This publication is co-funded by the European Union.

Banking Supervisors and External Auditors: Building a Constructive Relationship
Supervisors’ Insights

Centre for Financial Reporting Reform
Governance Global Practice, The World Bank
Praterstrasse 31, 1020 Vienna – Austria
T: +43 (0)1 2170-700
F: +43 (0)1 2170-701
cfrr@worldbank.org
www.worldbank.org/cfrr

This volume is a product of the staff of the International Bank for Reconstruction and Development/The World Bank. The findings, interpretations, and conclusions expressed in this paper do not necessarily reflect the views of the Executive Directors of The World Bank or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

Copyright © 2015 by Centre for Financial Reporting Reform, Governance Global Practice, The World Bank

The material in this publication is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The International Bank for Reconstruction and Development/The World Bank encourage dissemination of their work and will normally grant permission to reproduce portions of the work promptly. For permission to photocopy or reprint any part of this work, please send a request with complete information to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA, telephone 978-750-8400, fax 978-750-4470, http://www.copyright.com/. All other queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, The World Bank, 1818 H Street NW, Washington, DC 20433, USA, fax 202-522-2422, e-mail pubrights@worldbank.org.
Acknowledgments

This publication records key findings from the World Bank Centre for Financial Reporting Reform (CFRR) survey – Financial supervisors and external auditors: building a constructive relationship. The survey was developed by a World Bank team of experts based on several workshop discussions among senior supervisors from the Europe and Central Asia (ECA) region, and to a greater extent, on recent literature, including the Basel Committee on Banking Supervision (BCBS) paper on the external audit of banks and the recent European Commission (EC) Directive and Regulation on statutory audit.

The survey was conceived, realized and analyzed by a CFRR team led by Pascal Frerejacque, Senior Operations Officer, including Johanna Lincoln and Carla Loum with input from Shamim Diouman, all World Bank Consultants and with the editorial assistance of Denise Brettschneider, Susan Schroeder and Ecaterina Gusarova, under the supervision of Henri Fortin, Head, CFRR, World Bank and Global Lead for Corporate Governance and Financial Reporting, Governance Global Practice.

Members of the European Banking Authority (EBA) Standing Committee on Accounting, Reporting and Auditing (SCARA) subgroup and participants in the World Bank-led REPARIS (The Road to Europe: Program of Accounting Reform and Institutional Strengthening) and STAREP (Strengthening Auditing and Reporting in Countries of the Eastern Partnership) programs were invited to complete the survey questionnaire. The CFRR is very grateful to all survey respondents for their time and the quality of the information they provided.
The team would also like to thank those who provided comments on the survey questionnaire and report:
►► Mike Edwards, Lead Financial Sector Specialist, Finance & Markets Global Practice, World Bank;
►► David Gruenberger, Head, Accounting & Regulatory Monitoring, Austrian Financial Market Authority;
►► Svetlana Klimenko, Lead Financial Management Specialist, Governance Global Practice, World Bank;
►► Gabriella Kusz, Consultant, Governance Global Practice, World Bank;
►► Juan Ortiz, Senior Financial Sector Specialist, Financial Sector Advisory Center, World Bank;
►► Marc Pickeur, retired Senior Advisor at the Prudential Policy and Financial Stability Department, National Bank of Belgium and Board Member of the International Auditing and Assurance Standards Board (IAASB);
►► Patricia Sucher, Technical Specialist in External Audit and Assurance, Prudential Policy Directorate, Bank of England;
►► Nic van der Ende, Accountancy Coordinator, Supervisory Policy Division, National Bank of the Netherlands; and
►► Erik van der Plaats, Senior Expert - Policy and Regulatory Advice, Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA), European Commission.

A special thanks also to the Regulation Department of the EBA for their extended support.

We are grateful for the generous support provided by the European Union, the Austrian Development Cooperation, the Austrian Federal Ministry of Finance, the Swiss State Secretariat for Economic Affairs, and the Finance Ministry of the Grand Duchy of Luxembourg.
Content

Index of acronyms
Preface
Executive summary
About the Report
Insight 1 - External audit in banks: Auditors’ work does contribute to the effective supervision of banks
Insight 2 - Channels of communication: Supervisors could engage more effectively with external auditors
Insight 3 - Topics of mutual interest: External auditors could contribute more on specific areas of interest to supervisors
Insight 4 - Supervisors’ input to audits: Supervisors do contribute to enhanced audit quality
Insight 5 - Other communications: Effective communication between audit and banking supervisors and audit committees does improve audit quality
Summary of the proposed policy actions
About the CFRR

Index of acronyms

A&A      Accounting & Auditing
AOB      Audit Oversight Body
AQR      Audit Quality Review
BCBS     Basel Committee on Banking Supervision
BCP      Basel Core Principles
CFRR     Centre For Financial Reporting Reform
SIBs     Systemically Important Banks
ECA      Europe and Central Asia
FYROM    Former Yugoslav Republic of Macedonia
IASB     International Accounting Standards Board
ICAAP    Internal Capital Adequacy Assessment Process
IESBA    International Ethics Standards Board for Accountants
IFAC     International Federation of Accountants
IFRS     International Financial Reporting Standards
ISA      International Standards on Auditing
ISQC     International Standard on Quality Control
LFAR     Long Form Audit Report
MoF      Ministry of Finance
MoU      Memorandum of Understanding
NOCLAR   Non-Compliance with Laws And Regulations
PIE      Public Interest Entities
SIFI     Systemically Important Financial Institutions

Preface

The 2008 financial crisis highlighted weaknesses in the risk management, control and governance processes of banks as well as in their statutory audit and financial supervision. This led to increased scrutiny of the respective roles and interactions of banking supervisors and external auditors who are key contributors to market discipline.
Auditors ensure that financial information is transparent and reliable while supervisors provide confidence in the financial systems. Both supervisors and auditors allow market players to make informed decisions and contribute to financial stability.

Since 2008, regulators and lawmakers have strived to address the shortcomings identified during the crisis by taking various initiatives to reform the international financial architecture. In particular, a 2014 Basel Committee on Banking Supervision paper explored the interaction between supervisors and external auditors and linked their enhanced relationships with improved audit quality of banks’ financial statements and effective banking supervision.

This report presents the findings of the survey conducted by the World Bank Centre for Financial Reporting Reform (CFRR) – Financial supervisors and external auditors: building a constructive relationship. The survey was sent to supervisors from the European Union and other countries in Eastern Europe, South Eastern Europe and the South Caucasus to explore practices that make better use of information provided by external auditors and influence the audit quality of banks’ financial statements. The report was developed after several workshop discussions amongst senior staff from central banks and banking regulatory agencies, who recognized the importance of an effective relationship to assist both supervisors and auditors in discharging their duties.

Responses from 35 supervisory authorities suggest that stronger two-way interaction can improve the quality of external audits and enhance banking supervision. The report draws together some actionable insights which were highlighted by the survey for improving the relationship between supervisors and external auditors. These insights will be helpful to banking supervisors in developing their policies and will also provide guidance to assist them in managing their relationships with banks’ auditors.
They can also serve as guidelines for defining the processes necessary to build enhanced auditing and supervision practices.

Executive summary

The survey confirms that enhancing the relationship between supervisors and external auditors is a strategic imperative for both audit quality and the effective supervision of banks in the ECA region. The report offers a range of actionable insights to enhance both audit quality and supervision regardless of the jurisdictional circumstances, the characteristics of the bank under supervision, or the supervisory model adopted.

Insight 1: Auditors’ work does contribute to the effective supervision of banks

Supervisors and auditors possess complementary skills and knowledge. External auditors may participate in the supervisory process by performing additional work at the request of the supervisors, providing reasonable or limited assurance on a range of areas, such as: internal controls, IT systems, risk management, or prudential returns. For instance, supervisors have greater confidence in prudential returns when they are reconciled with audited financial statements. By reporting to supervisors, external auditors contribute to strengthening the supervisory process.

Audit information is, however, not always reviewed during the regular inspection of banks and supervisors do not always have a good understanding of what an external audit comprises and how they can rely on auditors’ work. Practices vary across ECA in terms of the scope of auditors’ work, the extent of auditors’ contributions to the supervisory process, and the type of assurance they provide.

Insight 2: Supervisors could engage more effectively with external auditors

Regular exchanges of information between external auditors and banking supervisors enable both parties to perform their duties effectively. A strong and fruitful two-way relationship depends on the quality of interaction between auditors and supervisors. The objective is to have “the right discussions at the right level and at the right time”, using the most appropriate channels of communication so that supervisors can engage more effectively with external auditors.

All supervisors surveyed meet with external auditors but meetings typically occur at a late stage, mainly after the audit work has been completed and the audit report has been issued. For most European supervisors, direct meetings with external auditors, without the bank’s management, are the preferred option. Confidentiality remains an issue in other jurisdictions. Few jurisdictions provide “safe haven” rules for auditors when reporting matters to supervisors. Finally, very few jurisdictions have a feedback system in place to assess and monitor the quality of the relationship between supervisors and auditors.

Insight 3: External auditors could contribute more on specific areas of interest to supervisors

Sharing information on a range of important accounting and auditing themes due to their complexity, materiality and/or judgment involved is crucial. At a crossroads between accounting and finance, topics covered under accounting standards for financial instruments, such as loan valuation and provisioning as well as the bank’s asset valuation, are key for both external auditors and supervisors. Compliance with prudential regulations and the consistency of disclosures in financial statements with published prudential information are also important. Finally, the effectiveness of banks’ internal control, risk management and IT systems are essential inputs for assessing the bank’s risk profile and going concern assumption. External auditors may identify additional areas of interest to supervisors during the course of the audit.

Insight 4: Supervisors do contribute to enhanced audit quality

Supervisors can help improve the quality of financial information. They can provide an environment which supports the independence, objectivity and integrity of audit work. Supervisors can also enhance audit quality by sharing relevant information with external auditors.

Responses show that most supervisors are empowered to regulate certain conditions of the appointment and rotation of external auditors, and the audit retendering process. In a few jurisdictions, supervisory authorities are also involved in monitoring and sanctioning auditors and their work. Often confidentiality rules prevent supervisors from communicating bank or industry specific information to external auditors.

Insight 5: Effective communication between audit and banking supervisors and audit committees does improve audit quality

Audit committees and Audit Oversight Bodies (AOBs) contribute to enhanced audit quality through the effective oversight of external auditors’ work and their ability to form an opinion on banks’ financial statements. These institutions play a critical role in building an appropriate framework for corporate governance and high-quality external audits.

Most banks are required to have an audit committee but supervisors rarely meet the committee’s chair. The audit oversight systems are not always effective or even established. Overall, when they exist, supervisors have connections with the AOB, whose role is to identify failures and weaknesses in banks’ external audits, and to examine the work of external auditors, imposing sanctions and/or remedial measures as necessary.

About the Report

This report is based on a survey of banking supervisors conducted in Europe and the South Caucasus.

Key facts

The CFRR conducted a survey during the second half of 2014: Financial supervisors and external auditors: building a constructive relationship. Thirty-five countries in Europe responded to 44 questions.
[Figure: 44 questions to supervisors; 85% response rate; 35 countries in ECA]

The 44 questions were organized around four themes (question counts shown in the figure, in order: 10, 22, 4, 8):
►► Practice of external audit in banks
►► Exchange of information between supervisors and external auditors
►► Perception of the quality of external audit by supervisors
►► Involvement with committees/institutions that oversee the audit function

Results have been aggregated across three regional groups:
►► European supervisors (EU + Norway): Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Romania, Slovenia, Spain, Sweden, United Kingdom (UK)
►► REPARIS supervisors: Albania, Bosnia and Herzegovina, FYR of Macedonia, Montenegro, Serbia
►► STAREP supervisors: Armenia, Azerbaijan, Moldova, Georgia

Guidance on how to read and use the report

On a thematic basis, the report includes a list of survey findings and possible actions for supervisors to consider. These actions are only suggestions and/or reported good practices which supervisors may implement in their jurisdiction when interacting with external auditors. The list is by no means exhaustive and is only provided as a guide or example for potential implementation by supervisors.

When implementing these actions, supervisors and external auditors should also take into account the following key points:

1. The actions do not change the respective roles and responsibilities of the supervisor, the external auditor or the bank’s management. The supervised bank should remain the main source of information.

2. The actions do not supersede international standards on auditing, international financial reporting standards, international best practices on corporate governance or Basel Core Principles especially in the areas of independence and accountability of external auditors and the bank’s management.

3. The key objectives of the actions are:
►► Building or strengthening a communication and interaction process between supervisors and auditors;
►► Ensuring that the interaction between supervisors and external auditors is ongoing and conducted in a systematic and structured manner;
►► Maintaining a communication between supervisors and auditors that is both critical and constructive;
►► Providing a basis for a better and more detailed mutual understanding of the underlying issues and risks in the banks and the banking sector; and
►► Informing the work of supervisors and auditors to contribute to enhanced financial stability.

Insight 1
External audit in banks
Auditors’ work does contribute to the effective supervision of banks

Supervisors and auditors possess complementary skills and knowledge. External auditors may participate in the supervisory process by performing additional work at the request of the supervisors, providing reasonable or limited assurance on a range of areas such as: internal controls, IT systems, risk management, or prudential returns. The reporting of external auditors to supervisors contributes to strengthening the supervisory process. For instance, supervisors have greater confidence in prudential returns when they are reconciled with audited financial statements.

Audit information is, however, not always reviewed during the regular inspection of banks and supervisors do not always have a good understanding of what an external audit comprises and how they can rely on auditors’ work. Practices vary across ECA in terms of the scope of auditors’ work, the extent of auditors’ contributions to the supervisory process, and the type of assurance they provide.

What is an external audit?
“One element that seems difficult is informing supervisors (mostly without accounting background) about the roles and responsibilities of auditors.”
- National Bank of the Netherlands

Responses to the survey show that in many countries, if not most, supervisors are not fully aware of where the responsibilities of external auditors start and where they end. This confusion among supervisors creates many direct and indirect issues which prevent effective communication and fruitful cooperation and collaboration between supervisors and external auditors. In some cases, it generates suspicion and a lack of trust between all parties. This can be partly explained by the fact that there is no widely accepted definition of what an external audit is.

The definition below has been formulated based on the objective of ISA 200, Overall Objectives of the Independent Auditor and the Conduct of an Audit in Accordance with International Standards on Auditing.

What is an external audit?

