Are ADIs who wish to become accredited data recipients (ADRs) exempt from the requirement for an ASAE 3150 assurance report? The streamlined ADR application does not ask for such a report.
The Rules do not appear to exempt ADIs from the requirement to provide ongoing assurance reports. For example, CDR Rules Schedule 1, rule 2.1(3) says:
The accredited person must provide an assurance report to the Data Recipient Accreditor within 3 months after the end of:
(a) the reporting period after the initial reporting period; and
(b) every second reporting period thereafter;
that covers the reporting period.
On this basis, are ADIs required to:
1) Provide an ASAE 3150 assurance report during accreditation?
2) Provide ongoing ASAE 3150 assurance reports as per Schedule 1, Rule 2.1(3)?
ADIs are not required to provide an assurance report as part of their accreditation application. ADIs are eligible for the streamlined accreditation process, with the criteria being that they are an ADI. The information that will be requested as part of the streamlined accreditation application can be viewed via our sample application form.
Under the current version of the CDR Rules, an accredited data recipient (regardless of whether they are an ADI or not) is required to comply with ongoing reporting obligations under Schedule 1 of the CDR Rules. This means they are required to provide ongoing assurance reports to the Data Recipient Accreditor as referred to under clause 2.1 (3) of Part 2, Schedule 1 of the CDR Rules. Schedule 1 of the CDR Rules also requires an accredited data recipient to provide ongoing attestation statements.