the performance measures detailed in the Corporate Plan in the appendices of its 2025–26 Annual Report or in other public reporting.

Program-level performance monitoring

2.60 ASIC has articulated its regulatory outcomes for registered company auditors in public facing guidance, which articulates two aims that contribute to ASIC’s statutory purpose of promoting the confident and informed participation of investors and consumers in the financial system:

The objective of our financial reporting and audit surveillance program is to promote confident and informed participation by investors and consumers in the financial system. Our aim is to improve the quality of financial reporting to ensure financial reports have been prepared in accordance with the law. We also aim to promote the improvement and maintenance of audit quality.⁶¹

2.61 ASIC does not have mechanisms to assess whether financial report quality and audit quality are being improved and maintained, or whether such improvement and maintenance is attributable to ASIC’s regulatory interventions. In April 2025, ASIC advised the ANAO:

ASIC does not assess audit quality at the population level directly [i.e. across the whole population]. Our surveillance work tests the quality of a small sample of audit files and the surveillance work of the Strategic Surveillance and Data team tests the compliance of a sample of auditors with their independence and conflict of interest obligations.

2.62 ASIC publicly reports on its regulatory activities for registered company auditors annually in its annual report and through other publications intended to inform the regulated population (see paragraph 3.56). The performance metrics included in these reports from 2019–20 to 2023–24 are summarised in Appendix 4. These performance metrics provide activity and output-based performance information, which do not assist a reader to evaluate whether ASIC’s activities and outputs are resulting in improvements in the quality of financial reporting or improvements and maintenance of audit quality.

Does the Australian Securities and Investments Commission effectively regulate registration of company auditors?

3.1 The registration of company auditors is intended to impose minimum standards of competency and integrity on registered company auditors.⁶² ASIC performs the following tasks to administer the registration of company auditors:

• processing and assessing applications for registration;
• monitoring ongoing compliance with registration requirements; and
• monitoring the resignation and removal of registered company auditors from audit engagements.

Design of registration application and assessment processes

3.2 Individuals apply for registration as a registered company auditor either online or by posting a physical form to ASIC with supporting material and paying a $338 fee.⁶³ The application process for an authorised audit company is similar⁶⁴ but the fee is $3,429. ASIC uses Microsoft SharePoint records management system to store documents, linked to an activity in ASIC’s Auditor Licensing System (ALiS), which operates on the Lotus Notes system. ASIC is currently upgrading its information systems, aiming to improve user experience and reliability. This includes plans to decommission Lotus Notes and move to ASIC’s Microsoft Dynamics Customer Relationship Management system (CRM) between 2025–26 to 2027–28.

3.3 Applications for registration are assessed by a licensing team within the Regulation and Supervision Group.⁶⁵ ASIC has produced procedural guidance and worksheets to govern the way the team reviews and assesses applications for registered company auditors and authorised audit companies.

3.4 ASIC conducts an initial completeness check and will assess an application only after receiving a fully complete form with all required supporting material and the application fee. If an application is incomplete or contains errors ASIC may refuse to receive the application for lodgement and will refund the application fee. In these circumstances, applicants are able to reapply.

3.5 If the ASIC analyst forms a view that the application does not satisfy the requirements of the Corporations Act 2001 (Corporations Act), the applicant is asked to provide further information. If the applicant is still unable to meet the requirements, they have the opportunity to appear at a hearing to make submissions and give evidence. The applicant will be notified in writing and be provided with reasons if refusal follows. Applicants may apply to the Administrative Review Tribunal (formerly the Administrative Appeals Tribunal) for review of ASIC’s decision.

3.6 No applicant has appeared before an ASIC hearing since 2011. ASIC records show eight cases between 2004 and 2011 which progressed to an ASIC hearing. The ASIC delegate upheld the application refusal in seven of these cases, with one matter resulting in registration as a company auditor. One of the refused applications was appealed before the Administrative Appeals Tribunal in 2006, which overturned ASIC’s refusal.⁶⁶

Guidance for applicants registering to be company auditors under the Corporations Act

3.7 ASIC’s company auditor registration process is consistent with requirements outlined in Resource Management Guide 128: Regulator Performance (RMG 128) to have transparent external accountability practices, providing a clear rationale about compliance costs and to provide clear guidance to help regulated entities as best practices.⁶⁷

3.8 ASIC has produced a specific regulatory guide⁶⁸ that outlines the documentation ASIC requires to assess applications for registered company auditors and authorised audit companies under the Corporations Act and explains factors ASIC will consider in making an assessment. The guide’s appendices include the preferred format for registered company auditor supporting documents and methods to determine minimum professional indemnity insurance amounts. The ASIC website also includes tips for applying for company auditor registration and checklists for prospective applicants.

Australian Securities and Investments Commission’s processes for registering company auditors under the Corporations Act

3.9 The Corporations Act and Corporations Regulations 2001 establish the requirements for registering company auditors and authorised audit companies. ASIC’s registration assessment processes ensure the requirements for registering company auditors provided by section 1280 of the Corporations Act are assessed (Table 3.1). ASIC’s procedures largely ensure the requirements for registering authorised audit companies provided by section 1299B of the Corporations Act are assessed, with two issues (Table 3.2).

Table 3.1: Consistency of procedures with requirements for registered company auditors

Key: ◆ Consistent with requirement ▲ Partly consistent with requirement ■ Inconsistent with requirement.

Source: ANAO analysis of ASIC documentation.

Table 3.2: Consistency of procedures with requirements for authorised audit companies

Key: ◆ Consistent with requirement ▲ Partly consistent with requirement ■ Inconsistent with requirement.

Note a: See analysis in paragraph 3.10.

Note b: See analysis in paragraph 3.11.

Source: ANAO analysis of ASIC documentation.

