Circular 13/3 Auditing Information on auditing matters including aspects which are incompatible with audit mandates, Internal Audit and the special aspects to take into consideration when auditing banks, securities dealers, institutions under CISA, insurance companies and DSFIs


FINANCIAL SERVICES

1 Table of Contents

I. Title page

II. Circular 2013/3

III. Annexes not included

2 Other Languages

DE: FINMA-RS 13/3 Prüfwesen 18.11.2016

FR: Circ. FINMA 13/3 Activités d’audit 18.11.2016

Unofficial translation issued in February 2017


Reference: FINMA circ. 13/3 "Auditing"

Issued: 6 December 2012

Entry into force: 1 January 2013

Last amendment: 18 November 2016 [amendments are denoted with an * and are listed at the end of document]

Concordance: Previously: FINMA circ. 08/41 "Auditing"

Legal bases: FINMASA Article 7(1)(b), 24, 25, 27, 28a, 29; BA Article 18; SESTA Articles 15(4), 17; CISA Articles 52, 107, 118, 126, 130; ISA Articles 28, 30, 70, 78; FINMA-AO Articles 1-14; CISO-FINMA Articles 110, 112, 113, 114, 116; AMLA Article 19a; MBoA Article 38a(1); FMIA Articles 83, 84(1) and (3), 116(2), 117(1)


Addressees

X X X X X X X X X X X X X X X X X X X

Column headings: Banks; Financial groups and congl.; Other intermediaries; Insurance companies; Ins. groups and congl.; Distributors; Securities dealers; Trading venues; Central counterparties; Central depositories; Trade repositories; Payment systems; Participants; Fund management companies; SICAV; Limited partnerships for CIS; SICAF; Custodian banks; Managers domestic CIS; Distributors; Representatives of foreign CISs; Other intermediaries; SROs; DSFIs; SRO supervised; Audit firms; Rating agencies

Column groups: BA, ISA, SESTA, FMIA, CISA, AMLA, Others

Annex 1: Presentation of Audit Strategy for Banks / Securities Dealers (Cat. 1)
Annex 2: Presentation of Audit Strategy for Banks / Securities Dealers (Cat. 2-5)
Annex 3: Standard audit strategy for CISA Fund Management Companies
Annex 4: Standard audit strategy for CISA Asset Management Companies
Annex 5: Standard audit strategy for CISA Representatives
Annex 6: Standard audit strategy for CISA SICAF
Annex 7: Standard audit strategy for CISA SICAV
Annex 8: Standard audit strategy for CISA LP-CIS
Annex 9: Standard audit strategy CISA Custodian Banks
Annex 10: Standard audit strategy Insurance Companies
Annex 11: Standard audit strategy for Insurance Groups and Conglomerates
Annex 12: Standard audit strategy DSFIs
Annex 13: Risk Analysis for Banks
Annex 14: Risk Analysis Insurance Companies
Annex 15: Risk Analysis for CISA
Annex 16: Risk analysis of financial market infrastructures
Annex 17: Standard audit strategy for financial market infrastructures
Annex 18: Additional Information in the Comprehensive Reporting on the Financial Audit of banks and securities dealers
Annex 19: Additional Information in the Comprehensive Report on the Financial Audit of insurances
Annex 20: Additional Information in the Comprehensive Report on the Financial Audit of Licensees in Accordance with the CISA


Part 1 General Aspects margin nos. 1-78.1

I. Purpose margin no. 1

II. Appointment of the audit firm margin nos. 2-3

III. Audit content margin nos. 4-8

IV. Risk analysis margin nos. 9-27

V. Audit strategy margin nos. 28-31

VI. Audit depth margin nos. 32-34

VII. Audit standards margin nos. 35-44

A. Quality assurance margin nos. 37-38

B. Documentation margin no. 39

C. Legal and other regulations margin no. 40

D. Audit evidence margin nos. 41-44

VIIa. Incompatibility with an audit mandate margin nos. 44.1-44.8

VIII. Segregation of audit and financial audit margin nos. 45-46

IX. Internal Audit margin nos. 47-49

X. Audits for international groups and conglomerates margin nos. 50-52

XI. Reports margin nos. 53-77

XII. Notification duties margin nos. 78-78.1


Part 2 Special provisions margin nos. 79-149

I. Special provisions for the audit of banks and securities dealers margin nos. 79-112

A. Risk analysis margin nos. 79-85

B. Audit strategy margin nos. 86-107

C. Reports margin no. 108

D. Deadlines margin no. 109

E. Follow-up audits margin no. 110

F. Audits of central mortgage bond institutions margin no. 111

G. Financial audit margin no. 112

Ibis. Special provisions for the audit of Financial market infrastructures margin nos. 112.1-112.8

