Preamble

On the basis of section 78 (6) of the Investment Firm Act (Wertpapierinstitutsgesetz) of 12 May 2021 (Federal Law Gazette I (Bundesgesetzblatt), p. 990) in conjunction with section 1d no. 1 of the Regulation on the Transfer of Powers to Issue Statutory Orders to the Federal Financial Supervisory Authority (Verordnung zur Übertragung von Befugnissen zum Erlass von Rechtsverordnungen auf die Bundesanstalt für Finanzdienstleistungsaufsicht) of 13 December 2002 (Federal Law Gazette 2003 I, p. 3), of which section 1d no. 1 was inserted by Article 1 of the Regulation of 26 June 2021 (Federal Law Gazette I, p. 2027), and in conjunction with the Jurisdiction Amendment Act (Zuständigkeitsanpassungsgesetz) of 16 August 2002 (Federal Law Gazette I, p. 3165) and the organisational statute of 8 December 2021 (Federal Law Gazette I, p. 5176), the Federal Financial Supervisory Authority (Bundesanstalt für Finanzdienstleistungsaufsicht), in agreement with the Federal Ministry of the Justice and after consulting the Deutsche Bundesbank, hereby issues the following Regulation:

Table of contents

Part 1 General provisions

Section 1 Scope of application

This Regulation governs

1. the substance and the timing of the audit in accordance with section 78 of the Investment Firm Act of small and medium-sized investment firms within the meaning of section 2 (16) and (17) of the Investment Firm Act and
2. the content of the audit reports within the meaning of section 76 (1) sentence 3 of the Investment Firm Act and the form in which audit reports are required to be submitted to the Federal Financial Supervisory Authority (the Supervisory Authority) and the Deutsche Bundesbank.

Section 2 Reporting period

(1) As a rule, the period covered by the audit (reporting period) shall be the financial year (year under review) ending on the date of the annual accounts (balance sheet closing date). 2If the period under review differs from the financial year, the audit report must cover at least the financial year ending on the balance sheet closing date.
(2) If the audit has been interrupted, reference must be made to this in the report, giving the duration of the interruption. 2The reasons for interruption must be given.
(3) Unless stated otherwise in this Regulation, stock data in the audit report must relate to the balance sheet closing date.

Section 3 Risk orientation and materiality

1. The basic principles of risk-based auditing and materiality must be taken into account. In particular the size of the investment firm, the scale of its business, and the complexity and the level of risk of the business conducted must be taken into account.

Section 4 Nature and scope of the report

(1) Subject to the following requirements, the scope of the report must be consistent with the importance and the level of risk of the transactions described.
(2) The supervisory requirements governing the investment firm and the requirements of this Regulation regarding the individual areas must be complied with in the assessments made in the audit report. The assessments must be justified comprehensibly with regard to appropriateness and, if required by this Regulation, to effectiveness.
(3) Any significant transactions that occurred after the balance sheet closing date and have come to the attention of the auditor must also be included and presented in the audit report, together with their impact.
(4) If the Supervisory Authority has imposed requirements on the investment firm relating to the content of the audit of the annual financial statements under section 78 (4) sentence 4 of the Investment Firm Act, the auditor must draw attention to such requirements in the audit report in connection with the audit engagement.
(5) At the auditor's discretion, the audit and the reporting on the audit may be divided into an audit part I and an audit report part I and an audit part II and an audit report part II in the case of medium-sized investment firm. The division of the audit areas must be consistent over several years. Any major changes in the results of audit report part I up until the end of the reporting period must be reported in audit report part II. These include in particular material changes in the quantitative information.
(6) The audit report must assess the suitability, appropriateness and effectiveness of the measures taken to remedy the deficiencies identified in the last audit. If measures to remedy identified deficiencies have already been initiated but not yet completed, the audit report must continue reporting on this until the deficiencies have been fully remedied.
(7) If a special audit in accordance with section 5 (4) sentence 2 of the Investment Firm Act was conducted in the reporting period, the auditor must use the findings of that audit when auditing supervisory issues. If these matters were the subject of the special audit, the supervisory reporting may be limited to material changes that have occurred up to the balance sheet closing date. If the recognition or measurement of balance sheet items of the investment firm has been reviewed during the special audit, changes in the balance sheet items commented on during the special audit must be reported separately in the audit reports for the next three reporting period. The Supervisory Authority may stipulate different requirements in individual cases.

Section 5 Nature and scope of the report

Every audit report and every part audit report must be submitted in electronic form without undue delay to the Supervisory Authority and the Deutsche Bundesbank upon completion. The submission must be made in the specified file format using the electronic procedures provided by the Supervisory Authority and the Deutsche Bundesbank.

Section 6 Audit findings

(1) Audit findings must be classified in classes F–0 to F–5, depending on their impact on the propriety of the business activities, the risks in accordance with to section 45 (1) of the Investment Firm Act or the effectiveness of preventive measures and precautions to prevent money laundering and the financing of terrorist, as well as criminal activities in accordance with section 33 (1) sentence 1 of the Investment Firm Act. 2Audit findings are classified as follows:

1. F–0 describes a complete absence of violations of requirements
2. F–1 describes violations of requirements with minor consequences (minor deficiencies),
3. F–2 describes violations of requirements with moderate consequences (moderate defects),
4. F–3 describes violations of requirements with serious consequences (serious deficiencies),
5. F–4 describes violations of requirements with serious consequences (serious deficiencies) or
6. F–5 describes the non-applicability of the audit requirement in the audited investment firm in particular because underlying legal obligations are not relevant in the specific case for the investment firm’s business activities.

(2) The on-site lead auditor is responsible for classifying audit findings in accordance with subsection (1). The classification must be made in the report as when the deficiency is described.
(3) The report must also be accompanied by tabular overviews of the audit findings in accordance with Annex 3 and of the other deficiencies identified in accordance with Annex 4.

Section 7 Annexes

Wherever explanatory notes are prepared on the particulars requested in this Regulation, these may be produced in the form of annexes to the audit report with a view to enhancing the clarity of the audit report if a sufficient evaluation is included in the audit report itself and the reporting in the annexes does not make the audit report confusing.

Section 8 Concluding summary

(1) Unless already addressed in the introductory statements in the report described in section 321 (1) sentence 2 of the Commercial Code (Handelsgesetzbuch), an opinion on all key issues must be expressed in a concluding summary such that the concluding summary itself enables an overall assessment to be made of

1. the financial situation of the investment firm;
2. The risk-bearing capacity the investment firm,
3. the propriety of the conduct of business of the investment firm, especially the establishment of adequate and effective risk management, and
4. compliance with other supervisory requirements.

In terms of the investment firm’s economic situation, the comments must in particular address its business performance, the financial position, liquidity position and results of operations, and the risks to which the investment firm is exposed, as well as the nature and scale of its off-balance-sheet business.

