Risk management presentation April 1 2013

International Association of Risk and Compliance Professionals (IARCP)
http://www.risk-compliance-association.com

Every Monday
Top 10 risk and compliance management related news stories and world events
Do you want to receive (at no cost) every Monday the Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next?
You can register at:
http://www.risk-compliance-association.com/Top_10_Risk_Compliance_Management_Stories_Events.html

Receive the New Member Orientation Newsletters
You will have the opportunity to learn (at no cost) what members registered before you have already learned. Understand better risk and compliance management, projects, careers, challenges and opportunities.
You can register at:
http://www.risk-compliance-association.com/New_Member_Orientation_Newsletters.html

Published in: Business, Economy & Finance

  1. International Association of Risk and Compliance Professionals (IARCP)
     1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
     Tel: 202-449-9750 www.risk-compliance-association.com

     Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

     Dear Member,

     Today I will start with the job description that made my day: Basel II/III and Solvency II risk specialist, Mandarin Speaking!!!

     Basel III Risk Specialist - Mandarin Speaking
     Leading Global Investment Bank, London

     A Leading Global Investment Bank is Expanding the Regulatory Risk Function with the hire of a Basel III Risk Specialist for their London Group.

     - Basel III Regulatory Risk Specialist
     - Leading Global Investment Bank
     - Mandarin Speaking
     - London, UK
     - 50,000+ Excellent Bonus Benefits

     As a key member of the risk group you will be communicating extensively with senior management on a global scale including direct contact with senior management in Hong Kong and Shanghai and will therefore require Mandarin speaking skills at business level proficiency.

     A Pillar 3 Disclosure??
  2. An expert in regulatory frameworks, you will have practical understanding of Basel II/III and knowledge of Solvency II ICAAP is also highly preferred.

     This is a mid-level position within the group and will require a minimum of 3 years industry experience within the London and/or International Financial Markets.

     It is never too late to learn Mandarin. It looks easy!

     Amazing job description…

     Just one slight problem with this job description: You cannot have knowledge of Solvency II ICAAP … simply because there is nothing like a Solvency II ICAAP … perhaps they mean Solvency II ORSA (Own Risk and Solvency Assessment, the Pillar 2 document).

     It reminds me of another job description, where they required 5+ years of Basel III experience. Provided that Basel III was endorsed at the end of 2010, they could hire someone after 2015…

     Another development: Auditors… it is your turn to suffer the consequences of the crisis…

     According to the BIS,

     The recent financial crisis not only revealed weaknesses in risk management, control and governance processes at
  3. banks, but also highlighted the need to improve the quality of external audits of banks.

     Given the central role banks play in contributing to financial stability, and therefore the need for market confidence in the quality of external audits of banks' financial statements, the Basel Committee is issuing for consultation this guidance on external audits of banks.

     This document describes, through sixteen principles and explanatory guidance, supervisory expectations regarding audit quality and how that relates to the external auditor's work in a bank.

     Read more at Number 1 below.

     Welcome to the Top 10 list.
  4. External audits of banks

     Given the central role banks play in contributing to financial stability, and therefore the need for market confidence in the quality of external audits of banks' financial statements, the Basel Committee is issuing for consultation this guidance on external audits of banks.

     This document describes, through sixteen principles and explanatory guidance, supervisory expectations regarding audit quality and how that relates to the external auditor's work in a bank.

     Meeting of the G20 Finance Ministers and Central Bank Governors
     Update by the IASB and FASB
     Convergence projects

     This report is a high-level update on the status and timeline of the remaining convergence projects.

     To G20 Ministers and Central Bank Governors
     Progress of Financial Regulatory Reforms
  5. EIOPA
     The new Risk Dashboard

     Focusing on Low- and Moderate-Income Working Americans
     Governor Sarah Bloom Raskin, Board of Governors of the Federal Reserve System
     At the National Community Reinvestment Coalition Annual Conference, Washington, D.C.

     Islamic capital and money markets
     Welcoming remarks by Mr Peter Pang, Deputy Chief Executive, Hong Kong Monetary Authority, at the workshop on "Islamic capital and money markets", Hong Kong

     Interview with Gabriel Bernardino, Chairman of EIOPA, conducted by Nataša Gajski Kovačić, Svijet osiguranja (Croatia)
  6. Reviewing filings for smaller public companies
     These slides were presented at the Forums on Auditing in the Small Business Environment hosted by the PCAOB during 2012.

     The Global Financial Sector—Transforming the Landscape
     By Christine Lagarde, Managing Director, International Monetary Fund, Frankfurt Finance Summit

     Managing structural risks in the Swedish banking sector
     Speech by Mr Stefan Ingves, Governor of the Sveriges Riksbank and Chairman of the Basel Committee on Banking Supervision, at Affärsvärlden's "Bank & Finans Outlook", Stockholm
  7. External audits of banks

     The recent financial crisis not only revealed weaknesses in risk management, control and governance processes at banks, but also highlighted the need to improve the quality of external audits of banks.

     Given the central role banks play in contributing to financial stability, and therefore the need for market confidence in the quality of external audits of banks' financial statements, the Basel Committee is issuing for consultation this guidance on external audits of banks.

     This document describes, through sixteen principles and explanatory guidance, supervisory expectations regarding audit quality and how that relates to the external auditor's work in a bank.

     Implementation of the principles and the explanatory guidance is expected to improve the quality of bank audits and enhance the effectiveness of prudential supervision which is an important element of financial stability.

     This document sets out supervisory expectations of how:

     - external auditors can discharge their responsibilities more effectively;
     - audit committees can contribute to audit quality in their oversight of the external audit;
     - an effective relationship between the external auditor and the supervisor, which allows greater mutual understanding about the respective roles and responsibilities of supervisors and external
  8. auditors, can lead to regular communication of mutually useful information; and
     - regular and effective dialogue between the banking supervisory authorities and relevant audit oversight bodies can enhance the quality of bank audits.

     This document enhances and supersedes the Committee's guidance The relationship between banking supervisors and banks' external auditors (2002) and External audit quality and banking supervision (2008).

     In addition to the proposed guidance, the Committee is publishing a letter to the International Auditing and Assurance Standards Board (IAASB) on areas where it believes International Standards on Auditing could be enhanced.

     Serving as an observer on the Basel Committee group that developed the revised guidance, the IAASB provided helpful and meaningful input to this effort.

     Comments on the proposals should be submitted by Friday 21 June 2013 by e-mail to: baselcommittee@bis.org.

     Alternatively, comments may be sent by post to: Secretariat of the Basel Committee on Banking Supervision, Bank for International Settlements, CH-4002 Basel, Switzerland.

     All comments may be published on the website of the Bank for International Settlements unless a comment contributor specifically requests confidential treatment.
  9. External audits of banks

     1. Executive summary

     1. The recent financial crisis not only revealed weaknesses in risk management, control and governance processes at banks, but also highlighted the need to improve the quality of external audits of banks.

     Given the central role banks play in contributing to financial stability, and therefore the need for market confidence in the quality of external audits of banks' financial statements, the Basel Committee on Banking Supervision (the Committee) is issuing this document on external audits of banks.

     It forms part of the Committee's commitment to help improve audit quality at banks.

     This document enhances and replaces The relationship between banking supervisors and banks' external auditors (January 2002) and External audit quality and banking supervision (December 2008).

     2. Implementation of the 16 principles and observation of the explanatory guidance in this document are expected to improve the quality of bank audits and enhance the effectiveness of prudential supervision, which will then contribute to financial stability.

     Through these principles and explanatory guidance, the document describes supervisory expectations regarding audit quality and how that relates to the external auditor's work in a bank.

     This document specifically sets out supervisory expectations of how:

     (a) external auditors can discharge their responsibilities more effectively;
     (b) audit committees can contribute to audit quality in their oversight of the external audit;
     (c) an effective relationship between the external auditor and the supervisor, which allows greater mutual understanding about the
  10. respective roles and responsibilities of supervisors and external auditors, can lead to regular communication of mutually useful information; and
      (d) regular and effective dialogue between the banking supervisory authorities and the relevant audit oversight bodies can enhance the quality of bank audits.

      3. The document also notes the Committee's continued commitment to work through international bodies to enhance audit quality.

      2. Introduction, application, structure and the Committee's international engagement

      Introduction

      4. The banking sector is unique among sectors of the economy because it plays a central role in contributing to the financial stability of and the provision of financial resources to the economy.

      This sector includes major global banks that are systemically important banks (SIBs), the failure of one or more of which could trigger a global financial crisis.

      In addition, banks have a unique operating model.