A. Risk analysis margin no. 112.2

B. Audit strategy margin nos. 112.3-112.5

C. Reports margin no. 112.6

D. Deadlines margin no. 112.7

E. Follow-up audits margin no. 112.8

II. Special provisions for audits under CISA margin nos. 113-122

A. Risk analysis margin no. 113

B. Audit strategy margin nos. 114-120

C. Deadlines margin no. 121

D. Follow-up audits margin no. 122


III. Special provisions for the audit of insurance companies margin nos. 122.1-130

A. Risk analysis margin nos. 122.1-127

B. Audit strategy margin no. 128

C. Deadlines margin no. 129

D. Financial audit margin no. 130

IV. Special provisions for the audit of directly subordinated financial intermediaries as per MLCA (Article 2(3) AMLA) (also known as DSFIs) margin nos. 131-148

A. Risk analysis margin no. 131

B. Audit strategy margin no. 132

C. Adherence to the authorization conditions and deficiencies regarding the implementation of due diligence margin no. 133

D. On-site audits margin no. 134

E. Audit risk margin nos. 135-143

F. Deadlines margin nos. 144-148

V. Annexes margin no. 149

Part 3 Transitional provisions margin nos. 150-155

Part 4 Entry into force margin no. 156


Part 1 General Aspects

I. Purpose

This circular shall govern the audit of supervised institutions by audit firms which act as the FINMA’s extended arm and, unless stated otherwise, always relates to the audit as per Article 24(1)(a) FINMASA (henceforth “audit”).

II. Appointment of the audit firm

Repealed

Any change of audit firm must be immediately reported to FINMA, but at the latest 3 months prior to submitting the current audit period’s risk analysis and audit strategy.

Repealed

III. Audit content

Audits shall be structured into individual audit areas. These audit areas in turn shall be broken down into audit fields, which in turn are subdivided into audit items. FINMA may define additional instructions on the performance of the audit (audit items).

Repealed

For every supervisory area, the audit areas to be tested during a basic audit are listed in the appendices to this circular.

Repealed

Repealed

IV. Risk analysis

Audit firms must prepare an annual risk analysis for each supervised institution to be audited and forward this analysis to the FINMA. A risk analysis must also be prepared for groups or conglomerates which are supervised by the FINMA.

A risk analysis is an independent assessment of the supervised institution’s risk situation prepared by the audit firm to the attention of the FINMA.

In the risk analysis, the audit firm shall show the risks to which the supervised institution is exposed from its perspective. The supervised institution shall be informed of its risk analysis. It is prohibited to coordinate the risk analysis with the supervised institution.

Margin nos. of the preceding passage: 1, 2*, 2.1*, 3*, 4*, 5*, 6*, 7*, 8*, 9*, 10, 11*


A risk analysis must:

• encompass the supervised institution to be audited in its entirety;

• provide an overview of the risks which result from the supervised institution’s business activities (for this, the audit firm must specifically take into consideration the market conditions and the financial and political environment in which such an institution is operating);

• include the corporate governance of the supervised institution; and

• be of an anticipatory nature, i.e. keep in mind the possible impact of current developments on the supervised institution.

The individual risks shall be assessed and weighted on the basis of the possible impact they could have on the supervised institution at hand.

The risk analysis must be prepared according to the Annex (cf. Annexes on Risk Analysis). It shall be structured as follows:

• the audit firm’s general assessment of the risks that could affect the supervised institution;

• comprehensive categorization and appraisal of risks: In general, the categorization shall depend on the audit areas and the audit fields. If other risks seem likely, these shall be added, so that the overview of the supervised institution’s risk exposure is as comprehensive as possible.

• The aspects “impact/extent” together with “probability of occurrence” of the risk shall determine the “inherent (gross) risk” for each audit area or field.

Margin nos. of the preceding passage: 12, 13, 14, 15, 16, 17, 18, 19, 20, 21


The inherent risk is determined as follows:

| Impact/extent | Probability of occurrence | Inherent risk |
|---|---|---|
| very high | very high | very high |
| very high | high | very high |
| very high | medium | high |
| very high | low | high |
| high | very high | high |
| high | high | high |
| high | medium | medium |
| high | low | medium |
| medium | very high | medium |
| medium | high | medium |
| medium | medium | medium |
| medium | low | low |
| low | very high / high / medium / low | low |

The audit firm must rank the supervised institution’s gross risks.

