Financial Reporting and External Audit Standards
C 162/2018 STA
Introduction
1. These Standards form part of the Financial Reporting and External Audit Regulation. All Banks must comply with these Standards, which expand on the Regulation. These Standards are mandatory and enforceable in the same manner as the Regulation.
2. The Board is in the ultimate control of the Bank and accordingly ultimately responsible for the Bank’s approach to financial reporting and external audit. There is no one-size-fits-all or single best solution. Accordingly, each Bank could meet the minimum requirements of the Regulation and Standards in a different way and thus may adopt an organizational framework appropriate to the risk profile, nature, size and complexity of its business and structure. The onus is on the Board to demonstrate that it has implemented a comprehensive approach to financial reporting and external audit. Banks are encouraged to adopt leading practices that exceed the minimum requirements of the Regulation and Standards.1
3. The Standards follow the structure of the Regulation, with each article corresponding to the specific article in the Regulation.
1 The Central Bank will apply the principle of proportionality in the enforcement of the Regulation and Standards, whereby smaller Banks may demonstrate to the Central Bank that the objectives are met without necessarily addressing all of the specifics cited in the Standards.
Article (1): Definitions
1. Affiliate: An entity owned by another entity by more than 25% and less than 50% of its capital.
2. Bank: A financial entity, which is authorized by the Central Bank to accept deposits as a bank.
3. Board: The Bank’s board of directors.
4. Central Bank: The Central Bank of the United Arab Emirates.
5. Central Bank Law: Union Law No (10) of 1980 concerning the Central Bank, the Monetary System and Organization of Banking as amended or replaced from time to time.
6. Controlling Shareholder: A shareholder who has the ability to directly or indirectly influence or control the appointment of the majority of the board of directors, or the decisions made by the board or by the general assembly of the entity, through the ownership of a percentage of the shares or stocks or under an agreement or other arrangement providing for such influence.
7. External Auditor: The audit firm and the individual audit engagement team members conducting the audit. Where relevant, specific references are made to the audit firm only in certain paragraphs.
8. Group: A group of entities which includes an entity (the ‘first entity’) and:
- a. any Controlling Shareholder of the first entity;
- b. any Subsidiary of the first entity or of any Controlling Shareholder of the first entity; and
- c. any Affiliate.
9. Internal Control: Consists of five interrelated elements, whose effective functioning is essential to achieving a Bank’s performance, information, and compliance objectives:
- a. management oversight and the control culture;
- b. risk recognition and assessment;
- c. control activities and segregation of duties;
- d. information and communication; and
- e. monitoring activities and correcting deficiencies.
10. Islamic Financial Services: Shari’a compliant financial services offered by Islamic Banks and Conventional Banks offering Islamic banking products (Islamic Windows).
11. Pillar 3: Pillar 3 disclosure requirements – consolidated and enhanced framework issued by the Basel Committee on Banking Supervision in March 2017 and any subsequent revisions.
12. Risk governance framework: As part of the overall approach to corporate governance, the framework through which the Board and management establish and make decisions about the Bank’s strategy and risk approach; articulate and monitor adherence to the risk appetite and risk limits relative to the Bank’s strategy; and identify, measure, manage and control risks.
13. Senior Management: The executive management of the Bank responsible and accountable to the Board for the sound and prudent day-to-day management of the Bank, generally including, but not limited to, the chief executive officer, chief financial officer, chief risk officer, and heads of the compliance and internal audit functions.
14. Subsidiary: An entity, owned by another entity by more than 50% of its capital, or is under full control of that entity regarding the appointment of the board of directors.
Article (2): Financial Reporting
1. The Board is responsible for ensuring that the risk governance framework of the Bank, and if applicable, Group, provides for appropriate oversight of financial reporting and external audit. The framework must, at a minimum, provide for:
- a. Documentation in an appropriate mandate or terms of reference of the role and responsibility of the Board audit committee, including with respect to financial reporting; and
- b. Board-approved policies, procedures, systems, internal controls and independent assurance by the internal and/or external audit functions of the Bank on the preparation of financial statements and prudential reporting to the Central Bank.
2. Banks must prepare their financial statements in accordance with the International Financial Reporting Standards (IFRS) and the instructions of the Central Bank. Such instructions may include, but are not limited to, the submission and publication of financial statements, classification and provisioning of financial items or guidance on the application of specific IFRS in the UAE banking sector.
