Publications

ECIIA-Blog-header
EC to update non-financial reporting directive NEW
October 2018

The European Commission (EC) is planning to update its non-binding guidance on how to implement the Non-Financial Reporting Directive and set out proposals for consultation in June 2020. The directive, which affects about 6000 companies in Europe, sets out how organisations can effectively communicate the environmental, social and ethical impacts of their behaviour to stakeholders.

Any new guidance is likely to aim at strengthening the link between the existing directive and the recommendations of the Task Force on Climate-related Financial Disclosures and a forthcoming taxonomy of sustainable economic activities, delegates heard in October at a meeting organised by DG FISMA — Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DG FISMA).

Delegates heard how businesses in different countries had sought to implement the directive. In Germany, for example, companies had used a broad variety of formats to report non-financial data. In addition, 81% of companies had their statements audited with limited assurance, with only half publishing an audit certificate in this area, according to a recent study. A separate study examining 80 companies based in France, Germany and the UK, suggested that while almost all reported on their non-financial reporting policies, there was a lack of connection between the policies and outcomes, key performance indicators and risk .

Finally, the EC presented the results of its own initial consultation on how the directive is being implemented. “Some factors are affecting the effectiveness of the directive include the flexibility of the framework, the materiality definition and the assurance process of the information,” according to Tom Dodd, the B3 policy case officer for corporate transparency.

“While the implementation of the directive is still in its early phases across Europe, it is already clear that companies are struggling with the providing assurance that the data that goes into their non-financial reports is robust and reliable,” Farid Aractingi, ECIIA President, says. “That is clearly an area that internal auditors can help with because of their unique oversight role in their organisations.”

ECIIA has already advocated to DG FISMA that businesses adopt the three lines of defence model of corporate governance. Under the model, the first and second lines of defence are responsible for internal controls and risk management, while internal audit provides independent assurance that those systems are well-designed and functioning properly. “The model puts internal auditors in an ideal position to assist companies in ensuring accuracy in non-financial reporting,” Aractingi says.

Click here for more information on the event and copies of the individual presentations made by participants.

ECIIA General Assembly 2018
October 2018
The ECIIA General Assembly took place on October 6 in Madrid.
The Board of Directors has welcomed a new representative for Italy: Gianfranco Carolia,  Chief Audit Executive of Ferrovie dello Stato Italiane S.p.A., Member of the Audit Committee of FAO, Founding member of AITRA, Member of the Audit Committee of EBU  and Board and Executive Committee Member of IIA Italy.
Farid Aractingi, Chief Audit, Risk and Organisation Officer of Renault, Chairman of Audit Committees (Bank, Distribution) and previous Chairman of the Board of the IFACI, the French Institute of Internal Auditors has been renominated as ECIIA President.
Gabrielle Rudolf von Rohr, Director at the Cantonal Financial Control in Solothurn and President of IIA Switzerland has been renominated as Treasurer of ECIIA.
Verra Marmalidou, Deputy Director at National Bank of Greece Group Internal Audit and President of IIA Greece has been renominated for 2 years as ECIIA Board member.
Tomáš Pivoňka, Chief Audit Executive at CEZ and President of Czech IIA has been renominated for 2 years as Board member.
The ECIIA Annual Report and the advocacy plans for 2018/2019 have been presented at this occasion.
ECIIA publishes suite of best practice papers for European banks
March 2018

Internal audit can provide the boards and senior managers of European banks with distinctive and strategic assurance over their operations, according to a suite of position papers published by ECIIA. The papers cover a range of topics including internal audit’s role in good governance, audit planning, auditing a group of institutions, auditing outsourced operations, and follow-up monitoring on audit recommendations.

These five position papers are intended as best practice guides to internal auditors and their organisations in a range of areas. Taken together the recommendations in these documents should enhance the ability of internal auditors to give boards and senior managers independent and objective insights into the overall internal control systems and risk management at their institutions.

The papers have been produced by ECIIA’s banking committee, which was set up in 2014 with Chief Audit Executives of European Central Bank Supervised Banks. The documents address issues that require clarification due to recent changes in the way financial institutions are regulated. They are offered as best practice to be adopted or adapted by banks depending on their size, culture and local requirements.

Because of its position as the third line of defence, internal audit is uniquely positioned to act as a trusted advisor to the board because of its clear understanding of the business’ organisation, mission, vision, strategy and long-term goals.

The papers

Internal audit’s role in good governance: Internal control is an important cornerstone for banks’ long-term sound governance. It should be tailored to the business model, risks and organisational structure. As the third line of defence, reporting to CEOs and the board, internal audit gives an overall assurance on internal control effectiveness including an independent review of risk and control functions as well as insights on efficiency.

Audit planning approach: To manage risks effectively is an essential part of good corporate governance. An important role of each organisation is to identify all business risks and uncertainties which the organisation faces, quickly implementing risk mitigating measures and enhancing the system of internal controls. The Chief Audit Executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals – an approach that can be difficult to combine with traditional, cyclical auditing methods. The paper outlines strategies to combine a traditional cyclical approach to internal auditing with a risk-based approach.

Internal audit within a group: the audit departments of banking groups need to deliver consistent and adequate levels of assurance across the group, while considering both group and subsidiary regulatory requirements, with the intention of fostering consolidated supervision across the group.

Internal audit oversight of external outsourcing: internal audit function has an important role to play in providing assurance over the effectiveness and security of key processes outsourced from banks to third parties. It is crucial that key stakeholders, including management, the board and the bank’s supervisors can place reliance
on the work of internal audit in respect of the risk management of third parties, while at the same time maintaining a reasonable expectation of the extent of the internal audit function’s responsibilities in this area.

Follow-up monitoring: an audit report generally includes the management action defined as a response to the recommendation, together with a due date and an action owner. Every internal audit function should have a process for monitoring follow-up on implementation of management actions. This can be an indicator for the internal audit function’s effectiveness.

Download:

Internal audit’s role in good governance

Audit planning approach

Internal audit within a group

Internal audit oversight of external outsourcing

Follow-up monitoring

Cyber risk tops internal audit list
October 2017

Cyber risk was the most commonly cited threat by heads of internal audit across Europe regardless of nationality or business sector, according to a new report written by some members of ECIIA.

The EU’s General Data Protection Regulation and the broader challenge of managing data came second in the survey Risk in focus: hot topics for internal audit 2018. The pace of innovation businesses face was the third most widely cited risk concern.

“The defining theme of this report is the fundamental impact that technology has in shaping, enabling and disrupting organisations’ operations and strategies,” Farid Aractingi, ECIIA President said. “This is a pressure that requires internal auditors to learn new skills and adopt innovative tools to bolster their capabilities in an increasingly digital world.”

The report’s research team interviewed chief audit executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK.

Not surprisingly there were some regional differences. CAEs in the UK and Spain said that political uncertainty could expose their organisations to fresh threats and opportunities. In the UK, these views were largely prompted by the prospect of Brexit; in Spain they arose within multinational businesses having expanded into Mexico and the implications of the Trump administration’s hostile position towards the country.

Those in the financial services sector showed more concern over regulatory complexity than any other industry. Notably, for CAEs at institutions in France, Italy, the Netherlands and Spain the continuing development of the European Central Bank’s three-year old Single Supervisory Mechanism was cited as a risk.

For much more, read Risk in focus: hot topics for internal audit 2018

Theme author: Web developer Front End Developer Wordpress developer Web developer Front End Developer Wordpress developer Notariusz Szczecin