The 2008 financial crisis highlighted weaknesses in the risk management, control and governance processes of banks as well as in their statutory audit and financial supervision. This led to increased scrutiny of the respective roles and interactions of banking supervisors and external auditors who are key contributors to market discipline. Auditors ensure that financial information is transparent and reliable while supervisors provide confidence in the financial systems. Both supervisors and auditors allow market players to make informed decisions and contribute to financial stability.

The present Guide draws together recommendations to improve the relationship between supervisors and external auditors, illustrated by good practices from 35 supervisory authorities across Europe and Central Asia (ECA). It has been developed as a supplement to the 2015 World Bank Centre for Financial Reporting Reform (CFRR) report on Banking Supervisors and External Auditors: Building a Constructive Relationship. Its main objective is to assist banking supervisors in managing their relationships with banks' auditors and in developing their policies, which will contribute to building enhanced auditing and supervisory practices.

The Guide also takes into account the 2014 Guidance of the Basel Committee on Banking Supervision (BCBS) on External Audits of Banks and the 2016 European Banking Authority (EBA) Guidelines on the Communication between auditors and competent authorities. The CFRR's report and its work are acknowledged in the EBA guidelines.

Explore the report's key recommendations and best practices below.

Disclaimer: This webpage was created and maintained with the financial support of the European Union. Its contents are the sole responsibility of CFRR and do not necessarily reflect the views of the European Union.

Observation     Possible actions

Supervisors face capacity constraints in terms of staffing and accounting and auditing training.

Supervisors do not always have a good understanding of what an external audit consists of and how they can rely on auditors' work.


Capacity Building:

  • Providing on-going training on ISA and IFRS to staff at the supervisory authority;
  • Hiring supervisors with accounting and auditing experience.
Examples of good practices and regulation

In the UK, the Prudential Regulation Authority (PRA) provides joint regular training for supervisors on auditor-supervisor engagement, with a focus on how they might better understand the work of auditors as well as encouraging a more open and in-depth dialogue.

What is an audit?*

An external audit is a process by which an independent external auditor will obtain sufficient appropriate audit evidence to give reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. This enables the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework, and to report on the financial statements in accordance with the auditor's findings. Reasonable assurance is a high, but not absolute level of assurance. The independent opinion enhances the degree of confidence of intended users in the financial statements.


Observation     Possible actions

The majority of European supervisors can ask external auditors to perform additional tasks outside the scope of the audit. However, practices vary across ECA in terms of the scope of auditors' work, the extent of auditors' contributions to the supervisory process, and the type of assurance they provide.


Policy Actions / Working Practices:

  • Exchanging information with the external auditors on a continuous basis and establishing jointly which additional work the external auditors would be required to perform outside the scope of the statutory audit.
Examples of good practices and regulation
  • In Luxembourg, the Commission de Surveillance du Secteur Financier may set rules regarding the scope of the audit mandate, the content of the reports, and written comments of the approved external auditor.
  • In Cyprus, the Central Bank directs the external auditor's attention to certain areas of concern that are expected to be covered or analyzed in depth during the next audit.
  • In Ireland, the Central Bank (Supervision & Enforcement) Act 2013 introduced a provision for the Central Bank requesting external auditors to provide assurance over areas concerning: 1) Administrative or accounting procedures; 2) Internal control mechanisms; 3) Risk management; 4) Organizational structure; and 5) Governance of regulated financial service providers.
    Prior to 2013, Section 27E of the Central Bank Act 1997 provided the Central Bank with the ability to commission a report from the external auditor of any regulated financial service provider on: 1) The service provider's accounting records; 2) The systems (if any) that the service provider has in place to ensure that the service provider acts prudently in the interests of its members (if a company or firm) and the interests of those to whom the service provider provides financial services; 3) Any other matter in respect of which the Bank requires information about the service provider, or the service provider's activities, to enable the Central Bank to perform its function.
Observation     Possible actions

Currently, very few supervisors request a Long-Form Audit Report (LFAR) from external auditors.


Policy Actions:

  • Requiring external auditors to prepare an annual LFAR for Systemically Important Banks. This would include details of the audit methodology and its limitations and key findings on the going concern or key risks faced by the bank, and additional appropriate information (e.g. recommended remedial actions);
    The LFAR should be submitted on a timely basis to the supervisors to enable them to take appropriate action in due time. The scope and content of the LFAR should be flexible to reflect changes within the banking sector and within the bank and should be discussed between the auditors and the supervisors.