      5. Supervisors are primarily concerned with maintaining the stability of the banking system and fostering the safety and soundness of individual banks in order to maintain market confidence and protect the interests of depositors.

      Consequently, to enhance the effectiveness of supervision, supervisors have a keen interest in the quality with which external auditors perform bank audits.

      Building effective relationships with external auditors can also enhance banking supervision.
  11. 6. An external auditor plans and performs the audit of a bank's financial statements to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatements, whether due to fraud or error, and are prepared, in all material respects, in accordance with an applicable financial reporting framework.

      In many ways, the supervisor and the external auditor have complementary concerns regarding the same matters.

      For example, the audit of financial statements may help identify weaknesses in internal controls relating to financial reporting at a bank which may, therefore, inform supervisory efforts in this area and contribute to a safe and sound banking system.

      7. Although the focus of this document is on the quality of the audit performed by the external auditor, an audit in accordance with internationally accepted auditing standards is conducted on the premise that the management and, where appropriate, those charged with governance have acknowledged certain responsibilities that are fundamental to the conduct of the audit.

      The audit of the financial statements does not relieve management or those charged with governance of their responsibilities.

      8. The Basel Committee on Banking Supervision's Core Principles for Effective Banking Supervision (September 2012, Core Principles) provide a framework of minimum standards for sound supervisory practices and are considered universally applicable.

      Core Principle 27 focuses on prudential regulations and requirements for banks in relation to financial reporting and external audits.

      This guidance set out in this document is consistent with Core Principle 27.

      9. The application and the structure of each section in this document are described below, followed by an outline of the key international
  12. relationships between the Committee and other groups relevant to external auditing.

      Application

      10. This document applies to the following entities subject to a statutory audit:

      - all banks, including those within a banking group;
      - holding companies whose subsidiaries are predominantly banks; and
      - holding companies subject to prudential supervision whose subsidiaries are predominantly banks.

      All of these structures are referred to as banks or banking organisations in this document.

      11. The implementation of the principles set forth in this document should be proportionate to the size, complexity, structure, economic significance and risk profile of the bank and the group (if any) to which it belongs.

      The Committee recognises that some countries have found it appropriate to adopt legal frameworks and standards (eg for listed firms), as well as accounting and auditing standards, which may be more extensive and prescriptive than the principles and explanatory guidance set forth herein.

      Such frameworks and standards tend to be particularly relevant for larger or publicly traded banks or financial institutions.

      12. This document has been prepared with the full awareness that significant differences exist in national institutional, legislative and regulatory frameworks amongst jurisdictions, including accounting and auditing standards, supervisory techniques and institutional corporate governance structures.

      Supervisors should clearly communicate the recommendations contained herein to the banks they supervise and their respective external auditors,
  13. and articulate the measures banks and external auditors should undertake to meet these best practices, where possible.

      13. The principles set out in this document should be applied in accordance with the national legislation and corporate governance structures applicable in each country.

      14. The following terms are used in this document, with the meanings specified:

      - Financial statement audit – An audit of a bank's financial statements by an external auditor in accordance with internationally accepted auditing standards.

      - Statutory audit – An audit carried out to comply with the requirements of particular legislation or regulations.
        In some jurisdictions, this may include only the financial statement audit.
        In other jurisdictions, this may also include extended reporting by external auditors on matters such as internal controls and regulatory returns.

      - External auditor – The audit firm and the individual audit engagement team members.
        Where relevant, specific references are made to the audit firm or the individual audit engagement team members in certain paragraphs.

      - Banking supervisory authority – The body responsible for promoting the safety and soundness of banks and the banking system in a particular jurisdiction, including the persons who are involved with supervisory policy setting and policy issues, including policies regarding accounting and auditing.

      - Supervisor – The group of supervisory personnel at a banking supervisory authority who are directly involved with the supervision/examination of a specific institution.
  14. - Board and senior management – The governance structure at a bank composed of a board and senior management.
        The Committee recognises that there are significant differences in the legislative and regulatory frameworks across countries regarding these functions.
        Some countries use a two-tier structure, where the supervisory function of the board is performed by a separate entity known as a supervisory board, which has no executive functions.
        Other countries, by contrast, use a one-tier structure in which the board has a broader role.
        Still other countries have moved or are moving to an approach that discourages or prohibits executives from serving on the board or limits their number and/or requires the board and board committees to be chaired only by non-executive board members.
        Given these differences, this document does not advocate a specific board structure.
        The terms "board" and "senior management" are only used as a way to refer to the oversight function and the management function in general and should be interpreted throughout the document in accordance with the applicable law within each jurisdiction.

      - Audit committee – A specialised committee established by the board, the mandate, scope and working procedures for which are set out in a charter or other instrument.
        As stated in the BCBS paper on Principles for enhancing corporate governance (October 2010), to increase efficiency and allow deeper focus in specific areas, boards in many jurisdictions establish certain specialised board committees – the audit committee being one of them.
        The paper further recommends that, for large and internationally active banks, an audit committee or equivalent should be required.
        It also outlines the overall responsibilities of the audit committee.
  15. - Those charged with governance – The person(s) or organisation(s) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity as defined by internationally accepted auditing standards.
        Such person(s) or organisation(s) is (are) typically the board of directors.
        Where the board of directors establishes an audit committee in a bank to assist it in meeting its responsibilities by charging the audit committee with specific tasks and responsibilities, in such circumstances the audit committee can be viewed as taking on the role of those charged with governance in relation to those specific tasks and responsibilities.

      Structure

      The external auditor and audit quality

      15. Audit quality includes delivering an appropriate, independent professional opinion on the financial statements, in compliance with internationally accepted auditing standards.

      Internationally accepted auditing standards require the external auditor to possess and demonstrate certain attributes while applying a rigorous audit process.

      16. Given that internationally accepted auditing standards are applicable to all entities, Section 4 of this document builds upon these standards and lays out the supervisory expectations of the external auditor regarding the audit of a bank.

      Moreover, Section 4 highlights the key areas where significant risks of material misstatement in banks' financial statements often arise, which therefore require the auditor's particular attention for a quality audit.
  16. Engagement between the external auditor and the audit committee

      17. Regular and effective engagement and communication between the external auditor and the audit committee contribute to audit quality.

      18. Amongst its other responsibilities, the audit committee is responsible for overseeing the bank's external auditor.

      A soundly constituted audit committee can play a key role in contributing to audit quality.

      Section 5 discusses the audit committee's responsibilities in relation to the oversight of, and its relationship with, the external auditor.

      Engagement between the supervisor and the external auditor

      19. Effective communication between the supervisor and the external auditor enhances the effectiveness of supervision of the banking sector.

      This relationship will then also contribute to audit quality.

      20. The supervisor and the external auditor have a mutual interest in building and maintaining an effective relationship, which fosters regular communication of useful information.

      Section 6 provides principles and explanatory guidance for facilitating an effective relationship between the supervisor and the external auditor at the levels of the supervised bank, the audit firm and the accounting profession as a whole.

      Engagement between the banking supervisory authority and the audit oversight body

      21. The banking supervisory authority and the relevant audit oversight body share a strong mutual interest in ensuring quality independent audits.
  17. Regular and effective dialogue between the banking supervisory authority and the audit oversight body at a national level can assist in identifying and dealing with key issues in relation to the conduct of bank audits.

      Section 7 sets out the principles for facilitating effective communication between these bodies.

      22. Supervisors are in a unique position to identify audit quality issues at both the industry and individual audit level.

      Regular and effective engagement between the supervisor and the relevant audit oversight body may enable the supervisor to provide timely feedback on such issues.

      Additionally, the supervisor may, if necessary, take action to address issues raised by the audit oversight body.

      The Committee's international engagement on external auditing

      23. Approaches for dealing with supervisory concerns about the quality of the audit of an individual bank may differ across jurisdictions, but all approaches should be designed to contribute to enhancing audit quality.

      In its effort to promote audit quality, the Committee engages in regular dialogue and discussion with the relevant international stakeholders on external audit matters.

      These stakeholders include, but are not limited to, the following:

      - the Financial Stability Board (FSB), whose objectives include the enhancement of the effectiveness of banking supervision;
      - the Monitoring Group, which is responsible for advancing the public interest in areas related to international audit quality;
      - the Public Interest Oversight Board (PIOB), which is responsible for improving the quality and public interest focus of the international standards formulated by standard-setting boards operating under the
  18. auspices of the International Federation of Accountants (IFAC) in the areas of audit and assurance, education and ethics, including oversight of the public interest activities of three of the IFAC's independent standard-setting boards and their respective consultative advisory groups;
      - the consultative advisory groups of the International Auditing and Assurance Standards Board (IAASB) and the International Ethics Standards Board for Accountants (IESBA), which are responsible for developing international auditing and ethics standards respectively;
      - the International Forum of Independent Audit Regulators (IFIAR), which is responsible for improving audit quality globally, including through independent inspections of auditors and/or audit firms; and
      - the Global Public Policy Committee (GPPC), which is comprised of representatives from the six largest international accounting networks and focuses on public policy issues for the accounting profession.

