This document was prepared by: Centre for Financial Reporting Reform (CFRR) Governance Global Practice, The World Bank Praterstrasse 31 1020 Vienna, Austria Web: www.worldbank.org/cfrr Email: cfrr@worldbank.org Phone: +43-1-217-0700 © 2017 International Bank for Reconstruction and Development / The World Bank 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries. Rights and Permissions The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowledge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given. Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: pubrights@worldbank.org. CONTENTS 1. INTRODUCTION ............................................................................................................ 1 2. THE RATIONALE FOR PUBLIC OVERSIGHT OF AUDIT ...................................................... 2 2.1. Public audit oversight improves audit quality and thus supports economic growth 2 2.2. Establishing public audit oversight follows international good practices and expectations ............................................................................................................... 2 2.3. Public audit oversight directs and assists further development of the audit profession .................................................................................................................. 3 3. BASIC CHARACTERISTICS OF PUBLIC OVERSIGHT SYSTEMS ............................................ 4 3.1. EU requirements ........................................................................................................ 4 3.2. International expectations......................................................................................... 6 4. EFFECTIVENESS OF STRUCTURES: EXAMPLES OF EU PUBLIC OVERSIGHT SYSTEMS ......... 9 4.1. Location of the public oversight system .................................................................. 13 4.2. Funding the public oversight system ....................................................................... 15 4.3. Characteristics of POS boards .................................................................................. 16 4.4. Potential transition path for new public oversight systems .................................... 17 5. EXTRACTS FROM THE EU STATUTORY AUDIT DIRECTIVE AND EU REGULATION REGARDING STATUTORY AUDIT OF PUBLIC-INTEREST ENTITIES ................................... 19 5.1. Directive 2006/43/EC ............................................................................................... 19 5.2. Regulation (EU) NO 537/2014 ................................................................................. 25 5.3. Title IV: Surveillance of the activities of statutory auditors and audit firms carrying out statutory audit of public-interest entities ......................................................... 26 i 1. INTRODUCTION Public oversight of audits and auditors is a relatively recent development, particularly in light of the length of time that capital markets and the audit profession have operated. This paper reflects on the rationale for public oversight of auditors, summarizes the relevant EU legislation and international benchmarks for public oversight systems, and thereafter compares and contrasts the different approaches taken by EU member states to operate their public oversight systems. 1 2. THE RATIONALE FOR PUBLIC OVERSIGHT OF AUDIT There are many benefits of establishing independent public oversight of statutory audit and auditors. Three key benefits are described below. 2.1. Public audit oversight improves audit quality and thus supports economic growth Effective and efficient allocation of capital and credit is essential to economic growth, job creation and long-term poverty reduction. In efficient economies, capital and credit are to a significant extent allocated on the basis of corporate financial information. For such financial information to be reliable, high quality independent audits of the information are essential. Thus, audits underpin the successful functioning of capital and credit markets and help smaller companies to access capital or credit from other sources, such as banks. For many years, the audit profession was largely self-regulated. However, a number of high profile corporate failures around the globe called into question the value of external audits, the integrity of the audit process and thus the ability of the audit profession to regulate itself effectively. Independent oversight of the audit profession in the public interest was quickly and widely established as a means of improving audit quality and re-establishing faith in corporate financial reporting. 2.2. Establishing public audit oversight follows international good practices and expectations Globalization of trade and business has increased the number of companies operating across national borders and helped create an international market for capital and credit flows. As a result, investors and other private stakeholders have an increasing interest in promoting consistent, international good practices for transparency and integrity in capital and credit markets. For their part, individual countries have a strong interest in following international good practices in order to compete effectively for investment capital in the global marketplace and improve the efficiency and reach of their domestic capital and credit markets. Finally, national oversight bodies that regulate audits of companies with multinational reach must determine whether and to what extent they can rely on the oversight bodies of other countries to assess the effectiveness of auditing practices within their respective jurisdictions. For the reasons above, there has been an international drive to establish audit regulators that function effectively, act consistently, and coordinate and cooperate to oversee the audit profession, including the international audit networks that dominate the market for audits of 2 multi-national companies, listed companies and other so-called public interest entities. All 28 member states of the European Union (EU) are required by EU legislation 1 to establish independent public oversight systems for audit. Audit regulators have come together both bilaterally and in groups such as the Committee of European Auditing Oversight Bodies (CEAOB), the European Audit Inspection Group 2 (EAIG) and the International Forum of Independent Audit Regulators3 (IFIAR) to create awareness of important issues and promote cooperation and consistency amongst audit regulators on quality assurance inspections. They share inspection practices and findings among their members and facilitate discussions on topics related to audit inspections, as well as with relevant third parties such as standard- setters and the audit profession. 2.3. Public audit oversight directs and assists further development of the audit profession Independent audit oversight in the public interest can help direct and facilitate the development of the audit profession. Oversight works to maintain and strengthen auditing standards and practices and also acts as a focal point for policy issues which can be key to developing and promoting effective audits and improving the audit profession. 1 See http://ec.europa.eu/internal_market/auditing/directives/index_en.htm 2 See http://www.eaigweb.org/home.php 3 See https://www.ifiar.org/ 3 3. BASIC CHARACTERISTICS OF PUBLIC OVERSIGHT SYSTEMS This section sets out the basic characteristics of public oversight systems by reference to EU requirements and other international expectations. 