Internal audit can provide the boards and senior managers of European banks with distinctive and strategic assurance over their operations, according to a suite of position papers published by ECIIA. The papers cover a range of topics including internal audit’s role in good governance, audit planning, auditing a group of institutions, auditing outsourced operations, and follow-up monitoring on audit recommendations.
These five position papers are intended as best practice guides for internal auditors and their organisations in a range of areas. Taken together, the recommendations in these documents should enhance the ability of internal auditors to give boards and senior managers independent and objective insights into the overall internal control systems and risk management at their institutions.
The papers have been produced by ECIIA’s banking committee, which was set up in 2014 with Chief Audit Executives of European Central Bank Supervised Banks. The documents address issues that require clarification due to recent changes in the way financial institutions are regulated. They are offered as best practice to be adopted or adapted by banks depending on their size, culture and local requirements.
As the third line of defence, internal audit is uniquely positioned to act as a trusted advisor to the board, thanks to its clear understanding of the business’ organisation, mission, vision, strategy and long-term goals.
Internal audit’s role in good governance: Internal control is an important cornerstone of banks’ long-term sound governance. It should be tailored to the business model, risks and organisational structure. As the third line of defence, reporting to CEOs and the board, internal audit gives overall assurance on internal control effectiveness, including an independent review of risk and control functions as well as insights on efficiency.
Audit planning approach: Managing risks effectively is an essential part of good corporate governance. An important role of each organisation is to identify all the business risks and uncertainties it faces, quickly implementing risk-mitigating measures and enhancing the system of internal controls. The Chief Audit Executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals – an approach that can be difficult to combine with traditional, cyclical auditing methods. The paper outlines strategies for combining a traditional cyclical approach to internal auditing with a risk-based approach.
Internal audit within a group: The audit departments of banking groups need to deliver consistent and adequate levels of assurance across the group, while considering both group and subsidiary regulatory requirements, with the intention of fostering consolidated supervision across the group.
Internal audit oversight of external outsourcing: The internal audit function has an important role to play in providing assurance over the effectiveness and security of key processes outsourced by banks to third parties. It is crucial that key stakeholders, including management, the board and the bank’s supervisors, can place reliance on the work of internal audit in respect of the risk management of third parties, while at the same time maintaining a reasonable expectation of the extent of the internal audit function’s responsibilities in this area.
Follow-up monitoring: An audit report generally includes the management action defined in response to each recommendation, together with a due date and an action owner. Every internal audit function should have a process for monitoring follow-up on the implementation of management actions. This can be an indicator of the internal audit function’s effectiveness.
Cyber risk was the most commonly cited threat by heads of internal audit across Europe regardless of nationality or business sector, according to a new report written by some members of ECIIA.
The EU’s General Data Protection Regulation and the broader challenge of managing data came second in the survey Risk in focus: hot topics for internal audit 2018. The pace of innovation businesses face was the third most widely cited risk concern.
“The defining theme of this report is the fundamental impact that technology has in shaping, enabling and disrupting organisations’ operations and strategies,” Farid Aractingi, ECIIA President, said. “This is a pressure that requires internal auditors to learn new skills and adopt innovative tools to bolster their capabilities in an increasingly digital world.”
The report’s research team interviewed chief audit executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK.
Not surprisingly, there were some regional differences. CAEs in the UK and Spain said that political uncertainty could expose their organisations to fresh threats and opportunities. In the UK, these views were largely prompted by the prospect of Brexit; in Spain they arose among multinational businesses that had expanded into Mexico, given the implications of the Trump administration’s hostile position towards that country.
Those in the financial services sector showed more concern over regulatory complexity than those in any other industry. Notably, CAEs at institutions in France, Italy, the Netherlands and Spain cited the continuing development of the European Central Bank’s three-year-old Single Supervisory Mechanism as a risk.
For much more, read Risk in focus: hot topics for internal audit 2018.
ECIIA and FERMA have launched joint guidance aimed at helping organisations across Europe develop an effective cyber governance framework.
The framework – detailed in At the junction of corporate governance and cybersecurity – enables companies to make consistent and understandable decisions about their security measures, risk management and overall cyber security posture.
“Risk managers and internal auditors play an important role of coordination and cooperation to build an effective and resilient cyber security system within an organisation,” ECIIA President Henrik Stein says. “We hope to convince organisations and regulators about the importance of a strong governance model to mitigate cyber risks.”
The guidance outlines a comprehensive risk management approach to cybersecurity, a cyber awareness programme covering everyone in the organisation from top to bottom and, most importantly, the interactions between the three lines of defence that facilitate communication with the board, which is ultimately responsible for the oversight of the cyber governance framework.