In an ordinary audit, the audit opinion is the principal output and the audit file is the auditor’s working record. In an audit of a regulated entity — a credit union, an insurance company, a securities dealer, a pension fund administrator, a money services business, a bank — the picture changes. The audit opinion is still the principal output, but the audit file is no longer simply the auditor’s working record. It is, increasingly, a regulatory document. Caribbean financial regulators can and do request access to it. What it contains, how it is structured, and what it evidences are matters that go beyond the auditor and the audit committee. They are matters of supervisory concern.

That shift changes how the audit must be planned, executed, documented, and communicated. It also changes how a regulated entity should think about choosing its auditor. The audit of a regulated entity is no longer a procurement decision; it is a regulatory posture decision. The wrong auditor exposes the entity to questions the audit committee did not anticipate. The right auditor strengthens the entity’s regulatory relationship.

This article unpacks what a competent audit of a regulated Caribbean entity now looks like under the standards, what Caribbean supervisors increasingly expect to find in the audit file, and what audit committees of regulated entities — particularly those in credit unions, insurance, and securities — should be asking of their auditor before the next audit cycle begins.

Why a Regulated Audit Is a Different Engagement

Five structural features distinguish the audit of a regulated entity from the audit of an unsupervised company. Each affects how the audit must be planned and executed.

• Capital adequacy and prudential ratios. The financial statements of a regulated entity feed directly into supervisory returns. Capital adequacy, solvency, liquidity coverage, leverage, and similar prudential ratios derive from financial statement balances. An error in the audit becomes an error in the supervisory return, which becomes a supervisory matter.
• Specialised accounting estimates. Regulated-entity balance sheets are dominated by complex estimates. For credit unions and banks, expected credit losses under IFRS 9 dominate the loan portfolio. For insurers, insurance contract liabilities under IFRS 17 dominate the balance sheet. For securities dealers, fair-value measurement of trading and investment portfolios under IFRS 13 dominates. Each of these estimates is itself an audit subject of significant judgment, and each is something a generalist auditor without sector depth handles poorly.
• Regulatory reporting. Regulated entities file periodic prudential and financial returns to their supervisor. The auditor must understand how the audited financial statements reconcile to those returns and, in many jurisdictions, must report directly to the supervisor on certain matters.
• Anti-money-laundering and counter-financing-of-terrorism (AML/CFT) obligations. Regulated entities are obliged subjects under AML/CFT regimes. The auditor must understand the entity’s AML/CFT framework as part of the audit’s risk assessment and may, in some jurisdictions, be required to evaluate the effectiveness of specific AML/CFT controls.
• Sector-specific supervisory regimes. Credit unions in Jamaica are supervised by the Bank of Jamaica under specific co-operative regulations. Insurers and securities dealers are supervised by the Financial Services Commission of Jamaica. Across the Eastern Caribbean, the ECCB supervises licensed financial institutions and ECCU credit unions are supervised under national legislation. Cayman entities are supervised by CIMA; Trinidad and Tobago entities by the Central Bank of Trinidad and Tobago and TTSEC; Bahamas entities by the Central Bank of the Bahamas and the SCB. Each supervisor has its own expectations, its own forms, and its own enforcement posture.

“In a regulated audit, the audit file is no longer simply the auditor’s working record. It is, increasingly, a regulatory document.”

What the Standards Require

The International Standards on Auditing apply in full to regulated-entity audits. Two ISAs are particularly important for regulated engagements:

• ISA 250 (Revised) — Consideration of Laws and Regulations in an Audit of Financial Statements. This standard requires the auditor to obtain a general understanding of the legal and regulatory framework applicable to the entity, to identify non-compliance with laws and regulations that may have a material effect on the financial statements, and to communicate such non-compliance to management and those charged with governance. For a regulated entity, ISA 250 (Revised) is not a peripheral consideration; it is central.
• ISA 800 (Revised) — Special Considerations: Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks. Where a regulated entity prepares financial statements or schedules under a regulatory framework that differs from IFRS — for example, certain prudential statements — ISA 800 (Revised) governs the auditor’s engagement, opinion, and communication.

