International Association of Risk and Compliance Professionals (IARCP)
http://www.risk-compliance-association.com
Every Monday
Top 10 risk and compliance management related news stories and world events
Do you want to receive (at no cost) every Monday the Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next?
You can register at:
http://www.risk-compliance-association.com/Top_10_Risk_Compliance_Management_Stories_Events.html
Receive the New Member Orientation Newsletters
You will have the opportunity to learn (at no cost) what members registered before you have already learned. Understand better risk and compliance management, projects, careers, challenges and opportunities.
You can register at:
http://www.risk-compliance-association.com/New_Member_Orientation_Newsletters.html
Risk management presentation April 1 2013
International Association of Risk and Compliance
Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750 www.risk-compliance-association.com
Top 10 risk and compliance management related news stories
and world events that (for better or for worse) shaped the
week's agenda, and what is next
Dear Member,
Today I will start with the job description that
made my day: Basel II/III and Solvency II risk
specialist, Mandarin Speaking!!!
Basel III Risk Specialist - Mandarin Speaking
Leading Global Investment Bank, London
A Leading Global Investment Bank is Expanding
the Regulatory Risk Function with the hire of a
Basel III Risk Specialist for their London Group.
- Basel III Regulatory Risk Specialist
- Leading Global Investment Bank
- Mandarin Speaking
- London, UK
- 50,000+ Excellent Bonus Benefits
As a key member of the risk group you will be
communicating extensively with senior
management on a global scale including
direct contact with senior management in
Hong Kong and Shanghai and will therefore
require Mandarin speaking skills at business
level proficiency.
A Pillar 3 Disclosure??
An expert in regulatory frameworks, you will have practical
understanding of Basel II/III and knowledge of Solvency II ICAAP is
also highly preferred.
This is a mid-level position within the group and will require a minimum
of 3 years industry experience within the London and/or International
Financial Markets.
It is never too late to learn Mandarin. It looks easy!
Amazing job description…
Just one slight problem with this job description: You cannot have
knowledge of Solvency II ICAAP … simply because there is nothing like
a Solvency II ICAAP… perhaps they mean Solvency II ORSA (Own Risk
and Solvency Assessment, the Pillar 2 document).
It reminds me of another job description, where they required 5+ years of
Basel III experience. Provided that Basel III was endorsed at the end of
2010, they could hire someone after 2015…
Another development:
Auditors… it is your turn to suffer the consequences of the crisis…
According to the BIS, the recent financial crisis not only revealed
weaknesses in risk management, control and governance processes at
banks, but also highlighted the need to improve the quality of external
audits of banks.
Given the central role banks play in contributing to financial stability, and
therefore the need for market confidence in the quality of external audits
of banks' financial statements, the Basel Committee is issuing for
consultation this guidance on external audits of banks.
This document describes, through sixteen principles and explanatory
guidance, supervisory expectations regarding audit quality and how that
relates to the external auditor's work in a bank.
Read more at Number 1 below.
Welcome to the Top 10 list.
External audits of banks
Given the central role banks play in contributing to
financial stability, and therefore the need for market
confidence in the quality of external audits of banks'
financial statements, the Basel Committee is issuing
for consultation this guidance on external audits of
banks.
This document describes, through sixteen principles and explanatory
guidance, supervisory expectations regarding audit quality and how that
relates to the external auditor's work in a bank.
Meeting of the G20 Finance Ministers
and Central Bank Governors
Update by the IASB and FASB
Convergence projects
This report is a high-level update on the status and timeline of the
remaining convergence projects.
To G20 Ministers and Central Bank
Governors
Progress of Financial Regulatory Reforms
EIOPA
The new Risk Dashboard
Focusing on Low- and Moderate-Income
Working Americans
Governor Sarah Bloom Raskin
Board of Governors of the Federal Reserve System At
the National Community Reinvestment Coalition
Annual Conference, Washington, D.C.
Islamic capital and money markets
Welcoming remarks by Mr Peter Pang, Deputy Chief
Executive, Hong Kong Monetary Authority, at the
workshop on "Islamic capital and money markets", Hong Kong
Interview with Gabriel Bernardino, Chairman of
EIOPA, conducted
by Nataša Gajski Kovačić, Svijet osiguranja (Croatia)
Reviewing filings for smaller public
companies
These slides were presented at the Forums on
Auditing in the Small Business Environment hosted
by the PCAOB during 2012.
The Global Financial Sector—Transforming
the Landscape
By Christine Lagarde, Managing
Director, International Monetary Fund, Frankfurt
Finance Summit
Managing structural risks in the Swedish
banking sector
Speech by Mr Stefan Ingves, Governor of the Sveriges
Riksbank and Chairman of the Basel
Committee on Banking Supervision, at Affärsvärlden's
"Bank & Finans Outlook", Stockholm
External audits of banks
The recent financial crisis not only revealed
weaknesses in risk management, control
and governance processes at banks, but
also highlighted the need to improve the
quality of external audits of banks.
Given the central role banks play in
contributing to financial stability, and
therefore the need for market confidence in
the quality of external audits of banks'
financial statements, the Basel Committee
is issuing for consultation this guidance on
external audits of banks.
This document describes, through sixteen principles and explanatory
guidance, supervisory expectations regarding audit quality and how that
relates to the external auditor's work in a bank.
Implementation of the principles and the explanatory guidance is
expected to improve the quality of bank audits and enhance the
effectiveness of prudential supervision which is an important element of
financial stability.
This document sets out supervisory expectations of how:
- external auditors can discharge their responsibilities more effectively;
- audit committees can contribute to audit quality in their oversight of
the external audit;
- an effective relationship between the external auditor and the
supervisor, which allows greater mutual understanding about the
respective roles and responsibilities of supervisors and external
auditors, can lead to regular communication of mutually useful
information; and
- regular and effective dialogue between the banking supervisory
authorities and relevant audit oversight bodies can enhance the
quality of bank audits.
This document enhances and supersedes the Committee's guidance The
relationship between banking supervisors and bank's external auditors
(2002) and External audit quality and banking supervision (2008).
In addition to the proposed guidance, the Committee is publishing a
letter to the International Auditing and Assurance Standards Board
(IAASB) on areas where it believes International Standards on Auditing
could be enhanced.
Serving as an observer on the Basel Committee group that developed the
revised guidance, the IAASB provided helpful and meaningful input to
this effort.
Comments on the proposals should be submitted by Friday 21 June 2013
by e-mail to: baselcommittee@bis.org.
Alternatively, comments may be sent by post to: Secretariat of the Basel
Committee on Banking Supervision, Bank for International
Settlements, CH-4002 Basel, Switzerland.
All comments may be published on the website of the Bank for
International Settlements unless a comment contributor specifically
requests confidential treatment.
External audits of banks
1. Executive summary
1. The recent financial crisis not only revealed weaknesses in risk
management, control and governance processes at banks, but also
highlighted the need to improve the quality of external audits of banks.
Given the central role banks play in contributing to financial stability, and
therefore the need for market confidence in the quality of external audits
of banks' financial statements, the Basel Committee on Banking
Supervision (the Committee) is issuing this document on external audits
of banks.
It forms part of the Committee's commitment to help improve audit
quality at banks.
This document enhances and replaces The relationship between banking
supervisors and banks' external auditors (January 2002) and External
audit quality and banking supervision (December 2008).
2. Implementation of the 16 principles and observation of the explanatory
guidance in this document are expected to improve the quality of bank
audits and enhance the effectiveness of prudential supervision, which will
then contribute to financial stability.
Through these principles and explanatory guidance, the document
describes supervisory expectations regarding audit quality and how that
relates to the external auditor's work in a bank.
This document specifically sets out supervisory expectations of how:
(a) external auditors can discharge their responsibilities more effectively;
(b) audit committees can contribute to audit quality in their oversight of
the external audit;
(c) an effective relationship between the external auditor and the
supervisor, which allows greater mutual understanding about the
respective roles and responsibilities of supervisors and external
auditors, can lead to regular communication of mutually useful
information; and
(d) regular and effective dialogue between the banking supervisory
authorities and the relevant audit oversight bodies can enhance the
quality of bank audits.
3. The document also notes the Committee's continued commitment to
work through international bodies to enhance audit quality.
2. Introduction, application, structure and the Committee's
international engagement
Introduction
4. The banking sector is unique among sectors of the economy because it
plays a central role in contributing to the financial stability of and the
provision of financial resources to the economy.
This sector includes major global banks that are systemically important
banks (SIBs), the failure of one or more of which could trigger a global
financial crisis.
In addition, banks have a unique operating model.
5. Supervisors are primarily concerned with maintaining the stability of the
banking system and fostering the safety and soundness of individual
banks in order to maintain market confidence and protect the interests of
depositors.
Consequently, to enhance the effectiveness of supervision, supervisors
have a keen interest in the quality with which external auditors perform
bank audits.
Building effective relationships with external auditors can also enhance
banking supervision.
