AUD 4.11.3 Guidance

1. The DFSA expects a Registered Auditor to implement policies and procedures under AUD Rule 4.11.2 that are appropriate based on the nature, scale and complexity of the Registered Auditor’s business. For example, a larger auditor is expected to have more detailed and comprehensive policies and procedures in place.
2. The policies and procedures should:
a. include internal arrangements to allow for reports to be made by whistleblowers;
b. include adequate procedures to deal with, assess and, where appropriate, escalate reports to the senior management of the Registered Auditor or, if necessary, to the DFSA or to any other relevant authority;
c. include reasonable measures to protect the identity and confidentiality of whistleblowers;
d. include reasonable measures to protect the whistleblower from suffering any detriment as a result of the report;
e. ensure that, where appropriate and feasible, feedback is provided to the whistleblower; and
f. include reasonable measures to manage any conflicts of interest and ensure the fair treatment of any person who is the subject of an allegation in a report.
3. A Registered Auditor’s whistleblowing policies and procedures should generally encourage reporting of concerns first to the Registered Auditor itself. However, the policies and procedures should also take into account that there may be circumstances where it is appropriate, or a whistleblower may prefer, to report the concerns directly to the DFSA or to another relevant authority.
4. The records under AUD Rule 4.11.3 should include:
a. the date the report was received;
b. a summary of the concerns raised;
c. the steps taken by the Registered Auditor in relation to the report until the matter is resolved;
d. any steps taken to maintain the confidentiality of the whistleblower and to ensure fair treatment of the whistleblower;
e. the list of persons who have knowledge of the report;
f. the outcome of the review of the report including the rationale for the outcome and any decision on whether or not to disclose the report to the DFSA or any other relevant authority; and
g. references or links to all documentation and review papers in relation to the report.
5. A Registered Auditor may be required to make its records of whistleblowing reports available to the DFSA for inspection.
6. In addition to the requirements in these Rules, Article 68A of the Regulatory Law provides legal protection to a whistleblower who discloses information about suspected misconduct in good faith to a specified person, such as the Registered Auditor, the DFSA or other relevant authorities.
7. The protection under the Regulatory Law applies to any person who makes such a disclosure. For example, the disclosure may be made by a person who is or has been an officer, employee or agent of a Registered Auditor, a Person who provides services or products to the Registered Auditor or a person who has no formal connection with the Registered Auditor.
8. The protection under the Regulatory Law is from liability, dismissal or detriment for making that disclosure. However, it does not, for example, prevent a Registered Auditor from taking action against an employee for other legitimate reasons, such as if the employee has engaged in misconduct.
9. A Registered Auditor should, as part of its policies and procedures, inform its officers and employees of the protection under Article 68A of the Regulatory Law.


Derived from DFSA RMI319/2021 (Made 27th October 2021). [VER05/04-22]