The net risk shall be determined by taking into account the risk-mitigating measures (e.g. implemented controls) identified by the audit firm.

Repealed

All further details shall be found in the guidance sheet provided by the FINMA.

Margin nos. of the preceding passage: 22, 23, 24, 25*, 26*, 27


V. Audit strategy

The audit strategy shall determine the depth and periodicity of the audit required for the supervised institution’s different audit areas. The audit firm’s audit plan shall be based on the audit strategy.

The FINMA shall determine a minimal standard audit strategy for the basic audit of each supervisory category (cf. Standard Audit Strategy appendices) in every supervisory area. This audit strategy shall determine the audit areas, the minimal audit depths and the periodicity for the audit.

Should the audit firm deem a standard audit to be insufficient, it must suggest an alternative to the FINMA. Such a suggestion shall be substantiated.

The FINMA may also order other audits in addition to the standard audits outside of the normal timetable. It shall plan and communicate these as early as possible.

VI. Audit depth

Two audit depths shall be foreseen:

• Audit: The audit firm must get a comprehensive picture of the aspect to be audited. The result must be an unambiguous opinion on whether the regulatory provisions have been adhered to or not (called “positive assurance”).

• Critical assessment: The audit firm must get an adequate overview of the aspect under scrutiny. The audit firm shall report in writing that during the audit procedures undertaken (review of documents, interviews, etc.) no facts were determined which would lead it to conclude that regulatory provisions were not being adhered to (also called “negative assurance”).

VII. Audit standards

International and national audit standards applicable to the financial audit based on the ordinary audit as per Code of Obligations (financial audit) are not applicable to the audit. This audit shall be based solely on the provisions of this circular.

The audit firm must perform a systematic audit planning based on the previously defined audit strategy. The audit firm shall prepare and perform the audit with critical distance, thus ensuring objective assessments. It shall keep in mind the possible impact of current developments in regard to audit areas, both at the level of the supervised entity and its environment. In particular, it must consider in its audit procedures whether any regulatory provisions may have been violated.

A. Quality assurance

The audit firm shall define standards to ensure the quality of its audit and ensure that these are adhered to at all times. It shall take the appropriate measures for each audit mandate which will allow it to adhere to the standards on the whole but also for the individual audit mandates. This shall be especially applicable to audit plans, the audit program and the delegation of tasks to competent employees, the availability of the information to be audited, the instructions given to the audit team, their supervision and an adequate timeline.

Margin nos. of the preceding passage: 28, 29*, 30, 31, 32, 33, 34, 35*, 36, 37*

Should the supervised entity’s circumstances require additional tests, the audit firm shall engage further auditors, internal subject-matter experts or external specialists in the field.

B. Documentation

The audit firm must prepare a comprehensive and sufficiently detailed audit documentation for each mandate, which can also be understood by a knowledgeable third party. The information for the planning and the performance of the audit contained in the working papers shall document the deliberations and conclusions of the tests, as well as the confirmations and the results in the reports sent to the FINMA. Moreover, the working papers shall define the type, the time and depth of the audit procedures performed. If the audit firm uses documents prepared by the supervised institution, these must be identified as such and their correctness must be critically questioned. Working papers can be set up as master files, provided the information contained therein is valid for more than the year in question. The audit documentation is the property of the audit firm and must be closed within an appropriate deadline after the audit report has been submitted to the FINMA. Once closed, the documentation may no longer be altered until the legal record retention requirement has expired. The audit firm shall ensure a safe and confidential retention of the audit files separate from those used for the financial audit during the entire legally foreseen record retention requirement, as far as this is possible.

C. Legal and other regulations

When performing the audit, the audit firm must take into account all applicable legal and other regulatory provisions. If, during the audit, it becomes evident that legal or other provisions have been violated, it must be taken into account during audit procedures that the integrity of the company management and employees might be compromised.

D. Audit evidence

The audit firm must gather sufficient and appropriate audit evidence, using suitable audit procedures based on results and processes. This allows the drawing of substantiated conclusions, which form the basis for the confirmations and the relevant reports. The design and effectiveness of systems and processes shall be tested using process-oriented audit procedures. Case-by-case audits and analytical audits shall be handled with results-based audit procedures. Audit evidence shall be the result of inspections, observations, interviews, confirmations and calculations, as well as of analytical audit procedures, which are used to complement the analysis of, for instance, key figures, trends or comparisons with previous periods or expectations as well as comparisons within the industry. Risk assessments and audit plans shall require analytical as well as results-based audit procedures.