3.1. EU requirements The key legal instrument that specifies the characteristics of Public Oversight Systems (POS) for member states of the European Union is the Directive 2006/43/EC on statutory audits of annual accounts and consolidated accounts as amended in 2014, often called the Statutory Audit Directive (SAD). In addition, further requirements are set out in Regulation 537/2014 on specific requirements regarding statutory audit of public-interest entities (the Regulation). All 28 EU member states have established POS in accordance with the requirements of the SAD. The relevant sections of the SAD and Regulation are included in section 5 and are summarized in the table below. Table 1: Summary of relevant sections of the SAD and Regulation Establish POS Member States should organize an effective system of public oversight (POS) for statutory auditors and audit firms and should designate a competent authority responsible for such oversight. Governance The POS should be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. They should be selected in accordance with an independent and transparent nomination procedure. Non-practitioners are defined as persons who have not within the preceding three years carried out statutory audit, held voting rights in an audit firm, been a member of the administrative, management or supervisory body of an audit firm or been employed or otherwise associated with an audit firm. Responsibilities of competent authority The competent authority shall: • have the ultimate responsibility for the oversight of: (a) the approval and registration of statutory auditors and audit firms; (b) the adoption of standards on professional ethics, internal quality control of audit firms and auditing, (c) continuing education, quality assurance and investigative and disciplinary systems. 4 • have the right to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. • publish annual work programmes and activity reports. • be adequately funded. The funding shall be secure and free from any undue influence by statutory auditors or audit firms Delegation of tasks Member States may delegate, or allow the competent authorities to delegate, any of the tasks required to be undertaken by the Directive and Regulation to other authorities or bodies designated to carry out such tasks, except for tasks related to: (a) the quality assurance system for auditors of PIEs; (b) investigations arising from that quality assurance system or from a referral by another authority; and (c) sanctions and measures relating to related to the quality assurance reviews of auditors of PIEs or investigation of statutory audits of public-interest entities. Quality assurance system for auditors Regular inspections are a good means of achieving a consistently high quality in statutory audits. Quality assurance should: • be independent of the reviewed statutory auditors and audit firms and subject to public oversight; • be performed directly by the competent authority in respect of the audits of public interest entities; • have quality assurance reviewers that have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; • the selection of reviewers shall be so that there are no conflicts of interest Frequency of inspections Quality assurance reviews shall take place at least every three years in respect of the auditors of public interest entities and at least every six years in the case of all other statutory auditors. Other requirements in the Audit Directive and Regulation The SAD also sets requirements for: • auditors’ qualifications (articles 3-13); • registration of auditors (articles 15-20); 5 • auditors’ professional ethics (articles 21-24); • auditing standards (article 26); • aspects of the audit process (articles 25, 27-28); • monitoring, investigation and sanctioning of auditors (articles 29-30); • oversight of auditors by competent authorities (articles 32-36, 47); and • regulation of third country auditors (articles 44-46). There are also some obligations in the SAD on audited entities, relating to: • appointment of auditors (article 37); • dismissal of auditors (article 38); and • establishment of an audit committee (article 39). The Regulation sets the following requirements in respect of the statutory audit of public- interest entities (PIEs): • conditions for carrying out statutory audit of PIEs (articles 4-15); • the appointment of statutory auditors or audit firms by PIEs (articles 16-19); • surveillance of the activities of statutory auditors and audit firms carrying out statutory audit of PIEs (articles 20-35); and • cooperation with third country authorities (articles 36-40). 3.2. International expectations As previously discussed in section 2.B of this paper, many multinational companies operate in multiple countries and are audited by international networks of audit firms. No one national body can adequately regulate such auditing on its own, and the international dimensions of audit oversight have assumed increasing importance. The creation of sound audit oversight systems and subsequent collaboration of institutions from different countries are crucial in the current global context to uphold consistent standards of audit quality across countries and to enable national oversight bodies to rely on the work of their counterparts in other countries where relevant. In addition to the EU requirements applicable to EU member states as described earlier, there are other international benchmarks for public oversight systems, most notable of which are those established by the International Forum of Independent Audit Regulators (IFIAR) 4. IFIAR brings together independent audit regulators from around 50 jurisdictions, including those from the most significant capital markets such as the US, Japan and the majority of EU states. IFIAR has sought to capture elements of good 4 See https://www.ifiar.org/ 6 practice in audit oversight through their membership criteria and core principles as presented below. According to IFIAR’s membership criteria, public oversight systems should be: • Independent of the audit profession, which means that a majority of the relevant governing body should be non-practitioners and funding should be free of undue influence by the profession 5; and • Engaged in audit regulatory functions in the public interest and responsible for the system of recurring inspection of audit firms undertaking audits of public interest entities, exercising that responsibility either directly or through oversight of inspections undertaken by professional bodies. IFIAR further specifies 11 core principles of public oversight systems arranged around three themes: The structure of audit oversight: 1. Principle 1: The responsibilities and powers of audit regulators should serve the public interest and be clearly and objectively stated in legislation. 2. Principle 2: Audit regulators should be operationally independent. 3. Principle 3: Audit regulators should be transparent and accountable. The operations of audit oversight: 4. Principle 4: Audit regulators should have comprehensive enforcement powers which include the capability to ensure that their inspection findings or recommendations are appropriately addressed; these enforcement powers should include the ability to impose a range of sanctions including, for example, fines and the removal of an audit license and/or registration. 5. Principle 5: Audit regulators should ensure that their staff is independent from the profession and should have sufficient staff of appropriate competence. 6. Principle 6: Audit regulators should be objective, free from conflicts of interest, and maintain appropriate confidentiality arrangements. 7. Principle 7: Audit regulators should make appropriate arrangements for cooperation with other audit regulators and, where relevant, other third parties. Audit inspection principles: 8. Principle 8: Audit regulators should as a minimum, conduct recurring inspections of audit firms undertaking audits of public interest entities in order to assess compliance 5 Profession includes, for example, audit firms, professional bodies and bodies or entities associated with the profession. 7 with applicable professional standards, independence requirements and other laws, rules and regulations. 9. Principle 9: Audit regulators should ensure that a risk-based inspections program is in place. 10. Principle 10: Audit regulators should ensure that inspections include effective procedures for both firm wide and file reviews. 