Communication of External Auditor with Those Charged with Governance in the Banking Corporation

Supervisor of Banks: Proper Conduct of Banking Business (10/10) Communication of External Auditor with those Charged with Governance in the Banking Corporation Page 303- 1 Communication of External Auditor with those Charged with Governance in the Banking Corporation Introduction

1. As part of the guidance concerning the adoption of American auditing standards by external auditors conducting audits of the financial statements of banking corporations, the relevant auditing standards related to communication of an external auditor with those charged with governance in the banking corporation, have been applied to external auditors.
2. These standards include, among other things, the standards relating directly to communication of the external auditor with those charged with governance in a corporation as follows: (a) SAS 60 – Communication of Internal Control Structure Related Matters Noted in an Audit (and its amendments in SAS 78 and SAS 87). (b) SAS 61 – Communication with Audit Committees (and its amendments in SAS 89 and SAS 90). The matter is also dealt with in the overall framework of standards applying to an external auditor, such as: (c) SAS 54 – Illegal Acts by Clients (see Section 17). (d) SAS 99 – Consideration of Fraud in a Financial Statement Audit (see Sections 79-82). (e) SAS 100 – Interim Financial Information (see Sections 29-35).
3. This Directive regulates the application of the American standards relating to communication with those charged with governance in the banking corporation, and the application of several additional requirements beyond the standards in this regard in the United States, as detailed in the appendix to this Directive.
4. The implementation of this Directive does not absolve the external auditors of the banking corporations from the need to implement additional requirements in regard to communication of an external auditor with those charged with governance in the

Supervisor of Banks: Proper Conduct of Banking Business (10/10) Communication of External Auditor with those Charged with Governance in the Banking Corporation Page 303- 2 banking corporation of other auditing standards that apply by law to the auditing work of an external auditor in a banking corporation. 5. It is hereby clarified that if these standards are amended in the future, the said amendments should be applied accordingly. Applicability 6. This Directive will apply to communication of an external auditor with those charged with governance in: (a) All banking corporations. (b) Corporations in Israel that are controlled by banking corporations, if one of the following conditions is met: (1) They are a "major company" as this term is defined in Section 32.i. of the Directives concerning Preparation of the Annual Financial Statements of a Banking Corporation; (2) Proper Conduct of Banking Business Directives 201-211 regarding the "measurement and capital adequacy" applies to them (see Section 20 of Directive 201), unless the extent of their business is negligible relative to the activity of the group. 7. For the purpose of this directive, "banking corporation" – a corporation as per section 6 above.

Supervisor of Banks: Proper Conduct of Banking Business (10/10) Communication of External Auditor with those Charged with Governance in the Banking Corporation Page 303- 3 Appendix Explanatory Notes on Communication of an External Auditor with Those Charged with Governance in the Banking Corporation General

1. Communication between an external auditor of a banking corporation with those charged with governance in the banking corporation will take place in accordance with the rules set forth in the American auditing standards, which have been applied to banking corporations in Israel in order to establish new auditing standards as such standards are published in the United States. The application of the said standards will include the amendments and the changes made thereto following their initial publication in the United States.
2. The following additional provisions will apply to external auditors: (a) Further requirements in regard to communication by an external auditor with those charged with governance in the banking corporation that appear in other auditing standards that legally apply to the auditing work of an external auditor of a banking corporation. (b) Specific explanatory notes for the implementation of the American standards, and further requirements as detailed below. For implementation purposes, it should be emphasized that in Public Statement No. 76 issued by the Institute of Certified Public Accountants in Israel regarding "Communication on auditing matters with those charged with governance in the body being audited", the board of directors of the banking corporation is the body charged with governance.
3. For the sake of clarity it is hereby stated that if the relevant auditing standards are amended in the future, the amendments should be applied accordingly.

Supervisor of Banks: Proper Conduct of Banking Business (10/10) Communication of External Auditor with those Charged with Governance in the Banking Corporation Page 303- 4 Destination of reports 4. In addition to the auditing committee of the board of directors, the external auditor should determine which other elements on the board of directors are charged with governance, and with whom he should meet. Concurrently, the board of directors of the banking corporation should keep the external auditor up to date on the need to address certain reports sent to the auditing committee to the board of directors as well, or to another committee of the board of directors, such as a balance-sheet committee, if these matters fall within their purview. 5. For clarity and to eliminate doubt, it is stated that: (a) Compulsory reporting to those charged with governance does not absolve the need to report to the chairperson of the board of directors as set forth in Section 169(a) of the Companies Law, 5759-1999. (b) In accordance with his powers under Section 5.a. of the 1941 Banking Ordinance, the Supervisor of Banks is entitled to demand and to use in any way necessary, any information created in communication between an external auditor and the auditing committee, or between an external auditor and any other official in the banking corporation, even if restrictions on communication have been determined regarding addressees and the use of the information by others. Reporting Due Date 6. An annual long-form report, including material findings such as substantial weakness in internal control and any other matter of relevance for the approval of the financial statement, will be reported to those charged with governance in the banking corporation prior to the date of approval of the financial statement. 7. If those charged with governance in the banking corporation have been receiving written findings on a regular basis during the year, there is no requirement to repeat the findings in the long-form report, provided that the said findings and their source is mentioned.