6. An external auditor plans and performs the audit of a bank's financial
statements to obtain reasonable assurance about whether the financial
statements as a whole are free from material misstatements, whether due
to fraud or error, and are prepared, in all material respects, in accordance
with an applicable financial reporting framework.
In many ways, the supervisor and the external auditor have
complementary concerns regarding the same matters.
For example, the audit of financial statements may help identify
weaknesses in internal controls relating to financial reporting at a bank
which may, therefore, inform supervisory efforts in this area and
contribute to a safe and sound banking system.
7. Although the focus of this document is on the quality of the audit
performed by the external auditor, an audit in accordance with
internationally accepted auditing standards is conducted on the premise
that the management and, where appropriate, those charged with
governance have acknowledged certain responsibilities that are
fundamental to the conduct of the audit.
The audit of the financial statements does not relieve management or
those charged with governance of their responsibilities.
8. The Basel Committee on Banking Supervision's Core Principles for
Effective Banking Supervision (September 2012, Core Principles) provide
a framework of minimum standards for sound supervisory practices and
are considered universally applicable.
Core Principle 27 focuses on prudential regulations and requirements for
banks in relation to financial reporting and external audits.
This guidance set out in this document is consistent with Core Principle
27.
9. The application and the structure of each section in this document are
described below, followed by an outline of the key international
relationships between the Committee and other groups relevant to
external auditing.
Application
10. This document applies to the following entities subject to a statutory
audit:
- all banks, including those within a banking group;
- holding companies whose subsidiaries are predominantly banks; and
- holding companies subject to prudential supervision whose
subsidiaries are predominantly banks.
All of these structures are referred to as banks or banking organisations in
this document.
11. The implementation of the principles set forth in this document
should be proportionate to the size, complexity, structure, economic
significance and risk profile of the bank and the group (if any) to which it
belongs.
The Committee recognises that some countries have found it appropriate
to adopt legal frameworks and standards (eg for listed firms), as well as
accounting and auditing standards, which may be more extensive and
prescriptive than the principles and explanatory guidance set forth herein.
Such frameworks and standards tend to be particularly relevant for larger
or publicly traded banks or financial institutions.
12. This document has been prepared with the full awareness that
significant differences exist in national institutional, legislative and
regulatory frameworks amongst jurisdictions, including accounting and
auditing standards, supervisory techniques and institutional corporate
governance structures.
Supervisors should clearly communicate the recommendations contained
herein to the banks they supervise and their respective external auditors,
and articulate the measures banks and external auditors should undertake
to meet these best practices, where possible.
13. The principles set out in this document should be applied in
accordance with the national legislation and corporate governance
structures applicable in each country.
14. The following terms are used in this document, with the meanings
specified:
- Financial statement audit – An audit of a bank's financial statements
by an external auditor in accordance with internationally accepted
auditing standards.
- Statutory audit – An audit carried out to comply with the
requirements of particular legislation or regulations.
In some jurisdictions, this may include only the financial statement
audit.
In other jurisdictions, this may also include extended reporting by
external auditors on matters such as internal controls and regulatory
returns.
- External auditor – The audit firm and the individual audit
engagement team members.
Where relevant, specific references are made to the audit firm or the
individual audit engagement team members in certain paragraphs.
- Banking supervisory authority – The body responsible for promoting
the safety and soundness of banks and the banking system in a
particular jurisdiction, including the persons who are involved with
supervisory policy setting and policy issues, including policies
regarding accounting and auditing.
- Supervisor – The group of supervisory personnel at a banking
supervisory authority who are directly involved with the
supervision/examination of a specific institution.
- Board and senior management – The governance structure at a bank
composed of a board and senior management.
The Committee recognises that there are significant differences in
the legislative and regulatory frameworks across countries regarding
these functions.
Some countries use a two-tier structure, where the supervisory
function of the board is performed by a separate entity known as a
supervisory board, which has no executive functions.
Other countries, by contrast, use a one-tier structure in which the
board has a broader role.
Still other countries have moved or are moving to an approach that
discourages or prohibits executives from serving on the board or
limits their number and/or requires the board and board committees
to be chaired only by non-executive board members.
Given these differences, this document does not advocate a specific
board structure.
The terms "board" and "senior management" are only used as a way
to refer to the oversight function and the management function in
general and should be interpreted throughout the document in
accordance with the applicable law within each jurisdiction.
- Audit committee – A specialised committee established by the
board, the mandate, scope and working procedures for which are set
out in a charter or other instrument.
As stated in the BCBS paper on Principles for enhancing corporate
governance (October 2010), to increase efficiency and allow deeper
focus in specific areas, boards in many jurisdictions establish certain
specialised board committees – the audit committee being one of
them.
The paper further recommends that, for large and internationally
active banks, an audit committee or equivalent should be required.
It also outlines the overall responsibilities of the audit committee.
- Those charged with governance – The person(s) or organisation(s)
with responsibility for overseeing the strategic direction of the entity
and obligations related to the accountability of the entity as defined
by internationally accepted auditing standards.
Such person(s) or organisation(s) is (are) typically the board of
directors.
Where the board of directors establishes an audit committee in a
bank to assist it in meeting its responsibilities by charging the audit
committee with specific tasks and responsibilities, in such
circumstances the audit committee can be viewed as taking on the
role of those charged with governance in relation to those specific
tasks and responsibilities.
Structure
The external auditor and audit quality
15. Audit quality includes delivering an appropriate, independent
professional opinion on the financial statements, in compliance with
internationally accepted auditing standards.
Internationally accepted auditing standards require the external auditor
to possess and demonstrate certain attributes while applying a rigorous
audit process.
16. Given that internationally accepted auditing standards are applicable to
all entities, Section 4 of this document builds upon these standards and
lays out the supervisory expectations of the external auditor regarding the
audit of a bank.
Moreover, Section 4 highlights the key areas where significant risks of
material misstatement in banks' financial statements often arise, which
therefore require the auditor's particular attention for a quality audit.
Engagement between the external auditor and the audit
committee
17. Regular and effective engagement and communication between the
external auditor and the audit committee contribute to audit quality.
18. Amongst its other responsibilities, the audit committee is responsible
for overseeing the bank's external auditor.
A soundly constituted audit committee can play a key role in contributing
to audit quality.
Section 5 discusses the audit committee's responsibilities in relation to
the oversight of, and its relationship with, the external auditor.
Engagement between the supervisor and the external auditor
19. Effective communication between the supervisor and the external
auditor enhances the effectiveness of supervision of the banking sector.
This relationship will then also contribute to audit quality.
20. The supervisor and the external auditor have a mutual interest in
building and maintaining an effective relationship, which fosters regular
communication of useful information.
Section 6 provides principles and explanatory guidance for facilitating an
effective relationship between the supervisor and the external auditor at
the levels of the supervised bank, the audit firm and the accounting
profession as a whole.
Engagement between the banking supervisory authority and the
audit oversight body
21. The banking supervisory authority and the relevant audit oversight
body share a strong mutual interest in ensuring quality independent
audits.
Regular and effective dialogue between the banking supervisory authority
and the audit oversight body at a national level can assist in identifying
and dealing with key issues in relation to the conduct of bank audits.
Section 7 sets out the principles for facilitating effective communication
between these bodies.
22. Supervisors are in a unique position to identify audit quality issues at
both the industry and individual audit level.
Regular and effective engagement between the supervisor and the relevant
audit oversight body may enable the supervisor to provide timely feedback
on such issues.
Additionally, the supervisor may, if necessary, take action to address
issues raised by the audit oversight body.
The Committee's international engagement on external
auditing
23. Approaches for dealing with supervisory concerns about the quality of
the audit of an individual bank may differ across jurisdictions, but all
approaches should be designed to contribute to enhancing audit quality.
In its effort to promote audit quality, the Committee engages in regular
dialogue and discussion with the relevant international stakeholders on
external audit matters.
These stakeholders include, but are not limited to, the following:
- the Financial Stability Board (FSB), whose objectives include the
enhancement of the effectiveness of banking supervision;
- the Monitoring Group, which is responsible for advancing the public
interest in areas related to international audit quality;
- the Public Interest Oversight Board (PIOB), which is responsible for
improving the quality and public interest focus of the international
standards formulated by standard-setting boards operating under the
auspices of the International Federation of Accountants (IFAC) in
the areas of audit and assurance, education and ethics, including
oversight of the public interest activities of three of the IFAC's
independent standard-setting boards and their respective
consultative advisory groups;
- the consultative advisory groups of the International Auditing and
Assurance Standards Board (IAASB) and the International Ethics
Standards Board for Accountants (IESBA), which are responsible for
developing international auditing and ethics standards respectively;
- the International Forum of Independent Audit Regulators
(IFIAR), which is responsible for improving audit quality
globally, including through independent inspections of auditors
and/or audit firms; and
- the Global Public Policy Committee (GPPC), which is comprised of
representatives from the six largest international accounting
networks and focuses on public policy issues for the accounting
profession.
