EC to update non-financial reporting directive
The European Commission (EC) is planning to update its non-binding guidance on how to implement the Non-Financial Reporting Directive and set out proposals for consultation in June 2020. The directive, which affects about 6000 companies in Europe, sets out how organisations can effectively communicate the environmental, social and ethical impacts of their behaviour to stakeholders.
Delegates heard how businesses in different countries had sought to implement the directive. In Germany, for example, companies had used a broad variety of formats to report non-financial data. In addition, 81% of companies had their statements audited with limited assurance, with only half publishing an audit certificate in this area, according to a recent study. A separate study examining 80 companies based in France, Germany and the UK suggested that while almost all reported on their non-financial reporting policies, there was a lack of connection between the policies and outcomes, key performance indicators and risk.
Finally, the EC presented the results of its own initial consultation on how the directive is being implemented. “Some factors affecting the effectiveness of the directive include the flexibility of the framework, the materiality definition and the assurance process of the information,” according to Tom Dodd, the B3 policy case officer for corporate transparency.
“While the implementation of the directive is still in its early phases across Europe, it is already clear that companies are struggling with providing assurance that the data that goes into their non-financial reports is robust and reliable,” Farid Aractingi, ECIIA President, says. “That is clearly an area that internal auditors can help with because of their unique oversight role in their organisations.”
ECIIA has already advocated to DG FISMA that businesses adopt the three lines of defence model of corporate governance. Under the model, the first and second lines of defence are responsible for internal controls and risk management, while internal audit provides independent assurance that those systems are well-designed and functioning properly. “The model puts internal auditors in an ideal position to assist companies in ensuring accuracy in non-financial reporting,” Aractingi says.
The ECIIA General Assembly took place on October 6 in Madrid.
The Board of Directors has welcomed a new representative for Italy: Gianfranco Carolia, Chief Audit Executive of Ferrovie dello Stato Italiane S.p.A., Member of the Audit Committee of FAO, Founding member of AITRA, Member of the Audit Committee of EBU and Board and Executive Committee Member of IIA Italy.
Farid Aractingi, Chief Audit, Risk and Organisation Officer of Renault, Chairman of Audit Committees (Bank, Distribution) and previous Chairman of the Board of the IFACI, the French Institute of Internal Auditors, has been renominated as ECIIA President.
Gabrielle Rudolf von Rohr, Director at the Cantonal Financial Control in Solothurn and President of IIA Switzerland, has been renominated as Treasurer of ECIIA.
Verra Marmalidou, Deputy Director at National Bank of Greece Group Internal Audit and President of IIA Greece, has been renominated for 2 years as ECIIA Board member.
Tomáš Pivoňka, Chief Audit Executive at CEZ and President of Czech IIA, has been renominated for 2 years as Board member.
More specifically, the response continued, management should be in charge of the operational side of the outsourcing arrangements, while risk management and other compliance functions should monitor whether the process is performed properly.
“The internal audit function plays the role of being a third line of defence in such arrangements,” ECIIA Banking Committee Chair Henrik Stein said. “Internal audit must focus on the assurance of the outsourcing framework in terms of the risks that may be being taken.”
“While we believe that EBA’s revision of its guidelines is timely and important, we strongly urge it to reflect best practice by specifically including reference to the three lines of defence governance structure in its new provisions.”
In addition, ECIIA urged EBA to lighten the principles for outsourcing arrangements between different entities within a group of companies because of the lower risk exposure this creates compared to external outsourcing. Similarly, “a distinction should be made for outsourcing services within the European area for those highly-regulated services – such as IT and financial modelling – and other services,” the response to the consultation said.
The ECIIA also said that the role of a risk-based approach to internal audit should be more clearly emphasised. While the document does acknowledge that risk-based assessment should form part of the audit planning process, it also tries to lay down some requirements in the plan in respect of outsourcing arrangements.
“The inclusion of the outsourced arrangements – or otherwise – in the audit plan should be solely dependent on the results of the risk-based assessments carried out by the audit function,” Stein said. “It’s hard to see how that would be helped by prescribing in advance what should be covered.”
EBA’s draft guidelines define which arrangements with third parties are considered as outsourcing and provide criteria for the identification of critical or important functions, which have a stronger impact on the financial institution’s risk profile or on its internal control framework. It says that where such critical or important functions are outsourced, stricter and stronger requirements should apply compared to other outsourcing arrangements.
ECB internal models guide should clarify assurance responsibilities
While ECIIA welcomes the European Central Bank’s (ECB) draft guide on internal models for financial services organisations, more clarity is needed in some areas over the role of internal audit and other assurance functions.
In response to the ECB consultation on its proposed guidance, ECIIA has highlighted several areas where a more explicit focus on the difference between the roles of the second and third lines of defence are needed.
For example, ECIIA says that validation of an organisation’s ratings-based approach for calculating how much capital it holds for regulatory purposes should be performed by a second line function – rather than by internal audit, as is currently suggested by the ECB.
“We should avoid overlapping between internal audit and the internal validation activities in order to make efficient the control function activities,” Farid Aractingi, ECIIA President, says. Internal audit’s role is to provide assurance that the validation approach is robust and efficient.
ECIIA also emphasised the need for ECB to adhere to a risk-based approach to the effectiveness of internal controls around internal models. For example, ECB has suggested an audit cycle of three years for those areas that did not show signs of increased risk.
“It is inappropriate to impose a minimum frequency of three years, for models or for any other area,” ECIIA said in its submission. “Each bank should be consistent with its own approach combining audit cycle and risk assessment.”
Europe’s General Data Protection Regulation came into effect on 25 May after a mammoth effort by organisations throughout Europe and beyond to prepare for the launch date. The regulation gives individuals greater protection over how their data can be collected, processed and retained.
While internal auditors in many organisations will have been helping their organisations prepare for the new requirements, now that the legislation is live, they are more likely to be providing assurance. It is critical that organisations do not lose impetus after all of the hard work it has taken to get their processes off the ground.
“Now that GDPR is live, internal auditors will need to ensure that people throughout their organisations do not become complacent because the new rules are here to stay,” ECIIA President Farid Aractingi says. “Internal auditors are likely to move from a more consulting role to providing assurance over the processes that are now in place.”
Typical areas on which audit can provide assurance include:
How adequate and effective are the policies and processes in place as controls?
How robust is the organisation’s data governance?
Are the right people in the right roles to promote sound data controlling and processing?
How rigorous and timely is the reporting of data breaches?
Are we fully compliant?
How do we learn from incidents?
Auditors will need to consider how GDPR is reflected in their annual audit planning. For example, should GDPR be a consideration for every audit engagement, in the way culture now should be? Is auditing the GDPR control framework also something that should happen across the organisation every two to three years?
Internal auditors are likely to give greater focus on specific areas after implementation. IT and GDPR-specific change programmes are obvious examples, but organisation-wide communications will need to ensure that GDPR stays topical even after the initial rush of activity. That could mean ensuring that human resources and learning and development teams have plans to amend training for existing staff and new joiners. GDPR should remain a significant topic for induction and refresher training.
There are currently gaps in the guidance available, but this will develop as everyone gets to grips with GDPR. Internal auditors should stay abreast of any changes to legislation, guidance and good practice.