3.10 Subsection 1299B(c) of the Corporations Act requires a majority of votes that may be cast at a general meeting of a company belong to registered company auditors. While ASIC requests information addressing this from the applicant and applicants must confirm their compliance with this requirement for their form to be accepted, ASIC’s internal assessment worksheet does not require assessors to check this disclosure is accurate.

3.11 ASIC policies and procedures contained out-dated references to ‘externally-administered body corporate’. The Insolvency Law Reform Act 2016 replaced the term ‘externally-administered body corporate’ with ‘chapter 5 body corporate’ and extended the scope of this term to include body corporates that are under restructuring or have made a restructuring plan. Despite the outdated terminology, ASIC’s procedures required staff to confirm whether an applicant is under external administration, including restructuring. In March 2025 ASIC updated its internal procedures to refer to ‘chapter 5 body corporate’ and advised the ANAO that ASIC Regulatory Guide 180 ‘will be amended in due course’.

Australian Securities and Investments Commission’s assessments of registered company auditor applications

3.13 Of the 1,064 applications ASIC received between 2016–17 and 2023–24, 826 were approved (77.6 per cent), 15 were not accepted for lodgement (1.4 per cent) and 223 were withdrawn by the applicant (21 per cent). ASIC has not refused an application after it was accepted for lodgement since June 2012.

3.14 In practice, ASIC largely follows the work steps outlined in its internal policies and procedures for assessing applications, with three issues identified in a representative sample of 26 applications reviewed by ANAO (Table 3.3).

Table 3.3: Compliance with internal procedures for registering company auditors and authorised audit companies

Key: ◆ Appropriately completed ▲ Some issues with completion ■ Not completed effectively.

Note a: See analysis in paragraph 3.15.

Note b: See analysis in paragraph 3.16.

Note c: Assessment of ASIC’s compliance with this service charter measure is based on analysis of the 26 tested applications, not ASIC’s overall performance against the measure (see paragraph 3.37 for further details).

Source: ANAO analysis of ASIC documentation.

3.15 Half of the applications within the representative sample of 26 analysed by ANAO were not recorded in ASIC’s internal spreadsheet register used for resource allocation and tracking ongoing matters. There was no evidence of correspondence advising the applicant their application had been accepted for lodgement for seven of the 23 applications tested by ANAO where this was applicable.⁷⁰ ASIC’s existing plans to upgrade its IT systems to improve information management and user experience discussed in paragraph 3.2 are intended to address issues such as these.

3.16 Out of the sample of 26 applications, seven related to authorised audit companies. Three of the seven applications did not contain documentation that evidence provided by the applicant to meet the voting rights requirement was reviewed by the analyst. ASIC’s internal procedures do not require assessors to independently verify that information provided by applicants about voting rights is correct.

Ongoing monitoring of registered company auditor and authorised audit company obligations

3.17 The Corporations Act requires registered company auditors and authorised audit companies to lodge an annual statement in the prescribed form within one month of the anniversary of the company auditor’s registration.⁷¹ These forms require disclosures of ongoing compliance with registration requirements and conditions. In 2023–24 ASIC received 3,162 annual statements, representing 93.3 per cent of the 3,390 registered company auditors and authorised audit companies recorded in that year (see Table 3.4). Collectively these statements disclosed eight disciplinary actions⁷² and 487 instances of auditor resignation or removal (see paragraphs 3.31 to 3.36). No convictions⁷³ or non-compliance with conditions of registration imposed by ASIC were disclosed in 2023–24. For the period 2019–20 to 2023–24, between 19.8 to 25.2 per cent of annual statements each year were lodged late.

Table 3.4: Annual statement lodgements from 2019–20 to 2023–24 by registered company auditors and authorised audit companies

Note a: As reported in ASIC (Supervisory Cost Recovery Levy — Annual Determination) instruments for 2019–20 to 2023–24.

Source: ANAO analysis of ASIC documentation.

Failure to lodge annual statements or pay levies

3.18 Prior to February 2024, the Regulation and Supervisory Group and the Registry and Intelligence Group shared duties for managing registered company auditors that have not lodged an annual statement or paid their industry funding levy. ASIC advised the ANAO in April 2025 that its process for managing registered company auditor annual statement lodgement was as follows.

• ASIC aimed to send registered company auditors ‘several’ reminders via email, phone or mail in regard to their outstanding annual statements or industry funding levies.
• A final letter was sent advising the company auditor their registration will be cancelled if they did not take action to comply within 21 days.
• If the registered company auditor had an outstanding levy after this period the matter could be recommended to the ASIC delegate to cancel the registration, or if the levy was paid but no annual statement lodged it could be referred to the enforcement team to consider a Companies Auditors Disciplinary Board (CADB) referral.

3.19 Since February 2024, this process has been managed by the Enforcement and Compliance Group and matters of non-compliance with registered company auditor obligations are now referred to the Regulatory Triage Committee to determine if the referral should be actioned through ASIC’s investigation and enforcement processes (see paragraph 3.79).

3.20 From 2019–20 to 2023–24 enforcement actions against registered company auditors for outstanding annual statements or levies⁷⁴ have resulted in 27 voluntary deregistrations following a CADB referral of the matter and 51 registration cancellations (Table 3.5). ASIC advised the ANAO in April 2025 auditors with outstanding annual reports may also voluntarily deregister before an application to the CADB is made.

Table 3.5: Enforcement action against auditors for outstanding annual statements or levies

Note a: ASIC undertook a project in 2021 targeting registered company auditors who had outstanding industry funding levy payments or annual statements. ASIC referred 36 annual statement related matters to the CADB in 2020–21, which cancelled 9 registrations. The remaining 27 referrals were withdrawn by ASIC after the registered company auditors voluntarily deregistered (see Table 3.18).