11. Principle 11: Audit regulators should have a mechanism for reporting inspections findings to the audit firm and ensuring remediation of findings with the audit firm. 8 4. EFFECTIVENESS OF STRUCTURES: EXAMPLES OF EU PUBLIC OVERSIGHT SYSTEMS This section analyses the challenges involved in establishing public oversight systems and gives examples of what various EU member states have chosen to do. It addresses the choices and dilemmas involved, including the location of the Public Oversight Board (POB) that is responsible for the Public Oversight System (POS), the sources of funding of the POS, whether the POB inspects the work of all auditors including auditors of Public Interest Entities (PIEs), or whether it adopts an indirect supervision method by relying on the work of others such as a professional accountancy organization for non-PIE auditors. The analysis is based on EU member states’ 2016 IFIAR member profiles which are publicly available on the IFIAR website and other sources where available. Accordingly, this analysis does not include information about EU member states with audit regulators that not are members of IFIAR. Table 2: EU member states’ Public Oversight Systems - Location of regulator Part of a Part of IFIAR Independent # EU member state 6 government another member 7 regulator department regulator 1 Austria yes yes 2 Belgium yes yes 3 Bulgaria yes yes 4 Croatia yes yes 5 Cyprus yes yes 6 Czech Republic yes yes 7 Denmark yes yes 8 Estonia no 9 Finland yes yes 10 France yes yes 11 Germany yes yes 12 Greece yes yes 13 Hungary yes yes 14 Ireland yes yes 6 http://europa.eu/about-eu/countries/member-countries/index_en.htm 7 https://www.ifiar.org/members/member-directory/ 9 Part of a Part of IFIAR Independent # EU member state 6 government another member 7 regulator department regulator 15 Italy yes yes 16 Latvia no 17 Lithuania yes yes 18 Luxembourg yes yes 19 Malta no yes 20 Netherlands yes yes 21 Poland yes yes 22 Portugal yes yes 23 Romania no 24 Slovak Republic yes yes 25 Slovenia yes yes 26 Spain yes yes 27 Sweden yes yes 28 United Kingdom yes yes Table 3: EU member states’ Public Oversight Systems - Sources of funding for POB Companies and Auditors and # EU member state 8 State Other listing authorities audit profession 1 Austria yes yes 2 Belgium yes 3 Bulgaria yes 4 Croatia yes 5 Cyprus 6 Czech Republic yes 7 Denmark yes yes 8 Estonia 9 Finland yes 8 http://europa.eu/about-eu/countries/member-countries/index_en.htm 10 Companies and Auditors and # EU member state 8 State Other listing authorities audit profession 10 France yes 11 Germany yes yes 12 Greece yes 13 Hungary yes yes 14 Ireland yes yes 15 Italy yes yes 16 Latvia 17 Lithuania yes 18 Luxembourg yes yes 19 Malta yes yes 20 Netherlands yes yes 21 Poland yes 22 Portugal yes yes yes 23 Romania 24 Slovak Republic yes yes 25 Slovenia yes 26 Spain yes 27 Sweden yes 28 United Kingdom yes yes Table 4: EU member states’ Public Oversight Systems - POB statistics No. of No. of PIE No. of POB EU member No. of PIE No. of # audit audit Board state 9 audits POB staff firms firms members 1 Austria 374 18 6 27 2 Belgium 261 507 3 3 Bulgaria 177 5 4 Croatia 7 9 http://europa.eu/about-eu/countries/member-countries/index_en.htm 11 No. of No. of PIE No. of POB EU member No. of PIE No. of # audit audit Board state 9 audits POB staff firms firms members 5 Cyprus 6 Czech Republic 303 375 60 6 7 Denmark 950 1561 11 6 8 Estonia 9 Finland 600 66 16 14 5 10 France 3431 6600 350 14 50 11 Germany 1491 13000 3791 5 12 Greece 280 46 7 13 Hungary 300 3100 46 14 Ireland 1100 1600 7 8 15 Italy 1500 26 5 16 Latvia 17 Lithuania 149 172 7 18 Luxembourg 450 15 7 19 Malta 126 10 3 20 Netherlands 1049 356 10 4 21 Poland 1383 1606 123 9 22 Portugal 1300 229 5 23 Romania 24 Slovak Republic 600 232 6 25 Slovenia 58 54 18 9 26 Spain 7962 1224 189 14 18 27 Sweden 280 150 7 9 28 United Kingdom 2000 7000 49 13 The data in the Table 2, 3 and 4 is based on EU member states’ 2016 IFIAR member profiles available at https://www.ifiar.org/members/member-directory/. Cyprus joined in 2016 so does not have a member profile available. 12 4.1. Location of the public oversight system One fundamental characteristic is where the public oversight regulator is situated – is it an independent body, is it part of a government department, or is it part of another regulator such as a securities or financial services regulator? Of the 24 EU IFIAR members with profiles, 9 are independent bodies, 10 are part of a government department and 5 are part of another regulator such as a securities or financial services regulator. Public audit oversight and Public Oversight Boards (POBs) are only a comparatively recent innovation, and the amount of guidance and international experience available to assist national bodies in structuring their oversight systems was initially limited. The frameworks that have developed so far may have often resulted from existing circumstances as much as conscious design or the consideration of alternatives. However, a body of experience has now developed with alternative structures, and that experience may be helpful to national bodies in creating, evaluating, or considering possible reform of their own systems. The public oversight function in the United Kingdom's Financial Reporting Council, for example, has always been part of an independent regulator, while the public oversight function in the Netherlands has always been part of that country's financial markets regulator, the Authority for Financial Markets. The French audit oversight body, the H3C, was created in 2003 as a high-level independent public authority with direct links to the Ministry of Justice and has a working relationship with the combined banking and insurance regulator. Smaller EU countries also have a mix of approaches: Hungary’s POS is part of government; Bulgaria’s is independent; Malta’s is part of government; Lithuania’s is independent; and Greece’s is independent. Sometimes the lines are blurred; POBs can be relatively independent within government, or be independent but closely linked to a sponsoring government body or regulator. There are no clear differences within IFIAR between the ‘categories’ of audit regulators or any obvious impact on approaches to audit inspection and regulation. Those audit regulators that are also securities regulators are members of International Organization of Securities Commissions (IOSCO), the international organization of securities regulators, which addresses audit issues as a non-core activity. The different approaches were highlighted in a recent EU legislative reform debate when the EC proposed that the European Securities and Markets Authority (ESMA) be given oversight over audit regulation. The fewer EU member states who address audit oversight within their securities regulators supported the proposition, while others opposed it. 13 There can be some advantages, notably scale, to having the audit regulator as part of a wider functioning body such as government or a larger regulator. There can be advantages too in an independent audit regulator. Significant factors relevant to various structural alternatives are shown in the table below. Table 5: Significant factors relevant to various structural alternatives Factor Considerations State Budget A POB which is dependent on a stagnant, declining or insufficient State Budget and is prohibited from raising additional revenues may not be able to properly to perform its obligations. It might be better instead to form the POB as an entity that is not dependent on financing from the State Budget. Raising If the POB is considering raising revenues by charging fees directly from revenues public interest entities and if other regulators already levy fees on PIEs, it might be easier if PIEs were levied a single charge by one regulator. This does not necessarily mean that regulators should merge but it would make things easier from an administrative perspective it they did. Influence In countries where there is comparatively little appreciation of the value of a POB and all that it stands for, and where there is a much greater appreciation of other regulators, it might make sense at least in the short- term to establish the POB as part of another regulator. Pay scales Countries where civil service pay scales would be insufficient to attract appropriately qualified and experienced staff to a POB might consider establishing their POB outside of the civil service. Regulators’ Countries with a relatively small pool of accountants with significant accounting experience of IFRS and other financial reporting standards might benefit capacity from combining the POB with other regulators who need and would benefit from such experience as they review their regulated entities’ financial statements. Regulators’ Countries with a relatively small pool of experienced audit professionals audit might benefit from combining the POB with other regulators who need and capacity would benefit from such experience in their interactions with audit firms. Infrastructure Separate institutions and regulators require comparatively greater resources in terms of time and funds to establish and maintain infrastructure. Combining regulators may reduce overhead costs. 