Supervisor of Banks: Proper Conduct of Banking Business (10/10) Communication of External Auditor with those Charged with Governance in the Banking Corporation Page 303- 5 8. If the external auditor has not completed the report on the other audit findings by the date on which the financial statements are approved, he will inform the banking corporation to this effect and present a supplemental report within 60 days after the publication of the financial statement. 8a. A banking corporation shall submit annually to the Supervisor of Banks: (a) A copy of the annual long form report and the supplementary report, not later than 15 days from the dates by which the external auditor is required to submit said reports to the banking corporation, as described in section 6 and 8 above. (b) A copy of its written reply to the findings of the external auditor as described in subsection 9(a), not later than 15 days from submitting the reply to the external auditor. Response to reports and correction of deficiencies 9. (a) Those charged with governance in the banking corporation, or a group authorized by them, will be required to respond in writing to the external auditor concerning the audit findings within 60 days from the receipt of the statement that refers to all the deficiencies. (b) As part of this procedure, the banking corporation will be required to certify the correction of all the deficiencies that the external auditor, after obtaining the response of the banking corporation, deems to be in need of correction. When the procedure for the correction of specific deficiencies entails long￾term action, such as a thorough overhaul of the computer system, the banking corporation will make the corrections on the basis of a defined schedule. (c) If the said deficiencies are not corrected in a timely fashion, particularly deficiencies that the banking corporation had certified as having been corrected, repeat deficiencies will be reported separately or as part of the report on "Material Weakness in Internal Control", if such exists (see Section 13 below).

Supervisor of Banks: Proper Conduct of Banking Business (10/10) Communication of External Auditor with those Charged with Governance in the Banking Corporation Page 303- 6 Approaching the Supervisor of Banks 10. In material cases and depending on the matter, the external auditor will weigh the necessity for approaching the Supervisor of Banks when he is of the opinion that: (a) After all the discussions and correspondence, including discussions and correspondence with the board of directors, disagreement still remains in matters that do not entail any change in the standard format of the external auditor's report; (b) The schedule for the correction of the deficiencies set out by the banking corporation, is unreasonable; (c) Those charged with governance in the banking corporation have not responded properly, within a reasonable period of time, to his notice about matters found in an audit of a financial statement or in a review of interim statements that cause him to believe that these statements are in need of material change. Written Reporting Requirement 11. A written reporting requirement is needed, at least in matters that SAS 60 defines as reportable, and other material matters in regard to which communication with those charged with governance in the banking corporation is needed. Additional Reporting by an External Auditor 12. An external auditor will also report the following to those charged with governance in the banking corporation, either on the long-form report or on a current basis, as the case may be: (a) Report on the scope of the audit: (1) General description of the scope of the audit; (2) Areas in which the audit was expanded and the reasons that prompted the external auditor to expand the audit in them; (3) Evaluation of the internal-auditing actions and the soundness of the internal control system, and the extent to which the external auditor relied on them for determining the scope of the audit.

Supervisor of Banks: Proper Conduct of Banking Business (10/10) Communication of External Auditor with those Charged with Governance in the Banking Corporation Page 303- 7 (b) Reliance on experts: When an external auditor relies on other experts (accountants, attorneys, adjusters, economists, etc.) in material matters, he should inform those charged with governance in the banking corporation of the names of the experts and the matters on which he relied on them; (c) The possible effect on the financial statements of significant risks and exposures of any kind, such as a lawsuit that must be disclosed in the financial statements; (d) Material uncertainty about events and situations that may raise significant doubts about the ability of the banking corporation to function as a going concern; (e) Expected changes in the standard format of the external auditor's report; (f) Any other matters that demand the attention of those charged with the governance of the banking corporation, such as questions relating to the integrity of management; (g) Non-auditing services—review of non-auditing services that the external auditor or a service firm controlled by the external auditor, has provided for the banking corporation during the year (in accordance with the definitions in the report of the board of directors, Appendix C, p. 630-10); (h) Reports submitted during the year—a list of all reports of the external auditor during the year and to whom they were submitted. Material Weakness in Internal Control 13. Because of material considerations and to prevent a situation in which a material deficiency is "submerged" in a large series of findings, the external auditor will identify and report to those charged with governance in the banking corporation, each material weakness, as defined in SAS 60, separately. Clarifications—Protection of Assets 14. The Appendix to SAS 60 gives examples of matters that may be reportable, including, but not limited to, improper conditions for the protection of banking corporation assets or evidence of failure to protect banking corporation assets from

Supervisor of Banks: Proper Conduct of Banking Business (10/10) Communication of External Auditor with those Charged with Governance in the Banking Corporation Page 303- 8 loss, damage, or misuse. For clarity, it is stated that the foregoing also relates to assets held for others in custodianship or as a trustee. 15. The term "protection of assets" is related to internal-control policies and processes that pertain to the financial statements. In the context of the structure of internal control at the banking corporation, assets protection relates only to protection against loss due to errors and irregularities in the performance of transactions and to the protection of the applicable assets. It does not include, for example, asset loss due to operational decisions of management. 16. In this matter, it is explained that the function of management is to determine policy for protecting assets, and that the function of the external auditor is to ensure that the said safeguarding policies are in place, and to check for compliance with the said policies in the context of the financial statements. An external auditor is not required to attest to the adequacy of the policies. For example, an external auditor's examination of controls in the context of financial reporting on loans should include tests indicating whether the banking corporation has carried out the transactions in accordance with management policy related to the financing and documentation of loans. These processes may include, for example, comparison of loan execution certifications with written management policy.

---