Source: ASIC data.

Auditor transparency reports

3.21 The Corporations Act requires individual registered company auditors, audit firms and authorised audit companies to lodge transparency reports with ASIC. The reports must also be published on the auditor’s website if the auditor has conducted ten or more audits in the past reporting year on entities that are listed companies, listed registered schemes, authorised deposit taking institutions or insurance providers.⁷⁵ Annual transparency reports must include:

• a description of the auditor’s governance structure (applicable only to authorised audit companies);
• a description of the auditor’s internal quality control system;
• a statement on the effectiveness of the internal quality control system (applicable only to authorised audit companies);
• a statement on the auditor’s independence practices; and
• financial information for the reporting auditor.⁷⁶

3.22 For 2023–24, 30 transparency reports were lodged with ASIC, one of which was lodged late by less than a month. For 2022–23, 33 transparency reports were received (67.3 per cent of an expected number of 49), 13 of which were late by less than a month. ASIC maintains a list of firms it expects will lodge transparency reports each financial year, but does not follow up with firms that do not lodge as expected.

3.23 ASIC does not have a documented process for reviewing transparency reports. ASIC advised the ANAO in April 2025:

Due to the prioritisation of the audit surveillances, we don’t, as a matter of course, verify the information in every Transparency report lodged with ASIC, but from time to time we do review the information in the reports.

3.24 ASIC undertook a review of 17 auditor transparency reports as part of its audit surveillance activities in the 2023–24 surveillance period. In ASIC Report 799 ASIC’s oversight of financial reporting and audit 2023–24, ASIC reported that all 17 reports complied with minimum requirements. ASIC further reported that many reports were not easily readable or comparable, had limited usability, frequently contained marketing or sales information rather than information on audit quality, and were not easily located on firm websites.⁷⁷

3.25 ASIC provided the ANAO with underlying analysis for four of the seventeen reports, which documented ASIC’s assessment that these four transparency reports met the requirements of the Corporations Act and were free of materially false or misleading information. ASIC’s documentation of its analysis for the remaining 13 reviews was not sufficient to show how ASIC arrived at its conclusion about the utility of auditor transparency reports.

Removing company auditors from the register

3.27 Registered company auditors and authorised audit companies are required to notify ASIC within 21 days when they voluntarily cease to practice as a registered company auditor. ASIC’s Registry Interactions and Services Team circulates a list of registered company auditors that have ceased to practice weekly within ASIC to determine if there are any concerns or outstanding matters. Provided there are no outstanding matters ASIC will cancel the registration, update the register and send a cancellation letter to the company auditor. Cessation is effective from the date it is processed in ALiS.

3.28 ASIC has power to cancel or suspend an individual registered company auditor’s registration if they fail to pay the industry funding levy within 12 months of its due date. ASIC can cancel or suspend an authorised audit company’s registration if it ceases to be eligible for registration or fails to comply with any conditions of registration, or on the company’s own request. A registered company auditor’s registration may be cancelled or suspended on other grounds by the CADB (see paragraph 3.89).

3.29 ASIC maintains a searchable register of registered company auditors and authorised audit companies on its website.⁷⁸ ASIC produces a dataset from the register of company auditors each month, so that it can be published with configurable chart and table viewing options.⁷⁹

3.30 As at 11 March 2025, all company auditors that have ceased to be registered since 1 July 2004 have been removed from ASIC’s public register and dataset, as required by the Corporations Act.

Resignation and removal as the auditor of a reporting entity

3.31 Once appointed to audit the financial statements for a company, a registered company auditor may only withdraw from that engagement if the auditor is removed by the company or if the auditor resigns from the engagement following certain steps prescribed by the Corporations Act. Both resignation and removal require written notice of the change to be provided to ASIC. Between 2019–20 and 2023–24 ASIC received 3,289 applications for resignation and 1,283 applications for removal of company auditors (Table 3.6).

Table 3.6: Public company resignation and removal applications 2019–20 to 2023–24

Note a: ASIC advised the ANAO in July 2025 the increase in applications recorded in 2023–24 is attributable to a change in process. Prior to September 2023, ASIC did not record a paper-based application as having been received if the application was incomplete or lodged by the wrong auditor.

Source: ANAO analysis of ASIC documentation.

3.32 Resignation is contingent on consent from ASIC, unless the entity is a proprietary company or small company limited by guarantee. ASIC must notify the registered company auditor and the company if it consents to the resignation ‘as soon as practicable’ after receiving notice of resignation from an auditor.⁸⁰

3.33 The Corporations Act does not specify the matters ASIC is to consider when determining if consent will be granted. ASIC has issued guidance which states it will consider:

• any threats to auditor independence;
• the impact of the timing of the change on effective completion of the audit; and
• the statutory right of members of a public company to decide on the appointment of a new registered company auditor at an annual general meeting.⁸¹

3.34 The guidance also provides examples of situations in which ASIC will generally consent to resignation or withhold consent. For example, the guide provides ASIC will generally not consent if concerns are raised by the outgoing registered company auditor about a disagreement with management or the directors of the public company or if the auditor becomes aware their resignation is connected with ‘opinion shopping’.

3.35 Table 3.7 details the reasons ASIC refused consent for an auditor to resign each year from 2019–20 to 2023–24.

Table 3.7: Auditor resignation applications refused by the Australian Securities and Investments Commission 2019–20 to 2023–24

Note a: ASIC advised the ANAO in July 2025 the increase in administrative refusals recorded in 2023–24 is attributable to a change in process. Prior to September 2023, ASIC did not record a paper-based application as having been received if the application was incomplete or lodged by the wrong auditor.

Note b: See paragraphs 3.33 to 3.34.

Source: ANAO analysis of ASIC’s dataset.