Beyond the ISAs, regulated-entity audits may be subject to specific regulator-issued requirements. Several Caribbean supervisors issue auditor guidance notes setting out their expectations on matters such as auditor independence, audit firm rotation, communication of supervisory concerns, and the structure of the audit file. A serious regulated-entity auditor must read and apply those requirements alongside the ISAs.

Sector-Specific Considerations

Credit Unions

Caribbean credit unions, supervised in Jamaica by the Bank of Jamaica and across the region by national co-operative regulators, face distinctive audit considerations. Expected credit losses under IFRS 9 dominate the audit, with significant judgment in the design and calibration of the ECL model — particularly the staging criteria, the probability of default and loss given default parameters, and the management overlays used to adjust modelled outputs. The auditor must engage with the model directly, not simply accept it. Member share capital classification, dividend payments, statutory reserve transfers, and the treatment of member savings are also areas requiring specific co-operative-sector knowledge. A general-purpose audit team unfamiliar with credit union accounting and regulation will struggle with several of these.

Insurance Companies

The implementation of IFRS 17 — Insurance Contracts — has transformed the audit of insurers. The standard’s general measurement model, premium allocation approach, and variable fee approach each require substantial actuarial judgment in the construction of the contractual service margin, the risk adjustment, and the discount rates applied. The auditor must engage actuarial specialists, evaluate the appropriateness of model design, test the data feeding the model, and assess the reasonableness of management’s assumptions. For a Caribbean insurer transitioning into post-IFRS 17 audit cycles, the choice of auditor is materially more consequential than it was under IFRS 4.

Securities Dealers and Investment Managers

Securities dealers face audit considerations dominated by fair value measurement under IFRS 13, classification and measurement of financial instruments under IFRS 9, segregation and reconciliation of client assets, and capital adequacy reporting under the supervisor’s prudential framework. The audit must engage with valuation methodology (mark-to-market, mark-to-model, level 1/2/3 hierarchy), with the controls over client asset segregation, and with the calculation of regulatory capital and liquidity measures. AML/CFT control evaluation is also particularly important in this sector given the cross-border movement of client funds.

Other Regulated Sectors

Other regulated subjects across the Caribbean include pension fund administrators, money services businesses, trust and corporate services providers, virtual asset service providers, and entities regulated under FATCA / CRS information-exchange regimes. Each carries sector-specific audit considerations that go beyond the generalist financial statement audit. A firm that wishes to audit in any of these sectors credibly must invest in the specialist knowledge — actuarial, valuation, IT audit, AML — that the sector requires.

“The choice of auditor for a regulated entity is no longer a procurement decision. It is a regulatory posture decision.”

What Caribbean Supervisors Are Looking For

Across the region, Caribbean supervisors are aligning, at varying paces, around a set of expectations for the audit files of regulated entities. Five expectations recur across supervisors:

• Documented understanding of the entity’s regulatory framework. The audit file should evidence that the engagement team understood, in writing, the specific supervisory framework applicable to the entity — the licensing regime, the prudential standards, the supervisory expectations, the periodic returns.
• Substantive engagement with significant accounting estimates. Where the entity is dominated by ECL, IFRS 17 liabilities, fair value, or similar significant estimates, the audit file should evidence substantive auditor engagement with the model, the data, the assumptions, and the management overlays — not mere acceptance of management’s working.
• Specialist involvement. Where the engagement requires actuarial, IT audit, valuation, or forensic specialist input, the file should evidence the involvement of those specialists, their qualifications, and the manner in which their work was directed, supervised, and reviewed by the engagement partner.
• Communication with the supervisor. Where the entity’s regulatory regime contemplates direct auditor-to-supervisor communication on certain matters, the audit file should evidence that those communications were considered, made where required, and documented.
• Regulator-ready file structure. The audit file should be capable of being read by an external supervisor. Working papers should be organised, indexed, dated, and signed; conclusions should be supported by evidence; significant judgments should be explained. A file that is intelligible only to the engagement team is not a regulator-ready file.

