Our current views

ECIIA-Our-Current-Views-header
  • A key part of our mission is to be the voice of internal auditing in Europe and to communicate our views to governments, legislators, policy-makers and regulators. Here you can find our opinions on current developments in corporate governance.

    Governance gap in Europe’s cyber laws
    March 2016

    Europe’s current legislation on cybersecurity does not include robust corporate governance processes to help businesses manage cyber risks across their operations, ECIIA says.

    ECIIA calls on the European Commission (EC) to develop legislation and guidance frameworks to promote integrated, cross-departmental approaches to manage cyber risks, in its response to the body’s recent consultation exercise. It says a wide range of partners within organisations need to co-ordinate their efforts in this area including compliance, finance, human resources, internal audit, IT and legal functions.

    “There is a real gap in this area that needs to be plugged,” Henrik Stein, ECIIA President, says. “Without joined up thinking and action on cyber security, businesses are at greater risk than they should be.”

    He says that senior management should track and report on the business impact of cyber threats and all risk management activity. “For its part, internal audit evaluates the effectiveness of cyber threat risk management and reports to the audit committee and board on these issues,” he adds.

    ECIIA recognises that organisations that operate in multiple jurisdictions face additional problems because reporting requirements remain unharmonised. It says there is a case for developing global best practice and standards to help corporations monitor their global reporting on cyber security and risk effectively.

    The ECIIA’s response also comments on the most pressing current cybersecurity risks and those that it believes will become more prominent over the coming five years. Read the full response here.

     

    ECIIA conference 2016 – early bird discount
    February 2016

    Secure your place and an early bird discount a ECIIA’s European Conference on Governance, Risk and Control 2016 – Navigating in rough waters.

    The conference will take place between 6th and 7th October 2016 at Stockholm’s Waterfront Congress Centre. There will be 4 plenary sessions and over 50 parallel sessions covering a wide range of topics. A full schedule will be available soon.

    Click here to secure your early bird price today.

    Tags: conference
    EBA clarifies internal audit’s position as third line of defence
    February 2016

    The European Banking Authority (EBA) has adopted important clarifications suggested by ECIIA over the role and position of internal audit in the governance structure of companies looking to adopt sound remuneration policies.

    In particular, EBA has said in the final draft of its Guidelines on sound remuneration policies that internal audit should form an independent third line of defence reporting directly to the board so that it can audit the activities of the other control functions.

    “We are pleased that EBA has taken our views on board and clarified this important issue,” Henrik Stein, ECIIA President, says. “Reinforcing our members’ role as the independent, third line of defence provides organisations with the confidence that they can rely on the work of internal audit when it comes to assessing the effectiveness of their remuneration policies.”

    EBA also clarified the involvement of control functions in assessing the risk profile of organisations and how the control functions should be remunerated, which also drew upon ECIIA’s.

    The EBA’s guidelines set out the governance process for implementing sound remuneration policies across the EU and clarify the process for identifying those categories of staff to whom the specific remuneration provisions of the Capital Requirements Directive (CRD IV) apply, including the so called bonus cap.

    See ECIIA’s recommendations in full.

     

    Internal auditors should be included in communication between auditors and supervisors
    January 2016

    Internal auditors should be included in the communication process over the scope of work to be undertaken by the statutory auditors and supervisors of credit institutions, the ECIIA has told the European Banking Authority.

    In a written response to the EBA’s consultation on how auditors and supervisors could exchange information better – EBA/CP/2015/17  – ECIIA says: “Communication between competent authorities and statutory auditors, as deemed prudent at any phase of the supervisory or audit processes, may be enhanced by the inclusion of the internal auditors of the credit institution.”

    Since both statutory auditors and supervisors may rely on the work of internal audit, speaking with the function would help provide greater confidence about the activities of internal audit and help to focus work on those areas that most need it.

    ECIIA also says better clarification is needed between the 2nd and 3rd lines of defence by the document.

    It also recommends that the quality of internal audit functions at credit institutions be assessed against how well they comply with International Professional Practices Framework 

    To read the full response, click here.

