International Association of Risk and Compliance Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750
www.risk-compliance-association.com

Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

Dear Member,

Today I will start with the job description that made my day: Basel II / III and Solvency II risk specialist, Mandarin Speaking!!!

Basel III Risk Specialist - Mandarin Speaking
Leading Global Investment Bank, London

A Leading Global Investment Bank is Expanding the Regulatory Risk Function with the hire of a Basel III Risk Specialist for their London Group.

- Basel III Regulatory Risk Specialist
- Leading Global Investment Bank
- Mandarin Speaking
- London, UK
- 50,000+ Excellent Bonus Benefits

As a key member of the risk group you will be communicating extensively with senior management on a global scale including direct contact with senior management in Hong Kong and Shanghai and will therefore require Mandarin speaking skills at business level proficiency.

A Pillar 3 Disclosure??
An expert in regulatory frameworks, you will have practical understanding of Basel II / III and knowledge of Solvency II ICAAP is also highly preferred.

This is a mid-level position within the group and will require a minimum of 3 years industry experience within the London and / or International Financial Markets.

It is never too late to learn Mandarin. It looks easy!

Amazing job description

Just one slight problem with this job description: You cannot have knowledge of Solvency II ICAAP simply because there is nothing like a Solvency II ICAAP; perhaps they mean Solvency II ORSA (Own Risk and Solvency Assessment, the Pillar 2 document).

It reminds me of another job description, where they required 5+ years of Basel III experience. Provided that Basel III was endorsed at the end of 2010, they could hire someone after 2015.

Another development: Auditors, it is your turn to suffer the consequences of the crisis

According to the BIS, the recent financial crisis not only revealed weaknesses in risk management, control and governance processes at banks, but also highlighted the need to improve the quality of external audits of banks.

Given the central role banks play in contributing to financial stability, and therefore the need for market confidence in the quality of external audits of banks' financial statements, the Basel Committee is issuing for consultation this guidance on external audits of banks.

This document describes, through sixteen principles and explanatory guidance, supervisory expectations regarding audit quality and how that relates to the external auditor's work in a bank.

Read more at Number 1 below.

Welcome to the Top 10 list.

External audits of banks

Given the central role banks play in
contributing to financial stability, and therefore the need for market confidence in the quality of external audits of banks' financial statements, the Basel Committee is issuing for consultation this guidance on external audits of banks.

This document describes, through sixteen principles and explanatory guidance, supervisory expectations regarding audit quality and how that relates to the external auditor's work in a bank.

Meeting of the G20 Finance Ministers and Central Bank Governors
Update by the IASB and FASB
Convergence projects
This report is a high-level update on the status and timeline of the remaining convergence projects.

To G20 Ministers and Central Bank Governors
Progress of Financial Regulatory Reforms

EIOPA
The new Risk Dashboard

Focusing on Low- and Moderate-Income Working Americans
Governor Sarah Bloom Raskin, Board of Governors of the Federal Reserve System, At the National Community Reinvestment Coalition Annual Conference, Washington, D.C.

Islamic capital and money markets
Welcoming remarks by Mr Peter Pang, Deputy Chief Executive, Hong Kong Monetary Authority, at the workshop on Islamic capital and money markets, Hong Kong

Interview with Gabriel Bernardino, Chairman of EIOPA, conducted by Nataša Gajski Kovačić, Svijet osiguranja (Croatia)

Reviewing filings for smaller public companies
These slides were presented at the Forums on Auditing in the Small Business Environment hosted by the PCAOB during 2012.

The Global Financial Sector - Transforming the Landscape
By Christine Lagarde, Managing Director, International Monetary Fund, Frankfurt Finance Summit

Managing structural risks in the Swedish banking sector
Speech by Mr Stefan Ingves, Governor of the Sveriges Riksbank and Chairman of the Basel Committee on Banking Supervision, at Affärsvärldens Bank & Finans Outlook, Stockholm

External audits of banks

The recent financial crisis not only
revealed weaknesses in risk management, control and governance processes at banks, but also highlighted the need to improve the quality of external audits of banks.

Given the central role banks play in contributing to financial stability, and therefore the need for market confidence in the quality of external audits of banks' financial statements, the Basel Committee is issuing for consultation this guidance on external audits of banks.

This document describes, through sixteen principles and explanatory guidance, supervisory expectations regarding audit quality and how that relates to the external auditor's work in a bank.

Implementation of the principles and the explanatory guidance is expected to improve the quality of bank audits and enhance the effectiveness of prudential supervision which is an important element of financial stability.

This document sets out supervisory expectations of how:
- external auditors can discharge their responsibilities more effectively;
- audit committees can contribute to audit quality in their oversight of the external audit;
- an effective relationship between the external auditor and the supervisor, which allows greater mutual understanding about the respective roles and responsibilities of supervisors and external auditors, can lead to regular communication of mutually useful information; and
- regular and effective dialogue between the banking supervisory authorities and relevant audit oversight bodies can enhance the quality of bank audits.

This document enhances and supersedes the Committee's guidance The relationship between banking supervisors and banks' external auditors (2002) and External audit quality and banking supervision (2008).

In addition to the proposed guidance, the Committee is publishing a letter to the International Auditing and Assurance Standards Board (IAASB) on areas where it believes International Standards on Auditing could be enhanced. Serving as an observer on the Basel Committee group that developed the revised guidance, the IAASB provided helpful and meaningful input to this effort.

Comments on the proposals should be submitted by Friday 21 June 2013 by e-mail to: [email protected], comments may be sent by post to: Secretariat of the Basel Committee on Banking Supervision, Bank for International Settlements, CH-4002 Basel, Switzerland.

All comments may be published on the website of the Bank for International Settlements unless a comment contributor specifically requests confidential treatment.

External audits of banks

1. Executive summary

1. The recent financial crisis not
only revealed weaknesses in risk management, control and governance processes at banks, but also highlighted the need to improve the quality of external audits of banks. Given the central role banks play in contributing to financial stability, and therefore the need for market confidence in the quality of external audits of banks' financial statements, the Basel Committee on Banking Supervision (the Committee) is issuing this document on external audits of banks. It forms part of the Committee's commitment to help improve audit quality at banks. This document enhances and replaces The relationship between banking supervisors and banks' external auditors (January 2002) and External audit quality and banking supervision (December 2008).

2. Implementation of the 16 principles and observation of the explanatory guidance in this document are expected to improve the quality of bank audits and enhance the effectiveness of prudential supervision, which will then contribute to financial stability. Through these principles and explanatory guidance, the document describes supervisory expectations regarding audit quality and how that relates to the external auditor's work in a bank. This document specifically sets out supervisory expectations of how:
(a) external auditors can discharge their responsibilities more effectively;
(b) audit committees can contribute to audit quality in their oversight of the external audit;
(c) an effective relationship between the external auditor and the supervisor, which allows greater mutual understanding about the respective roles and responsibilities of supervisors and external auditors, can lead to regular communication of mutually useful information; and
(d) regular and effective dialogue between the banking supervisory authorities and the relevant audit oversight bodies can enhance the quality of bank audits.

3. The document also notes the Committee's continued commitment to work through international bodies to enhance audit quality.

2. Introduction, application, structure and the Committee's international engagement

Introduction

4. The banking sector is unique among sectors of the economy because it plays a central role in contributing to the financial stability of and the provision of financial resources to the economy. This sector includes major global banks that are systemically important banks (SIBs), the failure of one or more of which could trigger a global financial crisis. In addition, banks have a unique operating model.

5. Supervisors are primarily concerned with maintaining the stability of the banking system and fostering the safety and soundness of individual banks in order to maintain market confidence and protect the interests of depositors. Consequently, to enhance the effectiveness of supervision, supervisors have a keen interest in the quality with which external auditors perform bank audits. Building effective relationships with external auditors can also enhance banking supervision.

