The Auditor Protocol

2020 Protocol between the Central Bank of Ireland and the Auditors of Regulated Financial Service Providers – “The Auditor Protocol”

Auditor Protocol Central Bank of Ireland Page 2 Contents Introduction.........................................................................................................................3 The General Framework..................................................................................................3 Bilateral Meetings..............................................................................................................5 Trilateral Meetings............................................................................................................7 Review ...................................................................................................................................8 Version Due Amendments 1 2011 2 2013 Sections 3,8,10,15 & 17 3 2020 Sections 3,4,8,10,12,13 & 14

Auditor Protocol Central Bank of Ireland Page 3 Introduction

1. The aim of this Protocol is to enhance the information sharing between the Central Bank of Ireland (‘the Central Bank’) and auditors of regulated financial service providers (‘firms’) thereby improving the regulatory and statutory audit processes.
2. This Protocol is in addition to the statutory requirements on auditors of firms to report to the Central Bank under Irish legislative requirements e.g. under ‘prescribed’ enactments and under Sections 27B and 27C of the Central Bank Act, 1997. However, the Protocol does not extend in any way the nature and purpose of the statutory audit as required under legislation.
3. The scope of the Protocol extends to all communications, both written and oral, between the Central Bank and auditors with specific guidance in relation to the following areas:  bilateral meetings; and  trilateral meetings. The General Framework
4. To facilitate both the Central Bank and the auditors of firms to achieve the effective fulfilment of the two parties’ statutory powers, communication channels between both parties should always be open and an environment that facilitates frank discussions should exist. These goals can be achieved through the adoption of the following measures:  Firms shall advise the Central Bank of the contact details of the audit partner responsible for the audit within 5 days of their appointment.

Auditor Protocol Central Bank of Ireland Page 4  Firms shall advise its auditor of the contact details of its senior examiner in the Central Bank within 5 days of the auditor’s appointment.  Communications between the Central Bank and auditors shall be governed by the following principles: a) The Central Bank shall endeavour to share all information, which it believes would lead to higher quality audits, with the auditor; b) The auditing firm shall endeavour to share with the Central Bank any information that it believes may assist the Central Bank in the exercise of its supervisory functions; c) All communications between the Central Bank and auditors shall be deemed confidential under Section 33AK of the Central Bank Act, 1942 (as amended). 5. Material information (i.e. information which is deemed would be of immediate interest to the other party) shall be shared between both parties at the earliest instance even if a meeting between both parties is not planned. 6. Barriers to the sharing of information should be identified and, where possible, removed with a view to maximising the effectiveness of communication between both parties. 7. Contractual agreements between auditors and firms should not hinder information sharing. Specifically, the terms of the audit engagement shall include a provision that acknowledges that the Central Bank and the firm’s auditors can discuss any issue that is of relevance to their oversight

Auditor Protocol Central Bank of Ireland Page 5 of the firm and that this communication will not be determined to be a breach of duty by either party. 8. Communications between the Central Bank and auditors are covered by a provision in Section 58 of the Central Bank (Supervision and Enforcement) Act, 2013 relating to the limitation of liability in the reporting of certain matters. 9. In order for any meetings between the auditor and the Central Bank to be mutually beneficial, it is envisaged that the auditor will be represented by the lead partner and the Central Bank by the senior examiner. Bilateral Meetings 10. For high impact firms it is expected that there will be at least one formal bilateral meeting per year. For non-high impact firms the frequency of meetings will be determined by the impact category of the firm under the PRISM1 engagement model. 11. Following the commencement of the Single Supervisory Mechanism (“SSM”) on 4 November 2014 credit institutions within the Eurozone have been categorised into “significant” and “less significant” institutions. The ECB directly supervises significant institutions (SIs) while less significant institutions (LSIs) continue to be supervised by national competent authorities (NCA), in close cooperation with the ECB. In respect of SIs and LSIs the frequency of meetings with auditors

1 Probability Risk Impact System (PRISM) – further details are available on the Central Bank’s website.

Auditor Protocol Central Bank of Ireland Page 6 is aligned to the EBA Guidelines on communication between competent authorities and auditors2 . 12. A meeting may be held at any stage of the supervisory or audit process, including at the pre-audit stage or the post audit stage. A post audit meeting may occur after the audit is signed off, however if it is deemed beneficial by either party, it may occur before audit sign off. It is expected that this meeting will have an agenda which covers, inter alia, the following items: (i) The risk profile of the firm – e.g. changes in business lines, drivers of income, strategy, external environment. (ii) Weaknesses identified in previous audits. (iii) Overview of weaknesses identified through the supervisory process. (iv) The audit approach and the application of the materiality concept. (v) Changes in the corporate governance and internal governance structures of the firm. (vi) Observations on the control functions of the firm (e.g. risk management function, internal audit, compliance). (vii) Financial statements, valuation of assets and liabilities and disclosures. (viii) The Going Concern Concept. (ix) Discussion on whether the auditors were able to follow their intended audit plan and/or whether they had to make any amendments based on their findings during the audit.

2 EBA Guidelines on communication between competent authorities supervising credit institutions and the statutory auditor(s) and the audit firm(s) carrying out the statutory audit of credit institutions.

Auditor Protocol Central Bank of Ireland Page 7 (x) Discussion on the audit findings as originally presented to the firm and the adequacy of the firm’s response to these findings. (xi) Discussion on areas where management of the firm applied significant judgement and its impact on the auditor’s view of the financial statements and on the risk profile of the firm. This discussion would include how the level of professional scepticism was applied by the auditor. (xii) Any issues that affected communications between the auditor and/or the Central Bank and/or the firm during the year that could be improved. (xiii) The future strategy of the firm and the impact that it may have on audit and regulatory issues. Trilateral Meetings 13. The Central Bank, through its Corporate Governance requirements, places a significant onus on the Audit Committee to monitor the effectiveness and adequacy of the firm’s internal control (including around IT systems) and internal audit. It is because of this reliance that the Central Bank believes that consideration should be given to organising trilateral meetings between the Central Bank, the auditor and the Chair of the Audit Committee or, if an Audit Committee is not in place, an appropriate Independent Non-Executive Director, to discuss areas of concern and/or mutual interest regarding the firm. These meetings should cover all issues that the parties consider may be of interest to the other parties in carrying out their statutory or fiduciary functions.

Auditor Protocol Central Bank of Ireland Page 8 Review 14. This Protocol will be subject to review and will be updated to reflect feedback from participants, changes in legislation, auditing practice and other relevant developments as appropriate.

T: +353 (0)1 224 6000 E: accountingpolicy@centralbank.ie www.centralbank.ie