24. The objective of this dialogue is to enable the Committee and the
relevant international stakeholders to identify and discuss relevant issues
and topics on a timely basis so that supervisors, external auditors and
audit oversight bodies can take appropriate action.
As such, these discussions should address not only current issues and
topics, but also emerging areas and trends that raise concern.
3. Overview of the principles
- Principle 1: The external auditor of a bank should have banking
industry knowledge and competence sufficient to respond
appropriately to the risks of material misstatement in the bank's
financial statements and to properly meet any additional regulatory
requirements that may be part of the statutory audit.
- Principle 2: The external auditor of a bank should be objective and
independent in fact and appearance with respect to the bank,
consistent with the more stringent requirements applicable to public
interest entities in internationally accepted ethical standards.
- Principle 3: The external auditor should exercise professional
scepticism when planning and performing the audit of a
bank, having due regard to the specific challenges in auditing a
bank.
- Principle 4: Audit firms undertaking bank audits should comply with
the more stringent requirements on quality control applicable to listed
entities in internationally accepted quality control standards, having
due regard to the complexity of a bank audit.
- Principle 5: The external auditor of a bank should identify and assess
the risks of material misstatement in the bank's financial
statements, taking into consideration the complexities of banking
activities and the need for banks to have a strong control
environment.
- Principle 6: The external auditor of a bank should respond
appropriately to the significant risks of material misstatement in the
bank's financial statements.
- Principle 7: The audit committee should have a robust process for
approving, or recommending for approval, the
appointment, reappointment, removal and remuneration of the
external auditor.
- Principle 8: The audit committee should monitor and assess the
independence of the external auditor.
- Principle 9: The audit committee should monitor and assess the
effectiveness of the external audit.
- Principle 10: The audit committee should have effective
communication with the external auditor to enable the audit
committee to carry out its oversight responsibilities and to enhance
the quality of the audit.
- Principle 11: The audit committee should require the external auditor
to report to it on all relevant matters to enable the audit committee to
carry out its oversight responsibilities.
- Principle 12: The supervisor and the external auditor should have an
effective relationship that includes appropriate communication
channels for the exchange of information relevant to carrying out
their respective statutory responsibilities.
- Principle 13: The external auditor should report to the supervisor
matters that are likely to be of material significance to the functions
of the supervisor.
- Principle 14: There should be open, timely and regular
communication between the banking supervisory authority, the audit
firm and the accounting profession as a whole on key risks and
systemic issues as well as a continuous exchange of views on
appropriate accounting techniques and auditing issues.
- Principle 15: There should be regular and effective dialogue between
the banking supervisory authority and the relevant audit oversight
body.
- Principle 16: The banking supervisory authority and the audit
oversight body should observe appropriate confidentiality
requirements when sharing information.
4. Supervisory expectations relevant to the external auditor and
the external audit of financial statements
25. External audits of financial statements performed in accordance with
internationally accepted auditing standards enhance the confidence of all
users, including supervisors, in the reliability of the audited financial
statements and the quality of the information provided.
26. Audits of banks should be performed in accordance with
internationally accepted auditing standards.
As these standards are not industry-specific, for a quality audit
supervisors expect external auditors not only to comply with
internationally accepted auditing standards but also to tailor their audit
work in response to the significant risks and issues applicable to banks.
27. External auditors are required to comply with applicable jurisdictional
and, where relevant, internationally accepted ethical standards.
However, given the complexity and systemic risks associated with
banks, the external auditor of a bank should follow the most stringent
rules for independence under these standards.
Similarly, the external auditor of a bank should also follow the most
stringent standards on quality control at the engagement level.
28. Part A of this section describes the supervisor's expectations as a user
of the bank's financial statements, specifically with respect to the external
auditor's knowledge, competence, objectivity, independence, professional
scepticism and quality control over the bank's audit.
Part B identifies areas where supervisors believe there is often a
significant risk of material misstatement in a bank's financial statements
and factors to which the supervisor expects the external auditor to pay
attention when auditing those areas.
29. While the primary focus in this section is on the financial statement
audit, particularly in Principles 5 and 6, the external auditor may identify
matters in the course of the audit that are of interest to the supervisor and
therefore should be considered for communication to the supervisor.
Examples of such matters have been included in Section 6.
30. In some jurisdictions, as part of the statutory audit, the external
auditor may also undertake additional work to provide assurance on
internal controls or other aspects of a bank's operations.
The principles set out in this section provide a relevant reference for the
performance of such additional work.
31. The principles and explanatory guidance set out in this section
provide a framework for the supervisor's interactions with the external
auditor, the audit committee and the relevant audit oversight body.
The outcome of these interactions will inform the supervisor's views as to
the quality of the external audit and contribute to the supervisory process.
These principles and explanatory guidance also provide a framework to
assist the audit committee in selecting the external auditor and in
assessing the external auditor's knowledge, competence, objectivity and
independence as well as the effectiveness of the audit process.
A. The supervisor's expectations of the external auditor of a
bank
Knowledge and competence
Principle 1: The external auditor of a bank should have banking industry
knowledge and competence sufficient to respond appropriately to the
risks of material misstatement in the bank's financial statements and to
properly meet any additional regulatory requirements that may be part of
the statutory audit.
32. Given the complexity and diversity of banking activities, and the legal
and regulatory framework in which banks operate, the external auditor of
a bank should have specialised knowledge and competence in auditing
banks and should use experts as appropriate.
Knowledge
33. The resources required to perform the audit should be such that the
audit engagement team, as a whole, has:
- proficient knowledge and understanding of, and practical experience
with, the banking sector, associated banking industry and
bank-specific risks, and the operations and activities of banks and bank
audits.
The audit engagement team may acquire this proficiency through
specific training, participation in bank audits or work in the banking
sector;
- proficient knowledge of applicable accounting, assurance and ethical
standards, industry practice and relevant guidance such as
International Auditing Practice Note (IAPN) 1000;
- proficient knowledge of relevant regulatory requirements in the areas
of capital and liquidity, and a general understanding of the legal and
regulatory framework applicable to banks; and
- proficient knowledge and understanding of IT relevant to bank
audits.
34. In addition, the external auditor should consider whether the audit
engagement team should include specialists with a high degree of
technical accounting knowledge relevant to banking, particularly given
the complexity of the requirements of the applicable financial reporting
framework pertaining to accounting estimates, including loan loss
provisions, fair value measurements, and any areas known to be subject to
differing interpretation or inconsistent or developing practices.
Competence
35. Audit firms should have documented policies and procedures that set
minimum competency criteria for members of a bank’s audit engagement
team.
36. Supervisors may have the ability to influence the competency
requirements for external auditors.
Where regulations and standards in particular jurisdictions do not include
specific competency requirements for banks’ external auditors, the
supervisor may encourage professional and regulatory bodies to introduce
requirements regarding training in, and experience with, bank auditing
and accounting so that the audit engagement teams for bank audits are
comprised of sufficiently competent staff.
37. Competence is particularly important in underpinning an external
auditor’s ability to exercise professional judgment and carry out key
aspects of the audit, such as identifying and assessing the risks of
material misstatement and designing and implementing appropriate
responses to those risks.
Use of experts
38. In some instances, such as the auditing of certain complex accounting
estimates, more specialised knowledge may be required to support the
audit engagement team, eg additional expertise beyond that possessed by
the audit engagement team’s members in a field other than accounting or
auditing.
Examples of such areas are valuation of complex financial
instruments, commercial property valuations and evaluation of highly
complex IT environments, particularly in areas subject to significant
risks of material misstatement.
39. Internationally accepted auditing standards set out requirements for
the nature, timing and extent of audit procedures which the external
auditor should perform to assess the competence, capabilities and
objectivity of the experts the external auditor may use.
These are important factors in considering the reliability of the
information or results produced by the expert.
Objectivity and independence
Principle 2: The external auditor of a bank should be objective and
independent in fact and appearance with respect to the bank, consistent
with the more stringent requirements applicable to public interest entities
in internationally accepted ethical standards.
Objectivity
40. Objectivity is a fundamental ethical principle and a key element of
audit quality. It requires that the external auditor’s judgment is not
affected by conflicts of interest.
As objectivity is a state of mind that in most cases cannot be directly
observed by users of financial statements, it is important for the external
auditor to be independent in both fact and appearance.
Independence
41. Independence is freedom from situations and relationships in which a
reasonably informed third party would conclude that an external auditor’s
objectivity is impaired.
Jurisdictional and internationally accepted auditing standards and
internationally accepted ethical standards lay out frameworks for external
auditors to identify and respond to threats to independence.
42. The external auditor of a bank must comply with the applicable
jurisdictional and internationally accepted ethical standards.
Furthermore, the Committee believes that the external auditor of a bank
should comply with the more stringent independence standards for
public interest entities.
To the extent that any of the rules within any one of these standards on
ethics is more restrictive than the corresponding rule in the other
standards on ethics, the external auditor must comply with the more
restrictive rule.
43. Independence should be observed not only in the context of the bank
that is being audited but also with respect to the bank’s related entities.