6. An external auditor plans and performs the audit of
a bank's financial statements to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatements, whether due to fraud or error, and are prepared, in all material respects, in accordance with an applicable financial reporting framework. In many ways, the supervisor and the external auditor have complementary concerns regarding the same matters. For example, the audit of financial statements may help identify weaknesses in internal controls relating to financial reporting at a bank which may, therefore, inform supervisory efforts in this area and contribute to a safe and sound banking system.

7. Although the focus of this document is on the quality of the audit performed by the external auditor, an audit in accordance with internationally accepted auditing standards is conducted on the premise that the management and, where appropriate, those charged with governance have acknowledged certain responsibilities that are fundamental to the conduct of the audit. The audit of the financial statements does not relieve management or those charged with governance of their responsibilities.

8. The Basel Committee on Banking Supervision's Core Principles for Effective Banking Supervision (September 2012, Core Principles) provide a framework of minimum standards for sound supervisory practices and are considered universally applicable. Core Principle 27 focuses on prudential regulations and requirements for banks in relation to financial reporting and external audits. This guidance set out in this document is consistent with Core Principle 27.

9. The application and the structure of each section in this document are described below, followed by an outline of the key international relationships between the Committee and other groups relevant
to external auditing.

Application

10. This document applies to the following entities subject to a statutory audit:
- all banks, including those within a banking group;
- holding companies whose subsidiaries are predominantly banks; and
- holding companies subject to prudential supervision whose subsidiaries are predominantly banks.

All of these structures are referred to as banks or banking organisations in this document.

11. The implementation of the principles set forth in this document should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank and the group (if any) to which it belongs. The Committee recognises that some countries have found it appropriate to adopt legal frameworks and standards (eg for listed firms), as well as accounting and auditing standards, which may be more extensive and prescriptive than the principles and explanatory guidance set forth herein. Such frameworks and standards tend to be particularly relevant for larger or publicly traded banks or financial institutions.

12. This document has been prepared with the full awareness that significant differences exist in national institutional, legislative and regulatory frameworks amongst jurisdictions, including accounting and auditing standards, supervisory techniques and institutional corporate governance structures. Supervisors should clearly communicate the recommendations contained herein to the banks they supervise and their respective external auditors, and articulate the measures banks and external auditors should undertake to meet
these best practices, where possible.

13. The principles set out in this document should be applied in accordance with the national legislation and corporate governance structures applicable in each country.

14. The following terms are used in this document, with the meanings specified:
- Financial statement audit: An audit of a bank's financial statements by an external auditor in accordance with internationally accepted auditing standards.
- Statutory audit: An audit carried out to comply with the requirements of particular legislation or regulations. In some jurisdictions, this may include only the financial statement audit. In other jurisdictions, this may also include extended reporting by external auditors on matters such as internal controls and regulatory returns.
- External auditor: The audit firm and the individual audit engagement team members. Where relevant, specific references are made to the audit firm or the individual audit engagement team members in certain paragraphs.
- Banking supervisory authority: The body responsible for promoting the safety and soundness of banks and the banking system in a particular jurisdiction, including the persons who are involved with supervisory policy setting and policy issues, including policies regarding accounting and auditing.
- Supervisor: The group of supervisory personnel at a banking supervisory authority who are directly involved with the supervision / examination of a specific institution.
- Board and senior management: The governance structure at a
bank composed of a board and senior management. The Committee recognises that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions. Some countries use a two-tier structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions. Other countries, by contrast, use a one-tier structure in which the board has a broader role. Still other countries have moved or are moving to an approach that discourages or prohibits executives from serving on the board or limits their number and / or requires the board and board committees to be chaired only by non-executive board members. Given these differences, this document does not advocate a specific board structure. The terms board and senior management are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction.
- Audit committee: A specialised committee established by the board, the mandate, scope and working procedures for which are set out in a charter or other instrument. As stated in the BCBS paper on Principles for enhancing corporate governance (October 2010), to increase efficiency and allow deeper focus in specific areas, boards in many jurisdictions establish certain specialised board committees, the audit committee being one of them. The paper further recommends that, for large and internationally active banks, an audit committee or equivalent should be required. It also outlines the overall responsibilities of the audit committee.
- Those charged with governance: The person(s) or organisation(s) with
responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity as defined by internationally accepted auditing standards. Such person(s) or organisation(s) is (are) typically the board of directors. Where the board of directors establishes an audit committee in a bank to assist it in meeting its responsibilities by charging the audit committee with specific tasks and responsibilities, in such circumstances the audit committee can be viewed as taking on the role of those charged with governance in relation to those specific tasks and responsibilities.

Structure

The external auditor and audit quality

15. Audit quality includes delivering an appropriate, independent professional opinion on the financial statements, in compliance with internationally accepted auditing standards. Internationally accepted auditing standards require the external auditor to possess and demonstrate certain attributes while applying a rigorous audit process.

16. Given that internationally accepted auditing standards are applicable to all entities, Section 4 of this document builds upon these standards and lays out the supervisory expectations of the external auditor regarding the audit of a bank. Moreover, Section 4 highlights the key areas where significant risks of material misstatement in banks' financial statements often arise, which therefore require the auditor's particular attention for a quality audit.

Engagement between the external auditor and the audit committee

17. Regular and effective engagement and communication
between the external auditor and the audit committee contribute to audit quality.

18. Amongst its other responsibilities, the audit committee is responsible for overseeing the bank's external auditor. A soundly constituted audit committee can play a key role in contributing to audit quality. Section 5 discusses the audit committee's responsibilities in relation to the oversight of, and its relationship with, the external auditor.

Engagement between the supervisor and the external auditor

19. Effective communication between the supervisor and the external auditor enhances the effectiveness of supervision of the banking sector. This relationship will then also contribute to audit quality.

20. The supervisor and the external auditor have a mutual interest in building and maintaining an effective relationship, which fosters regular communication of useful information. Section 6 provides principles and explanatory guidance for facilitating an effective relationship between the supervisor and the external auditor at the levels of the supervised bank, the audit firm and the accounting profession as a whole.

Engagement between the banking supervisory authority and the audit oversight body

21. The banking supervisory authority and the relevant audit oversight body share a strong mutual interest in ensuring quality independent audits. Regular and effective dialogue between the banking supervisory authority and the
audit oversight body at a national level can assist in identifying and dealing with key issues in relation to the conduct of bank audits. Section 7 sets out the principles for facilitating effective communication between these bodies.

22. Supervisors are in a unique position to identify audit quality issues at both the industry and individual audit level. Regular and effective engagement between the supervisor and the relevant audit oversight body may enable the supervisor to provide timely feedback on such issues. Additionally, the supervisor may, if necessary, take action to address issues raised by the audit oversight body.

The Committee's international engagement on external auditing

23. Approaches for dealing with supervisory concerns about the quality of the audit of an individual bank may differ across jurisdictions, but all approaches should be designed to contribute to enhancing audit quality. In its effort to promote audit quality, the Committee engages in regular dialogue and discussion with the relevant international stakeholders on external audit matters. These stakeholders include, but are not limited to, the following:
- the Financial Stability Board (FSB), whose objectives include the enhancement of the effectiveness of banking supervision;
- the Monitoring Group, which is responsible for advancing the public interest in areas related to international audit quality;
- the Public Interest Oversight Board (PIOB), which is responsible for improving the quality and public interest focus of the international standards formulated by standard-setting boards operating under the auspices of the International Federation of Accountants (IFAC)
in the areas of audit and assurance, education and ethics, including oversight of the public interest activities of three of the IFAC's independent standard-setting boards and their respective consultative advisory groups;
- the consultative advisory groups of the International Auditing and Assurance Standards Board (IAASB) and the International Ethics Standards Board for Accountants (IESBA), which are responsible for developing international auditing and ethics standards respectively;
- the International Forum of Independent Audit Regulators (IFIAR), which is responsible for improving audit quality globally, including through independent inspections of auditors and / or audit firms; and
- the Global Public Policy Committee (GPPC), which is comprised of representatives from the six largest international accounting networks and focuses on public policy issues for the accounting profession.

