Deloitte would expect the communications to be reciprocal. Deloitte propose that the objective of the guidelines be extended to include ‘the facilitation of the tasks of supervision and audit of credit institutions by competent authorities and auditors respectively through the promotion of effective communication between them.’
The CP refers to ‘the auditor or group auditor of a credit institution at the individual or consolidated levels’ (2.2 paragraph 8) but it is not clear how this would work in practice. More clarity around parent/subsidiary discussions is needed, particularly where groups extend beyond the EU. For example, can the auditor of an EU credit institution parent company share insights provided by the supervisor with the audit team of a non-EU credit institution subsidiary? Can the auditor of an EU-based subsidiary company share information gained from bilateral meetings with supervisors with those auditing the non-EU Head Office? Similarly, confidentiality obligations may affect the information the auditors of groups within and beyond the EU can share with the EU supervisors.
Yes, we believe that an effective date of later this year is appropriate. From the initial introduction of the guidelines it may take time for the first meetings to be held, particularly if participants plan to meet at a particular point in the audit cycle (such as the planning phase).
The framework appears appropriate and is generally clear. It is our understanding that the guidelines are intended principally to support meetings in person but this could be clarified.
It is helpful that 4.1 paragraph 14 states that the communication should be ‘open and constructive, as well as adaptable to unexpected developments.’ To support the evolution of conversations over time, it may be useful to state that the list of issues in Annex 1 are indicative rather than comprehensive.
Paragraph 16 refers to mutual understanding and building trust. These qualities, along with the ‘open and constructive’ expectation in paragraph 14, will be key to successful conversations. We see scope for the paper to address in more detail how this trust could be cultivated (or indeed undermined). Paragraph 19 states that information shared ‘must remain confidential’ and Deloitte welcomes this. The guidelines are silent on consequences where confidentiality has been breached.
The consultation paper defines ‘in-depth communication’ as ‘communication held on a more regular, formalised and documented basis’ (2.4 paragraph 11). We would observe that open sharing of information successfully occurs in meetings which are neither formal nor documented. Accordingly, we do not consider documentation to be a key component of the auditor-supervisor relationship. Nevertheless Deloitte recognises that a shared record of some oral communications may be useful, and the response provided below to question 7 expands on this.
The definitions of ‘knowledgeable individual’ and ‘informed individual’ are potentially confusing as they are similar but not identical. We understand that the knowledge, skills and experience indicated at the definitions will be relevant to the communications but question whether it is necessary to have these two separate terms.
We agree that the approach should be proportionate (as stated at section 4.1 paragraph 21).
At paragraph 21 the draft guidelines refer to ‘the credit institutions’ size, internal organisation and nature, scope and complexity or their activities’. Implicit in this is that the approach should be proportionate to the risks posed to domestic or global financial stability; this could be stated explicitly.
To support the application of a proportionate approach supervisors should communicate to auditors those credit institutions which are regarded as posing a systemic threat or are a focus for some other reason (paragraphs 22-23).
See our key points above. The draft guidelines are ambiguous, as ‘information shared’ could be interpreted as topics to be discussed or topics on which extensive written materials are expected to be shared. Our understanding is that the former is intended, and we recommend that this is made clearer. We note that some of the information should already be available to supervisors (for example from management) and it is not clear why they would need to be included in the scope of these guidelines as information that the auditor would be expected to provide. The themes identified in 4.2.1 are appropriate areas for discussion, but auditors should not be obliged to provide written materials on them. Further detail on this is provided below (paragraphs 20-22).
Paragraph 30c of the draft guidelines states that relevant information would include the ability of the credit institution to continue as a going concern. This is a key topic. As such, it is already subject to disclosure requirements under company law, corporate governance codes and audit and accounting standards. Deloitte agrees that going concern should form part of the dialogue between supervisors and auditors. We do not believe this prompts an additional requirement for auditors to supply written information to supervisors on the subject.
Paragraph 30d proposes the provision of information on the audit approach. This is covered by International Standard on Auditing (ISA) 260 Communication with those charged with governance, and we believe such communication will meet the requirements of the supervisors. We would not expect to provide additional written documentation. Indeed, the matters set out in ISA 260 Paragraph 16 and Appendix 2: Qualitative Aspects of Accounting Practices could be referred to in the guidelines as suitable topics for auditors and supervisors to consider in their communications.
Paragraph 30e of the consultation paper refers to ‘Financial statements, assets and liabilities valuation and disclosures’. Whilst this is an important topic for auditors and supervisors to discuss, it is neither desirable nor necessary for the auditor to provide written information on these to the supervisor, as the preparation and ownership of financial statement related data must remain with management.
As statutory audit reports are in the public domain once published, there should be no need for supervisors to obtain these under the guidelines. If the intention is that auditors discuss the proposed audit report (which will be subject to change where the audit is not completed) this could be clearer. We suggest that, if the discussions are likely to take place before the statutory audit report and the related report to the audit committee (referred to in Article 11 of the Audit Regulation for the statutory audit of PIEs) are issued, the references to audit reports in paragraph 30f should be revised to refer to ‘the form and content of the proposed auditor’s reports’.
