(1)

Under Article 47(1) of Directive 2006/43/EC, Member States may allow the transfer of audit working papers or other documents held by statutory auditors or audit firms approved by them, and of inspection or investigation reports relating to the audits in question, to the competent authorities of a third country only if those authorities meet requirements that have been declared adequate by the Commission and there are working arrangements on the basis of reciprocity between them and the competent authorities of the Member States concerned.

(2)

A decision on adequacy under Article 47(3) of Directive 2006/43/EC does not address other specific requirements for the transfer of audit working papers and other documents held by statutory auditors or audit firms and of inspection or investigation reports, such as the agreement on working arrangements on the basis of reciprocity between the competent authorities set out in Article 47(1)(d) of Directive 2006/43/EC, or the requirements for the transfer of personal data set out in Article 47(1)(e) of that Directive.

(3)

Cooperation over the transfer of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports to the competent authority of a third country reflects the substantial public interest in carrying out independent public oversight. Accordingly, the competent authorities of the Member States should, in the framework of the working arrangements referred to in Article 47(2) of Directive 2006/43/EC, ensure that the competent authority of South Africa uses any documents transferred to it in accordance with Article 47(1) of that Directive only to exercise its functions of public oversight, external quality assurance and investigations of auditors and audit firms.

(4)

When inspections or investigations are carried out, statutory auditors and audit firms are not allowed to grant access to or to transmit their audit working papers or other documents to the competent authority of South Africa under any other conditions than those set out in Article 47 of Directive 2006/43/EC and in this Decision.

(5)

Without prejudice to Article 47(4) of Directive 2006/43/EC, Member States should ensure that, for the purposes of public oversight, quality assurance and investigations of statutory auditors and audit firms, contacts between the statutory auditors or audit firms approved by them and the competent authority of South Africa take place via the competent authorities of the Member States concerned.

(6)

In accordance with Article 47(1)(d) of Directive 2006/43/EC, the possibility for Member States to allow the transfer to the competent authority of South Africa of audit working papers or other documents held by statutory auditors or audit firms approved by them and of inspection or investigation reports is subject to the condition that working arrangements are agreed between the competent authorities concerned.

(7)

Member States should ensure that such working arrangements between their competent authorities and the competent authority of South Africa are agreed on the basis of reciprocity and subject to the conditions of Article 47(1) and (2) of Directive 2006/43/EC, including the protection of any professional secrets and commercial interests, including industrial and intellectual property, contained in such papers relating to the entities audited or to the statutory auditors and audit firms that audited those entities.

(8)

Where a transfer of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports to the competent authority of South Africa involves the transfer of personal data, such a transfer is lawful only if it also complies with the requirements for international data transfers laid down in Regulation (EU) 2016/679 of the European Parliament and of the Council (2). Article 47(1)(e) of Directive 2006/43/EC therefore requires Member States to ensure that the transfer of personal data between their competent authorities and the competent authority of South Africa complies with any applicable data protection principles and rules and, in particular, with the provisions of Chapter V of Regulation (EU) 2016/679. Member States should ensure that appropriate safeguards for the transfer of personal data are provided for, in accordance with Article 46 of Regulation (EU) 2016/679. In addition, Member States should ensure that the competent authority of South Africa will not further disclose personal data contained in the documents transferred without the prior agreement of the competent authorities of the Member States concerned.

(9)

The Independent Regulatory Board for Auditors (IRBA) is the competent authority of South Africa responsible for the public oversight, external quality assurance and investigations of auditors and audit firms. It implements adequate safeguards prohibiting and sanctioning disclosure by its current or former employees of confidential information to any third person or authority. Under the South African Audit Profession Act 2005 and the IRBA Code of Conduct, the IRBA may transfer to the competent authorities of the Member States documents equivalent to those referred to in Article 47(1) of Directive 2006/43/EC.

(10)

Documents obtained by the IRBA in the performance of inspections and inspection reports may only be shared with the consent of the auditor or audit firm registered with the IRBA. That requirement may present difficulties in implementing the regulatory cooperation requirements contemplated under Article 47 of Directive 2006/43/EC. Therefore, the regulatory cooperation between the IRBA and the competent authorities of the Member States should be subject to close monitoring and review by the Commission to assess whether the consent requirement presents an obstacle to information exchange in practice.

(11)

The IRBA is the competent authority responsible to cooperate and enter into bilateral agreements with the Member States’ competent authorities for the transfer of audit working papers. Confidentiality of audit working papers is ensured by the South African ‘common law’ on professional secrecy, which sets out a general professional duty and obligation to observe confidentiality of client material by the auditor.