24. The objective of this dialogue is to enable the Committee and the relevant international stakeholders to identify and discuss relevant issues and topics on a timely basis so that supervisors, external auditors and audit oversight bodies can take appropriate action. As such, these discussions should address not only current issues and topics, but also emerging areas and trends that raise concern.

3. Overview of the principles

- Principle 1: The external auditor of a bank should have banking industry knowledge and competence sufficient to respond appropriately to the risks of material misstatement in the bank's financial statements and to properly meet any additional regulatory requirements that may be part of the statutory audit.
- Principle 2: The external auditor of a bank should be objective and independent in fact and appearance with respect to the bank, consistent with the more stringent
requirements applicable to public interest entities in internationally accepted ethical standards.
- Principle 3: The external auditor should exercise professional scepticism when planning and performing the audit of a bank, having due regard to the specific challenges in auditing a bank.
- Principle 4: Audit firms undertaking bank audits should comply with the more stringent requirements on quality control applicable to listed entities in internationally accepted quality control standards, having due regard to the complexity of a bank audit.
- Principle 5: The external auditor of a bank should identify and assess the risks of material misstatement in the bank's financial statements, taking into consideration the complexities of banking activities and the need for banks to have a strong control environment.
- Principle 6: The external auditor of a bank should respond appropriately to the significant risks of material misstatement in the bank's financial statements.
- Principle 7: The audit committee should have a robust process for approving, or recommending for approval, the appointment, reappointment, removal and remuneration of the external auditor.
- Principle 8: The audit committee should monitor and assess the independence of the external auditor.
- Principle 9: The audit committee should monitor and assess the effectiveness of the external audit.
- Principle 10: The audit committee should have effective communication with the external auditor to enable the audit committee to carry out its oversight responsibilities and to enhance the quality of the audit.
- Principle 11: The audit committee should require the external
auditor to report to it on all relevant matters to enable the audit committee to carry out its oversight responsibilities.
- Principle 12: The supervisor and the external auditor should have an effective relationship that includes appropriate communication channels for the exchange of information relevant to carrying out their respective statutory responsibilities.
- Principle 13: The external auditor should report to the supervisor matters that are likely to be of material significance to the functions of the supervisor.
- Principle 14: There should be open, timely and regular communication between the banking supervisory authority, the audit firm and the accounting profession as a whole on key risks and systemic issues as well as a continuous exchange of views on appropriate accounting techniques and auditing issues.
- Principle 15: There should be regular and effective dialogue between the banking supervisory authority and the relevant audit oversight body.
- Principle 16: The banking supervisory authority and the audit oversight body should observe appropriate confidentiality requirements when sharing information.

4. Supervisory expectations relevant to the external auditor and the external audit of financial statements

25. External audits of financial statements performed in accordance with internationally accepted auditing standards enhance the confidence of all users, including supervisors, in the reliability of the audited financial statements and the quality of the information provided.

26. Audits of banks should be performed in accordance with internationally accepted auditing standards. As these standards are not industry-specific, for a
quality audit supervisors expect external auditors not only to comply with internationally accepted auditing standards but also to tailor their audit work in response to the significant risks and issues applicable to banks.

27. External auditors are required to comply with applicable jurisdictional and, where relevant, internationally accepted ethical standards. However, given the complexity and systemic risks associated with banks, the external auditor of a bank should follow the most stringent rules for independence under these standards. Similarly, the external auditor of a bank should also follow the most stringent standards on quality control at the engagement level.

28. Part A of this section describes the supervisor's expectations as a user of the bank's financial statements, specifically with respect to the external auditor's knowledge, competence, objectivity, independence, professional scepticism and quality control over the bank's audit. Part B identifies areas where supervisors believe there is often a significant risk of material misstatement in a bank's financial statements and factors to which the supervisor expects the external auditor to pay attention when auditing those areas.

29. While the primary focus in this section is on the financial statement audit, particularly in Principles 5 and 6, the external auditor may identify matters in the course of the audit that are of interest to the supervisor and therefore should be considered for communication to the supervisor. Examples of such matters have been included in Section 6.

30. In some jurisdictions, as part of the statutory audit, the external auditor may also undertake additional work to provide assurance on internal controls or other aspects of a bank's operations. The principles set out in this section provide a relevant reference for the performance of such additional work.

31. The principles and explanatory guidance set out in this
section provide a framework for the supervisor's interactions with the external auditor, the audit committee and the relevant audit oversight body. The outcome of these interactions will inform the supervisor's views as to the quality of the external audit and contribute to the supervisory process. These principles and explanatory guidance also provide a framework to assist the audit committee in selecting the external auditor and in assessing the external auditor's knowledge, competence, objectivity and independence as well as the effectiveness of the audit process.

A. The supervisor's expectations of the external auditor of a bank

Knowledge and competence

Principle 1: The external auditor of a bank should have banking industry knowledge and competence sufficient to respond appropriately to the risks of material misstatement in the bank's financial statements and to properly meet any additional regulatory requirements that may be part of the statutory audit.

32. Given the complexity and diversity of banking activities, and the legal and regulatory framework in which banks operate, the external auditor of a bank should have specialised knowledge and competence in auditing banks and should use experts as appropriate.

Knowledge

33. The resources required to perform the audit should be such that the audit engagement team, as a whole, has:
- proficient knowledge and understanding of, and practical experience with, the banking sector, associated banking industry and bank-specific risks, and the operations and activities of banks and bank audits. The audit
engagement team may acquire this proficiencythroughspecific
training, participation in bank auditsor workin the bankingsector;-
proficient knowledgeof applicableaccounting, assuranceand
ethicalstandards, industrypractice and relevant guidancesuch
asInternationalAuditing PracticeNote (IAPN) 1000;- proficient
knowledge of relevant regulatory requirements in the areasof
capital and liquidity, and a general understanding of the legal
andregulatoryframework applicabletobanks;and- proficient
knowledgeand understandingof IT relevant to bankaudits.34.In
addition, theexternal auditorshould consider
whethertheauditengagement team should includespecialistswitha high
degree oftechnicalaccountingknowledgerelevant to banking,
particularlygiventhecomplexityof the requirementsof
theapplicablefinancial reportingframeworkpertainingto
accountingestimates,includingloan lossprovisions,fair
valuemeasurements,andanyareasknowntobesubjecttodifferinginterpretationor
inconsistent or developing practices.Competence35.Audit firms
should have documented policies and procedures that set minimum
competency criteria for members of a bank's audit engagement team.

36. Supervisors may have the ability to influence the competency
requirements for external auditors. Where regulations and standards in
particular jurisdictions do not include specific competency
requirements for banks' external auditors, the supervisor may
encourage professional and regulatory bodies to introduce requirements
regarding training in, and experience with, bank auditing and
accounting so that the audit engagement teams for bank audits are
comprised of sufficiently competent staff.

37. Competence is particularly important in underpinning an external
auditor's ability to exercise professional judgment and carry out key
aspects of the audit, such as identifying and assessing the risks of
material misstatement and designing and implementing appropriate
responses to those risks.

Use of experts

38. In some instances, such as the auditing of certain complex
accounting estimates, more specialised knowledge may be required to
support the audit engagement team, eg additional expertise beyond that
possessed by the audit engagement team's members in a field other than
accounting or auditing. Examples of such areas are valuation of
complex financial instruments, commercial property valuations and
evaluation of highly complex IT environments, particularly in areas
subject to significant risks of material misstatement.

39. Internationally accepted auditing standards set out requirements
for the nature, timing and extent of audit procedures which the
external auditor should perform to assess the competence, capabilities
and objectivity of the experts the external auditor may use. These are
important factors in considering the reliability of the information or
results produced by the expert.