14 Factor Considerations Number of Countries with a relatively small number of PIEs might be better served by PIEs fewer regulators given that POBs tend to review the audits of individual PIEs on a three-year cycle and other regulators tend regularly to review PIEs’ financial statements. Number Countries with a relatively small number of auditors of PIEs might be better auditors of served by fewer regulators particularly as other regulators tend to meet PIEs regularly with PIEs’ auditors to discuss general industry issues as well as approaches to specific accounting and auditing concerns. Regulation of Countries with lots of regulation aimed solely at listed companies are likely listed to have a close relationship between the countries’ POB and securities entities. regulator; e.g., the US PCAOB has a close relationship with the SEC. Appetite of If other regulators are not keen on the idea of a super regulator or are likely other to regard an integrated POB as a distraction, burden or irrelevance, the regulators POB may be better kept separate. An independent body has a much clearer institutional focus on audit oversight and the governance arrangements are often clearer. Conclusion Each country’s specifics determine the best location for its regulator. POBs are situated variously in government, within wider-remit regulators or are independent. In smaller countries they may also either be part of government or independent but with close links to the sponsoring government department, especially in the start-up phase. There is no single model from a specific jurisdiction that has been shown to be better than another. They all have their specific merits and demerits and there is always room for improvements to be made to the audit supervisory model in order to adapt to the growing role for audit regulators and audit regulation. 4.2. Funding the public oversight system The funding arrangements differ between the members of IFIAR. Some are wholly funded by the state’s public funds; others receive a mix of funding from the state, regulated companies (directly or through the relevant listing authority) and audit firms (directly or through the relevant professional body). Of the 24 EU IFIAR members, 6 are funded entirely by the state; 10 are not funded in any way by the state including 7 that are funded entirely by audit firms; and 11 receive a mix of funding. 15 Smaller and more recently established POSs generally tend to be reliant for a large proportion or even for all of their funding from the state. Thus, the POSs in Slovenia, Bulgaria and Lithuania are funded entirely from the state. However, in Malta, 50% of the funding comes from the state and 50% from auditors; and in Greece, the POS is funded by audit firms but there is provision for the state to top this up if necessary. The larger IFIAR members, including the US, UK and Germany, tend to receive little or no state funding although Japan’s POS is 100% state funded. The IFIAR member profiles contain no information about their budgets. However, based on other sources, the following table illustrates the level of funding of POSs in countries whose POSs perform direct supervision of auditors of PIEs. The table relates the funding to the population of the country, the estimated number of PIEs and the number of audit firms performing those PIE audits. Table 6: Funding, population of the country, the estimated number of PIEs and the number of audit firms performing those PIE audits Funding Estimated number of Public Number of audit Country Population of POS (€) Interest Entities (PIEs) firms of PIEs Finland 1.0m 5.3m 600 16 Netherlands 6.8m 16.4m 1,100 12 Slovakia 0.7m 5.4m 600 Not available Sweden 2.4m 9.2m 270 7 Conclusion There is a range of funding sources and funding amounts among audit regulators. Within IFIAR the members’ funding sources are almost equally split between government funding, levies on auditors and companies and mixes of both. As POSs evolve, there is a trend towards less reliance on government funding. 4.3. Characteristics of POS boards There is a range of sizes of governing boards among IFIAR members. A majority have more than 6 members, however, and for the sake of interest, the largest POS (US) has only 5 board members, all of whom are full-time executives. Of public oversight boards of the 24 EU IFIAR members, 3 comprise four or less members, 10 comprise 5-7 members, 5 comprise 8-10 members, and 5 comprise more than 10 members. 16 Consistent with the EU requirements, all EU POS boards contain only non-practitioners, to avoid potential conflicts of interest. Public Oversight Boards at large IFIAR members typically include: • Retired professionals such as lawyers • Former audit professionals • Bankers • Directors or former directors of leading companies • Former civil servants By contrast, POS Boards in smaller or more recently-established members typically include: • Representatives of other regulators, government departments • Academics • Representatives from the Central Bank This difference in composition often reflects the level of development and sizes of auditing and other professions in the larger member states and the availability of large pools of retirees and other experts willing to serve on POS Boards, often at little or no cost. Where auditing and other professions are smaller or less established, greater reliance is often seen on personnel from government, regulatory bodies and academia. Conclusion POS Boards typically comprise 6-10 members although there is a wide range of sizes. There is also a wide range of POS Board member backgrounds, often reflecting the history and development of audit and other professions in the jurisdiction. 4.4. Potential transition path for new public oversight systems A World Bank report from 2004 concluded with regards to public oversight of the audit function that, “models recently introduced in more developed jurisdictions may not always be applicable in situations where the relative importance of the various stakeholder groups is different, and national regulators do not always have easy access to emerging international good practice and consensus” 10. International good practice, where the POS performs its own audit inspections and has sufficient funding and resources to be completely operationally independent of the 10 The World Bank – (September 2004) IMPLEMENTATION OF INTERNATIONAL ACCOUNTING AND AUDITING STANDARDS - Lessons Learned from the World Bank’s Accounting and Auditing ROSC Program 17 profession and others, may well be the ultimate goal. However, in a start-up phase, especially where resources and funding are limited, a more appropriate and effective solution may be more simple oversight of the professional body doing inspections and registration. Many of the members of IFIAR operated such regimes in their early stages (e.g. Austria, Germany and United Kingdom). In an early stage, government funding may also be preferable. Conclusion While complete operational independence of the POS may represent good practice in the longer term, funding and resource constraints in the start-up and early stages of POSs may require transition measures including oversight of professional body inspection systems and reliance on government funding and resources. 18 5. EXTRACTS FROM THE EU STATUTORY AUDIT DIRECTIVE AND EU REGULATION REGARDING STATUTORY AUDIT OF PUBLIC-INTEREST ENTITIES 5.1. Directive 2006/43/EC The key sections of the EU Statutory Audit Directive (SAD) relating to public oversight systems for audit are Chapters 8, 6 and 7 as set out below. Chapter VIII: Public Oversight and Regulatory Arrangements between Member States Article 32 Principles of public oversight 1. Member States shall organise an effective system of public oversight for statutory auditors and audit firms based on the principles set out in paragraphs 2 to 7 and shall designate a competent authority responsible for such oversight. 