3.36 Unlike resignation, removal of a registered company auditor by the reporting entity does not require ASIC’s consent.⁸² Removal of an auditor under the Corporations Act can be actioned by resolution of the company at a general meeting, provided notice of intention for removal was lodged with ASIC.

Timeliness of registration actions

3.37 ASIC’s service charter establishes publicly reported targets regarding the timeliness of the most common interactions ASIC has with regulated populations.⁸³ The charter has fifteen service standards, including one related to registering as an auditor. This service standard provides that ASIC aims to make a decision to grant or refuse an application for registration as a registered company auditor or authorised audit company within 28 days of receiving a complete application. The service charter notes some applications may take longer ‘if they raise complex or new policy issues, or if you don’t give us all the information we need.’ Stakeholder submissions received by the ANAO expressed concerns about the timeliness of registration decisions. Table 3.8 depicts ASIC’s performance against this service charter measure from 2019–20 to 2023–24.

3.38 ASIC reports its performance against the service charter in its annual reports. Annual reports from 2019–20 to 2023–24 included results for decisions on registration applications for registered company auditors, authorised audit companies and a self-managed superannuation fund auditors as a single measure. This presentation as a single measure does not align with the service charter standard which does not include self-managed superannuation fund auditors. Table 3.8 shows ANAO’s analysis of ASIC’s performance against this service measure exclusive of self-managed superannuation fund auditors.

Table 3.8: Australian Securities and Investments Commission performance against auditor registration service charter measure 2019–20 to 2023–24 (registered company auditors and authorised audit companies)

Note a: At 9 May 2025 there were nine ongoing applications beyond the 28-day target, including three matters which extended beyond 100 days.

Source: ANAO analysis of ASIC documentation.

3.39 The 28-day service level standard has not been updated since ASIC first introduced its service charter in 2006–07. ASIC was unable to provide the ANAO with the basis for specifying 28 days as the relevant standard for timeliness.

3.40 ASIC’s service standard target captures ASIC’s initial interaction with company auditors when they are first registering. ASIC does not publicly report on the timeliness of any of its ongoing interactions with registered company auditors following this initial registration, such as auditor cessation, resignation and removal.

Performance monitoring related to registered company auditor cessation

3.41 ASIC has internal performance indicators to process voluntary cessations within 28 days and involuntary cessations within one day. ASIC’s performance against these measures is not publicly reported. Between 2019–20 to 2023–24, ASIC met its performance indicator for involuntary cessations and did not meet the performance indicator for voluntary cessations (Table 3.9). ASIC monitored performance against its internal target using a manually compiled spreadsheet.

Table 3.9: Registered company auditor cessations 2019–20 to 2023–24 by processing date

Source: ANAO analysis of ASIC documentation.

Performance monitoring related to registered company auditor resignation and removal

3.42 ASIC does not report against a performance measure for processing registered company auditor resignation and removal applications. Stakeholder submissions received by the ANAO raised concerns with the timeliness of processing auditor resignation and removal applications. Table 3.10 and Table 3.11 show the time taken by ASIC to finalise applications for consent to resign and notices of company removal from 2019–20 to 2023–24.

Table 3.10: Days taken to finalise applications for resignation as a registered company auditor 2019–20 to 2023–24

Source: ANAO analysis of ASIC documentation.

Table 3.11: Days taken to finalise applications for removal as a registered company auditor 2019–20 to 2023–24

Source: ANAO analysis of ASIC documentation.

3.43 ASIC states on its website that registered company auditors should apply for consent to resign at least four weeks prior to the intended date of the change. From 2019–20 to 2023–24 ASIC finalised 56.6 per cent of resignations within seven days of receiving the application, while 44.7 per cent of removals were finalised in this time. During this period, 84.7 per cent of resignation applications were finalised within 28 days and 77.8 per cent of removals were finalised in that time. On average, resignations took 12.8 days to finalise, while removals took 18.6 days.

Does the Australian Securities and Investments Commission effectively monitor audit quality through its surveillance activities?

Overview of the Australian Securities and Investments Commission’s audit surveillance activities

3.46 Since 2022–23, ASIC has used the term ‘audit surveillances’ to refer to activities previously known as ‘audit firm inspections’ or ‘audit inspections’ that involve the review of key audit areas of individual audit files to assess compliance with auditing standards and the Corporations Act. ASIC states publicly that the aim of its audit surveillance program is to ‘promote the improvement and maintenance of audit quality’.⁸⁴ ASIC allocates the majority of its registered company auditor related staffing resources to conducting audit surveillances. Table 3.12 summarises ASIC’s reported audit surveillances activity between 2019–20 to 2023–24.

Table 3.12: Australian Securities and Investments Commission reporting of individual audit surveillances 2019–20 to 2023–24

Note a: ASIC conducted 63 audit surveillances in total in 2019–20. Ten of these surveillances were of unlisted entities and were not included in public reporting for that financial year. Surveillances of unlisted companies were included in reporting for subsequent years.

Note b: See Box 1 for a discussion on ASIC’s changed approach to audit surveillances from 2022–23.

Source: ANAO summary of ASIC reports.

3.47 ASIC is not restricted to reviewing key audit areas of audit files through audit surveillances, and can undertake complementary activities to monitor audit quality and propriety. Table 3.13 lists complementary activities reported by ASIC in its corporate plans, media releases, and annual reporting for the 2019–20 to 2023–24 surveillance periods. These included thematic surveillances⁸⁵ examining specific aspects of audit quality including audit firm governance and root cause analysis, establishing and maintaining a culture of audit quality, and implementation of audit quality frameworks.