3. The Board’s responsibilities for governance structures applicable to all financial instruments measured at fair value must include:
- a. Reviewing and approving written policies related to fair valuations;
- b. Ongoing review of significant valuation model performance for issues escalated for resolution and all significant changes to valuation policies;
- c. Ensuring adequate resources are devoted to the valuation process;
- d. Articulating the Bank’s tolerance for exposures subject to valuation uncertainty and monitoring compliance with the Board’s overall policy settings at an aggregate Bank-wide level;
- e. Ensuring independence in the valuation process between risk taking and control units;
- f. Ensuring the appropriate internal and external audit coverage of fair valuations and related processes and controls;
- g. Ensuring the consistent application of accounting and disclosures; and
- h. Ensuring the identification of significant differences, if any, between accounting and risk management measurements, and that these are well documented and monitored.
Article (3): External Audit
1. The external audit in Banks must be fully compliant with the provisions laid down in the Central Bank Law. Where more than one External Auditor is appointed, the External Auditors must distribute duties amongst themselves and issue a common external audit opinion.
2. The Board audit committee must approve a policy for the tendering of the audit engagement. This must include requirements for knowledge and competence, objectivity, independence, professional skepticism and quality control. The Board audit committee must review and agree to the terms of the engagement prior to the signing of the written contract. Where relevant, the Board audit committee must ensure that the work plan of the engagement has been updated to reflect changes in the size, business mix or complexity of the Bank or in the instructions of the Central Bank.
3. The Bank must carry out a procurement procedure to select the external audit firm at least once every 6 years, which coincides with the period of the rotation of the firm. Following rotation, a cooling off period of 3 years must be observed before the same firm may be re-selected. In addition, the Bank must rotate the external audit partner in charge of the audit every 3 years.
4. The Board audit committee must assess the overall quality of the External Auditor at least annually. The External Auditor must provide the Board audit committee on an annual basis with a report on the audit firm’s internal quality control procedures, including the audit firm’s engagement quality control process, and any significant matters of concern arising from these procedures.
5. In monitoring and assessing the work of the External Auditor, the Board audit committee must obtain an understanding of the auditor’s view on any significant matters arising during the audit, including both those subsequently resolved and those that remain outstanding. The Board audit committee must review with the External Auditor the statements provided by the Board and Senior Management in the representation letter to the External Auditor, considering whether, based on the knowledge of the members of the Board audit committee, the information provided for each item is complete and appropriate.
6. Following completion of the fieldwork for the audit, and prior to issuance of the audit opinion, the Board audit committee must consider whether the External Auditor followed the audit plan and understand any reasons for changes in the plan. The Board audit committee must obtain feedback from Senior Management on the conduct of the audit. The Board audit committee’s assessment of the effectiveness of the external audit process must be reported to the Board for discussion of findings and any recommendations.
7. The Board audit committee must have the right and authority to meet regularly – in the absence of Senior Management – with the External Auditor to understand and discuss all issues that may have arisen between the External Auditor and Senior Management in the course of the external audit and how these issues have been resolved. These meetings must also address any other matters that the External Auditor believes the Board audit committee should be aware of in order to exercise its responsibilities.
8. The Board audit committee must discuss with the External Auditor any matters arising from the audit that may have an impact on regulatory capital or regulatory disclosures. This may include, but is not limited to, the discussion of accounting impairment charges versus regulatory expected losses and the consistency of the Bank’s prudential information, including the Pillar 3 reporting, with its annual report.
9. The External Auditor must provide the Board audit committee with timely observations arising from the audit that are relevant to the committee’s oversight responsibility for the financial reporting process. These include, but are not limited to:
- a. Significant difficulties encountered during the audit;
- b. Key areas of significant risk of material misstatement in the financial statements, in particular areas of estimates or measurement uncertainty such as loan loss provisioning and consequential effects on earnings, capital and other regulatory ratios;
- c. Areas of significant management judgement;
- d. The extent of requests made by the Group auditor to another audit firm or member firms with respect to performance of a Group audit;
- e. The use of external experts to assist with the audit;
- f. The External Auditor’s approach to internal control and significant internal control deficiencies noted;
- g. The extent to which the External Auditor has used the work of the internal audit function;
- h. Matters relating to accountability, including significant decisions or actions by Senior Management that lack appropriate authorization;
- i. Significant qualitative aspects of financial statement disclosures; and
- j. Feedback on the External Auditor’s relationship with Senior Management.
10. The Board audit committee must approve a policy governing the provision of non-audit services by the External Auditor. This policy must specify the types of non-audit services the External Auditor may provide, or is prohibited from providing, and establish a requirement for approval of any such arrangement by the Board audit committee or by an appropriate level of Senior Management in accordance with authority delegated by the Board audit committee.
