FINMA Circular 2025/1 Audit

Laupenstrasse 27 3003 Bern Tel. +41 (0)31 327 91 00 www.finma.ch Circular 2025/1 Audit Audit Reference: FINMA-Circular 25/1 "Audit" Issued: 31 October 2024 Entry into force: 1 January 2025 Concordance: replaces FINMA-Circular 13/3 "Audit" of 6 December 2012 Legal basis: FINMA Act Art. 7 para. 1 lit. b, 24, 25, 27, 28a, 29 FINMA Ordinance Art. 7 Addressees (indicative information) BankG VAG FINIG FinfraG KAG GwG Others Banks Financial groups and conglomerates Persons under Art. 1b BankG Other intermediaries Insurers Insurance groups and conglomerates Intermediaries Asset managers Trustees Managers of collective assets Fund management Custodian securities firms Non-custodian securities firms Trading venues Central counterparties Central securities depositories Transaction registers Payment systems Participants SICAV KmG for KKA SICAF Custodian banks Representatives of foreign KKA Other intermediaries SRO SRO-supervised Audit firms Rating agencies X

Table of Contents 2/6 I. Purpose II. Scope III. Selection and Replacement of the Audit Firm IV. Additional Audits V. Reporting Obligations in Case of Reduced Audit Cadence VI. Result of the Audit (Rz 7 of RS 1/2009 RAB) VII. Incompatibility with an Audit Mandate VIII. Information and Involvement of the SNB in the Audit of Systemically Important Financial Market Infrastructures Rz 1 2 3 4 5 6–7 8–21 22

3/6 I. Purpose This circular specifies the supervisory practice of FINMA regarding: • Selection and replacement of the audit firm; • Additional audits; • Reporting obligations in case of reduced audit cadence; • Incompatibility with an audit mandate (Art. 7 Financial Market Inspection Ordinance of 5 November 2014 [FINMA-PV; SR 956.161]); • Information and involvement of the SNB in the audit of systemically important financial market infrastructures. II. Scope This circular applies to: • Banks under Art. 1a of the Banking Act of 8 November 1934 (BankG; SR 952.0), securities firms under Art. 2 lit. e and 41 of the Financial Institutions Act of 15 June 2018 (FINIG; SR 954.1), and mortgage bond central banks under the Mortgage Bond Act of 25 June 1930 (PfG; SR 211.423.4); • Financial market infrastructures under Art. 2 lit. a of the Financial Market Infrastructure Act of 19 June 2015 (FinfraG, SR 958.1); • Supervised entities under Art. 2 para. 1 lit. c–e FINIG or Art. 13 para. 2 of the Collective Investment Schemes Act of 23 June 2006 (KAG; SR 951.31); • Insurance companies under Art. 2 para. 1 of the Insurance Supervision Act of 17 December 2004 (VAG, SR 961.01); • Persons under Art. 1b BankG. III. Selection and Replacement of the Audit Firm The selection and replacement of the audit firm under Art. 28a of the Financial Market Supervision Act of 22 June 2007 (FINMAG; SR 956.1) must be reported to FINMA by the supervised entities immediately, but no later than 3 months before the deadline for submitting the risk analysis of the current audit period. The supervised entities must always have a regulatory audit firm. IV. Additional Audits Additional audits under Art. 4 FINMA-PV are part of the supervisory audit. If the risks or business model of a supervised entity require an additional audit, FINMA may order an additional audit at any time. The provisions of the FINMA Supervisory Audit Ordinance of 31 October 2024 apply mutatis mutandis.