(2) The concluding summary must also state whether the balance sheet items have been properly measured, and particularly whether the value adjustments and provisions are appropriate, and whether the provisions of the Money Laundering Act (Geldwäschegesetz) and the reporting requirements have been fulfilled.

(3) The summary must describe any significant audits findings that have emerged from the audit over and above the assessments specified under section 321 (1) sentence 3 of the Commercial Code.

Section 9 Reporting cycle

If, in accordance with this Regulation, the auditor is obliged to report only changes, the auditor must prepare a full report at appropriate intervals that goes beyond the presentation of the changes. Unless otherwise instructed by the Supervisory Authority, a complete report submitted every third year is deemed to be an appropriate interval.

Part 2 General information on the investment firm

Section 10 Description of the legal, financial and organisational framework

(1) The report must state the extent to which the investment firm made use of or exceeded its authorisation to provide investment services, ancillary services subject to an authorisation requirement as well as ancillary business, and complied with any requirements attached to these services or this business in the reporting period.

(2) Material changes in the investment firm’s legal, financial and organisational framework during the reporting period must be described, and the following in particular must be reported:

1. changes in the legal form, articles of association or shareholders’ agreement,
2. changes in the capitalisation and the shareholder structure,
3. changes to the allocation of responsibilities within the management board and changes in its composition, stating the respective responsibilities of the individual managers,
4. changes to the structure of the investment services provided and of other operations assignable to financial sector business in the broader sense of the term,
5. the forthcoming commencement of new lines of business,
6. changes to legal and business relations with affiliated undertakings within the meaning of section 271 (2) of the Commercial Code and other undertakings, as well as economically significant business policy agreements governing intercompany cooperation, especially regarding the nature and scope of the agreed services; reporting on affiliated undertakings may be waived provided a dependent company report in accordance with section 312 of the Stock Corporation Act (Aktiengesetz) for the reporting period has been submitted to the Supervisory Authority and the Deutsche Bundesbank,
7. changes in the investment firm’s organisational structure as well as changes in the operational structure that are significant from a risk perspective; if the management consists of more than one person, the current organisational chart reflecting the allocation of responsibilities must be attached as an annex,
8. material modifications to the IT systems with a description of the corresponding IT projects in the audit report, and
9. changes to the membership of the investment firm of a financial conglomerate within the meaning of section 1 (2) of the Financial Conglomerates Supervision Act (Finanzkonglomerate-Aufsichtsgesetz) and changes to the superordinate undertaking of a financial conglomerate within the meaning of section 12 of the Financial Conglomerates Supervision Act.

(3) The auditor must draw up a separate report on the outsourcing of significant activities and processes in due consideration of the requirements set out in section 40 of the Investment Firm Act. The auditor must state whether the classification of outsourcing arrangements as material or immaterial is understandable from the perspective of risk, nature, scale and complexity. Outsourced material activities and processes must be clearly specified and defined with reference to the information provided in accordance with Annex 2.

(4) The auditor must describe and assess the integration of tied agents within the meaning of section 3 (2) of the Investment Firm Act in the risk management structure. The auditor must report on whether and to what extent the information provided in the public register on the tied agents matches the information available at the investment firm. The report must further detail how the investment firm ensures its tied agents have the necessary professional qualifications and are trustworthy.

(5) The auditor must additionally report on whether the Supervisory Authority’s instructions in accordance with section 6 (1) sentence 3 of the Securities Trading Act have been complied with.

Section 11 Branches

The auditor must report on the investment firm’s foreign branches. The following must be assessed for these branches:

1. the contribution to the overall result of the undertaking,
2. their influence on the risk profile and the risk situation, as well as the risk provisioning of the investment firm, as well as
3. the integration of these branches into the investment firm’s risk management.

Part 3 Supervisory requirements

Subpart 1 Risk management, system of governance and trading book

Section 12 Appropriateness and suitability of the governance arrangements

(1) The auditor must assess the appropriateness and suitability of the corporate governance arrangements in accordance with section 41 of the Investment Firm Act, taking into account the nature, scope and complexity of the risks associated with the business model and the nature, scope and complexity of the transactions actually conducted by the investment firm. In accordance with section 38 (1) of the Investment Firm Act, in the case of small investment firms only risks for clients and liquidity risks in accordance with section 45 (1) sentence 3 nos. 1 and 4 of the Investment Firm Act and, in the case of medium-sized investment firms, additionally risks for the market and risks for the investment firm in accordance with section 45 (1) sentence 3 nos. 2 and 3 of the Investment Firm Act must be addressed.

(2) The auditor must assess whether

1. the investment firm has a clear organisational structure with clearly defined transparent, consistent reporting lines;
2. the arrangements, strategies and procedures for determining the risk-bearing capacity of the investment firm ensure a prudent determination of risks and the risk coverage potential,
3. the procedures for identifying, managing, monitoring and reporting risks that the investment firm is or might be exposed to or the risks that it poses or might pose to others;
4. the internal audit function in accordance with Article 24 of Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/ EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firm and defined terms for the purposes of that Directive (OJ L 87 of 31.3.2017, p. 1.; L 246 of 26.9.2017, p. 12; L 82 of 26.3.2018, p. 18), as most recently amended by Delegated Regulation (EU) 2021/1254 (OJ L 277 of 2.8.2021, p. 6), has been established in a way that is appropriate to its business and has the following responsibilities,
5. the internal control system is appropriate, sound and effective and, in particular, has effective risk management and compliance functions,
6. the business continuity planning for the systems and procedures in accordance with Article 21(3) of Delegated Regulation (EU) 2017/565 is adequate and effective,
7. the staffing and the resources for addressing significant risks to which the investment firm is exposed are adequate.

(3) The auditor must assess whether the managers meet the requirements under section 20 (1) of the Investment Firm Act and comply with the requirements under section 20 (3) and (4) of the Investment Firm Act. The auditor must also assess whether the administrative or supervisory bodies meet the requirements under section 21 (1) and (2) of the Investment Firm Act and effectively discharge the duty under section 21 (4) of the Investment Firm Act.

(4) The auditor must assess whether the managers have discharged their duties under section 43 (1) of the Investment Firm Act within the scope of their overall responsibility and have devoted sufficient time to the discharge of their duties under section 43 (2) of the Investment Firm Act.

(5) The auditor must assess whether the investment firm’s structures enable its administrative or supervisory body to properly discharge its duties. The auditor must additionally assess whether a risk and a remuneration committee in accordance with section 44 (3) sentence 1 of the Investment Firm Act have established. If these committees have not been established, the auditor must assess whether one of the reasons set out in section 44 (3) sentence 2 of the Investment Firm Act applied. The auditor must additionally assess whether the managers and the members of the risk committee have sufficient access to all information relating to the risks to which the investment firm is or could be exposed.

