EBA’s draft regulations on outsourcing need tighter focus
September 2018

The European Banking Authority’s (EBA) draft Guidelines on outsourcing (EBA/CP/2018/11) should place more emphasis on the role of the first and second lines of defence in the oversight of outsourced activities, ECIIA has said in its written response to the consultation.

More specifically, the response continued, management should be in charge of the operational side of the outsourcing arrangements, while risk management and other compliance functions should monitor whether the process is performed properly.

“The internal audit function plays the role of being a third line of defence in such arrangements,” ECIIA Banking Committee Chair Henrik Stein said. “Internal audit must focus on the assurance of the outsourcing framework in terms of the risks that may be being taken.”

“While we believe that EBA’s revision of its guidelines is timely and important, we strongly urge it to reflect best practice by specifically including reference to the three lines of defence governance structure in its new provisions.”

In addition, ECIIA urged EBA to lighten the principles for outsourcing arrangements between different entities within a group of companies because of the lower risk exposure this creates compared to external outsourcing. Similarly, “a distinction should be made for outsourcing services within the European area for those highly-regulated services – such as IT and financial modelling – and other services,” the response to the consultation said.

The ECIIA also said that the role of a risk-based approach to internal audit should be more clearly emphasised. While the document does acknowledge that risk-based assessment should form part of the audit planning process, it also tries to lay down some requirements in the plan in respect of outsourcing arrangements.

“The inclusion of the outsourced arrangements – or otherwise – in the audit plan should be solely dependent on the results of the risk-based assessments carried out by the audit function,” Stein said. “It’s hard to see how that would be helped by prescribing in advance what should be covered.”

EBA’s draft guidelines define which arrangements with third parties are considered as outsourcing and provide criteria for the identification of critical or important functions, which have a stronger impact on the financial institution’s risk profile or on its internal control framework. It says that where such critical or important functions are outsourced, stricter and stronger requirements should apply compared to other outsourcing arrangements.

GDPR moves into the next phase
May 2018

Europe’s General Data Protection Regulation came into effect on 25 May after a mammoth effort by organisations throughout Europe and beyond to prepare for the launch date. The regulations give greater protection for individuals over how their data can be collected, processed and retained.

While internal auditors in many organisations will have been helping their organisations prepare for the new requirements, now that the legislation is live, they are more likely to be providing assurance. It is critical that organisations do not lose impetus after all of the hard work it has taken to get their processes off the ground.

“Now that GDPR is live, internal auditors will need to ensure that people throughout their organisations do not become complacent because the new rules are here to stay,” ECIIA President Farid Aractingi says. “Internal auditors are likely to move from a more consulting role to providing assurance over the processes that are now in place.”

Typical areas on which audit can provide assurance include:

  • How adequate and effective are the policies and processes in place as controls?
  • How robust is the organisation’s data governance?
  • Are the right people in the right roles to promote sound data controlling and processing?
  • How rigorous and timely is the reporting of data breaches?
  • Are we fully compliant?
  • How do we learn from incidents?

Auditors will need to consider how GDPR is reflected in their annual audit planning. For example, should GDPR be a consideration for every audit engagement, in the way culture now should be? Is auditing the GDPR control framework also something that should happen across the organisation every two to three years?

Internal auditors are likely to give greater focus on specific areas after implementation. IT and GDPR-specific change programmes are obvious examples, but organisation-wide communications will need to ensure that GDPR stays topical even after the initial rush of activity. That could mean ensuring that human resources and learning and development teams have plans to amend training for existing staff and new joiners. GDPR should remain a significant topic for induction and refresher training.

There are currently gaps in the guidance available, but this will develop as everyone gets to grips with GDPR. Internal auditors should stay abreast of any changes to legislation, guidance and good practice.

For useful resources and information, visit CIIA’s website.

 

 

Internal auditors must speak out on governance
December 2017

ECIIA President Farid Aractingi tells the newspaper Les Echos-Cecile Desjardin that auditors must speak out on governance. Here is a translated transcript.

What are the current challenges for the European Confederation of Institutes of Internal Auditing?

Working with others, internal auditors are important actors in a governance system that works towards creating sustainable performance. Governance is not an abstract principle dedicated only to ticking boxes in a regulatory framework. It requires a search for balance between the different actors of an organization. Those include the chairman, the CEO, and more generally between the board and the CEO. It also includes finding a balance between regulatory compliance and efficiency. This balance is guaranteed by the three main actors that build the governance system in an organisation: internal audit, risk management and internal controls. We serve the management but also inform them about any issues using our independent viewpoint.