Working Practices:

  • Establishing together with auditors a list of specific financial reporting issues to be covered in the LFAR, based on the risk profile of the bank and its business model;
  • Conducting face-to-face discussions with the external auditors, the bank's management, as well as the chair of both the audit committee and the risk committee in order to gain a detailed understanding of the key findings and issues highlighted.
Examples of good practices and regulation
  • In Austria, according to the Austrian Banking Act,* external auditors of banks are obliged to audit an additional appendix (prudential report) together with the external audit of financial statements.
    Depending on the size of the credit institution, external auditors issue a reasonable or limited assurance on the effectiveness of internal controls in various areas (i.e. funds, liquidity, special risks, money laundering law and compliance rules, etc.). This appendix is not published, but submitted to the supervisor with the auditor's report within six months of the date of the financial statements. The Financial Market Authority has issued a regulation defining the form and layout of this appendix.
  • In Germany, external auditors are required to submit a Long-Form Audit Report* to the supervisory board. This report is not available to the public and is a useful tool to monitor management. This report must include the following:

General Findings

  • Comments on the general situation of the bank and going concern assessment (based on the audited records and management report);
  • Facts and significant risks that affect the future development and existence of the bank;
  • Any irregularities or violations of statutory provisions or the articles of incorporation by representatives or employees of the bank.

Basis of the External Audit

  • Subject, nature and scope of the external audit;
  • Applied Accounting and Auditing Standards;
  • Confirmation of the external auditor's independence.

Accounting Policy Decisions

  • Accounting methods, substantial bases of valuation and changes thereof;
  • Exercise of accounting and measurement options;
  • Use of discretion, estimation and judgment;
  • Structuring measures ("window dressing" transactions);
  • Any material disclosures not already in the notes.

Risk Management and Internal Control

  • In the case of listed banks: whether the executive management has implemented sufficient risk management and internal control systems.
Observation     Possible actions

External auditors do not always have the statutory duty to disclose significant findings and fraud encountered during the course of their audit (statutory duty to report).

Furthermore, not all the jurisdictions provide "safe haven" rules for auditors when reporting matters to supervisors that do not give rise to a statutory duty to report but may, nevertheless, be relevant to the supervisor's exercise of his/her functions (right to report).


Policy Actions:

  • Updating regulations to include examples of instances and events when external auditors must report bank-specific information directly to supervisors (statutory duty to report). Examples may include when external auditors detect significant findings, fraud or going concern issues during the course of the audit or when management uses significant accounting judgment which materially affects the bank's results and position;
  • Creating "safe haven" rules to allow auditors to share bank-specific information with the supervisors on matters that fall outside the scope of the duty to report if communicated in good faith, and if reasonably believed to be relevant to the supervisor in order to conduct his/her functions (right to report).
    For matters that give rise to the right to report, it is normally appropriate for the auditor to request in writing that those charged with governance in the bank bring these matters to the attention of the supervisor. If those charged with governance fail to inform the supervisor of the matters in a timely manner, the auditor shall report them directly to the supervisor;
  • Requiring access to documents supporting the audit findings regarding identified or suspected non-compliance with laws and regulations, going concern issues, key risks faced by the bank in the short-term and medium-term, and areas where judgment and assumptions are used by management. In general, supervisors should be able to access any type of audit information that they judge relevant to the supervision of the bank. Documents could include minutes of discussions held with management and those in charge of governance, audit committee minutes, audit working papers, etc.;
  • Referring to the recent guidelines proposed by the International Ethics Standards Board for Accountants (IESBA). These guidelines specify how external auditors should respond to some proven or alleged cases of non-compliance with laws and regulations (NOCLAR)*.
Examples of good practices and regulation
  • In Austria, there is a special duty to report in some cases (i.e. the credit institution will not be able to fulfill its obligations or continue as a going concern, there is a material violation of the law, etc.).
  • In the Czech Republic, the external auditor has a duty to report in writing to the Czech National Bank any facts which may indicate a breach of the legislation governing banks' activities, have a material negative impact on the economy, etc.
  • In the FYR of Macedonia, the audit firm shall immediately notify the Governor in writing if, during the audit, it discovers that a bank's solvency or liquidity is compromised and the bank operates, and/or has operated, contrary to the regulations. This requirement applies also to legal entities with which the bank has close links.
  • In Ireland, the Central Bank (Supervision & Enforcement) Act 2013 provides for limitation of liability in the reporting of certain matters by external auditors to the Central Bank.

Auditor's 'duty to report' in the EU legislation*

For the purposes of strengthening the prudential supervision of institutions and the protection of clients of institutions, auditors should have a duty to report promptly to the competent authorities, wherever, during the performance of their tasks, they become aware of certain facts which are liable to have a serious effect on the financial situation or the administrative and accounting organization of an institution. For the same reason Member States should also provide that such a duty applies in all circumstances where such facts are discovered by an auditor during the performance of his tasks in an undertaking which has close links with an institution.