Six Questions the Audit Committee of a Regulated Entity Should Ask

• What is your firm’s sector experience in our specific regulatory subset — credit unions, insurance, securities, or our particular regulated activity? The question is not generic financial audit experience. It is the specific sector competence the engagement requires.
• Which specialists in your firm will be involved on this engagement — actuarial, IT audit, valuation, AML / forensic — and how will their work be directed and reviewed? A regulated entity audit without specialist involvement is, in most sectors, not a competent audit.
• How will you engage with our principal accounting estimates — ECL, insurance contract liabilities, fair values — and what evidence will be in the file at the end? The answer should be specific and grounded in the entity’s actual model and data.
• How does your firm interact with our supervisor, and what is your protocol if a matter requires direct auditor-to-supervisor communication? An auditor who has not thought this through in advance is an auditor unprepared for the moment when it matters.
• What does your audit file look like, and would it stand up to inspection by our supervisor today? You are not asking to read the file. You are asking whether the auditor has built one that can be read by others.
• How do you maintain awareness of evolving supervisory expectations across the Caribbean — guidance notes, thematic reviews, enforcement actions — and how does that awareness flow into our audit? The answer reveals whether the firm tracks the regulatory landscape, or merely audits within it.

How Dawgen Global Approaches Regulated-Entity Audits

Dawgen Global audits regulated entities across the Caribbean — credit unions, insurance companies, securities dealers, pension administrators, money services businesses, and other supervised institutions — under the D·ASSURE™ methodology, with the firm’s integrated practice supplying the specialist competencies each engagement requires. The Jamaica Assurance Team standard governs the engagement leadership designation on all regulated audit deliverables, with sector specialists — actuarial, IT audit, valuation, forensic, AML — drawn from the firm’s eleven service disciplines as the engagement risk assessment requires.

Engagement acceptance for regulated entities is conducted under the firm’s ISQM 1 acceptance framework, with explicit consideration of sector competence, specialist availability, independence in fact and appearance under the IESBA Code, and the firm’s capacity to deliver the engagement to the standard the supervisor expects. The audit file is structured throughout to be regulator-readable, with working papers indexed, dated, signed, and supported by evidence sufficient for external inspection.

The firm maintains active awareness of evolving supervisory expectations across the Caribbean, with the audit and assurance leadership monitoring guidance notes, thematic reviews, and supervisory enforcement actions from the BOJ, FSC Jamaica, ECCB, CIMA, FSRC, and other regional supervisors. That awareness flows into engagement planning, into the firm’s training programme, and — where appropriate — into the firm’s thought leadership.

What’s Next in the Series

Article 8 takes up the audit of groups — the audit of Caribbean conglomerates, holding companies, and cross-border structures under ISA 600 (Revised). Where this article addressed how the audit operates when the supervisor is the principal reader, the next addresses how the audit operates when the audit itself spans multiple entities, multiple jurisdictions, and multiple component auditors. ISA 600 (Revised), effective for audits of periods beginning on or after 15 December 2023, has materially changed how group audits must be planned, directed, and concluded.

If you are an audit committee chair, CFO, or director of a regulated Caribbean entity — credit union, insurer, securities dealer, pension administrator, money services business — and would like a confidential briefing on what a sector-competent audit should look like for your entity, or a diagnostic review of your current auditor’s regulated-sector posture, the Dawgen Global Audit & Assurance team welcomes the conversation. Write to [email protected] or visit dawgen.global.

About the Author

Dr. Dawkins Brown is the Executive Chairman and Founder of Dawgen Global, an independent, integrated multidisciplinary professional services firm headquartered in New Kingston, Jamaica, with operations across more than fifteen Caribbean territories. He writes weekly on Caribbean governance, audit, and assurance matters through Caribbean Boardroom Perspectives and The Caribbean Advisory Brief.

The Caribbean Audit Imperative

A twelve-article series from Dawgen Global  |  dawgen.global

About Dawgen Global