EC’s climate-related reporting depends on robust governance
February 2019

ECIIA has welcomed the European Commission’s latest proposals on the reporting requirements for businesses relating to how their activities impact the climate. In particular, the document – published by the Technical Expert Group on Sustainable Finance – says that organisations’ reporting methods should depend on how far they are exposed to climate change issues.

The proposal suggests three types of non-binding disclosure, ranging from businesses that should disclose, through those that should consider disclosing, to those that may not need to – all depending on how much their activities impact (or are impacted by) the environment.

“The approach with different layers of reporting for different levels of exposure to climate-related risk is very good because there is no one-size-fits-all solution for this kind of disclosure,” Farid Aractingi, ECIIA President, says.

In its response to the EC’s consultation, ECIIA said that one of the challenges in climate-related, non-financial disclosure is to ensure that controls are effective, that the right things are measured, and that systems and processes are in place to capture the data needed for reporting purposes.

“The quality of those systems and outputs must be, as far as possible, evaluated and stakeholders assured on them,” said ECIIA’s response. “Sound governance, risk management and control processes are a fundamental foundation for good reporting.”

ECIIA supports the integrated thinking and reporting approach contained in the document as a way of coordinating organisational efforts and strategies.

“This can be achieved by ensuring that all layers of the control framework, operational management, specialist compliance and risk management, assurance providers and those with ultimate responsibility for corporate governance are closely aligned,” said the ECIIA’s consultation response. It added that the three lines of defence model was the best way to achieve these aims.

This model puts internal auditors in an ideal position to provide assurance on how well the disclosure mechanisms are working and how well the overall governance processes support climate-related disclosure.

Boards face greater risks
December 2018

Boards of directors are exposed to a wider range of risks and carry more accountability than they did only a decade ago, according to a recent webinar, “Mitigating risks at board level”, hosted by the directors’ body Ecoda.

The speakers agreed that boards’ exposure to risks now goes beyond traditional financial risks and includes those related to privacy, climate change and cultural issues, such as the #MeToo movement. New sets of liability rules for supervisory board members are emerging worldwide, which has led to a common set of expectations and a common approach to accountability, they said.

Those on the panel, Kevin LaCroix (Vice President at RT ProExec), Noëlle Lenoir (Partner, Kramer Levin Naftalis) and Noona Barlow (Head of International Financial Lines Claims at AIG), agreed that with many companies operating globally, it is not only the scope of risks that is growing but also the exposure to multiple jurisdictions. In that context, board members must anticipate possible severe crises, almost having to operate as risk managers and closely review an organisation’s risk mapping.

Directors should ask for, and benefit from, periodic compliance training based on real life examples, the speakers said. Board training is key to providing full awareness of directors’ duties and the legal implications of not complying. Many organisations were turning to chief compliance officers within the company as best practice. Having an open culture in organisations where people could speak up without fear of reprisals was also seen as important.

“Boards that have developed strong and proactive relationships with their heads of internal audit have been able to keep abreast of this wider range of risks more readily,” Farid Aractingi, ECIIA President, said, commenting on the webinar discussion. “Internal audit’s position in the third line of defence gives it an overview of all of the risks a business faces and it can quickly identify control weaknesses and gaps in assurance where they arise. Many heads of internal audit are now seen as trusted advisers on risk to the board.”

Participants were invited to take part in a poll showing what risks are of most concern for their board. Data security (69%) was the most frequently cited issue followed by corruption and bribery (25%), competition and antitrust issues (25%), privacy (19%), climate change (13%) and health issues (9%). Panellists expressed surprise that corruption and bribery did not receive a higher score and that “#MeToo” type concerns were not cited at all.

EC to update non-financial reporting directive
October 2018

The European Commission (EC) is planning to update its non-binding guidance on how to implement the Non-Financial Reporting Directive and set out proposals for consultation in June 2020. The directive, which affects about 6000 companies in Europe, sets out how organisations can effectively communicate the environmental, social and ethical impacts of their behaviour to stakeholders.

Any new guidance is likely to aim at strengthening the link between the existing directive and the recommendations of the Task Force on Climate-related Financial Disclosures and a forthcoming taxonomy of sustainable economic activities, delegates heard in October at a meeting organised by the Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA).

