Catch up here on our latest news, events and publications
Non-financial reporting: building trust with internal audit
Internal audit can help organisations build trust with key stakeholders by assuring the quality of the information in their non-financial reports, according to new guidance published by ECIIA – the European Confederation of Institutes of Internal Auditing.
The paper says companies that adopt an integrated approach to assess their financial, environmental, social and other activities will benefit most.
“Internal audit has a crucial role to play in this respect,” Thijs Smit, ECIIA President, says. “That is because it is in a unique position to provide a helicopter view of an organisation and help develop a forward-thinking strategy on these issues.”
The paper demonstrates how internal audit provides assurance over both financial and non-financial information. That includes assurance on the systems, policies and controls supporting the production of such information – specifically in the areas of sustainability activities and reporting, and non-financial communication.
As a result, internal audit can assure boards on the quality of information contained in reports on non-financial issues and build trust with key stakeholders.
Large public-interest entities with more than 500 employees will need to report on the non-financial aspects of their operations under the Non-Financial Reporting Directive (2014/95/EU), which has been adopted by the European Parliament and must be transposed into national law by the end of 2016, with the first reports covering financial year 2017. The European Commission is organising workshops in Member States to support the transposition of the Directive into national laws.
Starting gun fired for EU data regulation compliance
The European Union has published the final texts of its long-awaited data protection reform: the General Data Protection Regulation (GDPR), which applies directly in all Member States, and the accompanying Data Protection Directive for the police and criminal justice sectors – giving internal auditors two years to help organisations prepare.
“The publication of these documents is the starting gun for companies to get ready for sweeping changes to the way they handle data,” Henrik Stein, ECIIA President, says. “Internal auditors need to ensure that their organisations are ahead in that race.”
Companies need plenty of time to prepare because the GDPR fundamentally reforms data protection. Where consent is the legal basis for processing, companies must obtain freely given, specific and informed consent from individuals as to how their information will be used. Any person has a “right to be forgotten” (the right to erasure), under which he or she can require the data controller to erase their personal data without undue delay and, where the data has been made public, to take reasonable steps to inform other controllers processing it. And many businesses – all public authorities, and any organisation whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data – must appoint a data protection officer.
Getting it wrong attracts potentially high fines – up to 2% or 4% of a company’s annual worldwide turnover (or €10 million or €20 million, whichever is higher), depending on the provision breached.
“Data protection is a growing area of public concern and getting it wrong represents a risk of damage to a company’s reputation, in addition to attracting punishing fines,” Stein said. “The time for action is now.”
While the regulation came into force on 24 May 2016, it applies from 25 May 2018. The directive entered into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
To read the final version of the directive and regulation, click here.
To read the ECIIA’s special report on how internal auditors can prepare for GDPR in European Governance, see pages 9-11.
More communication needed between internal audit and regulators
Regulators should require regular, structured and ongoing dialogue between the competent authorities supervising insurers and the internal auditors working in them, the ECIIA has said in response to a recent consultation by EIOPA (the European Insurance and Occupational Pensions Authority).
That is because internal audit is well placed to provide an independent opinion about the internal controls, risk management and governance of the companies concerned. Almost 8 out of 10 internal auditors in Europe say they follow the three lines of defence model at some level, which enables them to provide objective assurance to their organisations.
“While internal audit’s main line of accountability is to the Audit Committee, it also shares information with the statutory auditors and the regulators,” ECIIA President Henrik Stein said. “Clear and effective communication between all these parties is vital in order to avoid duplication, or gaps, in the overall assurance picture,” he added.
Stein said he would welcome the opportunity to meet with senior EIOPA officials to discuss in more detail the role of internal audit in this area.
Three lines of defence model crucial to success of non-financial reporting
Internal audit can contribute most effectively to the successful implementation of the European Commission’s (EC) directive on non-financial reporting in organisations that have adopted the three lines of defence model of corporate governance, the ECIIA has told the EC.
Independent internal audit departments can help organisations transform their compliance with the directive from a box-ticking exercise to something that improves the accuracy and transparency of information across the entire enterprise.
“Internal audit has a broad view across all the systems and processes in organisations, and an in-depth understanding of risks and controls,” wrote ECIIA President Henrik Stein in the body’s response to the consultation. “This puts it in an ideal position to provide advice, assurance and insight around the reporting of non-financial information.”
As well as continuing to provide assurance to boards and senior management teams on how controls mitigate risks to the organisation, internal audit can also contribute significantly to non-financial reporting, for example, by reviewing:
The underlying processes for the production of the report, including governance
Risks identified in executive and board risk assessments around operational issues, stakeholder relationships, compliance and reputation
Issues of materiality
The balance between conciseness and transparency in the report
The accuracy of the description of the business model in the report.
For further reading on internal audit’s role in non-financial reporting, see:
Internal auditors to create value from non-financial reporting directive
Internal auditors can help companies obtain a holistic and accurate view of their activities by helping to properly implement the European Commission’s new non-financial reporting Directive, said ECIIA Vice President Farid Aractingi at a recent conference organised by ECIIA, ACCA and ecoDa.
“Internal auditors partner with external assurance providers to ensure that engagements are performed efficiently, reliably and cost-effectively,” said Aractingi. “Therefore, they are in a good position not only to help implement the non-financial reporting system but also to ensure that it is not just a box-ticking exercise.”
He added that internal audit’s independence gave it the capacity to say things “bluntly but calmly.” For companies to create successful non-financial reporting practices, internal auditors would need to help develop the appropriate framework and define the KPIs to be included in the report. There is no “one-size-fits-all” solution to the directive, he said.
Nicolas Bernier-Abad, DG FISMA at the European Commission, explained to the conference that the aim of the directive was not to create a new report, but enhance the content of existing management reports on a range of issues – including the environment, social obligations, corruption, bribery and human rights.
“The directive should help explain to the owners of the company what is going on in the business,” he said. “It is necessary to talk about these things in the same way as talking about profit and loss.”
ECIIA calls for stronger corporate governance of cyber risk in EU legislation
Europe’s current legislation on cybersecurity does not include robust corporate governance processes to help businesses manage cyber risks across their operations, ECIIA says.
In its response to the European Commission’s (EC) recent consultation exercise, ECIIA calls on the EC to develop legislation and guidance frameworks that promote integrated, cross-departmental approaches to managing cyber risk. It says a wide range of functions within organisations need to co-ordinate their efforts in this area, including compliance, finance, human resources, internal audit, IT and legal.
“There is a real gap in this area that needs to be plugged,” Henrik Stein, ECIIA President, says. “Without joined up thinking and action on cyber security, businesses are at greater risk than they should be.”
He says that senior management should track and report on the business impact of cyber threats and all risk management activity. “For its part, internal audit evaluates the effectiveness of cyber threat risk management and reports to the audit committee and board on these issues,” he adds.
ECIIA recognises that organisations that operate in multiple jurisdictions face additional problems because reporting requirements remain unharmonised. It says there is a case for developing global best practice and standards to help corporations monitor their global reporting on cyber security and risk effectively.
The ECIIA’s response also comments on the most pressing current cybersecurity risks and those that it believes will become more prominent over the coming five years. Read the full response here.