Enhancing governance through internal audit www.eciia.eu

Trends in European Governance and Internal Audit

Martin Stevens CIA, CFSA, CRMA



Trends in European Governance and Internal Audit

1. The ECIIA

a) PAC

b) Magazine

c) Publications

2. Specific focus areas

a) 3 LoD and beyond

b) Integrated reporting

c) Social media and cyber security

d) Role of IA in the financial sector

e) Risk culture

f) Data privacy

3. Conclusion


1. The ECIIA


1. European Confederation of Institutes of Internal Auditing (ECIIA)

The ECIIA represents the Internal Audit profession across Europe and the Mediterranean basin:

• 36 countries

• 40,000 members

Our mission is to promote the Internal Audit profession at the European level.

Primary objective: furthering the development of corporate governance and internal audit through knowledge sharing, key relationships and oversight of the regulatory environment.

1 a) ECIIA Public Affairs Committee

A new committee with key CAEs from different countries and different sectors.

Coordination Committee (3 Board members, European Research Group Chair, 3 CEOs), covering: EUROSAI, Banking, Insurance.

Stakeholders shown on the slide diagram:

• Industry players: Banking (ECB, EBA), Insurance (EIOPA), Public Sector (EUROSAI) ………..

• General European players: European Parliament, European Commission, Business Europe, European Issuers

• European stakeholder associations: Risk: Ferma; Audit Committee & Board members: ecoDa; External auditors: FEE, ACCA, ICAEW …

1 b) ECIIA MAGAZINE

ECIIA semi-annual magazine: communicating forcefully to our stakeholders and promoting good corporate governance.

1 c) ECIIA publications (published 2010 – 2015; see the ECIIA website www.eciia.eu):

• Guidance on the 8th EU Company Law Directive Article 41 (with FERMA) Parts 1 & 2

• Reinforcing audit committee oversight over global assurance and internal audit

• Corporate Governance Codes on Internal Audit

• Making the most of the internal audit function (with Ecoda)

• The role of internal audit under Solvency II

• Improving cooperation between external and internal audit

• Audit and risk committees (with Ferma)

• Non-financial reporting: building trust with internal audit

1 c) Making the most of the Internal Audit Function: Recommendations for Directors and Board Committees

1. Evaluate the need for establishing an internal audit function when such a function does not exist

2. Assess and approve the internal audit charter

3. Ensure effective communication lines between the Chief Audit Executive and the Board

4. Evaluate the internal audit plan

5. Assess the staffing of the internal audit function

6. Gain assurance regarding the quality of the internal audit function

7. Oversee the relationship between the internal audit function and the organization's centralized Risk monitoring function

8. Coordinate the internal audit function with the work of external audit

9. Assess internal audit reporting

10. Monitor management follow-up of internal audit recommendations


1 c) Audit and Risk Committees: News from EU Legislation and Best Practices (with Ferma)

• Where Risk Committees are established: 10 potential responsibilities for Risk and Audit Committees

• Establishment of a separate Risk Committee for the following reasons:

• Regulatory requirement

• Alignment between risk management and strategy

• Need for a more detailed oversight of the risk management infrastructure (people, process, infrastructure)

• Complexity of the major/critical risks to be assessed

“The challenge for the risk committee Chair, and also the audit committee Chair, is to be constructively critical and to use common sense in advising the Board. The Board needs to trust the committees and also to challenge and ask the right questions.”

HEF Andersson, Board member Gjensidige


2 a) 3 LoD

(Figure; sources: http://www.ferma.eu/ and http://www.eciia.eu/)


2 a) The Three Lines of Defence for risk assurance mapping


2a) Internal audit positioning: application of the 3 lines of defence model

To ensure clarity of roles and responsibilities in organizational governance, the “3 lines of defence” model defines three levels of control:

1st line: Operational management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.