An external audit is a process by which an independent external auditor will obtain sufficient appropriate audit evidence to give reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework, and to report on the financial statements in accordance with the auditor’s findings. Reasonable assurance is a high, but not absolute level of assurance. The independent opinion enhances the degree of confidence of intended users in the financial statements.
Role of external auditors vis-a-vis the supervisory function

In order to support the supervisory process, banking supervisors often ask external auditors to perform tasks in addition to the audit of financial statements, and to provide a limited or reasonable assurance on additional areas, such as internal controls, prudential returns, etc.

Extent of use of external auditors

Sixty-eight percent of supervisors may ask external auditors to perform additional tasks outside the scope of the audit, with 56% of them stating that this is a legal requirement. Some supervisors are only allowed to request additional work via the bank under supervision. Other supervisors are not allowed to delegate any tasks to external auditors.

“For institutions under the Commission de Surveillance du Secteur Financier prudential supervision, we may set rules regarding the scope of the audit mandate and the content of the reports and written comments of the approved external auditor, without prejudice to the legal provisions governing the content of the statutory auditors’ report.”
- Commission de Surveillance du Secteur Financier of Luxembourg

Type of tasks outside the scope of external audit

Some supervisory authorities are empowered to ask external auditors to perform any type of tasks outside the scope of the audit. However, the scope of the audit differs depending on the jurisdiction. Below is a list of additional tasks that have been cited, in order of recurrence and indicating whether it is a legal requirement (LR) or just common practice (CP):

NEVER in the scope of the audit
►► Conducting special audits (i.e. those conducted to detect potential or suspected irregularities, errors or frauds); (LR)
►► Verifying that items with a particular supervisory interest are registered correctly in the financial statements and/or in the corresponding supervisory returns (i.e. correct breakdown of credit risk items, impaired assets, expected losses in the context of a business combination...); (CP)
►► Conducting risk assessment, asset quality review and stress tests directed by the ECB during the asset quality review process; (LR)
►► Complying with own funds requirements; (LR)
►► Examining account balances and whether they are pledged or encumbered; (CP)
►► Reviewing the Internal Capital Adequacy Assessment Process (ICAAP); (LR)
►► Monitoring the orderly unwinding of the bank. (LR)

SOMETIMES in the scope of the audit
►► Preparing a Long-Form Audit Report or special appendix to financial statements; (LR)
►► Reporting on any topic related to the organization of the bank, its activities and financial structure, including the adequacy and efficiency of its internal control system, the security of its information system, risk management and governance systems. (LR and CP)

ALWAYS in the scope of the audit
►► Auditing of financial statements. (LR)

Example 1: Tasks outside the scope of audit that can be requested by the Central Bank of Ireland

The Central Bank (Supervision & Enforcement) Act 2013 introduced a provision for the Central Bank requesting external auditors to provide assurance over areas concerning:
►► Administrative or accounting procedures;
►► Internal control mechanisms;
►► Risk management;
►► Organizational structure; and
►► Governance of regulated financial service providers.
Prior to 2013, Section 27E of the Central Bank Act 1997 provided the Central Bank with the ability to commission a report from the external auditor of any regulated financial service provider on any of the following:
►► The service provider’s accounting records;
►► The systems (if any) that the service provider has in place to ensure that the service provider acts prudently in the interests of its members (if a company or firm) and the interests of those to whom the service provider provides financial services;
►► Any other matter in respect of which the Bank requires information about the service provider, or the service provider’s activities, to enable the Central Bank to perform its function.

About 60% of supervisors, mainly European, have asked external auditors to perform additional tasks outside the given scope of the audit in the last five years.¹ In about 80% of these cases, the bank under supervision pays for work outside the scope of the audit requested by supervisors.² For another 10%, the supervisory authority pays. For the remaining 10%, the cost can be split between the bank and the supervisory authority, depending on the task requested.

Type of assurance provided by external auditors: reasonable assurance, and limited assurance

Supervisors were asked in an open-ended question to describe the areas/topics beyond the audit of financial statements on which the external auditors are required to provide a reasonable assurance and those on which auditors would provide a limited assurance. The statistics below are calculated based on the recurrence of responses received to this open-ended question and percentages may not accurately represent current auditing obligations for banks:³

¹ Calculated based on recurrence
² Ibid
³ Answers to this qualitative question are ranked based on their recurrence.
A reasonable assurance is required on:

Topics                                        Recurrence
Internal controls                             31%
Risk management                               20%
IT systems                                    17%
Annual regulatory/prudential report           17%
Valuation                                     11%
Organizational structure and/or governance    9%

In addition, some jurisdictions require reasonable assurance on: asset quality, reserve, provision, and adequacy and accuracy of information passed from the branch to headquarters.

A limited assurance is required on:

Topics                                                  Recurrence
Interim financial statements                            9%
Internal controls                                       9%
Interim profit, when included in the bank’s own funds   6%
Valuation                                               6%

Additional areas with limited assurance include: semi-annual regulatory/prudential reports, remuneration and benefits received by management, special reports on related party agreements and commitments, environmental and social information, administrative or accounting procedures, loan loss provisioning, and on the bank’s deposit function for the client’s assets. One respondent mentioned that there should be limited assurance on the internal audit and compliance function of the bank.

For some supervisors the issuance of a reasonable or limited assurance is related to the size of the financial institution. Furthermore, the topics and frequency of reasonable or limited assurance engagements may vary depending on the situation, the audit firm’s agreement with the bank, and/or specific requirements from the supervisor.

Example 2: The Austrian additional Annex to the Auditor’s Report “AP-VO”⁴

According to the Austrian Banking Act, effective as of 2014, external auditors of banks are obliged to audit an additional appendix (prudential report) together with the external audit of financial statements. Depending on the size of the credit institution, external auditors will have to issue a reasonable or limited assurance on the effectiveness of internal controls in various areas (i.e. funds, liquidity, special risks, money laundering law and compliance rules, etc.).
This appendix is not published, but submitted to the supervisor with the auditor’s report within six months of the date of the financial statements. The Financial Market Authority issued a regulation defining the form and layout of this appendix.

⁴ Based on responses collected and the Austrian Federal Banking Act (Bankwesengesetz – BWG), Art. 63 para. 4 and 5. https://www.fma.gv.at/typo3conf/ext/dam_download/secure.php?u=0&file=2660&t=1421844110&hash=a22f73f54f555cc78e849187dcfff798

External auditors’ reporting to banking supervisors

Long-Form Audit report

Supervisors may ask auditors to submit a Long-Form Audit Report elaborating on the external audit of financial statements and on special prudential supervisory requirements. This report can be an effective tool in the supervision of financial institutions, helping to support reliable financial reporting and underpinning market confidence. If presented in a consistent format, the Long-Form Audit report can facilitate comparison across banks.

Survey results show that only a few jurisdictions legally require external auditors to submit a Long-Form Audit Report. This report is not public and is sometimes perceived as part of the scope of the statutory audit.

Example 3: The Long-Form Audit Report in Germany⁵

In Germany, external auditors are required to submit a Long-Form Audit Report to the supervisory board. This report is not available to the public and is a useful tool to monitor management. This report must include:

General Findings
►► Comments on the general situation of the bank and going concern assessment (based on the audited records and management report);
►► Facts and significant risks that affect the future development and existence of the bank;
►► Any irregularities or violations of statutory provisions or the articles of incorporation by representatives or employees of the bank.
Basis of the External Audit
►► Subject, nature and scope of the external audit;
►► Applied Accounting and Auditing Standards;
►► Confirmation of the external auditor’s independence.

Accounting Policy Decisions
►► Accounting methods, substantial bases of valuation and changes thereof;
►► Exercise of accounting and measurement options;
►► Use of discretion, estimation and judgment;
►► Structuring measures (“window dressing” transactions);
►► Any material disclosures not already in the notes.

Risk Management and Internal Control
►► In the case of listed banks: whether the executive management has implemented sufficient risk management and internal control systems.

⁵ Bundesministerium der Justiz, Audit Regulatory Committee, Long-Form Audit Report in Germany, March 2011. http://ec.europa.eu/internal_market/auditing/docs/committees/pres1-03-03-11_en.pdf

Distinguishing between the New Audit Report and the Long-Form Audit Report

The New Audit Report⁶

The new and revised Auditor Reporting standards are responsive to calls from investors and other users of audited financial statements for more informative and relevant auditors’ reports based on the external audit that was performed. These standards include new ISA 701, Communicating Key Audit Matters in the Independent Auditor’s Report, and a number of revised ISAs, including ISA 700 (Revised), Forming an Opinion and Reporting on Financial Statements, and ISA 570 (Revised), Going Concern. Examples of reports illustrating various circumstances are included in the new and revised Auditor Reporting standards. These will be effective for external audits of financial statements for periods ending on or after December 15, 2016. The New Audit Report is in the public domain and is currently a legal requirement for listed entities only.
Intended benefits of the New Audit Report:
►► Enhanced communication between auditors and investors, as well as those charged with corporate governance;
►► Increased user confidence in auditors’ reports and financial statements;
►► Increased transparency, audit quality, and enhanced information value;
►► Increased attention by management and financial statement preparers to disclosures referencing the auditor’s report;
►► Renewed auditor focus on matters to be reported that could result in an increase in professional skepticism;
►► Enhanced financial reporting in the public interest.

⁶ The International Federation of Accountants, Reporting on Audited Financial Statements – New and Revised Auditor Reporting Standards and Related Conforming Amendments, January 2015. http://www.ifac.org/publications-resources/reporting-audited-financial-statements-new-and-revised-auditor-reporting-stan

The Long-Form Audit Report

The Long-Form Audit Report (LFAR) is a separate document prepared by auditors for banks’ supervisors only and is not in the public domain. The LFAR is prepared in some countries only and is a requirement of the banking regulators, not the IAASB. The LFAR contains:
►► Audit assignment and the basis of the external audit;
►► General findings;
►► Financial statement based on reporting (including regulatory requirements);
►► Risk (including risk management and risk tolerance);
►► Business organization and comprehensive bank management.

The LFAR is not published in the public domain and is only intended for the use of the client and the banking regulators.

Right to report and duty to report

The auditors’ right to report general findings and results and their duty to report significant findings (error, weakness of internal control), and/or any material fraud discovered during the external audit are important factors that, if used effectively, could strengthen the supervisory process.
The duty to report usually applies at the level of the bank’s headquarters, branches, and to legal entities with which the bank has close links. Importantly, external auditors should be able to use their right to report freely, without their professional responsibility being at risk. However, at this juncture, only a few jurisdictions provide for limitation of the external auditors’ liability when these matters are reported in good faith and are believed to be relevant to the functions of the supervisor.

“The Central Bank (Supervision & Enforcement) Act 2013 provides for limitation of liability in reporting of certain matters by external auditors to the Central Bank.” - Central Bank of Ireland

General findings and results
►► A discussion of general audit findings prior to signature of the audit opinion is common practice for only 11% of supervisors;
►► No jurisdictions report a legal requirement for such a discussion;
►► Fifty-four percent of supervisors never discuss general findings and results of the external audit prior to signature of the audit opinion;
►► In total, 34% mentioned that such discussions occur when deemed necessary, mainly when findings and results fall within the scope of the external auditors’ right to report or when external auditors are facing a ‘complicated’ case. Others mentioned that such discussions take place occasionally if requested by the external auditors and/or depending on the timing of the meeting with external auditors.

“Bank external auditors do not generally discuss their findings but there is a special reporting duty in some cases (i.e.
the credit institution will not be able to fulfill its obligations or continue as a going concern, material violations of the law, etc.).” - Austrian Financial Market Authority

Significant findings

In almost all jurisdictions, external auditors are required to disclose significant findings (error, weakness of internal control) discovered during their audit: when this is not a legal requirement (83%), it is a common practice (14%).

[Figure: Do the external auditors in your jurisdiction inform the banking supervisors immediately in case of other significant findings (error, weakness of internal control) during the audit?]

Jurisdictions that require a Long-Form Audit report usually have provisions for the disclosure of significant findings as well. Some supervisors mentioned that significant findings are usually disclosed in the management letter, which is forwarded to the supervisory authority together with comments from the bank’s management.

“The external auditor has a duty to report in writing to the Czech National Bank any facts which may indicate any breaches of the legislation governing banks’ activities, have a material negative impact on its economy, etc.” - Czech National Bank

In general, external auditors have a duty to report the following matters to supervisory authorities in writing and as soon as possible:
►► The occurrence, or suspected occurrence, of non-compliance with laws and regulations;
►► Any finding which has a significant impact on the bank’s financial position, administrative organization, internal controls, or ability to continue as a going concern;
►► If the external auditor is planning to qualify the bank’s financial statements, issues a modified/qualified opinion or a negative opinion; and
►► When management and/or those charged with governance fail to take corrective actions.
The Importance of the Management Letter [7]

Key features

A modern audit follows a risk-based approach, which focuses on the risks of material misstatements and how the audited entity mitigates these risks through its internal control system. The management letter is a key output of the audit addressed to management in which the deficiencies and weaknesses in a bank’s organizational structure are identified and eventual recommendations from external auditors on how to improve these internal control issues are presented. The bank’s management usually provides a written response to the external auditor’s remarks which is integrated into the management letter. The follow-up audit work should assess the progress made by the bank to implement the recommendations of the initial audit or fix the problems highlighted in the management letter. The management letter is often shared with supervisors and is also a key topic for discussions between external auditors and audit committees.

Importance for supervisors

The management letter details weaknesses in internal controls that could cause a material misstatement in the financial statement. Thus this document raises important points and summarizes the key areas for the attention of banking supervisors.

Material Fraud

Overall, external auditors are required by law to disclose any material fraud detected during their audit to banking regulators (94%). However, a limited number of jurisdictions specifically mention fraud and criminal offence as a triggering event in their legislation.

“The auditing company shall immediately notify the Governor in writing if, during the audit, it finds out that a bank’s solvency or liquidity is compromised and the bank operates, and/or has operated, contrary to the regulations.
This requirement applies also to legal entities with which the bank has close links.” - National Bank of the FYR of Macedonia

[7] Based on the Office of the Auditor General of Canada, 8020 - Recommandations et réponses de l’entité, November 2014. http://www.oag-bvg.gc.ca/internet/methodologie/audit-de-performance/manuel/8020.shtm

[Figure: If material fraud is detected in a bank’s financial statement during the external audit, are the external auditors required by law to disclose this information to banking supervisors?]