Delegates heard how businesses in different countries had sought to implement the directive. In Germany, for example, companies had used a broad variety of formats to report non-financial data. In addition, 81% of companies had their statements audited with limited assurance, with only half publishing an audit certificate in this area, according to a recent study. A separate study examining 80 companies based in France, Germany and the UK suggested that while almost all reported on their non-financial reporting policies, there was a lack of connection between the policies and outcomes, key performance indicators and risk.

Finally, the EC presented the results of its own initial consultation on how the directive is being implemented. “Some factors affecting the effectiveness of the directive include the flexibility of the framework, the materiality definition and the assurance process of the information,” according to Tom Dodd, the B3 policy case officer for corporate transparency.

“While the implementation of the directive is still in its early phases across Europe, it is already clear that companies are struggling with providing assurance that the data that goes into their non-financial reports is robust and reliable,” Farid Aractingi, ECIIA President, says. “That is clearly an area that internal auditors can help with because of their unique oversight role in their organisations.”

ECIIA has already advocated to DG FISMA that businesses adopt the three lines of defence model of corporate governance. Under the model, the first and second lines of defence are responsible for internal controls and risk management, while internal audit provides independent assurance that those systems are well-designed and functioning properly. “The model puts internal auditors in an ideal position to assist companies in ensuring accuracy in non-financial reporting,” Aractingi says.

Click here for more information on the event and copies of the individual presentations made by participants.

ECIIA General Assembly 2018
October 2018

The ECIIA General Assembly took place on October 6 in Madrid.

The Board of Directors has welcomed a new representative for Italy: Gianfranco Carolia, Chief Audit Executive of Ferrovie dello Stato Italiane S.p.A., Member of the Audit Committee of FAO, Founding member of AITRA, Member of the Audit Committee of EBU and Board and Executive Committee Member of IIA Italy.

Farid Aractingi, Chief Audit, Risk and Organisation Officer of Renault, Chairman of Audit Committees (Bank, Distribution) and previous Chairman of the Board of the IFACI, the French Institute of Internal Auditors, has been renominated as ECIIA President.

Gabrielle Rudolf von Rohr, Director at the Cantonal Financial Control in Solothurn and President of IIA Switzerland, has been renominated as Treasurer of ECIIA.

Verra Marmalidou, Deputy Director at National Bank of Greece Group Internal Audit and President of IIA Greece, has been renominated for 2 years as ECIIA Board member.

Tomáš Pivoňka, Chief Audit Executive at CEZ and President of Czech IIA, has been renominated for 2 years as Board member.

The ECIIA Annual Report and the advocacy plans for 2018/2019 were presented on this occasion.

EBA’s draft regulations on outsourcing need tighter focus
September 2018

The European Banking Authority’s (EBA) draft Guidelines on outsourcing (EBA/CP/2018/11) should place more emphasis on the role of the first and second lines of defence in the oversight of outsourced activities, ECIIA has said in its written response to the consultation.

More specifically, the response continued, management should be in charge of the operational side of the outsourcing arrangements, while risk management and other compliance functions should monitor whether the process is performed properly.

“The internal audit function plays the role of being a third line of defence in such arrangements,” ECIIA Banking Committee Chair Henrik Stein said. “Internal audit must focus on the assurance of the outsourcing framework in terms of the risks that may be being taken.”

“While we believe that EBA’s revision of its guidelines is timely and important, we strongly urge it to reflect best practice by specifically including reference to the three lines of defence governance structure in its new provisions.”

In addition, ECIIA urged EBA to lighten the principles for outsourcing arrangements between different entities within a group of companies because of the lower risk exposure this creates compared to external outsourcing. Similarly, “a distinction should be made for outsourcing services within the European area for those highly-regulated services – such as IT and financial modelling – and other services,” the response to the consultation said.

The ECIIA also said that the role of a risk-based approach to internal audit should be more clearly emphasised. While the document does acknowledge that risk-based assessment should form part of the audit planning process, it also tries to lay down some requirements in the plan in respect of outsourcing arrangements.

“The inclusion of the outsourced arrangements – or otherwise – in the audit plan should be solely dependent on the results of the risk-based assessments carried out by the audit function,” Stein said. “It’s hard to see how that would be helped by prescribing in advance what should be covered.”

EBA’s draft guidelines define which arrangements with third parties are considered as outsourcing and provide criteria for the identification of critical or important functions, which have a stronger impact on the financial institution’s risk profile or on its internal control framework. It says that where such critical or important functions are outsourced, stricter and stronger requirements should apply compared to other outsourcing arrangements.