     

    Internal audit could review corporate tax disclosures
    September 2015

    Internal auditors could play a key role in the European Commission’s (EC) efforts to improve corporate tax transparency by reviewing organisations’ disclosures to the tax authorities, or to the general public, the European Confederation of Institute’s of Internal Auditors says.

    “Internal auditors are ideally placed to give assurance over the contents of the disclosure document and the controls governing the processes in place to generate it,” Thijs Smit, ECIIA President, says, responding to the EC’s consultation on tax transparency. “So we see no need for an external reviewer to check whether the report has been properly compiled and is based on sound data.”

    The Commission is canvassing views on whether all large businesses in the European Union should be required to disclose the tax they pay in every country where they operate, either to the tax authorities, to the public, or to both. At present, they are only required to disclose the total amount of tax paid for all EU countries in which they operate in a consolidated statement.

    The consultation is part of the Commission’s broader Action Plan for Fair and Efficient Corporate Taxation and closed on 9 September. For more details click here.

  • Publications

    Governance gap in Europe’s cyber laws
    March 2016

    Europe’s current legislation on cybersecurity does not include robust corporate governance processes to help businesses manage cyber risks across their operations, ECIIA says.

    ECIIA calls on the European Commission (EC) to develop legislation and guidance frameworks to promote integrated, cross-departmental approaches to manage cyber risks, in its response to the body’s recent consultation exercise. It says a wide range of partners within organisations need to co-ordinate their efforts in this area including compliance, finance, human resources, internal audit, IT and legal functions.

    “There is a real gap in this area that needs to be plugged,” Henrik Stein, ECIIA President, says. “Without joined up thinking and action on cyber security, businesses are at greater risk than they should be.”

    He says that senior management should track and report on the business impact of cyber threats and all risk management activity. “For its part, internal audit evaluates the effectiveness of cyber threat risk management and reports to the audit committee and board on these issues,” he adds.

    ECIIA recognises that organisations that operate in multiple jurisdictions face additional problems because reporting requirements remain unharmonised. It says there is a case for developing global best practice and standards to help corporations monitor their global reporting on cyber security and risk effectively.

    The ECIIA’s response also comments on the most pressing current cybersecurity risks and those that it believes will become more prominent over the coming five years. Read the full response here.

     

    ECIIA conference 2016 – early bird discount
    February 2016

    Secure your place and an early bird discount a ECIIA’s European Conference on Governance, Risk and Control 2016 – Navigating in rough waters.

    The conference will take place between 6th and 7th October 2016 at Stockholm’s Waterfront Congress Centre. There will be 4 plenary sessions and over 50 parallel sessions covering a wide range of topics. A full schedule will be available soon.

    Click here to secure your early bird price today.

    Tags: conference
    EBA clarifies internal audit’s position as third line of defence
    February 2016

    The European Banking Authority (EBA) has adopted important clarifications suggested by ECIIA over the role and position of internal audit in the governance structure of companies looking to adopt sound remuneration policies.

    In particular, EBA has said in the final draft of its Guidelines on sound remuneration policies that internal audit should form an independent third line of defence reporting directly to the board so that it can audit the activities of the other control functions.

    “We are pleased that EBA has taken our views on board and clarified this important issue,” Henrik Stein, ECIIA President, says. “Reinforcing our members’ role as the independent, third line of defence provides organisations with the confidence that they can rely on the work of internal audit when it comes to assessing the effectiveness of their remuneration policies.”

    EBA also clarified the involvement of control functions in assessing the risk profile of organisations and how the control functions should be remunerated, which also drew upon ECIIA’s.

    The EBA’s guidelines set out the governance process for implementing sound remuneration policies across the EU and clarify the process for identifying those categories of staff to whom the specific remuneration provisions of the Capital Requirements Directive (CRD IV) apply, including the so called bonus cap.

    See ECIIA’s recommendations in full.

     

    Internal auditors should be included in communication between auditors and supervisors
    January 2016

    Internal auditors should be included in the communication process over the scope of work to be undertaken by the statutory auditors and supervisors of credit institutions, the ECIIA has told the European Banking Authority.