2nd line: Internal governance functions (Group support and control functions) monitor and facilitate the implementation of effective risk management practices by the 1st line and assist risk owners in reporting adequate risk-related information throughout the organization.

3rd line: Internal Audit provides assurance to the Group governing body and senior management on the organization’s effectiveness in assessing and managing its risks and related internal control systems, including the manner in which the 1st and 2nd lines operate.


2 a) Internal auditing positioning

• The 3LoD model has helped articulate internal audit’s role / value

• The new Basel Committee guidelines and the new OECD Corporate Governance guidelines refer to the 3 LoD model

• Encroachment between the 2nd and 3rd lines of defence is occurring

• Audit/oversight fatigue presents challenges and opportunities

• Internal audit can be a leader in coordinating key players


2 a) 3LoD

Are we just defenders or should we be providing more direct assistance to the front line ?

Reserves ? or Cavalry ? Or Scouts – Intelligence – Strategic advisors ?


2 b) Nonfinancial reporting


2 b) Nonfinancial reporting

EU Directive 2014/95/EU on disclosure of non-financial and diversity information by certain large undertakings and groups

- Guidelines to be issued by 2016

- National legislation by 2016, first reporting 2017

- Large companies (> 500 employees) will have to disclose in their management report information on policies, risks and outcomes as regards:

• Environmental matters,

• Social and employee related aspects

• Respect for human rights

• Anti-corruption and bribery issues

• Diversity in the Board

- Significant flexibility for companies to disclose relevant information

- May use international, European or national guidelines


2 b) Some international guidelines

• GRI Sustainability Reporting Guidelines: Reporting Principles, Standard Disclosures and Implementation Manual for the preparation of sustainability reports.

• International reference for disclosure of the governance approach and of environmental, social and economic impacts

• Last update: 5 August 2015

In December 2013 the IIRC released its framework for integrated corporate reporting.

Enhanced integrated reporting

• Published 2015

• Overview of research for those charged with governance and senior management.

• Guide for internal audit and risk practitioners


2 b) Non-financial reporting: building trust with internal audit

• Aim to clarify the different roles that internal audit may play and how it can add value to organizations and assist the Board in the fulfilment of its new duties.

• Describes sustainability in European context

• The roles of the 3 Lines of Defence in collection and preparation of information

• Internal audit’s role depends on the organisation’s maturity

Published by the ECIIA, 2015


2b) Non-financial reporting: building trust with internal audit

• Integrated assurance and the role of internal audit

• Conclusion:

o Internal audit may play various roles: from advisory to assurance or both.

o IA may also assist companies in the implementation of combined assurance.

o It is important that IA’s role and responsibilities are clearly defined

“Internal audit has a crucial role to play… because it is in a unique position to provide a helicopter view of an organisation and help develop a forward-thinking strategy on these issues.”

Thijs Smit, ECIIA Past President

2b) Tax transparency: Internal Audit’s role

• European Commission (EC) consultation on tax transparency.

• Internal auditors could play a key role in the EC’s efforts to improve corporate tax transparency by reviewing organisations’ disclosures to the tax authorities or to the general public.

o “Internal auditors are ideally placed to give assurance over the contents of the disclosure document and the controls governing the processes in place to generate it….”

o “….So we see no need for an external reviewer to check whether the report has been properly compiled and is based on sound data.” Thijs Smit, ECIIA Past President


2 c) Social Media and Cybersecurity


2c) Social media and cybersecurity

• The fastest-growing fraud is impersonation: people obtaining money by pretending to be something or someone they are not.

• Selling customer databases.

• IT is so pervasive in everything we do.

• Start looking at risk from high level - examine policies, plans and business issues

• Network with peers and special interest groups, e.g. ISACA, the ACFE and the security services

• Invest in training


2 d) Role of Internal Audit in the financial sector


“Internal control and internal audit are at the centre of sound management, especially for credit institutions in advanced financial systems….” “..the internal audit function has a vital and prominent role, being responsible for an independent review of the first two lines of defence, and for proactively promoting best practices within the organisation by addressing the existing main weaknesses in the business areas to the management body and asking for prompt remedial actions.”