Regular exchanges of information between external auditors and banking supervisors enable both parties to perform their duties effectively. A strong and fruitful two-way relationship depends on the quality of interaction between auditors and supervisors. The objective is to have "the right discussions at the right level and at the right time",* using the most appropriate channels of communication so that supervisors can engage more effectively with external auditors.

All European supervisors meet with external auditors, but meetings typically occur at a late stage, mainly after the audit work has been completed and the audit report has been issued. For most European supervisors, direct meetings with external auditors without the bank's management are the preferred option. Confidentiality remains an issue in other jurisdictions. Few jurisdictions provide "safe haven" rules for auditors when reporting matters to supervisors. Finally, very few jurisdictions have a feedback system in place to assess and monitor the quality of the relationship between supervisors and auditors.

Observation     Possible actions

Not all the supervisors use a proportionate* risk-based approach when communicating with external auditors.


Policy Actions:

  • Developing formal criteria to define Systemically Important Banks (SIBs) and set up a clear process for systematic and regular interactions and communication with their external auditors and the chairman of the audit committee (meetings with the auditors of these credit institutions should happen at least once a year).

Working Practices:

  • Engaging with external auditors to obtain sufficient information about the audit process and audit findings in a timely manner to assist the supervisory process;
  • Conducting systematic one-on-one meetings with the chairman of the audit committee of each SIB in a structured manner with a clear and relevant agenda, and clearly identified outcomes and follow-up actions.
Examples of good practices and regulation

In Belgium, the National Bank of Belgium (NBB) uses a proportionate approach when interacting with external auditors based on the risk profile of the bank, its size, and whether it is headquartered in Belgium. A set of criteria determines Systemically Important Financial Institutions (SIFI). SIFI meetings are conducted every quarter, whereas non-SIFI meetings are only conducted once per year. The NBB delegation includes more senior staff for meetings with SIFI. The NBB sends a copy of most of the communication between the NBB and the bank to the external auditor.

Observation     Possible actions

While most supervisors mentioned the ability to have ad-hoc meetings with external auditors, the communication with external auditors often takes place only after the audit opinion has been issued.


Policy Action / Working Practices:

  • Building a constructive and effective relationship with external auditors by setting up a joint framework of engagement that will include the terms and scope of communication and interaction in a systematic, frequent and timely manner.

Working Practices:

  • Meeting and exchanging information with the external auditors of a supervised bank formally, informally or on an ad-hoc basis to avoid routine meetings and focus on current and medium term risks and issues that may affect the banking sector and the bank;
    The exchange of information should be regular and flexible to discuss material and relevant risks and events during and after the audit and should take place in addition to pre-scheduled meetings among the supervisors, the bank and the external auditors. The exchange of information should be part of, and embedded in, the supervisory process rather than just an additional item on the checklist of the supervisor. It should be conducted in a structured manner, with a relevant agenda and clearly identified outcomes and follow-up actions. The supervisory authority should keep internal records of the communication to ensure its continuity regardless of staff turnover. This may include minutes of meetings, key issues discussed, conclusions and agreed next steps;
  • Meeting the audit profession at least once per year and during any phase of the audit or supervisory process.
Examples of good practices and regulation
  • In the Netherlands, trilateral* meetings have been introduced twice a year for large banks and once a year for other banks (with exceptions for small banks). The National Bank of the Netherlands also meets three times a year with the financial sector committees of the Dutch Association of Accountants (NBA), and with senior management of audit firms (Big 4) on a subsector basis (banks, insurers and pension funds). They also meet with the board of the NBA once a year to discuss matters of a strategic nature.
  • In Finland, the Financial Supervisory Authority shares information with external auditors at the planning stage of the audit because it affects the audit's planning and, in some cases, the scope of the external audit of a bank.
  • In Sweden, the Financial Supervisory Authority finds that holding discussions about risks at an early stage of the audit process improves its own risk assessment of the bank, and contributes to closer cooperation between external auditors and supervisors.
  • In Italy and FYR of Macedonia, scheduling discussions just before the issuance of the audit opinion helps auditors take supervisory findings into account when forming their audit opinion, and, in some cases, can trigger corrections. It allows supervisors to discuss or challenge auditors' key accounting treatments, assumptions and methodologies.
Observation     Possible actions

Generally, supervisors either use formal channels or an equal mix of both formal and informal channels when communicating with external auditors.

European supervisors prefer discussing some matters directly with external auditors, without the presence of the bank under supervision (i.e. bilateral meetings).


