In December 2011, following a public consultation, the Central Bank of Ireland published the Auditor Protocol between it and auditors of regulated financial service providers. The protocol, which, in the first instance, applies to those firms that are rated 'high impact' under the Central Bank's new regulatory risk model, PRISM, became effective on 1 January, 2012.
The aim of the protocol is to enhance information sharing between the Central Bank and auditors of firms, thereby improving the regulatory and statutory audit processes. To do this, the protocol provides a framework to facilitate information sharing principally through a structure for pre- and post-audit meetings. It is envisaged that the auditor will be represented by the lead partner and the Central Bank by the senior examiner in order to ensure that the meetings are mutually beneficial.
The pre-audit meeting
The Central Bank, through its corporate governance requirements, places a significant onus on the audit committee to monitor the effectiveness and adequacy of the firm's internal controls and internal audit functions. The Central Bank, thus, believes that it is appropriate for the pre-audit meeting to be a trilateral meeting (i.e., a meeting between the Central Bank, auditors and the audit committee or independent non-executive directors) unless both the Central Bank and the auditor believe that it would be more beneficial to only have a bilateral meeting. It is expected that the agenda for this meeting would cover, inter alia, the following issues: (i) the risk profile of the firm, e.g. changes in business lines, drivers of income, strategy, etc.; (ii) weaknesses identified in previous audits; (iii) overview of weaknesses identified through the supervisory process; (iv) the audit approach and the application of the materiality concept; (v) changes in the corporate governance and internal governance structures of the firm; and (vi) observations on the control functions of the firm (e.g. risk management function, internal audit, compliance, etc.).
The post-audit meeting
The post-audit meeting will be a bilateral meeting (i.e., a meeting between the Central Bank and auditors), which will generally be held after the audit report is signed off. This meeting may, however, occur before sign off if it is deemed more beneficial. It is expected that the agenda for this meeting would cover, inter alia, the following issues: (i) the going-concern concept; (ii) an update on the items outlined in the pre-audit meeting; (iii) discussion on whether the auditors were able to follow their intended audit plan and/or whether they had to make any amendments based on their findings during the audit; (iv) discussion on the audit findings as originally presented to the firm and the adequacy of the firm's response to these findings; (v) discussion on areas where management of the firm applied significant judgment and its impact on the auditor's view of the financial statements and on the risk profile of the firm. This discussion would include how the level of professional scepticism was applied by the auditor; (vi) any issues that affected communications between the auditor and/or the Central Bank and/or the firm during the year that could be improved; and (vii) the future strategy of the firm and the impact that it may have on audit and regulatory issues.
Open and frank communication
The Central Bank recognises that, in order for the protocol to be successful, the communication between the relevant parties needs to be open and frank. For this reason, a number of measures to achieve this goal have been outlined in the general framework section of the protocol. Firstly, it obliges the firm to advise: (i) the Central Bank of the contact details of the audit partner responsible for the audit within five days of their appointment; and (ii) its auditor of the contact details of its senior examiner in the Central Bank within five days of the auditor's appointment.
Secondly, it outlines a number of principles governing the meetings between the Central Bank and auditors: (a) the Central Bank shall endeavour to share all information, which it believes would lead to higher quality audits with the auditor; (b) the auditing firm shall endeavour to share with the Central Bank any information that it believes may assist the Central Bank in the exercise of its supervision functions; and (c) all communication between the Central Bank and auditors shall be deemed confidential under Section 33AK of the Central Bank Act, 1942 (as amended).
It should be noted that the protocol also facilitates material information (i.e., information that is deemed would be of immediate interest to the other party) to be shared between both parties at the earliest instance, even if a meeting between both parties is not planned. Thirdly, it requires the terms of the audit engagement to include a clause that specifically acknowledges that the Central Bank and the firm's auditors can discuss any issue that is of relevance to their oversight of the firm and that this communication will not be determined by the firm as a breach of duty by either party.
Annual review process
In order to ensure the protocol remains relevant and up to date, it includes an annual review clause. The annual review will include updating the protocol to reflect changes in legislation, auditing practices and other relevant developments including, where possible, removing any barriers to the sharing of information identified during the year (if any), thereby maximising the effectiveness of communication between both parties.
The views expressed in the article are those of the author and are not necessarily the views of the Central Bank of Ireland.
Andrew Guiney FCCA is a senior accountant in the Governance, Accounting and Auditing Policy Division of the Central Bank of Ireland.