Article (3): External Audit

C 162/2018 STA

1. The external audit in Banks must be fully compliant with the provisions laid down in the Central Bank Law. Where more than one External Auditor is appointed, the External Auditors must distribute duties amongst themselves and issue a common external audit opinion.

2. The Board audit committee must approve a policy for the tendering of the audit engagement. This must include requirements for knowledge and competence, objectivity, independence, professional skepticism and quality control. The Board audit committee must review and agree to the terms of the engagement prior to the signing of the written contract. Where relevant, the Board audit committee must ensure that the work plan of the engagement has been updated to reflect changes in the size, business mix or complexity of the Bank or in the instructions of the Central Bank.

3. The Bank must carry out a procurement procedure to select the external audit firm at least once every 6 years, which coincides with the period of the rotation of the firm. Following rotation, a cooling off period of 3 years must be observed before the same firm may be re-selected. In addition, the Bank must rotate the external audit partner in charge of the audit every 3 years.

4. The Board audit committee must assess the overall quality of the External Auditor at least annually. The External Auditor must provide the Board audit committee on an annual basis with a report on the audit firm’s internal quality control procedures, including the audit firm’s engagement quality control process, and any significant matters of concern arising from these procedures.

5. In monitoring and assessing the work of the External Auditor, the Board audit committee must obtain an understanding of the auditor’s view on any significant matters arising during the audit, including both those subsequently resolved and those that remain outstanding. The Board audit committee must review with the External Auditor the statements provided by the Board and Senior Management in the representation letter to the External Auditor, considering whether, based on the knowledge of the members of the Board audit committee, the information provided for each item is complete and appropriate.

6. Following completion of the fieldwork for the audit, and prior to issuance of the audit opinion, the Board audit committee must consider whether the External Auditor followed the audit plan and understand any reasons for changes in the plan. The Board audit committee must obtain feedback from Senior Management on the conduct of the audit. The Board audit committee’s assessment of the effectiveness of the external audit process must be reported to the Board for discussion of findings and any recommendations.

7. The Board audit committee must have the right and authority to meet regularly – in the absence of Senior Management – with the External Auditor to understand and discuss all issues that may have arisen between the External Auditor and Senior Management in the course of the external audit and how these issues have been resolved. These meetings must also address any other matters that the External Auditor believes the Board audit committee should be aware of in order to exercise its responsibilities.

8. The Board audit committee must discuss with the External Auditor any matters arising from the audit that may have an impact on regulatory capital or regulatory disclosures. This may include, but is not limited to, the discussion of accounting impairment charges versus regulatory expected losses and the consistency of the Bank’s prudential information, including the Pillar 3 reporting, with its annual report.

9. The External Auditor must provide the Board audit committee with timely observations arising from the audit that are relevant to the committee’s oversight responsibility for the financial reporting process. These include, but are not limited to:

  a. Significant difficulties encountered during the audit;
  b. Key areas of significant risk of material misstatement in the financial statements, in particular areas of estimates or measurement uncertainty such as loan loss provisioning and consequential effects on earnings, capital and other regulatory ratios;
  c. Areas of significant management judgement;
  d. The extent of requests made by the Group auditor to another audit firm or member firms with respect to performance of a Group audit;
  e. The use of external experts to assist with the audit;
  f. The External Auditor’s approach to internal control and significant internal control deficiencies noted;
  g. The extent to which the External Auditor has used the work of the internal audit function;
  h. Matters relating to accountability, including significant decisions or actions by Senior Management that lack appropriate authorization;
  i. Significant qualitative aspects of financial statement disclosures; and
  j. Feedback on the External Auditor’s relationship with Senior Management.

10. The Board audit committee must approve a policy governing the provision of non-audit services by the External Auditor. This policy must specify the types of non-audit services the External Auditor may provide, or is prohibited from providing, and establish a requirement for approval of any such arrangement by the Board audit committee or by an appropriate level of Senior Management in accordance with authority delegated by the Board audit committee.