Working Practices:

Using as applicable:

  • Formal (meetings with external auditors with or without the bank under supervision, meetings with external auditors and the chair of the audit committee) and informal channels (telephone calls, emails etc.). Physical meetings between the supervisory authority and auditors should be held to facilitate open and effective communication, particularly when in-depth communication is required;*
  • Oral (meetings, calls, etc.) and written communication (official letters, exchange of a Long-Form Audit Report, etc.). Written communication should be used when greater clarity is required and/or to keep a record of the communication (i.e. changes in regulation, emerging issues, complex technical matters, audit report, auditors' communication with the bank, etc.);*
  • Ad-hoc meetings and meetings with predefined timing. Regular contact will slowly help build open cooperation based on trust;
  • Bilateral meetings and/or Trilateral meetings.* Trilateral meetings should be held in addition to any bilateral meetings and may include members of the bank's audit committee, internal auditors, experts on relevant key control functions, or members of the credit institution's management body and senior management, as necessary. Other relevant public authorities may be invited to attend (or may be informed), subject to professional secrecy conditions and if it would facilitate the exercise of supervisory tasks. Trilateral meetings are particularly useful when some clarifications or coordination are deemed necessary;*
  • The primary relationship holders, namely the audit firm partner and the supervisor team leader. Other colleagues and staff of their respective teams and/or experts may also be involved in the communication and exchange of information process at the working levels. However, in any case, both the supervisory team leader and key audit partner should be kept informed about the content of their discussions.
Examples of good practices and regulation
  • In Denmark, the Financial Supervisory Authority (FSA) receives a Long Form Audit Report from external auditors every year, while external auditors receive a copy of most of the communication between the bank and the Danish FSA.
  • European supervisors prefer discussing some matters directly with external auditors, without the presence of the bank under supervision. The presence of the bank in meetings can, however, be necessary in specific circumstances. Examples given include: the going concern ability of the bank (Financial Supervisory Authority of Finland); internal controls and measures undertaken by the bank in order to meet supervisory requirements (National Bank of the Netherlands and National Bank of the FYR of Macedonia). In addition, the National Bank of Georgia reports that trilateral meetings can be helpful for supervisors to better understand the relationship and information sharing processes between the bank and its external auditors.
    Similarly, the presence of the bank in meetings can be preferred at a specific stage of the audit process. Some supervisors stressed the importance of the bank's presence during the planning stage in order to provide both auditors and supervisors with a comprehensive update of the bank's business activities and material changes since the previous external audit (Central Bank of Ireland). Some supervisors find it important for those meetings to take place at the conclusion of the external audit to discuss major audit findings (UK Prudential Regulation Authority and Polish Financial Supervision Authority).
Observation     Possible actions

The majority of supervisors do not have a feedback system for assessing the quality of the relationship with external auditors. When a feedback process exists, it tends to be informal.


Working Practices:

  • Setting up a formal and regular feedback process within the supervisory authority which may include an anonymous survey sent to supervisors and external auditors who take part in the meetings to assess the quality of the meetings and relationships between the supervisors and the external auditors;
  • The feedback should assess the limits of the relationship and areas of improvement, such as increasing the frequency of meetings, exchanging more pertinent information and discussing more specific issues relevant to the bank.
Examples of good practices and regulation
  • In the UK,* the Prudential Regulation Authority (PRA) Board conducted an electronic survey of supervisors of the largest firms on: 1) The frequency and timing of scheduled or formal auditor-supervisor meetings; 2) The quality of those meetings; and 3) Whether the broader relationship was such that supervisors believe that auditors would contact them proactively, informally, outside scheduled meetings, to disclose emerging concerns.

To obtain the auditors' perspectives, each auditor was also asked to provide the PRA with its overall assessment of the quality of the external auditor-supervisor relationship. To help ensure that the auditors' findings were comparable with the results of the supervisors' survey, the PRA shared the list of firms covered in the survey as well as the full suite of survey questions addressed to supervisors with the auditors.

Following the survey and report on the quality of auditor-supervisor dialogue in the summer of 2014, the following actions were undertaken:

  • Discussions took place with each external auditor to emphasize the overall messages from the report;
  • Presentations were provided to partners and managers of the large external audit firms on the results of the survey and feedback from supervisors. These presentations included discussions about what the PRA expects from external auditors under the PRA Code.
  • More regular training is being provided to supervisors on the auditor-supervisor engagement, with a focus on how they might better understand the work of auditors as well as encouraging more open and in-depth dialogue.

The PRA uses biannual bilateral meetings with the senior financial services partners of the largest external audit firms to provide and receive feedback on the external auditor-supervisor engagement compared to the PRA Code. Hence the level of co-operation is kept under constant review.

Observation     Possible actions

Few supervisors discuss the audit strategy and plan with external auditors. Changes in those plans are not systematically communicated to supervisors.