11. The prohibited non-audit services are listed below; they must include further any prohibited services under Article (20) of Federal Law no. 12 of 2014 concerning Auditing Profession as well as under the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants, which are not specifically listed below:
- a. Bookkeeping and preparing accounting records and financial statements;
- b. Designing and implementing internal control or risk management procedures related to the preparation and/or control of financial information or designing and implementing financial information technology systems;
- c. services related to the Bank’s internal audit function;
- d. valuation services, including valuations performed in connection with actuarial services or litigation support services;
- e. human resources services, with respect to:
  - i. management in a position to exert significant influence over the preparation of the accounting records or financial statements which are the subject of the external audit, where such services involve searching for or seeking out candidates for such position or undertaking reference checks of candidates for such positions;
  - ii. structuring the organisation design; and
  - iii. cost control;
- f. brokerage services in securities services or works;
- g. services linked to the financing, capital structure and allocation, and investment strategy of the Bank, except providing assurance services in relation to the financial statements, such as the issuing of comfort letters in connection with prospectuses issued by the Bank;
- h. promoting, dealing in, or underwriting shares in the Bank;
- i. legal services, with respect to:
  - i. the provision of general counsel;
  - ii. negotiating on behalf of the Bank; and
  - iii. acting in an advocacy role in the resolution of litigation;
- j. services that involve playing any part in the management or decision-making of the Bank; and
- k. tax services and provision of tax advice.
12. Where non-audit services are provided by the External Auditor, the Board audit committee must monitor the provision of such services to ensure that their performance does not impair the External Auditor’s objectivity and independence. This must take into consideration various factors including the skills and experience of the External Auditor, safeguards in place to mitigate any threat to objectivity and independence, and the nature of and arrangements for non-audit fees. The Bank’s annual report must explain to shareholders the nature of and the fee arrangements for the non-audit services received, and how the External Auditor’s independence is safeguarded.
13. The External Auditor must meet the following expectations:
- a. have banking industry knowledge and competence sufficient to respond appropriately to the risks of material misstatement in the Bank’s financial statements and to properly meet any additional regulatory requirements that may be part of the external audit;
- b. be objective and independent in both fact and appearance with respect to the Bank;
- c. exercise professional skepticism when planning and performing the audit of Banks, having due regard to the specific challenges in auditing a Bank;
- d. comply with the applicable standards on quality control;
- e. identify and assess the risks of material misstatement in the Bank’s financial statements, taking into consideration the complexities of the Bank’s activities and the effectiveness of its internal control environment; and
- f. have professional indemnity insurance in the UAE.
14. The External Auditor must furnish the Board audit committee at least annually with information about the firm’s policies and processes for maintaining independence and monitoring compliance with independence requirements. This includes, but is not limited to, assurance that the audit engagement team members have no personal, family, business, financial or other relationships with the Bank which could adversely affect the External Auditor’s actual or perceived independence and objectivity.
15. The External Auditor may not purchase the securities of the Bank whose accounts are audited by them or sell such securities directly or indirectly or provide any consultancies to any person in connection with such securities during the blackout period.
16. The External Auditor may not serve on the Board or hold a position in Senior Management before two years have lapsed from the time of involvement in the Bank’s audit.
17. The External Auditor’s terms of engagement must be established in a written contract which, at a minimum, provides that:
- a. The External Auditor must meet with the Central Bank as deemed necessary for supervisory purposes. The Central Bank will determine whether the Bank will participate in such meetings;
- b. The External Auditor bears no duty of confidentiality to the Bank with respect to any notification to or meeting with the Central Bank required by this Regulation, or the provision of any document or information required to be submitted to, or requested by, the Central Bank for supervisory purposes; and
- c. The External Auditor must provide, upon request by the Central Bank, access to working papers and other documents that support conclusions made in the audit opinion.
Article (4): Duty to Report to the Central Bank
1. The contract between the Bank and its External Auditor must specifically include all the requirements of Article 4 of the Regulation with regard to its duty to report to the Central Bank.
Article (5): Islamic Banking
1. The terms of the engagement of the External Auditor of Banks offering Islamic Financial Services must ensure adequate coverage of the financing portfolio, financing loss provisions, non-performing assets, asset valuations, trading and other securities transactions, Shari’a-compliant hedging instruments, asset securitizations, consolidation of and other involvement with off-balance sheet vehicles and the adequacy of internal controls over financial reporting.