Within four months after the financial year ends, audit firms perform a thorough assessment of the risk situation to which each supervised institution is exposed, and submit this assessment to FINMA on a standard form. The risk analysis covers all audit fields with a view to determining net risk from a combination of the different risk factors.
A standard audit strategy is applied for supervised institutions in FINMA Supervisory Categories 3 to 5. Here, the frequency and depth of the audit to be performed are determined by the net risk exposure in the audit fields. For supervised institutions in FINMA Supervisory Categories 1 and 2, FINMA exercises greater influence on the audit fields to be assessed by defining the audit strategy in a dialogue with the audit firm. The audit firm implements the audit strategy on site at the premises of the supervised institution.
Supervised institutions in FINMA Supervisory Categories 4 and 5 with no heightened risk situation and without any significant weaknesses can apply for the audit frequency to be reduced. If the application is approved by FINMA, the audit firm will then only carry out regulatory on-site audits every two or three years.
Audit firms provide the findings from their audits to FINMA in a standardised report on the regulatory auditing of banks and securities firms which includes general information about the audit procedure, a statement of the auditors’ independence and other information about the development of the respective institution’s business activity and its organisation. The report also contains a commentary on any irregularities discovered or on recommendations for improvements.
In specific circumstances, FINMA may appoint an audit mandatary. Audit mandataries may be other authorised audit firms or independent third parties in possession of the necessary experience and specialist expertise.
The notification regarding the selection of an audit firm is made via the FINMA Survey and Application Platform (EHP). If your institution does not have access to the EHP, the form below can be used.