Supervisors’ access to audit information

Most supervisors have access to auditors’ reports, external auditors’ management letters, and reports to the audit committees. Most of them have no access to auditors’ working papers:
►► Access to audit information is a legal entitlement for 43% of supervisors. Twenty-nine percent have no access to these documents since they are the legal property of external auditors and covered by confidentiality rules.
►► Among the supervisors who have access to audit information, 96% have access to the auditors’ report, 81% to the management letter and 54% to other documents that may be relevant for the conduct of supervisory activities.
►► The survey finds that 58% of supervisors have access to the report to the audit committee and a limited number of them have access to the minutes of audit committee meetings.
►► A review of audit information is a legal requirement for only 19% of the supervisors. Fifty percent of the supervisors do not review audit information as part of their regular inspection of banks.

[Figure: Do banking supervisors have access to audit information?]

[Figure: Type of audit information banking supervisors have access to]

[Figure: Is the supervisory authority involved in the inspection of audit information as part of the regular inspection of banks?]
Perceptions of external auditors

How supervisors perceive external auditors in their jurisdiction is important in order to gauge the quality of external audits and therefore the quality of banks’ financial statements used by different stakeholders.

External auditors’ capacity vs. supervisors’ capacity

Thirty-three percent of supervisors believe that the capacity of external auditors (knowledge, number of staff, etc.) is comparable with theirs. [8] Thirteen percent cannot compare, mainly because they are not involved in oversight activities and are unable to judge the capacity of external auditors objectively. The remaining 54% believe that the capacity of supervisors and external auditors differs.

[8] Answers to this open-ended question are ranked based on their recurrence and are not always mutually exclusive.

“There is a trend whereby the number of staff with an accountancy background diminishes rather than increases. The need for accountancy knowledge, however, is increasing, so a tension has been identified. It appears difficult to find staff who are capable of developing skills on the borderline of accountancy and prudential supervisory knowledge.” - National Bank of the Netherlands

Skill set

Almost all supervisors agree that external auditors have the appropriate skill sets to audit banks in their jurisdictions. External auditors are usually perceived to be IFRS/ISA experts. To support their answers, supervisors note that:
►► It is usually Big 4 companies that are involved in the audit of banks in their jurisdictions. Supervisors assume that these audit firms have the appropriate skill set and can ask their international network of experts for help when necessary; and
►► There is a strict appointment process of external auditors in which supervisors are involved.
Other supervisors state that their response is subjective because appraisal or other types of quality control of external auditors is the prerogative of another entity in charge of audit oversight in which they are not involved.

“There is a limited number of audit companies who audit banks. All these companies belong to international networks which can use experts when necessary.” - Estonian Financial Supervision Authority

Use of professional judgment

Sixty-nine percent of supervisors are satisfied with the professional judgment of external auditors of banks. Another 29% are sometimes satisfied because there are cases in which:
►► Supervisors disagree with the external auditors’ judgment: the recognition and valuation of financial assets was cited as a reason for disagreement, especially loans and receivables as well as the auditors’ opinion on the bank’s going concern;
►► The judgment of external auditors is influenced too much by the management of the bank;
►► There is room for improvement, especially in areas such as IT audit and valuation.

One supervisor expressed dissatisfaction with external auditors using their professional judgment because they do not practice enough professional skepticism when interpreting IFRS requirements, and they sometimes prefer to accommodate their clients’ views.

“We appreciate the support of external auditors in the process of banking regulation and supervision.” - National Bank of Moldova

“In the past, there were a few occasions when the National Bank of Serbia was not satisfied with both external auditors’ professional judgment and communication with supervisors regarding the going concern issue.” - National Bank of Serbia

Survey findings and possible actions

Capacity of supervisors
Survey findings: Supervisors face capacity constraints in terms of staffing and accounting and auditing training. Supervisors do not always have a good understanding of what an external audit consists of and how they can rely on auditors’ work.
Possible actions:
►► Providing on-going training on ISA and IFRS to staff at the supervisory authority.

Duty and right to report
Survey findings: External auditors do not always have the statutory duty to disclose significant findings and fraud encountered during the course of their audit (statutory duty to report). Furthermore, not all the jurisdictions provide safe haven rules for auditors when reporting matters to supervisors that do not give rise to a statutory duty to report but may, nevertheless, be relevant to the supervisor’s exercise of his/her functions (right to report).
Possible actions:
►► Updating regulations to include examples of instances and events when external auditors must report bank-specific information directly to supervisors (statutory duty to report). Examples may include when external auditors detect significant findings, fraud or going concern issues during the course of the audit or when management uses significant accounting judgment which materially affects the bank’s results and position;
►► Creating safe haven rules to allow auditors to share bank-specific information with the supervisors on matters that fall outside the scope of the duty to report if communicated in good faith, and if reasonably believed to be relevant to the supervisor in order to conduct his/her functions (right to report);
►► For matters that give rise to the right to report, it is normally appropriate for the auditor to request in writing that those charged with governance in the bank bring these matters to the attention of the supervisor.
If those charged with governance fail to inform the supervisor of the matters in a timely manner, the auditor shall report them directly to the supervisor;
►► Requesting access to documents supporting the audit findings regarding identified or suspected non-compliance with laws and regulations, going concern issues, key risks faced by the bank in the short-term and medium-term, and areas where judgment and assumptions are used by management. In general, supervisors should be able to access any type of audit information that they judge relevant to the supervision of the bank. Documents could include minutes of discussions held with management and those in charge of governance, audit committee minutes, audit working papers, etc.;
►► Referring to the guidelines proposed by the International Ethics Standards Board for Accountants (IESBA) in its recent exposure draft. These guidelines specify how external auditors should respond to some proven or alleged cases of non-compliance with laws and regulations (NOCLAR). [9]

[9] International Ethics Standards Board for Accountants, Responding to Non-Compliance with Laws and Regulations, May 2015. http://www.ifac.org/system/files/publications/files/IESBA-Non-Compliance-with-Laws-Regulations-Exposure-Draft.pdf

Extent of use of external auditors
Survey findings: About 70% of supervisors can ask external auditors to perform additional tasks outside the scope of the audit.
Possible actions:
►► Exchanging information with the external auditors on a continuous basis and before planning the statutory audit. This would help supervisors and external auditors to establish jointly which additional work the external auditors would be required to perform outside the scope of the statutory audit.

Long-Form Audit Report
Survey findings: Currently, very few supervisors request a Long-Form Audit Report from external auditors.
Possible actions:
►► Requesting external auditors to prepare an annual LFAR for Domestic Systemically Important Banks (SIBs). This would include details of the audit methodology and its limitations and key findings on the going concern or key risks faced by the bank, and additional appropriate information (e.g. recommended remedial actions);
►► The LFAR should be submitted on a timely basis to the supervisors to enable them to take appropriate action in due time;
►► The scope and content of the LFAR should be flexible to reflect changes within the banking sector and within the bank and should be discussed between the auditors and the supervisors;
►► Establishing together with auditors a list of specific financial reporting issues to be covered in the LFAR, based on the risk profile of the bank and its business model;
►► Conducting face-to-face discussions with the external auditors, the bank’s management, the chair of both the audit committee and the risk committee in order to gain a detailed understanding of the key findings and issues highlighted in the LFAR with a view to finding timely and appropriate remedial actions.

Insight 2

Channels of communication

Supervisors could engage more effectively with external auditors

Regular exchanges of information between external auditors and banking supervisors enable both parties to perform their duties effectively. A strong and fruitful two-way relationship depends on the quality of interaction between auditors and supervisors. The objective is to have “the right discussions at the right level and at the right time” [10], using the most appropriate channels of communication so that supervisors can engage more effectively with external auditors.

All supervisors surveyed meet with external auditors but meetings typically occur at a late stage, mainly after the audit work has been completed and the audit report has been issued. For most European supervisors, direct meetings with external auditors, without the bank’s management, are the preferred option.
Confidentiality remains an issue in other jurisdictions. Few jurisdictions provide “safe haven” rules for auditors when reporting matters to supervisors. Finally, very few jurisdictions have a feedback system in place to assess and monitor the quality of the relationship between supervisors and auditors.

[10] Financial Services Authority & Financial Reporting Council, Enhancing the auditor’s contribution to prudential regulation, 2010. https://www.frc.org.uk/getattachment/5cadee47-6422-46f0-b692-b3f377544769/FSA-FRC-Discussion-Paper-Enhancing-the-auditor-s-c.aspx

Intensity and frequency of communication

The survey finds that all supervisors meet with external auditors:
►► Sixty-six percent meet auditors on an ad-hoc basis, or using a proportionate approach when communicating with external auditors. Some supervisors stated that ad-hoc contact should always be possible to discuss issues that require urgent attention.
►► Thirty-one percent of supervisors meet the external auditor only once per year.

“We have introduced trilateral meetings twice a year for large banks and once a year for other banks (with exceptions for small banks). Besides, we meet three times a year with the financial sector committees of the Dutch Association of Accountants (NBA), and we meet with senior management of audit firms (big 4) on a subsector basis (banks, insurers and pension funds). We also meet with the board of the NBA once a year to discuss matters of strategic nature.” - National Bank of the Netherlands

In a proportionate risk-based approach towards the relationship between supervisors and external auditors, a greater supervisory effort is directed to banks that are classified as Systemically Important Banks (SIBs).
For example, the Basel Committee on Banking Supervision (BCBS) specifies that the implementation of their principles, including those concerning the relationship between supervisors and external auditors, should be “proportionate to the size, complexity, structure, economic significance and risk profile of the bank and the group (if any) to which it belongs” and “should be applied in accordance with the national legislation and corporate governance structures applicable in each country”. [11]

The survey shows that 49% of supervisors exchange information with external auditors more than once a year. Very often this means that the exchange of information takes place on an ad-hoc basis, determined by the specific circumstances of a bank. Thirty-seven percent of supervisors report that they exchange information only once a year. This is the case, for example, with the Danish Financial Supervisory Authority (FSA) which receives a Long-Form Audit Report from external auditors every year, while external auditors receive a copy of most of the communication between the bank and the Danish FSA. Fourteen percent of supervisors never exchange information with external auditors.

“Since we started communicating with external auditors on a more regular basis, we found more use for the information obtained from external auditors in our supervisory tasks.” - National Bank of the FYR of Macedonia

[11] Basel Committee on Banking Supervision, External audits of banks, 2014. http://www.bis.org/publ/bcbs280.htm

Example 1: The use of a proportionate approach when communicating with external auditors: the National Bank of Belgium (NBB)

The NBB uses a proportionate approach when interacting with external auditors based on the risk profile of the bank, its size, and whether it is headquartered in Belgium. A set of criteria determines Systemically Important Financial Institutions (SIFI). SIFI meetings are conducted every quarter, whereas non-SIFI meetings are only conducted once per year.
The NBB delegation includes more senior staff for meetings with SIFI. The NBB sends a copy of most of the communication between the NBB and the bank to the external auditor.

Formal vs. informal channels of communication

Dialogue between external auditors and supervisors can be established through both formal (e.g. official written communication, official meetings, etc.) and informal (e.g. telephone conversations, informal meetings, emails, etc.) channels of communication. Supervisors and external auditors should generally use the most appropriate communication channel applicable to the circumstances and sensitivity of the issues discussed.

The survey shows that 54% of European supervisors only use formal channels for communicating with external auditors. Another 42% of European supervisors report using an equal mix of both formal and informal channels. The majority of REPARIS (60%) and STAREP (75%) supervisors use formal and informal channels in equal measures.

According to the survey, choosing one channel over another depends on:
►► The relative importance of the communication exchanged: informal channels such as emails and telephone calls can be used for minor issues to be discussed with external auditors. More senior supervisors are generally involved in discussing more critical issues;
►► The seniority level of the users: at the highest level, i.e. for top management, communication is generally more formal whereas more junior staff tend to use more informal channels of communication, irrespective of the content of the communication.

“We currently benefit from a long lasting investment in the relation between supervisors and auditors. Without this investment both parties suffer from mistrust and miscommunication resulting in formal approaches or even defensive / non collaborative approaches. We started to engage with auditors on a sector or subsector level, with topics of common interest.
Then we entered into a phase in which we had to define roles and responsibilities, and had to set up protocols for proper communications. After a number of years, the next phase of ‘trust’ and ‘mutual understanding’ started to grow. In this phase it is possible to be critical to each other without affecting the relationship. We have invested heavily in this communication structure for over 10 years, and we are sure that we have to keep ‘investing’.” - National Bank of the Netherlands

[Figure: The most common channels of communication that banking supervisors and external auditors use to communicate]

Despite a certain level of formality, most supervisors stressed that they enjoyed good cooperation with external auditors in their jurisdiction.

Timing of communication within the audit process

Supervisors were asked at which stages of the audit process they exchanged information with external auditors. The majority believe that the best timing for meetings with external auditors is at the planning stage of the audit (72%) and before the issuance of the audit opinion (69%). This contrasts with the current practices in which most of the communication takes place after the issuance of the audit opinion (62%).

There are many reasons for promoting discussions as early as possible in the planning stage of the audit. The Financial Supervisory Authority of Finland reports that it shares information with external auditors at the planning stage because it affects the audit’s planning and, in some cases, the scope of the external audit of a bank. The Financial Supervisory Authority of Sweden finds that holding discussions about risks at an early stage of the audit process improves its own risk assessment of the bank, and contributes to closer cooperation between external auditors and supervisors.

Scheduling discussions just before the audit opinion is issued also has advantages; it allows both supervisors and auditors to share findings and evaluate their impacts.
The Bank of Italy and the National Bank of the FYR of Macedonia report that this helps auditors take supervisory findings into account when forming their audit opinion, and, in some cases, can trigger corrections. Conclusions on areas that require substantial accounting judgment have already been reached when the external audit process is almost complete; it is then too late to start discussing or challenging auditors’ key accounting treatments, assumptions and methodologies.

[Figure: During which phases of the audit process do the external auditor and banking regulator currently exchange information?]

[Figure: In your view, during which phases of the audit process SHOULD the external auditor and banking regulator exchange information?]

