Within six months after a licence holder’s financial year ends, audit firms submit an assessment of the institution’s risk situation as well as the derived audit strategy to FINMA electronically using a standardised form. The risk analysis covers all audit fields with a view to determining net risk from a combination of the different risk factors and in accordance with the business activities.
A standard audit strategy is generally applied for supervised institutions in FINMA Supervisory Category 5. Here, the frequency and depth of the audit to be performed are determined by the net risk exposure in the respective audit fields. For supervised institutions in FINMA Supervisory Category 4, FINMA can exercise greater influence on the audit fields to be assessed by defining the audit strategy individually in a dialogue with the audit firm.
Supervised institutions in FINMA Supervisory Category 5 with no heightened risk situation and without any significant weaknesses in their internal control system can apply for the audit frequency to be reduced. If the application is approved by FINMA, the audit firm will then only carry out regulatory on-site audits every two years. In years when no audit is carried out, no risk analysis or audit strategy is drawn up either.
Once an audit firm has completed a regulatory audit of a licence holder, it communicates the findings and recommendations to FINMA in the form of a standardised report. The report also contains information about the conduct of the audit, a declaration of independence on the part of the audit firm, and further information in accordance with FINMA guidelines.
In exceptional circumstances, FINMA can appoint an audit mandatary. Potential candidates for this role are approved audit firms and independent third parties with relevant experience and specialist knowledge.