44. External auditors of a bank should comply with applicable
jurisdictional requirements on the rotation of members of the audit
engagement team.
45. The audit engagement team members, the audit firm and, when
applicable, network audit firms should comply with the independence
requirements of both the home jurisdiction and the overseas regulatory
authority (in the case where the bank is ultimately regulated by an
overseas authority).
46. When assessing whether any relationship or circumstance poses a
threat to an external auditor’s independence, the external auditor should
evaluate not just the specific rules on independence, but also the
substance of the threat to independence, and how a reasonably informed
third party would perceive the threat and its effect on the external
auditor’s objectivity.
The provision of significant non-audit services by the audit firm
and, when applicable, network audit firms to the bank being audited
may particularly affect a third party’s perception of the external
auditor’s independence.
Such situations should be carefully evaluated for threats to the external
auditor’s objectivity and perceived independence.
47. The supervisor expects the external auditor to consider actively
potential threats to the auditor’s independence, specifically the threat of
self-review, when discussing accounting matters with the management.
For example, complex transactions may be structured to achieve a
particular accounting treatment and/or regulatory outcome.
When an external auditor discusses with or provides advice to
management on such matters, the external auditor must exercise care so
as not to take on a management role or responsibility.
Professional scepticism
Principle 3: The external auditor should exercise professional scepticism
when planning and performing the audit of a bank, having due regard to
the specific challenges in auditing a bank.
48. Professional scepticism is defined as “an attitude that includes a
questioning mind, being alert to conditions which may indicate possible
misstatement due to error or fraud, and a critical assessment of
evidence”.
Professional scepticism should manifest itself not only through the
auditor obtaining corroborating evidence for management’s
assertions, but also challenging management’s assertions, actively
considering whether there are alternative accounting treatments that are
preferable to those selected by management, and documenting the
approach, the evidence obtained, the rationale applied and the
conclusions reached.
Throughout the audit, the auditor should “adopt a questioning approach
when considering information and forming conclusions”.
49. Exercising appropriate professional scepticism is critically important
in audits of banks because of the number and significance of accounting
estimates and the potential for limited objective evidence supporting
those estimates.
Professional scepticism is particularly important when auditing areas
that:
(a) involve significant management estimates and judgments because
these are more prone to management bias;
(b) involve significant non-recurring or unusual transactions; or
(c) are more susceptible to fraud and errors being perpetuated due to
weak internal controls.
50. Specific areas where professional scepticism should be exercised by
the external auditor of a bank include impairment calculations, fair value
measurements and going concern assessments, including assessments of
solvency and liquidity.
Other examples may include complex transactions structured to achieve a
particular accounting treatment and/or regulatory outcome by the
management where the audit engagement partner has or ought to have
reasonable doubt that the proposed accounting treatment and/or
regulatory outcome is consistent with the relevant financial reporting
framework or regulatory requirements.
In this context, the external auditor should actively challenge
management’s assumptions and judgments and form independent views.
This includes challenging evidence obtained from management that
corroborates management’s view.
51. Where a bank consistently utilises valuations that are at the high or low
end of a range of acceptable valuations or when there are other indications
of possible management bias, the external auditor should consider this in
the overall risk assessment of the bank and should inform those charged
with governance, where appropriate.
52. The evidence of the extent of professional scepticism exercised should
be demonstrable and understandable through audit documentation that
describes how, why and what conclusions were reached by the external
auditor.
In this regard, internationally accepted auditing standards establish
minimum requirements for audit documentation.
Quality control
Principle 4: Audit firms undertaking bank audits should comply with the
more stringent requirements on quality control applicable to listed
entities in internationally accepted quality control standards, having due
regard to the complexity of a bank audit.
53. Audit firms must comply with the applicable jurisdictional and
internationally accepted standards on quality control.
Furthermore, the Committee believes that the external auditor of a bank
should comply with the more stringent requirements on quality control
applicable to listed entities in internationally accepted quality control
standards.
To the extent that any of the rules within any one of these quality control
standards is more restrictive than a corresponding rule in the other quality
control standards, the external auditor must comply with the more
restrictive rule.
54. The audit of a bank should be subject to an engagement quality
control review (EQCR) performed internally by the audit firm prior to the
issuance of the audit opinion.
The engagement quality control reviewer should have the appropriate
knowledge and competence to review bank audits.
The reviewer should exercise professional scepticism in assessing the
quality of audit evidence and whether the auditor’s judgments are
appropriate.
55. EQCR should be part of a broader firm-level internal system of quality
control that emphasises quality and consultation and creates a culture of
compliance with auditing and ethical standards.
56. Where a network of audit firms is involved in the audit of a bank, the
individual audit firms within the network should apply quality control
processes that comply with this document.
In such cases, the lead audit engagement partner should be responsible
for the performance of a quality audit by all the teams reporting to it.
In doing so, the lead partner may place reliance on the processes by
which quality control is exercised within the network firms that report to
it.
For example, the lead audit engagement partner of a group audit may rely
on the firm’s processes for
(a) ensuring that each audit engagement team member
(i) acquires the appropriate skills, knowledge and experience to perform
bank audits and
(ii) complies with independence rules, and
(b) monitoring adherence to the audit firm’s policies and procedures on
quality control.
57. The involvement of the engagement quality control reviewer
throughout the audit, and the outcome of the quality control
review, should be evident in the audit working papers.
Any significant discussions between the engagement quality control
reviewer and the audit engagement team, particularly in areas where
views may have differed and as to how conclusions were reached, should
be fully documented in the audit working papers.
Thus in jurisdictions where the supervisor has access to the external
auditor’s working papers, the quality control review would also be at the
supervisor’s disposal.
B. Supervisory expectations of the audit of a bank’s financial statements
Identifying and assessing significant risks of material misstatement specific to a bank’s financial statements
Principle 5: The external auditor of a bank should identify and assess the
risks of material misstatement in the bank’s financial statements, taking
into consideration the complexities of banking activities and the need for
banks to have a strong control environment.
Identifying potential risks
58. Banks are exposed to a variety of risks that can potentially affect the
results of their operations or financial condition.
These include, but are not limited to, credit risk, market risk, liquidity
risk, operational risk and regulatory risk.
New risks may emerge or the significance of each risk may change over
time as a result of various factors that may be driven by changed
circumstances or developments both internal and external to the bank.
59. In designing and performing the audit of a bank, the external auditor
should assess the inherent and control risk to determine the risk of
material misstatements at the financial statement and assertion levels.
By doing so, the external auditor gains an understanding of internal
controls that are relevant to the audit, and particularly of the control
environment designed by the bank.
60. To respond to the assessed risk of material misstatement, an external
auditor follows an audit strategy that includes both substantive
procedures and control testing.
Given the nature of bank activities, including those involving a high
volume of transactions, banks implement controls designed to address
risks posed to the organisation.
As a result, the external auditor of a bank should perform extensive tests
of controls over financial reporting to assess whether, and to what
extent, the auditor can rely on them.
Materiality
61. An understanding of the concept of materiality and determination of
materiality thresholds is needed in order to establish the audit
strategy, and identify and assess whether a risk of material misstatement
exists in the financial statements.
62. The determination of what is material to the financial statements as a
whole is a matter for the external auditor’s professional judgment about
misstatements that could reasonably be expected to influence economic
decisions of users taken on the basis of the financial statements.
63. The external auditor should exercise caution when evaluating
identified misstatements.
These misstatements could be an indicator of wider issues within the
bank which could potentially lead to material misstatements in the
financial statements as a whole.
Therefore, individual misstatements should not be dismissed solely
because they are below the level of materiality set for planning purposes.
64. For individual account balances, specific classes of transactions or
disclosures, internationally accepted auditing standards require the
external auditor to determine a lower level of materiality for those
particular account balances, classes of transactions or disclosures, if the
external auditor believes that “misstatements of lesser amounts than
materiality for the financial statements as a whole could reasonably be
expected to influence the economic decisions of users taken on the basis
of the financial statements”.
This is particularly relevant for audits of banks because certain financial
statement items are used in the calculation of key metrics used by a wide
range of users of the financial statements.
For example, regulatory ratios such as the leverage ratio, liquidity ratio
and capital adequacy ratio are calculated based on account balances in
the financial statements or are derived from the financial statements.
Assessing the risks of material misstatement
Internal control and its components
65. According to internationally accepted auditing standards, internal
control components are the control environment, risk assessment
process, information and communication systems and processes, control
activities and monitoring of controls.
66. As stated in the BCBS Principles for enhancing corporate governance, a
robust internal control environment is critical to the strength of a bank’s
governance system and its ability to manage risk.
Consequently, when obtaining an understanding of the bank’s internal
control environment, the external auditor should, amongst other
considerations:
- assess the “tone at the top”, ie whether management, with the
involvement of those charged with governance, is promoting a robust
control environment;
- determine whether the control environment extends to all types of
operations and service offerings and encompasses all subsidiaries
and branches of the banking group;
- understand the bank’s approach to outsourcing/offshoring of
business activities and functions and assess how internal control over
these activities is maintained; and
- obtain an adequate understanding of the organisation of key control
functions within the bank and its subsidiaries.