Working Practices:

  • Meeting with external auditors during the planning stage to discuss specific areas within the scope (or outside the scope) of the audit which regulators would like them to focus on during the course of the audit. Supervisory authorities should prepare a list of issues for discussion and consult auditors on its appropriateness;
  • Using the audit strategy and plan as input to the supervisory work plan;
  • Discussing the audit plan and strategy specifically with external auditors of Systemically Important Banks. External auditors should share the audit plan and strategy with supervisors upon request.
Examples of good practices and regulation
  • In Belgium, the information obtained from the external audit provides input to the National Bank of Belgium's own supervisory work plan.
  • In Croatia, audit firms are required to deliver an annual audit plan for each credit institution to the Croatian National Bank, indicating the areas of focus, the audit methodology, as well as the envisaged duration of the audit.
Observation     Possible actions

Loan valuation and loan loss provisioning, the bank's asset valuation, and the effectiveness of its internal control are topics of particular interest to supervisors that can be discussed with external auditors.


Working Practices:

  • Discussing with external auditors the processes to obtain a detailed understanding of internal controls and assumptions used in the valuation process to ensure that supervisors can critically assess whether they are relevant, reliable and are being used consistently by the bank;
  • Requiring adequate independent validation and verification of the valuation framework and controlling procedures by either internal or external experts;
  • Holding discussions with external auditors to obtain a clear understanding of the impairment charges and other credit risk provisions in order to assess the charges and the provisions in a critical manner.
Examples of good practices and regulation

In France, the French prudential regulator - L'Autorité de Contrôle Prudentiel et de Résolution (ACPR) - provides a list of potential discussion topics:*

Accounting topics

  • Significant aspects of accounting practices:
      • Implementation of new accounting standards;
      • Changes in accounting practices;
      • Adequacy of information in the appendix to the financial statements.
  • Accounting estimates:
      • Review of significant accounting estimates, including those lacking objective data and involving a judgment;
      • Adequacy of the valuation process and model used with the generally accepted accounting principles;
      • Assessment of the factors likely to influence and/or guide the judgment of management and their choice between several options in the valuation process;
      • Assessment of the reasonableness of the assumptions chosen and results obtained;
      • Adequacy of information in the appendix to the financial statements.
  • Assessment of the analysis made by management and the external auditors with regards to the banks' ability to continue as a going concern;
  • Summary of audit adjustments used and not disclosed and an estimation of their materiality;
  • Documentation of internal control weaknesses identified during the financial reporting process;
  • Compliance and reliability of financial information with regard to reporting requirements, risks, and exercised judgments discussed at prior meetings.

Specific difficulties or particularities of the year, non-recurring items

  • Significant difficulties encountered during the audit;
  • Circumstances that led to a change in the audit mission plan;
  • Work carried out due to significant non-recurring and complex transactions requiring an expert opinion;
  • Significant topics that were the subject of considerable discussions with the management;
  • Likelihood of the issuance of a qualified opinion.

Audit committee

  • Key points that will be communicated to the audit committee;
  • Involvement of the audit committee in overseeing the preparation of the financial statement and its appendix, including the quality of the relationship with the external auditors.

Other possible topics of discussion

  • Information on other entities of the banking group under supervision that is available to the supervisor and communicated by other supervisory authorities;
  • Evidence that the prudential information might not be consistent with the financial statements;
  • Evidence that the valuation process of assets and liabilities of the bank under supervision might not be in line with the accounting framework and/or regulations;
  • Evidence of a failure of the control environment or flaws in the internal control process;
  • Evidence of a failure in internal audit, risk management and compliance.
Observation     Possible actions

Reconciliation between prudential capital elements and audited financial statements is often not subject to an audit. Prudential returns are often not reviewed by auditors.


Policy Actions:

  • Requiring external auditors to review the reconciliation of prudential own funds with accounting capital;
  • Requiring external auditors to review and assess banks' internal controls for preparing the prudential returns in the regulatory reporting system;
  • Requiring external auditors to report to supervisors in a timely manner when weaknesses or breaches have been identified.
Examples of good practices and regulation
  • In Poland, the external auditor must audit the solvency ratio.
  • In Serbia, prudential returns must be reviewed (not audited) by external auditors. External auditors should report any findings in the Management Letter and submit it to the National Bank of Serbia.
  • In Spain, external auditors might be asked to check the consistency of accounting figures contained in certain prudential returns with accounting registers reviewed within the scope of the audit, and in some cases include their findings in the Long-Form Audit Report.
  • In Lithuania, accounting figures under IFRS are reconciled to prudential returns using "prudential filters".
  • In Macedonia, a detailed report on the composition of own funds and risk-weighted assets calculated in compliance with the prudential regulation is required. In this detailed report, all the lines from the audited balance sheet can be identified. Since the external auditor is obliged to verify the completeness, accuracy and compliance of the bank's prudential returns as of year-end, a reconciliation is indirectly performed.

