Our current views

  • A key part of our mission is to be the voice of internal auditing in Europe and to communicate our views to governments, legislators, policy-makers and regulators. Here you can find our opinions on current developments in corporate governance.

    At the junction of corporate governance and cybersecurity
    July 2018

    ECIIA and FERMA have launched joint guidance aimed at helping organisations across Europe develop an effective cyber governance framework.

    The framework – detailed in At the junction of corporate governance and cybersecurity – enables companies to make consistent and understandable decisions about their security measures, risk management and overall cyber security posture.

    “Risk managers and internal auditors play an important role of coordination and cooperation to build an effective and resilient cyber security system within an organisation,” ECIIA President Henrik Stein says. “We hope to convince organisations and regulators about the importance of a strong governance model to mitigate cyber risks.”

    The guidance outlines a comprehensive risk management approach to cybersecurity, a cyber awareness program covering everyone in the organisation from top to bottom and, most important, the interactions between the three lines of defense to facilitate the communication to the board that is ultimately responsible for the oversight of the cyber governance framework.

    Read the guidance here.

    Risk in focus: hot topics for internal audit 2018
    July 2018

    Cyber risk was the most commonly cited threat by heads of internal audit across Europe regardless of nationality or business sector, according to a new report written by some members of ECIIA.

    The EU’s General Data Protection Regulation and the broader challenge of managing data came second in the survey Risk in focus: hot topics for internal audit 2018. The pace of innovation businesses face was the third most widely cited risk concern.

    “The defining theme of this report is the fundamental impact that technology has in shaping, enabling and disrupting organisations’ operations and strategies,” Farid Aractingi, ECIIA President said. “This is a pressure that requires internal auditors to learn new skills and adopt innovative tools to bolster their capabilities in an increasingly digital world.”

    The report’s research team interviewed chief audit executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK.

    Not surprisingly there were some regional differences. CAEs in the UK and Spain said that political uncertainty could expose their organisations to fresh threats and opportunities. In the UK, these views were largely prompted by the prospect of Brexit; in Spain they arose within multinational businesses having expanded into Mexico and the implications of the Trump administration’s hostile position towards the country.

    Those in the financial services sector showed more concern over regulatory complexity than any other industry. Notably, for CAEs at institutions in France, Italy, the Netherlands and Spain the continuing development of the European Central Bank’s three-year-old Single Supervisory Mechanism was cited as a risk.

    For much more, read Risk in focus: hot topics for internal audit 2018

    ECIIA publishes suite of best practice papers for European banks
    March 2018

    Internal audit can provide the boards and senior managers of European banks with distinctive and strategic assurance over their operations, according to a suite of position papers published by ECIIA. The papers cover a range of topics including internal audit’s role in good governance, audit planning, auditing a group of institutions, auditing outsourced operations, and follow-up monitoring on audit recommendations.

    These five position papers are intended as best practice guides to internal auditors and their organisations in a range of areas. Taken together the recommendations in these documents should enhance the ability of internal auditors to give boards and senior managers independent and objective insights into the overall internal control systems and risk management at their institutions.

    The papers have been produced by ECIIA’s banking committee, which was set up in 2014 with Chief Audit Executives of European Central Bank Supervised Banks. The documents address issues that require clarification due to recent changes in the way financial institutions are regulated. They are offered as best practice to be adopted or adapted by banks depending on their size, culture and local requirements.

    As the third line of defence, internal audit is uniquely positioned to act as a trusted advisor to the board because of its clear understanding of the business’ organisation, mission, vision, strategy and long-term goals.

    The papers

    Internal audit’s role in good governance: Internal control is an important cornerstone for banks’ long-term sound governance. It should be tailored to the business model, risks and organisational structure. As the third line of defence, reporting to CEOs and the board, internal audit gives an overall assurance on internal control effectiveness including an independent review of risk and control functions as well as insights on efficiency.

