FINANSSTILSYNET

Postboks 1187 Sentrum 0107 Oslo

Circular Guidance on Auditor Acceptance and Continuance of Audit Engagements

CIRCULAR: 6/2021 DATE: 21.12.2021 THE CIRCULAR APPLIES TO: Auditors Audit firms

---

Guidance on Auditor Acceptance and Continuance of Audit Engagements

Table of Contents

1. Introduction 3 1.1 Background and Purpose 3 1.2 Topics Covered in the Circular 3
2. Obligations of the Audit Firm 4 2.1 Risk Management and Internal Control 4 2.2 Quality Management and Quality Objectives 5 2.3 The Principle of Proportionality 6 2.4 Use of Templates 6
3. Acceptance of Audit Engagements – Engagement Partner 6 3.1 Engagement Partner’s Responsibility 6 3.2 Information about the Entity to be Audited 6 3.2.1 Communication between Predecessor and Successor Auditor 7 3.2.2 Relevant Information 7 3.3 Assessment of Received Information and Further Handling 7 3.4 Follow-up after Acceptance of the Engagement 8
4. Continuance Assessments 9
5. Withdrawal from Audit Engagements 9
6. Transfer of Audit Engagements in Connection with Mergers and Reorganizations 10

---

1 Introduction

1.1 Background and Purpose

The auditor plays a central role in preventing audit-required entities that are not operated in accordance with laws and regulations from continuing their operations. The auditor must withdraw if the audited entity does not rectify illegal matters discovered by the auditor during the audit. A new auditor must not take on the engagement without demanding rectification. If the audit-required entity does not comply and consequently does not obtain a new auditor, the entity will be dissolved by force. The duty to withdraw, and duties related to the acceptance of engagements, are therefore central to the audit profession. The auditor's compliance with these duties contributes to preventing an entity from continuing to operate at the expense of its creditors. It is important for the auditor's role as a person of trust to the public that auditors uphold these duties. The Financial Supervisory Authority receives reports, including from bankruptcy trustees, indicating that auditors have not upheld their duty to withdraw, or that new auditors have not fulfilled their duties upon acceptance, allowing the entity to continue operating at the expense of creditors.

The Auditor Act contains provisions regarding acceptance and continuance assessments. The Auditor Act implements the Audit Regulation (EU/537/2014), which applies to the audit of entities of public interest and establishes additional requirements, including regarding independence and the duration of the audit engagement. International Standards on Auditing (ISA) also contain provisions regarding the acceptance and continuance of audit engagements.

This circular provides general guidance that the Financial Supervisory Authority will base its follow-up of auditors' acceptance and continuance assessments on.

1.2 Topics Covered in the Circular

As the appointed auditor, audit firms have a responsibility for the execution of the audit, which must be maintained in a prudent manner. This also applies to audit activities in sole proprietorships. Section 2 contains a description of the audit firm's responsibilities and tasks.

Section 3 of the circular describes audit actions that fall within the responsibility of the engagement partner when an audit firm is appointed as auditor. The same responsibility lies with the owner of a sole proprietorship when they are appointed as auditor. The circular also describes actions related to acceptance and continuance, which are the responsibility of the audit firm but are often handled by the engagement partner on behalf of the audit firm.

The Financial Supervisory Authority's experience from supervision is that the duty to withdraw is particularly weakly upheld in auditors' assessments. Although the assessment of withdrawal is part of the continuance assessment, the Financial Supervisory Authority believes it is appropriate to discuss these two assessments in separate sections. Section 4 contains a brief description of continuance assessments in engagements where the question of withdrawal is not relevant. Section 5 describes situations where the auditor must consider withdrawing.

Some supervisory cases have raised questions regarding the Auditor Act's provision on the transfer of audit engagements in connection with mergers and reorganizations of audit activities. Section 6 of the circular contains a discussion of this topic.

The duties related to the acceptance and continuance of audit engagements partly overlap with the duties under Act No. 23 of 1 June 2018 on measures against money laundering and terrorist financing (the Money Laundering Act). This applies to both risk assessments that the audit firm must make and actions that naturally fall to the engagement partner. The circular does not contain a discussion of the relationship between the duties in the Auditor Act and the Money Laundering Act. The Financial Supervisory Authority assumes that audit firms assess how the duties in both laws can best be upheld both in connection with the acceptance of engagements and in ongoing work. Regarding the auditor's duties under the Money Laundering Act, reference is made to the Financial Supervisory Authority's Circular 14/2019. Reference is also made to Circular 8/2019, where the Financial Supervisory Authority expresses more general interpretations of the Money Laundering Act, which also apply to the audit area.

The Financial Supervisory Authority also refers to publications of supervisory reports and other central documents on the Financial Supervisory Authority's website, where the supervisor's assessments of acceptance and continuance assessments are also included.