(12)

Under the laws and regulations of South Africa, the IRBA may be subject to the requirement to share the information referred to in Article 47(1) of Directive 2006/43/EC with an ‘appropriate regulator’ but has discretionary powers to decide whether such onward sharing would be in the protection of the public and the public interest. When signing bilateral working agreements with the IRBA, the competent authorities of Member States could demand the IRBA to request their prior consent if the IRBA is compelled to transfer to an ‘appropriate regulator’ any non-public information received in the course of the cooperation. Furthermore, they should consider a requirement that the IRBA may share such information only with those entities identified in the agreements, stating that these entities should maintain such information as confidential and privileged. Moreover, the processing of personal data may only be performed for the specified purpose mentioned in this Decision, as stated in recital 3 and Article 1, and in accordance with the conditions mentioned in particular under recital 8 of this Decision.

(13)

Under Article 1 of Commission Implementing Decision (EU) 2016/1010 (3), several competent authorities of third countries or territories, including the IRBA, were declared adequate within the meaning of Article 47(1)(c) of Directive 2006/43/EC for the purpose of transfers of audit working papers or other documents and of inspection and investigation reports. Pursuant to Article 3 of Implementing Decision (EU) 2016/1010, that Implementing Decision ceased to apply with respect to the IRBA on 1 August 2019.

(14)

Although the IRBA did not enter into any bilateral working arrangements with any of the competent authorities of the Member States prior to 31 July 2019, some Member States have shown interest in developing cooperation with the IRBA.

(15)

The Committee of European Auditing Oversight Bodies (CEAOB) has reassessed the legal framework in South Africa, based on the Audit Profession Act of 2005, which has not changed since Implementing Decision (EU) 2016/1010. Taking into account the technical assessment of the CEAOB referred to in Article 30(7)(c) of Regulation (EU) No 537/2014 of the European Parliament and of the Council (4), the IRBA meets requirements that should be declared adequate for the purposes of Article 47(1)(c) of Directive 2006/43/EC.

(16)

This Decision does not affect the cooperation arrangements referred to in Article 25(4) of Directive 2004/109/ECof the European Parliament and of the Council (5).

(17)

Any conclusion on the adequacy of the requirements met by the competent authorities of a third country pursuant to the first subparagraph of Article 47(3) of Directive 2006/43/EC does not pre-empt any decision that the Commission may adopt on the equivalence of the public oversight, quality assurance, investigation and penalty systems for auditors and audit entities of that third country pursuant to Article 46(2) of that Directive.

(18)

This Decision aims to facilitate effective cooperation between the competent authorities of the Member States and the IRBA. Its purpose is to allow those authorities to exercise their functions of public oversight, external quality assurance and investigations and, at the same time, to protect the rights of the parties concerned. Where a competent authority decides to enter into working arrangements on the basis of reciprocity with the IRBA in order to enable the transfer of audit working papers and other documents held by statutory auditors or audit firms and of inspection or investigation reports, the Member State concerned is under the obligation to communicate to the Commission the reciprocal working arrangements concluded with the IRBA to allow the Commission to assess whether cooperation is in accordance with Article 47of Directive 2006/43/EC.

(19)

The ultimate objective of cooperation on audit oversight between Member States’ competent authorities and the IRBA is to reach mutual reliance on each other’s oversight systems and to enhance convergence in audit quality. Such mutual reliance and enhanced convergence would be based on the equivalence of the audit oversight systems of the Union and of South Africa. As a consequence, transfers of audit working papers or other documents held by statutory auditors or audit firms and of inspection or investigation reports should ultimately become the exception.

(20)

Given that there is a lack of practical experience in supervisory cooperation with the IRBA, and thus an inability to currently assess whether the requirement for the IRBA to procure the prior consent of the auditor or audit firm in order to share the documents obtained in the performance of inspections and inspection reports presents an obstacle to information exchange in practice, this Decision should be applicable for a limited period of time.

(21)

Notwithstanding the time limitation, the Commission will monitor on a regular basis the market developments, evolution of the supervisory and regulatory frameworks and the effectiveness of supervisory cooperation, taking into account experience gained during supervisory cooperation also based on Member States’ input. In particular, the Commission may undertake a specific review of this Decision at any time before the end of its expiration period where relevant developments make it necessary to re-assess the declaration of adequacy granted by this Decision. Such re-assessment could lead to the repeal of this Decision.

(22)

The European Data Protection Supervisor delivered an opinion on 3 December 2019.

(23)

The measures provided for in this Decision are in accordance with the opinion of the Committee established pursuant to Article 48(1) of Directive 2006/43/EC,