    In a written response to the EBA’s consultation on how auditors and supervisors could exchange information better – EBA/CP/2015/17  – ECIIA says: “Communication between competent authorities and statutory auditors, as deemed prudent at any phase of the supervisory or audit processes, may be enhanced by the inclusion of the internal auditors of the credit institution.”

    Since both statutory auditors and supervisors may rely on the work of internal audit, speaking with the function would help provide greater confidence about the activities of internal audit and help to focus work on those areas that most need it.

    ECIIA also says better clarification is needed between the 2nd and 3rd lines of defence by the document.

    It also recommends that the quality of internal audit functions at credit institutions be assessed against how well they comply with International Professional Practices Framework 

    To read the full response, click here.

     

    Internal audit could review corporate tax disclosures
    September 2015

    Internal auditors could play a key role in the European Commission’s (EC) efforts to improve corporate tax transparency by reviewing organisations’ disclosures to the tax authorities, or to the general public, the European Confederation of Institute’s of Internal Auditors says.

    “Internal auditors are ideally placed to give assurance over the contents of the disclosure document and the controls governing the processes in place to generate it,” Thijs Smit, ECIIA President, says, responding to the EC’s consultation on tax transparency. “So we see no need for an external reviewer to check whether the report has been properly compiled and is based on sound data.”

    The Commission is canvassing views on whether all large businesses in the European Union should be required to disclose the tax they pay in every country where they operate, either to the tax authorities, to the public, or to both. At present, they are only required to disclose the total amount of tax paid for all EU countries in which they operate in a consolidated statement.

    The consultation is part of the Commission’s broader Action Plan for Fair and Efficient Corporate Taxation and closed on 9 September. For more details click here.

  • ECIIA Activity Report 2015, September 2015

    Audit and risk committees: news from EU legislation and best practices, October 2014

    ECIIA Activity Report 2014, September 2014

    ECIIA and EUROSAI: Coordination and cooperation between supreme audit institutions and internal auditors in the public sector, May 2014

    Improving cooperation between internal and external audit, November 2013

    ECIIA activity report 2013, October 2013

    The future of European governance: key views from key people, October 2013

    Guidance on the role of internal audit under Solvency II, June 2013

    ECIIA and ECODA: Making the most of the internal audit function: Recommendations for directors and board committees, December 2012

    Corporate governance codes on internal audit, June 2012

    Corporate governance insight: Reinforcing audit committee oversight over global assurance and internal audit, May 2012

    ECIIA and FERMA: Guidance on EU 8th company law directive, art 41, part 1, December 2011

    ECIIA and FERMA: Guidance on EU 8th company law directive, art 41, part 2, December 2011

    Insight and Oversight: Guidance for audit committees on governance oversight, October 2011

  • Responses to consultation

    Assurance debate needs wider focus
    June 2014

    Internal and external auditors must work together to provide boards with effective and efficient assurance, says the European Confederation of Institutes of Internal Auditing (ECIIA) in its response to a discussion paper on the topic published by the Federation of European Accountants (FEE).

    FEE’s paper – The Future of Audit and Assurance – asks how audit and assurance quality can be enhanced in the wake of the financial and economic crises. But ECIIA believes that the scope of the debate proposed by the report is too narrow.

    “Our main concern with this document is that it focuses exclusively on the role of external audit in providing assurance to boards and does not recognise the central role also played by other functions such as internal audit and risk,” ECIIA President Thijs Smit says. “An essential aspect of assurance is the way external audit works with these other functions to ensure that boards receive a full and coordinated picture of governance, risk and control,” he says.

    External auditors tend to provide assurance only on an organisation’s financial statements. Internal audit helps governing bodies monitor the effectiveness of the company’s internal control and risk management systems and provides them with independent and objective assurance on governance, risk and control. Boards need assurance on these different aspects of their organisations, the ECIIA says.

    Read the full response here.

    Read the ECIIA’s position paper Improving cooperation between internal and external audit, here.