2 Obligations of the Audit Firm

2.1 Risk Management and Internal Control

The Regulation of 22 September 2008 No. 1080 on risk management and internal control (the Risk Management Regulation) became applicable to audit firms from 1 January 2021, the same date that the new Auditor Act came into force. The regulation specifies the process by which entities must ensure that their operations are conducted prudently, and the division of responsibility between the board and the managing director. The regulation is intended to ensure that significant risks in the business are identified, that measures are implemented to reduce risks to a prudent level, that controls are implemented to ensure that the implemented measures are effective, and that errors and deficiencies discovered in established internal controls are followed up so that the matter is rectified. According to the regulation, the board is responsible for determining how risk management and internal control should be, and for ensuring that this is followed up. The managing director is responsible for implementing the board's decisions and reporting to the board so that the board can uphold its responsibility. The regulation further states that risk assessments, measures, and the process must be documented. In sole proprietorships, it is the owner who is responsible for upholding the duties, cf. Risk Management Regulation § 2, second paragraph.

In situations where the same person holds multiple roles with different responsibilities and tasks, special awareness is required in risk and quality management and in internal control.

2.2 Quality Management and Quality Objectives

The requirements for audit firms' management of quality in audit engagements follow from Chapter 7 of the Auditor Act. The duties arising from the provisions in this chapter must be upheld in the audit firm's risk management and internal control, including by setting quality objectives.

The Auditor Act § 7-1 on the organization of the business and quality control is particularly significant for ensuring that duties related to the acceptance and continuance of audit engagements are upheld. A statutory measure to reduce the risk of breach of duty and to achieve set quality objectives is the establishment of appropriate guidelines and routines. This also applies to the area of acceptance and continuance of audit engagements. For guidelines and routines to work as intended, they must be easily accessible, understandable, and sufficiently detailed to provide real guidance for those who are to use the guidelines and routines. They must normally address:

• Which assessments must be made, by whom, at what time, and what must be included in the basis for the assessment, cf. among other things Auditor Act § 9-2, second paragraph and Auditor Act § 9-3, first paragraph. The guidelines must be designed so that considerations regarding the audit firm's economy are not given weight. The same applies to other matters that do not uphold the purpose of the provisions on acceptance and continuance.
• The decision on whether an engagement should be accepted, continued, or whether withdrawal should occur. It must be clear whether the decision is to be taken by the engagement partner on behalf of the audit firm, and if so, whether and when the decision should be discussed with others. The latter may be relevant in the question of whether there is a duty or right to withdraw. If there are different processes for accepting engagements depending on criteria, such as the audited entity's business, size, or other matters of significance for the decision, this must be clear.
• How compliance with the guidelines should be controlled (monitored), by whom, and at what time.
• The handling of breaches of legal requirements, auditing standards, and internal guidelines, by whom and in what manner.

Auditor Act § 7-1 is supplemented by ISQC 1 (International Standard on Quality Control). Acceptance and continuance of client relationships and individual engagements form an element of the quality control system to be established in accordance with ISQC 1, cf. point 16 letter c). ISQC 1 will be replaced by ISQM 1 (International Standard on Quality Management) on quality management in audit firms and ISQM 2 on engagement performance, no later than 15 December 2022. Audit firms should therefore base their work on ISQM.

The Norwegian Association of Certified Public Accountants' guidance on quality management in audit firms is based on the new quality control standard, where one of the quality areas is the acceptance and continuance of client relationships.

1 https://www.revisorforeningen.no/fag/standarder-og-veiledninger/kvalitetsstyring-i-et-revisjonsforetak/veiledning-kvalitetsstyring-i-et-revisjonsforetak/innledning/ (requires login)

2.3 The Principle of Proportionality

According to Risk Management Regulation § 2, first paragraph and Auditor Act § 7-1, sixth paragraph, risk management and internal control, including quality management, must be adapted to the nature, scope, and complexity of the firm's business. The proportionality reflected in these provisions is that there will be fewer risks to assess when the business is small and uniform than when it is large and has a broad range of services. The risk-reducing measures must be seen in this context. The provision also affects the establishment of management and control structures. In large and complex businesses, it may be necessary to establish extensive management and control functions to ensure prudent operations, beyond legally mandated control measures. The provision on proportionality does not constitute an exception from regulatory duties. Even in small firms, risks must be identified and managed through internal control measures and reporting to ensure that the business is operated prudently.

2.4 Use of Templates

The use of templates for guidelines and routines is useful as a tool in the work with risk and quality management. However, it is not sufficient for audit firms to simply fill in the audit firm's name and other standard fields in such templates. The audit firm must have a concrete assessment of which guidelines and routines are necessary to manage and control the specific risks in the business. This follows from the Risk Management Regulation and Auditor Act § 7-1.