At a minimum, key control functions include the internal audit, risk
management, compliance and other monitoring functions.
67. Compensation arrangements at a bank may be a good indicator of the
culture within the organisation because they can influence the behaviour
of the bank’s personnel and the quality of corporate governance.
The external auditor should pay particular attention to the risks of
material misstatement in the financial statements due to
fraud, particularly where banks employ compensation arrangements
that may encourage excessive risk-taking or other inappropriate
behaviour amongst their personnel.
Control activities
68. Internationally accepted auditing standards require the external
auditor to obtain an understanding of control activities relevant to the
audit which, in the auditor’s judgment, are necessary to assess the risks of
material misstatement and to establish the audit strategy.
The assessment of the control activities over financial reporting is critical
for the design of further audit procedures responsive to assessed risks.
When identifying and assessing risks of material misstatement and
assessing controls, the external auditor should take account of the
following factors:
- the knowledge and competence of those in charge of financial
reporting and of other control functions having an impact on
financial reporting;
- the nature of hedging strategies employed by the bank which, if
complex, improperly structured or inadequately monitored, can have
accounting and solvency implications;
- the use of complex financial instruments involving significant
estimates of fair value;
- the provision of custodial services to retail and/or institutional clients
and the procedures in place to avoid co-mingling of client and
proprietary assets;
- the volume of transactions by type of activity and/or presence of
significant non-routine transactions;
- the use and monitoring of internal accounts;
- the structure and complexity of IT systems for conducting business
and for facilitating efficient business and financial reporting, as they
may lead to increased risk of fraud or error, particularly where there is
potential for individual override of the control system or the potential
for fraudulent transactions to go undetected due to the sophistication
and complexity of the IT systems;
- the number, scope and geographical dispersion of subsidiaries and
the necessity for complex consolidation procedures;
- the existence of significant transactions with related parties; and
- the use of off-balance sheet financing arrangements, such as special
purpose entities (SPEs) and other complex structures.
69. Banking supervisors and those charged with governance, such as the
audit committee, need to be satisfied that the internal control is
commensurate with the nature, volume and complexity of the bank’s
activities and is organised in accordance with regulatory and legal
requirements.
The internal control of a bank must be robust and reliable in order to cope
with stressed environments.
Significant deficiencies in internal control which have been identified by
the external auditor should be communicated in writing to those charged
with governance and senior management, and other deficiencies in
internal control should be communicated to the senior management at an
appropriate level of responsibility on a timely basis.
In addition, the Committee believes that the external auditor should
communicate in writing all matters that are likely to be significant to the
responsibilities of those charged with governance in overseeing the
strategic direction of the entity or the entity’s obligations related to
accountability.
Such matters may include significant decisions or actions by
management that lack appropriate authorisation.
Internal audit
70. The internal audit function is an important element of the overall
internal control environment.
It provides assurance to the board of directors and senior management on
the quality and effectiveness of a bank’s internal control, risk management
and governance systems and processes.
The work of internal auditors can help external auditors assess the quality
of the internal control processes and identify risks.
71. Whether or not the external auditor expects to use the work of a bank’s
internal auditors, provided there is no reason to doubt their
knowledge, competence and objectivity, the external auditor should
engage with, and seek information on key internal audit findings
from, the internal auditors.
This may provide valuable input into the external auditor’s understanding
of the entity and its environment and aid in identifying and assessing risks
of material misstatement.
The external auditor should consider reading relevant internal audit
reports if the information obtained from engaging with the internal
auditors indicates issues that may have an impact on the financial
statement audit.
72. The external auditor’s observations on and, where relevant, evaluation
of a bank’s internal audit function are of particular interest to the audit
committee and the bank’s supervisor given the role an effective internal
audit function plays in maintaining a robust control environment in a
bank.
Responding to significant risks of material misstatement specific to a bank’s financial statements
Principle 6: The external auditor of a bank should respond appropriately
to the significant risks of material misstatement in the bank’s financial
statements.
73. Having identified and assessed the risks of material
misstatement, internationally accepted auditing standards require the
auditor to identify any areas where there is a significant risk of material
misstatement.
Paragraphs 78-98 below set out key audit areas of a bank’s financial
statements, where there is often a significant risk of material
misstatement.
74. In addition to the areas set out in paragraphs 78-98, there are other
items in a bank’s financial statements whose regulatory treatment could
give rise to incentives for management bias in the recognition or
measurement of such items.
As a consequence, there is a greater risk of material misstatement of these
items in the financial statements.
This may lead to inappropriate application of regulatory rules to these
items and a material misstatement of the bank’s capital position.
Examples of such items are deferred tax assets, investments in
unconsolidated entities, pension fund assets, and the classification of
financial instruments.
External auditors should therefore be alert to any likelihood that the
treatment of such items in the financial statements is influenced by
management bias towards a desired regulatory outcome and consider this
in their risk assessment of the bank.
External auditors should also be aware that management bias may
change over time depending on, for example, the extent to which the
bank is able to meet its regulatory requirements.
External auditors should evaluate estimates which may be subject to this
bias, and any potential audit differences otherwise identified, in the
context of the impact on regulatory capital or regulatory capital
ratios, consistent with paragraph 64.
75. Areas of significant risk of material misstatement particularly require
an external auditor to apply professional judgment and experience.
Internationally accepted auditing standards require that the external
auditor obtain sufficient appropriate audit evidence regarding the
assessed risks of material misstatement, through designing and
implementing appropriate responses to those risks.
76. Internationally accepted auditing standards require special audit
consideration for areas where significant risks of material misstatement
are identified.
Given that these areas are associated with issues that the external auditor
identifies as highly important for the bank, these areas are worthy of
discussion with those charged with governance.
77. As the categories of what may be a significant risk for a bank may
change over time, the list of audit areas provided in paragraphs 78-98 of
this document as areas where there is often a significant risk of material
misstatement is not intended to be comprehensive.
Loan loss provisioning
78. Loan loss provisioning is generally material for a bank’s financial
statements and the calculation of capital and key performance metrics.
The measurement of loan loss provisions in accordance with
internationally accepted accounting principles involves complex
judgments about credit risk which may be subjective in nature.
79. The factors that the external auditor needs to consider in identifying
and assessing the significant risks of material misstatement in relation to
loan loss provisioning and the related allowance for loan losses include:
(a) The estimation techniques used to compute provisions and how the
techniques vary among and within banks.
(b) How management has assessed the effect of estimation uncertainty on
the level of provisioning, and the effect such uncertainty may have on the
appropriateness of the recognised provision and the sufficiency of the
related allowance for loan losses in the financial statements.
(c) All known and relevant impairment indicators for loan exposures which
include previously unexpected adverse developments in the market or
economic environment, adverse movement in interest
rates, restructuring, inadequate underwriting policies adopted by the
bank, overdue payments, failure of the borrower to meet budgeted
revenues or net income, covenant breaches and forbearance.
(d) Whether the bank has sought perspectives and data from different
functions within the bank, including risk management, credit and
internal audit, as well as reliable sources external to the bank, including
peer data and regulator perspectives so as to consider all relevant and
available information in assessing impairment.
(e) Accounting rules for provisioning may differ from the provisioning
rules that apply for regulatory reporting or capital purposes.
It may therefore be customary for banks to have different processes and
systems to generate loan loss provisions for accounting purposes and for
regulatory purposes.
Further, there can be material differences in the application of the same
set of accounting and/or regulatory rules by individual banks.
Large differences between provisions for accounting purposes and for
regulatory purposes may indicate a risk of material misstatement of the
accounting provision.
In addition, whilst for regulatory capital purposes under the Basel
framework the accounting loan loss provision for internal ratings-based
approach (IRB) portfolios is replaced by the regulatory expected loss
provision, the level of the accounting provision may nevertheless have an
impact on the level or the composition of regulatory capital, due to the
treatment of the tax effect of provisions and the allocation of any excess
provision to capital tiers.
External auditors should be alert to any management bias in this area.
(f) Disclosures should enable users to assess the loan loss provisioning
methodology applied by the bank, regarding how it relates to credit risk
for that bank, and how it compares with methodologies applied across the
banking sector.
Financial instruments measured at fair value
80. A bank’s portfolio of financial instruments measured at fair value can
range from “plain vanilla” financial instruments which are frequently
traded in liquid markets with observable market prices, and involve less
measurement uncertainty, to those which are customised, complex, and
where the valuation is based on significant unobservable inputs with a
substantial amount of management judgment.
Financial instruments measured at fair value also include financial
instruments that are subject to an impairment assessment which is a key
area of judgment.
81. Where there are changes in the composition of a bank’s portfolio of
financial instruments – whether due to changes in customer demand, the
bank’s approach to managing risk and liquidity, or changes in prudential
regulation – the bank will need to evaluate any accounting implications of
the changes.