Meeting in the presence of bank management or not

Supervisors still often meet with auditors in the presence of the bank’s management, but for more open conversations some supervisors prefer to meet directly with the auditors. Confidentiality, however, remains an issue in certain jurisdictions:
►► Sixty-three percent of supervisors conduct both direct meetings with external auditors, and meetings with external auditors and the bank under supervision;
►► European supervisors tend to favor direct meetings with external auditors over meetings in the presence of the bank. Direct meetings between supervisors and auditors give both parties the opportunity to discuss certain matters without the presence of the bank (for example issues related to the corporate governance of the bank);
►► Direct meetings with external auditors are not very common in STAREP jurisdictions. Half of STAREP supervisors meet external auditors only in the presence of the bank, compared with 20% of REPARIS supervisors.
This is mainly due to legal provisions on confidentiality and banking secrecy in some jurisdictions, which allow meetings to take place only in the presence of the bank;
►► In most of the jurisdictions, these meetings are conducted using a proportionate risk-based approach. In a few jurisdictions, the frequency and timing of these meetings are regulated, with specific requirements including more frequent meetings for SIBs.

[Figure: Type of meetings that banking supervisors conduct]

Circumstances under which trilateral meetings are necessary

European supervisors prefer discussing some matters directly with external auditors, without the presence of the bank under supervision. The presence of the bank in meetings can, however, be necessary in specific circumstances.

The majority of banking supervisors prefer the bank to be present when there are disagreements between the bank and the other parties, especially if the disagreements have an impact on the bank’s risk profile. The bank can provide clarifications and a better understanding of the specific situation under discussion. Examples given include the going concern (Financial Supervisory Authority of Finland); and internal controls and measures undertaken by the bank in order to meet supervisory requirements (National Bank of the Netherlands and National Bank of the FYR of Macedonia). In addition, the National Bank of Georgia reports that trilateral meetings can be helpful for supervisors to better understand the relationship and information sharing processes between the bank and its external auditors.

Some supervisors find it important for these meetings to take place at the conclusion of the external audit to discuss major audit findings (UK Prudential Regulatory Authority and Polish Financial Supervision Authority).
Others stress the importance of the bank’s presence during the planning stage in order to provide both auditors and supervisors with a comprehensive update of the bank’s business activities and material changes since the previous external audit (Central Bank of Ireland).

Communication with audit committees

Meetings between the banking supervisors, external auditors, and chairs of the audit committees are not common for European supervisors (19%) and are non-existent in REPARIS and STAREP jurisdictions. (See page 65 for more information.)

Assessing the quality of interaction through a feedback process

Globally, very few supervisors have a feedback system to assess the quality of their relationship with external auditors. Regional comparisons show that 15% of European jurisdictions have implemented a feedback process whereas no such system has been initiated yet in REPARIS or STAREP jurisdictions.

When a feedback process exists, it tends to be informal except in the case of the United Kingdom, which recently formalized the manner in which it obtains feedback on the quality of the relationship between auditors and supervisors. The Swedish Financial Supervisory Authority, the National Bank of the Netherlands and the UK Prudential Regulatory Authority are the only institutions that regularly request feedback from both supervisors and external auditors, at the level of the professional body and individual audit firms.

Example 2: The feedback system on the quality of the auditor-supervisor dialogue in the UK [12]

The first report on the quality of the external auditor-supervisor relationship was provided to the Prudential Regulation Authority (PRA) Board in July 2014. It was based on a survey for the year to 31 March 2014 of supervisors of the largest firms, as well as feedback obtained from the auditors.
[12] Bank of England, Prudential Regulation Authority, extract from the Engagement between external auditors and supervisors and commencing the PRA’s disciplinary powers over external auditors and actuaries – Consultation Paper CP8/15, February 2015. http://www.bankofengland.co.uk/pra/Pages/publications/cp/2015/cp815.aspx

To gather feedback from supervisors, the PRA used an electronic survey and follow up meetings. The survey questions sought to obtain feedback on:
►► The frequency and timing of scheduled or formal auditor-supervisor meetings;
►► The quality of those meetings; and
►► Whether the broader relationship was such that supervisors believe that auditors would contact them proactively, informally, outside scheduled meetings, to disclose emerging concerns.

To obtain the auditors’ perspectives, each auditor was asked to provide the PRA with its overall assessment of the quality of the external auditor-supervisor relationship as input to the report. To help ensure that the auditors’ findings were comparable with the results of the supervisors’ survey, the PRA shared the list of firms covered in the survey as well as the full suite of survey questions to the supervisors with the auditors.

...

Following the survey and report on the quality of auditor-supervisor dialogue in summer 2014, the following actions were undertaken:
►► Discussions took place with each external auditor to emphasize the overall messages from the report;
►► Presentations were provided to partners and managers of the large external audit firms on the results of the survey and feedback from supervisors and involved discussions about what the PRA expects from external auditors under the PRA Code. This will apply to all future survey results.
►► More regular training is being provided for supervisors on auditor-supervisor engagement, with a focus on how they might better understand the work of auditors as well as encouraging a more open and in-depth dialogue.

...
The PRA uses biannual bilaterals with the senior financial services partners of the largest external audit firms ... to give and receive feedback on the external auditor-supervisor engagement compared to the PRA Code and hence the level of co-operation is kept under constant review.

Survey findings and possible actions

Proportionate risk-based approach
Survey findings: About half of the supervisors use a proportionate risk-based approach when communicating with external auditors.
Possible actions:
►► Developing formal criteria to define SIBs and set up a clear process for systematic and regular interactions and communication with their external auditors;
►► Engaging with external auditors to obtain sufficient information about the audit process and audit findings in a timely manner to assist the supervisory process;
►► Conducting systematic one-on-one meetings with the chairman of the audit committee of each bank in a structured manner with a clear and relevant agenda, and clearly identified outcomes and follow-up actions.

Timing and frequency of communication with external auditors
Survey findings: Sixty-two percent of the supervisors communicate with external auditors after the audit opinion has been issued. Most supervisors meet external auditors on an ad-hoc basis when required. Some also hold regular meetings with auditors.
Possible actions:
►► Building a constructive and effective relationship with external auditors by setting up a joint framework of engagement that will include the terms and scope of communication and interaction in a systematic, frequent and timely manner;
►► Meeting and exchanging information with the external auditors formally, informally or on an ad-hoc basis to avoid routine meetings and focus on current and medium term risks and issues that may affect the banking sector and the bank;
►► The exchange of information should be regular and flexible to discuss material and relevant risks and events during and after the audit and should take place in addition to pre-scheduled meetings among the supervisors, the bank and the external auditors;
►► The exchange of information should be part of, and embedded in the supervisory process rather than just an additional item on the checklist of the supervisor. It should be conducted in a structured manner, with a relevant agenda and clearly identified outcomes and follow-up actions.

Channels of communication
Survey findings: Generally, supervisors either use formal channels or an equal mix of both formal and informal channels when communicating with external auditors.
Possible actions:
►► Using as applicable:
►► Formal (meetings with external auditors with or without the bank under supervision, meetings with external auditors and the chair of the audit committee) and informal channels (telephone calls, emails etc.);
►► Oral (meetings, calls, etc.) and written communication (official letters, exchange of a Long-Form Audit Report, etc.);
►► Ad-hoc meetings and meetings with predefined timing; regular contact will slowly help build open cooperation based on trust;
►► The primary relationship holders, namely the audit firm partner and the supervisor team leader. Other colleagues and staff from their respective teams and/or experts should also be involved in the communication and exchange of information process at the working levels.
Feedback process

Survey findings: Eighty-six percent of supervisors do not have a feedback system for assessing the quality of the relationship with external auditors.

Possible actions:

►► Setting up a formal feedback process within the supervisory authority which may include an anonymous survey sent to supervisors who take part in the meetings with external auditors to assess the quality of the meetings and relationships between the supervisors and the external auditors.
►► The feedback should assess the limits of the relationship and areas of improvements such as increasing the frequency of meetings, exchanging more pertinent information and discussing more specific issues relevant to the bank rather than focusing on high level and general issues on a routine basis with no added value to the supervisory process.

Insight 3
Topics of mutual interest

External auditors could contribute more on specific areas of interest to supervisors

Sharing information on a range of important accounting and auditing themes due to their complexity, materiality and/or judgment involved is crucial. At a crossroads between accounting and finance, topics covered under accounting standards for financial instruments, such as loan valuation and provisioning as well as the bank’s asset valuation, are key for both external auditors and supervisors. Compliance with prudential regulations and the consistency of disclosures in financial statements with published prudential information are also important. Finally, the effectiveness of banks’ internal control, risk management and IT systems are essential inputs for assessing the bank’s risk profile and going concern assumption. External auditors may identify additional areas of interest to supervisors during the course of the audit.
Areas of risk

Most supervisors communicate with external auditors on areas of risk for individual banks, either as a common practice (46%) or on a case-by-case basis using a proportionate risk-based approach (34%). Communication on areas of risk is a legal requirement in only one instance.

“We practice the so-called Three-Way-Dialogues (trilateral) in which risk areas are being discussed between the institution (internal audit and/or management), external auditor and supervisor.” - National Bank of the Netherlands

Information on areas of risk is exchanged either through written communication or informally during meetings when:

►► Supervisors think a specific area of risk has been neglected by external auditors;
►► It is appropriate to discuss a specific risk area with external auditors before issuing any sanction to a bank; and/or
►► External auditors need this information to perform their audit.

Nineteen percent of European and 25% of STAREP supervisors reported that supervisors do not communicate on areas of risk with external auditors. Confidentiality was cited as a reason for not doing so.

“National legislation does not provide for the sharing of information by the banking supervisors to the external auditors.” - Bank of Italy

[Chart: Does your institution communicate with the external auditors on general and specific areas of risk for individual banks?]

Accounting policies

While discussions with external auditors vary according to the jurisdiction, the characteristics and circumstances of the bank under supervision, and the supervisory model adopted, the survey responses show that:

►► Loan valuation and provisioning are at the top of the agenda for European and REPARIS supervisors;
►► Annual financial statements are the main topic of discussion for STAREP (100%) and rank second in REPARIS (80%) jurisdictions.

The role of audit committees is the least discussed topic.
Regional trends reveal that:

►► For European supervisors, the second most discussed issue is the asset valuation of the banks; annual financial statements together with the effectiveness of internal controls and risk management came third;
►► For REPARIS supervisors, financial statements rank second (80%), followed by the management letter and the effectiveness of internal controls (60%), and banks’ asset valuation and risk management rank fourth (40%);
►► For STAREP supervisors, after annual financial statements all other topics, with the exception of audit committees, rank second (75%).

[Chart: Issues typically discussed with external auditors during the course of the audit]

These topics are discussed in some jurisdictions only on an exceptional basis, mainly when questions about the accounting treatment of specific transactions are raised, or when negligence or weaknesses are identified. Often these topics are not discussed specifically during the course of the audit but on an ad-hoc basis, when necessary for the work of the supervisor.

Other possible topics of discussion mentioned include:

►► The going concern assumption;
►► Significant banking transactions;
►► The bank’s compliance with the legal framework;
►► The banking license;
►► The adequacy of information provided by branches to their head office; and
►► Bancassurance.

Prudential returns

Banks are responsible for ensuring that the data they submit in their regulatory returns are complete and accurate. Regulatory returns, including data on liquidity, capital, capital requirements and large exposures, are used by supervisors as an input for their supervisory activities.

Assurance engagement on prudential returns

For almost half of the supervisors, external auditors contribute to supervisory work by either providing limited or reasonable assurance on prudential returns as part of a legal requirement. For 9% the provision of limited or reasonable assurance on prudential returns is common practice.
For a further 20% it is undertaken as necessary, mainly on an ad-hoc basis at the request of the supervisor.

A closer look at regional trends shows that a limited or reasonable assurance on prudential returns is a legal requirement in 80% of the REPARIS jurisdictions versus 46% in European jurisdictions, and 25% in STAREP jurisdictions.

“The external auditor must audit the solvency ratio.” - Polish Financial Supervision Authority (UKNF)

External auditors do not provide a limited or reasonable assurance on prudential returns in 23% of the jurisdictions. The Bank of Spain reports that external auditors might only be asked to check the consistency of accounting figures contained in certain prudential returns with accounting registers reviewed within the scope of the audit, and in some cases include it in the Long-Form Audit Report.

“Prudential returns must be reviewed by external auditors, but without requirement for formal reporting in accordance with audit or other assurance standards. External auditors should report any findings in the Management Letter and submit it to the National Bank of Serbia.” - National Bank of Serbia

[Chart: Does the external auditor provide assurance engagement on prudential returns?]

Reconciliation with prudential returns

“Using so-called “prudential filters” accounting figures under IFRS are reconciled to prudential returns.” - Bank of Lithuania

Only 32% of European supervisors have reconciliation with prudential capital elements audited or reviewed by external auditors in their financial statements. This number is higher for REPARIS and STAREP jurisdictions, with 80% and 67% respectively. Depending on the jurisdiction, the reconciliation between the year-end balance sheet and the prudential returns balance sheet is either a requirement or a recommendation.

[Chart: Do financial statements include reconciliation with prudential capital elements audited by external auditors?]
“A detailed report on the composition of own funds and risk-weighted assets calculated in compliance with the prudential regulation is required. In this detailed report, all the lines from the audited balance sheet can be identified. Since the external auditor is obliged to verify the completeness, accuracy and compliance of the bank’s prudential returns as of year-end, a reconciliation is indirectly performed.” - National Bank of the FYR of Macedonia

IT audit

An information technology audit is an audit of a bank’s IT systems, its governance and management arrangements and its operations and related processes. It informs the bank’s management on existing and potential IT risks and deficiencies, thus enabling management to take remedial actions.

An IT audit requires specific competence and skills and this work does not fall within the traditional scope of the auditor’s work. An IT audit can be performed in addition to the audit of financial statements by audit firms that have the capacity to conduct this exercise. Otherwise the bank may need to call upon the expertise of an external IT consulting firm.

IT audit remains however a topic of mutual interest for both banking supervisors and external auditors. Information systems are a key component of a bank’s operational risk profile and are also essential to achieve high-quality financial reporting.

“External auditors are obliged to perform IT audits. They have to assess the state of the information system and the adequacy of information system management. The assessment (grade) is descriptive and ranges from completely satisfactory to completely unsatisfactory. In 2010, the Croatian National Bank published a document which defines its expectations for the information system audit performed by external auditors, with details on IT audit process, IT audit report structure and the role of credit institutions.” - Croatian National Bank

The IT audit is regularly shared with supervisors in 37% of the jurisdictions.
In 11% of those, it is a legal requirement as the IT audit is either part of the scope of the audit (for example, it is included in the annual Long-Form Audit Report) or commissioned by the supervisory authority. For the remaining 26%, it is just common practice.

