Within four months after the financial year ends, audit firms perform a thorough assessment of the risk situation to which each supervised institution is exposed, and submits a report to FINMA on a standard form. The risk analysis covers all audit fields with a view to determining net risk from a combination of the different risk factors.
If the risk analysis highlights a low to medium net risk exposure in certain audit fields, the standard audit strategy will be applied with no restrictions. However, the audit strategy must be adapted for audit fields with a high to very high net risk exposure; the frequency of auditing may be increased and/or the audit depth intensified as described in Circular 2013/3 "Auditing". The audit firm itself may propose changes to the audit strategy if there are substantial reasons to do so.
Following receipt of the risk analysis, FINMA has two months in which to assess the documents and call for any change to the audit strategy that it considers necessary. Subsequently the audit firm has a further six months to implement the chosen audit strategy.
Audit firms provide the results of their audits to FINMA in a detailed, standardised report on the regulatory auditing of banks which includes general information about the audit procedure, a statement of the auditors’ independence and other information about the development of the respective institution’s business activity and its organisation. The report also contains statements by the audit firm on each individual audit field, and is rounded off with a detailed commentary on any irregularities discovered or recommendations for improvement made.
In specific circumstances, FINMA may appoint an audit mandatary. Audit mandataries may be other authorised audit firms or independent third parties in possession of the necessary experience and specialist expertise.
Submission of Auditing Circular