Section 13 Whistleblower system

The auditor must assess whether

1. the investment firm has established an appropriate procedure in accordance with section 13 (1) of the Investment Firm Act that enables its employees to report possible violations of regulatory requirements and potentially criminal activities within the undertaking through a special independent channel, and
2. the confidentiality of the employee’s identity is maintained.

Section 14 Remuneration systems

The auditor must assess the appropriateness and transparency of the investment firm’s remuneration systems and their alignment with the sustainable development of the investment firm in accordance with section 46 (1) of the Investment Firm Act. In doing so, the auditor must in particular assess and report whether

1. the allocation of the remuneration components to fixed remuneration is clear,
2. the remuneration systems, including the remuneration strategy, run counter to the achievement of the objectives that are set out in the investment firm’s business and risk strategies,
3. the management has informed the administrative or supervisory body at least once a year about the design of the investment firm’s remuneration systems,
4. the investment firm has established principles for the remuneration systems, reviewed compliance with them and documented the review, and
5. the employees are informed in writing about the design of the remuneration systems and remuneration parameters that apply to them.

Section 15 IT systems

(1) As part of the assessment under section 12 (2) no. 7, the auditor must explain whether the organisational, staffing and technical arrangements for ensuring the integrity, confidentiality, authenticity and availability of information relevant for supervision in accordance with Article 21(2) of Delegated Regulation (EU) 2017/565 are adequate and are implemented effectively. The auditor must address IT operations in particular. As part of the assessment of business continuity planning in accordance with section 12 (2) no. 6, the auditor must in particular address the technical and operational procedures in the event of an emergency situation.

(2) If external IT service providers, external computers or storage locations are used, the duties of the auditor referred to above also extend to those IT resources and their integration into the investment firm subject to the notification requirement.

Section 16 Recovery planning

In the course of the audit in accordance with section 78 (1) sentences 5 and 6 of the Investment Firm Act, the auditor must also assess, if applicable, whether the recovery plan to be prepared meets the requirements of section 12 (1) and section 13 (1) to (4) of the Recovery and Resolution Act (Sanierungs- und Abwicklungsgesetz), and must report on this in line with the following criteria. The auditor must examine the material aspects relevant to recovery planning for factual accuracy and appropriateness. The auditor must take into account any simplified requirements in accordance with section 19 of the Recovery and Resolution Act. If the recovery plan contains assumptions, estimates or conclusions, these must be checked for plausibility and comprehensibility. In particular, the auditor must assess:

1. the presentation of the corporate structure and business model, the designation of the primary business activities and critical functions as well as the description of the internal and external networking structures in the recovery plan in accordance with section 13 (2) no. 2 of the Recovery and Resolution Act,
2. the fundamental suitability, impact and practicability of the recovery option contained in the recovery plan in accordance with section 13 (2) nos. 3 to 5 of the Recovery and Resolution Act; the specific circumstances of the investment firm must be taken into account,
3. the qualitative and quantitative indicators in accordance with section 13 (2) no. 6 of the Recovery and Resolution Act to determine whether they appropriately reflect the special features specific to investment firms and enable the timely implementation of recovery options within a defined escalation and information process in an emergency situation,
4. the scenarios for severe stresses in accordance with section 13 (2) no. 7 of the Recovery and Resolution Act with regard to coverage of the material risk drivers, comprehensibility and suitability specific to the investment firm; with regard to the suitability of the scenarios, the supervisory requirements for the particular severity of the stresses and the nature of the relevant scenario must be taken into account in addition to the requirements specific to the investment firm,
5. the effectiveness and practicability of the recovery plan in accordance with section 13 (2) no. 8 of the Recovery and Resolution Act; the auditor must address whether the description and analysis of the interaction of stress scenarios, indicators and recovery options are adequate in terms of the underlying assumptions, appropriate and comprehensible with regard to the resulting analyses,
6. the communication and information concept in accordance with section 13 (2) no. 9 of the Recovery and Resolution Act in terms of whether it adequately takes into account the special features of the individual recovery options, and
7. the preparatory measures in accordance with section 13 (2) no. 10 of Recovery and Resolution Act, their suitability and the availability of an appropriate timetable and monitoring concept for implementation; the auditor must also assess whether the deficiencies identified on the basis of the audit can be rectified by the preparatory measures.

Section 17 Requirements for the trading book

The auditor must assess whether the investment firm in accordance with Article 21(2) of Regulation (EU) 2019/2033 of the European Parliament and of the Council of 27 November 2019 on prudential requirements of investment firms and amending Regulations (EU) No. 1093/2010, (EU) No. 575/2013, (EU) No. 600/2014 and (EU) No. 806/2014 (OJ L 314, 5.12.2019, p. 1; L 20, 24.1.2020, p. 26; L 405, 2.12.2020, p. 79; L 261, 22.7.2021, p. 60), as most recently amended by Delegated Regulation (EU) 2022/1455 (OJ L 229, 5.9.2022, p. 1), complied with the requirements under Part Three, Title I, Chapter 3 of Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and amending Regulation (EU) No. 648/2012 (OJ L 176, 27.6.2013, p. 1; L 208, 2.8.2013, p. 68; L 321, 30.11.2013, p. 6; L 193, 21.7.2015, p. 166; L 20, 25.1.2017, p. 3; L 92, 30.3.2023, p. 29), as most recently amended by Regulation (EU) 2022/2036 (OJ L 275, 25.10.2022, p. 1; L 277, 27.10.2022, p. 316), as amended, in the reporting period, in particular for the assignment of positions to the trading book and for the management of the trading book.

Subpart 2 Own funds, composition of own funds and liquidity position

Section 18 Determining own funds

(1) The auditor must assess whether the investment firm’s arrangements for properly determining Common Equity Tier 1 capital, Additional Tier 1 capital and Tier 2 capital are adequate, and whether the investment firm has properly satisfied the notification requirements under Article 54 of Regulation (EU) 2019/2033. Material procedural changes during the reporting period must be described.

(2) The auditor must assess the calculation of own funds requirements in accordance with Article 11 of Regulation (EU) 2019/2033. In this context, the auditor must separately assess the correct calculation of

1. fixed overheads in accordance with Article 13 of Regulation (EU) 2019/2033,
2. the permanent minimum capital in accordance with Article 14 of Regulation (EU) 2019/2033 and
3. the K-factor requirement in accordance with Article 15 of Regulation (EU) 2019/2033.

Section 19 Own funds

(1) The amount and composition of the investment firm’s own funds in accordance with Article 9 of Regulation (EU) 2019/2033 must be presented as at the close of business on the balance sheet closing date and under the assumption that the audited financial statements are adopted. Components of own funds acquired or held through other credit firm, investment firms, financial enterprises, primary insurance companies and reinsurance companies must be listed separately, citing the relevant undertakings.