Under Principle 3, we suggest an additional paragraph be included making it explicit that auditors should be given access to all regulatory reports and related regulatory communications. Whilst ISA 250 Consideration of laws and regulations in an audit of financial statements paragraph 14 currently requires that auditors inspect correspondence with the relevant licensing and regulatory authorities and ISA 210, Agreeing the terms of audit engagements paragraph 6 requires management to provide auditors with all information that auditors require for the purpose of the audit, it can be difficult in practice for auditors to ascertain whether the information with which they have been provided, is complete.
The order of relevant information in paragraphs 30 and 33 is different, even when the topics are identical. Reordering would make both the similarities and differences clearer.
Deloitte especially welcomes the proposal to share the results of thematic and peer reviews across the industry (paragraph 34). Supervisory authorities are well placed to gain insights that can inform the audit approach including highlighting normal practices and outliers, for example in relation to financial instrument valuation or credit provisioning processes.
The explanatory text for principle 4 appears appropriate. We are unclear what is meant by ‘reports prepared by the auditor’ and ‘auditors’ reports’ in paragraphs 35 and 36. We assume this is intended to capture the statutory audit report and reports prepared for the audit committee but this could be clearer.
We also note that written communications can take time to prepare, slowing the communication of issues to the regulator. It is impractical for supervisors to ask for written reports from auditors during reporting phases of audits, since auditors’ focus will be on completing the audit.
We also note that the preparation of reports will require additional time and additional cost will be incurred. Depending on the frequency and volume, this may not be inconsequential. This does not appear to have been considered in the cost benefit analysis later in the document.
Given the potential importance and sensitivity of these communications, we would expect the lead audit partner to be the point of contact in almost all cases. Accordingly, we suggest that paragraph 39 be worded as follows.
‘In exceptional circumstances where the lead audit partner is unavailable and the communication occurs between individuals other than the supervisory team leader and the lead audit partner, both the supervisory team leader and the lead audit partner should be informed by their respective parties about the issues discussed and the outcome of such communication without undue delay.’
We further suggest that the definition of ‘Empowered individual’ at 2.4, page 14 should be clarified to mean that, in the context of audit networks, only signing partners and other “Responsible Individuals” would be considered to be empowered.
Our comments under Question 3 on the defined terms ‘knowledgeable individual’ and ‘Informed individual’ are also relevant to this question.
It will be important that it is clear to both parties whom they should contact if their usual contacts are unavailable, in the event that urgent matters arise. A statement to this effect should be added to section 4.2.3, ‘Participants in the communication’.
At paragraph 42 the draft guidelines propose that authorities ‘may invite other relevant authorities (such as those responsible for the supervision of financial markets or for the public oversight of auditors) to the meetings with the auditors’. The communications between the auditor and supervisor on a specific credit institution are important and confidential; it would not enhance their value to extend the scope of the meetings to include an audit regulation component. Audit oversight is an important but different area of focus which does not directly relate to prudential supervision, and it should be dealt with separately. Accordingly, the wording should be revised to remove the reference to such authorities.
There may be circumstances where resolution authorities should be invited to the meetings on specific credit institutions, and resolution authorities could be specifically mentioned in the guidelines.
To the extent that a written record of oral communications is deemed necessary, it may be useful to establish a process to prepare this and obtain mutual agreement on the record of the meeting. It could be the supervisor’s responsibility to prepare a draft which the auditor can then review.
Yes. The draft guidelines include sufficient flexibility for meetings to be scheduled when necessary. There will be a link between the number of meetings and the additional costs associated with the increased level of communication. The proportionate approach is relevant here – the size of the institution and the risk it poses to financial stability will influence the frequency of meetings.
Given the likely thematic content of the collective communications, we are content with the wide range of participants proposed at paragraph 52, and agree that the audit regulators should be invited as necessary.
The collective conversations outlined at section 4.3 of the draft guidelines could be structured in a number of ways, including within a jurisdiction, through the European Central Bank or by the European Banking Authority. It would be useful if the EBA were to provide more information on what is envisaged.
Deloitte is a member of the six major audit networks’ Global Public Policy Committee (GPPC). Mark Rhys co-chairs the GPPC’s Bank Working Group and would be happy to assist in establishing future collective communication if this would be useful
Costs are expected to arise for auditors in relation to bilateral meetings (for example as the cost benefit analysis refers to this at B Option 1 Costs, p. 32); we agree that this is a relevant but not overriding consideration for determining the frequency of meetings. We believe the cost would on average be significantly higher than suggested. In addition, the form in which communication takes place would also have an implication for costs. For example, were formal written reports requested from the auditor this would be significantly more expensive than communication by way of a telephone call.
We suggest a review between the EBA, supervisors, credit institutions, audit firms and professional bodies of how the guidelines are working in practice after the first two years of implementation. The objective of such a review would be to ensure that parties are satisfied with the effectiveness of the new arrangements and they are providing a proportionate and cost-efficient way of achieving shared objectives of increased financial stability