(1)

Under Article 47(1) of Directive 2006/43/EC, the competent authorities of Member States may allow the transfer of audit working papers or other documents held by statutory auditors or audit firms approved by them and of inspection or investigation reports relating to the audits in question to the competent authorities of a third country only if those authorities meet requirements that have been declared adequate by the Commission and there are reciprocal working arrangements between them and the competent authorities of the Member States concerned. It therefore needs to be determined whether the competent authorities of certain third countries meet requirements which are adequate for the purpose of having audit working papers or other documents held by statutory auditors or audit firms and inspection or investigation reports transferred to them.

(2)

A decision on adequacy under Article 47(3) of Directive 2006/43/EC does not address other specific requirements for the transfer of audit working papers and other documents held by statutory auditors or audit firms and of inspection or investigation reports, such as the agreement on reciprocal working arrangements between the competent authorities set out in Article 47(1)(d) of that Directive, or the requirements for the transfer of personal data set out in Article 47(1)(e) of that Directive.

(3)

For the purposes of this Decision, the competent authorities of certain territories which are designated by law and are in charge of the regulation and/or oversight of statutory auditors and audit firms or of specific aspects thereof in those territories should be treated as competent authorities of third countries.

(4)

A transfer of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports to the competent authority of a third country or territory reflects the substantial public interest in carrying out independent public oversight. Accordingly, the competent authorities of Member States should, in the framework of the working arrangements referred to in Article 47(2) of Directive 2006/43/EC, ensure that the competent authority of the third country or territory concerned uses any documents transferred to it in accordance with Article 47(1) of that Directive only to exercise its functions of public oversight, external quality assurance and investigations of auditors and audit firms.

(5)

The transfer of audit working papers or other documents held by statutory auditors or audit firms to the competent authority of a third country or territory includes the granting of access to or transmission of such papers to such an authority by the statutory auditor or audit firm holding the paper upon prior agreement of the competent authority of the Member State concerned or by that authority itself.

(6)

When inspections or investigations are carried out, statutory auditors and audit firms are not allowed to grant access to or to transmit their audit working papers or other documents to the competent authorities of third countries or territories under any other conditions than those set out in Article 47 of Directive 2006/43/EC and in this Decision.

(7)

Without prejudice to Article 47(4) of Directive 2006/43/EC, Member States should ensure that, for the purposes of public oversight, quality assurance and investigations of statutory auditors and audit firms, contacts between the statutory auditors or audit firms approved by them and the competent authority of the third country or territory concerned take place via the competent authorities of the Member State concerned.

(8)

Member States should ensure that the working arrangements required by Directive 2006/43/EC to transfer audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports between their competent authorities and the competent authorities of a third country or territory which are subject to this Decision are agreed on the basis of reciprocity, and include protection of any professional secrets and sensitive commercial information contained in such papers relating to the entities audited, including their industrial and intellectual property, or to the statutory auditors and audit firms that audited those entities.

(9)

Where a transfer of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports to the competent authorities of a third country or territory concerned involves the disclosure of personal data, such a disclosure is lawful only if it also complies with the requirements for international data transfers laid down in Directive 95/46/EC of the European Parliament and of the Council (2). Article 47(1)(e) of Directive 2006/43/EC therefore requires Member States to ensure that the transfer of personal data between their competent authorities and the competent authority of the third country or territory concerned complies with Chapter IV of Directive 95/46/EC. Member States should ensure that there are appropriate safeguards for the protection of personal data transferred, if necessary through binding agreements, and that the competent authority of a third country or territory will not further disclose personal data contained in the documents transferred without the prior agreement of the competent authorities of the Member States concerned.

(10)

The adequacy of requirements that the competent authority of a third country or territory is subject to is assessed in light of the regulatory cooperation requirements set out in Article 36 of Directive 2006/43/EC or essentially equivalent functional results. In particular, adequacy should be assessed having regard to the competences exercised by the competent authority of the third country or territory concerned, the applicable safeguards against breaches of professional secrecy and confidentiality rules, and the conditions laid down in the laws and regulations of the third country or territory concerned under which those competent authorities may cooperate with the competent authorities of Member States.

(11)

Persons employed or formerly employed by the competent authorities of third countries or territories that receive audit working papers or other documents in accordance with Article 47(1) of Directive 2006/43/EC should be subject to obligations of professional secrecy.