(2) The auditor must assess satisfaction of the applicable requirements of Regulation (EU) 2019/2033 for the capital instruments that the investment firm classifies as Common Equity Tier 1 capital, Additional Tier 1 capital or Tier 2 capital. With regard to the items referred to in Article 26(1)(c) to (f) of Regulation (EU) No. 575/2013 and allocated to Common Equity Tier 1 capital in accordance with Article 9(1)(i) of Regulation (EU) 2019/2033, the auditor must assess in particular whether they are directly available to the investment firm without restriction to immediately cover risks and losses. In addition, specific features in the development of own funds or individual own funds items during the reporting period must be reported Withdrawals by the owner or the general partner must be reported. If interim profits in accordance with Article 26(2) of Regulation (EU) No. 575/2013 in conjunction with Article 9 (1)(i) of Regulation (EU) 2019/2033 are assigned during the year, this must be reported.

(3) Tier 1 capital instruments without their own issues in domestic shares that are assigned for the first time or continue to be assigned to own funds must be reported together with the main features of the individual tranches; specific features must be highlighted.

(4) Tier 2 capital instruments must be presented in annual bands by maturity.

(5) The recognition of amounts in accordance with Article 9(1)(i) of Regulation (EU) 2019/2033 in conjunction with Article 62(c) and (d) of Regulation (EU) No. 575/2013 must be presented and assessed for accuracy.

(6) The auditor must present and assess whether the investment firm satisfies the requirements for prudent valuation in accordance with Article 34, including in conjunction with Article 105 of Regulation (EU) No 575/2013, when calculating its own funds in accordance with Article 9(1)(i) of Regulation (EU) 2019/2033.

Section 20 Loans to certain persons

The auditor must in all cases examine and present the loans to be notified in accordance with section 64 (1) no. 12 of the Investment Firm Act. The auditor must examine and present lending with regard to whether loans are granted at market conditions.

Section 21 Small and non-interconnected investment firms

The classification of an investment firm as a small and non-interconnected investment firm in accordance with Article 12 of Regulation (EU) 2019/2033 must be presented and assessed.

Section 22 Liquidity position

(1) The liquidity position and liquidity management system must be assessed. 2Measures taken to improve the liquidity position must be reported.

(2) The auditor must assess whether the investment firm has satisfied the liquidity requirements in accordance with Part 5 of Regulation (EU) 2019/2033. Any changes compared with the previous reporting period must be described.

Subpart 3 Disclosure, reporting system, exceptions for undertakings belonging to a group

Section 23 Disclosure requirements

The auditor must assess the suitability of the processes for determining and disclosing the information in accordance with Part 6 of Regulation (EU) 2019/2033 and section 54 of the Investment Firm Act. 2The audit report must address whether the investment firm has satisfied the disclosure requirements set out in Part 6 of Regulation (EU) 2019/2033 and section 54 of the Investment Firm Act.

Section 24 Notification system

The organisation of the reporting system must be assessed. The precautions taken by the investment firm to ensure the completeness and accuracy of the notifications and reports must be assessed. Any infringements established must be listed.

Section 25 Exemptions for investment firms belonging to a group

(1) In accordance with the exemption, the provisions of sections 17 to 19 and 23 shall not apply to member undertakings of groups of investment firms that have been exempted by the Supervisory Authority in accordance with Article 6 of Regulation (EU) 2019/2033.

(2) The auditor must report on whether the conditions set out in Article 6 of Regulation (EU) 2019/2033 are satisfied.

Part 4 Safeguards to prevent money laundering, the financing of terrorism and criminal activities in accordance with section 33 (1) sentence 1 of the Investment Firm Act

Section 26 Timing of the audit and reporting period

(1) The safeguards implemented by the investment firm, the investment holding company or the mixed financial holding company to prevent money laundering and the financing of terrorism in accordance with the Money Laundering Act and sections 34, 35 and 37 of the Investment Firm Act, as well as the safeguards implemented to prevent criminal activities in accordance with section 33 (1) sentence 1 of the Investment Firm Act, must be audited once a year. The same applies to the audit of the safeguards implemented by the investment holding company to prevent money laundering and the financing of terrorism in accordance with the Money Laundering Act and the provisions of sections 35 and 36 of the Investment Firm Act, as well as the safeguards implemented to prevent criminal activities in accordance with section 33 (1) sentence 1 of the Investment Firm Act. The auditor must specify the starting date of the audit and the reporting period at their own discretion in accordance with professional standards, subject to the following provisions.

(2) The reporting period for the audit is in each case the period between the reference date for the last audit and the reference date for the following audit. The end of the reporting period may not differ by more than three months from the reference date of the relevant annual financial statements. Irrespective of whether the audit and reporting happens in a one- or two-year cycle, it must cover the entire period since the balance sheet closing date of the last audit and report.

(3) The audit must commence at the latest 15 months after the start of the reporting period relevant for the audit.

(4) Compliance with the provisions of the Money Laundering Act and sections 33 to 35 and 37 of the Investment Firm Act need only be assessed every two years for small investment Firm within the meaning of section 2 (16) of the Investment Firm Act, beginning with the first full financial year in which investment services are provided, unless the investment firm’s risk situation requires a shorter auditing interval.

Section 27 Description and assessment of the measures taken to prevent money laundering, the financing of terrorism and criminal activities in accordance with section 33 (1) sentence 1 of the Investment Firm Act

(1) In the audit report, the auditor must describe the safeguards implemented by the undertaking subject to the Money Laundering Act or sections 34, 35 and 37 of the Investment Firm Act during the reporting period to prevent money laundering and the financing of terrorism, as well as criminal activities in accordance with section 33 (1) sentence 1 of the Investment Firm Act. The auditor’s remarks must cover all of the duties listed in the reporting form in Annex 3.

(2) In the audit report, the auditor must assess the appropriateness of the safeguards implemented by the investment firm.

(3) In the case of parent undertakings of groups of undertakings, the auditor must additionally assess the precautions in accordance with section 9 of the Money Laundering Act to establish whether

1. the duty to perform a risk analysis in accordance with section 9 (1) sentence 1 of the Money Laundering Act has been effectively satisfied,
2. the measures in accordance with section 9 (1) sentence 2 of the Money Laundering Act have been taken,
3. the relevant measures in accordance with section 9 (1) sentence 3 of the Money Laundering Act have been effectively implemented, and
4. in the case of section 9 (3) sentence 2 of the Money Laundering Act, there is assurance that the group undertakings located in the relevant third country adopt additional measures in order to effectively counter the risk of money laundering and the financing of terrorism, and that the Supervisory Authority was informed in this respect about the measures adopted.