At European level, it means that our profession must speak about corporate governance by, for example, participating in consultations on proposed European Directives, speaking during conferences, issuing discussion papers and guidance either produced solely by ECIIA or with our colleagues in other professional bodies – such as the Federation of European Risk Management Associations (FERMA).

Thanks to our oversight position over so many organisations’ operations, we can provide our unique perspective and recommendations to the European regulations on various issues, such as the management of personal data (GDPR), cybersecurity and audit reform.

How has internal audit evolved over the past few years?

Today, the profession is focused on five distinctive topics: independence, cross functionality, the discipline of execution, exercising pragmatic courage, and fulfilling our role as guardians of the temple of internal controls. Besides technical skills, soft skills are very important. Auditors must develop their capacity to manage contradictions. We must, at the same time: analyse and summarise; recommend control processes and innovate; understand deeply the business while retaining some “naiveté”; communicate verbally and on paper; and navigate between transparency and confidentiality.

All these changes have transformed internal auditors into a robust and well-equipped business partner, supported by both a panoramic 360° vision and a proven methodology, able to make a reliable, independent diagnosis about the issues of the organisation, and to be able to advise. To “win our seat at the table” means being heard by the board and the CEO. To achieve that we must always be more professional, a good communicator, flexible and reactive, with our global vision, searching for the best within all organisations.

Is the profession still attractive?

It depends from one country to the other. Today, more people want to become internal auditors in Athens or Istanbul than in Paris. Our ability to attract people into the profession is declining in Western Europe where internal audit departments have difficulties recruiting new people, although many young people are looking for a job. The profession requests discipline, rigour and a respect of methodologies. It requires flexibility, deadline management, as well as team work and stand-alone work. Maybe this is not in line with the expectations of new generations of workers.

Internal audit is very satisfactory intellectually, though. It is a training school in various domains where we can learn quickly as we change engagements every five to six weeks on average. The profession provides a good “social lift” for those passing through it, a period for developing discernment, and it is an extraordinary starting point to begin from in an organisation. After four years’ experience in internal audit, people can do anything and have a better idea of which area they want to work.

Non-financial reporting proposals move a step closer
October 2016

The European Commission’s DG FISMA has provided greater clarity over the likely content of its proposed guidelines on non-financial reporting, following meetings with ECIIA in September.

Officials at the directorate have confirmed non-financial reporting mechanisms should form part of the overall management reporting system, and that its scope should be similar to existing rules on financial disclosure. In addition, businesses will be encouraged to comment on the effectiveness of their corporate governance framework, and to publicly describe their principal risks and how they are being managed and mitigated.

“We have had constructive dialogue with officials at DG FISMA and emphasised the need for good risk management and internal controls,” ECIIA President Henrik Stein said. “Internal auditors have a critical role to play in the reliability of their organisation’s non-financial reporting because without timely and accurate information Boards and other stakeholders will be unable to depend on the reports’ contents.”

The directorate agreed that providing assurance on an organisation’s non-financial mechanisms was important, but has not specified the exact process for achieving that aim because, it said, that was beyond the scope of the current directive. Under the guidelines, external auditors will provide limited assurance by confirming that the organisation has prepared such a report.

“This is a great opportunity for internal auditors to provide leadership by helping the Board achieve the levels of assurance they need over their non-financial reporting systems,” Stein said.

The Directive should be finalised by the end of December 2016 and the detailed guidance completed by the end of December 2017.

Read more on the expected details of the directive here.

Internal audit’s central role in the future of corporate reporting
July 2016

Internal audit has a central role to play in the future of corporate reporting as an adviser on, and a builder and consolidator of, the reporting process itself, according to the ECIIA’s response to a consultation on the issue by the Federation of European Accountants (FEE).

“Internal audit adds value to corporate reporting by providing an informed and independent review on processes, risks and controls,” ECIIA President Henrik Stein said in the confederation’s formal response to FEE.

In the future, developing integrated thinking would be critical if organisations were to be able to present a coherent and comprehensive picture of their long-term strategy and performance, he said. This would require the creation of cross-functional teams, which would include all key areas within the organisation.

He said organisations needed to adopt clear and unambiguous assurance models to report effectively.

“It is necessary for internal and external assurance providers to form a common view on issues of relevance, materiality, accuracy and completeness,” he said. “Combined assurance is needed to achieve an informed view on whether reports are fair and balanced and also to improve efficiency.”

FEE has been consulting on how to evolve corporate reporting in a way that will keep pace with the developing economic reality and address the needs of a wider stakeholder audience.

To read ECIIA’s response, click here.

To visit FEE’s page on corporate reporting, click here.
