EY

Yes, we believe the scope of application of the draft Guidelines is clear.

However, as the Guidelines would apply to all credit institutions in the EU, including smaller credit institutions, we wonder whether, in addition to the proposed proportionality principle for their application, there should be a size and/or systemic impact test to determine their scope.
No, we do not think that applying the Guidelines mid-audit cycle is helpful or appropriate. In our view, the Guidelines should apply from Q2, 2017 i.e., after the 31 December year-end reporting and in preparation for implementation during the 2017 audit cycles.
We welcome the statement, in paragraph 17 of the draft Guidelines, that “neither party should discharge their respective responsibilities or use the work of the other as a substitute for their own work.” For communication to be open and effective it is important that the Guidelines are not seen as creating risk or liability issues for either competent authorities or auditors (particularly in EU Member States where auditors can be subject to criminal sanction). The Guidelines per se should not create any additional duty of care or increase the responsibilities of either auditors or competent authorities and it would be helpful if paragraph 17 could clarify this point and “hold harmless” both competent authorities and auditors i.e.:
• shared information should inform the auditor or competent authority’s judgement but reliance should not be placed on the information as a matter of fact, as it may be based on subjective judgements
• the party receiving the information is responsible for assessing the extent to which it is appropriate to place reliance on shared information
• shared information should be used to prompt questions if it does not accord with the receiving party’s own judgement, but differences of opinion may still be valid

We note that paragraph 19 of the draft Guidelines provides that: “Information shared during the communication between competent authorities and auditors…does not constitute a breach of any contractual or legal restriction on disclosure of information in accordance with Article 12(3) of the Audit Regulation for the statutory audits of PIEs.” Notwithstanding, it will be important to ensure that communications under the Guidelines would not contravene auditors’ duties of confidentiality or require an auditor to communicate information in breach of any EEA or non-EEA legal requirements (such as any confidentiality requirements for banking groups with operations outside the EU).
We believe that the Guidelines could include more detail on how the dialogue will operate effectively in relation to global credit institutions that are of systemic importance in EU Member States.
We welcome the “proportionate approach” in paragraph 20 et seq. of the draft Guidelines and agree that it is appropriate to differentiate and apply more intensive “in-depth communication” to those credit institutions that are systemically important.

We also agree that to achieve the objectives of the draft Guidelines efficiently and also effectively, the competent authorities and auditors of all credit institutions will need to tailor the elements of communication – and also their expectations - to a credit institution’s “size, internal organisation and nature, scope and complexity of their activities”.
To further guard against a ‘one-size fits all’ approach being adopted, it may be helpful to expand on paragraph 23 and for competent authorities and auditors to discuss and agree a communication plan – including whether “in-depth communication” is to be applied - before the start of each audit cycle.
In our experience, the UK Prudential Regulation Authority’s (PRA’s) Supervisory Statement LSS 7/13 “The relationship between the external auditor and the supervisor: a code of practice” is a good model that enhances communication without increasing costs for clients. We were, therefore, pleased to note that the “Examples of issues on what [sic] information could be shared between competent authorities and auditors” in Annex 1 to the draft Guidelines closely follows the PRA approach. We believe that early and regular two-way sharing of information - including things to think about, views on emerging risks and early health checks - is key to building an effective relationship between competent authorities and auditors.

To avoid increasing the costs to credit institutions, though, it is important that the scope of the information auditors will be asked to communicate is clear and arises from, or relates to, the statutory audit work i.e. the focus should be on information which is logically available as part of, and consistent with, the audit process. Requests for financial or other information from the regulated firms should be made directly to the credit institutions.

In addition, it is important that references to “information sharing” are not interpreted as authorising competent authorities to use the Guidelines in lieu of statutory information gathering powers (such as the PRA’s s.166 reports) to request the auditors to carry out additional work or as substitute for internal supervisory resources. Equally, we do not believe that the Guidelines should be used as a means of introducing long-form reporting.

We agree that there is a wider discussion about where auditors can support regulators – including with additional work – but this needs to be thought through carefully (e.g. what is appropriate and possible to obtain and who should carry the cost). If, for example, the EBA wished to introduce long-form reporting to enable competent authorities to gather additional information or seek additional comfort, we believe it should be the subject of a separate consultation.

Finally, we agree that at the end of each audit cycle there should be “feedback on the quality of the communication between competent authorities and auditors and ways to improve communication” (Annex 1, “Others”, point (d)). We would note that the PRA surveys and reports annually to their Board on the quality of the auditor-supervisor dialogue: we believe that this is an example of good practice that could be replicated across the EU.
To enhance open communication, we do not believe that written communication “should” be mandated in particular circumstances (c.f. paragraph 36 of the draft Guidelines), as informal communication is likely to be more effective than a formal reporting process.

Notwithstanding, it will be important to ensure that any written reporting adds to, and does not detract from, open and proactive dialogue between competent authorities and auditors and does not deliver responses that are subject to high levels of risk management. It will also be important to ensure there is clarity around the reporting requirements and, as noted previously, no conflicts with auditors’ duties of confidentiality or legal requirements.
In the UK, the PRA's code of practice requires at least one tri-lateral meeting per annum for “category 1” firms. We believe that this approach, which we fully support, should be incorporated in the draft Guidelines.

When in-depth communication is applied, we believe that paragraphs 40 and 41 of the draft Guidelines, which concern “the assessment of the usefulness organising tri-lateral meetings” should include a minimum requirement of one tri-lateral meeting per year, rather than leaving it to competent authorities to determine, based on their assessment of “usefulness”, whether or not to organise trilateral meetings. We also think that the role of audit committees and the importance of engagement with audit committee chairs should be reflected in the draft Guidelines.
We believe that the draft Guidelines on the frequency and timing of communication are sufficiently clear for credit institutions that are not systemically important.

However, for systemically important credit institutions, we believe it would be useful to have a dialogue between auditors and competent authorities at least twice a year - rather than “at least on an annual basis” (c.f. paragraph 48 of the draft Guidelines) - with one meeting at the start of the audit to share respective visions on the risks of the credit institution and another meeting before the audit opinion is signed.

We would note that the Annex to the PRA’s code of practice provides guidance on the timing and content of bilateral meetings for “category 1” firms and suggests “that as minimum, that two meetings be held before an audit closes” – one at the planning stage and one pre-close. We think it would be helpful to include similar guidance in the Guidelines.
Yes. We strongly support collective meetings between competent authorities and auditors and agree that there should be at least one meeting per annum (before the audit planning stage of the audit cycle) but ideally two. These meetings are important for discussing accounting, auditing or industry issues, including current or emerging trends, vulnerabilities and risks that should be of interest to both supervisors and auditors.
We have no comments on this question at this time. However, as a general observation, we would note that using auditors to obtain information from credit institutions that competent authorities could obtain directly, is likely to increase the costs of that data.
We have no additional comments on the draft Guidelines at this time.

However, we suggest that, in addition to competent authorities gathering feedback on the quality of the auditor-supervisor dialogue, the EBA carries out a formal post-implementation review of the Guidelines to ensure they are operating effectively and consistently across the EU.
Jeremy Jennings, Partner - Regulatory & Public Policy Leader, EMEIA