- Danièle Nouy, Chair of the Supervisory Board of the Single Supervisory Mechanism (SSM)

2 d) EU Banking supervision

• Controls and the internal governance of credit institutions are a key feature of the SSM methodology

• Internal audit has a vital role in ensuring that the overall governance framework is effective, as the 3rd line of defence

• The SSM assesses during the yearly Supervisory Review and Evaluation Process (SREP):

1. How effective and reliable the IA function is.

2. How independent IA is from management.

3. Whether IA has the right resources to do its job.

4. Whether IA has enough power to enforce any remediation actions.

2 d) The Financial Services Code

• Background: the financial crisis – where was internal audit?

• “Effective Internal Audit in the Financial Services Sector”

• Published July 2013 by IIA UK and Ireland

• Produced by an independent committee established by IIA UK and Ireland, consisting of:

o 3 experienced board members

o 1 academic

o 3 CAEs

i.e. internal auditors in a minority.

• Wherever possible, the guidance has attempted to use layman’s language

http://www.iia.org.uk/media/354788/0758_effective_internal_audit_financial_webfinal.pdf

2 d) A. The role of IA in the financial sector

1. The primary role of Internal Audit should be to help the Board and Executive Management protect the organisation’s:

○ Assets

○ Reputation

○ Sustainability.

This is achieved by assessing whether all significant risks are:

○ identified and appropriately reported by management and the Risk function to the Board and Executive Management;

○ adequately controlled;

and by challenging Executive Management to improve the effectiveness of governance, risk management and internal controls.

Less emphasis on adding value more on protecting value

From consulting to challenge

Not just processes but structure

2 d) B. Scope of internal audit

6.d Scope to include the risk and control culture of the organisation.

Assess:

o processes (e.g. appraisal and remuneration)

o actions (e.g. decision making)

o “tone at the top”

and whether these are in line with the values, ethics, risk appetite and policies of the organisation.

Consider the attitude and assess the approach taken by all levels of management to risk management and internal control, including management’s:

o actions taken in addressing known control deficiencies

o regular assessment of controls.

2 d) C. Reporting

8. Reports to the Board and to the Audit and Risk Committees should include:

o a focus on significant control weaknesses and breakdowns together with a robust root-cause analysis;

o any thematic issues identified across the organisation;

o an independent view of Management’s reporting on the risk management of the organisation, including a view on Management’s remediation plans highlighting areas where there are significant delays;

o at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation’s risk profile.

2 d) Effect of the Financial Services Code in the UK

1. Appreciated by Audit Committees

“The audit committee chairs we interviewed have all engaged in developing the role of internal audit, where necessary moving it in line with the Code. They see the Code as an important tool for supporting corporate governance, are embarked on a process of continuous improvement and welcome the improvements in the support they are getting from their internal audit functions. The Code has given them a benchmark against which they can judge the function, and where necessary, they are using it as an agent for change.”

2. Supervisor’s response

The Code was prepared at the suggestion of the financial regulators. The PRA and FCA welcomed it, indicating in their joint press release that, “in exercising their supervisory judgement, the regulators will consider the nature and extent of compliance with the guidance in any assessment of internal audit effectiveness within regulated firms”.

3. Scope of audit work

The Code has also extended the areas where internal audit involvement is seen as critical. The Code recommended that, within an unrestricted scope, internal audit should ensure it covers the seven areas (Corporate governance, The setting of risk appetite, The risk and control culture, Customer treatment, Capital and liquidity risks, Key corporate events and Outcome of processes). As can be seen there has been a significant effect, in particular in the areas of culture (both risk and customer treatment), processes, key corporate events and risk appetite.

4. Resources

In terms of budgets, the change is most noticeable in banking, with 57% experiencing an increase. Larger functions have seen the greatest increase in the seniority or experience of staff.