    Audit planning approach: To manage risks effectively is an essential part of good corporate governance. An important role of each organisation is to identify all business risks and uncertainties which the organisation faces, quickly implementing risk mitigating measures and enhancing the system of internal controls. The Chief Audit Executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals – an approach that can be difficult to combine with traditional, cyclical auditing methods. The paper outlines strategies to combine a traditional cyclical approach to internal auditing with a risk-based approach.

    Internal audit within a group: the audit departments of banking groups need to deliver consistent and adequate levels of assurance across the group, while considering both group and subsidiary regulatory requirements, with the intention of fostering consolidated supervision across the group.

    Internal audit oversight of external outsourcing: the internal audit function has an important role to play in providing assurance over the effectiveness and security of key processes outsourced from banks to third parties. It is crucial that key stakeholders, including management, the board and the bank’s supervisors, can place reliance on the work of internal audit in respect of the risk management of third parties, while at the same time maintaining a reasonable expectation of the extent of the internal audit function’s responsibilities in this area.

    Follow-up monitoring: an audit report generally includes the management action defined as a response to the recommendation, together with a due date and an action owner. Every internal audit function should have a process for monitoring follow-up on implementation of management actions. This can be an indicator for the internal audit function’s effectiveness.

    Download:

    Internal audit’s role in good governance

    Audit planning approach

    Internal audit within a group

    Internal audit oversight of external outsourcing

    Follow-up monitoring

    Internal audit’s central role in the future of corporate reporting
    July 2016

    Internal audit has a central role to play in the future of corporate reporting as an adviser on, and a builder and consolidator of the reporting process itself, according to the ECIIA’s response to a consultation on the issue by the Federation of European Accountants (FEE).

    “Internal audit adds value to corporate reporting by providing an informed and independent review on processes, risks and controls,” ECIIA President Henrik Stein said in the confederation’s formal response to FEE.

    In the future, developing integrated thinking would be critical if organisations were to be able to present a coherent and comprehensive picture of their long-term strategy and performance, he said. This would require the creation of cross-functional teams, which would include all key areas within the organisation.

    He said organisations needed to adopt clear and unambiguous assurance models to report effectively.

    “It is necessary for internal and external assurance providers to form a common view on issues of relevance, materiality, accuracy and completeness,” he said. “Combined assurance is needed to achieve an informed view on whether reports are fair and balanced and also to improve efficiency.”

    FEE has been consulting on how to evolve corporate reporting in a way that will keep pace with the developing economic reality and address the needs of a wider stakeholder audience.

    To read ECIIA’s response, click here.

    To visit FEE’s page on corporate reporting, click here.

    More communication needed between internal audit and regulators
    May 2016

    Regulators should require regular, structured and ongoing dialogue between the competent authorities supervising insurers and the internal auditors working in them, the ECIIA has said in response to recent consultation by EIOPA (European Insurance and Occupational Pensions Authority).

    That is because internal audit is well-placed to provide an independent opinion about the internal controls, risk management and governance of the companies concerned. Almost 8 out of 10 auditors in Europe say they follow the three Lines of Defense Model at some level, which enables them to provide objective assurance to their organisations.

    “While internal audit’s main line of accountability is to the Audit Committee, it also shares information with the statutory auditors and the regulators,” ECIIA President Henrik Stein said. “Clear and effective communication between all these parties is vital in order to avoid duplication, or gaps, in the overall assurance picture,” he added.

    Stein said he would welcome the opportunity to meet with senior EIOPA officials to discuss in more detail the role of internal audit in this area.

    Read the ECIIA’s response here.

