EBA clarifies internal audit’s position as third line of defence
The European Banking Authority (EBA) has adopted important clarifications suggested by ECIIA over the role and position of internal audit in the governance structure of companies looking to adopt sound remuneration policies.
In particular, EBA has said in the final draft of its Guidelines on sound remuneration policies that internal audit should form an independent third line of defence reporting directly to the board so that it can audit the activities of the other control functions.
“We are pleased that EBA has taken our views on board and clarified this important issue,” Henrik Stein, ECIIA President, says. “Reinforcing our members’ role as the independent, third line of defence provides organisations with the confidence that they can rely on the work of internal audit when it comes to assessing the effectiveness of their remuneration policies.”
EBA also clarified the involvement of control functions in assessing the risk profile of organisations and how the control functions should be remunerated, which also drew upon ECIIA’s.
The EBA’s guidelines set out the governance process for implementing sound remuneration policies across the EU and clarify the process for identifying those categories of staff to whom the specific remuneration provisions of the Capital Requirements Directive (CRD IV) apply, including the so-called bonus cap.
The European Banking Authority’s (EBA) proposals on how the remuneration policies of banks are to be monitored need greater clarity if they are to be effective, according to the European Confederation of Institutes of Internal Auditing (ECIIA).
The EBA’s consultation document on the issue (EBA/CP/2015/03) is often unclear over which internal department is best placed to provide overall assurance to the board that its policies and procedures are sound. In particular, it confuses the independent, oversight remit of internal audit with the compliance roles of risk management and control functions.
“The task of the internal audit function is not to control but to work alongside others to audit the control functions, giving assurance to the board and the supervisory bodies that the policies are both well monitored and sound,” Thijs Smit, ECIIA President, says.
Control functions monitor whether the bank’s remuneration policies are in place and followed. Internal audit informs the board whether such monitoring is occurring and effective, and whether policies benchmark against industry best practice.
“It is essential for the EBA’s document to reflect the fact that internal audit is the only function for the board, which is independent of management, that can oversee all of the other functions – including how well risk management and compliance are working,” Smit says.
He says that the most effective way for banks to be sure remuneration policies are working properly is for them to adopt the so-called Three Lines of Defence model of corporate governance. That provides internal audit with the independent remit it requires to perform this critical role.