82. Accounting standards contain requirements on recognition; initial
and subsequent measurement (including impairment); reclassification
from fair value to amortised cost; presentation; and disclosures.
Because these requirements are complex, they may be difficult to
interpret and apply, and therefore the external auditor often needs to
utilise more complex and wider-ranging audit procedures to obtain
sufficient appropriate audit evidence to satisfy him/herself that the
financial statements are not materially misstated.
The classification of an individual financial instrument may be
particularly important for achieving a favourable regulatory outcome.
83. In adopting a sceptical approach to management’s assumptions
regarding the valuation of financial instruments for which there are
significant unobservable inputs, IAPN 1000, Special considerations in
auditing financial instruments, sets out specific audit procedures that may
be followed in auditing financial instruments measured at fair value.
Liabilities including contingent liabilities arising from non-compliance with laws and regulations, and contractual breaches
84. Non-compliance with, or material breaches of, the prudential
framework, conduct requirements, legal requirements or contractual
agreements could lead to legal or supervisory actions against a
bank, thereby exposing the bank to potential litigation and/or the
imposition of substantial penalties.
Such events may require recognition of provisions, contingent liabilities
and/or qualitative disclosures in the bank’s financial statements.
Further, any adverse impact on the bank’s reputation resulting from this
non-compliance could have consequences for the bank’s going concern
assessment.
85. In the course of the audit, the external auditor should remain alert to
actual or suspected breaches of prudential regulations, particularly those
that are likely to be of material significance to the functions of the
supervisor.
As noted in Section 6 below, if the external auditor identifies any such
breaches of material significance, the auditor should notify the supervisor
immediately.
Disclosures
86. A number of factors have contributed to an increased demand from
users for more relevant and extensive qualitative and quantitative
disclosures.
These include the increased complexity of business
transactions, including off-balance sheet transactions and
non-recognition of assets and liabilities, and increased use of fair value and
other accounting estimates, with significant uncertainties and changes
in measurement attributes.
87. While accounting standards specify disclosure objectives, the
standards may not always prescribe in all circumstances specific
disclosures to meet those objectives.
Therefore, there may be a substantial amount of judgment in assessing
whether disclosures are presented fairly in accordance with the disclosure
objectives in the relevant accounting framework.
88. Increased transparency through fairly presented public disclosures
enhances market confidence.
It is therefore important that the bank provide disclosures which present
the bank’s financial condition, the risks to which it is exposed and how
they are managed, and are meaningful and responsive to changes in
market conditions and perceived risks.
89. In responding to the significant risks in this area of audit, the external
auditor has an important role to play in encouraging consistent and
meaningful disclosures which present the bank’s financial condition in a
way that is informative and understandable to users of financial
statements.
90. In the course of its audit work, the external auditor should be alert to
any indications that disclosures in financial statements are not consistent
with the bank’s prudential information such as capital adequacy and
liquidity position disclosures within the financial statements.
Going concern assessment
91. A going concern gives rise to two separate issues:
(a) whether the going concern basis of preparation of financial statements
is appropriate; and
(b) the external auditor’s evaluation of the bank’s assessment of its ability
to continue to meet its obligations for the foreseeable future (for at least 12
months after the date of the financial statements) and whether there are
material uncertainties in this regard that should be disclosed in the
applicable accounting framework.
92. The work the external auditor performs to assess the going concern
status of a bank is different from that likely to be performed for a
non-bank entity because of the contractual terms of bank assets and
liabilities (maturity mismatch), the potential for regulatory
intervention, and the impact that the signalling of any uncertainty over
the bank’s ability to continue as a going concern could have on the
short-term viability of the bank.
93. Examples of reasons that make the going concern assessment of a
bank unique are as follows:
(a) Current emerging risks and concerns specific to the bank or the
banking industry as a whole may have an impact on the historical trends
for the specific bank in such a manner that the historical trends may not
reflect the likely trend over the next year.
For example, during periods of market turmoil, normal sources of
funding may no longer be available, as deposits payable on demand may
run off more quickly than historical experience would contemplate and
such deposits may be difficult to replace.
(b) As banks are highly leveraged, a small change in asset valuation may
have a substantial impact on the adequacy of a bank’s regulatory capital.
Market risks may be such that financial instruments held at fair value may
be subject to substantial changes in value in the short term and significant
volatility over the longer term.
A decrease in regulatory capital may result in a downgrade by rating
agencies making funding more expensive and possibly harder to obtain.
94. Given these and other risks, banks are required to meet liquidity
requirements and capital ratios set by the bank supervisory authority.
There should be equal emphasis on the evaluation of liquidity and
solvency of the bank for the period over which the going concern
assumption has been assessed:
(a) Liquidity: Factors to assess include the reasonableness and reliability
of the cash forecast for at least 12 months after the date of the financial
statements, liquidity risk disclosures, regulatory or contractual
restrictions on cash, loan covenants, and pension funding.
(b) Solvency: Given the potential adverse impact of capital adequacy
concerns on the confidence in a bank and, as a consequence, on the bank
operating as a going concern, the external auditor will need to consider
the robustness of the bank’s system for managing capital.
In addition, the external auditor will need to consider the capital position
in relation to the current and any known future capital
requirements, definitions of capital resources, and challenges of raising
capital.
This is particularly critical where capital levels are strained, access to
capital resources is restricted or where, for example, the bank’s annual
report or internal capital projections include ambitious projections of
improvements in capital levels.
95. In responding to the significant risks in this area of audit, and
assessing management’s assertion that a bank is a going concern, factors
which are necessary to consider are:
(a) the robustness of the bank’s own systems and controls for managing
liquidity, capital and market risk;
(b) the prudential information that is reported to supervisors covering the
bank’s solvency and capital;
(c) any external indicators that reveal liquidity or funding concerns; and
(d) the availability of short-term liquidity support.
96. Given the above risks and the possible systemic implications, if there
are any significant doubts which may cause material uncertainty over the
bank’s ability to continue as a going concern, and if the external auditor
considers referring to the going concern issue in the audit report, the
external auditor should promptly communicate this fact to the
supervisors.
Securitisations – SPEs
97. The banking sector is involved in activities such as sponsoring (or
originating) structured products/transactions that support
maturity, credit and liquidity transformation risks more often than other
industry sectors.
The sponsoring bank does not ordinarily fund such activities.
The funding is generally provided by other parties.
However, the sponsoring bank may be exposed to risks such as
reputational risk in the event of the sponsored entity encountering
financial or operational difficulties.
98. Such activities require special consideration by the external auditor
and are of interest to the supervisor for the following reasons:
(a) Accounting concern – Accounting frameworks are often
principles-based, which may result in different treatments of each of these
complex transactions.
In addition, because these are highly structured products, their
accounting treatment may vary based on the facts and circumstances of
each transaction, eg where SPEs are tailored to remain off the bank’s
balance sheet.
In these instances, it is necessary for the auditor to evaluate the
judgments made by the management and consider whether the
accounting treatment is appropriate and the disclosures are sufficient.
(b) Regulatory concern – Because of the complexity of the securitisation
and the chain of financial intermediation, the sponsoring bank in an
“originate to distribute” model may underestimate the real risk
transferred or the risk retained on its balance sheet (including reputation
risk and conflicts of interest in case of defaults on the securitised assets).
Even so, the originator may be able to benefit from an off-balance sheet
treatment for the assets underlying these transactions and hence may not
be required to hold additional regulatory capital unless specifically
required by the supervisor.
The external auditor should be alert to when the supervisor requires
additional capital even though the off-balance sheet accounting
treatment applied by the bank is appropriate.
(c) Interconnectivity – Increases the correlation between banks and other
non-banking sectors, which can add to the global systemic risk.
5. Supervisory expectations with regard to a bank’s audit
committee and its relationship with the external auditor
99. The BCBS’s paper on the Internal audit function in banks (June 2012)
and its paper on Principles for enhancing corporate governance (October
2010) describe the main responsibilities of a bank’s audit committee.
The audit committee has, amongst others, a number of responsibilities
with respect to the external auditor and the statutory audit.
The audit committee approves, or recommends to the board of directors
for approval, the appointment, reappointment, dismissal and
compensation of the external auditor.
The audit committee also monitors and assesses the independence of the
external auditor.
100. The audit committee oversees the bank’s statutory audit process.
Key aspects of the audit committee’s work encompass the assessment of
the effectiveness of the external audit process.
The audit committee should require that senior management take the
necessary corrective actions to address the findings and
recommendations of the external auditor in a timely manner.
101. The discussion below focuses on the audit committee’s
responsibilities in relation to the oversight of, and its relationship
with, the external auditor to promote and support the integrity, objectivity
and independence of the auditor, the quality of the external audit and the
competencies that underpin that quality.
To enable the audit committee to carry out its oversight
responsibilities, which also contribute to the effectiveness of the audit
process, the principles in this section promote effective two-way
communication between the audit committee and the external auditor.