      24. The objective of this dialogue is to enable the Committee and the relevant international stakeholders to identify and discuss relevant issues and topics on a timely basis so that supervisors, external auditors and audit oversight bodies can take appropriate action.

      As such, these discussions should address not only current issues and topics, but also emerging areas and trends that raise concern.

      3. Overview of the principles

      - Principle 1: The external auditor of a bank should have banking industry knowledge and competence sufficient to respond appropriately to the risks of material misstatement in the bank's financial statements and to properly meet any additional regulatory requirements that may be part of the statutory audit.
      - Principle 2: The external auditor of a bank should be objective and independent in fact and appearance with respect to the bank,
  19. consistent with the more stringent requirements applicable to public interest entities in internationally accepted ethical standards.
      - Principle 3: The external auditor should exercise professional scepticism when planning and performing the audit of a bank, having due regard to the specific challenges in auditing a bank.
      - Principle 4: Audit firms undertaking bank audits should comply with the more stringent requirements on quality control applicable to listed entities in internationally accepted quality control standards, having due regard to the complexity of a bank audit.
      - Principle 5: The external auditor of a bank should identify and assess the risks of material misstatement in the bank's financial statements, taking into consideration the complexities of banking activities and the need for banks to have a strong control environment.
      - Principle 6: The external auditor of a bank should respond appropriately to the significant risks of material misstatement in the bank's financial statements.
      - Principle 7: The audit committee should have a robust process for approving, or recommending for approval, the appointment, reappointment, removal and remuneration of the external auditor.
      - Principle 8: The audit committee should monitor and assess the independence of the external auditor.
      - Principle 9: The audit committee should monitor and assess the effectiveness of the external audit.
      - Principle 10: The audit committee should have effective communication with the external auditor to enable the audit committee to carry out its oversight responsibilities and to enhance the quality of the audit.
  20. - Principle 11: The audit committee should require the external auditor to report to it on all relevant matters to enable the audit committee to carry out its oversight responsibilities.
      - Principle 12: The supervisor and the external auditor should have an effective relationship that includes appropriate communication channels for the exchange of information relevant to carrying out their respective statutory responsibilities.
      - Principle 13: The external auditor should report to the supervisor matters that are likely to be of material significance to the functions of the supervisor.
      - Principle 14: There should be open, timely and regular communication between the banking supervisory authority, the audit firm and the accounting profession as a whole on key risks and systemic issues as well as a continuous exchange of views on appropriate accounting techniques and auditing issues.
      - Principle 15: There should be regular and effective dialogue between the banking supervisory authority and the relevant audit oversight body.
      - Principle 16: The banking supervisory authority and the audit oversight body should observe appropriate confidentiality requirements when sharing information.

      4. Supervisory expectations relevant to the external auditor and the external audit of financial statements

      25. External audits of financial statements performed in accordance with internationally accepted auditing standards enhance the confidence of all users, including supervisors, in the reliability of the audited financial statements and the quality of the information provided.

      26. Audits of banks should be performed in accordance with internationally accepted auditing standards.
  21. As these standards are not industry-specific, for a quality audit supervisors expect external auditors not only to comply with internationally accepted auditing standards but also to tailor their audit work in response to the significant risks and issues applicable to banks.

      27. External auditors are required to comply with applicable jurisdictional and, where relevant, internationally accepted ethical standards.

      However, given the complexity and systemic risks associated with banks, the external auditor of a bank should follow the most stringent rules for independence under these standards.

      Similarly, the external auditor of a bank should also follow the most stringent standards on quality control at the engagement level.

      28. Part A of this section describes the supervisor's expectations as a user of the bank's financial statements, specifically with respect to the external auditor's knowledge, competence, objectivity, independence, professional scepticism and quality control over the bank's audit.

      Part B identifies areas where supervisors believe there is often a significant risk of material misstatement in a bank's financial statements and factors to which the supervisor expects the external auditor to pay attention when auditing those areas.

      29. While the primary focus in this section is on the financial statement audit, particularly in Principles 5 and 6, the external auditor may identify matters in the course of the audit that are of interest to the supervisor and therefore should be considered for communication to the supervisor.

      Examples of such matters have been included in Section 6.

      30. In some jurisdictions, as part of the statutory audit, the external auditor may also undertake additional work to provide assurance on internal controls or other aspects of a bank's operations.

      The principles set out in this section provide a relevant reference for the performance of such additional work.
  22. 31. The principles and explanatory guidance set out in this section provide a framework for the supervisor's interactions with the external auditor, the audit committee and the relevant audit oversight body.

      The outcome of these interactions will inform the supervisor's views as to the quality of the external audit and contribute to the supervisory process.

      These principles and explanatory guidance also provide a framework to assist the audit committee in selecting the external auditor and in assessing the external auditor's knowledge, competence, objectivity and independence as well as the effectiveness of the audit process.

      A. The supervisor's expectations of the external auditor of a bank

      Knowledge and competence

      Principle 1: The external auditor of a bank should have banking industry knowledge and competence sufficient to respond appropriately to the risks of material misstatement in the bank's financial statements and to properly meet any additional regulatory requirements that may be part of the statutory audit.

      32. Given the complexity and diversity of banking activities, and the legal and regulatory framework in which banks operate, the external auditor of a bank should have specialised knowledge and competence in auditing banks and should use experts as appropriate.

      Knowledge

      33. The resources required to perform the audit should be such that the audit engagement team, as a whole, has:

      - proficient knowledge and understanding of, and practical experience with, the banking sector, associated banking industry and bank-specific risks, and the operations and activities of banks and bank audits.
  23. The audit engagement team may acquire this proficiency through specific training, participation in bank audits or work in the banking sector;

      - proficient knowledge of applicable accounting, assurance and ethical standards, industry practice and relevant guidance such as International Auditing Practice Note (IAPN) 1000;

      - proficient knowledge of relevant regulatory requirements in the areas of capital and liquidity, and a general understanding of the legal and regulatory framework applicable to banks; and

      - proficient knowledge and understanding of IT relevant to bank audits.

      34. In addition, the external auditor should consider whether the audit engagement team should include specialists with a high degree of technical accounting knowledge relevant to banking, particularly given the complexity of the requirements of the applicable financial reporting framework pertaining to accounting estimates, including loan loss provisions, fair value measurements, and any areas known to be subject to differing interpretation or inconsistent or developing practices.

      Competence

      35. Audit firms should have documented policies and procedures that set minimum competency criteria for members of a bank’s audit engagement team.

      36. Supervisors may have the ability to influence the competency requirements for external auditors. Where regulations and standards in particular jurisdictions do not include specific competency requirements for banks’ external auditors, the supervisor may encourage professional and regulatory bodies to introduce requirements regarding training in, and experience with, bank auditing and accounting so that the audit engagement teams for bank audits are comprised of sufficiently competent staff.
  24. 37. Competence is particularly important in underpinning an external auditor’s ability to exercise professional judgment and carry out key aspects of the audit, such as identifying and assessing the risks of material misstatement and designing and implementing appropriate responses to those risks.

      Use of experts

      38. In some instances, such as the auditing of certain complex accounting estimates, more specialised knowledge may be required to support the audit engagement team, eg additional expertise beyond that possessed by the audit engagement team’s members in a field other than accounting or auditing. Examples of such areas are valuation of complex financial instruments, commercial property valuations and evaluation of highly complex IT environments, particularly in areas subject to significant risks of material misstatement.

      39. Internationally accepted auditing standards set out requirements for the nature, timing and extent of audit procedures which the external auditor should perform to assess the competence, capabilities and objectivity of the experts the external auditor may use. These are important factors in considering the reliability of the information or results produced by the expert.

      Objectivity and independence

      Principle 2: The external auditor of a bank should be objective and independent in fact and appearance with respect to the bank, consistent with the more stringent requirements applicable to public interest entities in internationally accepted ethical standards.

      Objectivity
  25. 40. Objectivity is a fundamental ethical principle and a key element of audit quality. It requires that the external auditor’s judgment is not affected by conflicts of interest. As objectivity is a state of mind that in most cases cannot be directly observed by users of financial statements, it is important for the external auditor to be independent in both fact and appearance.