Objectivity and independence

Principle 2: The external auditor
of a bank should be objective and independent in fact and appearance
with respect to the bank, consistent with the more stringent
requirements applicable to public interest entities in internationally
accepted ethical standards.

Objectivity

40. Objectivity is a fundamental ethical principle and a key element
of audit quality. It requires that the external auditor's judgment is
not affected by conflicts of interest. As objectivity is a state of
mind that in most cases cannot be directly observed by users of
financial statements, it is important for the external auditor to be
independent in both fact and appearance.

Independence

41. Independence is freedom from situations and relationships in which
a reasonably informed third party would conclude that an external
auditor's objectivity is impaired. Jurisdictional and internationally
accepted auditing standards and internationally accepted ethical
standards lay out frameworks for external auditors to identify and
respond to threats to independence.

42. The external auditor of a bank must comply with the applicable
jurisdictional and internationally accepted ethical standards.
Furthermore, the Committee believes that the external auditor of a
bank should comply with the more stringent independence standards for
public interest entities. To the extent that any of the rules within
any one of these standards on ethics is more restrictive than the
corresponding rule in the other standards on ethics, the external
auditor must comply with the more restrictive rule.

43. Independence should be observed not only in the context of the
bank that is being audited but also with respect to the bank's related
entities.

44. External auditors of a bank should comply with applicable
jurisdictional requirements on the rotation of members of the audit
engagement team.

45. The audit engagement team members, the audit firm and,
when applicable, network audit firms should comply with the
independence requirements of both the home jurisdiction and the
overseas regulatory authority (in the case where the bank is
ultimately regulated by an overseas authority).

46. When assessing whether any relationship or circumstance poses a
threat to an external auditor's independence, the external auditor
should evaluate not just the specific rules on independence, but also
the substance of the threat to independence, and how a reasonably
informed third party would perceive the threat and its effect on the
external auditor's objectivity. The provision of significant non-audit
services by the audit firm and, when applicable, network audit firms
to the bank being audited may particularly affect a third party's
perception of the external auditor's independence. Such situations
should be carefully evaluated for threats to the external auditor's
objectivity and perceived independence.

47. The supervisor expects the external auditor to consider actively
potential threats to the auditor's independence, specifically the
threat of self-review, when discussing accounting matters with the
management. For example, complex transactions may be structured to
achieve a particular accounting treatment and/or regulatory outcome.
When an external auditor discusses with or provides advice to
management on such matters, the external auditor must exercise care so
as not to take on a management role or responsibility.

Professional scepticism

Principle 3: The external
auditor should exercise professional scepticism when planning and
performing the audit of a bank, having due regard to the specific
challenges in auditing a bank.

48. Professional scepticism is defined as an attitude that includes a
questioning mind, being alert to conditions which may indicate
possible misstatement due to error or fraud, and a critical assessment
of evidence. Professional scepticism should manifest itself not only
through the auditor obtaining corroborating evidence for management's
assertions, but also challenging management's assertions, actively
considering whether there are alternative accounting treatments that
are preferable to those selected by management, and documenting the
approach, the evidence obtained, the rationale applied and the
conclusions reached. Throughout the audit, the auditor should adopt a
questioning approach when considering information and forming
conclusions.

49. Exercising appropriate professional scepticism is critically
important in audits of banks because of the number and significance of
accounting estimates and the potential for limited objective evidence
supporting those estimates. Professional scepticism is particularly
important when auditing areas that:
(a) involve significant management estimates and judgments because
these are more prone to management bias;
(b) involve significant non-recurring or unusual transactions; or
(c) are more susceptible to fraud and errors being perpetuated due to
weak internal controls.

50. Specific areas where professional
scepticism should be exercised by the external auditor of a bank
include impairment calculations, fair value measurements and going
concern assessments, including assessments of solvency and liquidity.
Other examples may include complex transactions structured to achieve
a particular accounting treatment and/or regulatory outcome by the
management where the audit engagement partner has or ought to have
reasonable doubt that the proposed accounting treatment and/or
regulatory outcome is consistent with the relevant financial reporting
framework or regulatory requirements. In this context, the external
auditor should actively challenge management's assumptions and
judgments and form independent views. This includes challenging
evidence obtained from management that corroborates management's view.

51. Where a bank consistently utilises valuations that are at the high
or low end of a range of acceptable valuations or when there are other
indications of possible management bias, the external auditor should
consider this in the overall risk assessment of the bank and should
inform those charged with governance, where appropriate.

52. The evidence of the extent of professional scepticism exercised
should be demonstrable and understandable through audit documentation
that describes how, why and what conclusions were reached by the
external auditor. In this regard, internationally accepted auditing
standards establish minimum requirements for audit documentation.

Quality control

Principle 4: Audit
firms undertaking bank audits should comply with the more stringent
requirements on quality control applicable to listed entities in
internationally accepted quality control standards, having due regard
to the complexity of a bank audit.

53. Audit firms must comply with the applicable jurisdictional and
internationally accepted standards on quality control. Furthermore,
the Committee believes that the external auditor of a bank should
comply with the more stringent requirements on quality control
applicable to listed entities in internationally accepted quality
control standards. To the extent that any of the rules within any one
of these quality control standards is more restrictive than a
corresponding rule in the other quality control standards, the
external auditor must comply with the more restrictive rule.

54. The audit of a bank should be subject to an engagement quality
control review (EQCR) performed internally by the audit firm prior to
the issuance of the audit opinion. The engagement quality control
reviewer should have the appropriate knowledge and competence to
review bank audits. The reviewer should exercise professional
scepticism in assessing the quality of audit evidence and whether the
auditor's judgments are appropriate.

55. EQCR should be part of a broader firm-level internal system of
quality control that emphasises quality and consultation and creates a
culture of compliance with auditing and ethical standards.

56. Where a network of audit firms
is involved in the audit of a bank, the individual audit firms within
the network should apply quality control processes that comply with
this document. In such cases, the lead audit engagement partner should
be responsible for the performance of a quality audit by all the teams
reporting to it. In doing so, the lead partner may place reliance on
the processes by which quality control is exercised within the network
firms that report to it. For example, the lead audit engagement
partner of a group audit may rely on the firms' processes for
(a) ensuring that each audit engagement team member
(i) acquires the appropriate skills, knowledge and experience to
perform bank audits and
(ii) complies with independence rules, and
(b) monitoring adherence to the audit firm's policies and procedures
on quality control.

57. The involvement of the engagement quality control reviewer
throughout the audit, and the outcome of the quality control review,
should be evident in the audit working papers. Any significant
discussions between the engagement quality control reviewer and the
audit engagement team, particularly in areas where views may have
differed and as to how conclusions were reached, should be fully
documented in the audit working papers. Thus in jurisdictions where
the supervisor has access to the external auditor's working papers,
the quality control review would also be at the supervisor's disposal.

B. Supervisory expectations of the audit of a bank's financial
statements

Identifying and assessing significant risks of material misstatement
specific to a bank's financial statements

Principle 5: The external auditor of a bank should
identify and assess the risks of material misstatement in the bank's
financial statements, taking into consideration the complexities of
banking activities and the need for banks to have a strong control
environment.

Identifying potential risks

58. Banks are exposed to a variety of risks that can potentially
affect the results of their operations or financial condition. These
include, but are not limited to, credit risk, market risk, liquidity
risk, operational risk and regulatory risk. New risks may emerge or
the significance of each risk may change over time as a result of
various factors that may be driven by changed circumstances or
developments both internal and external to the bank.

59. In designing and performing the audit of a bank, the external
auditor should assess the inherent and control risk to determine the
risk of material misstatements at the financial statement and
assertion levels. By doing so, the external auditor gains an
understanding of internal controls that are relevant to the audit, and
particularly of the control environment designed by the bank.