“This assessment of the bank’s IT systems security is an integral part of the large package of documents (Long-Form Audit Report) required to be prepared by the auditor of the bank.” - National Bank of the FYR of Macedonia

In another 37% of the jurisdictions, findings are shared only when elements of the IT audit reveal weaknesses in the control system that could significantly impact the operations and the financial position of the bank.

“The external auditor will share the information (i) if the IT-audit was performed at the request of the supervisor, (ii) if the IT-audit has revealed a decision, fact or development that can significantly influence the financial position, administrative organization (including the organization of the accounts) or internal control system of the financial institution, or (iii) if the results of the IT-audit are part of the report of the external auditor that deals with the internal control-system of the financial institution.” - National Bank of Belgium

In the remaining 26% of jurisdictions the IT audit is not shared with supervisors.

[Chart: When external auditors perform an IT audit, do they share the results with banking supervisors?]

Audit strategy and plan

Discussion of the audit strategy and plan

Sixty-three percent of supervisors do not discuss the audit strategy and plan with external auditors. Even if it is not a legal requirement, 23% of the supervisors regularly discuss it with auditors, when:

►► The bank under supervision is a SIB;
►► The information is used to assess risks posed by banks to financial stability; or
►► The audit strategy and plan is used as input to the supervisory work plan.
[Chart: Do supervisors discuss their audit strategy and plan with external auditors? Yes, it is a legal requirement (0%); Yes, it is common practice (23%); Sometimes (14%); No (63%)]

[Chart: Is the audit strategy and plan communicated/transmitted to supervisors by the external auditors? Yes, it is a legal requirement (6%); Yes, it is common practice (6%); Sometimes (14%); No (74%)]

“The information obtained from the external audit provides input to the National Bank of Belgium’s own supervisory work plan.” - National Bank of Belgium

In 14% of the jurisdictions there is occasional discussion, essentially when there are specific concerns or when an extraordinary audit has been commissioned by the supervisory authority. In some jurisdictions, supervisors can specify the areas that they expect external auditors to cover during the audit.

“We direct the external auditor’s attention to certain areas of concern that are expected to be covered or analyzed in depth during the next audit.” - Central Bank of Cyprus

Transmission of the audit strategy and plan

In 74% of the jurisdictions, the audit strategy and plan is not transmitted to supervisors. It is a legal requirement for only 6%. For the remaining 20%, it is either a common practice for SIBs, or an ad-hoc arrangement.

“An audit firm is required to deliver an annual audit plan for each credit institution to the Croatian National Bank, indicating the areas of focus, the audit methodology, as well as the envisaged duration of audit.” - Croatian National Bank

Communication on significant changes in the audit strategy and plan

Overall, external auditors are not required to communicate significant changes to supervisors. Only two respondents mentioned that external auditors are required to communicate changes in their plan and strategy, for example when there are changes in the legislation (laws and sub legislation, ISA, IFRS, etc.) and/or special requirements for the extension/adjustment of the audit plans.
Discussion topics according to the French prudential regulator L’Autorité de Contrôle Prudentiel et de Résolution (ACPR) [13]

Accounting topics

►► Significant aspects of accounting practices:
    ►► Implementation of new accounting standards;
    ►► Changes in accounting practices;
    ►► Adequacy of information in the appendix to the financial statements.
►► Accounting estimates:
    ►► Review of significant accounting estimates, including those lacking objective data and involving a judgment;
    ►► Adequacy of the valuation process and model used with the generally accepted accounting principles;
    ►► Assessment of the factors likely to influence and/or guide the judgment of management and their choice between several options in the valuation process;
    ►► Assessment of the reasonableness of the assumptions chosen and results obtained;
    ►► Adequacy of information in the appendix to the financial statements.
►► Assessment of the analysis made by the management and the external auditors with regards to the banks’ ability to continue as a going concern;
►► Summary of audit adjustments used and not disclosed and an estimation of their materiality;
►► Documentation of internal control weaknesses identified during the financial reporting process;
►► Compliance and reliability of financial information with regard to reporting requirements, risks, and exercised judgments discussed at prior meetings.

[13] L’Autorité de Contrôle Prudentiel et de Résolution (ACPR)/ Compagnie Nationale des Commissaires aux Comptes (CNCC), Guide des relations ACPR – Commissaires aux comptes, ACPR/CNCC, October 2014. https://acpr.banque-france.fr/fileadmin/user_upload/acp/Agrements_et_autorisations/311014_Guide_ACPR_CNCC.pdf This implements BCBS Guidelines on the timing and examples of content of meetings between supervisors and external auditors.
Specific difficulties or particularities of the year, non-recurring items

►► Significant difficulties encountered during the audit;
►► Circumstances that led to a change in the audit mission plan;
►► Work carried out due to significant non-recurring and complex transactions requiring an expert opinion;
►► Significant topics that were the subject of considerable discussions with the management;
►► Likelihood of the issuance of a qualified opinion.

Audit committee

►► Key points that will be communicated to the audit committee;
►► Involvement of the audit committee in overseeing the preparation of the financial statement and its appendix, including the quality of the relationship with the external auditors.

Other possible topics of discussion

►► Information on other entities of the banking group under supervision that is available to the supervisor and communicated by other supervisory authorities;
►► Evidence that the prudential information might not be consistent with the financial statements;
►► Evidence that the valuation process of assets and liabilities of the bank under supervision might not be in line with the accounting framework and/or regulations;
►► Evidence of a failure of the control environment or flaws in the internal control process;
►► Evidence of a failure in internal audit, risk management and compliance.

Survey findings and possible actions

Audit planning and process

Survey findings: Few supervisors discuss the audit strategy and plan with external auditors. Changes in those plans are not systematically communicated to supervisors.

Possible actions:

►► Meeting with external auditors during the planning stage to discuss specific areas within the scope or outside the scope of the audit which regulators would like them to focus on during the course of the audit;
►► Exchanging information and findings identified during and after the audit for the current and previous financial year and discussing whether or not they are in line with the expectations of external auditors and supervisors;
►► Using the audit strategy and plan as input to the supervisory work plan;
►► Discussing the audit plan and strategy specifically with external auditors of SIBs. The external auditors should share the audit plan and strategy with supervisors upon request.

Accounting policies

Survey findings: Loan valuation and loan loss provisioning, and more generally the bank’s asset valuation, and the effectiveness of financial controls were topics of particular interest for supervisors to discuss with external auditors.

Possible actions:

►► Discussing with external auditors the processes to obtain a detailed understanding of internal controls and assumptions used in the valuation process to ensure that supervisors can critically assess whether they are relevant, reliable and are being used consistently by the bank;
►► Requesting adequate independent validation and verification of the valuation framework and controlling procedures by either internal or external experts;
►► Holding discussions with external auditors to obtain a clear understanding of the impairment charges and other credit risk provisions in order to assess the charges and the provisions in a critical manner.

Prudential returns

Survey findings: Reconciliation between prudential capital elements and audited financial statements is often not subject to an audit. Prudential returns are often not reviewed by auditors.

Possible actions:

►► Requesting external auditors to review the reconciliation of prudential own funds with accounting capital;
►► Requesting external auditors to review and assess banks’ internal controls for preparing the prudential returns in the regulatory reporting system;
►► Requiring external auditors to report to supervisors in a timely manner when weaknesses or breaches have been identified.
Insight 4
Supervisors’ input to audits

Supervisors do contribute to enhanced audit quality

Supervisors can help improve the quality of financial information. They can provide an environment which supports the independence, objectivity and integrity of audit work. Supervisors can also enhance audit quality by sharing relevant information with external auditors. Responses show that most supervisors are empowered to regulate certain conditions of the appointment and rotation of external auditors, and the audit retendering process. In a few jurisdictions, supervisory authorities are also involved in monitoring and sanctioning auditors and their work. Often confidentiality rules prevent supervisors from communicating bank or industry specific information to external auditors.

Audits are conducted under a framework of professional standards and regulations covering auditing, ethics and financial reporting. The environment in which audit firms and auditors operate significantly affects audit quality. National audit laws and regulations provide a framework that supports the independence, objectivity and integrity of audit work. At a national level, relevant auditing standards and quality control procedures need to be adopted to ensure that external auditors perform high-quality external audits which enhance the reliability of banks’ financial statements. Financial supervisors have an important role to play in ensuring that auditing standards and measures to safeguard auditors’ independence are applied consistently in their jurisdiction.
Adoption of international standards

Carrying out external audits in accordance with ISA and complying with the International Standard on Quality Control (ISQC 1) for the audit firm’s quality control procedures “provide the foundation for a disciplined approach to auditing, by performing a risk assessment, planning, audit procedures and ultimately forming and expressing an opinion.” [14]

International Standards on Auditing

ISA are adopted in most of the jurisdictions: either in the local language with an approved translation by the International Federation of Accountants (IFAC) or in the English version issued by the IAASB. In some cases, national auditing standards are applied instead, but they are broadly compliant with ISA.

International Standards on Auditing (ISA) [15]

Map legend: ISA adopted and unamended; ISA adopted with add-ons; ISA not formally adopted.

Map notes: UK and Ireland apply International Standards on Auditing (UK and Ireland), which are based on ISA and are used with the permission of IFAC. French Auditing Standards are broadly compliant with ISA.

[14] International Federation of Accountants (IFAC), A framework for audit quality: Key Elements that Create an Environment for Audit Quality, February 2014. https://www.ifac.org/publications-resources/framework-audit-quality-key-elements-create-environment-audit-quality

[15] Map based on responses collected, and on the FEE survey “Overview of ISA adoption in the European Union”, April 2015. http://www.fee.be/images/publications/auditing/ISA_in_Europe_overview_Jan_2015.pdf

International Standard on Quality Control

Globally, 89% of the supervisors reported that ISQC 1 is applied in their jurisdiction. Regionally, 92% of European jurisdictions apply this international standard. This is also the case for 80% and 75% of REPARIS and STAREP jurisdictions respectively.
Measures to safeguard auditors’ independence

A country’s institutional framework should establish ethical or legal arrangements to safeguard auditors’ independence from the audited entity. These arrangements typically include audit firm rotation and audit retendering which address independence issues and limit the threat to auditors’ objectivity that may arise when they spend extended periods of service with the same entity.

Rotation of external audit firms

The rotation of audit firms is of paramount importance in addressing the overfamiliarity and potential lack of independence resulting from long audit tenures. Most European jurisdictions do not require the mandatory rotation of external audit firms but have requirements for rotating key audit partners. In Italy and Croatia [16] audit firm rotation is required with nine and seven year mandates respectively. Some jurisdictions report a “voluntary rotation” among the Big 4 for the statutory audit of SIBs.

[Chart: Is rotation of external audit firms of banks required in your jurisdiction?]

The rotation of audit firms is a more common practice in REPARIS and STAREP jurisdictions than in the EU, with predominantly short rotation periods:

►► Eighty percent of REPARIS and 50% of STAREP jurisdictions have rotation periods of five years or less;
►► Twenty percent of REPARIS and 25% of STAREP jurisdictions have rotation periods of between five and ten years.

REPARIS supervisors who already enforce mandatory rotations of five years or less state that they do not recommend changing a practice that has worked well. In STAREP, key audit partner rotation is preferred over audit firm rotation, with decreasing costs cited as a reason. Others recommend rotation only when there is a threat to the independence of external auditors.

[16] Republic of Croatia, Ministry of Finance, Audit Act, art. 14, art. 26a. http://www.javni-nadzor-revizije.hr/english/Act_Amending_Audit_Act.pdf
Audit retendering

Tendering is an effective way for companies to assess whether they are using the external auditor most appropriate to their needs, without precluding the reappointment of the incumbent if that firm is demonstrably the best qualified to undertake the audit. Retendering can also bring reductions in audit fees, although sometimes to levels that are not consistent with high-quality external audits.

The survey reveals that 85% of the jurisdictions do not require audit retendering, meaning that the same external auditor can be reappointed without going through a mandatory tender process. Retendering is a requirement only in Norway. It is a common practice in a few jurisdictions such as in Finland. In some jurisdictions there is a regular validation process of external auditors instead through:

►► A yearly appointment of the external auditor confirmed at the annual general meeting;
►► An assessment by the supervisory authority, which usually has the power to object to the appointment of external auditors.

EU audit reform legislation – Requirements for rotation and retendering [17]

Audit firm rotation and audit retendering

From June 2016 onwards, Public Interest Entities (PIEs) will be required to change their audit firms after a maximum 10-year mandate. The 10-year mandate can be extended up to 10 additional years if tenders are carried out, and by up to 14 additional years in case of a joint audit. In some exceptional circumstances, supervisors are empowered to extend the term once for a further two years at the request of the audited entity. There is the possibility to adopt a shorter rotation term.

Rotation of key audit partners

The EU legislation requires the key audit partners of PIEs to rotate at least every seven years with a cooling off period of three years.

Opinions differ on the benefits of retendering.
The National Bank of Georgia reports that mandatory retendering would increase switching rates of external auditors, encourage lower audit fees, and foster competition in audit markets. It can also be a useful tool for monitoring selection criteria and the appointment of external auditors. In this respect, the Bank of Slovenia advocates retendering periods of not less than three years. The Bulgarian National Bank indicates that it would prefer less retendering unless there is evidence of improper behavior of external auditors. Furthermore, some supervisors mentioned that the cost of requiring frequent rotations of the audit firm usually outweighs the benefits.

[17] EU legislation providing a new EU regulatory framework for statutory audit was adopted in 2014 and will apply to the first financial year starting on or after mid-June 2016.

Supervisors’ influence on the appointment of external auditors

[Chart: Which one of the following applies to your institution in relation to the initial appointment of the external auditor]

Most supervisors are either directly or indirectly ‘involved’ in the appointment of external auditors of banks in their jurisdictions. Survey findings show that:

►► Only four supervisory authorities can pre-select a list of external auditors for banks; thirty-one percent of supervisors must approve the external auditor selected by the bank;
►► Fifty-seven percent of supervisors can object to the appointment of the selected external auditor; a closer look at regional trends reveals that this power is granted to 80% of REPARIS and 100% of STAREP supervisors;
►► Seven supervisory authorities, all from the EU, have no involvement in the appointment of external auditors.
►► Twenty-three percent of supervisors state that they have additional powers and can:
    ►► Appoint another auditor for the bank. This power is usually exercised when external auditors show a lack of competence or when they fail to meet the code of ethics obligations. The audit is then performed by another external auditor selected by the supervisor and usually at the bank’s expense. In some cases supervisors might also set the remuneration of the newly selected external auditor; or
    ►► Require a joint audit. Such audits of banks are only mandatory in France.

