Governance gap in Europe’s cyber laws
Europe’s current legislation on cybersecurity does not include robust corporate governance processes to help businesses manage cyber risks across their operations, ECIIA says.
In its response to the European Commission's recent consultation exercise, ECIIA calls on the Commission to develop legislation and guidance frameworks that promote integrated, cross-departmental approaches to managing cyber risk. It says a wide range of functions within an organisation need to co-ordinate their efforts in this area, including compliance, finance, human resources, internal audit, IT and legal.
“There is a real gap in this area that needs to be plugged,” Henrik Stein, ECIIA President, says. “Without joined up thinking and action on cyber security, businesses are at greater risk than they should be.”
He says that senior management should track and report on the business impact of cyber threats and all risk management activity. “For its part, internal audit evaluates the effectiveness of cyber threat risk management and reports to the audit committee and board on these issues,” he adds.
ECIIA recognises that organisations operating in multiple jurisdictions face additional problems because reporting requirements remain unharmonised across countries. It says there is a case for developing global best practice and standards to help corporations monitor their cyber security and risk reporting consistently across all the jurisdictions in which they operate.
The ECIIA’s response also comments on the most pressing current cybersecurity risks and those that it believes will become more prominent over the coming five years.
Non-financial reporting: building trust with internal audit
Internal audit can help organisations build trust with key stakeholders by assuring the quality of the information in their non-financial reports, according to new guidance published by ECIIA – the European Confederation of Institutes of Internal Auditing.
The paper says companies that adopt an integrated approach to assess their financial, environmental, social and other activities will benefit most.
“Internal audit has a crucial role to play in this respect,” Thijs Smit, ECIIA President, says. “That is because it is in a unique position to provide a helicopter view of an organisation and help develop a forward-thinking strategy on these issues.”
The paper demonstrates how internal audit provides assurance over both financial and non-financial information. That includes assurance on the systems, policies and controls supporting the production of such information – specifically in the areas of sustainability activities and reporting, and non-financial communication.
As a result, internal audit can give boards assurance over the quality of the information contained in reports on non-financial issues, and help build trust with key stakeholders.
All large companies will need to report on the non-financial aspects of their operations under the EU’s Non-Financial Reporting Directive, which has been voted on by the European Parliament and must be transposed into national laws by 2017. The European Commission is organising workshops in member states to support the transposition of the Directive into national law.