Table 3.13: Additional registered company auditor surveillance information presented in public reporting on audit surveillance

Note a: Auditing Standard Quality Management 1 (ASQM 1) is an auditing standard issued by the Auditing and Assurance Standards Board regarding Quality Management for Firms that Perform Audits or Reviews of Financial Reports and Other Financial Information, or Other Assurance or Related Services Engagements.

Source: ANAO summary of ASIC reporting.

Design and implementation of audit surveillances

3.48 Table 3.14 summarises ASIC’s process for conducting audit surveillances and ANAO’s analysis of whether:

• ASIC’s procedures and templates for undertaking individual audit surveillances are appropriate for achieving ASIC’s objectives;
• the procedures and templates are followed in practice, based on a randomly selected sample of 15 individual audit surveillances⁸⁶ from a population of 183 individual audit surveillances conducted in the 2019–20 to 2023–24 surveillance periods; and
• matters identified by ASIC are addressed by registered company auditors, based on a randomly selected sample of 10 ‘Comments Forms’ (the document ASIC uses to issue adverse findings to a registered company auditor) from the 26 audits rated as inadequate by ASIC in the surveillance periods between 2019–20 and 2023–24.

Table 3.14: Australian National Audit Office assessment of design and implementation of individual audit surveillances

Key: ◆ No issues identified ▲ Some matters identified ■ Issues identified.

Source: ANAO analysis.

Audit surveillance file rating criteria

3.49 Following the conclusion of the audit surveillance assessment, ASIC applies an internal ‘file rating’ to the audit of either ‘good’, ‘adequate’, ‘poor’ or ‘inadequate’.

3.50 ASIC advised the ANAO in June 2025 that this file rating system was developed when the surveillance program first commenced and it is not used for public reporting. The file rating system is not used in a systematic way to track whether audit surveillances are producing remedial or deterrent effects that positively affect audit quality.⁸⁷

3.51 ASIC advised the ANAO in April 2025 that:

1. Around 2013 to 2015 ASIC conducted follow-up surveillances on audit files with significant findings, but this practice was ceased due to an assessment that the cost of follow-up reviews outweighed the benefits and there would be greater benefit in using those resources to review new files;
2. ASIC monitors the implementation of remedial actions in response to significant findings in audit surveillances at the six largest firms through regular industry liaison about audit quality initiatives; and
3. ASIC would consider conducting follow-up reviews in 2025–26.⁸⁸

3.52 Principle 4 of the Regulatory Policy, Practice and Performance framework provides that regulators should plan for, collect and use data to build a strong evidence base that can be used to evaluate whether regulation is achieving its desired outcomes.

Communicating the results of audit surveillances

3.56 ASIC’s public reporting provides an overview of its audit surveillance findings⁸⁹ in annual public reporting including the number of findings, the key audit area where findings arose and a summary of the conduct leading to the finding.

3.57 ASIC developed communications plans for the release of the financial reporting and audit surveillance reporting for 2022–23 and 2023–24. These communications plans were presented to ASIC Commissioners as part of the processes described at paragraph 2.7.

3.58 Both communications plans set out the objectives, target audience, key considerations, key messages, timetable for release of reporting, and sample questions and answers to respond to stakeholders. The 2022–23 plan focused on ensuring stakeholders understood changes to ASIC’s financial reporting and audit surveillance approach and explaining this change in approach. The 2023–24 plan highlighted ASIC’s areas of focus and explained findings of ASIC’s surveillance program.

3.59 These communication strategies did not include any performance reporting regarding the effectiveness of previous communication activities to registered company auditors or any mechanisms for measuring the performance of the proposed communications activities.

Auditor independence project 2024–25

3.61 ASIC’s 2024–25 auditor surveillance activities included a project on auditor independence. ASIC announced the independence surveillance project with a media release on 30 October 2024⁹⁰, and correspondence to registered company auditors and the Chief Executive Officer equivalent positions in the six largest networks of audit firms.

3.62 The project’s objectives were to provide deterrence messaging to the industry, request information from auditors and take action where issues are identified in relation to independence and conflicts of interest, and to undertake a review of root cause issues of independence issues at a firm level.

3.63 As at 7 July 2025, ASIC’s status reports indicate it had taken the following actions for the independence surveillance project:

• developed a data model for targeting registered company auditors;
• assessed results from the targeting model alongside public and internal information about the identified registered company auditors to determine if notices seeking further information should be issued;
• issued notices to 48 auditors;
• met with the ‘Big 6’ audit firms and completed initial analysis of their policies and procedures; and
• commenced referring potential breaches to ASIC’s Regulatory Triage Committee.

3.64 The ANAO did not assess the outcomes of the independence surveillance project as the project was not finalised before the ANAO’s audit fieldwork concluded. In October 2025 ASIC published its findings from the project together with a statement of action taken by ASIC in response to its findings.⁹¹

Does the Australian Securities and Investments Commission take appropriate action to respond to identified non-compliance?

3.65 ASIC’s 2021 statement of intent states that ASIC aims to use its full suite of regulatory tools in a targeted and proportionate way. ASIC has issued public guidance that articulates its approach to enforcement, including statements that ASIC is selective about the matters it pursues to ensure it uses its limited resources to effectively target misconduct.⁹² ASIC is unable to formally investigate all matters that come to its attention.

3.66 The ANAO examined how ASIC follows through on identified non-compliance by registered company auditors across a range of responses from less intrusive (such as working with an entity to achieve voluntarily remediation of deficiencies) to more intrusive (such as formal investigation leading to criminal penalties).