“In the last five years, we objected to the appointment of four auditors (one because they breached the internal rotation rule, the others because they did not perform audits with the care required).” - Austrian Financial Market Authority

Example 1: Mandatory joint audit in France for companies that prepare consolidated financial statements

A joint audit is the audit of a company by two or more audit firms. Only one single auditor’s report is produced. The responsibility for issuing an audit is shared by all joint auditors, and work is allocated between audit firms, with each audit firm reviewing the work performed by the other. By allowing the selection of two audit firms, it provides further assurance that the audit opinion is complete (i.e. increasing the number of crosschecks between audit firms improves audit quality). When appointment terms are staggered, it facilitates a smooth rotation of audit firms (i.e. knowledge and understanding of the bank’s operations are retained while the risk of over familiarity is mitigated). Audit firms should also have more leverage to report jointly inappropriate bank management financial reporting practices.

Criteria for appointing banks’ external auditors [18]

The survey suggests that there are no common selection criteria for the appointment of external auditors across Europe and Central Asia. When specific criteria are set, they are formulated directly by the bank’s management, the bank’s audit committee, supervisory board members, or by supervisors in some jurisdictions (i.e. when a special registration or certification is required).
Also of interest:

►► Supervisors mentioned that the selection of external auditors should be proportionate to the banks’ needs, complexity and size;
►► Only one supervisor stated that external auditors/audit firms should be capable of developing good working relationships with the supervisory authority by agreeing for example to take part in trilateral meetings with the bank and supervisory authority;
►► Only one supervisor referred to specific criteria related to the cost of audit work.

[18] Participants were asked in an open-ended question what appointment criteria external auditors of banks must fulfil in their jurisdictions. Appointment criteria disclosed by respondents are organized according to their recurrence.

| Criteria | Recurrence | Description |
| --- | --- | --- |
| Being a registered/certified external auditor [19] | 51% | |
| Professional experience | 51% | i.e. having a minimum number of years and/or chargeable hours performing successful audits |
| Qualification and competence | 46% | Holding professional qualifications and appropriate education is cited by 35%, respecting the continuous learning obligation by 15%, having competences and skills in IFRS/ISA by 12% |
| Reputation and ethics [19] | 40% | i.e. not being convicted of financial crimes or disciplinary measures in a certain period prior to the appointment, having qualities such as integrity, honesty, ethics, good reputation and keeping confidentiality |
| Independence | 31% | With six percent stating that external auditors must submit a written statement of their independence |
| Bank-specific knowledge | 29% | i.e. in-depth knowledge of the specific activities and risks related to the banking sector; requirement to have a certain number of years of experience/chargeable hours spent providing audit services at usually more than one bank; bank-specific training and continuous education requirements |
| Quality of the audit process | 26% | i.e. being properly organized, having an appropriate audit team composition with the relevant capacity and resources, applying an appropriate audit methodology and filing system, showing evidence of audit quality |
| Knowledge of the law and regulations [19] | 11% | |

[19] Although these elements were not cited by a majority of supervisors, they are generally part of their legal requirements.

Example 2: Appointment criteria in Denmark

In Denmark external auditors of banks are obliged to be certified by the Danish Financial Supervisory Authority (FSA). According to certification requirements, external auditors should, inter alia:

1. Demonstrate that they have performed at least 1,500 chargeable hours auditing financial institutions, financial holding companies, pension funds or alternative investment funds within the past five years. Of these chargeable hours, 1,000 must include audit services to at least three banks. All of these hours should be realized after being authorized as a state public accountant and 50% of them as a signing auditor or audit team manager;
2. Document that they fulfill applicable training requirements for auditors of banks;
3. Not have had a case with the Disciplinary Board on Auditors (DDBA) within the last five years;
4. Not have been subject to criminal liability for violating financial legislation or other relevant legislation, including legislation abroad. The Danish FSA considers whether the offense involves a risk that the external auditor might be unable to fulfill his/her duties or role in a satisfactory manner;
5. Not have displayed or engaged in conduct which gives the FSA reason to believe that the external auditor will not carry out his/her function or position adequately. In judging the appropriateness of the behavior, emphasis is placed on the FSA’s objective to maintain confidence in the financial sector.
“External auditors shall pass qualification exams on general audit at the Ministry of Finance and on banks’ specific audit at the National Bank. During these exams and interviews, the National Bank has the opportunity to assess the main criteria related to knowledge, experience and qualifications.” - National Bank of Moldova

Review and monitoring of the external auditors’ appointment

Ninety-four percent of supervisors do not conduct interviews to review the appointment of the external auditor. This is either the role of other institutions (e.g. audit committees) or the capabilities of the auditors are evaluated through written examinations during the external auditor’s initial licensing process. Some supervisors are reassured because SIBs are usually audited by the Big 4, who they believe are sufficiently familiar with the banking sector and related regulatory requirements. With this in mind, some jurisdictions even apply less stringent banking-specific appointment criteria to the Big 4 compared to small local audit firms. Some supervisors receive annual confirmation that no measures have been taken against an appointed external auditor. Ad-hoc meetings with external auditors are also cited as a way of assessing external auditors.

“Ad hoc meetings with the auditor could be a part of the assessment process whether there are no grounds for the rejection of an auditor selected by a bank.” - Czech National Bank

The monitoring and sanctioning role of supervisors

Over banks’ financial reporting

Market authorities have the power to sanction and monitor only those banks that are listed. Their powers may precede and exceed those of the supervisors. Survey results show that 83% of banking supervisors have the power to hold the bank directly accountable for material weaknesses in its financial statements.
The bank’s management is responsible for the following:
►► Accurate and timely disclosure of information to the public;
►► Preparation of financial statements in accordance with the law and appropriate financial reporting requirements; and
►► Establishment of internal control mechanisms suitable for banks’ range of activities.

“In general, we trust the external auditor’s opinion. But if material weaknesses having an impact on banking regulations and obligations become obvious, banks can be held accountable.” - Austrian Financial Market Authority

In some jurisdictions, the supervisor can impose sanctions directly on the bank under supervision, or on individuals responsible for the breach, proportionate to the magnitude and severity of violations (dismissal, fines, cancellation of banking license, etc.).

“For non-compliance with the Credit Institution Law, the Financial and Capital Market Commission may impose sanctions (e.g. warnings, fines, removal from the position and cancellation of license). The sanctions can be imposed on individuals responsible for the breach, including management.” - Financial and Capital Market Commission of Latvia

In other jurisdictions, mainly jurisdictions in which bank sanctions are applied by another institution (i.e. AOBs, market authorities), banking supervisors can indirectly sanction material weaknesses in financial statements with requirements related to the application of capital regulations.

“We may sanction inaccuracies in the financial statements through the application of the capital regulation (e.g. an insufficient loan impairment amount could be compensated by a required higher amount of regulatory capital).” - National Bank of Belgium

Can the banking regulator hold the bank accountable for material weaknesses in its financial statements?
Over the work of external auditors

Investigation of failure/weakness

Fifty-eight percent of European supervisors are not directly involved in the investigation of failures or weaknesses in the conduct of external audits of banks. However, 31% of European supervisors are indirectly involved through their engagement with a separate regulatory body responsible for audit oversight. By contrast, 40% of REPARIS and 50% of STAREP supervisors are legally empowered to investigate failures or weaknesses in the conduct of external audit of banks. Supervisors usually evaluate the auditor’s report during on-site inspections and are empowered to request additional explanations from the external auditor to investigate whether the audit was performed in line with required standards.

In general, greater involvement of supervisory authorities in the investigation of failures (or weaknesses) in the external audit of banks can be linked to:
►► The absence of an AOB in the jurisdiction (6%) or a newly created AOB;
►► The fact that the supervisor is also the AOB (6%) or a member of the AOB (32%).

“The Bank Supervision Department of the National Bank of Serbia (NBS) has a strong interest in being involved in the continuous monitoring of the quality of audit of banking institutions. In that respect the NBS can be involved (either by initiating or being consulted on) the investigation of audit failures (or weaknesses) of banking institutions conducted by the Chamber of Certified Auditors.” - National Bank of Serbia

Is the supervisory institution involved in the investigation of failures or weaknesses in the conduct of the external audit of banks’ financial statements?
Imposing sanctions

Fifty-four percent of European supervisors are not involved in imposing sanctions against external auditors, 31% have the legal ability to impose sanctions directly (mainly the ability to revoke or suspend the external auditor) and the remaining 15% are indirectly involved in decisions on sanctions since they are either consulted on this matter or refer the violation to the competent authority. In Italy, although supervisors are not involved in imposing sanctions against external auditors, they can impose fines if the legal duty to report is breached. STAREP supervisors are not involved in imposing sanctions against external auditors, whereas 80% of REPARIS supervisors are legally entitled to do so. REPARIS supervisors can reject the auditor’s report and require that another external auditor repeat the audit at the bank’s expense.

Is your institution involved in imposing sanctions against external auditors?

Taking remedial and corrective actions

Sixty-six percent of supervisors are not legally required to refer violations to the body in charge of disciplinary action for external auditors, nor are they consulted on remedial and corrective actions. In some jurisdictions, however, referring violations is common practice because one representative of the supervisory authority is a member of the AOB (Serbia and Moldova) or there is a general duty to cooperate among supervisory authorities and to report violations identified in the performance of each authority’s legal mandate (Spain).

Information that supervisors could provide to external auditors

Information provided by supervisors to external auditors (at both the firm and sector level) is covered by professional secrecy. However, in order to promote a “two-way dialogue” and contribute to audit quality, supervisors could share information relevant to the conduct of the audit with external auditors.
Example 3: Information that supervisors could provide to external auditors [20]

General accounting topics:
►► Assessments of the quality of published financial statements, the appendixes and areas identified for improvement;
►► Views on the appropriateness of accounting judgments and materiality thresholds used.

Risks:
►► Views of existing and/or upcoming macro- and micro-economic risks that banks might face. These could include global systemic risks, such as liquidity and refinancing problems. Other risks could include those related to the valuation of certain financial instruments or technical provisions, credit risk level on certain portfolios or the level of impairment attached to some asset classes. Views on the bank’s loan loss provisioning could include, whenever possible, a comparison with other institutions on an unnamed basis;
►► Information on issues such as governance, risk management, compliance framework and internal control that have a potential impact on the quality of financial reporting and regulatory information produced by the bank. For this purpose, the supervisor might share findings derived from his/her on-site inspections;
►► Measures implemented by the supervisor to prevent or limit the consequences or generalization of an identified risk.

Regulatory and accounting developments:
►► The prudential treatment of a new type of product or operation and its eventual impact on accounting;
►► Views on the interactions of new regulatory requirements with financial reporting practices and requirements;
►► Information on potential issues identified and related to the application of new accounting standards or reporting practices.
For example, the eventual impact of the accounting treatment of a new type of financial instrument or financial transaction as well as the impact of the new standard on regulatory requirements;
►► Significant disagreements on the application of a new accounting, regulatory or prudential standard by the bank under supervision;
►► Information on the progress of prudential regulation projects and the perspective of supervisors on accounting regulation projects.

Other:
►► Correspondence between the supervisor and the bank’s management, including certain instructions and minutes of meetings;
►► Any intervention from the supervisor;
►► Feedback on publications from the accounting profession;
►► In general, all items that could have a material impact on banks’ financial statements.

[20] This list is not meant to be exhaustive and presents only suggestions inspired by the following: Basel Committee on Banking Supervision, External audits of banks, March 2014. http://www.bis.org/publ/bcbs280.pdf. L’Autorité de Contrôle Prudentiel et de Résolution (ACPR)/ Compagnie Nationale des Commissaires aux Comptes, Guide des relations ACPR – Commissaires aux comptes, ACPR/CNCC, October 2014. https://acpr.banque-france.fr/fileadmin/user_upload/acp/Agrements_et_autorisations/311014_Guide_ACPR_CNCC.pdf

Restrictions on exchange of information and “gateway” rules

[Figure: Is there any legal restriction regarding information that supervisors can share with the external auditors? Yes/No responses for EU + Norway, STAREP and REPARIS]

Globally, for 54% of the jurisdictions, there is no legal restriction to supervisors sharing information with external auditors. However, regional trends show that only 25% of STAREP supervisors can share information with external auditors. Many jurisdictions have confidentiality rules in place. Sometimes, the bank’s permission is required prior to sharing information with external auditors.
Some jurisdictions provide exceptions where bank-specific information can be shared with external auditors when the information-sharing will assist the external auditor in conducting a quality audit and, in turn, assist the supervisor in his/her supervisory function.

“Supervisors have, by law, the choice to share information with external auditors, but are not required. Sometimes supervisors have knowledge of circumstances that can endanger “solutions” when discussed with auditors. In such cases supervisors do not share this sensitive information. However, if the information has or could have a direct influence on the auditors’ opinion, the supervisor will share this information with external auditors.” - National Bank of the Netherlands

Survey findings and possible actions

Information sharing from supervisors to external auditors

Survey findings
Confidentiality rules can prevent supervisors from sharing information with external auditors, which can have negative impacts on the supervision of banks.

Possible actions
►► Creating “gateway” rules to allow the sharing of information with external auditors. This information can be bank specific, industry specific and related to current and emerging risks. The objective is to help auditors conduct a better quality audit and which, in turn, could contribute to the supervisory process.

Appointment of external auditors of banks

Survey findings
Responses show that most supervisors have some form of oversight responsibility over the appointment of external auditors (i.e. the right to pre-select, approve/remove or to commission an independent audit).

Possible actions
►► Setting up a principles-based framework in line with international best practices for the selection, appointment and removal of external auditors;
►► Ensuring that the process for the selection and appointment of external auditors is fair, objective, transparent, independent of the bank’s management, and well documented;
►► Encouraging the appointment of external auditors who are able and willing to develop good working relationships and dialogue with supervisors;
►► Reviewing and monitoring regularly the conditions of an external auditor’s appointment to ensure the two previous conditions are adhered to.

Audit firm rotation

Survey findings
Results show that mandatory audit firm rotations are scarce while the majority of supervisors currently enforce compulsory key audit partner rotations.