(4) The auditor must,

1. in the assessment in accordance with subsections (2) and (3), discuss whether the risk analysis prepared by the investment firm as part of its risk management to prevent money laundering and the financing of terrorism in accordance with section 5 of the Money Laundering Act reflects the investment firm’s actual risk situation, and
2. in accordance with subsection (2) also address whether the risk analysis required as part of risk management for the prevention of criminal activities in accordance with section 33 (1) sentence 1 of the Investment Firm Act reflects the investment firm’s actual risk situation.

(5) If the Supervisory Authority has issued instructions to the investment firm subject to the requirements of the Money Laundering Act or the Investment Firm Act that are connected to the investment firm’s duties to prevent money laundering and the financing of terrorism, as well as criminal activities in accordance with section 33 (1) sentence 1 of the Investment Firm Act, the auditor must report on these as part of the description under subsection (1). The auditor must also assess whether the investment firm subject to the requirements has properly followed those instructions.

(6) In the description of the safeguards implemented to prevent money laundering and the financing of terrorism under subsection (1), as well as criminal activities in accordance with section 33 (1) sentence 1 of the Investment Firm Act, and the assessment of these safeguards in accordance with subsections (2) to (5), the auditor must take into account the findings of all audits by the internal audit function that were performed in the reporting period of the audit.

(7) In the description of the investment firm’s risk situation, the auditor must also incorporate the following information in Annex 3, based on the investment firm’s current comprehensive risk analysis:

1. all high-risk products offered by the investment firm,
2. the number of customers who conduct transactions directly via the firm in connection with crypto assets, as well as the cumulative total volume of these transactions in euros,

3. the number of clients who are legal persons, in particular
   
   a) the number of clients who are subject to simplified due diligence procedures in accordance with section 14 of the Money Laundering Act,
   b) the number of clients who are subject to enhanced due diligence procedures in accordance with section 15 of the Money Laundering Act or section 35 of the Investment Firm Act, and
   c) the number of clients resident in third countries and, of these clients, the number of clients located in high-risk countries in accordance with Commission Delegated Regulation (EU) 2016/1675 of 14 July 2016 supplementing Directive (EU) 2015/849 of the European Parliament and of the Council by identifying high-risk third countries with strategic deficiencies (OJ L 254, 20.9.2016, p. 1), as most recently amended by Delegated Regulation (EU) 2023/1219 (OJ L 160, 26.6.2023, p. 1), as amended,

   
   

4. the number of clients who are natural persons, in particular
   
   a) the number of clients who are subject to simplified due diligence procedures in accordance with section 14 of the Money Laundering Act,
   b) the number of clients that are subject to enhanced due diligence procedures in accordance with section 15 of the Money Laundering Act or section 35 of the Investment Firm Act, and
   c) the number of clients domiciled in third countries, and, of these clients, the number of clients in high-risk countries in accordance with Delegated Regulation (EU) 2016/1675,

5. the number of business relationships with politically exposed persons,

6. regarding the correspondent banking relationships of the investment firm within the meaning of section 1 (21) no. 2 of the Money Laundering Act:
   
   a) the number of correspondent banking relationships with respondents within the meaning of section 1 (21) no. 2 of the Money Laundering Act that are located in a Member State of the European Union or another signatory state to the Agreement on the European Economic, as well as
   b) the number of correspondent banking relationships with respondents within the meaning of section 1 (21) no. 2 of the Money Laundering Act that are located in a third country and, of these respondents, the number of correspondent banking relationships with respondents within the meaning of section 1 (21) no. 2 of the Money Laundering Act that are located in a high-risk country in accordance with Delegated Regulation (EU) 2016/1675,

7. regarding the establishments, branch offices and other subordinated undertakings of the investment firm, to the extent that they themselves are subject to the requirements of the Money Laundering Act:
   
   a) the number of them in Germany,
   b) the number of them in other Member States of the European Union and other signatory states to the Agreement on the European Economic Area,
   c) the number of them in third countries and, of these establishments, branches and other subordinated undertakings, the number of establishments, branches and other subordinated undertakings that are located in high-risk countries within the meaning of Delegated Regulation (EU) 2016/1675, and

8. the number of tied agents that work for the investment firm in Germany, and the number of tied agents that work for the investment firm outside Germany.
   

(8) The auditor must additionally record and assess the material findings of their audit in a reporting form in accordance with Annex 3. The classification in accordance with section 6 (1) must be used for the assessment.

(9) The requirements governing the audit cycle under section 26 (4) are not affected by the subsections above.

Part 5 Information on certain risks

Section 28 Country-related risk

The auditor must describe and assess the total extent of the country-related exposures incurred by the investment firm, as well as the method used to manage and monitor them. In particular, the auditor must address whether the estimation of country-related exposures is based on suitable analyses.

Section 29 Securities loans

If the investment firm grants loans within the meaning of section 2 (3) no. 2 of the Investment Firm Act for the purpose of the loan-financed acquisition of securities, the auditor must report on the following at the balance sheet closing date

1. the total volume of loans and the number of all borrowers, and
2. the volume and number of unsecured loans.

Section 30 Compliance with obligations under derivatives transactions in accordance with Regulations (EU) No. 648/2012 and (EU) No. 600/2014

(1) The auditor must review the procedures for identifying all OTC derivative contracts subject to a central counterparty clearing obligation as well as compliance with the clearing obligation in accordance with Article 4(1), (2) and (3) subparagraph 2 and Article 4a of Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories (OJ L 201, 27.7.2012, p. 1; L 321, 30.11.2013, p. 6), as amended by Delegated Regulation (EU) 2021/1456 (OJ L 317, 8.9.2021, p. 1), as amended. If intra-group transactions are subject to the exemption in Article 4(2) of Regulation (EU) No 648/2012, the auditor must assess the organisational measures instituted to comply with the associated requirements.

(2) The auditor must assess the processes for satisfying the reporting obligations in accordance with Article 9(1) to (3) of Regulation (EU) No. 648/2012.