    Tags: EIOPA, Regulation
  • Publications

    ECIIA Activity Report 2015, September 2015

    Audit and risk committees: news from EU legislation and best practices, October 2014

    ECIIA Activity Report 2014, September 2014

    ECIIA and EUROSAI: Coordination and cooperation between supreme audit institutions and internal auditors in the public sector, May 2014

    Improving cooperation between internal and external audit, November 2013

    ECIIA activity report 2013, October 2013

    The future of European governance: key views from key people, October 2013

    Guidance on the role of internal audit under Solvency II, June 2013

    ECIIA and ECODA: Making the most of the internal audit function: Recommendations for directors and board committees, December 2012

    Corporate governance codes on internal audit, June 2012

    Corporate governance insight: Reinforcing audit committee oversight over global assurance and internal audit, May 2012

    ECIIA and FERMA: Guidance on EU 8th company law directive, art 41, part 1, December 2011

    ECIIA and FERMA: Guidance on EU 8th company law directive, art 41, part 2, December 2011

    Insight and Oversight: Guidance for audit committees on governance oversight, October 2011

  • Responses to consultation

    Internal audit could review corporate tax disclosures
    September 2015

    Internal auditors could play a key role in the European Commission’s (EC) efforts to improve corporate tax transparency by reviewing organisations’ disclosures to the tax authorities, or to the general public, the European Confederation of Institutes of Internal Auditors says.

    “Internal auditors are ideally placed to give assurance over the contents of the disclosure document and the controls governing the processes in place to generate it,” Thijs Smit, ECIIA President, says, responding to the EC’s consultation on tax transparency. “So we see no need for an external reviewer to check whether the report has been properly compiled and is based on sound data.”

    The Commission is canvassing views on whether all large businesses in the European Union should be required to disclose the tax they pay in every country where they operate, either to the tax authorities, to the public, or to both. At present, they are only required to disclose the total amount of tax paid for all EU countries in which they operate in a consolidated statement.

    The consultation is part of the Commission’s broader Action Plan for Fair and Efficient Corporate Taxation and closed on 9 September. For more details click here.

    Bank remuneration monitoring must be clear
    June 2015

    The European Banking Authority’s (EBA) proposals on how the remuneration policies of banks are to be monitored need greater clarity if they are to be effective, according to the European Confederation of Institutes of Internal Auditing (ECIIA).

    The EBA’s consultation document on the issue (EBA/CP/2015/03) is often unclear over which internal department is best placed to provide overall assurance to the board that its policies and procedures are sound. In particular, it confuses the independent, oversight remit of internal audit with the compliance roles of risk management and control functions.

    “The task of the internal audit function is not to control but to work alongside others to audit the control functions, giving assurance to the board and the supervisory bodies that the policies are both well monitored and sound,” Thijs Smit, ECIIA President says.

    Control functions monitor whether the bank’s remuneration policies are in place and followed. Internal audit informs the board whether such monitoring is occurring and effective, and whether policies benchmark against industry best practice.

    “It is essential for the EBA’s document to reflect the fact that internal audit is the only function for the board, which is independent of management, that can oversee all of the other functions – including how well risk management and compliance are working,” Smit says.

    He says that the most effective way for banks to be sure remuneration policies are working properly is for them to adopt the so-called Three Lines of Defence model of corporate governance. That provides internal audit with the independent remit it requires to perform this critical role.

    Download the ECIIA response here.

    ECIIA’s response to Basel Committee on Banking Supervision’s consultation
    January 2015

    The Basel Committee on Banking Supervision’s most recent consultation document – Corporate governance principles for banks – sometimes erroneously describes internal audit as a control function of banks, says the European Confederation of Institutes of Internal Auditing (ECIIA) in its response to the paper.

    This misunderstanding could seriously undermine internal audit’s ability to provide banking boards with objective assurance on the effectiveness of their risk management systems.

    “It is essential for the document to reflect that internal audit is the only independent function for the board that can oversee all other functions and so provide boards with the assurance they need,” ECIIA President Thijs Smit says. “In some paragraphs of the current draft, control functions such as risk and compliance are given the same status as internal audit.”

    While the paper recognises the importance of internal audit’s role as an assurance provider, it fails to distinguish its unique oversight position in the three lines of defence model that the consultation document adopts.