2. All statutory auditors and audit firms shall be subject to public oversight. 3. The system of public oversight shall be governed by non-practitioners who are knowledgeable in the areas relevant to statutory audit. They shall be selected in accordance with an independent and transparent nomination procedure. The competent authority may engage practitioners to carry out specific tasks and may also be assisted by experts when this is essential for the proper fulfilment of its tasks. In such instances, both the practitioners and the experts shall not be involved in any decision-making of the competent authority. 4. The competent authority shall have the ultimate responsibility for the oversight of: (a) the approval and registration of statutory auditors and audit firms; (b) the adoption of standards on professional ethics, internal quality control of audit firms and auditing, except where those standards are adopted or approved by other Member State authorities; and (c) continuing education, quality assurance and investigative and disciplinary systems. 4a. Member States shall designate one or more competent authorities to carry out the tasks provided for in this Directive. Member States shall designate only one competent authority bearing the ultimate responsibility for the tasks referred in this Article except for the purpose of the statutory audit of cooperatives, savings banks or similar entities as referred to in Article 45 of Directive 86/635/EEC, or a subsidiary or legal successor of 19 a cooperative, savings bank or similar entity as referred to in Article 45 of Directive 86/635/EEC. Member States shall inform the Commission of their designation. The competent authorities shall be organised in such a manner that conflicts of interests are avoided. 4b. Member States may delegate or allow the competent authority to delegate any of its tasks to other authorities or bodies designated or otherwise authorised by law to carry out such tasks. The delegation shall specify the delegated tasks and the conditions under which they are to be carried out. The authorities or bodies shall be organised in such a manner that conflicts of interest are avoided. Where the competent authority delegates tasks to other authorities or bodies, it shall be able to reclaim the delegated competences on a case- by-case basis. 5. The system of public oversight shall have the right, where necessary, to conduct investigations in relation to statutory auditors and audit firms and the right to take appropriate action. Where a competent authority engages experts to carry out specific assignments, it shall ensure that there are no conflicts of interest between those experts and the statutory auditor or the audit firm in question. Such experts shall comply with the same requirements as those provided for in point (a) of Article 29(2). The competent authority shall be given the powers necessary to enable it to carry out its tasks and responsibilities under this Directive. 6. The system of public oversight shall be transparent. This shall include the publication of annual work programmes and activity reports. 7. The system of public oversight shall be adequately funded and shall have adequate resources to initiate and conduct investigations, as referred to in paragraph 5. The funding of the public oversight system shall be secure and free from any undue influence by statutory auditors or audit firms. Article 33 Cooperation between public oversight systems at Community level Member States shall ensure that regulatory arrangements for public oversight systems permit effective cooperation at Community level in respect of Member States' oversight activities. To that end, each Member State shall make one entity specifically responsible for ensuring that cooperation. 20 Chapter VI: Quality Assurance Article 29 Quality assurance systems 1. Each Member State shall ensure that all statutory auditors and audit firms are subject to a system of quality assurance which meets at least the following criteria: (a) the quality assurance system shall be organised in such a manner that it is independent of the reviewed statutory auditors and audit firms and subject to public oversight; (b) the funding for the quality assurance system shall be secure and free from any possible undue influence by statutory auditors or audit firms; (c) the quality assurance system shall have adequate resources; (d) the persons who carry out quality assurance reviews shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; (e) the selection of reviewers for specific quality assurance review assignments shall be effected in accordance with an objective procedure designed to ensure that there are no conflicts of interest between the reviewers and the statutory auditor or audit firm under review; (f) the scope of the quality assurance review, supported by adequate testing of selected audit files, shall include an assessment of compliance with applicable auditing standards and independence requirements, of the quantity and quality of resources spent, of the audit fees charged and of the internal quality control system of the audit firm; (g) the quality assurance review shall be the subject of a report which shall contain the main conclusions of the quality assurance review; (h) quality assurance reviews shall take place on the basis of an analysis of the risk and, in the case of statutory auditors and audit firms carrying out statutory audits as defined in point (a) of point 1 of Article 2, at least every six years; (i) the overall results of the quality assurance system shall be published annually; (j) recommendations of quality reviews shall be followed up by the statutory auditor or audit firm within a reasonable period; (k) quality assurance reviews shall be appropriate and proportionate in view of the scale and complexity of the reviews statutory auditor or audit firm. If the recommendations referred to in point (j) are not followed up, the statutory auditor or audit firm shall, if applicable, be subject to the system of disciplinary actions or penalties referred to in Article 30. 21 Chapter VII: Investigations and Penalties Article 30 Systems of investigations and sanctions 1. Member States shall ensure that there are effective systems of investigations and penalties to detect, correct and prevent inadequate execution of the statutory audit. 2. Without prejudice to Member States' civil liability regimes, Member States shall provide for effective, proportionate and dissuasive penalties in respect of statutory auditors and audit firms, where statutory audits are not carried out in conformity with the provisions adopted in the implementation of this Directive, and, where applicable, Regulation (EU) No 537/2014. Member States may decide not to lay down rules for administrative sanctions for infringements which are already subject to national criminal law. In that event, they shall communicate to the Commission the relevant criminal law provisions. 3. Member States shall provide that measures taken and sanctions imposed on statutory auditors and audit firms are to be appropriately disclosed to the public. Sanctions shall include the possibility of the withdrawal of approval. Member States may decide that such disclosure shall not contain personal data within the meaning of point (a) of Article 2 of Directive 95/46/EC. Article 30a Sanctioning powers 1. Member States shall provide for competent authorities to have the power to take and/or impose at least the following administrative measures and sanctions for breaches of the provisions of this Directive and, where applicable, of Regulation (EU) No 537/2014: (a) a notice requiring the natural or legal person responsible for the breach to cease the conduct and to abstain from any repetition of that conduct; (b) a public statement which indicates the person responsible and the nature of the breach, published on the website of competent authorities; (c) a temporary prohibition, of up to three years' duration, banning the statutory auditor, the audit firm or the key audit partner from carrying out statutory audits and/or signing audit reports; (d) a declaration that the audit report does not meet the requirements of Article 28 of this Directive or, where applicable, Article 10 of Regulation (EU) No 537/2014; (e) a temporary prohibition, of up to three years' duration, banning a member of an audit firm or a member of an administrative or management body of a public- interest entity from exercising functions in audit firms or public-interest entities; 22 (f) the imposition of administrative pecuniary sanctions on natural and legal persons. 