Voluntary remedial actions in response to ‘negative’ findings

3.67 ANAO reviewed 10 randomly selected ‘Comments Forms’ for the 26 audits rated as ‘inadequate’ by ASIC between 2019–20 and 2023–24 (Table 3.15). ASIC’s file rating system states further action must be considered by ASIC when a file is rated as inadequate but does not set out requirements for further action from the relevant auditors. ASIC’s procedures state the following criteria are relevant to files rated as ‘inadequate’:

• failed to comply with mandatory requirement(s) of auditing and ethical standards;
• significant concerns with sufficiency and quality of audit evidence;
• very significant concerns in other areas of the file; and
• concerns likely to contribute to issuance of inadequate report.

3.68 ASIC issues the ‘Comments Form’ to the registered company auditor at the end of an audit surveillance. The ‘Comments Form’ sets out the ‘negative’ findings and the registered company auditor’s response, including a statement outlining if the registered company auditor agrees, notes or disagrees with ASIC’s findings and the actions which it proposes to take to address ASIC’s findings.

3.69 The results of this analysis are presented in Table 3.15. For the 48 separately identifiable findings in the 10 comment forms:

• the registered company auditors disagreed with ASIC in relation to 35 of these findings;
• no remedial action was proposed by the registered company auditor for 14 of these findings;
• 33 of the 34 actions proposed by registered company auditors in response to ASIC’s findings were minor responses, such as proposing an additional review relevant to the finding in future audits or ‘considering’ updates to templates or procedures; and
• one response proposed internal disciplinary action.

3.70 One of these 10 surveillances reviewed was referred to ASIC investigation for follow-up; the outcome of this investigation was a decision that no further enforcement action be taken.

Table 3.15: Registered company auditors’ responses and actions proposed in response to the Australian Securities and Investments Commission for 10 surveillances where file was assessed as ‘inadequate’

Source: ANAO analysis.

3.71 ASIC’s CRM information system has the functionality to track remedial actions arising from regulatory activities, such as actions registered company auditors commit to take in response to ASIC’s surveillance activities. ASIC does not use this functionality to track actions registered company auditors commit to implement.

Issuing an audit deficiency report

3.72 Under Part 3, Division 5A of the ASIC Act, ASIC has the power to issue an audit deficiency report in relation to a registered company auditor that has demonstrated compliance failures or significant weaknesses in audit quality. The legislated process requires ASIC to:

• notify the auditor of the identified audit deficiency and to set out any remedial action that ASIC thinks necessary to remedy the deficiency;
• invite the auditor to make a written submission within a six-month period identifying remedial action taken or proposed to be taken to remedy the deficiency; and
• after six months, assess if the auditor has taken appropriate action to remedy the deficiency, and if this is not the case consider preparing a private or public report setting out the details of the matter.

3.73 ASIC has no internal procedures to govern how audit deficiency report powers are exercised, and has not exercised these powers since they were enacted in 2012.

3.74 The Australian Parliament grants regulatory powers to regulators because there is a need for those powers. The relevant explanatory memorandum states that audit deficiency reports will ‘improve confidence in the capital markets through increased transparency in the audit process’ and ‘[provide] a strong incentive for an audit firm to make prompt improvements in overall audit quality’.⁹³ Redesigning audit surveillance procedures to consider an audit deficiency report process where deficiencies are identified would:

• improve the follow-up of audit surveillances where deficiencies were identified and provide auditors with an incentive to follow through with remedial changes; and
• where deficiencies are not remediated, assist ASIC to sanction deficient conduct (where this is an appropriate alternative to prosecution) and communicate this outcome to markets in a transparent manner.

Investigations

3.77 The ASIC Act provides ASIC with powers to conduct an investigation when it has reason to suspect a contravention of the Corporations Act or other laws involving the affairs of a body corporate.⁹⁵

3.78 ASIC identifies matters for investigation by analysing regulatory intelligence such as contravention reports⁹⁶ and other reports of misconduct⁹⁷, the outcome of audit surveillances (see paragraph 3.46) as well as information received from other government agencies and stakeholders (such as disciplinary actions by professional accounting bodies, see paragraphs 3.93 to 3.94).

3.79 The Regulatory Insights and Assessment team within ASIC’s Registry and Intelligence Group determines if a matter raised in regulatory intelligence should be referred to ASIC’s Regulatory Triage Committee. The Committee comprises senior executives from across ASIC’s regulatory groups and determines whether matters require enforcement and compliance action.

3.80 Information Sheet 151⁹⁸ and ASIC’s referral and assessment criteria for the Regulatory Triage Committee identify factors ASIC considers when selecting matters for formal investigation and possible enforcement action. These are: areas of significant harm; broader public benefit; issues specific to the case; and alternatives to formal investigation.

Investigation process

3.81 Table 3.16 below sets out the steps taken by ASIC when completing an investigation of a registered company auditor.

Table 3.16: Summary of Australian Securities and Investments Commission’s process for investigating registered company auditors

Source: ANAO analysis of ASIC documentation.

Enforcement

3.82 ASIC has included strategic enforcement priorities in its 2024–25 Corporate Plan into decision making for enforcement actions against registered company auditors through the assessment criteria used by Regulatory Triage Committee, Matter Management Group and Commission Enforcement Committee. ASIC evaluates whether its enforcement priorities are met through both internal and public reporting.

3.83 ASIC may pursue enforcement outcomes through criminal proceedings, civil proceedings or administrative and other enforcement action. ASIC has published the factors it may consider in deciding which enforcement action to pursue.¹⁰⁰

3.84 Enforcement actions available to ASIC in relation to registered company auditors include:

• writing a warning letter to the entity;
• reaching a negotiated outcome, such as the company auditor voluntarily ceasing registration;
• issuing an audit deficiency notification and report under the ASIC Act¹⁰¹;
• issuing an infringement notice under the Corporations Act;
• accepting a court enforceable undertaking;
• imposing conditions on the company auditor’s registration;
• cancelling or suspending an individual registered company auditor’s registration if they fail to pay the industry funding levy within 12 months of its due date; and
• referring the individual for disciplinary action to the CADB (See paragraph 3.89 to 3.92).