The Importance of the Management Letter*

Key features

A modern audit follows a risk-based approach, which focuses on the risks of material misstatements and how the audited entity mitigates these risks through its internal control system.

The management letter is a key output of the audit addressed to management in which the deficiencies and weaknesses in a bank's organizational structure are identified and eventual recommendations from external auditors on how to improve these internal control issues are presented. The bank's management usually provides a written response to the external auditor's remarks which is integrated into the management letter. The follow-up audit work should assess the progress made by the bank to implement the recommendations of the initial audit or fix the problems highlighted in the management letter. The management letter is often shared with supervisors and is also a key topic for discussions between external auditors and audit committees.

Importance for supervisors

The management letter details weaknesses in internal controls that could cause a material misstatement in the financial statement. Thus, this document raises important points and summarizes the key areas for the attention of banking supervisors.

Observation     Possible actions

Confidentiality rules can prevent supervisors from sharing information with external auditors, which can have negative impacts on the supervision of banks.


Policy Actions:

  • Creating "gateway" rules to allow the sharing of information with external auditors.

Working Practices:

  • This information can be bank specific, industry specific and related to current and emerging risks and should, in the supervisor's judgement, be relevant to the audit of the credit institution. The objective is to help auditors conduct a better quality audit which could, in turn, contribute to the supervisory process.
Examples of good practices and regulation

In the Netherlands, supervisors have, by law, the choice to share information with external auditors, but are not required to do so. Sometimes supervisors become aware of circumstances that can endanger "solutions" when discussed with auditors. In such cases supervisors do not share this sensitive information. If the information has or could have a direct influence on the auditor's opinion, the supervisor will share this information with external auditors.

Information that supervisors could provide to external auditors**

General accounting topics:

  • Assessments of the quality of published financial statements, the appendixes and areas identified for improvement;
  • Views on the appropriateness of accounting judgments and materiality thresholds used.


  • Views of existing and/or upcoming macro- and micro-economic risks that banks might face. These could include global systemic risks, such as liquidity and refinancing problems;
  • Other risks could include those related to the valuation of certain financial instruments or technical provisions, credit risk level on certain portfolios or the level of impairment attached to some asset classes. Views on the bank's loan loss provisioning could include, whenever possible, a comparison with other institutions on an unnamed basis;
  • Information on issues such as governance, risk management, compliance framework and internal control that have a potential impact on the quality of financial reporting and regulatory information produced by the bank. For this purpose, the supervisor might share findings derived from his/her on-site inspections;
  • Measures implemented by the supervisor to prevent or limit the consequences or generalization of an identified risk.

Regulatory and accounting developments:

  • The prudential treatment of a new type of product or operation and its eventual impact on accounting;
  • Views on the interactions of new regulatory requirements with financial reporting practices and requirements;
  • Information on potential issues identified and related to the application of new accounting standards or reporting practices. For example, the eventual impact of the accounting treatment of a new type of financial instrument or financial transaction as well as the impact of the new standard on regulatory requirements;
  • Significant disagreements on the application of a new accounting, regulatory or prudential standard by the bank under supervision;
  • Information on the progress of prudential regulation projects and the perspective of supervisors on accounting regulation projects.


  • Correspondence between the supervisor and the bank's management, including certain instructions and minutes of meetings;
  • Any intervention from the supervisor;
  • Feedback on publications from the accounting profession;
  • In general, all items that could have a material impact on banks' financial statements.
Observation     Possible actions

Most European supervisors have some form of oversight responsibility over the appointment of external auditors (i.e. the right to pre-select, approve/remove or to commission an independent audit). However, supervisors' responsibilities vary on a country-by-country basis.


Policy Actions:

  • Setting up a principles-based framework in line with international best practices for the selection, appointment and removal of external auditors.