      Independence

      41. Independence is freedom from situations and relationships in which a reasonably informed third party would conclude that an external auditor’s objectivity is impaired. Jurisdictional and internationally accepted auditing standards and internationally accepted ethical standards lay out frameworks for external auditors to identify and respond to threats to independence.

      42. The external auditor of a bank must comply with the applicable jurisdictional and internationally accepted ethical standards. Furthermore, the Committee believes that the external auditor of a bank should comply with the more stringent independence standards for public interest entities. To the extent that any of the rules within any one of these standards on ethics is more restrictive than the corresponding rule in the other standards on ethics, the external auditor must comply with the more restrictive rule.

      43. Independence should be observed not only in the context of the bank that is being audited but also with respect to the bank’s related entities.

      44. External auditors of a bank should comply with applicable jurisdictional requirements on the rotation of members of the audit engagement team.
  26. 45. The audit engagement team members, the audit firm and, when applicable, network audit firms should comply with the independence requirements of both the home jurisdiction and the overseas regulatory authority (in the case where the bank is ultimately regulated by an overseas authority).

      46. When assessing whether any relationship or circumstance poses a threat to an external auditor’s independence, the external auditor should evaluate not just the specific rules on independence, but also the substance of the threat to independence, and how a reasonably informed third party would perceive the threat and its effect on the external auditor’s objectivity. The provision of significant non-audit services by the audit firm and, when applicable, network audit firms to the bank being audited may particularly affect a third party’s perception of the external auditor’s independence. Such situations should be carefully evaluated for threats to the external auditor’s objectivity and perceived independence.

      47. The supervisor expects the external auditor to consider actively potential threats to the auditor’s independence, specifically the threat of self-review, when discussing accounting matters with the management. For example, complex transactions may be structured to achieve a particular accounting treatment and/or regulatory outcome. When an external auditor discusses with or provides advice to management on such matters, the external auditor must exercise care so as not to take on a management role or responsibility.

      Professional scepticism

      Principle 3: The external auditor should exercise professional scepticism when planning and performing the audit of a bank, having due regard to the specific challenges in auditing a bank.
  27. 48. Professional scepticism is defined as “an attitude that includes a questioning mind, being alert to conditions which may indicate possible misstatement due to error or fraud, and a critical assessment of evidence”. Professional scepticism should manifest itself not only through the auditor obtaining corroborating evidence for management’s assertions, but also challenging management’s assertions, actively considering whether there are alternative accounting treatments that are preferable to those selected by management, and documenting the approach, the evidence obtained, the rationale applied and the conclusions reached. Throughout the audit, the auditor should “adopt a questioning approach when considering information and forming conclusions”.

      49. Exercising appropriate professional scepticism is critically important in audits of banks because of the number and significance of accounting estimates and the potential for limited objective evidence supporting those estimates. Professional scepticism is particularly important when auditing areas that:

      (a) involve significant management estimates and judgments because these are more prone to management bias;

      (b) involve significant non-recurring or unusual transactions; or

      (c) are more susceptible to fraud and errors being perpetuated due to weak internal controls.

      50. Specific areas where professional scepticism should be exercised by the external auditor of a bank include impairment calculations, fair value measurements and going concern assessments, including assessments of solvency and liquidity. Other examples may include complex transactions structured to achieve a particular accounting treatment and/or regulatory outcome by the
  28. management where the audit engagement partner has or ought to have reasonable doubt that the proposed accounting treatment and/or regulatory outcome is consistent with the relevant financial reporting framework or regulatory requirements. In this context, the external auditor should actively challenge management’s assumptions and judgments and form independent views. This includes challenging evidence obtained from management that corroborates management’s view.

      51. Where a bank consistently utilises valuations that are at the high or low end of a range of acceptable valuations or when there are other indications of possible management bias, the external auditor should consider this in the overall risk assessment of the bank and should inform those charged with governance, where appropriate.

      52. The evidence of the extent of professional scepticism exercised should be demonstrable and understandable through audit documentation that describes how, why and what conclusions were reached by the external auditor. In this regard, internationally accepted auditing standards establish minimum requirements for audit documentation.

      Quality control

      Principle 4: Audit firms undertaking bank audits should comply with the more stringent requirements on quality control applicable to listed entities in internationally accepted quality control standards, having due regard to the complexity of a bank audit.

      53. Audit firms must comply with the applicable jurisdictional and internationally accepted standards on quality control. Furthermore, the Committee believes that the external auditor of a bank should comply with the more stringent requirements on quality control
  29. applicable to listed entities in internationally accepted quality control standards. To the extent that any of the rules within any one of these quality control standards is more restrictive than a corresponding rule in the other quality control standards, the external auditor must comply with the more restrictive rule.

      54. The audit of a bank should be subject to an engagement quality control review (EQCR) performed internally by the audit firm prior to the issuance of the audit opinion. The engagement quality control reviewer should have the appropriate knowledge and competence to review bank audits. The reviewer should exercise professional scepticism in assessing the quality of audit evidence and whether the auditor’s judgments are appropriate.

      55. EQCR should be part of a broader firm-level internal system of quality control that emphasises quality and consultation and creates a culture of compliance with auditing and ethical standards.

      56. Where a network of audit firms is involved in the audit of a bank, the individual audit firms within the network should apply quality control processes that comply with this document. In such cases, the lead audit engagement partner should be responsible for the performance of a quality audit by all the teams reporting to it. In doing so, the lead partner may place reliance on the processes by which quality control is exercised within the network firms that report to it. For example, the lead audit engagement partner of a group audit may rely on the firm’s processes for

      (a) ensuring that each audit engagement team member
  30. (i) acquires the appropriate skills, knowledge and experience to perform bank audits and

      (ii) complies with independence rules, and

      (b) monitoring adherence to the audit firm’s policies and procedures on quality control.

      57. The involvement of the engagement quality control reviewer throughout the audit, and the outcome of the quality control review, should be evident in the audit working papers. Any significant discussions between the engagement quality control reviewer and the audit engagement team, particularly in areas where views may have differed and as to how conclusions were reached, should be fully documented in the audit working papers. Thus in jurisdictions where the supervisor has access to the external auditor’s working papers, the quality control review would also be at the supervisor’s disposal.

      B. Supervisory expectations of the audit of a bank’s financial statements

      Identifying and assessing significant risks of material misstatement specific to a bank’s financial statements

      Principle 5: The external auditor of a bank should identify and assess the risks of material misstatement in the bank’s financial statements, taking into consideration the complexities of banking activities and the need for banks to have a strong control environment.

      Identifying potential risks

      58. Banks are exposed to a variety of risks that can potentially affect the results of their operations or financial condition.
  31. These include, but are not limited to, credit risk, market risk, liquidity risk, operational risk and regulatory risk. New risks may emerge or the significance of each risk may change over time as a result of various factors that may be driven by changed circumstances or developments both internal and external to the bank.

      59. In designing and performing the audit of a bank, the external auditor should assess the inherent and control risk to determine the risk of material misstatements at the financial statement and assertion levels. By doing so, the external auditor gains an understanding of internal controls that are relevant to the audit, and particularly of the control environment designed by the bank.

      60. To respond to the assessed risk of material misstatement, an external auditor follows an audit strategy that includes both substantive procedures and control testing. Given the nature of bank activities, including those involving a high volume of transactions, banks implement controls designed to address risks posed to the organisation. As a result, the external auditor of a bank should perform extensive tests of controls over financial reporting to assess whether, and to what extent, the auditor can rely on them.

      Materiality

      61. An understanding of the concept of materiality and determination of materiality thresholds is needed in order to establish the audit strategy, and identify and assess whether a risk of material misstatement exists in the financial statements.

      62. The determination of what is material to the financial statements as a whole is a matter for the external auditor’s professional judgment about misstatements that could reasonably be expected to influence economic decisions of users taken on the basis of the financial statements.
  32. 63. The external auditor should exercise caution when evaluating identified misstatements. These misstatements could be an indicator of wider issues within the bank which could potentially lead to material misstatements in the financial statements as a whole. Therefore, individual misstatements should not be dismissed solely because they are below the level of materiality set for planning purposes.

      64. For individual account balances, specific classes of transactions or disclosures, internationally accepted auditing standards require the external auditor to determine a lower level of materiality for those particular account balances, classes of transactions or disclosures, if the external auditor believes that “misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to influence the economic decisions of users taken on the basis of the financial statements”. This is particularly relevant for audits of banks because certain financial statement items are used in the calculation of key metrics used by a wide range of users of the financial statements. For example, regulatory ratios such as the leverage ratio, liquidity ratio and capital adequacy ratio are calculated based on account balances in the financial statements or are derived from the financial statements.

