Document 112
EUROPEAN COMMISSION
DIRECTORATE-GENERAL FOR HEALTH AND FOOD SAFETY
Health systems, medical products and innovation
The Director
Brussels
SANTE.DDG1.B/
/
/(2019)8515359
To whom it may concern,
Subject:
Follow-up to letter of 27 November 2019 on the notification of proposed external
auditors / audit firms (Article 15(8) of Directive 2014/40/EU)
I am writing to you in follow-up to my letter of 27 November 2019 concerning the notification of
proposed audit firms, as required under Article 15(8) of Directive 2014/40/EU.
Several manufacturers have responded to advise that an adequate internal selection and bidding
process requires more time. I furthermore understand from the comments received that the absence of
complete information on the scope of the annual audit reports poses additional difficulties to the
selection process.
In light of these concerns, we have decided to amend the notification procedure for the proposed audit
firms. I refer you to the new notification procedure outlined below.
Notification procedure:
Article 15(8), second subparagraph, of Directive 2014/40/EU stipulates that an external auditor, who is
proposed and paid by the tobacco manufacturer, shall monitor the activities of each notified and
approved primary repository. As such, manufacturers are invited to propose to the Commission, for
approval, an audit firm responsible for auditing their primary repository.
The approved audit firms shall submit annual reports on the audits of the primary repositories to the
competent authorities and to the Commission. The Commission undertakes to publish guidelines on
the scope of the audit reports. The publication is foreseen for early 2020.
Manufacturers are invited to notify the Commission of the audit firms that they propose to monitor the
activities of their respective primary repository.
Note: Two or more manufacturers may also decide to submit a joint notification proposing one audit
firm.
Each manufacturer should submit the information listed in Annex A (signed by the manufacturer), as
well as copies of the required declaration forms B and C (signed by the proposed audit firm), in
electronic format, to xxxxxxxxxxx@xx.xxxxxx.xx.
The notification of the proposed audit firm should be submitted within 45 calendar days from the date
of publication of the guidelines document referred to above.
Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111
The Commission will carry out the assessment of the proposed audit firm as quickly as possible and
will seek to issue a decision within three months of the date of receiving the notification. A list of
approved audit firms will be made publicly available on the Commission website.
Your sincerely,
(e-signed)
Andrzej RYS
Enclosed:
Annexes A, B, C
2
ANNEX A
- Notification of proposed audit firm -
Pursuant to Article 26(1) of Commission Implementing Regulation (EU) 2018/574, each manufacturer
of tobacco products shall contract an independent third-party provider for the purpose of establishing
a repository, which stores data relating to the tobacco products of the individual manufacturer
(hereafter "primary repository"). The activities of the primary repository and its provider shall be
monitored on an annual basis by an independent external auditor. The auditor shall be proposed and
paid by the tobacco manufacturers.
I, the undersigned [insert name and surname], being [insert name of position held] of [insert company
name], (hereafter "the company"), located at [insert full address] and with the VAT identification
number [insert VAT number], acting as a legal representative of the aforementioned company, hereby
propose the audit firm indicated below to be responsible for the annual audits of the primary
repository contracted by the company.
Name of audit firm: [please insert]
Full address (legal seat): [please insert]
Legal representative(s) of audit firm: [please insert]
VAT identification number: [please insert]
Place and date:
Signature:
3
ANNEX B
- Declaration form: independence of audit firm and auditors -
Pursuant to Article 26(1) of Commission Implementing Regulation (EU) 2018/574, each manufacturer
of tobacco products shall contract an independent third-party provider for the purpose of establishing
a repository, which stores data relating to the tobacco products of the individual manufacturer
(hereafter "primary repository"). The activities of the primary repository and its provider shall be
monitored on an annual basis by an independent external auditor. The auditor shall be proposed and
paid by the tobacco manufacturers.
I, the undersigned [insert name and surname], being [insert name of position held] of [insert name of
audit firm], (hereafter "the audit firm"), located at [insert full address] and with the VAT identification
number [insert VAT number], acting as a legal representative of the aforementioned audit firm, hereby
solemnly declare that:
the audit firm complies with the requirements on legal independence, financial independence,
and absence of conflict of interest, as defined in Article 35(2) (a) (c) of Commission
Implementing Regulation (EU) 2018/574;
the audit firm has not been contracted in the last four calendar years to carry out non-audit
services in the fields of tobacco traceability or the fight against illicit trade of tobacco
products;
the auditors carrying out the audit of the primary repository on behalf of the audit firm have
not been employed in the tobacco industry, nor have they had any professional involvement in
any project related to tobacco, in the last four calendar years;
the auditors carrying out the audit of the primary repository on behalf of the audit firm are free
from any pecuniary or non-pecuniary interest linked to the tobacco industry, including
possession of stocks, participation in private pension scheme or interest held by their partners,
spouses or direct relatives in the ascending or descending line.
Place and date:
Signature:
4
ANNEX C
- Declaration form: professional suitability of audit firm and auditors -
Pursuant to Article 26(1) of Commission Implementing Regulation (EU) 2018/574, each manufacturer
of tobacco products shall contract an independent third-party provider for the purpose of establishing
a repository, which stores data relating to the tobacco products of the individual manufacturer
(hereafter "primary repository"). The activities of the primary repository and its provider shall be
monitored on an annual basis by an independent external auditor. The auditor shall be proposed and
paid by the tobacco manufacturers.
I, the undersigned [insert name and surname], being [insert name of position held] of [insert name of
audit firm], (hereafter "the audit firm"), located at [insert full address] and with the VAT identification
number [insert VAT number], acting as a legal representative of the aforementioned audit firm, hereby
solemnly declare that:
the audit firm has at least seven years of experience in carrying out audits of medium-sized
and/or large-sized enterprises, and at least five years of experience in offering services of IT
Audit and Information System Security, including expertise in assessing organisational and
physical security, operations security, access control, communications security, business
continuity mechanisms, and assets and data integrity;
the Lead Auditor with responsibility for the audit of the primary repository must be certified
as an ISO/IEC 27001 Lead Auditor;
any other auditor(s) who may be involved in the audit have at least two years of professional
experience in carrying out audits in the area of information security management (ISMS).
Place and date:
Signature:
5
5