Incident procedure

Incident Procedure

1. Purpose of the Procedure

This procedure ensures that:

  • The organization has a policy to prevent involvement in criminal acts or legal violations that may damage trust in the audit firm or financial markets (Art. 32(1) Bta).
  • There are clear procedures for identifying and recording incidents that seriously impact the organization’s integrity (Art. 32(2) Bta).
  • The organization takes adequate measures to manage risks resulting from the incident and to prevent recurrence (Art. 32(3) Bta).
  • Incidents are reported to the Dutch Authority for the Financial Markets (AFM) immediately after they occur (Art. 32(4) Bta).
  • The organization records all facts, involved persons, and actions taken in response to the incident (Art. 33(1) Bta).
  • These records are retained for at least seven years (Art. 33(2) Bta).

2. Key Elements of the Procedure

The procedure addresses (non-exhaustively):

  • Definition of an incident
  • The organization’s stance on involvement in criminal acts or legal violations
  • When and how incidents must be reported
  • Responsibilities for reporting
  • Reporting method and recipients
  • Recording and documentation responsibilities
  • Internal and external communication
  • Procedures for AFM notification
  • Follow-up measures
  • Recordkeeping duration and instructions

3. Incident Procedure

3.1 Definitions

  • Audit firm: Entity performing statutory audits or affiliated organizations.
  • Board: The governing body responsible for decision-making.
  • Bta: Decree on Supervision of Audit Firms.
  • Partner: Person authorized to act on behalf of the firm.
  • Employee: Anyone engaged in executing the firm’s assignments.
  • Network: The audit firm’s collaborative structure.
  • Incident: Involvement in criminal acts or violations affecting market or firm trust.
  • Involved Person: Partner or employee personally involved in the incident.
  • Committee: Incident Committee (see section 3.3).
  • Compliance Officer: Responsible for coordinating the procedure (see section 3.4).
  • Secretary: Appointed secretary of the committee.
  • Incident Supervisor: Assigned contact for internal reports (see section 3.9).

3.2 Responsibilities of the Board

  • Employees must avoid involvement in any criminal acts or violations.
  • The board handles, registers, and publishes incident reports related to staff or network partners.

3.3 Incident Committee

  • May be set up for specific or ongoing cases.
  • Composed of at least two independent members; includes one board member.
  • One member acts as chair; another as secretary.
  • Advises the board on incidents not resolved by discussion or mediation.
  • Can also provide unsolicited advice and establish internal rules for its operations.

3.4 Compliance Officer

Appointed to coordinate the process, maintain the incident register, assess procedures and content, and produce management reports.

3.5 Reporting an Incident

  • Must be in writing, signed, and include:
    • Name and address of the reporter
    • Date
    • Clear description of facts and circumstances
  • Oral reports must be documented, signed by the reporter, and forwarded to the board and compliance officer.

3.6 Acknowledging Receipt

  • Compliance officer sends confirmation and information within one week.
  • Incomplete reports must be corrected within two weeks.
  • Anonymous reporting is not allowed.
  • If the report isn’t corrected on time, disciplinary action may follow.

3.7 Handling the Incident

  • Discussion with the involved person within two weeks to:
    • Explore mediation
    • Decide on further action
  • If mediation is successful, the matter is closed, and the involved party is informed.
  • If not, the case proceeds to formal review.

3.8 Committee Review and Advice

  • The board may appoint a temporary committee to advise within a set timeframe.
  • New developments are shared with the committee.
  • Confidentiality applies to all involved parties.

3.9 Internal Incident Handling

  • All involved must ensure the identity of internal reporters is protected.
  • An incident supervisor may be assigned.
  • No negative consequences may arise from reporting.
  • Follow-up is conducted within 3–6 months to confirm this.
  • Unless agreed otherwise, incident details will not be included in personnel files.

3.10 Delays

If resolution exceeds:

  • 10 weeks (no committee involved), or
  • 14 weeks (committee involved),

then the involved person must be notified of the delay before the deadline.

3.11 Board Decision

  • The board informs the involved person in writing of its findings and any conclusions.
  • If other network entities are involved, they receive a copy of this communication.

3.12 Incident Registration

Each incident report is recorded, including:

  • Name and address of reporter
  • Date
  • Incident details

Also recorded:

  • Method of submission
  • Handling process and timeline
  • Board decisions and measures taken
  • Committee advice, if applicable

All records are retained for at least seven years.

3.13 Internal Publication

The compliance officer publishes an anonymized annual summary with commentary on:

  • Structural deficiencies
  • Actions taken to resolve them

3.14 Reporting to AFM

The compliance officer ensures AFM is notified immediately after board approval. Notification must be in writing.

3.15 Implementation and Delegation

  • The board may define additional rules for effective incident management.
  • Tasks may be delegated to the executive board.
  • The compliance officer oversees implementation.

3.16 Short Title

This procedure is known as the Incident Procedure.

3.17 Effective Date

This procedure replaces the prior version dated and is effective from 27 May 2025.

3.18 Contact details

Incidents can be addressed to admin@justaudit.nl