EU’s non-audit “blacklist” services include internal audit
Internal audit is now officially on a “blacklist” of services that accountancy firms are forbidden from providing to their statutory audit clients.
The EU’s revised Statutory Audit Directive and its Regulation include measures aimed at strengthening auditor independence, compulsory auditor rotation, a broader role for the audit committee and restrictions to the work that statutory auditors can provide to their clients.
“We fully support the move to make the statutory audit more transparent,” ECIIA President Henrik Stein says. But the rules have serious implications for the way that internal audit is resourced in larger organisations, he adds. Chief audit executives will need to think carefully about the balance between out-sourced internal audit requirements and those provided in-house.
Internal audit will also play a critical role in ensuring the systems put in place to help the audit committee monitor the work of external audit are robust and accurate. “In large organisations, statutory audits can take several months to perform over many legal jurisdictions and it will be a challenge to get this right,” Stein says.
While audit oversight will continue to be conducted at a national level, a new Committee of European Auditing Oversight Bodies will replace the existing European Group of Auditor Oversight Bodies. The precise details of how the latter is to operate are unclear.
Those affected are listed companies and other so-called public interest entities, such as credit institutions and insurers. The European Union’s revised rules on auditing came into effect on 17 June 2016.
The European Confederation of Internal Auditors (ECIIA) welcomes the OECD’s recognition that an independent internal audit function is best placed to assure the integrity of an organisation’s accounting and financial reporting systems.
The OECD says that it is best practice among corporations wishing to demonstrate that risk oversight is in place over such systems to establish an internal audit function that reports directly to an independent audit committee, in a paper – G20/OECD Principles of Corporate Governance – presented to G20 Finance Ministers and Central Bank Governors in September 2015.
“It is considered good practice for the internal auditors to report to an independent audit committee of the board or an equivalent body which is also responsible for managing the relationship with the external auditor, thereby allowing a co-ordinated response by the board,” says the document.
The paper also says that internal audit is ideally placed to oversee an organisation’s internal controls, providing it has direct access to the board. Internal auditors should also provide non-executive board members with timely information on risk to help their decision making.
“We welcome the OECD’s recognition of the key role internal auditors should play in the corporate governance structure of organisations,” Thijs Smit, ECIIA President, says. “An independent internal audit function that reports directly to the board can provide valuable assurance to the business that its controls over its key risks are robust and up-to-date.”
The G20/OECD’s principles are intended to help policy makers evaluate and improve the legal, regulatory, and institutional framework for corporate governance, with a view to support economic efficiency, sustainable growth and financial stability, the report says.
ECIIA and FERMA issue joint guidance for risk and audit committees
Help is at hand for audit and risk committees who are under increasing pressure to comply with a raft of transparency measures enacted by the European Union over the last five years.
ECIIA and the Federation of European Risk Management Associations (FERMA) have launched joint guidance – Audit and risk committees: news from EU legislation and best practices – designed to aid those committees cope with recent revisions to the 8th Company Law Directive. Those changes have affected such areas as gender diversity and remuneration.
The document provides advice on how risk and audit committees should support their boards and receive help from internal auditors and risk managers. It identifies ten possible responsibilities to share between audit and risk committees and is meant to help boards of companies and the chairmen of audit and risk committees to handle the increased EU requirements on financial and non-financial transparency.
“In this changing environment where regulatory and business burdens are increasing, it is important for each organisation to set up an efficient and integrated corporate governance model,” Thijs Smit, ECIIA President, says: “This guidance clarifies the role of each actor of the governance arena and should help all members of risk and audit committees.”
“Overall, the burden for audit committees is increasing and the knowledge requirements of their members is expanding,” FERMA President Julia Graham says. “There is a clear constraint on the time and resources of audit and risk committees when they set their agendas. The support of risk managers and internal auditors has become more relevant than ever to ensure meaningful and qualitative reporting.”
To facilitate the implementation of the more recent Directive on non-financial reporting adopted by the Council of the EU on 29 September 2014, European legislators have required the European Commission to adopt guidelines within the next two years on a methodology for reporting non-financial information.
“In addition to informing the board and senior executives about the best practices and the latest developments, our guidance is also meant to be a first step towards a positive dialogue with the Commission to build these guidelines,” says Graham.
The internal audit profession is moving into an era where it will be expected to provide foresight on the risks facing business, according to Judge Professor Mervyn King, Chairman of the International Integrated Reporting Council.
Speaking at the IIA’s International Conference in London in July 2014, he said the profession was operating at the cutting edge of strategy, sustainability, governance and a whole range of other issues. That provided internal auditors with a unique perspective on their organisations, he said, and gave them the ability to think ahead about risk.
“The purview of internal audit has changed. Internal audit is becoming more insightful and can look at how risks are likely to evolve. It is moving into an era of foresight,” he said.
That would present challenges, he said, including having sufficient resources to operate at this enhanced level. But he said boards were increasingly depending on internal audit to provide assurance on those aspects of the business that made its operations sustainable in the longer term. That overarching perspective was changing the way that internal audit was perceived by audit committees, he said.
He said that investors were increasingly interested in integrated reporting because they wanted to make investment decisions that had long-term validity. The recent economic crisis had highlighted the pitfalls of business strategies that failed to consider the broader impact of their activities on society. “Short-term capitalism doesn’t work,” he said. “We need inclusive capitalism, or sustainable capitalism.”
A good working relationship between the chief audit executive (CAE) and the audit committee chair is key to effective corporate governance, according to Sarah Blackburn, Chief Executive at The Wayside Network Limited, a governance consultancy.
But that relationship worked best if it did not revolve solely around formal meetings and reports, she said during a public sector panel discussion at the IIA’s International Conference in London in July 2014.
“If you can both share your worries informally away from the immediate pressures of the business world, you can help each other raise your games,” she said. “The audit committee chair can help you think in a more strategic way, and you can be their eyes and ears, and to let them know what is going on within the business.”
Tea Enting-Beijering, CAE of the Ministry of Infrastructure and Environment in the Netherlands, agreed: “Having informal meetings helps you build up rapport and to keep up-to-date with key issues.” She said that CAE’s should also consider preparing for meetings with the audit committee chair so that the right questions were raised.
Bruce Turner, Audit Committee Chairman of the IIA’s Public Sector Committee, also on the panel, said that CAE’s had to get a clear understanding of stakeholder expectations as there was often a big gap between what stakeholders wanted and what internal audit provided.
“We need to engage with the audit committee early to help us understand our stakeholder groups and to put systems in place to manage them effectively,” he said. He also said that it was important to have an on-going dialogue with executive managers so that they did not receive a lot of surprises in the CAE’s reports on their activities.
Bruce Sloan, Senior Principal at the Canada Office of the Auditor General, said that having a good relationship with the audit committee chair gave CAE’s an outside presence they could go turn to for help. Stephen Linden, Director of the consultancy Protiviti, said, “Internal audit’s discussion with the chair of the audit committee should help clarify and set stakeholder expectations, and also allow the chair to understand what internal audit can provide, including what its restrictions might be.”