    Protect auditors who fight money laundering and terrorism
    April 2014

    Chief internal audit executives need better protection from threats, poor treatment and potential terminations of contract to strengthen their role in the fight against money laundering and terrorism, according to the European Confederation of Institute’s of Internal Auditing (ECIIA).

    In its response to the European Parliament’s consultation on a new directive to tackle these issues, ECIIA says that the directive should give explicit protection to auditors who play a crucial role in bringing wrong-doing to the board, executive management, the regulators and the public.

    “The directive should make it clear that chief audit executives should receive all possible protection against threats, adverse treatment and consequences – such as the termination of their contract of employment,” Thijs Smit, ECIIA President says. “Everything possible should be done to strengthen their role, position and independence.”

    That should include the provision of free legal aid, he added.

    High profile internal audit whistle-blowers, such as Cynthia Cooper who discovered a $3.8bn black hole in WorldCom’s accounts in 2002, often come under intense pressure and bullying to make them conceal the truth.

    Given the central role that internal auditors play in uncovering unethical behaviour, ECIIA urged the European Parliament to amend the directive to provide them with explicit protection in its response to consultation on the proposed new measures. 

    Read here.

    Banks need independent internal audit
    June 2013

    The European Banking Association’s (EBA) draft technical standards on recovery plans for credit institutions and investment firms need to ensure the independence of internal audit, ECIIA says.

    The goal of the EBA’s Draft Regulatory Technical Standards is to establish a framework for the recovery and resolution of problems at credit institutions and investment firms. It sets out a Union-wide framework for crisis prevention, management and resolution. These standards only touch the role of internal audit to a minor extent.

    But, says the ECIIA in its response to the EBA’s consultation on the standards, the current wording or suggestions endangers the independence of internal audit and are not in line with Global IIA’s Standards on internal auditing.

    “Article 5 seems to regard the function of a risk committee and the internal audit function as being alternatives in the process of approving the recovery plan,” it says. That suggests that internal audit’s involvement is optional, whereas it should be involved on a consultative basis to develop the recovery plan.

    “But its role must at no point in time be any part of the approval process,” the response says. “Moreover, internal audit must not officially ‘review’ any plan which later it has to audit and on which it must give judgement otherwise its objectivity and independence might be compromised.”

    Internal audit’s review of the recovery plan should occur in the course of its normal auditing activities, the ECIIA adds.

    Download the full response here.

    Three lines of defence
    June 2013

    The three lines of defence model of corporate governance makes the roles and responsibilities for risk management and assurance clear, ECIIA says.

    The comment was made in ECIIA’s response to the European Insurance and Occupational Pensions Authority’s (EIOPA) consultation on its Proposals for Guidelines on the System of Governance.

    “This model is increasingly recognised as an international benchmark to effectively coordinate different organisational functions toward a comprehensive risk management system,” it said in the response.

    The three lines of defence model gives equal weighting to the controls put in place by management, the assessment of those controls, and a final independent review of them by internal audit.

    Download ECIIA’s response.

    Download an explanation of the Three lines of defence model.

    Internal audit should provide “overall assurance” in EU governance
    July 2011

    Internal audit’s role is to provide overall assurance within the European Union’s corporate governance framework, the ECIIA says in its response to the EU Green Paper on the subject.

    It argues that this is in line with the recommendations of the Basel Committee and with existing best practice among all types of businesses.

    Internal audit should “be fully taken advantage of in order to monitor potential conflicts of interest or inconsistences or inefficiencies between control functions such as risk management or compliance and operational units,” it says in its response.

    Given the wide variety of methods available for managing risk, the ECIIA says that it would be useful for the EU to recommend companies to adopt a suitable one and disclose to shareholders the framework they had chosen. It said methods such as those put forward by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) were well known and understood.

    The Confederation also says in its response that the Three Lines of Defense model of corporate governance provided the best explanation of the risk management and assurance responsibilities of management, risk and internal audit.

    Click here for a copy of the response.

Our current viewsPublicationsPublications indexResponses to consultation
Theme author: Web developer Front End Developer Wordpress developer Web developer Front End Developer Wordpress developer Notariusz Szczecin