3 Acceptance of Audit Engagements – Engagement Partner

3.1 Engagement Partner’s Responsibility

Even if the audit firm has assessed the engagement partner's independence, capacity, and competence, including competence regarding relevant legal requirements for the specific audited entity, and access to resources and personnel has been ensured, the engagement partner has an independent responsibility for the execution of the audit. The engagement partner must make corresponding and independent assessments to ensure that the role of engagement partner is upheld in a prudent manner, and in accordance with requirements in the law and relevant auditing standards.

In the following description, it is assumed that there is no uncertainty regarding capacity, competence, and independence, so that this in itself does not prevent the engagement from being accepted.

3.2 Information about the Entity to be Audited

It is important that the auditor obtains the necessary information about the entity to be audited to have a good basis for assessing whether the engagement can be accepted.

3.2.1 Communication between Predecessor and Successor Auditor

If the entity has appointed an auditor², a request must be sent to the predecessor auditor in accordance with Auditor Act § 9-2. The predecessor auditor's duty to respond arises when the process for changing auditors has progressed to the point where it is clarified which audit firm or auditor will take over the engagement. The duty to clarify with the predecessor auditor does not apply if the entity did not have an appointed auditor for the financial year preceding the financial year the new auditor is to audit. The Financial Supervisory Authority believes, however, that the new auditor should consult with the previous auditor, even in such situations. The Financial Supervisory Authority also expects that the previous auditor responds to such an inquiry.

Information from the predecessor auditor must be documented and included in the audit documentation if the engagement is accepted. How much information the predecessor auditor provides and how complete it is will vary, and the new auditor must have a conscious relationship to this. The new auditor cannot interpret a lack of response from the predecessor auditor as if everything is in order. If the predecessor auditor does not respond, the auditor must obtain information from other sources. If the auditor cannot obtain the necessary information, the engagement cannot be accepted.

If the predecessor auditor does not fulfill their disclosure duty despite reminders, this is information of interest to the Financial Supervisory Authority for potential supervisory follow-up regarding the predecessor auditor.

3.2.2 Relevant Information

Information that may be relevant to review in connection with the assessment of whether the audit engagement can be accepted includes, among other things:

• The most recent annual accounts, including the board's report
• The most recent audit reports, particularly with a view to clarifying whether these contain qualifications or clarifications
• The most recent interim accounts
• Numbered letters from the last few years and other central communication between the previous auditor and the audited entity
• Whether the audited entity has had frequent auditor changes, including whether the appointment of an auditor was made at an extraordinary general meeting
• Information about the entity's business and the industry or industries it operates in
• Information about management and management's integrity. Information can be obtained by searching public registers, in the media, and on the internet.
• Correspondence between the audited entity and various supervisory authorities

What constitutes necessary information must be assessed concretely.

3.3 Assessment of Received Information and Further Handling

Based on the received information, the new auditor must assess whether the engagement can and should be accepted. That the predecessor auditor reports matters indicating that the new auditor should not take on the engagement is not a hindrance to the engagement being accepted. However, this heightens the requirement for the new auditor's assessment of whether the engagement should be accepted, and there is also a special duty to document the reasoning, cf. Auditor Act § 9-9, third paragraph.

A central part of the auditor's assessment is whether conditions should be set for taking on the engagement, and if so, which ones. Received information may show that the entity does not meet requirements in laws or regulations. This could be, for example, failure to use a tax deduction account, illegal loans to shareholders, failure to uphold the duty to act under the Companies Act or the Public Limited Liability Companies Act in the event of weak equity, breaches of the Accounting Act and the Annual Accounts Act, including missing, delayed, or incorrect reporting to public authorities. It can also be matters that the previous auditor has pointed out regarding weak management and internal control at the audited entity, uncertainty about going concern, or lack of competence, or willingness on the part of management or other key personnel to rectify pointed-out matters. Qualifications and clarifications in the most recent audit report will always be central to the assessment. The same applies to matters pointed out by any supervisory authority.

The new auditor should exercise particular caution if the audited entity expresses that the previous auditor "did not understand," "was wrong," "was too strict," or similar, and tries to bind the new auditor to accept matters the previous auditor did not accept.

The auditor must assess the probability that the entity is capable of producing accounts that can be audited. If this is not probable, the auditor must not take on the engagement. Examples of matters that should be rectified before the auditor commits to auditing the entity include illegal loans to shareholders, failure to use a tax deduction account, lack of capital injection, etc.

For matters that cannot be rectified quickly, the auditor must demand that the entity present a realistic plan for how and when the matters will be rectified. The auditor must in such cases assess whether it is highly probable that the plan can and will be fulfilled before the auditor commits, so that qualifications in the audit report can be avoided.