(3) The auditor must assess the appropriateness of risk mitigation techniques for OTC derivative contracts that are not subject to a central counterparty clearing obligation in accordance with Article 11 of Regulation (EU) No 648/2012, including in relation to

1. Commission Delegated Regulation (EU) No. 149/2013 of 19 December 2012 supplementing Regulation (EU) No. 648/2012 of the European Parliament and of the Council with regard to regulatory technical standards on indirect clearing arrangements, the clearing obligation, the public register, access to a trading venue, non-financial counterparties and risk mitigation techniques for OTC derivative contracts not cleared by a CCP (OJ L 52, 23.2.2013, p. 11), as most recently amended by Delegated Regulation (EU) 2022/2310 (OJ L 307, 28.11.2022, p. 29), as amended,
2. Commission Delegated Regulation (EU) No. 285/2014 of 13 February 2014 supplementing Regulation (EU) No. 648/2012 of the European Parliament and of the Council with regard to regulatory technical standards on direct, substantial and foreseeable effect of contracts within the Union and to prevent the evasion of rules and obligation (OJ L 85, 21.3.2014, p. 1), as amended,
3. Commission Delegated Regulation (EU) 2016/2251 of 4 October 2016 supplementing Regulation (EU) No. 648/2012 of the European Parliament and of the Council on OTC derivatives, central counterparties and trade repositories with regard to regulatory technical standards on risk-mitigation techniques for OTC derivative contracts not cleared by a central counterparty (OJ L 340, 15.12.2016, p. 9; L 40, 17.2.2017, p. 79), as most recently amended by Delegated Regulation (EU) 2023/314 (OJ L 43, 13.2.2023, p. 2), as amended, and

4. regulatory technical standards referred to in Article 11(15)(a)(aa) of Regulation (EU) No. 648/2012.

   The auditor must assess the following in particular:

1. the processes for the timely confirmation of the terms of transactions entered into,
2. the processes for reconciling portfolios,
3. the extent to which the investment firm has made use of the option to compress portfolios in accordance with Article 14 of Delegated Regulation (EU) No. 149/2013,
4. the processes for identifying disputed transactions and resolving such disputes, including reporting disputed transactions in accordance with Article 15(2) of Delegated Regulation (EU) No. 149/2013, and
5. the collateralisation of non-centrally cleared contracts and the scope of the exemption from the collateralisation requirement in accordance with Article 11(5), (6), (8) and (10) of Regulation (EU) No. 648/2012.

(4) To the extent that intra-group transactions in accordance with Article 11(5) of Regulation (EU) No. 648/2012 are exempt from the collateralisation requirement in accordance with Article 11(3) of Regulation (EU) No. 648/2012, the auditor must assess whether the conditions for exemption from this collateralisation requirement are satisfied. In cases where intra-group transactions have been exempted from the collateralisation requirement under the conditions of Article 11(6), (8) or (10) of Regulation (EU) No. 648/2012, the auditor must assess whether the organisational measures instituted by the investment firm can ensure that the conditions for this exemption are satisfied, including the publication requirement under Article 11(11) of Regulation (EU) No. 648/2012, including in conjunction with Article 20 of Delegated Regulation (EU) No. 149/2013.

(5) The auditor must examine whether the investment firm has implemented safeguards or has systems that are suitable in each case for ensuring satisfaction of the conditions in accordance with Article 28(1) to (3) of Regulation (EU) No. 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No. 648/2012 (OJ L 173, 12.6.2014, p. 84; L 6, 10.1.2015, p. 6; L 270, 15.10.2015, p. 4; L 278, 27.10.2017, p. 54), as most recently amended by Regulation (EU) 2022/858 (OJ L 151, 2.6.2022, p. 1), as amended.

(6) The auditor must report on circumstances where the firm has contractually outsourced implementation of performance of the duties or processes referred to in subsections (1) to (5) to a third person or another undertaking.

Part 6 Reporting based on financial statement information

Section 31 Business performance in the reporting period

The business performance of the investment firm must be presented and explained for each investment service and ancillary investment service provided, comparing the relevant figures for the reporting period and the previous year. The number of clients, the volume of assets under management or for which advice is provided and the volume of brokered financial instruments must regularly be presented.

Section 32 Changes in financial position

(1) The changes in the financial position of the investment firm must be assessed. Particular attention must be given to specific aspects that are significant for the assessment of the financial position, in particular the nature and scale of off-balance-sheet assets and liabilities.

(2) The report must also cover

1. the nature and scale of hidden reserves and hidden liabilities, with a particular description of write-downs of securities that have been avoided,
2. material agreements and pending legal disputes that could adversely affect the financial position, and the recognition of the necessary provisions,
3. all comfort letters issued; the substance of these comfort letters must be described and their enforceability assessed, and
4. subordinated assets.

Section 33 Changes in results of operations

(1) The changes in the results of operations of the investment firm must be assessed.

(2) Based on the documents provided by the investment firm, the report must also address the results of operations of the main lines of business; the most important sources of and factors affecting financial performance and the material planning assumptions must be described separately.

(3) Potential effects of risks on changes in the results of operations must be described.

Section 34 Risk situation and risk provisioning

(1) The risk situation and the risk-bearing capacity of the investment firm must be assessed.

(2) The nature of, scale of and changes in risk provisioning must be explained and the adequacy of risk provisioning must be assessed. The procedure for determining risk provisioning must be described and assessed. The firm-specific principles and procedures for recognising general allowances must also be addressed; changes to these principles and procedures and the quantitative effects of the changes on the amount of the general allowances must be reported separately.

(3) If a requirement for new risk provisioning was identified for the period after the balance sheet closing date, this must be included in the report.

Section 35 Explanatory comments on the accounting system

The balance sheet items, off-balance-sheet items and income statement items must be explained, taking the principle of materiality into consideration, and compared with the figures of the previous year.

Part 7 Information on groups of investment firms and financial conglomerates

Section 36 Scope of application

(1) This Part also applies to investment firm´s within the meaning of section 2 (25) of the Investment Firm Act.

(2) Reporting is governed by section 78 (5) of the Investment Firm Act.

Section 37 Reporting on groups and consolidation

(1) In accordance with section 78 (5) sentence 1 no. 1 of the Investment Firm Act, the auditor must examine and report on whether the group of undertakings to be included was determined correctly. These undertakings must be described, disclosing the type of undertaking.

(2) In accordance with section 78 (5) sentence 1 no. 2 of the Investment Firm Act, the auditor must examine and report on whether the consolidation requirements in accordance with Article 7 of Regulation (EU) 2019/2033 or the group capital test in accordance with Article 8 of Regulation (EU) 2019/2033 have been complied with.

(3) The auditor must examine whether the notifications to be made at group level in accordance with section 67 of the Investment Firm Act have been correctly submitted.

Section 38 Additional information

Subject to section 37, the report on the audit of the investment firm that the Supervisory Authority has exempted in accordance with Article 6 of Regulation (EU) 2019/2033 must also address the following:

1. the names of the group undertakings that the Supervisory Authority has exempted in accordance with Article 6 of Regulation (EU) 2019/2033, as well as the scope of the exemption,.
2. Transfers of own funds or repayments of liabilities by the parent undertaking in favour of subordinated undertakings that the Supervisory Authority has exempted in accordance with Article 6 of Regulation (EU) 2019/2033, and
3. Transfers of own funds or repayments of liabilities in favour of the parent undertaking to the extent that it has been exempted by the Supervisory Authority in accordance with Article 6 of Regulation (EU) 2019/2033.