When testing with random samples, the number of samples must be large enough to allow a conclusion as to the overall contents of the sample pool and the risk associated with sample testing thereby being reduced to an acceptable level. When defining the samples, the purpose of the audit procedures and the characteristics of the sample pool must be kept in mind. Errors found on the basis of the sample must be assessed in regard to type and reason, and it should be determined whether these have occurred in other areas as well, and if necessary, an extrapolation must be made for the entire sample pool.

Margin nos. of the preceding passage: 38, 39*, 40, 41, 42

Significant events which are identified after the audit has ended and before the report has been submitted must be listed in the audit report. For this, the audit firm must gather sufficient and appropriate audit evidence.

Repealed

VIIa. Incompatibility with an audit mandate

Both the audit firm and the auditors must adhere to the independence rules as per Article 11l AOO.

Moreover, Article 7 FINMA-AO shall provide a non-exhaustive list of activities that are incompatible with an auditing mandate. In this regard, specifically the following shall be noted:

• The term “regulatory advice” shall include any kind of service provided upon the request of the supervised institution’s governing bodies or employees. Such activities specifically shall include the development and introduction of client-specific tools used to control or manage compliance and/or risk, coaching, client-specific training, transfer of know-how and accompanying and/or supportive services.

• Contrary to this, pre-audit assessments (e.g. pre-audit activities), which do not encompass advising and/or accompanying services shall be permissible, provided they are fully disclosed to the FINMA. Such assessments shall enable the independent provision of an audit opinion for a specific audit field not part of the audit. For this, the audit object must be developed in full and be ready to be implemented.

• It is not permitted to provide regulatory advice related to a license application procedure if the audit firm will be taking over the audit mandate after the license has been obtained.

• All services related to due diligence which affect a supervised institution in Switzerland that go beyond the mere preparation of fact books or data rooms shall be considered to be regulatory advisory services and are therefore not permitted. Audits as per Merger Act may be excluded.

• Margin nos. 44.3-44.6 shall be applicable to the provision of services to national and international group companies that are subject to a consolidated supervision by FINMA. Whether the service is provided by the audit firm or by another company belonging to the same network shall be irrelevant.

• Secondments by audit firm employees as internal auditors at the supervised institution shall be permitted as long as this employee is not involved in the decision-making process and the secondment does not last longer than six months. Secondments by internal audit department employees shall be permitted as long as the assignment for each person is a one-off and does not exceed six months. A reciprocation of staff going beyond the above-mentioned is not permitted.

Margin nos. of the preceding passage: 43*, 44*, 44.1*, 44.2*, 44.3*, 44.4*, 44.5*, 44.6*, 44.7*, 44.8*


VIII. Segregation of audit and financial audit

Repealed

If justified, the FINMA may demand that the audit must not be performed by the same Lead Auditor and audit team as the ones that performed the financial audit.

IX. Internal Audit

Repealed

If the audit firm relies on Internal Audit’s work, this must be clearly indicated in the audit report. It shall state the audit area, the audit depth and the results reached by the institution’s internal audit department. The audit firm must assess the quality and the meaningfulness of the audit performed by Internal Audit.

However, the audit firm is not allowed to rely on the work provided by Internal Audit (margin no. 48) for the same audit area for two consecutive audit cycles.

X. Audits for international groups and conglomerates

Audit firms shall perform their own group audits for group or conglomerate companies abroad.

The audits may also be performed by affiliated audit firms. The affiliate shall be instructed diligently by the leading audit firm, which then carefully supervises the ensuing activities. Working papers’ quality must be subject to a periodic quality review. The audit firm must appraise the affiliate’s audits.

The audit firm must inform the FINMA in its audit report if Swiss regulatory provisions could not be adhered to due to a conflict with a foreign law.

XI. Reports

Repealed

In its reports, the audit firm shall take into account the supervised institution’s environment and current and near-future developments.