3.85 ASIC has internal guidance for staff undertaking these enforcement actions, with two exceptions: writing a warning letter; and issuing audit deficiency notifications and reports (see paragraphs 3.72 to 3.76).

Investigation and enforcement outcomes

3.86 From 2019–20 to 2023–24 ASIC commenced 95 investigations into registered company auditors, with 68 investigations relating to annual statement or outstanding levy matters. During this same period, ASIC recorded a total of 89 enforcement outcomes, 78 of which originated from an annual statement or outstanding levy matter identified within ASIC. Two criminal actions were taken against registered company auditors and one against a related authorised audit company, leading to fines totalling $52,000 (Table 3.17).

Table 3.17: Registered company auditor enforcement outcomes 2019–20 to 2023–24, by source of referral

Note a: Investigations may be related to more than one registered company auditor or result in more than one enforcement outcome.

Note b: Of the 53 registration cancellations recorded, 42 were cancelled by ASIC due to outstanding levies (see Table 3.5), 10 were cancelled as a result of CADB decisions (see Table 3.18) and one auditor’s registration was cancelled by a court enforceable undertaking obtained by ASIC.

Source: ANAO analysis of ASIC documentation.

Australian Securities and Investments Commission investigations and enforcement action arising from audit surveillances

3.87 During the period from 2019–20 to 2023–24 ASIC initiated six investigations in relation to potential auditor misconduct matters identified in audit surveillances. Two investigations were linked to surveillances with a file rating of ‘inadequate’, ASIC’s most severe file rating. One investigation was from a file rated ‘adequate’.¹⁰² Three investigations arose from audit surveillances which were not assigned a file rating because a ‘letter of preliminary concerns’ had been issued or an enforcement referral had already been made.

3.88 Five investigations resulted in an outcome of no further action. Two of these investigations found insufficient evidence to establish a breach of Corporations Act and one determined no further action was required as internal sanctions¹⁰³ had already been made against the registered company auditor by their firm. One investigation arising from audit surveillance findings was referred to the CADB and resulted in the suspension of the company auditor’s registration via enforceable undertaking.¹⁰⁴ There were no other enforcement outcomes linked to matters identified through ASIC’s annual audit surveillance program arising from 2019–20 to 2023–24 (see Table 3.17 for further details regarding enforcement outcomes).

Referrals to the Companies Auditors Disciplinary Board

3.89 CADB is an independent statutory body that hears applications referred by ASIC regarding the conduct of registered company auditors.¹⁰⁵ The CADB has the power to cancel or suspend the registration of a company auditor and may impose other sanctions. CADB decisions are published on its website.¹⁰⁶

3.90 Applications to the CADB are usually prepared by a team in ASIC’s Enforcement and Compliance Group after receiving an internal referral. ASIC drafts a statement of facts and contentions to file with the CADB and serve on the relevant registered company auditor.

3.91 The CADB finalised a total of 45 cases from 2019–20 to 2023–24 and did not dismiss any matters referred by ASIC during this period (Table 3.18).

Table 3.18: Outcomes from matters referred to the Companies Auditors Disciplinary Board by ASIC 2019–20 to 2023–24

Note a: These matters were withdrawn by ASIC primarily due to the registered company auditors voluntarily cancelling their registration after receiving notification of the CADB proceedings.

Note b: There was an increase in CADB cases in 2020–21, with 36 of the 37 matters referred by ASIC that year relating to registered company auditors who had failed to lodge their annual statements that year (see paragraph 3.17 regarding annual statements).

Source: ANAO analysis of CADB annual reports.

3.92 Decisions from the CADB may be appealed to the Federal Court of Australia or Administrative Review Tribunal (formerly the Administrative Appeals Tribunal).¹⁰⁷ As at 2 July 2025, there have been four court judgments related to CADB decisions for registered company auditors.¹⁰⁸ Two of these concerned a challenge to the CADB’s decision making powers and were dismissed.¹⁰⁹

Disciplinary actions taken by professional accounting bodies

3.93 Professional accounting bodies relevant to registered company auditors in Australia include the Institute of Public Accountants (IPA), Chartered Accountants Australia and New Zealand (CA ANZ) and Certified Practicing Accountants (CPA). Not all members of these bodies are auditors. These organisations provide specific qualifications to their members and require members to comply with a code of conduct. Members in breach may be subjected to disciplinary actions.¹¹⁰

3.94 The ANAO analysed disciplinary actions reported by these three professional bodies from 1 January 2019 to 2 May 2025 and identified 580 cases, eight of which involved registered company auditors. A record of the misconduct found by the professional bodies was identified on ASIC’s CRM system for all registered company auditor disciplinary matters.

3.95 In April 2025 ASIC advised the ANAO that it is working with professional accounting bodies to improve information sharing arrangements about enforcement and disciplinary matters.

Cooperation and information sharing with international regulators

3.96 ASIC has cooperation agreements with international organisations and foreign regulators to share information regarding investigations, compliance and surveillance, policy research, delegations and licensing, due diligence and general referrals.¹¹¹

Enforcement actions from the United States Public Company Accounting Oversight Board

3.97 The Public Company Accounting Oversight Board (PCAOB) is responsible for overseeing the audits of public companies, brokers and dealers in the United States of America (US).¹¹² Australian auditors and audit firms undertaking audits related to US public companies are covered by the PCAOB’s regulatory activities.

3.98 The PCAOB website lists 219 enforcement actions taken between 1 July 2019 and 31 June 2025.¹¹³ These include five enforcement actions concerning Australian audit firms.¹¹⁴ The PCAOB notified ASIC in regard to one of these matters when the sanction decision was published. The agreement between ASIC and the PCAOB allows for cooperation, information sharing and notifying the other party of sanctions relevant to their jurisdiction.¹¹⁵ ASIC advised the ANAO in July 2025 this agreement was not used in these matters.