Working Practices:

  • Monitoring the selection and appointment of external auditors to ensure it is fair, objective, transparent, independent of the bank's management, and well documented;
  • Encouraging the appointment of external auditors who are able and willing to develop good working relationships and dialogue with supervisors.
Examples of good practices and regulation
  • In France, there is a mandatory joint audit for companies that prepare consolidated financial statements. A joint audit is the audit of a company by two or more audit firms. Only one auditor's report is produced. The responsibility for issuing an audit is shared by all joint auditors, and work is allocated between audit firms, with each audit firm reviewing the work performed by the other. Selecting two audit firms provides further assurance that the audit opinion is complete (i.e. increasing the number of cross checks between audit firms improves audit quality). Staggered appointment terms facilitate a smooth rotation of audit firms (i.e. knowledge and understanding of the bank's operations are retained while the risk of over familiarity is mitigated). Audit firms should also have more leverage to jointly report inappropriate financial reporting practices by bank management.
  • In Austria, supervisors have the right to object to the appointment of external auditors. For example, over the last five years, supervisors have objected to the appointment of four external auditors (one because they breached the internal rotation rule, the others because they did not perform audits with the care required).
  • In Denmark, external auditors of banks are obliged to be certified by the Danish Financial Supervisory Authority (FSA). According to certification requirements, external auditors should, inter alia:
      1. Demonstrate that they have performed at least 1,500 chargeable hours auditing financial institutions, financial holding companies, pension funds or alternative investment funds within the past five years. Of these chargeable hours, 1,000 must include audit services to at least three banks. All of these hours should be realized after being authorized as a state public accountant and 50 percent of them as a signing auditor or audit team manager;
      2. Document that they fulfill applicable training requirements for auditors of banks;
      3. Not have had a case with the Danish Disciplinary Board on Auditors (DDBA) within the last five years;
      4. Not have been subject to criminal liability for violating financial legislation or other relevant legislation, including legislation abroad. The Danish FSA considers whether the offense involves a risk that the external auditor might be unable to fulfill his/her duties or role in a satisfactory manner;
      5. Not have displayed or engaged in conduct which gives the FSA reason to believe that the external auditor will not carry out his/her function or position adequately. In judging the appropriateness of the behavior, emphasis is placed on the FSA's objective to maintain confidence in the financial sector.
  • In Moldova, external auditors shall pass qualification exams on general audit at the Ministry of Finance and on banks' specific audit at the National Bank. During these exams and interviews, the National Bank has the opportunity to assess the external auditors' knowledge, experience and qualifications.
  • In the Czech Republic, the supervisors suggested using ad hoc meetings as part of the auditor assessment process.
Observation     Possible actions

Results show that mandatory audit firm rotations are scarce while the majority of supervisors currently enforce compulsory key audit partner rotations.

In most jurisdictions, the same external auditor can be reappointed without going through a mandatory tender process.


Policy Actions:

  • Setting up a framework for the rotation of external auditors in line with international best practices to ensure independence and avoid a conflict of interest. According to the Basel Committee on Banking Supervision's Core Principles for Effective Banking Supervision, the supervisor determines whether banks rotate their external auditors (either the firm or individuals within the firm) from time to time;
  • Requiring that the appropriate criteria have been used to select the key audit partner by the relevant parties;
  • Ensuring that there is a clear policy for retendering and clear, well-documented criteria for selection, as well as transparency regarding the reappointment of external auditors.

Working Practices:

  • Continuously monitoring audit quality especially during transition periods;
  • Reviewing the retendering process on a regular basis.
Examples of good practices and regulation

EU audit reform legislation – Requirements for rotation and retendering*

Audit firm rotation and audit retendering

From June 2016 onwards, Public Interest Entities (PIEs) are required to change their audit firms after a maximum 10-year mandate. The 10-year mandate can be extended by up to 10 additional years if tenders are carried out, and by up to 14 additional years in the case of a joint audit. In some exceptional circumstances, supervisors are empowered to extend the term once for a further two years at the request of the audited entity. There is the possibility to adopt a shorter rotation term.

Rotation of key audit partners

EU legislation requires the key audit partners of PIEs to rotate at least every seven years with a cooling off period of three years.

Extract from the Basel Core Principles (BCP) for Effective Banking Supervision - Principle 27 on financial reporting and external audit*

A snapshot of some essential criteria:

  • The supervisor holds the bank's board and management responsible for ensuring that financial statements are prepared in accordance with accounting policies and practices that are widely accepted internationally. Furthermore, the financial statements should be supported by recordkeeping systems in order to produce adequate and reliable data;
  • The supervisor holds the bank's board and management responsible for ensuring that the financial statements issued annually to the public bear an independent external auditor's opinion. This will be the result of an audit conducted in accordance with internationally accepted auditing practices and standards;
  • The supervisor has the power to reject and rescind the appointment of an external auditor who is deemed to have inadequate expertise or independence, or is not subject to, or does not adhere to, established professional standards;
  • The supervisor determines whether banks rotate their external auditors (either the firm or individuals within the firm) from time to time.
Observation     Possible actions

Although most supervisors have communication lines with AOBs, the frequency of meetings and communication with AOBs varies by jurisdiction.

In many jurisdictions, the professional organization for auditors is responsible for quality assurance.