      Assessing the risks of material misstatement

      Internal control and its components

      65. According to internationally accepted auditing standards, internal control components are the control environment, risk assessment process, information and communication systems and processes, control activities and monitoring of controls.
  33. 66. As stated in the BCBS Principles for enhancing corporate governance, a robust internal control environment is critical to the strength of a bank’s governance system and its ability to manage risk. Consequently, when obtaining an understanding of the bank’s internal control environment, the external auditor should, amongst other considerations:

      - assess the “tone at the top”, ie whether management, with the involvement of those charged with governance, is promoting a robust control environment;

      - determine whether the control environment extends to all types of operations and service offerings and encompasses all subsidiaries and branches of the banking group;

      - understand the bank’s approach to outsourcing/offshoring of business activities and functions and assess how internal control over these activities is maintained; and

      - obtain an adequate understanding of the organisation of key control functions within the bank and its subsidiaries. At a minimum, key control functions include the internal audit, risk management, compliance and other monitoring functions.

      67. Compensation arrangements at a bank may be a good indicator of the culture within the organisation because they can influence the behaviour of the bank’s personnel and the quality of corporate governance. The external auditor should pay particular attention to the risks of material misstatement in the financial statements due to fraud, particularly where banks employ compensation arrangements that may encourage excessive risk-taking or other inappropriate behaviour amongst their personnel.
  34. Control activities

      68. Internationally accepted auditing standards require the external auditor to obtain an understanding of control activities relevant to the audit which, in the auditor’s judgment, are necessary to assess the risks of material misstatement and to establish the audit strategy. The assessment of the control activities over financial reporting is critical for the design of further audit procedures responsive to assessed risks. When identifying and assessing risks of material misstatement and assessing controls, the external auditor should take account of the following factors:

      - the knowledge and competence of those in charge of financial reporting and of other control functions having an impact on financial reporting;

      - the nature of hedging strategies employed by the bank which, if complex, improperly structured or inadequately monitored, can have accounting and solvency implications;

      - the use of complex financial instruments involving significant estimates of fair value;

      - the provision of custodial services to retail and/or institutional clients and the procedures in place to avoid co-mingling of client and proprietary assets;

      - the volume of transactions by type of activity and/or presence of significant non-routine transactions;

      - the use and monitoring of internal accounts;

      - the structure and complexity of IT systems for conducting business and for facilitating efficient business and financial reporting, as they may lead to increased risk of fraud or error, particularly where there is potential for individual override of the control system or the potential for fraudulent transactions to go undetected due to the sophistication and complexity of the IT systems;
  35. - the number, scope and geographical dispersion of subsidiaries and the necessity for complex consolidation procedures;

      - the existence of significant transactions with related parties; and

      - the use of off-balance sheet financing arrangements, such as special purpose entities (SPEs) and other complex structures.

      69. Banking supervisors and those charged with governance, such as the audit committee, need to be satisfied that the internal control is commensurate with the nature, volume and complexity of the bank’s activities and is organised in accordance with regulatory and legal requirements. The internal control of a bank must be robust and reliable in order to cope with stressed environments. Significant deficiencies in internal control which have been identified by the external auditor should be communicated in writing to those charged with governance and senior management, and other deficiencies in internal control should be communicated to the senior management at an appropriate level of responsibility on a timely basis. In addition, the Committee believes that the external auditor should communicate in writing all matters that are likely to be significant to the responsibilities of those charged with governance in overseeing the strategic direction of the entity or the entity’s obligations related to accountability. Such matters may include significant decisions or actions by management that lack appropriate authorisation.

      Internal audit

      70. The internal audit function is an important element of the overall internal control environment.
  36. It provides assurance to the board of directors and senior management on the quality and effectiveness of a bank’s internal control, risk management and governance systems and processes. The work of internal auditors can help external auditors assess the quality of the internal control processes and identify risks.

      71. Whether or not the external auditor expects to use the work of a bank’s internal auditors, provided there is no reason to doubt their knowledge, competence and objectivity, the external auditor should engage with, and seek information on key internal audit findings from, the internal auditors. This may provide valuable input into the external auditor’s understanding of the entity and its environment and aid in identifying and assessing risks of material misstatement. The external auditor should consider reading relevant internal audit reports if the information obtained from engaging with the internal auditors indicates issues that may have an impact on the financial statement audit.

      72. The external auditor’s observations on and, where relevant, evaluation of a bank’s internal audit function are of particular interest to the audit committee and the bank’s supervisor given the role an effective internal audit function plays in maintaining a robust control environment in a bank.

      Responding to significant risks of material misstatement specific to a bank’s financial statements

      Principle 6: The external auditor of a bank should respond appropriately to the significant risks of material misstatement in the bank’s financial statements.

      73. Having identified and assessed the risks of material misstatement, internationally accepted auditing standards require the auditor to identify any areas where there is a significant risk of material misstatement.
  37. Paragraphs 78-98 below set out key audit areas of a bank’s financial statements, where there is often a significant risk of material misstatement.

      74. In addition to the areas set out in paragraphs 78-98, there are other items in a bank’s financial statements whose regulatory treatment could give rise to incentives for management bias in the recognition or measurement of such items. As a consequence, there is a greater risk of material misstatement of these items in the financial statements. This may lead to inappropriate application of regulatory rules to these items and a material misstatement of the bank’s capital position. Examples of such items are deferred tax assets, investments in unconsolidated entities, pension fund assets, and the classification of financial instruments. External auditors should therefore be alert to any likelihood that the treatment of such items in the financial statements is influenced by management bias towards a desired regulatory outcome and consider this in their risk assessment of the bank. External auditors should also be aware that management bias may change over time depending on, for example, the extent to which the bank is able to meet its regulatory requirements. External auditors should evaluate estimates which may be subject to this bias, and any potential audit differences otherwise identified, in the context of the impact on regulatory capital or regulatory capital ratios, consistent with paragraph 64.

      75. Areas of significant risk of material misstatement particularly require an external auditor to apply professional judgment and experience. Internationally accepted auditing standards require that the external auditor obtain sufficient appropriate audit evidence regarding the
  38. assessed risks of material misstatement, through designing and implementing appropriate responses to those risks.

      76. Internationally accepted auditing standards require special audit consideration for areas where significant risks of material misstatement are identified. Given that these areas are associated with issues that the external auditor identifies as highly important for the bank, these areas are worthy of discussion with those charged with governance.

      77. As the categories of what may be a significant risk for a bank may change over time, the list of audit areas provided in paragraphs 78-98 of this document as areas where there is often a significant risk of material misstatement is not intended to be comprehensive.

      Loan loss provisioning

      78. Loan loss provisioning is generally material for a bank’s financial statements and the calculation of capital and key performance metrics. The measurement of loan loss provisions in accordance with internationally accepted accounting principles involves complex judgments about credit risk which may be subjective in nature.

      79. The factors that the external auditor needs to consider in identifying and assessing the significant risks of material misstatement in relation to loan loss provisioning and the related allowance for loan losses include:

      (a) The estimation techniques used to compute provisions and how the techniques vary among and within banks.

      (b) How management has assessed the effect of estimation uncertainty on the level of provisioning, and the effect such uncertainty may have on the appropriateness of the recognised provision and the sufficiency of the related allowance for loan losses in the financial statements.
  39. (c) All known and relevant impairment indicators for loan exposures which include previously unexpected adverse developments in the market or economic environment, adverse movement in interest rates, restructuring, inadequate underwriting policies adopted by the bank, overdue payments, failure of the borrower to meet budgeted revenues or net income, covenant breaches and forbearance.

      (d) Whether the bank has sought perspectives and data from different functions within the bank, including risk management, credit and internal audit, as well as reliable sources external to the bank, including peer data and regulator perspectives so as to consider all relevant and available information in assessing impairment.

      (e) Accounting rules for provisioning may differ from the provisioning rules that apply for regulatory reporting or capital purposes. It may therefore be customary for banks to have different processes and systems to generate loan loss provisions for accounting purposes and for regulatory purposes. Further, there can be material differences in the application of the same set of accounting and/or regulatory rules by individual banks. Large differences between provisions for accounting purposes and for regulatory purposes may indicate a risk of material misstatement of the accounting provision. In addition, whilst for regulatory capital purposes under the Basel framework the accounting loan loss provision for internal ratings-based approach (IRB) portfolios is replaced by the regulatory expected loss provision, the level of the accounting provision may nevertheless have an impact on the level or the composition of regulatory capital, due to the treatment of the tax effect of provisions and the allocation of any excess provision to capital tiers. External auditors should be alert to any management bias in this area.
  40. (f) Disclosures should enable users to assess the loan loss provisioning methodology applied by the bank, regarding how it relates to credit risk for that bank, and how it compares with methodologies applied across the banking sector.

