Responses to Consultation
Internal audit’s central role in the future of corporate reporting
Internal audit has a central role to play in the future of corporate reporting as an adviser on, and a builder and consolidator of, the reporting process itself, according to the ECIIA’s response to a consultation on the issue by the Federation of European Accountants (FEE).
“Internal audit adds value to corporate reporting by providing an informed and independent review on processes, risks and controls,” ECIIA President Henrik Stein said in the confederation’s formal response to FEE.
In the future, developing integrated thinking would be critical if organisations were to be able to present a coherent and comprehensive picture of their long-term strategy and performance, he said. This would require the creation of cross-functional teams, which would include all key areas within the organisation.
He said organisations needed to adopt clear and unambiguous assurance models to report effectively.
“It is necessary for internal and external assurance providers to form a common view on issues of relevance, materiality, accuracy and completeness,” he said. “Combined assurance is needed to achieve an informed view on whether reports are fair and balanced and also to improve efficiency.”
FEE has been consulting on how to evolve corporate reporting in a way that will keep pace with the developing economic reality and address the needs of a wider stakeholder audience.
More communication needed between internal audit and regulators
Regulators should require regular, structured and ongoing dialogue between the competent authorities supervising insurers and the internal auditors working in them, the ECIIA has said in response to a recent consultation by EIOPA (European Insurance and Occupational Pensions Authority).
That is because internal audit is well-placed to provide an independent opinion about the internal controls, risk management and governance of the companies concerned. Almost 8 out of 10 auditors in Europe say they follow the three Lines of Defense Model at some level, which enables them to provide objective assurance to their organisations.
“While internal audit’s main line of accountability is to the Audit Committee, it also shares information with the statutory auditors and the regulators,” ECIIA President Henrik Stein said. “Clear and effective communication between all these parties is vital in order to avoid duplication, or gaps, in the overall assurance picture,” he added.
Stein said he would welcome the opportunity to meet with senior EIOPA officials to discuss in more detail the role of internal audit in this area.
Europe’s current legislation on cybersecurity does not include robust corporate governance processes to help businesses manage cyber risks across their operations, ECIIA says.
ECIIA calls on the European Commission (EC) to develop legislation and guidance frameworks to promote integrated, cross-departmental approaches to manage cyber risks, in its response to the body’s recent consultation exercise. It says a wide range of partners within organisations need to co-ordinate their efforts in this area including compliance, finance, human resources, internal audit, IT and legal functions.
“There is a real gap in this area that needs to be plugged,” Henrik Stein, ECIIA President, says. “Without joined up thinking and action on cyber security, businesses are at greater risk than they should be.”
He says that senior management should track and report on the business impact of cyber threats and all risk management activity. “For its part, internal audit evaluates the effectiveness of cyber threat risk management and reports to the audit committee and board on these issues,” he adds.
ECIIA recognises that organisations that operate in multiple jurisdictions face additional problems because reporting requirements remain unharmonised. It says there is a case for developing global best practice and standards to help corporations monitor their global reporting on cyber security and risk effectively.
The ECIIA’s response also comments on the most pressing current cybersecurity risks and those that it believes will become more prominent over the coming five years.
EBA clarifies internal audit’s position as third line of defence
The European Banking Authority (EBA) has adopted important clarifications suggested by ECIIA over the role and position of internal audit in the governance structure of companies looking to adopt sound remuneration policies.
In particular, EBA has said in the final draft of its Guidelines on sound remuneration policies that internal audit should form an independent third line of defence reporting directly to the board so that it can audit the activities of the other control functions.
“We are pleased that EBA has taken our views on board and clarified this important issue,” Henrik Stein, ECIIA President, says. “Reinforcing our members’ role as the independent, third line of defence provides organisations with the confidence that they can rely on the work of internal audit when it comes to assessing the effectiveness of their remuneration policies.”
EBA also clarified the involvement of control functions in assessing the risk profile of organisations and how the control functions should be remunerated, which also drew upon ECIIA’s.
The EBA’s guidelines set out the governance process for implementing sound remuneration policies across the EU and clarify the process for identifying those categories of staff to whom the specific remuneration provisions of the Capital Requirements Directive (CRD IV) apply, including the so-called bonus cap.
Internal auditors should be included in communication between auditors and supervisors
Internal auditors should be included in the communication process over the scope of work to be undertaken by the statutory auditors and supervisors of credit institutions, the ECIIA has told the European Banking Authority.
In a written response to the EBA’s consultation on how auditors and supervisors could exchange information better – EBA/CP/2015/17 – ECIIA says: “Communication between competent authorities and statutory auditors, as deemed prudent at any phase of the supervisory or audit processes, may be enhanced by the inclusion of the internal auditors of the credit institution.”
Since both statutory auditors and supervisors may rely on the work of internal audit, speaking with the function would help provide greater confidence about the activities of internal audit and help to focus work on those areas that most need it.
ECIIA also says the document needs to distinguish more clearly between the 2nd and 3rd lines of defence.