Section 39 Supplementary requirements for undertakings of a financial conglomerate (sections 17, 18, 23 and 25 of the Financial Conglomerates Supervision Act)

(1) In the case of superordinate undertakings of a financial conglomerate within the meaning of section 12 of the Financial Conglomerates Supervision Act, the auditor must describe whether the calculation of the own funds of the financial conglomerate complies with section 18 of the Financial Conglomerates Supervision Act and must report on whether the undertaking met the reporting requirements in accordance with to section 17 (2) sentence 2 of the Financial Conglomerates Supervision Act.

(2) The auditor must report what measures the superordinate undertaking uses to meet the requirements of sections 23 and 25 of the Financial Conglomerates Supervision Act. This also includes assessing compliance with the reporting requirements in accordance with section 23 (1) and (3) sentence 6 of the Financial Conglomerates Supervision Act.

Part 8 Data overview and final provisions

Section 40 Data overview

The templates in Annexes 1 to 4 applicable to the relevant firm must be completed in full and attached to the audit report. The templates in Annex 1 must be supplemented by the corresponding prior-year data.

Section 41 Entry into force

This Regulation enters into force on the day following its promulgation.

Annex 1 (relating to Section 40) SON01W

Data overview for small and medium-sized investment firms

Monetary amounts must be stated in thousands of euros (EUR thousand) using commercial rounding principles. Enter percentage amounts with one decimal place. The number of liabilities concerned must be indicated before the designation “Qty.”

Item					Reporting period (1)	Prior-year period (2)
(1) Data on the organisational framework
1.	Application of provisions relating to the trading book: yes (= 0)/no (= 1)			300
2.	Investment firm is a publicly traded undertaking: yes (= 0)/no (= 1)			428
3.	Number of employees in accordance with section 267 (5) of the HGB			001
(2) Financial position data
1.	Own funds in accordance with Article 9 of the IFR1as at the close of business on the balance sheet closing date
	a)	Tier 1 capital		006
		aa)	Common Equity Tier 1 capital	426
		bb)	Additional Tier 1 capital	427
	b)	Tier 2 capital		007
2.	Balance of reserves in accordance with section 340f of the HGB
	a)	Hidden reserves not recognised as equity in accordance with section 340f of the HGB		002
	b)	Restricted reserves due to specific valuation allowances not recognised in accordance with section 340f of the HGB		400
3.	Unrealised price gains on debt instruments and other fixed-income securities
	a)	Gross unrealised price gains		301
	b)	Net unrealised price gains2		302
4.	Unrealised price gains on equities and other non-fixed income securities, investments in unconsolidated subsidiaries and investments in affiliated companies
	a)	Gross unrealised price gains		303
	b)	Net unrealised price gains2		304
5.	Write-downs of debt instruments and other fixed-income securities avoided by transferring them to fixed assets			305
6.	Write-downs of equities and other non-fixed income securities avoided by transferring them to fixed assets			306
7.	Investments in an undertaking in the financial sector in accordance with Article 4(1)(17) of the IFR			402
8.	Loans and other credits granted in accordance with section 2 (3) no. 2 of the WpIG			901
(3) Data on liquidity and funding
1.	Liabilities to banks that exceed 10 per cent of “Liabilities to banks”			022 250	Qty.	Qty.
2.	Liabilities to customers that exceed 10 per cent of “Liabilities to customers”			023 251	Qty.	Qty.
3.	Funding facilities committed to the investment firm excluding those at Deutsche Bundesbank
	a)	Commitments		024
	b)	Utilisation		025
(4) Data on the results of operations
1.	Net interest income
	a)	Interest income3		029
	b)	Interest expense		030
	c)	of which: for silent participations, for participation rights and for subordinated liabilities		031
	d)	Net interest income		032
2.	Net fee and commission income
	a)	Fee and commission income		313
	b)	Fee and commission expenses		314
	c)	Net fee and commission income		033
3.	Trading expenses and income
	a)	Expenses from transactions with securities in the trading portfolio		315
	b)	Income from transactions with securities in the trading portfolio		316
	c)	Expenses from transactions in foreign exchange and precious metals4		317
	d)	Income from transactions in foreign exchange and precious metals4		318
	e)	Expenses from transactions in derivatives		319
	f)	Income from transactions in derivatives		320
4.	Net income from other non-interest related transactions5			037
5.	General and administrative expenses
	a)	Personnel expenses6		038
	b)	Other administrative expenses7		039
6.	Other and extraordinary income and expenses8			902
7.	Taxes on income			048
8.	Income from loss absorption and cash off-balance sheet claims			049
9.	Expenses from recognition of contingency reserves under sections 340f and 340g of the HGB			050
10.	Income from reversal of contingency reserves under sections 340f and 340g of the HGB			051
11.	Profit transferred on the basis of a profit pooling, profit transfer, or partial profit transfer agreement			052
12.	Retained profits carried forward from the previous year			053
13.	Accumulated losses brought forward from the previous year			054
14.	Withdrawals from capital reserves and revenue reserves			055
15.	Appropriations to capital reserves and revenue reserves			056
16.	Withdrawals from profit participation capital			057
17.	Replenishment of profit participation capital			058
(5) Supplementary information
1.	Departures within the meaning of section 284 (2) no. 2 of the HGB
	a)	from recognition methods yes (= 0)/no (= 1)		095
	b)	from measurement methods yes (= 0)/no (= 1)		096
2.	Amount of marketable securities not measured at the lower of cost or market for the following items (section 35 (1) no. 2 of the RechKredV)
	a)	debt instruments and other fixed-income securities (asset item no. 5)		107
	b)	equities and other non-fixed income securities (asset item no. 6)		108
3.	Subordinated assets
	a)	Subordinated receivables from banks		112
	b)	Subordinated receivables from clients		113
	c)	Other subordinated assets		114
4.	Gross aggregate income from investment services and activities in accordance with Article 12(1)(i) of Regulation (EU) 2019/2033			900

Annex 2 (relating to Section 40) SON02W

Data overview for small and medium-sized investment firms that have outsourced areas to another undertaking

Investment firm:

Serial no.	External service provider incl.  address	KN ID no.	Outsourced activities and processes	Status (planned for/ Implemented on/  terminated on)	Date of outsourcing	Comments in particular on sub-outsourcing

Annex 3 (relating to sections 27, 40)

Reporting form in accordance with section 27 of the WpIPrüfbV

Investment firm:
Reporting period:
Audit date:
On-site lead auditor:

Part One:

Disclosures on the following risk factors based on the most recent comprehensive internal risk analysis of the investment firm [section 27 (7)]

1. List of all high-risk products offered (according to risk analysis):
   
2. Number of client who conduct transactions directly via the firm in connection with crypto assets: ________
   
   a) Cumulative total volume (calculated using daily updated prices as at the audit date) in EUR of all transactions in connection with crypto assets carried out for clients directly via the firm ________ €
   b) – Not allocated –
   