Repealed

Repealed

Repealed

Repealed

Margin nos. of the preceding passage: 45*, 46*, 47*, 48*, 49, 50, 51, 52, 53*, 54*, 55*, 56*, 57*, 58*


Repealed

Repealed

Repealed

Repealed

At a minimum, the audit report must be structured as follows:

• Overview of the audit environment, i.e. specifically the scope of the audit, the audit period, the name of the leading auditor, the period of the audit procedures, audit approach, scope of reliance on third-party work, confirmation of adherence to the previously defined audit strategy;

• Confirmation of adherence to the audit firm’s independence;

• Information on other mandates the audit firm has performed for the supervised institution;

• Summary of the audit results, including all notices of reservation and recommendations, presented as a table;

• Presentation of significant changes at the supervised institution or in the audit area, specifically regarding owners, governing bodies, business models, affiliations/relationships to other companies and basic procedures;

• Presentation of specific audit results;

• Further comments;

• Any difficulties encountered during the audit, including a confirmation that the supervised institution provided all of the necessary information in a timely manner and in the quality required.

• Repealed

Audit firms must use FINMA templates for the reports.

Repealed

Repealed

Regardless of the audit depth used, issues raised shall require either a notice of reservation or a recommendation.

The audit firm shall disclose if it has discussed notices of reservation with the supervised institution before filing the report. Moreover, it must be indicated if the supervised institution disagrees with a notice of reservation. The audit firm must systematically review that the institution has remedied prior issues.

Margin nos. of the preceding passage: 59*, 60*, 61*, 62*, 63, 64*, 65, 66, 67*, 68, 69, 70, 71, 72, 73, 74*, 75*, 75.1*, 76


Notices of reservation that recur repeatedly must be flagged as such.

For groups and conglomerates, the audit firm shall in principle prepare a stand-alone and a separate group report.

XII. Notification duties

The audit firm’s notification duties must be adhered to at all times. The FINMA must be informed immediately of any fraudulent acts by the supervised institution.

As per Article 14(2) FINMA-AO, the FINMA shall be notified of expenses and fees for audit and non-audit services provided to supervised institutions in accordance with FINMA guidelines.

Part 2 Special Provisions

I. Special provisions for the audit of banks and securities dealers

A. Risk analysis

The general rules related to risk analyses shall apply.

In order to define the net risks, the risk analysis (cf. Annex Risk Analysis Banks) shall take into consideration the gross risks identified at the supervised institution, as well as the implemented controls. In doing so, the audit firm shall provide an assessment of the inherent risks (also see margin nos. 22 seqq.) and the control risks.

• High: The audit firm has not yet performed any audit procedures on the existence and functioning of controls, is not sure whether controls exist or has deemed the controls to be ineffective.

• Medium: Based on the audit procedures applied during the last audit, the audit firm has determined that controls exist and does not dispose of any indications that these were inadequate or ineffective. The institution’s current control environment shall be included in the assessment.

• Low: Based on the audit procedures applied during the last audit, the audit firm has determined that the controls are adequate and effective. The institution’s current control environment shall be included in the assessment.

Margin nos. of the preceding passage: 76.1*, 77, 78, 78.1*, 79, 80*, 81, 82, 83


Net risks shall be determined as follows:

| Inherent risk | Control risk | Net risk |
|---|---|---|
| very high | high | very high |
| very high | medium | very high |
| very high | low | high |
| high | high | high |
| high | medium | medium |
| high | low | medium |
| medium | high | medium |
| medium | medium | medium |
| medium | low | low |
| low | high | low |
| low | medium | low |
| low | low | low |

B. Audit strategy

The audit firm must state its opinion to the FINMA and explain why it deems a standard audit strategy to be sufficient. It shall base this assessment on its risk analysis.

The standard audit strategy shall be used if the audit firm’s risk analysis and the risk assessment by the FINMA come to the conclusion that there is no need to adjust the standard audit strategy.

This shall be the case if the net risk is “low” or “medium”. If the net risk is “high” or “very high”, the audit firm must adjust its audit strategy in regard to audit depth and periodicity, as follows:

• If a risk is deemed to be “high”, the “intervention every 2 or 3 years” shall be replaced with an annual intervention with the depth “critical assessment”. The audit depth “audit” shall be applied at least every 4 years (category 1) or 6 years (categories 2-5).

Margin nos. of the preceding passage: 84, 85, 86, 87, 88, 89


• If a risk is deemed “very high”, the intervention shall be on an annual basis with depth “audit”.

These adjustments to the standard risk strategy must take place for all audit areas or fields, except for the following:

• capital adequacy requirements and capital planning: Category 1: There shall be no adjustment if the risk is deemed to be “high”.

• Audit of the long-term profitability: an annual critical assessment shall be sufficient even if risks are deemed to be “high” or “very high”.

• Qualitative liquidity requirements / quantitative liquidity requirements: Category 1: There shall be no adjustment if the risk is deemed to be “high”.

