ECIIA publishes suite of best practice papers for European banks
March 2018

Internal audit can provide the boards and senior managers of European banks with distinctive and strategic assurance over their operations, according to a suite of position papers published by ECIIA. The papers cover a range of topics including internal audit’s role in good governance, audit planning, auditing a group of institutions, auditing outsourced operations, and follow-up monitoring on audit recommendations.

These five position papers are intended as best practice guides to internal auditors and their organisations in a range of areas. Taken together the recommendations in these documents should enhance the ability of internal auditors to give boards and senior managers independent and objective insights into the overall internal control systems and risk management at their institutions.

The papers have been produced by ECIIA’s banking committee, which was set up in 2014 with Chief Audit Executives of European Central Bank Supervised Banks. The documents address issues that require clarification due to recent changes in the way financial institutions are regulated. They are offered as best practice to be adopted or adapted by banks depending on their size, culture and local requirements.

As the third line of defence, internal audit is uniquely positioned to act as a trusted advisor to the board because of its clear understanding of the business’ organisation, mission, vision, strategy and long-term goals.

The papers

Internal audit’s role in good governance: Internal control is an important cornerstone for banks’ long-term sound governance. It should be tailored to the business model, risks and organisational structure. As the third line of defence, reporting to CEOs and the board, internal audit gives an overall assurance on internal control effectiveness including an independent review of risk and control functions as well as insights on efficiency.

Audit planning approach: Managing risks effectively is an essential part of good corporate governance. An important role of each organisation is to identify all the business risks and uncertainties it faces, quickly implement risk-mitigating measures and enhance the system of internal controls. The Chief Audit Executive must establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organisation’s goals – an approach that can be difficult to combine with traditional, cyclical auditing methods. The paper outlines strategies to combine a traditional cyclical approach to internal auditing with a risk-based approach.

Internal audit within a group: the audit departments of banking groups need to deliver consistent and adequate levels of assurance across the group, while considering both group and subsidiary regulatory requirements, with the intention of fostering consolidated supervision across the group.

Internal audit oversight of external outsourcing: the internal audit function has an important role to play in providing assurance over the effectiveness and security of key processes outsourced from banks to third parties. It is crucial that key stakeholders, including management, the board and the bank’s supervisors, can place reliance on the work of internal audit in respect of the risk management of third parties, while at the same time maintaining a reasonable expectation of the extent of the internal audit function’s responsibilities in this area.

Follow-up monitoring: an audit report generally includes the management action defined as a response to the recommendation, together with a due date and an action owner. Every internal audit function should have a process for monitoring follow-up on implementation of management actions. This can be an indicator for the internal audit function’s effectiveness.



Sustainability management moves up a gear
May 2014

The Global Reporting Initiative has retooled its guidance on sustainability reporting in a way that enables companies to manage their activities in this area proactively. As a result, internal auditors could play a more central role in providing assurance on organisations’ sustainability processes.

In the latest issue of the ECIIA’s European Corporate Governance magazine, ECIIA Management Board member Silvio de Girolamo writes that the body’s Sustainability Reporting Guidelines (G4) represent something of a revolution.

“G4 can be seen as nothing less than a thorough-going re-specification of the sustainable approach to business,” he says. “Sustainability reporting no longer aims to just measure the organisation’s impact on the outside world in retrospect, but seeks to develop a full set of tools to detect and interpret that impact in time for the business to take action.”

Also in the edition, in an exclusive interview, MEP Ashley Fox calls for a moratorium on corporate governance reform until the most recent set of European Union rules and regulations have had time to bed in.

“Companies provide the profit and the employment that drive prosperity and we are in danger in the European Union of over-regulating our businesses,” he says.

 Download the issue here.


Devil in the detail
June 2013

Solvency II could provide insurers with sounder balance sheets and better corporate governance regimes. The ECIIA is adding the detail that could help make the directive a success.

Insurers have been gearing up for new solvency rules since the European Commission decided to revise them in its Solvency II Directive (2009/138/EC) back in 2009. The directive aims to strengthen the way that insurers cover their risks and lay down principles that businesses need to adopt to reinforce their balance sheets against potential losses.

Solvency II is not just about balance sheets. The rules will also “for the first time compel insurers specifically to focus on and devote significant resources to the identification, measurement and proactive management of risks,” says the Commission. Regulators, under the Supervisory Review Process, will both check solvency capital and make sure the “risk management and governance systems are adequate to the nature, scale and complexity of the insurer in question,” it says.

The ECIIA is concerned that the guidance is too vague and will lead to duplication of effort and to confusion among boards over their risk assurance. It has published its own guidance – The role of internal audit under Solvency II – to shed light on these issues.

“We think the Solvency II Directive is fine in general, but we think it’s important to be more precise in what the role of internal audit is in the Solvency II context,” says Hans-Joachim Büsselberg, one of the ECIIA report authors.

He says that the guidance has two main aims. First, it will help internal auditors in Europe understand their role in Solvency II. Second, its broader objective is to start a discussion with the European Union, European Parliament, the European Insurance and Occupational Pensions Authority and others over the role of internal audit and what it means in practice.

Download the ECIIA guidance on Solvency II.

Read an in-depth interview with guidance co-author Hans-Joachim Büsselberg.

Avoid regulatory attention
December 2011

Guidance for senior executives on risk can help them avoid additional regulatory attention.

Practical guidance on implementing European company law requirements on risk management, internal control and internal audit can help reduce further regulatory attention, according to the Federation of European Risk Management Associations (FERMA) and ECIIA.

The advice is designed for senior managers and executive committees on practical approaches to support the board and audit committees in meeting their responsibilities under article 41-2b of the EU 8th Company Law Directive: “Monitoring the effectiveness of internal control, internal audit and risk management systems.”

Carolyn Dittmeier, past President of ECIIA, said: “Today, it is crucial for organisations to think clearly about their internal assurance processes to avoid being subject to additional external regulation. The 8th EU Company Law Directive coupled with our papers gives organisations the necessary guidance to enable them to move forward with a governance framework that provides a risk-aware culture to maximise the opportunities of success.”

Jorge Luzzi, President of FERMA, said: “Good governance depends on managers being conscious that good control reinforces management systems. With this Part 2 of the Guidance, ECIIA and FERMA aim to provide senior executives with practical guidance to be adapted to the culture, activities and organisation of their companies.”

The publication offers guidance drawn from the real-life experience of members of FERMA and ECIIA. It takes senior executives through a series of questions that show how they can support the board in managing risks, and making best use of internal control and assurance from internal audit.

The purpose of FERMA and ECIIA in producing Part 2 of the Guidance is not to deliver definitive answers, but to suggest approaches that senior executives can adapt for their companies. This follows Part 1 of the Implementation Guidance on the 8th Company Law Directive for boards and audit committees, released by FERMA and ECIIA in September 2011.

Download Part 1 of the guidance here and Part 2, here.
