Recommendation L on the Role of Statutory Auditors in the Supervision of Banks and Cooperative Savings and Loan Associations

Financial Supervision Authority Recommendation L concerning the role of statutory auditors in the supervision process of banks and cooperative savings and loan associations Warsaw, December 2018

Recommendation L Page 2 of 23 I. Introduction Recommendation L is issued pursuant to Article 137(1)(5) of the Act of 29 August 1997 – Banking Law (consolidated text: Journal of Laws of 2017, item 1876, as amended), Article 62(2) of the Act of 5 November 2009 on Cooperative Savings and Loan Associations (consolidated text: Journal of Laws of 2017, item 2065, as amended), and Article 11(1) and Article 67(2) of the Act of 21 July 2006 on the Supervision of the Financial Market (consolidated text: Journal of Laws of 2018, item 621, as amended). It is addressed to banks and cooperative savings and loan associations (SKOK) with the aim of shaping their relationships with audit firms and statutory auditors in such a way as to ensure, to the highest possible extent, the application of good practices specified in this Recommendation.

The amended Recommendation L implements a new model of cooperation between participants in the process of auditing financial statements and supervising entities of public interest, namely between audit firms, statutory auditors, the supervisory authority, and supervised entities whose financial statements are subject to the obligation of audit. This model aims to develop relationships that are more partnership-oriented and less hierarchical. In the opinion of the KNF, such a communication strategy should result in increased effectiveness and efficiency of public supervision over entities of public interest, such as banks and SKOK, as well as the independence of statutory auditors and the quality of financial statement audits, to the benefit of all financial market participants, and consequently should strengthen the stability and safety of the financial sector.

The issuance of the amended Recommendation L ensures consistency of the KNF recommendations contained in this document regarding the role of statutory auditors and audit firms in the supervision process of banks and cooperative savings and loan associations with currently applicable national and EU law and market standards.

This Recommendation concerns good practices regarding the cooperation of statutory auditors and audit firms with the financial supervisory authority in the area of data and information exchange obtained by statutory auditors and audit firms during the statutory audit of financial statements of banks and SKOK, and which are significant for the implementation of supervisory goals for the aforementioned entities. It presents the KNF's expectations regarding the conduct of banks and cooperative savings and loan associations in accordance with the provisions of the Act of 11 May 2017 on statutory auditors, audit firms, and public supervision (Journal of Laws of 2017, item 1089, as amended, hereinafter: the Act on Statutory Auditors).

The provisions of the amended Recommendation L regarding the relationship between the financial supervisory authority and audit firms and statutory auditors take into account changes in the regulatory environment, resulting in particular from the reform of the audit services market within the European Union and at the national level, as well as changing market practice regarding the role of audit firms and statutory auditors in the supervision process of banks and cooperative savings and loan associations.

The Recommendation takes into account, inter alia, the Corporate Governance Code for supervised institutions issued by the KNF on 22 July 2014, as well as European Union legal acts and standards issued by other supervisory and industry institutions, including:

• Directive 2014/56/EU of the European Parliament and of the Council of 16 April 2014 amending Directive 2006/43/EC on statutory audits of annual accounts and consolidated accounts;
• Regulation (EU) No 537/2014 of the European Parliament and of the Council of 16 April 2014 on specific requirements regarding statutory audit of financial statements of entities of public interest, repealing Commission Decision 2005/909/EC, hereinafter referred to as "Regulation No 537/2014";
• Guidelines of the European Banking Authority (EBA) No EBA/GL/2016/05 of 7 November 2016 on communication between competent authorities supervising credit institutions and the statutory auditor(s) and the audit firm(s) carrying out the statutory audit of credit institutions;
• Recommendation H of the Financial Supervision Authority regarding the internal control system in banks, adopted by KNF Resolution No 141/2017 of 25 April 2017.

The provisions of the Recommendation should be applied with due regard to the principle of proportionality, including taking into account structural differences and the specificity of activities conducted by supervised entities within its scope (in particular with regard to cooperative savings and loan associations).

The KNF expects that this Recommendation will be implemented in banks and cooperative savings and loan associations no later than 31 March 2019.

