Blog


Catch up here on our latest news, events and publications

Risk in Focus 2019: Hot topics for internal auditors
September 2018
We are happy to share the third edition of Risk in Focus defining hot topics for Internal Auditors.
This edition is the result of a collaborative effort between seven European institutes of internal auditors in France, Germany, Italy, the Netherlands, Spain, Sweden and the UK and Ireland. As previously, Chief Audit Executives (CAEs) have been interviewed in all of these territories and across sectors as part of the qualitative research into priority risk areas that are expected to be addressed in audit plans for 2019 — and further into the future. To supplement the interview process, this year for the first time a survey was distributed that received 311 responses. The European institutes of internal auditors are immensely grateful to everybody who contributed to this report, both the 300-plus CAEs who responded to the survey and especially the 42 executives who gave up their time to be interviewed.
The 10 priority risk areas internal audit should address in 2019 are:
  1. Cybersecurity: IT governance & third parties
  2. Data protection & strategies in a post-GDPR world
  3. Digitalisation, automation & AI: technology adoption risks
  4. Sustainability: the environment & social ethics
  5. Anti-bribery & anti-corruption compliance
  6. Communications risk: protecting brand & reputation
  7. Workplace culture: discrimination & staff inequality
  8. The new era of trade: protectionism & sanctions
  9. Risk governance & controls: adapting to change
  10. Auditing the right risks: taking a genuine risk-based approach

Find out the detailed results of the study here.

Internal auditors playing greater role in insurance regulation
June 2018

Insurance regulators and supervisors across Europe are increasingly looking to internal auditors to help their organisations achieve the necessary compliance requirements, according to a recent meeting of ECIIA’s insurance committee in Stockholm, Sweden.

While trends in supervision and regulation differ across Europe, many authorities are looking for insurers to strengthen their risk-based approach to compliance. Businesses are also expected to be more forward-looking in their risk analyses.

In some European jurisdictions, supervisory bodies are relying more on internal audit reports than in others. That has led to some regions considering tougher sanctions against internal audit functions if they fail to produce audit reports that are robust and accurate, and it emphasizes the need to define the relation between internal auditors and the supervisory bodies.

The committee identified emerging trends in artificial intelligence, business continuity, data science, IT security, liquid assets, money laundering and outsourcing.

“Clearly, internal auditors in the insurance sector have an increasingly important role to play in helping their organisations satisfy regulatory and supervisory requirements,” ECIIA insurance committee Hervé Gloaguen says. “Our committee is working on a publication that outlines these shifting priorities to keep our members up to date with recent developments.”

The insurance committee is meeting again in October in Madrid – a complete list of the volunteers on the group can be found here.

 

ECB internal models guide should clarify assurance responsibilities
June 2018

While ECIIA welcomes the European Central Bank’s (ECB) draft guide on internal models for financial services organisations, more clarity is needed in some areas over the role of internal audit and other assurance functions.

In response to the ECB consultation on its proposed guidance, ECIIA has highlighted several areas where a more explicit focus on the difference between the roles of the second and third lines of defence is needed.

For example, ECIIA says that validation of an organisation’s ratings-based approach for calculating how much capital it holds for regulatory purposes should be performed by a second line function – rather than by internal audit, as is currently suggested by the ECB.

“We should avoid overlapping between internal audit and the internal validation activities in order to make efficient the control function activities,” Farid Aractingi, ECIIA President, says. Internal audit’s role is to provide assurance that the validation approach is robust and efficient.

ECIIA also emphasised the need for ECB to adhere to a risk-based approach to the effectiveness of internal controls around internal models. For example, ECB has suggested an audit cycle of three years for those areas that did not show signs of increased risk.

“It is inappropriate to impose a minimum frequency of three years, for models or for any other area,” ECIIA said in its submission. “Each bank should be consistent with its own approach combining audit cycle and risk assessment.”

Read the ECB consultation document.

Read ECIIA’s response.

GDPR moves into the next phase
May 2018

Europe’s General Data Protection Regulation came into effect on 25 May after a mammoth effort by organisations throughout Europe and beyond to prepare for the launch date. The regulations give greater protection for individuals over how their data can be collected, processed and retained.

While internal auditors in many organisations will have been helping their organisations prepare for the new requirements, now that the legislation is live, they are more likely to be providing assurance. It is critical that organisations do not lose impetus after all of the hard work it has taken to get their processes off the ground.

“Now that GDPR is live, internal auditors will need to ensure that people throughout their organisations do not become complacent because the new rules are here to stay,” ECIIA President Farid Aractingi says. “Internal auditors are likely to move from a more consulting role to providing assurance over the processes that are now in place.”

Typical areas on which audit can provide assurance include:

  • How adequate and effective are the policies and processes in place as controls?
  • How robust is the organisation’s data governance?
  • Are the right people in the right roles to promote sound data controlling and processing?
  • How rigorous and timely is the reporting of data breaches?
  • Are we fully compliant?
  • How do we learn from incidents?

Auditors will need to consider how GDPR is reflected in their annual audit planning. For example, should GDPR be a consideration for every audit engagement, in the way culture now should be? Is auditing the GDPR control framework also something that should happen across the organisation every two to three years?

Internal auditors are likely to give greater focus to specific areas after implementation. IT and GDPR-specific change programmes are obvious examples, but organisation-wide communications will need to ensure that GDPR stays topical even after the initial rush of activity. That could mean ensuring that human resources and learning and development teams have plans to amend training for existing staff and new joiners. GDPR should remain a significant topic for induction and refresher training.

There are currently gaps in the guidance available, but this will develop as everyone gets to grips with GDPR. Internal auditors should stay abreast of any changes to legislation, guidance and good practice.

For useful resources and information, visit CIIA’s website.

 

 

Over-disclosure of information could erode stakeholder trust
May 2018
In the rush to comply with pressure to disclose ever-increasing levels of non-financial information, companies could inadvertently erode stakeholder trust by publishing too much data, delegates heard at the 22nd European Corporate Governance Conference in Sofia this April.
Since statutory auditors in Europe – with the exception of those in Italy and the UK – do not check the content of non-financial reporting, directors may be unaware that they are revealing competitive information. Since an estimated 80% of companies’ value is now intangible, such disclosure could have serious consequences.
“Getting the balance right on disclosure should boost competitive advantage rather than erode it,” Farid Aractingi, ECIIA President says. “There is clearly a potential gap in companies’ control systems that internal auditors are ideally placed to fill.”
Internal auditors have a unique oversight position as the third line of defence in organisations. That means they are ideally placed to help co-ordinate and provide assurance on the quality and relevance of information in non-financial reports.
Additional tools that can help organisations face non-financial disclosure challenges include the Global Reporting Initiative and IFAC’s integrated thinking and reporting resources.
The pressure on increased non-financial disclosure has been seen as part of a societal shift as stakeholders expect organisations to adopt more ethical and responsible strategies. Corporate governance has been responding to these shifts in expectations by expanding its remit to look at the environment, social justice issues and culture.
Boards need to be courageous if they are to rise to the challenge of these pressures.