11. The prohibited non-audit services are listed below; they must include further any prohibited services under Article (20) of Federal Law no. 12 of 2014 concerning Auditing Profession as well as under the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which are not specifically listed below:

  a. Bookkeeping and preparing accounting records and financial statements;
  b. Designing and implementing internal control or risk management procedures related to the preparation and/or control of financial information or designing and implementing financial information technology systems;
  c. services related to the Bank’s internal audit function;
  d. valuation services, including valuations performed in connection with actuarial services or litigation support services;
  e. human resources services, with respect to:
    i. management in a position to exert significant influence over the preparation of the accounting records or financial statements which are the subject of the external audit, where such services involve searching for or seeking out candidates for such position or undertaking reference checks of candidates for such positions;
    ii. structuring the organisation design; and
    iii. cost control;
  f. brokerage services in securities services or works;
  g. services linked to the financing, capital structure and allocation, and investment strategy of the Bank, except providing assurance services in relation to the financial statements, such as the issuing of comfort letters in connection with prospectuses issued by the Bank;
  h. promoting, dealing in, or underwriting shares in the Bank;
  i. legal services, with respect to:
    i. the provision of general counsel;
    ii. negotiating on behalf of the Bank; and
    iii. acting in an advocacy role in the resolution of litigation;
  j. services that involve playing any part in the management or decision-making of the Bank; and
  k. tax services and provision of tax advice.

12. Where non-audit services are provided by the External Auditor, the Board audit committee must monitor the provision of such services to ensure that their performance does not impair the External Auditor’s objectivity and independence. This must take into consideration various factors including the skills and experience of the External Auditor, safeguards in place to mitigate any threat to objectivity and independence, and the nature of and arrangements for non-audit fees. The Bank’s annual report must explain to shareholders the nature of and the fee arrangements for the non-audit services received, and how the External Auditor’s independence is safeguarded.

13. The External Auditor must meet the following expectations:

  a. have banking industry knowledge and competence sufficient to respond appropriately to the risks of material misstatement in the Bank’s financial statements and to properly meet any additional regulatory requirements that may be part of the external audit;
  b. be objective and independent in both fact and appearance with respect to the Bank;
  c. exercise professional skepticism when planning and performing the audit of Banks, having due regard to the specific challenges in auditing a Bank;
  d. comply with the applicable standards on quality control;
  e. identify and assess the risks of material misstatement in the Bank’s financial statements, taking into consideration the complexities of the Bank’s activities and the effectiveness of its internal control environment; and
  f. have professional indemnity insurance in the UAE.

14. The External Auditor must furnish the Board audit committee at least annually with information about the firm’s policies and processes for maintaining independence and monitoring compliance with independence requirements. This includes, but is not limited to, assurance that the audit engagement team members have no personal, family, business, financial or other relationships with the Bank which could adversely affect the External Auditor’s actual or perceived independence and objectivity.

15. The External Auditor may not purchase the securities of the Bank whose accounts are audited by them or sell such securities directly or indirectly or provide any consultancies to any person in connection with such securities during the blackout period.

16. The External Auditor may not serve on the Board or hold a position in Senior Management before two years have lapsed from the time of involvement in the Bank’s audit.

17. The External Auditor’s terms of engagement must be established in a written contract which, at a minimum, provides that:

  a. The External Auditor must meet with the Central Bank as deemed necessary for supervisory purposes. The Central Bank will determine whether the Bank will participate in such meetings;
  b. The External Auditor bears no duty of confidentiality to the Bank with respect to any notification to or meeting with the Central Bank required by this Regulation, or the provision of any document or information required to be submitted to, or requested by, the Central Bank for supervisory purposes; and
  c. The External Auditor must provide, upon request by the Central Bank, access to working papers and other documents that support conclusions made in the audit opinion.