Recommendation L Page 3 of 23 II. Definitions

1. Statutory audit - the audit of the annual consolidated financial statements of a group of undertakings or the audit of the annual financial statements, the obligation to conduct which arises from Article 64 of the Act of 29 September 1994 on Accounting (consolidated text: Journal of Laws of 2018, item 395, as amended, hereinafter: the Accounting Act), provisions of other laws, or provisions of EU law, conducted in accordance with national audit standards referred to in Article 2(1) of the Act on Statutory Auditors;
2. Review of financial statements - the review of the consolidated financial statements of a group of undertakings or financial statements, conducted in accordance with national review standards referred to in Article 2(4) of the Act on Statutory Auditors;
3. Statutory auditor - a person entered in the register of statutory auditors, practicing the profession on behalf of an audit firm referred to in Article 3(3) of the Act on Statutory Auditors;
4. Key statutory auditor - in accordance with Article 2(12) of the Act on Statutory Auditors: a) in the case of an audit of financial statements - a statutory auditor appointed by the audit firm as primarily responsible for conducting the audit on behalf of the audit firm, or b) in the case of an audit of the consolidated financial statements of a group of undertakings - a statutory auditor appointed by the audit firm as primarily responsible for conducting the audit of the consolidated financial statements of the group of undertakings on behalf of the audit firm at the level of the parent undertaking of the group, and a statutory auditor appointed as primarily responsible for conducting the audit of the consolidated financial statements of the group of undertakings at the level of significant subsidiaries included in the consolidated financial statements of the group, or c) a statutory auditor signing the audit report;
5. Audit team - in accordance with Article 2(16) of the Act on Statutory Auditors, all persons involved in conducting the audit, including in particular the team of statutory auditors, persons conducting quality control of the engagement, senior management, and persons undergoing the training referred to in Article 4(2)(5) of the Act on Statutory Auditors, participating in the conducted audit, as well as experts employed by the audit firm and other persons performing, within the framework of the given audit, activities on behalf of or under the control of a statutory auditor or audit firm;
6. Audit firm - an entity authorized to conduct audits of financial statements, in which audits of financial statements are conducted by statutory auditors, entered on the list referred to in Article 57(1) of the Act on Statutory Auditors and conducting business in one of the permitted forms specified in Article 46 of that Act;
7. Rules for the selection of an audit firm - internal regulations referred to in Article 130(1)(5) and (7) of the Act on Statutory Auditors, of a bank or SKOK being an entity of public interest;
8. Internal control unit - an independent internal audit unit tasked with independently and objectively examining and assessing the adequacy and effectiveness of the risk management system and the internal control system. In cooperative banks affiliated with umbrella banks, the internal control unit may be the internal audit unit of the umbrella bank conducting controls under the terms specified in the affiliation agreement. In cases where the umbrella bank or cooperative banks are participants in a protection scheme, the internal control unit may be the internal audit unit of the protection scheme conducting controls under the terms specified in the protection scheme agreement;
9. Participant in the protection scheme - a participant referred to in Article 22b(1) of the Act of 7 December 2000 on the operation of cooperative banks, their affiliation, and umbrella banks (consolidated text: Journal of Laws of 2018, item 613);

Recommendation L Page 4 of 23 10) Body approving the financial statements - the body which, in accordance with applicable law and the statute, is authorized to approve the financial statements; 11) Audit committee - an audit committee referred to in Regulation No 537/2014 and Chapter 8 of the Act on Statutory Auditors, operating in entities of public interest; 12) Entity of public interest - an entity referred to in Article 2(9) of the Act on Statutory Auditors (hereinafter: EPI); 13) Bank - a domestic bank, a cooperative bank, and an umbrella bank, understood as: Domestic bank - a legal person referred to in Article 4(1)(1) of the Banking Law, established in accordance with legal provisions, operating based on licenses authorizing the performance of banking activities involving risk-bearing funds entrusted under any title for repayment, and having its registered office on the territory of the Republic of Poland; Cooperative bank - a bank that is a cooperative, referred to in Article 2(1) of the Act on the operation of cooperative banks, their affiliation, and umbrella banks; Umbrella bank - a bank in the form of a joint-stock company, referred to in Article 2(2) of the Act on the operation of cooperative banks, their affiliation, and umbrella banks, established by cooperative banks; 14) Cooperative savings and loan association - a cooperative within the meaning of Article 2 of the Act on Cooperative Savings and Loan Associations, hereinafter: SKOK; 15) Internal control system - procedures and mechanisms of internal control, the purpose of which is to support management and employees of the bank in the proper and efficient performance of duties; 16) Tender documentation - in cases where the bank is subject to the provisions of the Act of 29 January 2004 on Public Procurement Law (consolidated text: Journal of Laws of 2017, item 1579, as amended), it is documentation meeting the requirements specified in that Act and consistent with regulations resulting from Regulation 537/2014. In other cases, it is an offer consistent with the requirements of Regulation 537/2014.

Recommendation L Page 5 of 23 II. List of Recommendations Recommendation 1 The bodies of the bank and the bodies of the SKOK should make every effort to entrust the statutory audit to a statutory auditor possessing professional knowledge and competencies adequate to the scale and degree of complexity of the activities conducted by these entities, their risk profile, and in particular to the transactions conducted by them.