Possible actions
►► Setting up a framework for the rotation of external auditors in line with international best practices to ensure independence and avoid a conflict of interest. According to the Basel Committee on Banking Supervision Core Principles for Effective Banking Supervision, the supervisor determines whether banks rotate their external auditors (either the firm or individuals within the firm) from time to time;
►► Requesting that the appropriate criteria have been used to select the key audit partner by the relevant parties;
►► Continuously monitoring audit quality especially during transition periods.

Audit retendering

Survey findings
In most jurisdictions, the same external auditor can be reappointed without going through a mandatory tender process.

Possible actions
►► Reviewing the retendering process on a regular basis and ensuring that there is a clear policy for retendering and clear, well-documented criteria for selection, and transparency regarding reappointment.

Extract from the Basel Core Principles (BCP) for Effective Banking Supervision - Principle 27 on financial reporting and external audit [21]

A snapshot of some essential criteria:
►► The supervisor holds the bank’s board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally.
Furthermore, the financial statements should be supported by recordkeeping systems in order to produce adequate and reliable data.
►► The supervisor holds the bank’s board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor’s opinion. This will be the result of an audit conducted in accordance with internationally accepted auditing practices and standards.
►► The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to, or does not adhere to, established professional standards.
►► The supervisor determines whether banks rotate their external auditors (either the firm or individuals within the firm) from time to time.

[21] Core Principles for Effective Banking Supervision, BCBS, 2012. http://www.bis.org/publ/bcbs230.pdf

Insight 5
Other communications
Effective communication between audit and banking supervisors and audit committees does improve audit quality

Audit committees and Audit Oversight Bodies (AOBs) contribute to enhanced audit quality through the effective oversight of external auditors’ work and their ability to form an opinion on banks’ financial statements. These institutions play a critical role in building an appropriate framework for corporate governance and high-quality external audits.

Most banks are required to have an audit committee but supervisors rarely meet the committee’s chair. The audit oversight systems are not always effective or even established. Overall, when they exist supervisors have connections with the AOB, whose role is to identify failures and weaknesses in banks’ external audits, and to examine the work of external auditors, imposing sanctions and/or remedial measures as necessary.

Supervisors’ relationship with Audit Oversight Bodies

In general, supervisors meet with AOBs when these bodies exist.
Public oversight of external auditors is of paramount importance for enhancing the quality and reliability of audit work. It also increases the accountability of external auditors and audit firms. Ninety-four percent of supervisors confirmed the existence of an AOB in their jurisdiction. In 76% of the jurisdictions, the authority in charge of audit quality reviews is also the AOB. In accordance with its mission of the public oversight of auditors, the AOB is involved in the investigation of failures and weaknesses in the conduct of the external audit of banks’ financial statements and in imposing sanctions and/or remedial actions against external auditors, as reported by banking supervisors.

Is there a formal relationship between banking supervisors and the AOB?

High-quality external audits of banks are best achieved with appropriate support from, and adequate interactions between, auditors and supervisors, and other bodies overseeing the external audit function. The survey finds a variety of relationships between the supervisor and the AOB:
►► The supervisor is also the AOB in 6% of the jurisdictions (Luxembourg and Norway);
►► For half of REPARIS and STAREP jurisdictions and 27% of EU jurisdictions, the supervisor is a member of the AOB. In these jurisdictions, the supervisory authority has a representative member in the AOB. The National Bank of the FYR of Macedonia reported that this practice allows for timely information sharing between the two institutions;
►► In a third of EU jurisdictions and a quarter of STAREP jurisdictions, consultations take place between the supervisor and the AOB.
A Memorandum of Understanding (MoU) has been agreed between the AOB and the supervisor in most of these jurisdictions to exchange relevant information regarding their respective tasks and to facilitate the identification of poor quality external audits;
►► Thirty-one percent, 25% and 50% of EU, STAREP and REPARIS supervisors respectively indicate that no formal relationship has been established with the AOB. Such a relationship is, however, being implemented in Bosnia and Herzegovina.

Communication with Audit Oversight Bodies

Most of the supervisors have communication lines with the AOB

Supervisors may communicate any significant findings to the AOB to ensure that it is duly informed of violations or breaches of the laws and regulations applicable to external auditors. In return, AOBs need to communicate any significant issues related to the bank’s audit to supervisors:
►► Seventy-six percent of European supervisors meet with the AOB. For most ad-hoc communication, meetings are organized with the AOB when significant matters are identified. Communication occurs once per year or more, depending on the nature and number of issues identified. Some European supervisors, however, meet and communicate with the AOB on a regular basis. These meetings can be conducted weekly, monthly or quarterly depending on the size of the supervised entity, its risk profile and the jurisdictions. During these meetings, supervisors and members of the AOB can share information regarding the planning of the supervision (i.e. audit oversight and enforcement of financial reporting standards).
►► Only one REPARIS supervisory authority meets and communicates regularly with the AOB in his/her jurisdiction.
►► Seventy-five percent of STAREP supervisors meet and communicate regularly with their respective AOB. Supervisors from Azerbaijan and Moldova communicate with the AOB once per year, whereas their counterparts in Armenia communicate with the AOB on a quarterly basis.
Audit Quality Assurance Systems

Quality assurance systems are designed to prevent or address potential deficiencies in the manner in which statutory audits are carried out. Quality assurance systems, if properly implemented and governed, are an essential pillar of effective public oversight of auditors and audit firms. Quality assurance systems include the verification of internal quality control systems of external auditors and audit firms, and the related documented procedures to verify the implementation and efficiency of such internal systems (Bank of Spain). Quality control systems are also designed to guarantee auditors’ compliance with procedures related to the performance of audit activities and with international standards on auditing (Czech National Bank).

[Figure: Is an audit quality assurance system in place in the jurisdiction? (Yes/No)]

A total of 94% of supervisors report that an audit quality assurance system is in place in their jurisdiction. Regional comparisons demonstrate that all European jurisdictions have implemented an audit quality assurance system whereas this is not the case for all REPARIS and STAREP jurisdictions. The countries under these programs are mostly at the early stage of implementing their quality assurance system, with the notable exception of FYR of Macedonia which has a more advanced system.

Example 1: The audit quality assurance system in Czech Republic

The quality control system shall:
a. be independent of the controlled statutory auditors and audit firms;
b. be subjected to public oversight;
c. have safe financing and shall not be negatively affected by the auditors;
d. be executed by a natural person who is independent of the controlled auditors and who has sufficient professional education and experience in the area of statutory audits and accounting reporting and who has passed specialized training for such purposes as determined by the Chamber; and
e. be performed at least once in three years for the auditors of banks.
In 76% of the jurisdictions, the entity in charge of the quality assurance reviews is the AOB. Depending on the jurisdiction, the AOB is a special Council/Committee, the Supervisory Authority or the Ministry of Finance. As is the case in Belgium and Austria, some jurisdictions have a system of oversight in place rather than a single authority responsible for audit quality controls: an institute of auditors or a special association performs the quality controls and the supervisor or a special Chamber is entrusted with the legal supervision of the quality control process. These systems of oversight will be modified as a result of the new European audit regulation and directive. Twenty-four percent of supervisors report that a different body to the AOB organizes and manages quality assurance systems in their jurisdiction. This distinct body is often the Chamber of Auditors. The entity responsible for the oversight of auditors and audit firms with Public Interest Entities’ mandates may differ from the entity in charge of the oversight of other external auditors. In France the audit oversight body High Council of the Order of Statutory Auditors (H3C) assesses external auditors and audit firms that audit the financial statements of PIEs every three years, while the Compagnie Nationale des Commissaires aux Comptes (CNCC) assesses other audit firms every six years. H3C is in charge of the general oversight of quality controls performed and is entitled to make recommendations. The results are included in an annual report. In Spain and Cyprus recommendations of AOBs stemming from quality controls are legally binding. 
Supervisors indicate that quality assurance systems are beneficial to them because:
►► Audit quality controls contribute to the robustness of the bank’s financial information on which the prudential data are based;
►► They enable the supervisor to evaluate external auditors and audit firms, including their internal quality review systems, as well as the auditor’s willingness to involve prudential supervisors in tailoring their audit plan;
►► They reassure the public and supervisors that the external auditors are performing their duties in accordance with law, regulations and ethical requirements; and
►► Findings on inspections of banks are shared with the supervisor.

Role of bank audit committees

An audit committee is “a specialized committee established by the board, the mandate, scope and working procedures for which are set out in a charter or other instrument.” [22]

Banks are required to have an audit committee in most jurisdictions

A total of 88% of European supervisors report that banks are required to have an audit committee or body performing an equivalent function. This is also the case for all REPARIS supervisors and 75% of STAREP supervisors. In most jurisdictions, this is already a legal requirement but in some it is currently more of a common practice than a statutory obligation. This requirement is sometimes detailed in a Corporate Governance Code. The survey reveals that audit committees are required for:
►► All banks; or
►► Banks with securities admitted to trading on a regulated market; and/or
►► Banks exceeding special size criteria (i.e. size of the balance sheet, profit, number of employees)

Percentage of jurisdictions requiring banks to have an audit committee:

Audit committees can play a crucial role in promoting and contributing to high-quality bank external audits through constructive communication with external auditors and effective oversight of the external audit process.
It is their responsibility to create an atmosphere in which the bank’s management and external auditors communicate openly and transparently, with mutual respect, by fostering open discussions and relevant exchanges of information between parties.

[22] External audits of banks, Basel Committee on Banking Supervision (BCBS), 2014.

The audit committee must comply with specific criteria regarding the composition and the expertise of its members. There are two essential features to be taken into account: independence and technical competence.

Example 2: Criteria regarding the composition of an audit committee in the FYR of Macedonia

According to the Banking Law of the FYR of Macedonia, banks must establish an audit committee in line with the following criteria:
►► The number of members must be at least five, but no more than nine;
►► The majority of audit committee members should be members of the Supervisory Board, while the rest should be independent from the bank; and
►► At least one member should be a licensed auditor.

The audit committee’s roles and responsibilities may differ depending on the jurisdiction they operate in. Globally, however, the majority support the appointment of external auditors, review and monitor the independence of the statutory auditors or audit firm, and evaluate the work of the external auditors.

Audit committees are involved in [23]:

Audit committees may have additional roles, for example making recommendations to the bank’s management or board on the scope of auditors’ intervention as well as issues of compensation, terms of engagement and substitution or rotation. In many jurisdictions, the monitoring of the independence of external auditors also includes the scrutiny of the provision of non-audit or auxiliary services provided to the bank.
[23] Answers to this open-ended question have been organized based on their recurrence.

In jurisdictions including Austria, Slovenia and Moldova, audit committees monitor the effectiveness of the risk management process, internal audit and internal control functions, and review the accounting procedures of the bank.

According to the survey 11% of supervisors indicate that it is not compulsory for banks to have an audit committee in their jurisdiction. In some cases banks’ administrative or supervisory boards may handle tasks undertaken elsewhere by audit committees such as ensuring the independence of auditors and evaluating auditors’ work, instead of establishing a separate body.

Communication with audit committees

A total of 60% of European supervisors meet with audit committees, but often not on a regular and formal basis. Meetings can take place during on-site inspections. Only a few supervisors have institutionalized timings for meetings with audit committees. For example, UK supervisors meet with audit committees on a quarterly basis. Approximately half of European supervisors meet with the chair of the audit committee when necessary. Overall, the chair of the audit committee participates in trilateral meetings with the banking supervisor and the external auditor in only 14% of European jurisdictions.

“The minutes of the Audit Committee are reviewed during the supervisory process. Communication on audit issues is channeled through the internal audit director.” - Bank of Spain

Direct exchange of information with external auditors was cited as a reason for not communicating with audit committees.

Very few REPARIS supervisors meet with audit committees. Meetings usually occur on an exceptional basis. However, half of REPARIS supervisors report communication with audit committees each year. The written correspondence exchanged between audit committees and the off-site Supervision Department of the FYR of Macedonia illustrates this effort.
All STAREP supervisors meet with audit committees, with the majority having some communication every year. Meetings are generally held on an ad-hoc basis if the need arises and/or during on-site inspections.

Responses to the survey suggest that in most jurisdictions there is no specific agenda for the communication. Instead, supervisors and audit committees exchange information as a result of significant breaches in the internal control system or concerns that might lead to operational and legal risks (for example, internal fraud and money laundering). Audit committees generally report the actions undertaken by the bank’s management to banking supervisors based on findings and measures prescribed by the supervisory authority.

Example 3: The supervisor’s engagement with audit committees and the AOB in the United Kingdom [24]

Current engagement of the Prudential Regulation Authority (PRA) with audit committees

Given audit committee responsibilities — which include monitoring of the integrity of financial statements and assessment of the independence, objectivity and effectiveness of the auditor — the PRA regularly meets the chairs of audit committees of the largest banks in roundtable meetings (currently three times a year). The aim of the meetings is to share observations and expectations on topical accounting and auditing issues as covered in the biannual bilaterals with auditors. In addition, the PRA also meets the individual chairs in trilaterals with auditors and as part of ongoing supervision.

The PRA’s engagement with the AOB

The PRA does not set or monitor the implementation of auditing standards but instead engages closely on auditing matters with the body that has these responsibilities, namely the Financial Reporting Council (FRC). The PRA and FRC already have a Memorandum of Understanding (MoU), which generally outlines the way the regulators cooperate.
Under this MoU, the PRA gives input to the FRC’s Audit Quality Review Team (AQRT) in relation to the team’s identification of which audits to inspect. The PRA also engages with the AQRT on matters of thematic interest. In relation to each audit inspected, the FRC AQRT provides private written reports to the auditors, the chair of the audit committee and to the PRA when it relates to a PRA authorized firm. If the audit inspection indicates significant deficiencies in the audit of the firm, the PRA seeks to ensure that improvements are underway and deficiencies are being addressed.

[24] Bank of England, Prudential Regulation Authority, extract from the Engagement between external auditors and supervisors and commencing the PRA’s disciplinary powers over external auditors and actuaries – Consultation Paper CP8/15, February 2015. http://www.bankofengland.co.uk/pra/Pages/publications/cp/2015/cp815.aspx

Survey findings and possible actions

Relationship between supervisors and AOBs

Survey findings
Most of the supervisors have communication lines with AOBs. The frequency of meetings and communication with AOBs varies depending on the jurisdictions.

Possible actions
►► Signing a Memorandum of Understanding (MoU) between the AOB and the supervisory authority. This document would detail circumstances in which supervisors would communicate directly with the AOB on topics related to public oversight, registration, inspections and investigations of external auditors of banks;
►► Setting up provisions for a clear mandate for supervisors to meet the AOB on a regular and systematic basis to discuss auditing issues in a constructive and critical manner. This should not prevent ad-hoc meetings.