60. To respond to the assessed risk of material misstatement, an
external auditor follows an audit strategy that includes both
substantive procedures and control testing. Given the nature of bank
activities, including those involving a high volume of transactions,
banks implement controls designed to address risks posed to the
organisation. As a result, the external auditor of a bank should
perform extensive tests of controls over financial reporting to assess
whether, and to what extent, the auditor can rely on them.

Materiality

61. An understanding of the concept of materiality
and determination of materiality thresholds is needed in order to
establish the audit strategy, and identify and assess whether a risk
of material misstatement exists in the financial statements.

62. The determination of what is material to the financial statements
as a whole is a matter for the external auditor's professional
judgment about misstatements that could reasonably be expected to
influence economic decisions of users taken on the basis of the
financial statements.

63. The external auditor should exercise caution when evaluating
identified misstatements. These misstatements could be an indicator of
wider issues within the bank which could potentially lead to material
misstatements in the financial statements as a whole. Therefore,
individual misstatements should not be dismissed solely because they
are below the level of materiality set for planning purposes.

64. For individual account balances, specific classes of transactions
or disclosures, internationally accepted auditing standards require
the external auditor to determine a lower level of materiality for
those particular account balances, classes of transactions or
disclosures, if the external auditor believes that misstatements of
lesser amounts than materiality for the financial statements as a
whole could reasonably be expected to influence the economic decisions
of users taken on the basis of the financial statements. This is
particularly relevant for audits of banks because certain financial
statement items are used in the calculation of key metrics used by a
wide range of users of the financial statements. For example,
regulatory ratios such as the leverage ratio, liquidity ratio and
capital adequacy ratio are calculated based on account balances in the
financial statements or are derived from the financial statements.

Assessing the risks of material misstatement

Internal control and its components

65. According to internationally accepted
auditing standards, internal control components are the control
environment, risk assessment process, information and communication
systems and processes, control activities and monitoring of controls.

66. As stated in the BCBS Principles for enhancing corporate
governance, a robust internal control environment is critical to the
strength of a bank's governance system and its ability to manage risk.
Consequently, when obtaining an understanding of the bank's internal
control environment, the external auditor should, amongst other
considerations:
- assess the tone at the top, ie whether management, with the
involvement of those charged with governance, is promoting a robust
control environment;
- determine whether the control environment extends to all types of
operations and service offerings and encompasses all subsidiaries and
branches of the banking group;
- understand the bank's approach to outsourcing/offshoring of business
activities and functions and assess how internal control over these
activities is maintained; and
- obtain an adequate understanding of the organisation of key control
functions within the bank and its subsidiaries. At a minimum, key
control functions include the internal audit, risk management,
compliance and other monitoring functions.

67. Compensation arrangements at a bank may be a good indicator of the
culture within the organisation because they can influence the
behaviour of the bank's personnel and the quality of corporate
governance. The external auditor should pay particular attention to
the risks of material misstatement in the financial statements due to
fraud, particularly where banks employ compensation arrangements that
may encourage excessive risk-taking or other inappropriate behaviour
amongst their personnel.

Control activities

68. Internationally accepted auditing standards require the
external auditor to obtain an understanding of control activities
relevant to the audit which, in the auditor's judgment, are necessary
to assess the risks of material misstatement and to establish the
audit strategy. The assessment of the control activities over
financial reporting is critical for the design of further audit
procedures responsive to assessed risks. When identifying and
assessing risks of material misstatement and assessing controls, the
external auditor should take account of the following factors:
- the knowledge and competence of those in charge of financial
reporting and of other control functions having an impact on financial
reporting;
- the nature of hedging strategies employed by the bank which, if
complex, improperly structured or inadequately monitored, can have
accounting and solvency implications;
- the use of complex financial instruments involving significant
estimates of fair value;
- the provision of custodial services to retail and/or institutional
clients and the procedures in place to avoid co-mingling of client and
proprietary assets;
- the volume of transactions by type of activity and/or presence of
significant non-routine transactions;
- the use and monitoring of internal accounts;
- the structure and complexity of IT systems for conducting business
and for facilitating efficient business and financial reporting, as
they may lead to increased risk of fraud or error, particularly where
there is potential for individual override of the control system or
the potential for fraudulent transactions to go undetected due to the
sophistication and complexity of the IT systems;
- the number, scope and geographical dispersion of subsidiaries and
the necessity for complex consolidation procedures;
- the existence of significant transactions with related parties; and
- the use of off-balance sheet financing arrangements, such as special
purpose entities (SPEs) and other complex structures.

69. Banking supervisors and those
charged with governance, such as the audit committee, need to be
satisfied that the internal control is commensurate with the nature,
volume and complexity of the bank's activities and is organised in
accordance with regulatory and legal requirements. The internal
control of a bank must be robust and reliable in order to cope with
stressed environments. Significant deficiencies in internal control
which have been identified by the external auditor should be
communicated in writing to those charged with governance and senior
management, and other deficiencies in internal control should be
communicated to the senior management at an appropriate level of
responsibility on a timely basis. In addition, the Committee believes
that the external auditor should communicate in writing all matters
that are likely to be significant to the responsibilities of those
charged with governance in overseeing the strategic direction of the
entity or the entity's obligations related to accountability. Such
matters may include significant decisions or actions by management
that lack appropriate authorisation.

Internal audit

70. The internal audit
function is an important element of the overall internal control
environment. It provides assurance to the board of directors and
senior management on the quality and effectiveness of a bank's
internal control, risk management and governance systems and
processes. The work of internal auditors can help external auditors
assess the quality of the internal control processes and identify
risks.

71. Whether or not the external auditor expects to use the work of a
bank's internal auditors, provided there is no reason to doubt their
knowledge, competence and objectivity, the external auditor should
engage with, and seek information on key internal audit findings from,
the internal auditors. This may provide valuable input into the
external auditor's understanding of the entity and its environment and
aid in identifying and assessing risks of material misstatement. The
external auditor should consider reading relevant internal audit
reports if the information obtained from engaging with the internal
auditors indicates issues that may have an impact on the financial
statement audit.

72. The external auditor's observations on and, where relevant,
evaluation of a bank's internal audit function are of particular
interest to the audit committee and the bank's supervisor given the
role an effective internal audit function plays in maintaining a
robust control environment in a bank.

Responding to significant risks of material misstatement specific to a
bank's financial statements

Principle 6: The external auditor of a bank should respond
appropriately to the significant risks of material misstatement in the
bank's financial statements.

73. Having identified and assessed the risks of material misstatement,
internationally accepted auditing standards require the auditor to
identify any areas where there is a significant risk of material
misstatement. Paragraphs 78-98 below set out key audit areas of a
bank's financial statements, where there is often a significant risk
of material misstatement.

74. In addition to the areas set out in paragraphs 78-98, there are
other items in a bank's financial statements whose regulatory
treatment could give rise to incentives for management bias in the
recognition or measurement of such items. As a consequence, there is a
greater risk of material misstatement of these items in the financial
statements. This may lead to inappropriate application of regulatory
rules to these items and a material misstatement of the bank's capital
position. Examples of such items are deferred tax assets, investments
in unconsolidated entities, pension fund assets, and the
classification of financial instruments. External auditors should
therefore be alert to any likelihood that the treatment of such items
in the financial statements is influenced by management bias towards a
desired regulatory outcome and consider this in their risk assessment
of the bank. External auditors should also be aware that management
bias may change over time depending on, for example, the extent to
which the bank is able to meet its regulatory requirements. External
auditors should evaluate estimates which may be subject to this bias,
and any potential audit differences otherwise identified, in the
context of the impact on regulatory capital or regulatory capital
ratios, consistent with paragraph 64.

75. Areas of significant risk of material
misstatement particularly require an external auditor to apply
professional judgment and experience. Internationally accepted
auditing standards require that the external auditor obtain sufficient
appropriate audit evidence regarding the assessed risks of material
misstatement, through designing and implementing appropriate responses
to those risks.