3.100 ASIC also advised the ANAO in July 2025 that it considered taking enforcement action in two of these PCAOB matters and determined no further action was required in both cases. ASIC considered both these matters for referral to enforcement within two months of the relevant PCAOB decisions.

Appendix 1 Entity responses

Australian Securities and Investments Commission

Department of the Treasury

Appendix 2 Improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s corporate plan states that the ANAO’s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

• ASIC reduced the industry funding model variance reporting threshold to $1 million for the 2024–25 variance reporting cycle (see paragraphs 2.17 and 2.18).
• ASIC advised the ANAO in March 2025 that it will update the terminology in its authorised audit company registration assessment procedures and guidance to reflect amendments to the Corporations Act 2001 in 2016.
• Recommendation 11 of the 2024 Parliamentary Joint Committee on Corporations and Financial Services report, Ethics and Professional Accountability: Structural Challenges in the Audit, Assurance and Consultancy Industry concerned the selection of audit files for inspection (see paragraph 1.19). The ASIC Commission Regulatory Committee proposed a response to this recommendation in February 2025, stating they intend to conduct random audit surveillances in 2025–26 and are recruiting six additional staff in 2024–25.
• ASIC announced on 19 May 2025 it will undertake an increased number of audit files surveillances and will review a random selection of files in 2025–26.¹¹⁶ This announcement did not identify the size of the increase and no increase in resourcing was announced.
• In August 2024 ASIC began a project to address concerns regarding registered company auditor independence and conflict of interest obligations (see paragraphs 3.61 to 3.64). ASIC published its findings from the project in October 2025 as the ANAO’s audit report was being finalised.
• Minor administrative corrections in record keeping during ANAO testing of matters reported in chapter 3.
• ASIC removed a 2010 media release related to enforcement action against a registered company auditor, which had remained on ASIC’s website contrary to ASIC policy (outlined in Information Sheet 152: Public comment on ASIC’s regulatory activities¹¹⁷) to remove information on enforcement actions after 10 years.
• In October 2025 ASIC amended internal procedural templates so that consideration of conflicts of interest for individual audit surveillances would be documented (see paragraph 2.31).
• In August 2025 ASIC communicated directly to the largest six audit firms that it would monitor how auditors and audit firms address findings from ASIC’s 2025–26 audit surveillance program and where appropriate consider using audit deficiency report powers. In October 2025 ASIC issued Report REP 819 ASIC’s oversight of financial reporting and audit 2024–25 which contained similar statements (see paragraph 3.76).

Appendix 3 Independence management

The Australian Securities and Investments Commission’s Annual Audit Quality Review Program of the Australian National Audit Office’s financial statements audit files

1. Since 2018, at the ANAO’s request ASIC has conducted an Annual Audit Quality Review Program (annual reviews) related to ANAO’s financial statements audit files for selected Australian Government entities. Between 2018 and 2021, the annual reviews also examined aspects of ANAO’s quality management framework, including management of independence and application of root cause analysis. More information on these annual reviews, including ASIC’s reports and the ANAO’s responses are available on the ANAO’s website.¹¹⁸

2. During the planning to determine if this performance audit would commence, both the ANAO and ASIC identified a perceived threat to each entities’ independence may arise from the ANAO undertaking a performance audit related to activities ASIC performs at the ANAO. The actual risk to independence was considered low by the ANAO.

3. The following additional treatments were put in place to manage threats to independence arising from the ANAO undertaking a performance audit of the regulation of company auditors while ASIC conducts annual reviews of ANAO financial statements files¹¹⁹:

• ASIC and the ANAO agreed for ASIC not to undertake reviews of the ANAO financial statements audit files for 2024–25.
• An internal separation was set up between ANAO officials working with ASIC on the annual reviews and the ANAO performance audit team.

Australian National Audit Office officials who are registered company auditors

4. ANAO officials who are registered company auditors in their own right — i.e. those who have become registered through sections 1279 and 1280 of the Corporations Act 2001 (Corporations Act) — and are therefore subject to the regulatory activities examined in this performance audit were not involved in the performance audit.

5. Under section 1281 of the Corporations Act the Auditor-General for Australia and ANAO officials delegated by the Auditor-General for Australia are taken to be registered as an auditor for the purposes of applying chapter 2M of the Corporations Act. The Auditor-General for Australia and ANAO officials delegated under section 1281 have not been subject to any of the ASIC regulatory activities examined in this performance audit.

Appendix 4 Australian Securities and Investments Commission annual reporting of performance information related to the regulation of registered company auditors 2019–20 to 2023–24

Table A.2: Summary of performance information in program-level annual reports 2019–20 to 2023–24

Note a: This table does not assess other program-level reporting such as quarterly or six-monthly regulatory or enforcement updates, firm-specific reports of findings, or reports on the outcomes of thematic reviews.

Source: ANAO, based on ASIC public reporting.

Appendix 5 Material published on the Australian Securities and Investments Commission’s website related to the regulation of registered company auditors

Table A.3: Regulator guidance published on the Australian Securities and Investments Commission website as at 20 May 2025

Source: ANAO summary of ASIC guidance available from ASIC, Find a regulatory document, https://asic.gov.au/regulatory-resources/find-a-document/find-a-regulatory-document [accessed 20 May 2025].

Table A.4: Content related to registered company auditors available from the Australian Securities and Investments Commission’s newsroom as at 20 May 2025

Source: ANAO analysis of results returned from ASIC’s newsroom available from https://asic.gov.au/newsroom/search/?tag=auditors [accessed 20 May 2025].