Annual Report 2017 - Federal Audit Oversight Authority FAOA

28 Regulatory Audit | FAOA 2017

– Improving and adjusting training concepts;
– Updating work tools, audit programmes and checklists.

Monitoring of training and audit hours

To retain a licence the regulatory auditor-in-charge must meet audit and training hourly requirements. While training hours must be completed annually, a four year period applies to auditing hours. Under the transitional provisions of the AOO (Art. 51a, para 2 AOO) the required auditing hours had to be met as from 1 January 2017, that is, for the period from 1 January 2013 to 31 December 2016.

Regulatory audit firms could choose to confirm the compliance of their regulatory auditors-in-charge themselves. Alternatively, each regulatory auditor-in-charge could confirm compliance personally using appropriate evidence. In the first case, a sample of the hours confirmed is checked by the FAOA during its inspections. The personal confirmations of regulatory auditors-in-charge are checked by the FAOA on an ongoing basis.

The required training and audit hours could be verified with few exceptions. In isolated cases training hours did not meet AOO requirements. Deficiencies were noted particularly in the separate recording of regulatory audit hours. Irrespective of size, some audit firms did not record regulatory and financial audit hours separately. They calculated regulatory audit hours retrospectively using unverifiable ratios. With this approach it is unclear whether the regulatory audit hours were actually spent in regulatory audit.

If a regulatory auditor-in-charge determines that he no longer meets the minimum number of training or auditing hours at the reporting date, he may no longer work as regulatory auditor-in-charge on an engagement in the relevant oversight category. The regulatory audit firm must also ensure, as part of quality assurance, that such an individual is no longer deployed on an engagement as regulatory auditor-in-charge.
The following table shows the minimum licensing and licence renewal requirements per category.

Figure 15
Licensing requirements for regulatory auditors-in-charge

| Licences | One time: Professional experience (audit services in CH or abroad, if equivalent) | One time: Regulatory audit hours (in relevant licence area) | One time: Training (in year before licence application and in relevant licence area) | Periodical: Regulatory audit hours (in last 4 years and in relevant licence area) | Periodical: Training (per year and in relevant licence area) |
| Banks, stock exchanges, securities traders, central mortgage bond institutions | 8 years | 1,500 hours | 24 hours | 400 hours | 24 hours |
| Insurers | 8 years | 400 hours | 16 hours | 100 hours | 16 hours |
| Fund managers, investment funds, etc. (CISA) | 8 years | 800 hours | 16 hours | 100 hours | 16 hours |
| Financial intermediaries (DSFI) | 5 years | 200 hours | 4 hours | 100 hours | 4 hours |

Various regulatory auditors-in-charge gave up their licences voluntarily during the year. This related particularly to the CISA and DSFI categories. In one case an audit licence under financial market law had to be withdrawn from a regulatory auditor-in-charge as he did not meet the required annual training hours.

Cooperation with FINMA

The regular exchange between the FAOA and FINMA is based on legal foundations (Art. 28 FINMAG and Art. 22 AOA). The exchange takes place at all seniority levels as part of the file reviews of those supervised by FINMA. The risk-based selection of file review focus areas requires a continuous exchange of information between the FAOA and FINMA.

The FAOA informs FINMA of the results of the firm and file reviews by providing a copy of the final inspection report, as well as the comment forms and other reportable findings relating to the regulatory and financial audits of those supervised by FINMA. The FAOA is thereby transparent towards FINMA and supports it in carrying out its supervisory activities.

Points of focus for 2018 inspections

The FAOA has selected the following points of focus for 2018 in the regulatory audit area:

– Quality and extent of regulatory audit internal monitoring.
– Audit of compliance with AMLA requirements, particularly business relationships and high risk transactions and the identification of PEP, as well as the application of AMLA, AMLO, AMLO-FINMA and CDB16.
– Application of current and applicable FINMA audit programmes (inspection points and minimum audit procedures).