Recommendation 2 The audit committee or another supervisory or control body in the EPI, to which the function of the audit committee has been entrusted, develops the policy and procedure for the selection of an audit firm in the bank and SKOK.

Recommendation 3 The rules for the selection of an audit firm to conduct the statutory audit should be developed in a manner ensuring their transparency and should specify clear, unambiguous, and unquestionable criteria for the selection of the audit firm.

Recommendation 4 The bank and SKOK have an informational obligation towards the National Chamber of Statutory Auditors and the KNF regarding the termination of the statutory audit agreement, and an informational obligation towards the KNF regarding significant changes concerning the agreement concluded by the bank or SKOK with the audit firm.

Recommendation 5 The bank and SKOK being EPIs should ensure, prior to selecting an audit firm, that the statutory auditor recommended to conduct the statutory audit, or in the case of a SKOK not being an EPI, the statutory auditor selected without recommendation, meets the conditions for expressing an impartial, independent, and objective opinion.

Recommendation 6 The bank and SKOK should cooperate with the audit firm and statutory auditors conducting the statutory audit to increase the productivity and efficiency of their work in a manner ensuring that the statutory auditor maintains independence, objectivity, and professional skepticism.

Recommendation 7 The bank should ensure the proper functioning of the internal control system within its management system. The SKOK should ensure the proper functioning of internal control.

Recommendation 8 The bank and SKOK should make available to the statutory auditor conducting the statutory audit or providing a service other than the statutory audit the entirety of correspondence conducted with the KNF at least for the period covered by that audit up to the date of preparation of the audit report by the statutory auditor or the date of preparation of the report.

Recommendation 9 The bank and SKOK should, after each statutory audit or review of financial statements, make available to the KNF all documents concerning the findings of the statutory auditor from the audit or review of financial statements.

Recommendation 10 The fulfillment by the audit firm or statutory auditor of the obligation to disclose information, data, and documents concerning the bank or SKOK within the communication with the KNF is carried out in accordance with generally applicable legal provisions.

Recommendation 11 Communication between the bank or SKOK, the audit firm, and the key statutory auditor and the KNF should take place frequently enough to ensure rapid and effective exchange of information and data on significant issues identified during the performance of duties by each of the parties. Communication may take place with the participation of representatives of several or all of the entities mentioned above and at any stage of the supervision or control process, and may proceed in two ways: in the form of meetings or in written form.

Recommendation 12 The audit committee or another supervisory or control body, to which the function of the audit committee has been entrusted in the EPI, develops the rules of conduct regarding the process of disclosing and exchanging data and information between the KNF, the audit firm, the key statutory auditor, and the bank unit responsible for control mechanisms within the internal control system, while observing the conditions specified in Recommendation 10.

Recommendation 13 The bank and SKOK, as the subject of activities undertaken by the key statutory auditor, the audit firm, and the KNF, should remain the main source of information for the aforementioned entities regarding the tasks performed by them.

Recommendation 14 In cases referred to in Article 136 of the Banking Law and Article 62e of the Act on Cooperative Savings and Loan Associations, the bank and SKOK provide the audit firm and the statutory auditor conducting the statutory audit with all available information concerning events referred to in these provisions.

Recommendation 15 The KNF should strive to ensure constant, smooth, and direct exchange of information and data between the Audit Committee of the bank or the Audit Committee of the SKOK, the audit firm, and the key statutory auditor through joint participation in meetings concerning:

• analysis of inspection results in the bank or SKOK;
• assessment of the situation of the bank or SKOK;
• other issues significant for the functioning of the bank or SKOK.

Recommendation 16 There should be an exchange of information between the KNF and audit firms and key statutory auditors conducting the statutory audit in the bank or SKOK for the purpose of identifying threats and risks affecting the safety of the financial system, which may shape the conditions for exercising supervision or the methodology for conducting statutory audits.

Recommendation L Page 6 of 23 III. Recommendations I. General rules of responsibility of the bank and SKOK for the selection of the statutory auditor Recommendation 1 The bodies of the bank and the bodies of the SKOK should make every effort to entrust the statutory audit to a statutory auditor possessing professional knowledge and competencies adequate to the scale and degree of complexity of the activities conducted by these entities, their risk profile, and in particular to the transactions conducted by them. 1.1 When selecting the statutory auditor, the statutory bodies of the bank and SKOK should be guided in particular by such premises as the objectivity, professional skepticism, honesty, and due diligence of the statutory auditor, compliance by the statutory auditor with the rules of professional ethics and professional secrecy in accordance with the provisions of the Act on Statutory Auditors.

