News

ECB internal models guide should clarify assurance responsibilities
June 2018

While ECIIA welcomes the European Central Bank’s (ECB) draft guide on internal models for financial services organisations, more clarity is needed in some areas over the role of internal audit and other assurance functions.

In response to the ECB consultation on its proposed guidance, ECIIA has highlighted several areas where a more explicit focus on the difference between the roles of the second and third lines of defence is needed.

For example, ECIIA says that validation of an organisation’s ratings-based approach for calculating how much capital it holds for regulatory purposes should be performed by a second line function – rather than by internal audit, as is currently suggested by the ECB.

“We should avoid overlapping between internal audit and the internal validation activities in order to make efficient the control function activities,” Farid Aractingi, ECIIA President, says. Internal audit’s role is to provide assurance that the validation approach is robust and efficient.

ECIIA also emphasised the need for the ECB to adhere to a risk-based approach when assessing the effectiveness of internal controls around internal models. For example, the ECB has suggested an audit cycle of three years for those areas that did not show signs of increased risk.

“It is inappropriate to impose a minimum frequency of three years, for models or for any other area,” ECIIA said in its submission. “Each bank should be consistent with its own approach combining audit cycle and risk assessment.”

Read the ECB consultation document.

Read ECIIA’s response.

GDPR moves into the next phase
May 2018

Europe’s General Data Protection Regulation came into effect on 25 May after a mammoth effort by organisations throughout Europe and beyond to prepare for the launch date. The regulation gives individuals greater protection over how their data can be collected, processed and retained.

While internal auditors in many organisations will have been helping their organisations prepare for the new requirements, now that the legislation is live, they are more likely to be providing assurance. It is critical that organisations do not lose impetus after all of the hard work it has taken to get their processes off the ground.

“Now that GDPR is live, internal auditors will need to ensure that people throughout their organisations do not become complacent because the new rules are here to stay,” ECIIA President Farid Aractingi says. “Internal auditors are likely to move from a more consulting role to providing assurance over the processes that are now in place.”

Typical areas on which audit can provide assurance include:

  • How adequate and effective are the policies and processes in place as controls?
  • How robust is the organisation’s data governance?
  • Are the right people in the right roles to promote sound data controlling and processing?
  • How rigorous and timely is the reporting of data breaches?
  • Are we fully compliant?
  • How do we learn from incidents?

Auditors will need to consider how GDPR is reflected in their annual audit planning. For example, should GDPR be a consideration for every audit engagement, in the way culture now should be? Is auditing the GDPR control framework also something that should happen across the organisation every two to three years?

Internal auditors are likely to give greater focus to specific areas after implementation. IT and GDPR-specific change programmes are obvious examples, but organisation-wide communications will need to ensure that GDPR stays topical even after the initial rush of activity. That could mean ensuring that human resources and learning and development teams have plans to amend training for existing staff and new joiners. GDPR should remain a significant topic for induction and refresher training.

There are currently gaps in the guidance available, but this will develop as everyone gets to grips with GDPR. Internal auditors should stay abreast of any changes to legislation, guidance and good practice.

For useful resources and information, visit CIIA’s website.


Over-disclosure of information could erode stakeholder trust
May 2018

In the rush to comply with pressure to disclose ever-increasing levels of non-financial information, companies could inadvertently erode stakeholder trust by publishing too much data, delegates heard at the 22nd European Corporate Governance Conference in Sofia this April.

Since statutory auditors in Europe – with the exception of those in Italy and the UK – do not check the content of non-financial reporting, directors may be unaware that they are revealing competitive information. Since an estimated 80% of companies’ value is now intangible, such disclosure could have serious consequences.

“Getting the balance right on disclosure should boost competitive advantage rather than erode it,” Farid Aractingi, ECIIA President says. “There is clearly a potential gap in companies’ control systems that internal auditors are ideally placed to fill.”

Internal auditors have a unique oversight position as the third line of defence in organisations. That means they are ideally placed to help co-ordinate and provide assurance on the quality and relevance of information in non-financial reports.

Additional tools that can help organisations face non-financial disclosure challenges include the Global Reporting Initiative and IFAC’s integrated thinking and reporting resources.

The pressure for increased non-financial disclosure has been seen as part of a societal shift as stakeholders expect organisations to adopt more ethical and responsible strategies. Corporate governance has been responding to these shifts in expectations by expanding its remit to look at the environment, social justice issues and culture.

Boards need to be courageous if they are to rise to the challenge that these pressures present.

EU announces ‘fitness check’ for public reporting framework
March 2018

The ECIIA has welcomed the launch of a ‘fitness check’ consultation on the EU’s public reporting framework for companies.