It is important to note that all the discussions below stem from an
important overarching principle: namely, that there should be a
frank, open working relationship and a high level of mutual respect
amongst all parties involved.
102. The principles and explanatory guidance in this section form the
basis for the supervisor’s monitoring of the effectiveness of the audit
committee in its oversight of the external auditor.
Appointment of the external auditor
Principle 7: The audit committee should have a robust process for
approving, or recommending for approval, the
appointment, reappointment, removal and remuneration of the
external auditor.
103. The audit committee has the primary responsibility for approving, or
recommending to the board of directors for approval, the
appointment, reappointment, removal and remuneration of the external
auditor.
In doing so, the audit committee should determine appropriate criteria for
selecting the external auditor and regularly assess the
knowledge, competence, independence (see Principle 8 below) of the
external auditor and effectiveness (see Principle 9 below) of the external
audit, having due regard to the guidance in Section 4.
104. The audit committee’s procedures for approving or recommending
the approval of the external auditor should also include a risk assessment
of the likelihood of the withdrawal of the external auditor from the
audit, and how the bank would respond to that risk.
105. The audit committee should contribute a section to the bank’s
annual report which explains the approach taken regarding the
recommendation of the appointment or reappointment of the external
auditor, and should include supporting information on the tenure of the
incumbent auditor.
106. If the board of directors has approval responsibilities with respect
to the external auditor, but does not accept the audit committee’s
recommendation, it should include in the annual report, and in any
papers relating to the appointment/reappointment/dismissal of the
external auditor, a statement explaining the audit committee’s
recommendation and the reasons why the board of directors has taken a
different position.
107. The audit committee should assess the overall quality of the external
auditor, prior to its first appointment and at least annually thereafter.
To that end, the audit committee should request that the external auditor
report on the external auditor’s own internal quality control
procedures, including the audit firm’s EQCR process, and any significant
matters of concerns arising from these procedures.
The audit committee should also consider, where available, the external
audit firm’s annual transparency report and any inspection reports on the
audit firm issued by the relevant oversight body.
108. The audit committee should maintain an understanding and
knowledge of:
- the structure and governance of the audit firm;
- the current nature of the audit environment, including any overseas
jurisdictions where the bank operates;
- significant issues and concerns raised by the relevant audit oversight
body regarding the audit firm, and the auditor’s action in addressing
these concerns, to understand how these shortcomings may affect the
quality of the audit of the bank;
- the nature of banking regulatory actions and conditions that could
have an impact on the external auditor’s work on the bank, including
any regulatory actions and conditions specific to the bank being
audited, or to actions and conditions that the supervisor is imposing
on all banks (for example, through newly implemented regulations
and policies); and
- public lessons learned from any recent external audit failures
associated with the bank’s audit firm and how the firm has dealt with
them so that similar deficiencies do not occur.
109. The audit committee should also satisfy itself that the level of the
audit fees is commensurate with the scope of work undertaken.
Where fee reductions are offered and accepted, the audit committee
should seek assurance that these reductions do not imply an
inappropriate increase in the materiality level to be applied by the
external auditor, or a narrowing of the external auditor’s proposed scope
of the audit, or a reduction in the attention which will be given to each
business component and the significant audit risks identified.
110. The audit committee should discuss and agree to the terms of the
engagement letter issued by the external auditor prior to the approval of
the engagement.
Where relevant, the audit committee should agree to an engagement
letter that has been updated to reflect changes in circumstances, such as
those arising from changes in legal requirements and changes in the
scope of the external auditor’s work as a result of revisions to
internationally accepted auditing standards which have arisen since the
previous year.
111. If the external auditor resigns or communicates an intention to
resign, the audit committee should follow up on the reasons/explanations
giving rise to such resignation and consider whether the audit committee
needs to take any action in response to those reasons.
Independence of the external auditors
Principle 8: The audit committee should monitor and assess the
independence of the external auditor.
112. The independence of the external auditor is one of the main
prerequisites for an adequate level of audit quality.
As such, the audit committee should understand the applicable
independence requirements.
The audit committee should have procedures to monitor and assess the
independence of the external auditor at least annually, taking into
consideration relevant national laws, regulations and professional
requirements.
The assessment should also involve a consideration of all relationships
between the bank and the audit firm (including the provision of non-audit
services) and any safeguards established by the external auditor.
113. Where the audit firm has been the external auditor of the bank for
many years, there may be a perception that there is a familiarity or
self-interest threat to the external auditor’s objectivity and independence
in its audit of the bank.
However, when the bank changes its external auditor, there is a risk that
the depth of understanding of the bank and its activities and systems will
be lost.
This may affect the new external auditor’s ability to identify risks of
material financial statement misstatements and respond to them
appropriately, and hence may detract from the quality of the audit.
114. Audit committees should have a policy in place that stipulates the
frequency with which there should be a tender for the external audit
contract.
The policy should also call for the audit committee to consider
periodically whether there should be a limit to the length of an external
auditor’s tenure as the bank’s external auditor given the potential impact
of audit firm rotation on independence and audit quality.
115. Audit committees should understand the audit firm’s policy on
rotation of members of the audit engagement team and the audit firm’s
compliance with any jurisdictional or other local regulatory requirements
in this regard.
116. As described in Principle 2, the audit committee should seek
assurance that the audit engagement team members and their firm
and, when applicable, the network external auditors have no
financial, personal, business or other relationships with the bank which
could adversely affect the auditor’s actual or perceived independence
and objectivity.
The audit committee should seek from the external auditor, at least on an
annual basis, information about the audit firm’s policies and processes for
maintaining independence and monitoring compliance with the relevant
independence requirements.
117. Audit committees of banks should develop a formal policy which
governs the acceptance of non-audit services provided by the auditor.
Amongst other provisions, the policy should include criteria for the types
of non-audit services that the external auditor may provide or is
prohibited from providing, and rules stipulating when advance approval
by the audit committee is required for the auditor’s performance of
non-audit services.
The policy should be reviewed periodically and compliance should be
monitored, taking into account the contents of Section 4 of this
document.
118. Where non-audit services are provided by the external auditor, the
audit committee should monitor and establish that the provision of such
services does not impair the external auditor’s objectivity and
independence, taking into consideration various factors including the
skills and experience of the external auditor, safeguards in place to
mitigate any threat to objectivity and independence, and the nature of and
arrangements for non-audit fees.
119. Where the external auditor provides non-audit services to the
bank, the bank’s annual report should explain to shareholders the nature
of and the fee arrangements for the non-audit services received, and how
auditor independence is safeguarded.
Effectiveness of the external audit
Principle 9: The audit committee should monitor and assess the
effectiveness of the external audit.
120. At the start of each audit, the audit committee should consider
whether the audit approach is appropriate, including considerations on
the audit scope, the level of materiality, areas of focus and whether
planned audit procedures address the areas of significant risk for the
bank, in particular those areas described in Section 4 of this document.
121. The audit committee should consider whether the proposed
resources to execute the audit plan are reasonable given the scope of the
audit engagement, the nature and complexity of the bank’s
operations, and its structure and activities.
The audit committee should understand the nature and extent of audit
work that the external auditor intends to rely upon where the audit work is
performed by network firm personnel or other audit firms.
122. The audit committee should obtain confirmation from the external
auditor that there is adequate knowledge, competence and expertise
within the audit engagement team and that the audit will be conducted in
compliance with internationally accepted auditing standards, as well as
any applicable laws and regulations.
123. The audit committee should discuss with the external auditor the
findings of the latter’s work.
In the course of its monitoring, the audit committee should:
- Obtain an understanding of the external auditor’s view on any major
issues that arose during the audit (including those issues that were
subsequently resolved as well as those that have been left
unresolved), in particular the external auditor’s explanation of the
significant judgments the audit engagement team made and the
conclusions it reached.
This should include the discussions with management and the
judgments involved, the range of possible outcomes and, where
available, a comparison of the bank’s position with that of its peer
group (on an anonymous basis), including a comparison with
previous periods on such major issues;
- Obtain an understanding of the rationale behind the final conclusions
drawn by the audit engagement partner on significant accounting
and auditing matters, particularly in those circumstances where the
audit engagement partner’s conclusions differed from those of the
engagement quality control reviewer; and
- Review the nature and levels of misstatements identified during the
audit, obtaining explanations from management and, where
necessary, the external auditor as to why certain errors might remain
unadjusted.
124. The audit committee should also discuss with the external auditor
the audit representation letters before signature by the board of
directors/senior management and give particular consideration to
matters where specific representation has been requested.
The audit committee should consider whether the information provided
on each of the items in the representation letters is complete and
appropriate based on its own knowledge.
125. As part of the ongoing monitoring process, the audit committee
should discuss with the auditor the management letter (or equivalent)
and any other audit-related reports provided to the bank.
In particular, the audit committee should discuss with the external
auditor any significant deficiencies identified in the bank’s control
environment and in its internal control over financial reporting.