• Corporate governance (at the level of the stand-alone institution and the group): an annual critical assessment shall also be sufficient even if risks are deemed to be “high” or “very high”.

• Internal Audit (at stand-alone or group level): an annual critical assessment shall be sufficient even if risks are deemed to be “high” or “very high”.

• Internal organization, internal control system, IT: the audit firm must gradually cover all of these aspects over a period of six years in this audit area. There shall be an annual intervention with audit depth “audit” for areas with identified weaknesses.

• Outsourcing: the audit firm must gradually cover all of these individual aspects over a period of six years in this audit field. There shall be an annual intervention with audit depth “audit” for areas with identified weaknesses and newly concluded outsourcing agreements.

• Central functions for risk control and risk mitigation: risk control function / compliance function (at the level of the stand-alone institution and the group): There shall be no adjustment if the risk is deemed to be “high”.

• Adherence to anti-money-laundering provisions (at stand-alone and group level): There shall be no adjustment if the risk is deemed to be “high”.

• Group-wide measures for fulfilling qualitative and quantitative liquidity requirements: Category 1: there shall be no adjustment if the risk is deemed to be “high”.

• Group-wide measures to ensure compliance with duties regarding derivative transactions: Category 1: there shall be no adjustment if the risk is deemed to be “high”.

• Group-wide measures regarding capital and risk diversification / compliance with capital adequacy provisions: Category 1: there shall be no adjustment if the risk is deemed to be “high”.

• Intra-group financing structures and contingent liabilities: there shall be no adjustment if the risk is deemed to be “high”.

Margin nos. of the preceding passage: 90, 91, 92, 93, 94*, 95, 96, 97, 98*, 99*, 100, 101*, 101.1*, 102*, 103


• Group-wide measures to ensure compliance with other Swiss and foreign regulatory requirements: there shall be no adjustment if the risk is deemed to be “high”.

For institutions where the compliance with capital adequacy requirements as per FINMA circ. 11/02 is no longer ensured, the audit firm must rank the net risk for the audit field “capital adequacy requirements and capital planning” “very high”, specifically if the institution drops below the intervention threshold defined in the circular. In case the institution drops below the targeted capital level, the risk is deemed to be “high”.

Basing itself on the risk analysis, the audit firm shall prepare a substantiated suggestion, which is more stringent in regards to the audit periodicity and audit depth if the supervised institution’s complexity and risk situation should require this.

Repealed

The FINMA shall be entitled to adjust the audit strategy (intervention).

C. Reports

The report must confirm that the institution has adhered to the FINMA’s orders, e.g. as required by a formal decision.

D. Deadlines

Audit reports must be submitted 4 months after the annual closing. The risk analysis and audit strategy must be submitted by the same deadline.

E. Follow-up audits

Should the audit firm set a deadline as per Article 27(2) FINMASA, it must perform a follow-up audit within an adequate time frame.

F. Audits of central mortgage bond institutions

Both the general and the special provisions detailed in this chapter shall also apply to central mortgage bond institutions.

G. Financial audit

The audit firm shall take into consideration the provisions of FINMA and FAOA on the comprehensive reporting as per Article 728b Code of Obligations (CO). A comprehensive report shall also be prepared for the following entities: i) supervised institutions that are not public limited companies, ii) branch offices of foreign banks and iii) financial groups and financial conglomerates subject to FINMA supervision as such.

Margin nos. of the preceding passage: 103.1*, 104, 105, 106*, 107, 108, 109, 110, 111, 112*


Ibis. Special provisions for the audit of financial market infrastructures

In principle, FINMA shall supervise financial market infrastructures. However, the Financial Markets Infrastructure Act (FMIA) requires systemically important financial market infrastructures to also be under the supervision of the SNB.

A. Risk analysis

The risk analysis for institutions subject to FMIA shall be carried out taking into consideration the general and special provisions on risk analyses for banks and securities dealers (also see margin no. 79 et seqq.). When considering risks, the specificities of licensees under FMIA shall be taken into consideration.¹

B. Audit strategy

The FINMA shall define the minimum standard audit strategy for the basic audit. For systemically important financial market infrastructures, it shall do this in consultation with the SNB.² According to margin no. 4, the FINMA may define additional audit items. Based on the risk analysis, the audit firm shall prepare a substantiated suggestion that is more stringent with regard to audit periodicity and audit depth if the supervised institution’s risk situation should require this.³

The FINMA shall be entitled to adjust the audit strategy (intervention).⁴

C. Reports

Reports shall be based on the special provisions for banks and securities dealers (cf. margin no. 108).⁵

D. Deadlines

Deadlines shall be based on the special provisions for banks and securities dealers (cf. margin no. 109).