When the auditor has submitted a declaration of willingness to the Business Register, the auditor has committed to taking on the engagement, provided that any conditions for acceptance are met. The auditor may also have committed to taking on the engagement on other grounds vis-à-vis the specific entity. This applies when entering into an engagement agreement, but other behavior may also have given the entity legitimate grounds to believe that the auditor has accepted the engagement. The auditor must therefore be clear in their communication with the entity and ensure that necessary qualifications are taken until the acceptance assessment is completed, and a decision has been made that the engagement will be accepted.

3.4 Follow-up after Acceptance of the Engagement

If the auditor has set as a condition that a plan must be presented to rectify matters, the auditor must follow up that the plan is adhered to. Such follow-up cannot wait until the ordinary audit actions begin. If the plan is not followed by the audited entity, the auditor must assess immediate withdrawal. It is not sufficient for the auditor to follow up with qualifications or clarifications in the audit report. Such qualifications do not prevent the entity from continuing its operations with a new auditor who has not made a sufficient acceptance assessment.

4 Continuance Assessments

For the auditor to contribute to preventing audit-required entities that are not operated in accordance with laws and regulations from continuing such operations, and thereby upholding the role as a person of trust to the public, the continuance assessment must be real. When using employees, the engagement partner is responsible for the assessments.

The auditor has a duty to send numbered letters in accordance with Auditor Act § 9-5 (written communication) to ensure that illegal or undesirable matters at the audited entity are rectified. The auditor's continuance assessment must include the audited entity's follow-up of numbered letters. Other communication with the audited entity may also be significant for the continuance assessment. If the auditor has raised questions about whether management displays a sufficient degree of integrity, this must be included in the assessment. Other matters may also indicate a more extensive continuance assessment, including significant changes in the business, economic matters, including profitability, or changes in ownership.

The annual continuance assessment must be made at such an early time that there is no pressure to continue the engagement.

5 Withdrawal from Audit Engagements

It follows from Auditor Act § 9-6 that the auditor has a duty to withdraw when the auditor has pointed out significant breaches of legal requirements to which the audited entity is subject, and necessary measures are not implemented to rectify the matters. The auditor's right to withdraw from an engagement is also regulated by the provision, but this is not a topic in this circular.

A prerequisite for the auditor to fulfill their duty to withdraw is that a numbered letter has previously been sent to the audited entity's board, cf. Auditor Act § 9-5. The letter must state what must be rectified and by what deadline. It must also be clear that the consequence of failing to rectify the pointed-out matters will be that the auditor must withdraw.

When withdrawal has been decided, the auditor must notify the audited entity of this within a reasonable time. What constitutes a reasonable time for notification must be assessed concretely. If withdrawal has not previously been notified, such notification will come in addition to the preceding numbered letter, and is in reality an orientation about the withdrawal and the time it will occur from.

When the auditor has withdrawn, the Business Register must be notified without unjustified delay, cf. Auditor Act § 9-6, last sentence. Auditors who withdraw from engagements where the audited entity is an entity of public interest have a special duty to report this to the Financial Supervisory Authority. The same applies if the entity appoints a new auditor at an extraordinary general meeting, cf. Financial Supervisory Authority Act § 3a, third paragraph. The auditor must also assess whether there is a reporting duty under other legislation as a result of the withdrawal, or if the matters justifying the withdrawal require reporting. See among other things Financial Supervisory Authority Act § 3a, first paragraph and the Audit Regulation Articles 7 and 12.

6 Transfer of Audit Engagements in Connection with Mergers and Reorganizations

Auditor Act § 2-4 states that those audited by audit firms that merge do not need to hold a general meeting or annual meeting to appoint the merged firm as the new auditor. According to the provision, the merged firm becomes the audited entity's appointed auditor. The same applies when an audit firm changes its corporate form without real changes in ownership, or when a sole proprietorship is absorbed into an audit firm. The provision applies only to corporate law changes, and regardless of registration in the Business Register.

In the takeover of large portfolios, it may be difficult to make an acceptance assessment before the takeover that fully meets the requirements in the Auditor Act. If the Financial Supervisory Authority sees that this is the situation, the Financial Supervisory Authority will assess what measures and assessments the audit firm that has acquired the portfolio has made to ensure that the takeover of the individual engagements is nonetheless prudent. Among other things, the investigations made and documented prior to the takeover will be significant, including what has been done to obtain good knowledge about the composition and risk of the acquired portfolio to ensure independence, capacity, and competence. Also, what controls are directed at audit quality in the portfolio will be included in the assessment. Regarding the duty to send a request to the previous auditor, it will be significant whether also auditors who were engagement partners in the audit firm selling the portfolio follow [the text cuts off here, but the translation reflects the provided text accurately].