126. At the end of the audit engagement period, the audit committee
should:
- consider whether the audit firm has followed its audit plan and
understand the reasons for any changes, including changes in
perceived audit risks and the work undertaken by the external auditor
to address those risks;
- obtain feedback about the conduct of the audit from key bank
personnel involved, eg the heads of finance and internal audit; and
- report to the board of directors on the effectiveness of the external
audit process.
127. The audit committee should seek to obtain information from the
external auditor on the main findings of audit quality reviews of the
bank’s audit and the audit firm’s quality control systems by audit
oversight bodies.
Relationship between the audit committee and the external
auditor
Principle 10: The audit committee should have effective communication
with the external auditor to enable the audit committee to carry out its
oversight responsibilities and to enhance the quality of the audit.
128. The foundation for an effective relationship is regular, timely, open
and honest communication between the audit committee and the external
auditor.
Regular dialogue between the two parties should be held throughout the
reporting cycle of the bank.
129. While both cooperation and challenges are needed between the
external auditor and the audit committee for the external audit to be
effective, the need for cooperation should never prevent robust challenges
from being made when needed.
Such challenges are a key responsibility of the audit committee and are
part of the productive dialogue on key judgments that can result in
stronger and deeper understanding of and views on the positions of all
parties.
130. In order to reinforce the audit committee’s effectiveness and enhance
the quality of the audit, the audit committee should consider inviting the
external auditor to attend audit committee meetings (except when
discussing matters in relation to the assessment of the external
auditor), even if there are no items explicitly relevant to the external audit
on the agenda.
The external auditor’s attendance should facilitate the exchange of views
on business performance, risk and other topics.
Further, to enhance audit quality, the audit committee should consider, if
necessary, assisting the external auditor to gain access to any other
committee meetings that the external auditor determines to be relevant
for the auditor’s work.
131. The audit committee should have the right and authority to meet
regularly – in the absence of executive management – with the external
auditor.
This will enable the audit committee to understand and discuss all issues
that may have arisen between the external auditor and bank management
in the course of the external audit and how these issues have been
resolved.
In addition, these meetings should address any other matters that the
external auditor believes the audit committee should be aware of in order
to exercise its responsibilities.
132. The audit committee should discuss with the auditor any matters
arising from the statutory audit that may have an impact on regulatory
capital or disclosures.
This may include discussion of the interaction between the accounting
information and the regulatory information, eg accounting impairment
charges versus regulatory expected losses, or the consistency of the
bank’s Pillar 3 reporting with its annual report.
133. The audit committee should discuss with the external auditor any
significant issues identified in the course of the audit, in particular in
areas which could be relevant to future financial statements, to promote
early discussion and planning.
This includes upcoming changes in accounting standards or regulations
and the consequences of material transactions.
134. The audit committee should also communicate to the external
auditor matters that are likely to be of significant influence on the
conduct of the statutory audit.
Such matters may encompass subjects that the audit committee believes
warrant particular attention, significant communications with the
supervisor, or other matters that the audit committee considers may
influence the audit of the financial statements.
Reporting by the external auditor to the audit committee
Principle 11: The audit committee should require the external auditor to
report to it on all relevant matters to enable the audit committee to carry
out its oversight responsibilities.
135. In some jurisdictions, as part of the statutory audit, the auditors are
also required by law or regulations to express an opinion on the control
environment of the bank and provide additional reporting of matters
identified accordingly.
The explanatory guidance in the following paragraphs only covers
reporting to the audit committee that may be required in the context of
the financial statement audit.
136. The audit committee should expect the external auditor to
communicate promptly to the audit committee any significant audit
findings noted in the course of the audit and any significant problems
encountered in carrying out the audit.
137. Upon completion of the audit work, the external auditor should
report to the audit committee on the outcome of the audit in writing.
The contents of these written reports should be aligned with the
requirements set by internationally accepted auditing standards for
matters to be communicated to those charged with governance, the
recommendations made in this document, and any additional
requirements under applicable laws and regulations.
138. In addition to the above, where not already covered by the
recommendations in other parts of this document and the relevant
auditing standards, the audit committee should request that the external
auditor report to it in writing on other significant matters, including the
following:
- Key areas of significant risk of material misstatement in the financial
statements, in particular on critical accounting estimates or areas of
measurement uncertainty (eg loan loss provisioning and valuation
uncertainties), including potential valuation bias and consequential
effects on earnings, compensation structures and regulatory ratios.
- Areas of significant management and auditor judgment, including
judgments pertaining to the recognition,
de-recognition, measurement or disclosure of relevant items within the
financial statements and, where relevant, judgments about material
uncertainties that may cast doubt on an entity’s ability to continue as
a going concern (including consideration of liquidity/funding issues
of the entity).
- Outsourcing of key external audit work (eg with respect to audits of
subsidiaries) to another audit firm or use of external experts to assist
with the external audit.
- Significant internal control deficiencies identified in the course of the
statutory audit.
- Matters that are likely to be significant to the responsibilities of those
charged with governance in overseeing the strategic direction of the
entity or the entity’s obligations related to accountability.
- Areas of financial statement disclosures, for the bank itself and
relative to its peers, which the auditor believes could be
improved, including the results of discussions with management.
139. For the purposes of complying with the requirements of
internationally accepted auditing standards, where significant matters are
communicated to the audit committee, the external auditor should also
determine if these matters need to be communicated to the board of
directors.
6. The relationship between the supervisor and the external
auditor
140. This section sets out the principles that promote effective
relationships that will enable regular communication of mutually useful
information in the context of a statutory audit between:
- the supervisor and the external auditor at the supervised bank
level, regardless of whether the communication is mandatory
(Subsection A – Principles 12 and 13); and
- the banking supervisory authority and the audit firm, and the
accounting profession as a whole that is not specific to an individual
bank (Subsection B – Principle 14).
141. The key objective of having effective relationships between the
parties referred to above is to enhance the effectiveness of the supervision
of the banking sector.
This relationship will then also contribute to the quality of external audits.
142. An effective relationship should enable each party to carry out its
respective statutory responsibilities while not implying that either party is
responsible for or should or can perform the statutory responsibilities of
the other party.
A. Effective relationship at the supervised bank level
143. The external auditor can provide the supervisor with valuable insight
into various aspects of a bank’s operations and management’s attitude to
the application of key accounting policies, judgments and models
adopted.
Conversely, the external auditor may obtain helpful insights from
information originating from the supervisor where the supervisor
provides an independent assessment in areas significant to the external
audit and may focus attention on specific areas of supervisory concerns.
In certain jurisdictions, the supervisor may also request the external
auditor to perform specific assignments that go beyond the statutory
audit work of the auditor.
Principle 12: The supervisor and the external auditor should have an
effective relationship that includes appropriate communication channels
for the exchange of information relevant to carrying out their respective
statutory responsibilities.
144. Supervisors and external auditors should have an open and
constructive relationship, with confidence in each other that information
exchanged will be treated appropriately and confidentially.
145. For an effective relationship to exist, the engagement between the
supervisor and the external auditor should involve individuals who are
knowledgeable, informed and empowered by their respective
organisations to exchange information.
146. The supervisor may benefit from the results of the external auditor's
work because in many respects the two parties have complementary
concerns regarding the same matters although the focus of their concerns
is different.
Similarly, the external auditor may benefit from insights that the
supervisor can communicate.
However, in order to discharge their respective statutory
responsibilities, each party should not use the work of the other as a
substitute for its own work and the supervised entity should remain the
main source of information for their respective work.
147. The terms, nature and scope of this relationship can be determined in
individual jurisdictions and should be clear to both the supervisor and the
external auditor – for example, through guidance issued by the banking
supervisory authority.
Access to communication with the bank
148. The external auditor's work gives rise to the auditor's report on the
annual/consolidated financial statements which is often used for
prudential supervisory purposes.
When performing a financial statement audit in accordance with
internationally accepted auditing standards, the external auditor
communicates with management and/or those charged with governance
about significant matters relating to financial reporting or supplementary
matters, and these communications may be accessed by the supervisor.
In the same manner, in certain jurisdictions, the external auditor may also
have access to the supervisor's communications to the bank.
149. Given the benefits that may ensue, when communicating with
management and/or those charged with governance of the bank, both the
supervisor and the external auditor should consider communicating
matters that may also be of mutual interest to each other in writing so that
they form part of the bank's records to which the other party should have
access.
Direct communication at the supervised bank level
150. In addition, effective communication should be established through
one or a combination of direct written and oral communication
channels, as dictated by the circumstances.
151. Written communication channels may include extended audit reports
on the audited financial statements, which are submitted to the supervisor
and are not available to the public.
In certain jurisdictions, these reports may be part of the external auditor's
statutory audit work and may also cover assignments related to prudential
supervisory requirements.
152. Oral communication channels may include bilateral meetings
between representatives of the supervisor and the external auditor, and
may be formal or ad hoc.
In addition to bilateral meetings, trilateral meetings involving
representatives of the supervisor, the external auditor and those charged
with governance at the supervised bank can also be held.