2. Member States shall ensure that the competent authorities are able to exercise their sanctioning powers in accordance with this Directive and national law and in any of the following ways: (a) directly; (b) in collaboration with other authorities; (c) by application to the competent judicial authorities. 3. Member States may confer on competent authorities other sanctioning powers in addition to those referred to in paragraph 1. 4. By way of derogation from paragraph 1, Member States may confer on authorities supervising public-interest entities, when they are not designated as the competent authority pursuant to Article 20(2) of Regulation (EU) No 537/2014, powers to impose sanctions for breaches of reporting duties provided for by that Regulation. Article 30b Effective application of sanctions When laying down rules pursuant to Article 30, Member States shall require that, when determining the type and level of administrative sanctions and measures, competent authorities are to take into account all relevant circumstances, including where appropriate: (a) the gravity and the duration of the breach; (b) the degree of responsibility of the responsible person; (c) the financial strength of the responsible person, for example as indicated by the total turnover of the responsible undertaking or the annual income of the responsible person, if that person is a natural person; (d) the amounts of the profits gained or losses avoided by the responsible person, in so far as they can be determined; (e) the level of cooperation of the responsible person with the competent authority; (f) previous breaches by the responsible legal or natural person. Additional factors may be taken into account by competent authorities, where such factors are specified in national law. Article 30c Publication of sanctions and measures 1. Competent authorities shall publish on their official website at least any administrative sanction imposed for breach of the provisions of this Directive or of Regulation (EU) No 23 537/2014 in respect of which all rights of appeal have been exhausted or have expired, as soon as reasonably practicable immediately after the person sanctioned has been informed of that decision, including information concerning the type and nature of the breach and the identity of the natural or legal person on whom the sanction has been imposed. Where Member States permit publication of sanctions which are subject to appeal, competent authorities shall, as soon as reasonably practicable, also publish on their official website information concerning the status and outcome of any appeal. 2. Competent authorities shall publish the sanctions imposed on an anonymous basis, and in a manner which is in conformity with national law, in any of the following circumstances: (a) where, in the event that the sanction is imposed on a natural person, publication of personal data is shown to be disproportionate by an obligatory prior assessment of the proportionality of such publication; (b) where publication would jeopardise the stability of financial markets or an ongoing criminal investigation; (c) where publication would cause disproportionate damage to the institutions or individuals involved. 3. Competent authorities shall ensure that any publication in accordance with paragraph 1 is of proportionate duration and that it remains on their official website for a minimum period of five years after all rights of appeal have been exhausted or have expired. The publication of sanctions and measures and of any public statement shall respect fundamental rights as laid down in the Charter of Fundamental Rights of the European Union, in particular the right to respect for private and family life and the right to the protection of personal data. Member States may decide that such publication or any public statement is not to contain personal data within the meaning of point (a) of Article 2 of Directive 95/46/EC. Article 30d Appeal Member States shall ensure that decisions taken by the competent authority in accordance with this Directive and Regulation (EU) No 537/2014 are subject to a right of appeal. Article 30e Reporting of breaches 1. Member States shall ensure that effective mechanisms are established to encourage reporting of breaches of this Directive or of Regulation (EU) No 537/2014 to the competent authorities. 24 2. The mechanisms referred to in paragraph 1 shall include at least: (a) specific procedures for the receipt of reports of breaches and their follow-up; (b) protection of personal data concerning both the person who reports the suspected or actual breach and the person who is suspected of committing, or who has allegedly committed that breach, in compliance with the principles laid down in Directive 95/46/EC; (c) appropriate procedures to ensure the right of the accused person to a defence and to be heard before the adoption of a decision concerning him or her, and the right to seek an effective remedy before a tribunal against any decision or measure concerning him or her. 3. Member States shall ensure that audit firms establish appropriate procedures for their employees to report potential or actual breaches of this Directive or of Regulation (EU) No 537/2014 internally through a specific channel. Article 30f Exchange of information 1. Competent authorities shall provide the CEAOB annually with aggregated information regarding all administrative measures and all sanctions imposed in accordance with this chapter. The CEAOB shall publish that information in an annual report. 2. Competent authorities shall immediately communicate to the CEAOB all temporary prohibitions referred to in points c) and e) of Article 30a(1). 5.2. Regulation (EU) NO 537/2014 The key sections of the Regulation on the specific requirements regarding the statutory audit of public-interest entities (the Regulation) in respect of public oversight systems are set out below. Article 14 Information for competent authorities Statutory auditors and audit firms shall provide annually to his, her or its competent authority a list of the audited public-interest entities by revenue generated from them, dividing those revenues into: (a) revenues from statutory audit; (b) revenues from non-audit services other than those referred to in Article 5(1) which are required by Union or national legislation; and, 25 (c) revenues from non-audit services other than those referred to in Article 5(1) which are not required by Union or national legislation. 5.3. Title IV: Surveillance of the activities of statutory auditors and audit firms carrying out statutory audit of public-interest entities Chapter I: Competent authorities Article 20 Designation of competent authorities 1. Competent authorities responsible for carrying out the tasks provided for in this Regulation and for ensuring that the provisions of this Regulation are applied shall be designated from amongst the following: (a) the competent authority referred to in Article 24(1) of Directive 2004/109/EC; (b) the competent authority referred to in point (h) of Article 24(4) of Directive 2004/109/EC; (c) the competent authority referred to in Article 32 of Directive 2006/43/EC. 2. By way of derogation from paragraph 1, Member States may decide that the responsibility for ensuring that all or part of the provisions of Title III of this Regulation are applied is to be entrusted to, as appropriate, the competent authorities referred to in: (a) Article 48 of Directive 2004/39/EC; (b) Article 24(1) of Directive 2004/109/EC; (c) point (h) of Article 24(4) of Directive 2004/109/EC; (d) Article 20 of Directive 2007/64/EC; (e) Article 30 of Directive 2009/138/EC; (f) Article 4(1) of Directive 2013/36/EU; or to other authorities designated by national law. 3. Where more than one competent authority has been designated pursuant to paragraphs 1 and 2, those authorities shall be organised in such a manner that their tasks are clearly allocated. 