Audit Oversight Bodies & Quality Assurance

Survey findings
In many jurisdictions, the professional organization for auditors is responsible for quality assurance. In the EU, a single competent authority will be designated to bear ultimate responsibility for the audit public oversight system (mandatory from 2016).

Possible actions
►► Requesting the implementation of the appropriate tools, methodologies and skills for public oversight and quality assurance agencies in the respective jurisdiction. This includes on-going training and knowledge requirements in IFRS and ISA as applicable.

Audit committees

Survey findings
The role and responsibilities, as well as the capacity, of audit committees vary in the ECA region. In 11% of the jurisdictions audit committees are not mandatory for banks.

Possible actions
►► Requesting banks to have an audit committee, and ensuring that most members are independent of the audited entity and have the appropriate skills;
►► Promoting the creation of a Corporate Governance Code which, inter alia, sets out the role and responsibilities of audit committees;
►► Meeting with chairs of audit committees of SIBs;
►► Discussing relevant experience with the audit committee regarding interaction with external auditors in the context of the supervision of the bank.

Summary of the proposed policy actions

Insight 1 - External audit in banks: Auditors’ work does contribute to the effective supervision of banks

Capacity of supervisors

Survey findings
Supervisors face capacity constraints in terms of staffing and accounting and auditing training. Supervisors do not always have a good understanding of what an external audit consists of and how they can rely on auditors’ work.

Possible actions
►► Providing on-going training on ISA and IFRS to staff at the supervisory authority.

Duty and right to report

Survey findings
External auditors do not always have the statutory duty to disclose significant findings and fraud encountered during the course of their audit (statutory duty to report).
Furthermore, not all the jurisdictions provide “safe haven” rules for auditors when reporting matters to supervisors that do not give rise to a statutory duty to report but may, nevertheless, be relevant to the supervisor’s exercise of his/her functions (right to report).

Possible actions
►► Updating regulations to include examples of instances and events when external auditors must report bank-specific information directly to supervisors (statutory duty to report). Examples may include when external auditors detect significant findings, fraud or going concern issues during the course of the audit or when management uses significant accounting judgment which materially affects the bank’s results and position;
►► Creating “safe haven” rules to allow auditors to share bank-specific information with the supervisors on matters that fall outside the scope of the duty to report if communicated in good faith, and if reasonably believed to be relevant to the supervisor in order to conduct his/her functions (right to report).
►► For matters that give rise to the right to report, it is normally appropriate for the auditor to request in writing that those charged with governance in the bank bring these matters to the attention of the supervisor. If those charged with governance fail to inform the supervisor of the matters in a timely manner, the auditor shall report them directly to the supervisor;
►► Requesting access to documents supporting the audit findings regarding identified or suspected non-compliance with laws and regulations, going concern issues, key risks faced by the bank in the short-term and medium-term, and areas when judgment and assumptions are used by management. In general, supervisors should be able to access any type of audit information that they judge relevant to the supervision of the bank.
Documents could include minutes of discussions held with management and those in charge of governance, audit committee minutes, audit working papers, etc;
►► Referring to the guidelines proposed by the International Ethics Standards Board for Accountants (IESBA) in its recent exposure draft. These guidelines specify how external auditors should respond to some proven or alleged cases of non-compliance with laws and regulations (NOCLAR). [25]

Extent of use of external auditors

Survey findings
About 70% of supervisors can ask external auditors to perform additional tasks outside the scope of the audit.

Possible actions
►► Exchanging information with the external auditors on a continuous basis and before planning the statutory audit. This would help supervisors and external auditors to establish jointly which additional work the external auditors would be required to perform outside the scope of the statutory audit.

Long-Form Audit Report

Survey findings
Currently, very few supervisors request a Long-Form Audit Report (LFAR) from external auditors.

Possible actions
►► Requesting external auditors to prepare an annual LFAR for Domestic Systemically Important Banks (SIBs). This would include details of the audit methodology and its limitations and key findings on the going concern or key risks faced by the bank, and additional appropriate information (e.g.
recommended remedial actions);
►► The LFAR should be submitted on a timely basis to the supervisors to enable them to take appropriate action in due time;
►► The scope and content of the LFAR should be flexible to reflect changes within the banking sector and within the bank and should be discussed between the auditors and the supervisors;
►► Establishing together with auditors a list of specific financial reporting issues to be covered in the LFAR, based on the risk profile of the bank and its business model;
►► Conducting face-to-face discussions with the external auditors, the bank’s management, the chair of both the audit committee and the risk committee in order to gain a detailed understanding of the key findings and issues highlighted in the LFAR with a view to finding timely and appropriate remedial actions.

[25] International Ethics Standards Board for Accountants, Responding to Non-Compliance with Laws and Regulations, May 2015. http://www.ifac.org/system/files/publications/files/IESBA-Non-Compliance-with-Laws-Regulations-Exposure-Draft.pdf

Insight 2 - Channels of communication: Supervisors could engage more effectively with external auditors

Proportionate risk-based approach

Survey findings
About half of the supervisors use a proportionate risk-based approach when communicating with external auditors.

Possible actions
►► Developing formal criteria to define SIBs and set up a clear process for systematic and regular interactions and communication with their external auditors;
►► Engaging with external auditors to obtain sufficient information about the audit process and audit findings in a timely manner to assist the supervisory process;
►► Conducting systematic one-on-one meetings with the chairman of the audit committee of each bank in a structured manner with a clear and relevant agenda, and clearly identified outcomes and follow-up actions.

Timing and frequency of communication with external auditors

Survey findings
Sixty-two percent of the supervisors communicate with external auditors after the audit opinion has been issued. Most supervisors meet external auditors on an ad-hoc basis when required. Some also hold regular meetings with auditors.

Possible actions
►► Building a constructive and effective relationship with external auditors by setting up a joint framework of engagement that will include the terms and scope of communication and interaction in a systematic, frequent and timely manner;
►► Meeting and exchanging information with the external auditors formally, informally or on an ad-hoc basis to avoid routine meetings and focus on current and medium term risks and issues that may affect the banking sector and the bank;
►► The exchange of information should be regular and flexible to discuss material and relevant risks and events during and after the audit and should take place in addition to pre-scheduled meetings among the supervisors, the bank and the external auditors;
►► The exchange of information should be part of, and embedded in the supervisory process rather than just an additional item on the checklist of the supervisor. It should be conducted in a structured manner, with a relevant agenda and clearly identified outcomes and follow-up actions.

Channels of communication

Survey findings
Generally, supervisors either use formal channels or an equal mix of both formal and informal channels when communicating with external auditors.

Possible actions
►► Using as applicable:
►► Formal (meetings with external auditors with or without the bank under supervision, meetings with external auditors and the chair of the audit committee) and informal channels (telephone calls, emails etc.);
►► Oral (meetings, calls, etc.)
and written communication (official letters, exchange of a Long-Form Audit Report, etc.);
►► Ad-hoc meetings and meetings with predefined timing; regular contact will slowly help build open cooperation based on trust;
►► The primary relationship holders, namely the audit firm partner and the supervisor team leader. Other colleagues and staff of their respective teams and/or experts should also be involved in the communication and exchange of information process at the working levels.

Feedback process

Survey findings
Eighty-six percent of supervisors do not have a feedback system for assessing the quality of the relationship with external auditors.

Possible actions
►► Setting up a formal feedback process within the supervisory authority which may include an anonymous survey sent to supervisors who take part in the meetings with external auditors to assess the quality of the meetings and relationships between the supervisors and the external auditors.
►► The feedback should assess the limits of the relationship and areas of improvements such as increasing the frequency of meetings, exchanging more pertinent information and discussing more specific issues relevant to the bank rather than focusing on high level and general issues on a routine basis with no added value to the supervisory process.

Insight 3 - Topics of mutual interest: External auditors could contribute more on specific areas of interest to supervisors

Audit planning and process

Survey findings
Few supervisors discuss the audit strategy and plan with external auditors. Changes in those plans are not systematically communicated to supervisors.

Possible actions
►► Meeting with external auditors during the planning stage to discuss specific areas within the scope or outside the scope of the audit which regulators would like them to focus on during the course of the audit;
►► Exchanging information and findings identified during and after the audit for the current and previous financial year and discussing whether or not they are in line with the expectations of external auditors and supervisors;
►► Using the audit strategy and plan as input to the supervisory work plan;
►► Discussing the audit plan and strategy specifically with external auditors of SIBs. The external auditors should share the audit plan and strategy with supervisors upon request.

Accounting policies

Survey findings
Loan valuation and loan loss provisioning, and more generally the bank’s asset valuation, and the effectiveness of financial controls were topics of particular interest for supervisors to discuss with external auditors.

Possible actions
►► Discussing with external auditors the processes to obtain a detailed understanding of internal controls and assumptions used in the valuation process to ensure that supervisors can critically assess whether they are relevant, reliable and are being used consistently by the bank;
►► Requesting adequate independent validation and verification of the valuation framework and controlling procedures by either internal or external experts;
►► Holding discussions with external auditors to obtain a clear understanding of the impairment charges and other credit risk provisions in order to assess the charges and the provisions in a critical manner.

Prudential returns

Survey findings
Reconciliation between prudential capital elements and audited financial statements is often not subject to an audit. Prudential returns are often not reviewed by auditors.

Possible actions
►► Requesting external auditors to review the reconciliation of prudential own funds with accounting capital;
►► Requesting external auditors to review and assess banks’ internal controls for preparing the prudential returns in the regulatory reporting system;
►► Requiring external auditors to report to supervisors in a timely manner when weaknesses or breaches have been identified.

Insight 4 - Supervisors’ input to audits: Supervisors do contribute to enhanced audit quality

Information sharing from supervisors to external auditors

Survey findings
Confidentiality rules can prevent supervisors from sharing information with external auditors, which can have negative impacts on the supervision of banks.

Possible actions
►► Creating “gateway” rules to allow the sharing of information with external auditors. This information can be bank specific, industry specific and related to current and emerging risks. The objective is to help auditors conduct a better quality audit and which, in turn, could contribute to the supervisory process.

Appointment of external auditors of banks

Survey findings
Responses show that most supervisors have some form of oversight responsibility over the appointment of external auditors (i.e. the right to pre-select, approve/remove or to commission an independent audit).

Possible actions
►► Setting up a principles-based framework in line with international best practices for the selection, appointment and removal of external auditors;
►► Ensuring that the process for the selection and appointment of external auditors is fair, objective, transparent, independent of the bank’s management, and well documented;
►► Encouraging the appointment of external auditors who are able and willing to develop good working relationships and dialogue with supervisors;
►► Reviewing and monitoring regularly the conditions of an external auditor’s appointment to ensure the two previous conditions are adhered to.

Audit firm rotation

Survey findings
Results show that mandatory audit firm rotations are scarce while the majority of supervisors currently enforce compulsory key audit partner rotations.

Possible actions
►► Setting up a framework for the rotation of external auditors in line with international best practices to ensure independence and avoid a conflict of interest. According to the Basel Committee on Banking Supervision Core Principles for Effective Banking Supervision, the supervisor determines whether banks rotate their external auditors (either the firm or individuals within the firm) from time to time;
►► Requesting that the appropriate criteria have been used to select the key audit partner by the relevant parties;
►► Continuously monitoring audit quality especially during transition periods.

Audit retendering

Survey findings
In most jurisdictions, the same external auditor can be reappointed without going through a mandatory tender process.

Possible actions
►► Reviewing the retendering process on a regular basis and ensuring that there is a clear policy for retendering and clear, well-documented criteria for selection, and transparency regarding reappointment.

Insight 5 - Other communications: Effective communication between audit and banking supervisors and audit committees does improve audit quality

Relationship between supervisors and AOBs

Survey findings
Most of the supervisors have communication lines with AOBs. The frequency of meetings and communication with AOBs varies depending on the jurisdictions.

Possible actions
►► Signing a Memorandum of Understanding (MoU) between the AOB and the supervisory authority.
This document would detail circumstances in which supervisors would communicate directly with the AOB on topics related to public oversight, registration, inspections and investigations of external auditors of banks;
►► Setting up provisions for a clear mandate for supervisors to meet the AOB on a regular and systematic basis to discuss auditing issues in a constructive and critical manner. This should not prevent ad-hoc meetings.

Audit Oversight Bodies & Quality Assurance

Survey findings
In many jurisdictions, the professional organization for auditors is responsible for quality assurance. In the EU, a single competent authority will be designated to bear ultimate responsibility for the audit public oversight system (mandatory from 2016).

Possible actions
►► Requesting the implementation of the appropriate tools, methodologies and skills for public oversight and quality assurance agencies in the respective jurisdiction. This includes on-going training and knowledge requirements in IFRS and ISA, as applicable.

Audit committees

Survey findings
The role and responsibilities, as well as the capacity, of audit committees vary in the ECA region. In 11% of the jurisdictions audit committees are not mandatory for banks.

Possible actions
►► Requesting banks to have an audit committee, and ensuring that most members are independent of the audited entity and have the appropriate skills;
►► Promoting the creation of a Corporate Governance Code which, inter alia, sets out the role and responsibilities of audit committees;
►► Meeting with chairs of audit committees of SIBs;
►► Discussing relevant experience with the audit committee regarding interaction with external auditors in the context of the supervision of the bank.

About the CFRR

The Centre for Financial Reporting Reform (CFRR) located in Vienna, Austria, is part of the World Bank’s Governance Global Practice and is responsible for the World Bank’s corporate sector financial reporting activities in Europe and Central Asia. The Centre helps client countries build strong accounting, reporting, and auditing practices, which bring sustainable and equitable private sector-led growth, strengthened governance and accountability. The CFRR provides knowledge services including analytical and advisory services; learning and skill development; know-how and knowledge transfer; and technical assistance to strengthen existing institutions.

Activities of the centre are focused on four areas of expertise: i) raising awareness of the importance of the corporate financial reporting reform agenda and contributing to legislative reform; ii) building institutional capacities by addressing knowledge gaps and offering tailored advice in areas such as public oversight and standards; iii) encouraging strong and engaged professional accountancy organizations; and iv) promoting the development of internationally compatible accounting education.

The CFRR organizes specific knowledge sharing activities for supervisors such as the Executive IFRS workshop, distance learning events and other publications.