E. Follow-up audits

Follow-up audits shall be based on the special provisions for banks and securities dealers (cf. margin no. 110).

¹ Systemically important financial market infrastructures shall also submit a risk analysis to SNB.

² The SNB may also define such indications (audit items) for systemically important financial market infrastructures.

³ Audit strategies for systemically important institutions subject to FMIA shall also be submitted to SNB.

⁴ The SNB shall have the same competences (intervention) for systemically important financial market infrastructures.

⁵ Reports for systemically important institutions subject to FMIA shall also be submitted to SNB.

Margin nos.: 112.1*, 112.2*, 112.3*, 112.4*, 112.5*, 112.6*, 112.7*


II. Special provisions for audits under CISA

A. Risk analysis

The risk analysis for institutions subject to FMIA shall be carried out taking into consideration the general and special provisions on risk analyses for banks and securities dealers (also see margin no. 79 et seqq.). When assessing the risks of licensees subject to CISA, the audit firm must also take into account the collective investment schemes managed by these.

B. Audit strategy

The standard audit strategy shall be used if the audit firm’s risk analysis and the risk assessment by the FINMA come to the conclusion that there is no need to adjust the standard audit strategy.

This shall be the case if the net risk is “low” or “medium”. Should the net risk of an audit area or audit field be “high” or “very high”, the audit firm must adjust the audit strategy in regard to audit depth and periodicity, as follows:

• Should the net risk be “high”, the audit firm must test this on an annual basis with audit depth “critical assessment”;

• If the net risk is “very high”, the audit firm must test this on an annual basis with audit depth “audit”.

These adjustments to the standard audit strategy must take place for all audit areas or audit fields, except for the following:

• Corporate governance: an annual critical assessment shall in principle also be sufficient even if the net risk is deemed to be “very high”.

• Internal Audit: an annual critical assessment shall in principle also be sufficient even if the net risk is deemed to be “very high”.

Based on the risk analysis, the audit firm shall prepare a substantiated suggestion that is more stringent with regard to audit periodicity and audit depth if the supervised institution’s complexity and risk situation should require this.

Repealed

The FINMA shall be entitled to adjust the audit strategy (intervention).

Margin nos.: 113, 114, 115*, 116*, 117*, 117.1*, 118, 119*, 120


C. Deadlines

Document: Deadline

• Audit report: 6 months after the end of the business year

• Risk analysis and audit strategy of the following year⁶: 6 months after the end of the business year

• Audit report for fund management companies, for products with financial reports of less than a year (excerpt of audit report with product-related aspects)⁷: 6 months after the closing of the product (on a quarterly basis)

• Audit report for custodian banks: 3 months after the closing of the fund management company or the SICAV's business year

D. Follow-up audits

Should the audit firm set a deadline as per Article 27(2) FINMASA, it must perform a follow-up audit within an adequate time frame.

III. Special provisions for the audit of insurance companies

A. Risk analysis

In its risk analysis (cf. Annex Risk Analysis Insurance Companies), the audit firm shall describe the identified risks together with the available, functioning and risk-mitigating measures that have already been taken by the insurance company, group or conglomerate or which will be taken within the next six months. The lack of such measures for identified risks must also be mentioned.

The audit firm shall assess the net risks, taking into consideration the described risk-mitigating measures (or any negative notifications), rate them as very high, high, medium or low, and rank the net risks.

Depending on the supervisory category, the FINMA may determine that there is no need for an annual risk analysis.

⁶ No risk analysis is necessary for custodian banks and representative offices of foreign collective investment schemes.

⁷ Complementary quarterly report as per Article 105(2) CISO-FINMA.

Margin nos.: 121, 122, 122.1*, 122.2*, 123


No risk analysis is necessary for insurance companies not fully subject to institutional supervision by the FINMA. In particular, these shall include:

• branch offices in Switzerland of foreign insurance companies;

• comprehensive health insurance companies subject to supervision by the Swiss Federal Office of Public Health (Article 25 SPA in conjunction with Article 2(2)(b) ISA); and

• re-insurance captives which are small and have a simple risk structure.

B. Audit strategy

The FINMA shall determine the audit strategy.