4. Paragraphs 1, 2 and 3 shall be without prejudice to the right of a Member State to make separate legal and administrative arrangements for overseas countries and territories with which that Member State has special relations. 5. The Member States shall inform the Commission of the designation of competent authorities for the purposes of this Regulation. 26 The Commission shall consolidate this information and make it public. Article 21 Conditions of independence The competent authorities shall be independent of statutory auditors and audit firms. The competent authorities may consult experts, as referred to in point (c) of Article 26(1), for the purpose of carrying out specific tasks and may also be assisted by experts when this is essential for the proper fulfilment of their tasks. In such instances, the experts shall not be involved in any decision-making. A person shall not be a member of the governing body, or responsible for the decision– making, of those authorities if during his or her involvement or in the course of the three previous years that person: (a) has carried out statutory audits; (b) held voting rights in an audit firm; (c) was member of the administrative, management or supervisory body of an audit firm; (d) was a partner, employee of, or otherwise contracted by, an audit firm. The funding of those authorities shall be secure and free from undue influence by statutory auditors and audit firms. Article 22 Professional secrecy in relation to competent authorities The obligation of professional secrecy shall apply to all persons who are or have been employed or independently contracted by, or involved in the governance of, competent authorities or by any authority or body to which tasks have been delegated under Article 24 of this Regulation. Information covered by professional secrecy may not be disclosed to any other person or authority except by virtue of the obligations laid down in this Regulation or the laws, regulations or administrative procedures of a Member State. Article 23 Powers of competent authorities 1. Without prejudice to Article 26, in carrying out their tasks under this Regulation, the competent authorities or any other public authorities of a Member State may not interfere with the content of audit reports. 2. Member States shall ensure that the competent authorities have all the supervisory and investigatory powers that are necessary for the exercise of their functions under this Regulation in accordance with the provisions of Chapter VII of Directive 2006/43/EC. 27 3. The powers referred to in paragraph 2 of this Article shall include, at least, the power to: (a) access data related to the statutory audit or other documents held by statutory auditors or audit firms in any form relevant to the carrying out of their tasks and to receive or take a copy thereof; (b) obtain information related to the statutory audit from any person; (c) carry out on-site inspections of statutory auditors or audit firms; (d) refer matters for criminal prosecution; (e) request experts to carry out verifications or investigations; (f) take the administrative measures, and impose the sanctions referred to in Article 30a of Directive 2006/43/EC. The competent authorities may use the powers referred to in the first subparagraph only in relation to: (a) statutory auditors and audit firms carrying out statutory audit of public-interest entities; (b) persons involved in the activities of statutory auditors and audit firms carrying out statutory audit of public-interest entities; (c) audited public-interest entities, their affiliates and related third parties; (d) third parties to whom the statutory auditors and the audit firms carrying out statutory audit of public-interest entities have outsourced certain functions or activities; and (e) persons otherwise related or connected to statutory auditors and audit firms carrying out statutory audit of public- interest entities. 4. Member States shall ensure that the competent authorities are allowed to exercise their supervisory and investigatory powers in any of the following ways: (a) directly; (b) in collaboration with other authorities; (c) by application to the competent judicial authorities. 5. The supervisory and investigatory powers of competent authorities shall be exercised in full compliance with national law, and in particular, with the principles of respect for private life and the right of defence. 6. The processing of personal data processed in the exercise of the supervisory and investigatory powers pursuant to this Article shall be carried out in accordance with Directive 95/46/EC. 28 Article 24 Delegation of tasks 1. Member States may delegate or allow the competent authorities referred to in Article 20(1) to delegate any of the tasks required to be undertaken pursuant to this Regulation to other authorities or bodies designated or otherwise authorised by law to carry out such tasks, except for tasks related to: (a) the quality assurance system referred to in Article 26; (b) investigations referred to in Article 23 of this Regulation and Article 32 of Directive 2006/43/EC arising from that quality assurance system or from a referral by another authority; and (c) sanctions and measures as referred to in Chapter VII of Directive 2006/43/EC related to the quality assurance reviews or investigation of statutory audits of public- interest entities. 2. Any execution of tasks by other authorities or bodies shall be the subject of an express delegation by the competent authority. The delegation shall specify the delegated tasks and the conditions under which they are to be carried out. Where the competent authority delegates tasks to other authorities or bodies, it shall be able to reclaim these competences on a case-by-case basis. 3. The authorities or bodies shall be organised in such a manner that there are no conflicts of interest. The ultimate responsibility for supervising compliance with this Regulation and with the implementing measures adopted pursuant thereto shall lie with the delegating competent authority. The competent authority shall inform the Commission and the competent authorities of Member States of any arrangement entered into with regard to the delegation of tasks, including the precise conditions governing such delegation. 4. By way of derogation from paragraph 1, Member States may decide to delegate the tasks referred to in point (c) of paragraph 1 to other authorities or bodies designated or otherwise authorised by law to carry out such tasks, when the majority of the persons involved in the governance of the authority or body concerned is independent from the audit profession. Article 25 Cooperation with other competent authorities at national level Competent authorities designated pursuant to Article 20(1) and, where appropriate, any authority to whom such a competent authority has delegated tasks shall cooperate at national level with: (a) the competent authorities referred to in Article 32(4) of Directive 2006/43/EC; 29 (b) the authorities referred to in Article 20(2), whether or not they have been designated competent authorities for the purposes of this Regulation; (c) the financial intelligence units and the competent authorities referred to in Articles 21 and 37 of Directive 2005/60/EC. For the purposes of such cooperation, the obligation of professional secrecy under Article 22 of this Regulation shall apply. Chapter II: Quality assurance, market monitoring, and transparency of competent authorities Article 26 Quality assurance 1. For the purposes of this Article: (a) ‘inspections’ means quality assurance reviews of statutory auditors and audit firms, which are led by an inspector and which do not constitute an investigation within the meaning of Article 32(5) of Directive 2006/43/EC; (b) ‘inspector’ means a reviewer who meets the requirements set out in point (a) of the first subparagraph of paragraph 5 of this Article and who is employed or otherwise contracted by a competent authority; (c) ‘expert’ means a natural person who has specific expertise in financial markets, financial reporting, auditing or other fields relevant for inspections, including practising statutory auditors. 