The Companies (Auditing and Accounting) Act 2003, established the Irish Auditing and Accounting Supervisory Authority (IAASA). IAASA was conferred with the majority of its statutory functions and powers under the Act in early 2006. IAASA is under the aegis of my colleague, the Minister for Business, Enterprise and Innovation.
Under the Companies Act 2014, the Transparency Regulations and the Audit Regulations, IAASA has seven primary functions:
- Supervision of how the Prescribed Accountancy Bodies (PABs) regulate and monitor their members;
- Monitoring of the periodic financial reporting of certain entities whose securities have been admitted to trading on a regulated market in the EU;
- Carrying out certain functions in respect of liquidators;
- Promotion of adherence to high professional standards in the auditing and accountancy profession;
- Acting as a specialist source of advice to the Minister for Business, Enterprise and Innovation on auditing and accounting matters;
- External quality assurance of the auditors of listed companies, credit institutions and insurance undertakings to ensure a high quality of audit; and
- Adoption and maintenance of the audit framework for Ireland.
Further information on IAASA can be found on its website: https://www.iaasa.ie/About-IAASA/Our-Role
The EU completed a significant reform of the rules governing statutory audit with the adoption of two new instruments in April 2014. The resulting EU Directive and EU Regulation on Audits update existing EU law on statutory audits. S.I. 312 of 2016 transposed the EU Audit Directive and gave effect to some provisions of the EU Regulation, was signed into law on 15 June 2016.
The following are the main areas of impact –
- The framework for public oversight was enhanced and the Irish Auditing and Accounting Supervisory Authority (IAASA) is now the single competent authority with ultimate responsibility for oversight of statutory auditors and audit firms and has direct responsibility for oversight of audits of public interest entities (credit institutions, insurers, and listed entities). The recognised accountancy bodies still retain responsibility for certain oversight tasks such as approval and continuing education of auditors and inspections of non-public interest entity audits.
- The obligations on statutory auditors to be independent when auditing the financial statements of their clients were strengthened and in particular limits placed on the type and amount of non-audit services an auditor may provide.
- New obligations on public interest entities with respect to the appointment of and interaction with their auditors were introduced, most significantly the requirement to change auditor at least every ten years.
- The Companies (Statutory Audits) Bill 2017 avails of options not available in secondary legislation which will enhance the system of oversight of audit in Ireland and audit quality. It elevates the provisions of S.I. No. 312 of 2016 into primary legislation to provide a single, comprehensive framework for statutory audit in the Companies Act 2014. It gives IAASA, as the competent authority with ultimate responsibility for oversight, enhanced powers for monitoring and enforcement of the new requirements.
The Companies (Statutory Audits) Bill 2017 passed Committee Stage in the Dáil on 21 February 2018. Dáil Report Stage is expected to take place mid-July. The Bill has yet to pass through the Seanad but it is intended that it be enacted as soon as possible.
The above matters are the responsibility of my colleague, the Minister for Business, Enterprise and Innovation, and any further queries on any should be directed to her.
Further to the above legislation governing auditors, there are additional requirements for the auditors of Regulated Financial Service Providers (RFSPs) imposed by the Central Bank of Ireland. These include the Auditor Protocol and a number of reporting requirements, which are detailed as follows.
The Protocol between the Central Bank of Ireland and the Auditors of Regulated Financial Service Providers:
- The Auditor Protocol was first developed and published in 2011 and applied to those firms which were rated High Impact under the Central Bank’s then new regulatory risk model, Probability Risk Impact System (“PRISM”). Institutions are categorised based on the greatest impact on financial stability and the consumer as follows, High Impact, Medium-High Impact, Medium-Low Impact and Low Impact
- Following a review in 2013 the scope of the Auditor Protocol was extended to include all meetings held between external auditors and the Central Bank including meetings held in respect of supervisory tasks relating to medium high and medium low impact firms.
- For High Impact firms it is expected that there will be at least two formal bilateral meetings per year. These meetings will take place at the pre audit stage and the post audit stage.
- For non-High Impact firms the frequency of meetings will be determined by the impact category of the firm under the PRISM engagement model.
- The Central Bank, through its Corporate Governance requirements, places a significant onus on the Audit Committee to monitor the effectiveness and adequacy of the firm’s internal control (including around IT systems) and internal audit. It is because of this reliance that the Central Bank believes that trilateral meetings should take place between the Central Bank, the auditor and the Chair of the Audit Committee or, if an Audit Committee is not in place, an appropriate Independent Non-Executive Director, to discuss areas of concern and/or mutual interest regarding the firm. The Trilateral Meeting will, in the normal course of audits, be conducted at the planning stage of the audit process. These meetings should cover all issues that the parties consider may be of interest to the other parties in carrying out their statutory or fiduciary functions.
- Pre Audit Meeting: It is envisaged that this meeting will be held as part of the Trilateral Meeting process but it could also be held as a bilateral meeting if both the Central Bank and the auditor believe that it would be more beneficial to do so.
- Post Audit Meeting: It is envisaged that this meeting will be arranged after the audit report is signed off. However, this meeting may occur before audit sign off if it is deemed more beneficial.
- The Central Bank's Auditor Protocol is available at the following link: https://www.centralbank.ie/docs/default-source/regulation/codes/gns-4-1-7he-auditor-protocol.pdf?sfvrsn=4
Reporting Obligations to the Central Bank
Client Asset Regulations for Investment Firms 2015 and Investor Money Regulations 2015 for Fund Service Providers
In accordance with the Client Asset Regulations for Investment Firms 2015 and Investor Money Regulations 2015 for Fund Service Providers an investment firm/fund service provider should engage an external auditor to report (“assurance report”) at least on an annual basis on the investment firm’s/fund service provider’s safeguarding of client assets and shall ensure that the external auditor appointed for this purpose receives full co-operation in a timely matter in relation to the preparation of the assurance report.
Statutory Duty Declaration/Annual Positive Statement
Section 27B of the Central Bank Act 1997 places a duty on auditors to make a written report to the Central Bank, within one month after the date of the auditor’s report on the financial service provider’s financial statements or within such extended period as the Central Bank allows, stating whether or not circumstances have arisen that require the auditor to report a matter to the Central Bank under a prescribed enactment and if such circumstances have arisen specify those circumstances (the “Statutory Duty Confirmation”).
Auditors Reports to those charged with governance including ‘Nil’ Return
Section 27C of the Central Bank Act 1997 requires that if the auditor of an entity regulated by the Central Bank makes a report to the entity, or those concerned with its management, on any matter that has come to the auditor’s notice during the course of the financial statement audit (or while carrying out any work for the entity of a kind specified by the Central Bank), the auditor must provide the Central Bank with a copy of that report. Where no such report is to be sent to the entity section 27C (3) of the Central Bank Act 1997 requires the auditors to inform the Central Bank that such is the case i.e. a ‘nil return’.
Reports sent to the Office of the Director of Corporate Enforcement (ODCE)
Section 27D of the Central Bank Act 1997 requires that auditors of regulated entities to submit to the Central Bank copies of any reports sent to ODCE. Copies must be submitted at the same time or as soon as practicable after the report is made to ODCE.
Auditor Assurance Reports
Section 27BA of the Central Bank Act 1997 provides that where the Central Bank considers it necessary owing to the nature, scale or complexity of the activities of a regulated financial service provider, it may, by notice in writing to the auditor of the regulated financial service provider, require the auditor to conduct an examination for the purpose of providing to the Central Bank a statement as to the extent to which the regulated financial service provider has complied with obligations imposed by or under such provisions of financial services legislation as are specified in the notice.