      Financial instruments measured at fair value

      80. A bank’s portfolio of financial instruments measured at fair value can range from “plain vanilla” financial instruments which are frequently traded in liquid markets with observable market prices, and involve less measurement uncertainty, to those which are customised, complex, and where the valuation is based on significant unobservable inputs with a substantial amount of management judgment. Financial instruments measured at fair value also include financial instruments that are subject to an impairment assessment which is a key area of judgment.

      81. Where there are changes in the composition of a bank’s portfolio of financial instruments – whether due to changes in customer demand, the bank’s approach to managing risk and liquidity, or changes in prudential regulation – the bank will need to evaluate any accounting implications of the changes.

      82. Accounting standards contain requirements on recognition; initial and subsequent measurement (including impairment); reclassification from fair value to amortised cost; presentation; and disclosures. Because these requirements are complex, they may be difficult to interpret and apply, and therefore the external auditor often needs to utilise more complex and wider-ranging audit procedures to obtain sufficient appropriate audit evidence to satisfy him/herself that the financial statements are not materially misstated. The classification of an individual financial instrument may be particularly important for achieving a favourable regulatory outcome.
  41. 83. In adopting a sceptical approach to management’s assumptions regarding the valuation of financial instruments for which there are significant unobservable inputs, IAPN 1000, Special considerations in auditing financial instruments, sets out specific audit procedures that may be followed in auditing financial instruments measured at fair value.

      Liabilities including contingent liabilities arising from non-compliance with laws and regulations, and contractual breaches

      84. Non-compliance with, or material breaches of, the prudential framework, conduct requirements, legal requirements or contractual agreements could lead to legal or supervisory actions against a bank, thereby exposing the bank to potential litigation and/or the imposition of substantial penalties. Such events may require recognition of provisions, contingent liabilities and/or qualitative disclosures in the bank’s financial statements. Further, any adverse impact on the bank’s reputation resulting from this non-compliance could have consequences for the bank’s going concern assessment.

      85. In the course of the audit, the external auditor should remain alert to actual or suspected breaches of prudential regulations, particularly those that are likely to be of material significance to the functions of the supervisor. As noted in Section 6 below, if the external auditor identifies any such breaches of material significance, the auditor should notify the supervisor immediately.