2. The competent authorities designated under Article 20(1) shall establish an effective system of audit quality assurance. They shall carry out quality assurance reviews of statutory auditors and audit firms that carry out statutory audits of public-interest entities on the basis of an analysis of the risk and: (a) in the case of statutory auditors and audit firms carrying out statutory audits of public-interest entities other than those defined in points (17) and (18) of Article 2 of Directive 2006/43/EC at least every three years; and, (b) in cases other than those referred to in point (a), at least every six years. 3. The competent authority shall have the following responsibilities: (a) approval and amendment of the inspection methodologies, including inspection and follow-up manuals, reporting methodologies and periodic inspection programmes; (b) approval and amendment of inspection reports and follow-up reports; (c) approval and assignment of inspectors for each inspection. The competent authority shall allocate adequate resources to the quality assurance system. 4. The competent authority shall organise the quality assurance system in a manner that is independent of the reviewed statutory auditors and audit firms. The competent 30 authority shall ensure that appropriate policies and procedures related to the independence and objectivity of the staff, including inspectors, and the management of the quality assurance system are put in place. 5. The competent authority shall comply with the following criteria when appointing inspectors: (a) inspectors shall have appropriate professional education and relevant experience in statutory audit and financial reporting combined with specific training on quality assurance reviews; (b) a person who is a practising statutory auditor or is employed by or otherwise associated with a statutory auditor or an audit firm shall not be allowed to act as an inspector; (c) a person shall not be allowed to act as an inspector in an inspection of a statutory auditor or an audit firm until at least three years have elapsed since that person ceased to be a partner or employee of that statutory auditor or of that audit firm or to be otherwise associated with that statutory auditor or audit firm; (d) inspectors shall declare that there are no conflicts of interest between them and the statutory auditor and the audit firm to be inspected. By way of derogation from point (b) of paragraph 1, a competent authority may contract experts for carrying out specific inspections when the number of inspectors within the authority is insufficient. The competent authority may also be assisted by experts when this is essential for the proper conduct of an inspection. In such instances, the competent authorities and the experts shall comply with the requirements of this paragraph. Experts shall not be involved in the governance of, or employed or otherwise contracted by professional associations and bodies but may be members of such associations or bodies. 6. The scope of inspections shall at least cover: (a) an assessment of the design of the internal quality control system of the statutory auditor or of the audit firm; (b) adequate compliance testing of procedures and a review of audit files of public- interest entities in order to verify the effectiveness of the internal quality control system; (c) in the light of the findings of the inspection under points (a) and (b) of this paragraph, an assessment of the contents of the most recent annual transparency report published by a statutory auditor or an audit firm in accordance with Article 13. 7. At least the following internal quality control policies and procedures of the statutory auditor or the audit firm shall be reviewed: 31 (a) compliance by the statutory auditor or the audit firm with applicable auditing and quality control standards, and ethical and independence requirements, including those set out in Chapter IV of Directive 2006/43/EC and Articles 4 and 5 of this Regulation, as well as relevant laws, regulations and administrative provisions of the Member State concerned; (b) the quantity and quality of resources used, including compliance with continuing education requirements as set out in Article 13 of Directive 2006/43/EC; (c) compliance with the requirements set out in Article 4 of this Regulation on the audit fees charged. For the purposes of testing compliance, audit files shall be selected on the basis of an analysis of the risk of a failure to carry out a statutory audit adequately. Competent authorities shall also periodically review the methodologies used by statutory auditors and audit firms to carry out statutory audits. In addition to the inspection covered by the first subparagraph, competent authorities shall have the power to perform other inspections. 8. The findings and conclusions of inspections on which recommendations are based, including the findings and conclusions related to a transparency report, shall be communicated to and discussed with the inspected statutory auditor or audit firm before an inspection report is finalised. Recommendations of inspections shall be implemented by the inspected statutory auditor or audit firm within a reasonable period set by the competent authority. Such period shall not exceed 12 months in the case of recommendations on the internal quality control system of the statutory auditor or of the audit firm. 9. The inspection shall be the subject of a report which shall contain the main conclusions and recommendations of the quality assurance review. Article 27 Monitoring market quality and competition 1. The competent authorities designated under Article 20(1) and the European Competition Network (ECN), as appropriate, shall regularly monitor the developments in the market for providing statutory audit services to public-interest entities and shall in particular assess the following: (a) the risks arising from high incidence of quality deficiencies of a statutory auditor or an audit firm, including systematic deficiencies within an audit firm network, which may lead to the demise of any audit firm, the disruption in the provision of statutory audit services whether in a specific sector or across sectors, the further accumulation of risk of audit deficiencies and the impact on the overall stability of the financial sector; 32 (b) the market concentration levels, including in specific sectors; (c) the performance of audit committees; (d) the need to adopt measures to mitigate the risks referred to in point (a). 2. By 17 June 2016, and at least every three years thereafter, each competent authority and the ECN, shall draw up a report on developments in the market for providing statutory audit services to public-interest entities and submit it to the CEAOB, ESMA, EBA, EIOPA and the Commission. The Commission, following consultations with the CEAOB, ESMA, EBA and EIOPA shall use those reports to draw up a joint report on those developments at Union level. That joint report shall be submitted to the Council, the European Central Bank and the European Systemic Risk Board, as well as, where appropriate, to the European Parliament. Article 28 Transparency of competent authorities Competent authorities shall be transparent and shall at least publish: (a) annual activity reports regarding their tasks under this Regulation; (b) annual work programmes regarding their tasks under this Regulation; (c) a report on the overall results of the quality assurance system on an annual basis. This report shall include information on recommendations issued, follow-up on the recommendations, supervisory measures taken and sanctions imposed. It shall also include quantitative information and other key performance information on financial resources and staffing, and the efficiency and effectiveness of the quality assurance system; (d) the aggregated information on the findings and conclusions of inspections referred to in the first subparagraph of Article 26(8). Member States may require the publication of those findings and conclusions on individual inspections. 33