4/6 V. Reporting Obligations in Case of Reduced Audit Cadence The statutory reporting obligations of the audit firms must be complied with at all times, also in the event of applying the reduced audit cadence under Art. 30 or 40 of the FINMA Supervisory Audit Ordinance. VI. Result of the Audit (Rz 7 of RS 1/2009 RAB) If the audit firm issues a modified audit opinion under ISA-CH 705 in the context of the audit of the annual financial statements, or formulates an emphasis of matter paragraph or other matter paragraph in the auditor's report under ISA-CH 706, it must inform FINMA immediately, in any case before the issuance of the audit report. The confirmations regarding the annual financial statements are included in the short report for collective investment schemes (cf. Art. 113 as well as Art. 115 and 116 KKV-FINMA). If the audit firm issues a modified audit opinion under ISA-CH 705 or formulates an emphasis of matter paragraph or other matter paragraph in the auditor's report under ISA-CH 706, it must inform FINMA immediately, in any case before the issuance of the confirmation report. VII. Incompatibility with an Audit Mandate The audit firms as well as the auditors of the supervised entities must comply with the independence provisions under Art. 11l of the Audit Oversight Ordinance of 22 August 2007 (RAV; SR 221.302.3) and Art. 7 FINMA-PV. These and the following explanations on incompatibility with an audit mandate must also be considered when applying the reduced audit cadence (Art. 30, 40 FINMA Supervisory Audit Ordinance). There are no time restrictions for general advisory activities until the start of the first audit period for a newly accepted regulatory audit mandate. Previous audit and advisory mandates must, however, be disclosed to FINMA in connection with the notification of the selection of an audit firm. The term "audit mandate" within the meaning of Art. 8 para. 1 FINMA-PV covers only the services provided by the lead auditor. The term "mandate" covers all services provided or to be provided by the audit firm, regardless of whether they are regulatory or other audits or services. The term "regulatory consulting" within the meaning of Art. 7 para. 1 lit. a FINMA-PV basically covers all regulatory-relevant services on behalf of the organs and employees of the supervised entity, namely • the development and implementation of IT and management information systems as well as the development of measures to remedy gaps and weaknesses in existing systems,

5/6 • the development and implementation of customer-specific compliance and risk control/risk management tools, • the development of business processes, • the preparation of specification documents (e.g., directives), • coaching, • customer-specific training, • customer-specific know-how transfer, • accompanying and support services. In contrast, upstream assessments (e.g., pre-audit activities) without advisory or accompanying services are possible, provided there is full disclosure to FINMA. Such assessments do not constitute an obstacle to issuing an independent audit opinion for a defined audit area or field. The audit object must be fully developed and ready for implementation here. Generic analyses (non-institution-specific assessments) and comparative analyses (market comparisons, benchmarking of key figures), in which the audit firms merely compile facts and do not provide recommendations, are also permissible. Regulatory consulting in connection with a licensing procedure is excluded if the audit mandate is taken over after the license is granted. All services in connection with due diligence activities (buy-side and sell-side, regardless of any potential licensing requirement by FINMA), in which a supervised entity in Switzerland is involved and which are not merely the creation of factbooks or the setup of data rooms, are considered regulatory consulting and are not permissible. The audits under the Merger Act of 3 October 2003 (FusG; SR 221.301) and audits in the context of the regulatory audit under Art. 24 para. 1 lit. a FINMAG remain reserved. For the performance of services for domestic and foreign group companies that are subject to the consolidated supervision of FINMA, Rz 8–19 apply. It is not decisive whether the service is provided by the audit firm or by a company belonging to the same network. The decision as to whether regulatory consulting is permissible for a domestic or foreign group company not subject to the consolidated supervision of FINMA depends in particular on the relevance of the group company in question, for which consulting is envisaged, as well as on the nature and scope of the planned consulting. A secondment of an employee of the audit firm to the internal audit of the supervised entity is permissible, provided that the employee has no decision-making authority and the secondment does not exceed a duration of six months. Secondments of employees of the internal audit to audit firms are permissible, provided they take place once per person and are limited to a maximum of six months.

6/6 Further secondments are permitted if the secondees perform a activity that is permissible under regulatory law within the framework of a service contract and they do not hold decision-making authority. Further provision of personnel is not permissible. VIII. Information and Involvement of the SNB in the Audit of Systemically Important Financial Market Infrastructures For systemically important financial market infrastructures, the following applies: • The risk analysis must be submitted to the SNB in addition. • The SNB must be involved in the creation of the audit strategy. • The reporting must be submitted to the SNB in addition.