76. Internationally accepted auditing standards require special audit
consideration for areas where significant risks of material
misstatement are identified. Given that these areas are associated
with issues that the external auditor identifies as highly important
for the bank, these areas are worthy of discussion with those charged
with governance.

77. As the categories of what may be a significant risk for a bank may
change over time, the list of audit areas provided in paragraphs 78-98
of this document as areas where there is often a significant risk of
material misstatement is not intended to be comprehensive.

Loan loss provisioning

78. Loan loss provisioning
is generally material for a bank's financial statements and the
calculation of capital and key performance metrics. The measurement of
loan loss provisions in accordance with internationally accepted
accounting principles involves complex judgments about credit risk
which may be subjective in nature.

79. The factors that the external auditor needs to consider in
identifying and assessing the significant risks of material
misstatement in relation to loan loss provisioning and the related
allowance for loan losses include:
(a) The estimation techniques used to compute provisions and how the
techniques vary among and within banks.
(b) How management has assessed the effect of estimation uncertainty
on the level of provisioning, and the effect such uncertainty may have
on the appropriateness of the recognised provision and the sufficiency
of the related allowance for loan losses in the financial statements.
(c) All known and relevant impairment indicators for loan exposures
which include previously unexpected adverse developments in the market
or economic environment, adverse movement in interest rates,
restructuring, inadequate underwriting policies adopted by the bank,
overdue payments, failure of the borrower to meet budgeted revenues or
net income, covenant breaches and forbearance.
(d) Whether the bank has sought perspectives and data from different
functions within the bank, including risk management, credit and
internal audit, as well as reliable sources external to the bank,
including peer data and regulator perspectives so as to consider all
relevant and available information in assessing impairment.
(e) Accounting rules for provisioning may differ
from the provisioning rules that apply for regulatory reporting or
capital purposes. It may therefore be customary for banks to have
different processes and systems to generate loan loss provisions for
accounting purposes and for regulatory purposes. Further, there can be
material differences in the application of the same set of accounting
and/or regulatory rules by individual banks. Large differences between
provisions for accounting purposes and for regulatory purposes may
indicate a risk of material misstatement of the accounting provision.
In addition, whilst for regulatory capital purposes under the Basel
framework the accounting loan loss provision for internal
ratings-based approach (IRB) portfolios is replaced by the regulatory
expected loss provision, the level of the accounting provision may
nevertheless have an impact on the level or the composition of
regulatory capital, due to the treatment of the tax effect of
provisions and the allocation of any excess provision to capital
tiers. External auditors should be alert to any management bias in
this area.
(f) Disclosures should enable users to assess the loan loss
provisioning methodology applied by the bank, regarding how it relates
to credit risk for that bank, and how it compares with methodologies
applied across the banking sector.

Financial instruments measured at fair value

80. A bank's portfolio of financial
instruments measured at fair value can range from plain vanilla
financial instruments which are frequently traded in liquid markets
with observable market prices, and involve less measurement
uncertainty, to those which are customised, complex, and where the
valuation is based on significant unobservable inputs with a
substantial amount of management judgment. Financial instruments
measured at fair value also include financial instruments that are
subject to an impairment assessment which is a key area of judgment.

81. Where there are changes in the composition of a bank's portfolio
of financial instruments, whether due to changes in customer demand,
the bank's approach to managing risk and liquidity, or changes in
prudential regulation, the bank will need to evaluate any accounting
implications of the changes.

82. Accounting standards contain requirements on recognition; initial
and subsequent measurement (including impairment); reclassification
from fair value to amortised cost; presentation; and disclosures.
Because these requirements are complex, they may be difficult to
interpret and apply, and therefore the external auditor often needs to
utilise more complex and wider-ranging audit procedures to obtain
sufficient appropriate audit evidence to satisfy him/herself that the
financial statements are not materially misstated. The classification
of an individual financial instrument may be particularly important
for achieving a favourable regulatory outcome.

83. In adopting a sceptical approach to management's assumptions
regarding the valuation of financial instruments for which there are
significant unobservable inputs, IAPN 1000, Special considerations in
auditing financial instruments, sets out specific audit procedures
that may be followed in auditing financial instruments measured at
fair value.

Liabilities including contingent liabilities arising from
non-compliance with laws and regulations, and contractual breaches

84. Non-compliance with, or material breaches of,
the prudential framework, conduct requirements, legal requirements or
contractual agreements could lead to legal or supervisory actions
against a bank, thereby exposing the bank to potential litigation
and/or the imposition of substantial penalties. Such events may
require recognition of provisions, contingent liabilities and/or
qualitative disclosures in the bank's financial statements. Further,
any adverse impact on the bank's reputation resulting from this
non-compliance could have consequences for the bank's going concern
assessment.

85. In the course of the audit, the external auditor should remain
alert to actual or suspected breaches of prudential regulations,
particularly those that are likely to be of material significance to
the functions of the supervisor. As noted in Section 6 below, if the
external auditor identifies any such breaches of material
significance, the auditor should notify the supervisor immediately.

Disclosures

86. A number of factors have
contributed to an increased demand from users for more relevant and
extensive qualitative and quantitative disclosures. These include the
increased complexity of business transactions, including off-balance
sheet transactions and non-recognition of assets and liabilities, and
increased use of fair value and other accounting estimates, with
significant uncertainties and changes in measurement attributes.

87. While accounting standards specify disclosure objectives, the
standards may not always prescribe in all circumstances specific
disclosures to meet those objectives. Therefore, there may be a
substantial amount of judgment in assessing whether disclosures are
presented fairly in accordance with the disclosure objectives in the
relevant accounting framework.

88. Increased transparency through fairly presented public disclosures
enhances market confidence. It is therefore important that the bank
provide disclosures which present the bank's financial condition, the
risks to which it is exposed and how they are managed, and are
meaningful and responsive to changes in market conditions and
perceived risks.

89. In responding to the significant risks in this area of audit, the
external auditor has an important role to play in encouraging
consistent and meaningful disclosures which present the bank's
financial condition in a way that is informative and understandable to
users of financial statements.

90. In the course of its audit work, the external auditor should be
alert to any indications that disclosures in financial statements are
not consistent with the bank's prudential information such as capital
adequacy and liquidity position disclosures within the financial
statements.

Going concern assessment

91. A going concern gives rise to
two separate issues:
(a) whether the going concern basis of preparation of financial statements is appropriate; and
(b) the external auditor's evaluation of the bank's assessment of its ability to continue to meet its obligations for the foreseeable future (for at least 12 months after the date of the financial statements) and whether there are material uncertainties in this regard that should be disclosed in the applicable accounting framework.

92. The work the external auditor performs to assess the going concern status of a bank is different from that likely to be performed for a non-bank entity because of the contractual terms of bank assets and liabilities (maturity mismatch), the potential for regulatory intervention, and the impact that the signalling of any uncertainty over the bank's ability to continue as a going concern could have on the short-term viability of the bank.

93. Examples of reasons that make the going concern assessment
of a bank unique are as follows:
(a) Current emerging risks and concerns specific to the bank or the banking industry as a whole may have an impact on the historical trends for the specific bank in such a manner that the historical trends may not reflect the likely trend over the next year. For example, during periods of market turmoil, normal sources of funding may no longer be available, as deposits payable on demand may run off more quickly than historical experience would contemplate and such deposits may be difficult to replace.
(b) As banks are highly leveraged, a small change in asset valuation may have a substantial impact on the adequacy of a bank's regulatory capital. Market risks may be such that financial instruments held at fair value may be subject to substantial changes in value in the short term and significant volatility over the longer term. A decrease in regulatory capital may result in a downgrade by rating agencies making funding more expensive and possibly harder to obtain.