   
3. Number of clients (legal persons):
   
   a) Proportion of business relationships with legal persons subject to the simplified due diligence procedures in accordance with section 14 of the GwG ____.____%
   b) Proportion of business relationships with legal persons subject to the enhanced due diligence procedures in accordance with section 15 of the GwG or section 35 of the WpIG ____.____%
   c) Number of clients domiciled in third countries: ________
   of which in high-risk countries in accordance with Delegated Regulation (EU) 2016/1675, as amended ________
   
   
4. Number of clients (natural persons):
   
   a) Proportion of business relationships with natural persons subject to simplified due diligence procedures in accordance with section 14 of the GwG ____.____%
   b) of which proportion of business relationships with natural persons subject to the enhanced due diligence procedures in accordance with section 15 of the GwG or section 35 of the WpIG ____.____%
   c) Number of clients domiciled in third countries: ________
   of which in high-risk countries in accordance with Delegated Regulation (EU) 2016/1675, as amended ________
   
   
5. Number of politically exposed persons in accordance with section 1 (12) of the GwG, including family members and persons known to be close associates in accordance with section 1 (13) and (14) of the GwG: ________
6. Number of correspondence relationships in accordance with section 1 (21) of the GwG with companies whose registered office is in:
   
   a) EU/EEA countries ________
   b) Third countries ________
   of which in high-risk countries in accordance with Delegated Regulation (EU) 2016/1675, as amended ________
   
   
7. Number of establishments/branch offices/subordinated undertakings, to the extent that they themselves are subject to the requirements of the Money Laundering Act:
   
   a) in Germany ____/____
   b) in other EU/EEA countries ___/__/___
   c) in third countries ___/__/___
   of which in high-risk countries in accordance with Delegated Regulation (EU) 2016/1675, as amended ___/__/___
   
   
8. Number of tied agents that work for the investment firm:
   
   a) in Germany ________
   b) outside Germany _______

Part Two:

Classification of audit findings F–0 to F–5 [section 6 (1), section 27 (8)]

No.	Provision	Audit requirements	Finding	Source
A. Money laundering/Financing of terrorism
I. Internal controls and safeguards
1.	Section 5 (1) and (2) of the GwG	Preparation, documentation, review, if applicable update of a risk analysis relating to money laundering and the financing of terrorism
2.	Section 6 (2) nos. 1 and 4, (5) of the GwG	Implementation of internal controls and safeguards relating to money laundering and the financing of terrorism
3.	Section 6 (2) no. 2 in conjunction with section 7 of the GwG	Satisfaction of requirements relating to the performance of the duties of the money laundering officer (e.g. appointment, notification, equipment, checks)
4.	Section 6 (2) no. 5 of the GwG	Performance of assessment of reputation
5.	Section 6 (2) no. 6 of the GwG	Performing training and informing employees
6.	Section 6 (2) no. 7 of the GwG	Performance of audits by the internal audit function relating to measures to prevent money laundering and the financing of terrorism
7.	–	not allocated
8.	Section 6 (7) of the GwG	Contractual outsourcing of internal controls and safeguards
II. Client due diligence
9.	Section 10 (2), section 14 (1), section 15 (2) of the GwG	Performance of risk assessments of business relationships and transactions
10.	Section 10 (1) no. 1 in conjunction with sections 11 to 13 of the GwG, section 34 of the WpIG, section 10 (9) of the GwG	Identification of the counterparty and the persons acting on its behalf (including non-performance/termination obligation)
11.	Section 10 (1) no. 2 in conjunction with section 11 (1) and (5), section 10 (9), section 23a (1) of the GwG	Clarification and, if applicable, identification of the beneficial owner (including non-performance/termination obligation)
12.	Section 10 (1) no. 3, section 10 (9) of the GwG	Obtaining information about the purpose/nature of the business relationship (including non-performance/termination obligation)
13.	Section 10 (1) no. 4, section 10 (9) of the GwG	Clarification of status as a politically exposed person (including non-performance/termination obligation)
14.	Section 10 (1) no. 5 clause 1 of the GwG	Ongoing monitoring of business relationships
15.	Section 10 (1) no. 5 clause 2 of the GwG	Performance of updates
16.	Section 14 (1) to (3) of the GwG in conjunction with section 10 (9) of the GwG	Performance of simplified due diligence procedures (documentation, appropriateness of measures)
17.	Section 15 (1) to (7) and 9 in conjunction with section 10 (9) of the GwG, section 35 of the WpIG	Performance of enhanced due diligence procedures (documentation, appropriateness of measures)
18.	Section 17 (1) to (7) of the GwG	Performance of due diligence procedures by third parties and contractual outsourcing
19.	–	not allocated
III. Other obligations
20.	Section 6 (6) of the GwG	Organisation and compliance with the information requirement
21.	Section 8 of the GwG	Implementation of records and retention
22.	Section. 9 in conjunction with section 5 (3) of the GwG	Implementation of group-wide duties
23.	Section 43 in conjunction with section 47 (1) to (4) of the GwG	Implementation of suspicious transaction report procedure (including compliance with the prohibition of disclosure)
24.	Section 6 (8) and (9), section 7 (3), section 9 (3) sentence 3, section 15 (5a) and (8), section 28 (1) sentence 2 no. 5, section 39 (3), section 40 (1) sentence 2 no. 3 of the GwG	Compliance with orders
25.	Section 37 of the WpIG	Compliance with bans on doing business
B. Criminal activities within the meaning of section 33 of the WpIG
26.	Section 33 (1) of the WpIG	Preparation, documentation, review, if applicable update of a risk analysis relating to criminal activities
27.	Section 33 (1) of the WpIG	Implementation of internal controls and safeguards relating to criminal activities
28.	Section 33 (1) of the WpIG	Performance of audits by the internal audit function relating to measures adopted to prevent criminal activities
29.	–	– Not allocated –
30.	Section 33 (2) of the WpIG in conjunction with section 8 of the GwG,	Performance of the investigation obligation
31.	Section 33 (3) of the WpIG	Contractual outsourcing of internal controls and safeguards
32.	Section 33 (4) of the WpIG	Compliance with orders
33.	Section 33 (5) of the WpIG in conjunction with section 7 of the GwG,	Performance of the duties of the FIU (or authorised exemption if applicable)

Annex 4 (relating to sections 6, 40)

Reporting form in accordance with section 6 of the WpIPrüfbV (other deficiencies identified)

Investment firm:
Reporting period:
Audit date:
On-site lead auditor:

List of audit findings F–1 to F–4 (deficiencies)

No.	Provision	Fact pattern	Classification in accordance with section 6 (1) and (2)	Source	Year of determination	Current status of remediation of deficiency

(A separate table line must be used for each audit finding. The number of lines must be reduced or increased accordingly.)