(12)

Statutory auditors and audit firms approved by a Member State that audit companies which have issued securities in Brazil, Dubai International Financial Centre, Guernsey, Indonesia, the Isle of Man, Jersey, Malaysia, South Africa, South Korea, Taiwan or Thailand, or which form part of a group issuing statutory consolidated accounts in one of those third countries or territories, are regulated under the domestic laws of the respective third country or territory. It should therefore be decided whether the competent authorities of those third countries and territories meet requirements which can be considered adequate having regard to the regulatory cooperation requirements set out in Article 36 of Directive 2006/43/EC or essentially equivalent in their function.

(13)

Adequacy assessments for the purposes of Article 47 of Directive 2006/43/EC have been carried out with respect to the competent authorities of Brazil, Dubai International Financial Centre, Guernsey, Indonesia, the Isle of Man, Jersey, Malaysia, South Africa, South Korea, Taiwan and Thailand. Decisions on the adequacy of those authorities should be based on those assessments.

(14)

The Comissão de Valores Mobiliários of Brazil has competence in public oversight, external quality assurance and investigations of auditors and audit firms. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the laws and regulations of Brazil, it may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Comissão de Valores Mobiliários of Brazil meets requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(15)

The Dubai Financial Service Authority of Dubai International Financial Centre has competence in public oversight, external quality assurance and investigations of auditors and audit firms. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the laws and regulations of Dubai and of Dubai International Financial Centre, the Dubai Financial Service Authority may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Dubai Financial Service Authority of Dubai International Financial Centre meets requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(16)

The Registrar of Companies of Guernsey has competence in public oversight, external quality assurance and investigations of auditors and audit firms. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the laws and regulations of Guernsey, it may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Registrar of Companies of Guernsey meets requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(17)

The Finance Professions Supervisory Centre of Indonesia has competence in public oversight, external quality assurance and investigations of auditors and audit firms. The Finance Professions Supervisory Centre of Indonesia carries out its duties together with or in parallel to the Financial Services Authority, but is the national regulator of the audit profession in Indonesia. Therefore, the Finance Professions Supervisory Centre of Indonesia is the competent authority for the purposes of Article 47(1)(c) of Directive 2006/43/EC. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. A conclusion that the Finance Professions Supervisory Centre of Indonesia may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC can presently be based on the interpretation of laws and regulations of Indonesia. The regulatory cooperation between the Finance Professions Supervisory Centre of Indonesia and the competent authorities of the Member States should therefore be subject to close monitoring and review by the Commission. On that basis, the Finance Professions Supervisory Centre of Indonesia meets requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC for a limited period of time.

(18)

The Financial Supervision Commission of the Isle of Man has competence in public oversight, external quality assurance and investigations of auditors and audit firms. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the laws and regulations of the Isle of Man, it may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Financial Supervision Commission of the Isle of Man meets requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(19)

The Jersey Financial Services Commission has competence in public oversight, external quality assurance and investigations of auditors and audit firms. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the laws and regulations of Jersey, it may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Jersey Financial Services Commission meets requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(20)

The Audit Oversight Board of Malaysia has competence in public oversight, external quality assurance and investigations of auditors and audit firms, including matters of cooperation with relevant foreign authorities on exchange and transfer of information for audit oversight purposes, and this Decision should only cover these competences. The Audit Oversight Board carries out its duties on behalf of the Securities Commission of Malaysia, but operates independently of it. Therefore, the Audit Oversight Board of Malaysia is the competent authority for the purposes of Article 47(1)(c) of Directive 2006/43/EC. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the laws and regulations of Malaysia, it may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Audit Oversight Board of Malaysia meets requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(21)

The Independent Regulatory Board for Auditors of South Africa has competence in public oversight, external quality assurance and investigations of auditors and audit firms. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the laws and regulations of South Africa, it may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. Documents obtained in the performance of inspections and inspection reports may however only be shared with the consent of the auditor or audit firm registered with the Independent Regulatory Board for Auditors of South Africa. That requirement may present difficulties in implementing the regulatory cooperation requirements set out in Article 47 of Directive 2006/43/EC. Therefore, the regulatory cooperation between the Independent Regulatory Board for Auditors of South Africa and the competent authorities of the Member States should be subject to close monitoring and review by the Commission to assess whether the consent requirement presents an obstacle to information exchange in practice. On that basis, the requirements met by the Independent Regulatory Board for Auditors of South Africa should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC for a limited period of time.