      Disclosures

      86. A number of factors have contributed to an increased demand from users for more relevant and extensive qualitative and quantitative disclosures.
  42. These include the increased complexity of business transactions, including off-balance sheet transactions and non-recognition of assets and liabilities, and increased use of fair value and other accounting estimates, with significant uncertainties and changes in measurement attributes.
      87. While accounting standards specify disclosure objectives, the standards may not always prescribe in all circumstances specific disclosures to meet those objectives.
      Therefore, there may be a substantial amount of judgment in assessing whether disclosures are presented fairly in accordance with the disclosure objectives in the relevant accounting framework.
      88. Increased transparency through fairly presented public disclosures enhances market confidence.
      It is therefore important that the bank provide disclosures which present the bank's financial condition, the risks to which it is exposed and how they are managed, and are meaningful and responsive to changes in market conditions and perceived risks.
      89. In responding to the significant risks in this area of audit, the external auditor has an important role to play in encouraging consistent and meaningful disclosures which present the bank's financial condition in a way that is informative and understandable to users of financial statements.
      90. In the course of its audit work, the external auditor should be alert to any indications that disclosures in financial statements are not consistent with the bank's prudential information such as capital adequacy and liquidity position disclosures within the financial statements.
      Going concern assessment
      91. A going concern gives rise to two separate issues:
  43. (a) whether the going concern basis of preparation of financial statements is appropriate; and
      (b) the external auditor's evaluation of the bank's assessment of its ability to continue to meet its obligations for the foreseeable future (for at least 12 months after the date of the financial statements) and whether there are material uncertainties in this regard that should be disclosed in the applicable accounting framework.
      92. The work the external auditor performs to assess the going concern status of a bank is different from that likely to be performed for a non-bank entity because of the contractual terms of bank assets and liabilities (maturity mismatch), the potential for regulatory intervention, and the impact that the signalling of any uncertainty over the bank's ability to continue as a going concern could have on the short-term viability of the bank.
      93. Examples of reasons that make the going concern assessment of a bank unique are as follows:
      (a) Current emerging risks and concerns specific to the bank or the banking industry as a whole may have an impact on the historical trends for the specific bank in such a manner that the historical trends may not reflect the likely trend over the next year.
      For example, during periods of market turmoil, normal sources of funding may no longer be available, as deposits payable on demand may run off more quickly than historical experience would contemplate and such deposits may be difficult to replace.
      (b) As banks are highly leveraged, a small change in asset valuation may have a substantial impact on the adequacy of a bank's regulatory capital.
      Market risks may be such that financial instruments held at fair value may be subject to substantial changes in value in the short term and significant volatility over the longer term.
      A decrease in regulatory capital may result in a downgrade by rating agencies making funding more expensive and possibly harder to obtain.
  44. 94. Given these and other risks, banks are required to meet liquidity requirements and capital ratios set by the bank supervisory authority.
      There should be equal emphasis on the evaluation of liquidity and solvency of the bank for the period over which the going concern assumption has been assessed:
      (a) Liquidity: Factors to assess include the reasonableness and reliability of the cash forecast for at least 12 months after the date of the financial statements, liquidity risk disclosures, regulatory or contractual restrictions on cash, loan covenants, and pension funding.
      (b) Solvency: Given the potential adverse impact of capital adequacy concerns on the confidence in a bank and, as a consequence, on the bank operating as a going concern, the external auditor will need to consider the robustness of the bank's system for managing capital.
      In addition, the external auditor will need to consider the capital position in relation to the current and any known future capital requirements, definitions of capital resources, and challenges of raising capital.
      This is particularly critical where capital levels are strained, access to capital resources is restricted or where, for example, the bank's annual report or internal capital projections include ambitious projections of improvements in capital levels.
      95. In responding to the significant risks in this area of audit, and assessing management's assertion that a bank is a going concern, factors which are necessary to consider are:
      (a) the robustness of the bank's own systems and controls for managing liquidity, capital and market risk;
      (b) the prudential information that is reported to supervisors covering the bank's solvency and capital;
      (c) any external indicators that reveal liquidity or funding concerns; and
  45. (d) the availability of short-term liquidity support.
      96. Given the above risks and the possible systemic implications, if there are any significant doubts which may cause material uncertainty over the bank's ability to continue as a going concern, and if the external auditor considers referring to the going concern issue in the audit report, the external auditor should promptly communicate this fact to the supervisors.
      Securitisations – SPEs
      97. The banking sector is involved in activities such as sponsoring (or originating) structured products/transactions that support maturity, credit and liquidity transformation risks more often than other industry sectors.
      The sponsoring bank does not ordinarily fund such activities.
      The funding is generally provided by other parties.
      However, the sponsoring bank may be exposed to risks such as reputational risk in the event of the sponsored entity encountering financial or operational difficulties.
      98. Such activities require special consideration by the external auditor and are of interest to the supervisor for the following reasons:
      (a) Accounting concern – Accounting frameworks are often principles-based, which may result in different treatments of each of these complex transactions.
      In addition, because these are highly structured products, their accounting treatment may vary based on the facts and circumstances of each transaction, eg where SPEs are tailored to remain off the bank's balance sheet.
  46. In these instances, it is necessary for the auditor to evaluate the judgments made by the management and consider whether the accounting treatment is appropriate and the disclosures are sufficient.
      (b) Regulatory concern – Because of the complexity of the securitisation and the chain of financial intermediation, the sponsoring bank in an "originate to distribute" model may underestimate the real risk transferred or the risk retained on its balance sheet (including reputation risk and conflicts of interest in case of defaults on the securitised assets).
      Even so, the originator may be able to benefit from an off-balance sheet treatment for the assets underlying these transactions and hence may not be required to hold additional regulatory capital unless specifically required by the supervisor.
      The external auditor should be alert to when the supervisor requires additional capital even though the off-balance sheet accounting treatment applied by the bank is appropriate.
      (c) Interconnectivity – Increases the correlation between banks and other non-banking sectors, which can add to the global systemic risk.
      5. Supervisory expectations with regard to a bank's audit committee and its relationship with the external auditor
      99. The BCBS's paper on the Internal audit function in banks (June 2012) and its paper on Principles for enhancing corporate governance (October 2010) describe the main responsibilities of a bank's audit committee.
      The audit committee has, amongst others, a number of responsibilities with respect to the external auditor and the statutory audit.
      The audit committee approves, or recommends to the board of directors for approval, the appointment, reappointment, dismissal and compensation of the external auditor.
      The audit committee also monitors and assesses the independence of the external auditor.
  47. 100. The audit committee oversees the bank's statutory audit process.
      Key aspects of the audit committee's work encompass the assessment of the effectiveness of the external audit process.
      The audit committee should require that senior management take the necessary corrective actions to address the findings and recommendations of the external auditor in a timely manner.
      101. The discussion below focuses on the audit committee's responsibilities in relation to the oversight of, and its relationship with, the external auditor to promote and support the integrity, objectivity and independence of the auditor, the quality of the external audit and the competencies that underpin that quality.
      To enable the audit committee to carry out its oversight responsibilities, which also contribute to the effectiveness of the audit process, the principles in this section promote effective two-way communication between the audit committee and the external auditor.
      It is important to note that all the discussions below stem from an important overarching principle: namely, that there should be a frank, open working relationship and a high level of mutual respect amongst all parties involved.
      102. The principles and explanatory guidance in this section form the basis for the supervisor's monitoring of the effectiveness of the audit committee in its oversight of the external auditor.
      Appointment of the external auditor
      Principle 7: The audit committee should have a robust process for approving, or recommending for approval, the appointment, reappointment, removal and remuneration of the external auditor.
      103. The audit committee has the primary responsibility for approving, or recommending to the board of directors for approval, the appointment, reappointment, removal and remuneration of the external auditor.
  48. In doing so, the audit committee should determine appropriate criteria for selecting the external auditor and regularly assess the knowledge, competence, independence (see Principle 8 below) of the external auditor and effectiveness (see Principle 9 below) of the external audit, having due regard to the guidance in Section 4.
      104. The audit committee's procedures for approving or recommending the approval of the external auditor should also include a risk assessment of the likelihood of the withdrawal of the external auditor from the audit, and how the bank would respond to that risk.
      105. The audit committee should contribute a section to the bank's annual report which explains the approach taken regarding the recommendation of the appointment or reappointment of the external auditor, and should include supporting information on the tenure of the incumbent auditor.
      106. If the board of directors has approval responsibilities with respect to the external auditor, but does not accept the audit committee's recommendation, it should include in the annual report, and in any papers relating to the appointment/reappointment/dismissal of the external auditor, a statement explaining the audit committee's recommendation and the reasons why the board of directors has taken a different position.
      107. The audit committee should assess the overall quality of the external auditor, prior to its first appointment and at least annually thereafter.
      To that end, the audit committee should request that the external auditor report on the external auditor's own internal quality control procedures, including the audit firm's EQCR process, and any significant matters of concern arising from these procedures.
      The audit committee should also consider, where available, the external audit firm's annual transparency report and any inspection reports on the audit firm issued by the relevant oversight body.
  49. 108. The audit committee should maintain an understanding and knowledge of:
      - the structure and governance of the audit firm;
      - the current nature of the audit environment, including any overseas jurisdictions where the bank operates;
      - significant issues and concerns raised by the relevant audit oversight body regarding the audit firm, and the auditor's action in addressing these concerns, to understand how these shortcomings may affect the quality of the audit of the bank;
      - the nature of banking regulatory actions and conditions that could have an impact on the external auditor's work on the bank, including any regulatory actions and conditions specific to the bank being audited, or to actions and conditions that the supervisor is imposing on all banks (for example, through newly implemented regulations and policies); and
      - public lessons learned from any recent external audit failures associated with the bank's audit firm and how the firm has dealt with them so that similar deficiencies do not occur.
      109. The audit committee should also satisfy itself that the level of the audit fees is commensurate with the scope of work undertaken.
      Where fee reductions are offered and accepted, the audit committee should seek assurance that these reductions do not imply an inappropriate increase in the materiality level to be applied by the external auditor, or a narrowing of the external auditor's proposed scope of the audit, or a reduction in the attention which will be given to each business component and the significant audit risks identified.
      110. The audit committee should discuss and agree to the terms of the engagement letter issued by the external auditor prior to the approval of the engagement.
  50. Where relevant, the audit committee should agree to an engagement letter that has been updated to reflect changes in circumstances, such as those arising from changes in legal requirements and changes in the scope of the external auditor's work as a result of revisions to internationally accepted auditing standards which have arisen since the previous year.
      111. If the external auditor resigns or communicates an intention to resign, the audit committee should follow up on the reasons/explanations giving rise to such resignation and consider whether the audit committee needs to take any action in response to those reasons.
      Independence of the external auditors
      Principle 8: The audit committee should monitor and assess the independence of the external auditor.
      112. The independence of the external auditor is one of the main prerequisites for an adequate level of audit quality.
      As such, the audit committee should understand the applicable independence requirements.
      The audit committee should have procedures to monitor and assess the independence of the external auditor at least annually, taking into consideration relevant national laws, regulations and professional requirements.
      The assessment should also involve a consideration of all relationships between the bank and the audit firm (including the provision of non-audit services) and any safeguards established by the external auditor.
      113. Where the audit firm has been the external auditor of the bank for many years, there may be a perception that there is a familiarity or self-interest threat to the external auditor's objectivity and independence in its audit of the bank.
  51. However, when the bank changes its external auditor, there is a risk that the depth of understanding of the bank and its activities and systems will be lost.
      This may affect the new external auditor's ability to identify risks of material financial statement misstatements and respond to them appropriately, and hence may detract from the quality of the audit.
      114. Audit committees should have a policy in place that stipulates the frequency with which there should be a tender for the external audit contract.
      The policy should also call for the audit committee to consider periodically whether there should be a limit to the length of an external auditor's tenure as the bank's external auditor given the potential impact of audit firm rotation on independence and audit quality.