2d) Banking – Guidelines and response


2 d) EU Insurance supervision

• Guidelines in the Insurance sector:

o EIOPA has issued guidelines for the implementation of Solvency II, e.g. on the use of internal models, the system of governance and own risk and solvency assessment (ORSA), supervisory review processes and the methodology for equivalence assessments

o ECIIA gave comments in August 2014: the guidelines need to be more specific about how the independence of internal audit is to be achieved.

o In 2015 the first set of Solvency II Implementing Regulations was issued, laying down implementing technical standards with regard to, inter alia, internal models

o The second set of Implementing Regulations is expected to be adopted before the end of 2015.

The accompanying Guidelines have been published in all the EU official languages on EIOPA’s website.

2 d) Internal audit’s role under SII

• Article 47 of the Solvency II Directive (2009/138/EC): “The internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance.”

• The role of internal audit under Solvency II (ECIIA, June 2013), contents:

o Introduction

o Does the role of Internal Audit change with Solvency II?

o Solvency II requirements for the Internal Audit function

o The standards of the profession

o Internal Audit’s role in the governance system defined by Solvency II

o Conclusions


2 e) Risk culture

Background in the financial crisis


2 e) Risk culture

Definition

“Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation.”

(Under the Microscope – Guidance for Boards, Institute of Risk Management, 2012)

Auditing cultural indicators – main approaches:

1. Incorporate into each audit (e.g. root cause analysis)

2. Thematic: auditing cultural indicators throughout the organisation (e.g. recruitment, training, performance management and reward)


2 e) Auditing culture

Challenges

• How to gather evidence and demonstrate that the statement of values is reality – that the organisation is walking the talk

• Limitations of surveys and interviews

• Skills and training – surveys, soft skills, root cause analysis, communication

• Written reports – risk of putting management on the defensive or creating a witch hunt

• Is internal audit itself part of the culture?


2 f) Data Privacy


2 f) Data privacy

• Growing area of public concern

• Data Supervisors more active

• Risk of damage to company reputation

• New rules coming

2 f) Data privacy: the current Directive (Data Protection Directive 95/46/EC)

How are the principles understood and applied in your organisation?

Article 6

1. Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes …. (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; …… (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed …………

Article 7

Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or

Article 17 Security of processing

National legislation

2 f) Why the need for change?

• Current directive – weaknesses:

o Not directly binding: a directive must be transposed into national law

o Different levels of implementation and different interpretations

o Unclear in the international context

Replacement: one General Data Protection Regulation

2 f) Current status of the regulation

• 3 draft regulations (Commission, Parliament and Council)

• Timetable: complete discussions and agree one final version by year-end 2015, then a two-year implementation period, therefore applicable from 1 January 2018

https://secure.edps.europa.eu/EDPSWEB/edps/Consultation/Reform_package

2 f) Key elements of the proposed regulation

• Applicability to businesses in third countries targeting EU citizens with their services (Art. 3)

• Right to be forgotten (Art. 17)

• Data portability (Art. 18)

• Responsibility/accountability of the controller (Art. 22): internal control/compliance systems

• Privacy by design/default (Art. 23)

• Commissioned data processing (Art. 26(2)(f)): the processor is liable as if it were the controller if it fails to conform with the controller’s instructions

• Data breach notification to the supervisor within 72 hrs (Art. 31)

• Privacy impact assessment (Art. 33)

• A Group can have a single Data Protection Officer (Art. 35)

• Certifications (Art. 39)

• One-stop shop (Art. 54a): co-ordinated supervision

• European Data Protection Board (Art. 57 and 64)

• Fines / sanctions (Art. 78, 79): administrative sanctions of up to between 2% and 5% of annual revenues, depending on the draft


3. Conclusion

• The world is changing, Europe is changing

• More demands are being made on corporate governance

but the good news is that Internal Audit has a vital role to play in future developments