three lines of defence

ECIIA-Blog-header
EBA’s draft regulations on outsourcing need tighter focus
September 2018

The European Banking Authority’s (EBA) draft Guidelines on outsourcing (EBA/CP/2018/11) should give more emphasis on the role of the first and second lines of defence in the oversight of outsourced activities, ECIIA has said in its written response to the consultation.

More specifically speaking, the response continued, management should be in charge of the operational side of the outsourcing arrangements, while risk management and other compliance functions should monitor whether the process is performed properly.

“The internal audit function plays the role of being a third line of defence in such arrangements,” ECIIA Banking Committee Chair Henrik Stein said. “Internal audit must focus on the assurance of the outsourcing framework in terms of the risks that may be being taken.”

“While we believe that EBA’s revision of its guidelines are timely and important, we strongly urge it to reflect best practice by specifically including reference to the three lines of defence governance structure in its new provisions.”

In addition, ECIIA urged EBA to lighten the principles for outsourcing arrangements between different entities within a group of companies because of the lower risk exposure this creates compared to external outsourcing. Similarly, “a distinction should be made for outsourcing services within the European area for those highly-regulated services – such as IT and financial modelling – and other services,” the response to the consultation said.

The ECIIA also said that the role of a risk-based approach to internal audit should be more clearly emphasised. While the document does acknowledge the that risk-based assessment should form part of the audit planning process, it also tries to lay down some requirements in the plan in respect of outsourcing arrangements.

“The inclusion of the outsourced arrangements – or otherwise – in the audit plan should be solely dependent on the results of the risk-based assessments carried by the audit function,” Stein said. “It’s hard to see how that would be helped by prescribing in advance what should be covered.”

EBA’s draft guidelines define which arrangements with third parties are considered as outsourcing and provide criteria for the identification of critical or important functions, which have a stronger impact on the financial institution’s risk profile or on its internal control framework. It says that where such critical or important functions are outsourced, stricter and stronger requirements should apply compared to other outsourcing arrangements.

Auditors must remain vigilant NEW
October 2017

Internal auditors need to remain vigilant following recent data showing that macro risks, such as economic growth and the state of monetary policy, weigh heavily on the minds of chief executives in the insurance sector.

“Despite some positive developments, the continuing low-yield environment and the observation that market fundamentals might not properly reflect the underlying credit risk, are still important concerns for the European insurance industry,“ says European Insurance and Occupational Pensions Authority’s (EIOPA) quarterly risk dashboard.

This risk dashboard is based on EIOPA’s analysis of Solvency II data and represents the main risks and vulnerabilities in the European Union insurance sector.

“Internal auditors will welcome the headline news that the risk environment remains constant,” Hervé Gloaguen, chairman of ECIIA’s Insurance Committee. “But the continuing low interest rate environment, political instability in some countries, and the impact of adverse weather events mean that auditors need to be on their guard.”

It is important that internal auditors are positioned within each company to provide objective assurance over key risks. That is best achieved through the three lines of defence model of corporate governance, he added.

 

Theme author: Web developer Front End Developer Wordpress developer Web developer Front End Developer Wordpress developer Notariusz Szczecin