(22)

The Financial Services Commission of South Korea and the Financial Supervisory Service of South Korea within the Financial Services Commission have competence in public oversight, external quality assurance and investigations of auditors and audit firms. The Financial Services Commission has overall policy responsibility for audit matters, while the Financial Supervisory Service has responsibility for the conduct of inspections and investigations for the Financial Services Commission. This Decision should cover the Financial Supervisory Service within the Financial Services Commission and the competences of the Financial Services Commission for audit oversight. The Financial Services Commission and the Financial Supervisory Service implement adequate safeguards prohibiting and sanctioning disclosure by their current or former employees of confidential information to any third person or authority. Under the laws and regulations of South Korea, they may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Financial Services Commission of South Korea and the Financial Supervisory Service of South Korea meet requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(23)

The Financial Supervisory Commission of Taiwan has competence in public oversight, external quality assurance and investigations of auditors and audit firms. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the laws and regulations of Taiwan, it may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Financial Supervisory Commission of Taiwan meets requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(24)

The Securities and Exchange Commission of Thailand has competence in public oversight, external quality assurance and investigations of auditors and audit firms. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the laws and regulations of Thailand, it may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC. On that basis, the Securities and Exchange Commission of Thailand meets requirements which should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(25)

This Decision does not affect the cooperation arrangements referred to in Article 25(4) of Directive 2004/109/EC of the European Parliament and of the Council (3).

(26)

This Decision aims to facilitate effective cooperation between the competent authorities of the Member States and those of Brazil, Dubai International Financial Centre, Guernsey, Indonesia, the Isle of Man, Jersey, Malaysia, South Africa, South Korea, Taiwan and Thailand. Its purpose is to allow those authorities to exercise their functions of public oversight, external quality assurance and investigations and, at the same time, to protect the rights of the parties concerned. Member States are under the obligation to communicate to the Commission the reciprocal working arrangements concluded with those authorities to allow the Commission to assess whether cooperation is in accordance with Article 47 of Directive 2006/43/EC.

(27)

The ultimate objective of cooperation on audit oversight with Brazil, Dubai International Financial Centre, Guernsey, Indonesia, the Isle of Man, Jersey, Malaysia, South Africa, South Korea, Taiwan and Thailand is to reach mutual reliance on each other's oversight systems. In that way, transfers of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports should become the exception. Mutual reliance would be based on the equivalence of auditor oversight systems of the Union and of the third country or territory concerned.

(28)

The Commission will monitor developments in the supervisory and regulatory framework of the third countries and territories concerned on a regular basis. This Decision will be reviewed as appropriate in light of the supervisory and regulatory changes in the Union and in the third countries and territories concerned, taking into account available sources of relevant information. In particular, the Commission, assisted by the CEAOB as referred to in Article 30(7)(c) and Article 30(12) of Regulation (EU) No 537/2014 of the European Parliament and of the Council (4), can reassess adequacy at any time, in particular where there has been a change in the relevant law or facts. That reassessment could lead to the withdrawal of its declaration of adequacy.

(29)

The European Data Protection Supervisor delivered an opinion on 17 December 2015.

(30)

The measures provided for in this Decision are in accordance with the opinion of the Committee established by Article 48(1) of Directive 2006/43/EC,

(1)

the Comissão de Valores Mobiliários of Brazil;

(2)

the Dubai Financial Service Authority of Dubai International Financial Centre;

(3)

the Registrar of Companies of Guernsey;

(4)

the Finance Professions Supervisory Centre of Indonesia;

(5)

the Financial Supervision Commission of the Isle of Man;

(6)

the Jersey Financial Services Commission;

(7)

the Audit Oversight Board of Malaysia;

(8)

the Independent Regulatory Board for Auditors of South Africa;

(9)

the Financial Services Commission of South Korea and the Financial Supervisory Service of South Korea;

(10)

the Financial Supervisory Commission of Taiwan;

(11)

the Securities and Exchange Commission of Thailand.