    “As this document will have a core status of reference for the banking sector in Europe, it is vital to have a common view and understanding of the internal audit function as the third line of defence and how it differs from the other lines,” Smit says. “Our comments aim to help clarify the role and function of internal audit and to remove any potential confusion.”

    The Bank for International Settlements, which established the committee, published the proposed guidelines in October 2014. The new recommendations build on the committee’s 2010 paper Principles for enhancing corporate governance.

    Among other things, the committee wishes to strengthen the guidance on risk governance, including the risk management roles played by business units, risk management teams, and internal audit and control functions; underline the importance of a sound risk culture to drive risk management within a bank; and expand the guidance on the role of the board of directors in overseeing the implementation of effective risk management systems.

    For ECIIA’s letter to Basel committee, click here.

    For ECIIA’s detailed response, click here.

    For the committee’s proposals, click here.

    Internal auditors do not control, ECIIA tells EBA
    October 2014

    The European Banking Authority’s (EBA) guidelines on the common procedures and methodologies it proposes for supervising banks need better clarity over the role of internal audit in the governance structure, says ECIIA.

    In its response to the EBA’s consultation on Draft Guidelines for common procedures and methodologies for the supervisory review and evaluation process under Article 107 (3) of Directive 2013/36/EU, ECIIA said that the body was wrong to describe internal audit as part of the internal control systems of financial institutions.

    “The task of the internal audit function is not to control, but to audit (amongst others) the control functions, giving assurance to the board and supervisory bodies,” said the response.

    ECIIA says the distinction is essential because it reflects the core task of internal audit to oversee all of the other functions of a bank from a uniquely independent perspective for the board.

    “Given that future international teams of inspectors will be working with this extremely helpful paper, it is important to establish a clear understanding of the difference between control systems and the internal audit function,” ECIIA President Thijs Smit says.

    ECIIA has written to EBA requesting a number of amendments to the draft guidance.

    The EBA’s final guidelines will be applied in the supervision of all institutions across the European Union and represent a step towards forging a consistent supervisory culture across the single market. 

    EBA says the guidelines provide a common framework for the work of supervisors in their assessment of risks to banks’ business models, their solvency and liquidity. “The guidelines will be a key component of the EU Single Rulebook aimed at improving the functioning of the internal market, including a sound, effective and consistent level of regulation and supervision in the banking sector,” it said.

    Download consultation response

    Internal audit’s independence must be clearly defined under Solvency II
    September 2014

    Internal audit must be unambiguously independent if it is to play an effective role under Europe’s new regulatory regime for insurers known as Solvency II, according to the European Confederation of Institutes of Internal Auditing (ECIIA).

    Guidelines issued on the implementation of Solvency II by the European Insurance and Occupational Pensions Authority (EIOPA) demand explicit segregation of responsibility between the different governance functions, which ECIIA welcomes. But the consultation document in which these responsibilities are set out needs to be more specific about how the independence of internal audit is to be achieved.

    “One of the main tasks of internal audit is to audit the system of governance,” the ECIIA says in its response to EIOPA’s consultation paper on the subject. “This includes auditing other key functions such as risk management, compliance and the actuarial function and, therefore, internal audit has to be kept separate from these functions.”

    It says that key to internal audit’s independence are its relationship with the audit committee – which must be direct and confidential, where necessary – and the right to audit any part of the insurance business without limitation or influence from management. Internal audit should also report functionally to the board and operationally to the organisation’s chief executive officer, it says.

    EIOPA has issued five sets of draft guidelines and an impact assessment relating to large areas of pillars 1 and 2 of the new regime, which is expected to come into force in 2016. Elements covered by the drafts include use of internal models, system of governance and own risks and solvency assessment (ORSA), supervisory review processes and methodology for equivalence assessments.

    Although non-binding, EIOPA’s guidelines are intended to ensure common, uniform and consistent application of the new regime by national supervisors and affected financial institutions.

    Read ECIIA’s response here.