C. Deadlines

Document: Deadline

• Audit reports of insurance companies (re-insurers excluded): 30 April of the following business year

• Audit reports of insurance companies which solely conduct reinsurance business: 30 June of the following business year

• Audit reports of insurance groups and conglomerates: 30 April of the following business year

• Risk analysis for insurance companies (without re-insurers): 30 April of the following business year

• Risk analysis for re-insurers which solely conduct reinsurance business: 30 June of the following business year

• Risk analysis for insurance groups and conglomerates: 30 April of the following business year

D. Financial audit

The audit firm shall take into consideration the provisions of FINMA and FAOA on the comprehensive reporting as per Article 728b CO. Branch offices of foreign insurance companies subject to FINMA supervision shall submit financial statements consisting of an income statement, a balance sheet and the notes prepared in accordance with the accounting standards stated in Articles 957 - 961d Code of Obligations and any additional FINMA requirements.

Margin nos.: 124, 125*, 126, 127*, 128, 129, 130*


IV. Special Provisions for the Audit of Financial Intermediaries Directly Subordinated to the MLCA (Article 2(3) AMLA) (also known as DSFIs)

A. Risk analysis

No risk analysis is necessary. If needed, the FINMA may order a risk analysis to be prepared according to the general provisions of this circular.

B. Audit strategy

The standard audit strategy defined by FINMA shall be applicable to all DSFI audits. The FINMA may order an additional audit at any time.

C. Adherence to the authorization conditions and deficiencies regarding the implementation of due diligence

The audit firm must state in its audit report if it detects that the DSFI no longer fulfills the licensing conditions or if it does not implement due diligence duties carefully enough.

D. On-site audits

Audits must take place on the DSFI’s premises. The DSFI must provide the auditors with an adequate workplace, and make available all information, documents and accounting vouchers necessary for the audit.

E. Audit risk

After it has performed the audit, the audit firm must express an opinion on the audit performed and on the audit results and provide an audit opinion. Specifically, the audit firm shall inform on the following:

• whether it encountered difficulties during the audit;

• whether the DSFI made available all of the required documentation and accounting vouchers, incl. bookkeeping records;

• whether the DSFI’s business activities and the presentation of the company’s organization were easy to understand and complete.

Moreover, the audit firm must also explain:

• how the audit was carried out;

• which documents and accounting vouchers were inspected;

• the number of tested files and transactions; and

• the duration of the audit.

Margin nos.: 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141

F. Deadlines

The audit must be performed no later than 6 months after the end of the business year, and the audit report must be submitted no later than 7 months after the closing of the accounts.

The following rules shall apply to newly licensed financial intermediaries subject to the AMLA as regards the audit period:

• For financial intermediaries subject to AMLA that have been licensed prior to 30 September of a calendar year, the audit firm must apply a standard audit strategy in the year following the granting of the license. However, the audit period shall include the period after the license has been granted or business has been started up to the end of the relevant business year.

• For financial intermediaries subject to AMLA that have been granted their license after 30 September of a calendar year, the audit period shall run from the time the license was granted or the company started its business up to the end of the following business year.

The FINMA may prescribe a different procedure for the first audit at the time it grants the license.

V. Annexes

Please find appended the templates for the standard audit strategy and risk analysis.

Part 3 Transitional provisions

Repealed

Repealed

Repealed

Repealed

Repealed

Repealed

Part 4 Entry into force

This circular enters into force on 1 January 2013.

Margin nos.: 142, 143, 144, 145, 146, 147, 148, 149, 150*, 151*, 152*, 153*, 154*, 155*, 156


List of amendments

The circular has been amended as follows:

These amendments were passed on 28 November 2014 and enter into force on 1 January 2015.

New margin nos. 44.1-44.8, 75.1, 76.1, 78.1, 122.1, 122.2

Amended margin nos. 4, 6, 9, 11, 25, 29, 35, 37, 39, 43, 46, 48, 54, 64, 77, 80, 106, 112, 119, 125, 127, 130

Repealed margin nos. 2, 3, 5, 7, 8, 26, 44, 45, 47, 53, 55-62, 72, 74, 75, 150-155

Moreover, the term “regulatory audit” was replaced with “audit” throughout the whole circular.

These amendments were passed on 18 November 2016 and shall enter into force on 1 January 2017.

New margin nos. 2.1, 101.1, 103.1, 112.1–112.7, 117.1

Amended margin nos. 4, 67, 94, 98, 99, 101, 102, 112, 115, 116, 117, 130

Repealed margin nos. 106, 119


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received, or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. The scope of any potential collaboration with audit clients is defined by regulatory requirements governing auditor independence. © 2017 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss legal entity. All rights reserved.

www.kpmg.ch