The consultation will look at whether the framework is fit for purpose, is relevant for meeting the EU’s objectives and adds value at a European level. It will also consider specific aspects of the existing legislation as required by EU law and whether the framework is fit for the future and new challenges such as sustainability and digitalisation.

The Commission is seeking comments from the broadest possible base of stakeholders, in particular providers and users of financial and non-financial information, and the ECIIA says that internal auditors have a key part to play in highlighting any areas that are ripe for change.

“We very much welcome this wide-ranging review into modernising company reporting,” says Farid Aractingi, ECIIA president. “Internal auditors have had an increasing role to play in ensuring the accuracy of reported company data in recent years, and this unique oversight position gives them a crucial role in helping the EU ensure its framework does the job for which it’s intended.”

Europe’s company reporting regime has grown organically over the past 40 years to require broader and deeper levels of information, including recent initiatives to expand the level of non-financial reporting required from larger companies. These additional requirements cover relevant environmental and social information, as well as statements on board diversity.

The consultation asks respondents to rate how effective this diverse range of EU reporting requirements has been in supporting its objectives. Those include ensuring stakeholder protection, developing the internal market, promoting integrated EU capital markets, ensuring financial stability and promoting sustainability.

Looking to the future, it is also essential to consider whether the framework for public reporting is responsive enough to handle new ways of working. Respondents are asked to comment on the challenge of digitalisation and whether the framework takes into account the impact of technology in changing how companies prepare and disseminate corporate reports and the ways investors and the public access and analyse company information.

This fitness check is one of the actions announced in the action plan on financing sustainable growth that builds on the recommendations of the Commission’s High Level Expert Group (HLEG) on sustainable finance. Replies to the consultation will feed into a staff working document on the fitness of the EU framework for public reporting by companies, to be published in 2019.

Responses must be submitted via the online questionnaire. The consultation closes on July 21, 2018.

ECIIA publishes suite of best practice papers for European banks
March 2018

Internal audit can provide the boards and senior managers of European banks with distinctive and strategic assurance over their operations, according to a suite of position papers published by ECIIA. The papers cover a range of topics including internal audit’s role in good governance, audit planning, auditing a group of institutions, auditing outsourced operations, and follow-up monitoring on audit recommendations.

These five position papers are intended as best practice guides to internal auditors and their organisations in a range of areas. Taken together the recommendations in these documents should enhance the ability of internal auditors to give boards and senior managers independent and objective insights into the overall internal control systems and risk management at their institutions.

The papers have been produced by ECIIA’s banking committee, which was set up in 2014 with Chief Audit Executives of European Central Bank Supervised Banks. The documents address issues that require clarification due to recent changes in the way financial institutions are regulated. They are offered as best practice to be adopted or adapted by banks depending on their size, culture and local requirements.

Its position as the third line of defence, together with its clear understanding of the business’ organisation, mission, vision, strategy and long-term goals, makes internal audit uniquely placed to act as a trusted advisor to the board.

The papers

Internal audit’s role in good governance: Internal control is an important cornerstone for banks’ long-term sound governance. It should be tailored to the business model, risks and organisational structure. As the third line of defence, reporting to CEOs and the board, internal audit gives an overall assurance on internal control effectiveness including an independent review of risk and control functions as well as insights on efficiency.

Audit planning approach: Managing risks effectively is an essential part of good corporate governance. An important task for each organisation is to identify all the business risks and uncertainties it faces, quickly implement risk-mitigating measures and enhance its system of internal controls. The Chief Audit Executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals – an approach that can be difficult to combine with traditional, cyclical auditing methods. The paper outlines strategies to combine a traditional cyclical approach to internal auditing with a risk-based approach.

Internal audit within a group: the audit departments of banking groups need to deliver consistent and adequate levels of assurance across the group, while considering both group and subsidiary regulatory requirements, with the intention of fostering consolidated supervision across the group.

Internal audit oversight of external outsourcing: The internal audit function has an important role to play in providing assurance over the effectiveness and security of key processes outsourced from banks to third parties. It is crucial that key stakeholders, including management, the board and the bank’s supervisors, can place reliance on the work of internal audit in respect of the risk management of third parties, while at the same time maintaining a reasonable expectation of the extent of the internal audit function’s responsibilities in this area.

Follow-up monitoring: an audit report generally includes the management action defined as a response to the recommendation, together with a due date and an action owner. Every internal audit function should have a process for monitoring follow-up on implementation of management actions. This can be an indicator for the internal audit function’s effectiveness.

Download:

Internal audit’s role in good governance

Audit planning approach

Internal audit within a group

Internal audit oversight of external outsourcing

Follow-up monitoring