In the EU, a single competent authority will be designated to bear ultimate responsibility for the audit public oversight system (mandatory from 2016).


Policy Actions:

  • Signing a Memorandum of Understanding (MoU) between the AOB and the supervisory authority. This document would detail circumstances in which supervisors would communicate directly with the AOB on topics related to public oversight, registration, inspections and investigations of external auditors of banks;
  • Setting up provisions for a clear mandate for supervisors to meet the AOB on a regular and systematic basis to discuss auditing issues in a constructive and critical manner. This should not prevent ad-hoc meetings.

Capacity Building:

  • Promoting and contributing to the implementation of the appropriate tools, methodologies and skills for public oversight and quality assurance agencies in the respective jurisdiction. This includes on-going training and knowledge requirements in IFRS and ISA, as applicable, and providing information on the supervisory process.
Examples of good practices and regulation

In the Czech Republic, the audit quality assurance system shall:

  1. be independent of the controlled statutory auditors and audit firms;
  2. be subjected to public oversight;
  3. have safe financing and shall not be negatively affected by the auditors;
  4. be executed by a natural person who is independent of the controlled auditors and who has sufficient professional education and experience in the area of statutory audits and accounting reporting and who has passed specialized training for such purposes as determined by the Chamber; and
  5. be performed at least once in three years for the auditors of banks.
Observation     Possible actions

The role and responsibilities, as well as the capacity, of audit committees vary in the ECA region. In a few jurisdictions, audit committees are not mandatory for banks.


Policy Actions:

  • Requiring banks to have an audit committee, and ensuring that most members are independent of the audited entity and have the appropriate skills.

Capacity Building:

  • Promoting and contributing to the development of a Corporate Governance guide which sets out the role and responsibilities of audit committees.

Working Practices:

  • Meeting with chairs of audit committees of Systemically Important Banks;
  • Discussing relevant experience with the audit committee regarding interaction with external auditors in the context of the supervision of the bank.
Examples of good practices and regulation

  • In the FYR of Macedonia, according to the Banking Law, banks must establish an audit committee with the following criteria:
      • The number of members must be at least five, but no more than nine;
      • The majority of audit committee members should be members of the Supervisory Board, while the rest should be independent from the bank; and
      • At least one member should be a licensed auditor.
  • In jurisdictions including Austria, Slovenia and Moldova, audit committees monitor the effectiveness of the risk management process, internal audit and internal control functions, and review the accounting procedures of the bank.
  • In Spain, the minutes of the Audit Committee are reviewed during the supervisory process. Communication on audit issues is channeled through the internal audit director.
  • In the UK, the Prudential Regulation Authority (PRA) engages with both audit committees and the AOB.*
    Given audit committee responsibilities — which include monitoring the integrity of financial statements and assessing the independence, objectivity and effectiveness of the auditor — the PRA regularly meets the chairs of audit committees of the largest banks in roundtable meetings (currently three times a year). The aim of the meetings is to share observations and expectations on topical accounting and auditing issues as covered in the biannual bilateral meetings with auditors. In addition, the PRA also meets the individual chairs in trilaterals with auditors and as part of the ongoing supervision process. The PRA does not set or monitor the implementation of auditing standards but instead engages closely on auditing matters with the body that has these responsibilities, namely the Financial Reporting Council (FRC). The PRA and the FRC already have a Memorandum of Understanding (MoU), which generally outlines the way that regulators cooperate. Under this MoU, the PRA gives input to the FRC's Audit Quality Review Team (AQRT) in relation to the team's identification of which audits to inspect. The PRA also engages with the AQRT on matters of thematic interest. In relation to each audit inspected, the FRC AQRT provides private written reports to the auditors, the chair of the audit committee and to the PRA when it relates to a PRA authorized firm. If the audit inspection indicates significant deficiencies in the audit of the firm, the PRA seeks to ensure that improvements are underway and deficiencies are being addressed.

Banking Supervisors and External Auditors: Building a Constructive Relationship - GUIDE

This publication presents key findings from the World Bank CFRR survey – Financial supervisors and external auditors: building a constructive relationship that was conducted during the second half of 2014, and discussions with regulators conducted in 2015.

Responses from 35 supervisory authorities from the European Union and other countries in Eastern Europe, South Eastern Europe and the South Caucasus suggest that stronger two-way interaction between external auditors and supervisors can improve the quality of external audits and enhance banking supervision. This report highlights some actionable insights based on reported good practices that can be helpful to banking supervisors in managing their relationships with banks’ auditors. The report can be used to define the necessary policies and guidelines towards building an enhanced collaboration between auditors and supervisors, contributing to better auditing and supervisory practices.

Banking Supervisors and External Auditors: Building a Constructive Relationship