“Risk managers and internal auditors play an important role of coordination and cooperation to build an effective and resilient cyber security system within an organisation,” ECIIA President Henrik Stein says. “We hope to convince organisations and regulators about the importance of a strong governance model to mitigate cyber risks.”
The guidance outlines a comprehensive risk management approach to cybersecurity, a cyber awareness programme covering everyone in the organisation from top to bottom and, most importantly, the interactions between the three lines of defence that support communication with the board, which is ultimately responsible for overseeing the cyber governance framework.
Cyber risk was the most commonly cited threat by heads of internal audit across Europe regardless of nationality or business sector, according to a new report written by some members of ECIIA.
The EU’s General Data Protection Regulation and the broader challenge of managing data came second in the survey, ‘Risk in focus: hot topics for internal audit 2018’. The pace of innovation businesses face was the third most widely cited risk concern.
“The defining theme of this report is the fundamental impact that technology has in shaping, enabling and disrupting organisations’ operations and strategies,” Farid Aractingi, ECIIA President, said. “This is a pressure that requires internal auditors to learn new skills and adopt innovative tools to bolster their capabilities in an increasingly digital world.”
The report’s research team interviewed chief audit executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK.
Not surprisingly, there were some regional differences. CAEs in the UK and Spain said that political uncertainty could expose their organisations to fresh threats and opportunities. In the UK, these views were largely prompted by the prospect of Brexit; in Spain they arose among multinational businesses that had expanded into Mexico, given the Trump administration’s hostile position towards that country.
Those in the financial services sector showed more concern over regulatory complexity than any other industry. Notably, CAEs at institutions in France, Italy, the Netherlands and Spain cited the continuing development of the European Central Bank’s three-year-old Single Supervisory Mechanism as a risk.
The ECIIA elected Farid Aractingi as President of its management board at the body’s annual conference in Switzerland.
Aractingi (centre in image) was previously Vice President of ECIIA. He is Chief Audit, Risk and Organisation Officer of Renault and a former Chairman of the Board of the IFACI, the French Institute of Internal Auditors, where he is now an honorary member.
“I’m looking forward to building on the great progress ECIIA has made in being the voice of the internal audit profession across Europe,” Aractingi said. “Henrik has done a fantastic job of raising the profession’s profile and authority among our many stakeholders over the past three years. I intend to build upon that firm foundation.”
Henrik Stein stepped down as President.
Thierry Thouvenot (left in image) was elected Vice President. Thouvenot has been IIA Luxembourg Chairman since 2012. Gabrielle Rudolf von Rohr (right in image) was appointed ECIIA Treasurer.
Jens Motel now represents IIA Germany on the board, and Manuel de Alzua represents IIA Spain. The former Yugoslav Republic of Macedonia became an ECIIA member for the first time.
The European Commission has launched measures to strengthen cyber security across Europe.
It proposes to extend the powers of ENISA, Europe’s current cyber agency. In particular, the proposals aim to ensure ENISA is better placed to support member states in implementing the NIS Directive. And the agency will become a centre of expertise on cybersecurity certification, if the proposals are approved.
“ECIIA welcomes the strengthening of cross-border efforts to tackle the growing threat of cybercrime,” Henrik Stein, ECIIA President, says. “A more standardised certification system for ICT products across Europe could help improve assurance and transparency in the market.”
The Commission sees implementation of the NIS Directive as a vital plank in its cyber strategy.
“The NIS Directive is a first essential step with a view to promoting a culture of risk management, by introducing security requirements as legal obligations for the key economic actors,” says the paper.
Internal auditors will play an important role in ensuring organisations comply with the new security requirements and have systems in place to better combat cybercrime.
The cyber security package was issued by the Directorate-General for Communications Networks, Content and Technology.
It builds on the Commission’s objectives to:
Increase the capabilities and preparedness of Member States and businesses
Improve cooperation and coordination across Member States and EU institutions, agencies and bodies
Increase EU-level capabilities to complement the action of Member States, in particular in the case of cross-border cyber crises
Boost awareness of citizens and businesses on cybersecurity issues
Increase the overall transparency of cybersecurity assurance of ICT products and services to strengthen trust in the digital single market and in digital innovation; and
Avoid fragmentation of certification schemes in the EU and of related security requirements and evaluation criteria across Member States and sectors.
Ten years on – greater focus on ethics still needed
Ten years on from the financial crisis a greater focus on ethics is needed in how businesses are exploiting new technologies, according to a recent report from the accountancy body ACCA.
Nearly two thirds of respondents in its recent survey, ‘Ethics and trust in a digital age’, call for strong ethical leadership. Just over half (54%) call for guidance on a new code of ethics for the digital age.
“In the digital age there needs to be more, not less, importance placed on the ethical and professional judgement of individuals,” said Maggie McGhee, Director of Professional Insights at ACCA. “What many are calling for is guidance and leadership on how to respond.”
“All those involved in decision-making levels in business should be aware of how new technologies can affect their reputation and consider how to support their employees in doing the right thing,” she added.
“Internal auditors can help provide leadership in this area,” Henrik Stein, ECIIA President, says. “With their unique oversight role across the business, they are well-placed to objectively assess and investigate the overall ethical impact of digital developments throughout and beyond the organisation.”
The report provides guidance on how internal auditors and accountants can get up to speed in this fast-developing area, including:
Building knowledge of emerging technologies and digital issues to reduce risk of compromise to professional competence and due care
Combining process control with a strategic view to reduce the risk of unintended consequences
Evaluating mechanisms for reporting unethical behaviour to reduce the risk of breaches.
The EC has adopted guidelines to help companies make better disclosure on the environmental and social impact of their activities.
The guidelines aim to help companies develop their non-financial reporting in ways that are more consistent and comparable. The EC says it wants to boost corporate transparency and performance, as well as encourage companies to embrace a more sustainable approach.
“Europe needs to take the lead in making economies greener and more sustainable,” Valdis Dombrovskis, Vice-President responsible for the Euro and Social Dialogue, Financial Stability, Financial Services and Capital Markets Union, said. “By providing relevant information on their environmental and social credentials, companies are doing themselves a favour and helping their investors, lenders and society at large.”
Meanwhile, the EC’s high-level expert group on sustainable finance has published its first report setting out concrete steps to create a financial system that supports sustainable investments. The Commission intends to explore some of the report’s recommendations that may help create a low carbon, more resource-efficient and sustainable economy.
“It will be very important for organisations to have robust processes underpinning their non-financial reporting systems,” Henrik Stein, ECIIA President, said. “Internal audit’s unique oversight position as the third line of defence gives it a critical role to play in helping organisations improve their non-financial reporting capabilities.”
The new guidelines supplement the existing EU rules on non-financial reporting (Directive 2014/95/EU). Companies falling within the Directive’s scope must disclose relevant information on policies, risks and results regarding environmental matters, social and employee-related aspects, respect for human rights, anti-corruption and bribery issues, and diversity on boards of directors.