Recommendation 2 The audit committee or another supervisory or control body in the EPI, to which the function of the audit committee has been entrusted, develops the policy and procedure for the selection of an audit firm in the bank and SKOK. 2.1 In implementing the policy and procedures for the selection of an audit firm, the Audit Committee submits a recommendation regarding the designation of an audit firm to the body approving the financial statements or the supervisory board, if in accordance with the statute the decision on the selection of the audit firm is made by the supervisory board. Unless this concerns the renewal of the audit engagement, the recommendation of the audit committee should contain justification and at least two options for entrusting the statutory audit. The Audit Committee should also express a appropriately justified preference for one of the options indicated in the recommendation. The Audit Committee should indicate that its recommendation is free from the influence of third parties and that no clause has been imposed on the committee that could limit the possibility of selecting an audit firm to specific categories or lists of audit firms. 2.2 The bank and SKOK should directly and immediately notify the KNF of any attempts by third parties to impose contractual clauses or otherwise influence their decision regarding the selection of an audit firm. 2.3 In accordance with Article 66(5a) of the Accounting Act, any contractual clauses in agreements concluded by the bank or SKOK that would limit the possibility of selecting an audit firm by the body making the selection of the audit firm for the purpose of conducting the statutory audit of the bank or SKOK to specific categories or lists of audit firms are deemed void by operation of law. 2.4 The selection of an audit firm to conduct the statutory audit is made by the body approving the financial statements, unless the statute of the bank or SKOK grants such authority to the supervisory board. 2.5 The head of the bank or SKOK concludes an agreement with the audit firm for statutory audits. The first statutory audit agreement is concluded with an audit firm for a period of no less than two years, with the possibility of extension for subsequent periods of at least two years, while maintaining compliance with provisions on rotation.

Recommendation 3 The rules for the selection of an audit firm to conduct the statutory audit should be developed in a manner ensuring their transparency and should specify clear, unambiguous, and unquestionable criteria for the selection of the audit firm. 3.1 The rules for the selection of an audit firm to conduct the statutory audit should be regulated in the procedure and policy for the selection of an audit firm adopted for use in the bank or SKOK. 3.2 The rules for the selection of an audit firm and other internal regulations related to the statutory audit process (policy on the provision of services by the audit firm conducting the audit, by entities affiliated with the audit firm, and by members of the audit firm's network for permitted non-audit services, procedure for the provision by entities affiliated with the audit firm and by members of the audit firm's network of permitted non-audit services) should be consistent with applicable legal provisions, in particular with the Act on Statutory Auditors and Regulation No 537/2014. In cases where the bank or SKOK is subject to the provisions of the Public Procurement Law, the tender procedure for the selection of an audit firm should be conducted under public procurement rules, provided that the requirements specified in the Public Procurement Law provisions are not contrary to regulations resulting from Regulation 537/2014. 3.3 The rules for the selection of an audit firm should be developed by the audit committee taking into account the following criteria: a) The audit committee of the bank or SKOK, excluding a cooperative bank entrusting the statutory audit to an audit association, may invite any audit firms to submit offers for the provision of the statutory audit service, provided that the principle of rotation of the audit firm, key statutory auditor, and gradual rotation of senior personnel is observed, and ensuring that firms which obtained less than 15% of total remuneration from audits from EPIs in a given EU Member State in the previous calendar year are not excluded from participation in the selection procedure. The audit committee of a cooperative bank entrusting the statutory audit to an audit association ensures the observance of the principle of rotation of the key statutory auditor; b) The audit committee of the bank or SKOK prepares tender documentation for invited audit firms. The tender documentation enables the detailed scope of activities of the bank or SKOK and the type of statutory audit to be conducted to be known; c) The tender documentation contains transparent and non-discriminatory selection criteria, which are used to evaluate offers submitted by audit firms and take into account quality standards regarding the functioning of audit firms in the Polish audit services market; d) The audit committee of the bank or SKOK may conduct direct negotiations with interested bidders during the selection procedure; e) The audit committee of the bank or SKOK evaluates offers submitted by audit firms in accordance with the selection criteria specified in the tender documentation. 3.4 The rules for the selection of an audit firm for the purpose of conducting the statutory audit should not in any way limit the possibility of selecting an audit firm. 3.5 A SKOK not being an EPI may not apply the provisions contained in Recommendation 3.3.

Recommendation 4 The bank and SKOK have an informational obligation towards the National Chamber of Statutory Auditors and the KNF regarding the termination of the statutory audit agreement, and an informational obligation towards the KNF regarding significant changes concerning the agreement concluded by the bank or SKOK with the audit firm.