94. Given these and other risks, banks are required to meet liquidity requirements and capital ratios set by the bank supervisory authority. There should be equal emphasis on the evaluation of liquidity and solvency of the bank for the period over
which the going concern assumption has been assessed:
(a) Liquidity: Factors to assess include the reasonableness and reliability of the cash forecast for at least 12 months after the date of the financial statements, liquidity risk disclosures, regulatory or contractual restrictions on cash, loan covenants, and pension funding.
(b) Solvency: Given the potential adverse impact of capital adequacy concerns on the confidence in a bank and, as a consequence, on the bank operating as a going concern, the external auditor will need to consider the robustness of the bank's system for managing capital. In addition, the external auditor will need to consider the capital position in relation to the current and any known future capital requirements, definitions of capital resources, and challenges of raising capital. This is particularly critical where capital levels are strained, access to capital resources is restricted or where, for example, the bank's annual report or internal capital projections include ambitious projections of improvements in capital levels.

95. In responding to the significant risks in this area of audit, and assessing management's assertion that a bank is a going
concern, factors which are necessary to consider are:
(a) the robustness of the bank's own systems and controls for managing liquidity, capital and market risk;
(b) the prudential information that is reported to supervisors covering the bank's solvency and capital;
(c) any external indicators that reveal liquidity or funding concerns; and
(d) the availability of short-term liquidity support.

96. Given the above risks and the possible systemic implications, if there are any significant doubts which may cause material uncertainty over the bank's ability to continue as a going concern, and if the external auditor considers referring to the going concern issue in the audit report, the external auditor should promptly communicate this fact to the supervisors.

Securitisations SPEs

97. The banking sector is involved in activities such as sponsoring (or originating) structured products/transactions that support maturity, credit and liquidity transformation risks more often than other industry sectors. The sponsoring bank does not ordinarily fund such activities. The funding is generally provided by other parties. However, the sponsoring bank may be exposed to risks such as reputational risk in the event of the sponsored entity encountering financial or operational difficulties.

98. Such activities require special consideration by the
external auditor and are of interest to the supervisor for the following reasons:
(a) Accounting concern: Accounting frameworks are often principles-based, which may result in different treatments of each of these complex transactions. In addition, because these are highly structured products, their accounting treatment may vary based on the facts and circumstances of each transaction, eg where SPEs are tailored to remain off the bank's balance sheet. In these instances, it is necessary for the auditor to evaluate the judgments made by the management and consider whether the accounting treatment is appropriate and the disclosures are sufficient.
(b) Regulatory concern: Because of the complexity of the securitisation and the chain of financial intermediation, the sponsoring bank in an originate to distribute model may underestimate the real risk transferred or the risk retained on its balance sheet (including reputation risk and conflicts of interest in case of defaults on the securitised assets). Even so, the originator may be able to benefit from an off-balance sheet treatment for the assets underlying these transactions and hence may not be required to hold additional regulatory capital unless specifically required by the supervisor. The external auditor should be alert to when the supervisor requires additional capital even though the off-balance sheet accounting treatment applied by the bank is appropriate.
(c) Interconnectivity: Increases the correlation between banks and other non-banking sectors,
which can add to the global systemic risk.

5. Supervisory expectations with regard to a bank's audit committee and its relationship with the external auditor

99. The BCBS's paper on the Internal audit function in banks (June 2012) and its paper on Principles for enhancing corporate governance (October 2010) describe the main responsibilities of a bank's audit committee. The audit committee has, amongst others, a number of responsibilities with respect to the external auditor and the statutory audit. The audit committee approves, or recommends to the board of directors for approval, the appointment, reappointment, dismissal and compensation of the external auditor. The audit committee also monitors and assesses the independence of the external auditor.

100. The audit committee oversees the bank's statutory audit process. Key aspects of the audit committee's work encompass the assessment of the effectiveness of the external audit process. The audit committee should require that senior management take the necessary corrective actions to address the findings and recommendations of the external auditor in a timely manner.

101. The discussion below
focuses on the audit committee's responsibilities in relation to the oversight of, and its relationship with, the external auditor to promote and support the integrity, objectivity and independence of the auditor, the quality of the external audit and the competencies that underpin that quality. To enable the audit committee to carry out its oversight responsibilities, which also contribute to the effectiveness of the audit process, the principles in this section promote effective two-way communication between the audit committee and the external auditor. It is important to note that all the discussions below stem from an important overarching principle: namely, that there should be a frank, open working relationship and a high level of mutual respect amongst all parties involved.

102. The principles and explanatory guidance in this section form the basis for the supervisor's monitoring of the effectiveness of the audit committee in its oversight of the external auditor.

Appointment of the external auditor

Principle 7: The audit committee should have a robust process for approving, or recommending for approval, the appointment, reappointment, removal and remuneration of the external auditor.

103. The audit committee has the primary
responsibility for approving, or recommending to the board of directors for approval, the appointment, reappointment, removal and remuneration of the external auditor. In doing so, the audit committee should determine appropriate criteria for selecting the external auditor and regularly assess the knowledge, competence, independence (see Principle 8 below) of the external auditor and effectiveness (see Principle 9 below) of the external audit, having due regard to the guidance in Section 4.

104. The audit committee's procedures for approving or recommending the approval of the external auditor should also include a risk assessment of the likelihood of the withdrawal of the external auditor from the audit, and how the bank would respond to that risk.

105. The audit committee should contribute a section to the bank's annual report which explains the approach taken regarding the recommendation of the appointment or reappointment of the external auditor, and should include supporting information on the tenure of the incumbent auditor.

106. If the board of directors has approval
responsibilities with respect to the external auditor, but does not accept the audit committee's recommendation, it should include in the annual report, and in any papers relating to the appointment/reappointment/dismissal of the external auditor, a statement explaining the audit committee's recommendation and the reasons why the board of directors has taken a different position.

107. The audit committee should assess the overall quality of the external auditor, prior to its first appointment and at least annually thereafter. To that end, the audit committee should request that the external auditor report on the external auditor's own internal quality control procedures, including the audit firm's EQCR process, and any significant matters of concern arising from these procedures. The audit committee should also consider, where available, the external audit firm's annual transparency report and any inspection reports on the audit firm issued by the relevant oversight body.

108. The audit committee should maintain an understanding and knowledge of:
- the structure and governance of the audit firm;
- the current nature of the audit environment,
including any overseas jurisdictions where the bank operates;
- significant issues and concerns raised by the relevant audit oversight body regarding the audit firm, and the auditor's action in addressing these concerns, to understand how these shortcomings may affect the quality of the audit of the bank;
- the nature of banking regulatory actions and conditions that could have an impact on the external auditor's work on the bank, including any regulatory actions and conditions specific to the bank being audited, or to actions and conditions that the supervisor is imposing on all banks (for example, through newly implemented regulations and policies); and
- public lessons learned from any recent external audit failures associated with the bank's audit firm and how the firm has dealt with them so that similar deficiencies do not occur.

109. The audit committee should also satisfy itself that the level of the audit fees is commensurate with the scope of work undertaken. Where fee reductions are offered and accepted, the audit committee should seek assurance that these reductions do not imply an inappropriate increase in the materiality level to be applied by the external auditor, or a narrowing of the external auditor's proposed scope of the audit, or a reduction in the attention which will be given to each business component and the significant audit risks identified.

110. The audit committee should discuss and agree to the terms of the engagement letter issued by the external auditor
prior to the approval of the engagement. Where relevant, the audit committee should agree to an engagement letter that has been updated to reflect changes in circumstances, such as those arising from changes in legal requirements and changes in the scope of the external auditor's work as a result of revisions to internationally accepted auditing standards which have arisen since the previous year.

111. If the external auditor resigns or communicates an intention to resign, the audit committee should follow up on the reasons/explanations giving rise to such resignation and consider whether the audit committee needs to take any action in response to those reasons.

Independence of the external auditors

Principle 8: The audit committee should monitor and assess the independence of the external auditor.

