More specifically speaking, the response continued, management should be in charge of the operational side of the outsourcing arrangements, while risk management and other compliance functions should monitor whether the process is performed properly.
“The internal audit function plays the role of being a third line of defence in such arrangements,” ECIIA Banking Committee Chair Henrik Stein said. “Internal audit must focus on the assurance of the outsourcing framework in terms of the risks that may be being taken.”
“While we believe that EBA’s revision of its guidelines is timely and important, we strongly urge it to reflect best practice by specifically including reference to the three lines of defence governance structure in its new provisions.”
In addition, ECIIA urged EBA to lighten the principles for outsourcing arrangements between different entities within a group of companies because of the lower risk exposure this creates compared to external outsourcing. Similarly, “a distinction should be made for outsourcing services within the European area for those highly-regulated services – such as IT and financial modelling – and other services,” the response to the consultation said.
The ECIIA also said that the role of a risk-based approach to internal audit should be more clearly emphasised. While the document does acknowledge that risk-based assessment should form part of the audit planning process, it also tries to lay down some requirements in the plan in respect of outsourcing arrangements.
“The inclusion of the outsourced arrangements – or otherwise – in the audit plan should be solely dependent on the results of the risk-based assessments carried out by the audit function,” Stein said. “It’s hard to see how that would be helped by prescribing in advance what should be covered.”
EBA’s draft guidelines define which arrangements with third parties are considered as outsourcing and provide criteria for the identification of critical or important functions, which have a stronger impact on the financial institution’s risk profile or on its internal control framework. It says that where such critical or important functions are outsourced, stricter and stronger requirements should apply compared to other outsourcing arrangements.
EBA guidelines need to better reflect internal audit’s proper role
The European Banking Authority’s (EBA) Guidelines on internal governance need to better reflect internal audit’s proper role, the ECIIA has said in its response to a consultation on the issue.
“The general impression given throughout the guidelines is that internal audit is understood solely as a traditional and simple control function, checking and confirming adherence to existing rules,” ECIIA President Henrik Stein says in a letter to EBA. “However, internal audit has developed significantly in the past decade.”
Today, internal audit plays an important supporting role to management across the range of its management and supervisory functions, giving assurance, advice and insight, he adds.
EBA clarifies internal audit’s position as third line of defence
The European Banking Authority (EBA) has adopted important clarifications suggested by ECIIA over the role and position of internal audit in the governance structure of companies looking to adopt sound remuneration policies.
In particular, EBA has said in the final draft of its Guidelines on sound remuneration policies that internal audit should form an independent third line of defence reporting directly to the board so that it can audit the activities of the other control functions.
“We are pleased that EBA has taken our views on board and clarified this important issue,” Henrik Stein, ECIIA President, says. “Reinforcing our members’ role as the independent, third line of defence provides organisations with the confidence that they can rely on the work of internal audit when it comes to assessing the effectiveness of their remuneration policies.”
EBA also clarified the involvement of control functions in assessing the risk profile of organisations and how the control functions should be remunerated, which also drew upon ECIIA’s.
The EBA’s guidelines set out the governance process for implementing sound remuneration policies across the EU and clarify the process for identifying those categories of staff to whom the specific remuneration provisions of the Capital Requirements Directive (CRD IV) apply, including the so-called bonus cap.
Internal auditors do not control, ECIIA tells EBA
The European Banking Authority’s (EBA) guidelines on the common procedures and methodologies it proposes for supervising banks need better clarity over the role of internal audit in the governance structure, says ECIIA.
“The task of the internal audit function is not to control, but to audit (amongst others) the control functions, giving assurance to the board and supervisory bodies,” said the response.
ECIIA says the distinction is essential because it reflects the core task of internal audit to oversee all of the other functions of a bank from a uniquely independent perspective for the board.
“Given that future international teams of inspectors will be working with this extremely helpful paper, it is important to establish a clear understanding of the difference between control systems and the internal audit function,” ECIIA President Thijs Smit says.
ECIIA has written to EBA requesting a number of amendments to the draft guidance.
The EBA’s final guidelines will be applied in the supervision of all institutions across the European Union and represent a step towards forging a consistent supervisory culture across the single market.
EBA says the guidelines provide a common framework for the work of supervisors in their assessment of risks to banks’ business models, their solvency and liquidity. “The guidelines will be a key component of the EU Single Rulebook aimed at improving the functioning of the internal market, including a sound, effective and consistent level of regulation and supervision in the banking sector,” it said.