Auditor's access to classified information
- Jan Vácha
- Karolína Blažková
Under article 21 paragraph 2 of Act no. 93/2009 Coll., on auditors, as amended, an auditor is entitled to require documents and other relevant information from the accounting entity for duly performing his audit activity and to obtain sufficient evidential information for forming a qualified opinion. In this context, the auditor is obliged to maintain confidentiality of all facts that are not publicly known and that relate to the entity, in which he/she performs his/her audit activity. But what are the possible solutions in case some information and documents are subject to confidentiality regime? The Chamber of Auditors turned to the National Security Authority with a question and the individual pieces of information and conclusions are stated below.
In this case, it is appropriate to remember that de facto the standard, which has precedence over Act no. 93/2009 Coll., on Auditors (hereinafter the “AoA”), from which under article 15 the confidentiality principle arises, is Act no. 412/2005 Coll., on Protection of Classified Information and on Security Clearance, as amended (hereinafter the “Classified Information Act”), which by no means connects authorisation of access to classified information to confidentiality defined in the AoA.
Special forms of access to classified information are contained in article 58 to 62 of the Classified Information Act, under which, however, the standard activities of the auditor in auditing financial statements cannot be classified. If the auditor is to have access to classified information, he/she must hold the appropriate document proving his/her eligibility for access to classified information issued by the National Security Authority (i.e. have security clearance of the appropriate level).
It also depends on the auditor's professional judgement in the context of the given engagement whether classified information is necessary for the proper performance of the audit, or whether it would be sufficient in a particular case to document technical and evidential data without the need to provide classified information directly. If the auditor's access to necessary information is restricted, though, the auditor is required to consider the potential impact of that restriction on the opinion, i.e. to consider whether the auditor is able to obtain sufficient and appropriate evidential information despite the restriction. According to the requirements of International Standard on Auditing ISA 705 "Modification of an Opinion in the Independent Auditor's Report", when access to necessary information is restricted, the auditor is required to request that the management remove the restriction. However, if it is a situation where access is denied to the auditor due to legal impediments, the management cannot remove this restriction, and in this case, the possible solution on the part of the auditor is to obtain the relevant certificate. It is therefore advisable to agree with the management of the entity on the next course of action (e.g. termination of the audit contract or delay for issuing the certificate).
According to the status of the auditor, the law defines access to classified information. In the case of an audit company, both the audit company and its employee must have this authorisation. Specific conditions for auditor access are defined in relation to the classification level.
The auditor should have access to classified information as a natural person if he or she needs it for the performance of his or her activities, but only if he or she holds a certificate of compliance with the conditions for access to classified information of the appropriate classification level (Restricted, Confidential or higher).
To conclude, we can say that if the auditor is aware at the time of accepting the engagement that the entity has classified engagements, and if the auditor does not hold the relevant National Security Authority certificates, the auditor should consider whether he would be able to perform the engagement in that situation. Companies holding classified information should then draw attention to this fact within the tender process already. This will prevent a situation where the winning auditor would be unable to perform the contract because he would not have security clearance for the relevant classification level.
Source: Methodical Information of the Chamber of Auditors of CR – Restrictions on auditor's access to classified documents