      115. Audit committees should understand the audit firm's policy on rotation of members of the audit engagement team and the audit firm's compliance with any jurisdictional or other local regulatory requirements in this regard.
      116. As described in Principle 2, the audit committee should seek assurance that the audit engagement team members and their firm and, when applicable, the network external auditors have no financial, personal, business or other relationships with the bank which could adversely affect the auditor's actual or perceived independence and objectivity.
      The audit committee should seek from the external auditor, at least on an annual basis, information about the audit firm's policies and processes for maintaining independence and monitoring compliance with the relevant independence requirements.
      117. Audit committees of banks should develop a formal policy which governs the acceptance of non-audit services provided by the auditor.
  52. Amongst other provisions, the policy should include criteria for the types of non-audit services that the external auditor may provide or is prohibited from providing, and rules stipulating when advance approval by the audit committee is required for the auditor's performance of non-audit services.
      The policy should be reviewed periodically and compliance should be monitored, taking into account the contents of Section 4 of this document.
      118. Where non-audit services are provided by the external auditor, the audit committee should monitor and establish that the provision of such services does not impair the external auditor's objectivity and independence, taking into consideration various factors including the skills and experience of the external auditor, safeguards in place to mitigate any threat to objectivity and independence, and the nature of and arrangements for non-audit fees.
      119. Where the external auditor provides non-audit services to the bank, the bank's annual report should explain to shareholders the nature of and the fee arrangements for the non-audit services received, and how auditor independence is safeguarded.
      Effectiveness of the external audit
      Principle 9: The audit committee should monitor and assess the effectiveness of the external audit.
      120. At the start of each audit, the audit committee should consider whether the audit approach is appropriate, including considerations on the audit scope, the level of materiality, areas of focus and whether planned audit procedures address the areas of significant risk for the bank, in particular those areas described in Section 4 of this document.
      121. The audit committee should consider whether the proposed resources to execute the audit plan are reasonable given the scope of the audit engagement, the nature and complexity of the bank's operations, and its structure and activities.
  53. The audit committee should understand the nature and extent of audit work that the external auditor intends to rely upon where the audit work is performed by network firm personnel or other audit firms.
      122. The audit committee should obtain confirmation from the external auditor that there is adequate knowledge, competence and expertise within the audit engagement team and that the audit will be conducted in compliance with internationally accepted auditing standards, as well as any applicable laws and regulations.
      123. The audit committee should discuss with the external auditor the findings of the latter's work.
      In the course of its monitoring, the audit committee should:
      - Obtain an understanding of the external auditor's view on any major issues that arose during the audit (including those issues that were subsequently resolved as well as those that have been left unresolved), in particular the external auditor's explanation of the significant judgments the audit engagement team made and the conclusions it reached.
      This should include the discussions with management and the judgments involved, the range of possible outcomes and, where available, a comparison of the bank's position with that of its peer group (on an anonymous basis), including a comparison with previous periods on such major issues;
      - Obtain an understanding of the rationale behind the final conclusions drawn by the audit engagement partner on significant accounting and auditing matters, particularly in those circumstances where the audit engagement partner's conclusions differed from those of the engagement quality control reviewer; and
      - Review the nature and levels of misstatements identified during the audit, obtaining explanations from management and, where necessary, the external auditor as to why certain errors might remain unadjusted.
  54. 124. The audit committee should also discuss with the external auditor the audit representation letters before signature by the board of directors/senior management and give particular consideration to matters where specific representation has been requested.
      The audit committee should consider whether the information provided on each of the items in the representation letters is complete and appropriate based on its own knowledge.
      125. As part of the ongoing monitoring process, the audit committee should discuss with the auditor the management letter (or equivalent) and any other audit-related reports provided to the bank.
      In particular, the audit committee should discuss with the external auditor any significant deficiencies identified in the bank's control environment and in its internal control over financial reporting.
      126. At the end of the audit engagement period, the audit committee should:
      - consider whether the audit firm has followed its audit plan and understand the reasons for any changes, including changes in perceived audit risks and the work undertaken by the external auditor to address those risks;
      - obtain feedback about the conduct of the audit from key bank personnel involved, eg the heads of finance and internal audit; and
      - report to the board of directors on the effectiveness of the external audit process.
      127. The audit committee should seek to obtain information from the external auditor on the main findings of audit quality reviews of the bank's audit and the audit firm's quality control systems by audit oversight bodies.
  55. Relationship between the audit committee and the external auditor
      Principle 10: The audit committee should have effective communication with the external auditor to enable the audit committee to carry out its oversight responsibilities and to enhance the quality of the audit.
      128. The foundation for an effective relationship is regular, timely, open and honest communication between the audit committee and the external auditor.
      Regular dialogue between the two parties should be held throughout the reporting cycle of the bank.
      129. While both cooperation and challenges are needed between the external auditor and the audit committee for the external audit to be effective, the need for cooperation should never prevent robust challenges from being made when needed.
      Such challenges are a key responsibility of the audit committee and are part of the productive dialogue on key judgments that can result in stronger and deeper understanding of and views on the positions of all parties.
      130. In order to reinforce the audit committee's effectiveness and enhance the quality of the audit, the audit committee should consider inviting the external auditor to attend audit committee meetings (except when discussing matters in relation to the assessment of the external auditor), even if there are no items explicitly relevant to the external audit on the agenda.
      The external auditor's attendance should facilitate the exchange of views on business performance, risk and other topics.
      Further, to enhance audit quality, the audit committee should consider, if necessary, assisting the external auditor to gain access to any other committee meetings that the external auditor determines to be relevant for the auditor's work.
  56. 131. The audit committee should have the right and authority to meet regularly – in the absence of executive management – with the external auditor.
      This will enable the audit committee to understand and discuss all issues that may have arisen between the external auditor and bank management in the course of the external audit and how these issues have been resolved.
      In addition, these meetings should address any other matters that the external auditor believes the audit committee should be aware of in order to exercise its responsibilities.
      132. The audit committee should discuss with the auditor any matters arising from the statutory audit that may have an impact on regulatory capital or disclosures.
      This may include discussion of the interaction between the accounting information and the regulatory information, eg accounting impairment charges versus regulatory expected losses, or the consistency of the bank's Pillar 3 reporting with its annual report.
      133. The audit committee should discuss with the external auditor any significant issues identified in the course of the audit, in particular in areas which could be relevant to future financial statements, to promote early discussion and planning.
      This includes upcoming changes in accounting standards or regulations and the consequences of material transactions.
      134. The audit committee should also communicate to the external auditor matters that are likely to be of significant influence on the conduct of the statutory audit.
      Such matters may encompass subjects that the audit committee believes warrant particular attention, significant communications with the supervisor, or other matters that the audit committee considers may influence the audit of the financial statements.
  57. Reporting by the external auditor to the audit committee
      Principle 11: The audit committee should require the external auditor to report to it on all relevant matters to enable the audit committee to carry out its oversight responsibilities.
      135. In some jurisdictions, as part of the statutory audit, the auditors are also required by law or regulations to express an opinion on the control environment of the bank and provide additional reporting of matters identified accordingly.
      The explanatory guidance in the following paragraphs only covers reporting to the audit committee that may be required in the context of the financial statement audit.
      136. The audit committee should expect the external auditor to communicate promptly to the audit committee any significant audit findings noted in the course of the audit and any significant problems encountered in carrying out the audit.
      137. Upon completion of the audit work, the external auditor should report to the audit committee on the outcome of the audit in writing.
      The contents of these written reports should be aligned with the requirements set by internationally accepted auditing standards for matters to be communicated to those charged with governance, the recommendations made in this document, and any additional requirements under applicable laws and regulations.
      138. In addition to the above, where not already covered by the recommendations in other parts of this document and the relevant auditing standards, the audit committee should request that the external auditor report to it in writing on other significant matters, including the following:
      - Key areas of significant risk of material misstatement in the financial statements, in particular on critical accounting estimates or areas of measurement uncertainty (eg loan loss provisioning and valuation
  58. uncertainties), including potential valuation bias and consequential effects on earnings, compensation structures and regulatory ratios.
      - Areas of significant management and auditor judgment, including judgments pertaining to the recognition, de-recognition, measurement or disclosure of relevant items within the financial statements and, where relevant, judgments about material uncertainties that may cast doubt on an entity's ability to continue as a going concern (including consideration of liquidity/funding issues of the entity).
      - Outsourcing of key external audit work (eg with respect to audits of subsidiaries) to another audit firm or use of external experts to assist with the external audit.
      - Significant internal control deficiencies identified in the course of the statutory audit.
      - Matters that are likely to be significant to the responsibilities of those charged with governance in overseeing the strategic direction of the entity or the entity's obligations related to accountability.
      - Areas of financial statement disclosures, for the bank itself and relative to its peers, which the auditor believes could be improved, including the results of discussions with management.
      139. For the purposes of complying with the requirements of internationally accepted auditing standards, where significant matters are communicated to the audit committee, the external auditor should also determine if these matters need to be communicated to the board of directors.
      6. The relationship between the supervisor and the external auditor
      140. This section sets out the principles that promote effective relationships that will enable regular communication of mutually useful information in the context of a statutory audit between:
  59. - the supervisor and the external auditor at the supervised bank level, regardless of whether the communication is mandatory (Subsection A – Principles 12 and 13); and
      - the banking supervisory authority and the audit firm, and the accounting profession as a whole that is not specific to an individual bank (Subsection B – Principle 14).
      141. The key objective of having effective relationships between the parties referred to above is to enhance the effectiveness of the supervision of the banking sector.
      This relationship will then also contribute to the quality of external audits.
      142. An effective relationship should enable each party to carry out its respective statutory responsibilities while not implying that either party is responsible for or should or can perform the statutory responsibilities of the other party.
      A. Effective relationship at the supervised bank level
      143. The external auditor can provide the supervisor with valuable insight into various aspects of a bank's operations and management's attitude to the application of key accounting policies, judgments and models adopted.
      Conversely, the external auditor may obtain helpful insights from information originating from the supervisor where the supervisor provides an independent assessment in areas significant to the external audit and may focus attention on specific areas of supervisory concerns.
      In certain jurisdictions, the supervisor may also request the external auditor to perform specific assignments that go beyond the statutory audit work of the auditor.
      Principle 12: The supervisor and the external auditor should have an effective relationship that includes appropriate communication channels
  60. for the exchange of information relevant to carrying out their respective statutory responsibilities.
      144. Supervisors and external auditors should have an open and constructive relationship, with confidence in each other that information exchanged will be treated appropriately and confidentially.
      145. For an effective relationship to exist, the engagement between the supervisor and the external auditor should involve individuals who are knowledgeable, informed and empowered by their respective organisations to exchange information.
      146. The supervisor may benefit from the results of the external auditor's work because in many respects the two parties have complementary concerns regarding the same matters although the focus of their concerns is different.
      Similarly, the external auditor may benefit from insights that the supervisor can communicate.
      However, in order to discharge their respective statutory responsibilities, each party should not use the work of the other as a substitute for its own work and the supervised entity should remain the main source of information for their respective work.
      147. The terms, nature and scope of this relationship can be determined in individual jurisdictions and should be clear to both the supervisor and the external auditor – for example, through guidance issued by the banking supervisory authority.
      Access to communication with the bank
      148. The external auditor's work gives rise to the auditor's report on the annual/consolidated financial statements which is often used for prudential supervisory purposes.
      When performing a financial statement audit in accordance with internationally accepted auditing standards, the external auditor