112. The independence of the external auditor is one of the main prerequisites for an adequate level of audit quality. As such, the audit committee should understand the applicable independence requirements. The audit committee should have procedures to monitor and assess the independence of the external auditor at least annually, taking into consideration relevant
national laws, regulations and professional requirements. The assessment should also involve a consideration of all relationships between the bank and the audit firm (including the provision of non-audit services) and any safeguards established by the external auditor.

113. Where the audit firm has been the external auditor of the bank for many years, there may be a perception that there is a familiarity or self-interest threat to the external auditor's objectivity and independence in its audit of the bank. However, when the bank changes its external auditor, there is a risk that the depth of understanding of the bank and its activities and systems will be lost. This may affect the new external auditor's ability to identify risks of material financial statement misstatements and respond to them appropriately, and hence may detract from the quality of the audit.

114. Audit committees should have a policy in place that stipulates the frequency with which there should be a tender for the external audit contract. The policy should also call for the audit committee to consider periodically whether there should be a limit to the length of an external auditor's tenure as the bank's external auditor given the potential impact of audit firm rotation on independence and audit quality.

115. Audit committees should understand the audit firm's policy on rotation of members of the audit engagement team and the audit firm's compliance with any jurisdictional or other local regulatory requirements in this regard.

116. As described in Principle 2, the audit committee should seek assurance that
the audit engagement team members and their firm and, when applicable, the network external auditors have no financial, personal, business or other relationships with the bank which could adversely affect the auditor's actual or perceived independence and objectivity. The audit committee should seek from the external auditor, at least on an annual basis, information about the audit firm's policies and processes for maintaining independence and monitoring compliance with the relevant independence requirements.

117. Audit committees of banks should develop a formal policy which governs the acceptance of non-audit services provided by the auditor. Amongst other provisions, the policy should include criteria for the types of non-audit services that the external auditor may provide or is prohibited from providing, and rules stipulating when advance approval by the audit committee is required for the auditor's performance of non-audit services. The policy should be reviewed periodically and compliance should be monitored, taking into account the contents of Section 4 of this document.

118. Where non-audit services are provided by the external auditor, the audit committee should monitor and establish that the provision of such services does not impair the external
auditor's objectivity and independence, taking into consideration various factors including the skills and experience of the external auditor, safeguards in place to mitigate any threat to objectivity and independence, and the nature of and arrangements for non-audit fees.

119. Where the external auditor provides non-audit services to the bank, the bank's annual report should explain to shareholders the nature of and the fee arrangements for the non-audit services received, and how auditor independence is safeguarded.

Effectiveness of the external audit

Principle 9: The audit committee should monitor and assess the effectiveness of the external audit.

120. At the start of each audit, the audit committee should consider whether the audit approach is appropriate, including considerations on the audit scope, the level of materiality, areas of focus and whether planned audit procedures address the areas of significant risk for the bank, in particular those areas described in Section 4 of this document.

121. The audit committee should consider whether the proposed resources to execute the audit plan are reasonable given the scope of the audit engagement, the nature and complexity of the bank's operations, and its structure and activities. The audit committee should understand the nature and extent of audit work that the external auditor intends to rely upon where the audit work is performed by network firm personnel or other audit firms.

122. The audit committee should obtain confirmation from the
external auditor that there is adequate knowledge, competence and expertise within the audit engagement team and that the audit will be conducted in compliance with internationally accepted auditing standards, as well as any applicable laws and regulations.

123. The audit committee should discuss with the external auditor the findings of the latter's work. In the course of its monitoring, the audit committee should:
- Obtain an understanding of the external auditor's view on any major issues that arose during the audit (including those issues that were subsequently resolved as well as those that have been left unresolved), in particular the external auditor's explanation of the significant judgments the audit engagement team made and the conclusions it reached. This should include the discussions with management and the judgments involved, the range of possible outcomes and, where available, a comparison of the bank's position with that of its peer group (on an anonymous basis), including a comparison with previous periods on such major issues;
- Obtain an understanding of the rationale behind the final conclusions drawn by the audit engagement partner on significant accounting and auditing matters, particularly in those circumstances where the audit engagement partner's conclusions differed from those of the engagement quality control reviewer; and
- Review the nature and levels of misstatements identified during the audit, obtaining explanations from management and, where necessary, the external auditor as to
why certain errors might remain unadjusted.

124. The audit committee should also discuss with the external auditor the audit representation letters before signature by the board of directors/senior management and give particular consideration to matters where specific representation has been requested. The audit committee should consider whether the information provided on each of the items in the representation letters is complete and appropriate based on its own knowledge.

125. As part of the ongoing monitoring process, the audit committee should discuss with the auditor the management letter (or equivalent) and any other audit-related reports provided to the bank. In particular, the audit committee should discuss with the external auditor any significant deficiencies identified in the bank's control environment and in its internal control over financial reporting.

126. At the end of the audit engagement period, the audit committee should:
- consider whether the audit firm has followed its audit plan and understand the reasons for any changes, including changes in perceived audit risks and the work undertaken by the external auditor to address those risks;
- obtain feedback about the conduct of the audit from key bank personnel involved, eg the heads of finance and internal audit; and
- report to the board of directors on the effectiveness of the external audit
process.

127. The audit committee should seek to obtain information from the external auditor on the main findings of audit quality reviews of the bank's audit and the audit firm's quality control systems by audit oversight bodies.

Relationship between the audit committee and the external auditor

Principle 10: The audit committee should have effective communication with the external auditor to enable the audit committee to carry out its oversight responsibilities and to enhance the quality of the audit.

128. The foundation for an effective relationship is regular, timely, open and honest communication between the audit committee and the external auditor. Regular dialogue between the two parties should be held throughout the reporting cycle of the bank.

129. While both cooperation and challenges are needed between the external auditor and the audit committee for the external audit to be effective, the need for cooperation should never prevent robust challenges from being made when needed. Such challenges are a key responsibility of the audit committee and are part of the productive dialogue on key judgments that can result in stronger and deeper understanding of and views on the positions of all parties.

130. In order to reinforce the audit
committee's effectiveness and enhance the quality of the audit, the audit committee should consider inviting the external auditor to attend audit committee meetings (except when discussing matters in relation to the assessment of the external auditor), even if there are no items explicitly relevant to the external audit on the agenda. The external auditor's attendance should facilitate the exchange of views on business performance, risk and other topics. Further, to enhance audit quality, the audit committee should consider, if necessary, assisting the external auditor to gain access to any other committee meetings that the external auditor determines to be relevant for the auditor's work.

131. The audit committee should have the right and authority to meet regularly in the absence of executive management with the external auditor. This will enable the audit committee to understand and discuss all issues that may have arisen between the external auditor and bank management in the course of the external audit and how these issues have been resolved. In addition, these meetings should address any other matters that the external auditor believes the audit committee should be aware of in order to exercise its responsibilities.

132. The audit committee should
discuss with the auditor any matters arising from the statutory audit that may have an impact on regulatory capital or disclosures. This may include discussion of the interaction between the accounting information and the regulatory information, eg accounting impairment charges versus regulatory expected losses, or the consistency of the bank's Pillar 3 reporting with its annual report.

133. The audit committee should discuss with the external auditor any significant issues identified in the course of the audit, in particular in areas which could be relevant to future financial statements, to promote early discussion and planning. This includes upcoming changes in accounting standards or regulations and the consequences of material transactions.

134. The audit committee should also communicate to the external auditor matters that are likely to be of significant influence on the conduct of the statutory audit. Such matters may encompass subjects that the audit committee believes warrant particular attention, significant communications with the supervisor, or other matters that the audit committee considers may influence the audit of the financial statements.

Reporting by the external auditor to the audit committee

Principle 11: The audit committee should require the external auditor to report to it on all relevant matters to enable the audit committee to carry out its oversight responsibilities.

135. In some jurisdictions, as part of the statutory audit, the auditors are also required by law or regulations to express an opinion on the control environment of the bank and provide additional reporting of matters identified accordingly. The explanatory guidance in the following paragraphs only covers reporting to the audit committee that may be requir