Enhancing governance through internal audit www.eciia.eu
Trends in European Governance and Internal Audit
Martin Stevens CIA, CFSA, CRMA
Trends in European Governance and Internal Audit
1. The ECIIA
   a) PAC
   b) Magazine
   c) Publications
2. Specific focus areas
   a) 3 LoD and beyond
   b) Integrated reporting
   c) Social media and cyber security
   d) Role of IA in the financial sector
   e) Risk culture
   f) Data privacy
3. Conclusion
1. The ECIIA
1. European Confederation of Institutes of Internal Auditing (ECIIA)
The ECIIA represents the beacon of the Internal Audit profession in the wider geographic area of Europe and the Mediterranean basin:
• 36 countries
• 40.000 members
Our mission is to promote the Internal Audit profession at the European level.
Primary objective: furthering the development of corporate governance and internal audit through knowledge sharing, key relationships and regulatory environment oversight.
1 a) ECIIA Public Affairs Committee
New Committee with Key CAEs from different countries and different sectors
Coordination Committee (3 Board members, European Research Group Chair, 3 CEOs)
- EUROSAI
- Banking
- Insurance
Industry Players: Banking (ECB, EBA), Insurance (EIOPA), Public Sector (EUROSAI) ...
General European Players: European Parliament, European Commission, Business Europe, European Issuers
European Stakeholder Associations: Risk: Ferma; Audit Committee & Board members: ecoDa; External auditors: FEE, ACCA, ICAEW ...
1 b) ECIIA Magazine
ECIIA semi-annual magazine: forcefully communicating to our stakeholders, promoting good Corporate Governance.
1 c) ECIIA publications (published 2010 – 2015; see ECIIA website www.eciia.eu):
• Guidance on the 8th EU Company Law Directive Article 41 (with FERMA) Parts 1 & 2
• Reinforcing audit committee oversight over global assurance and internal audit
• Corporate Governance Codes on Internal Audit
• Making the most of the internal audit function (with Ecoda)
• The role of internal audit under Solvency II
• Improving cooperation between external and internal audit
• Audit and risk committees (with Ferma)
• Non-financial reporting: building trust with internal audit
1 c) Making the most of the Internal Audit Function: Recommendations for Directors and Board Committees
1. Evaluate the need for establishing an internal audit function when such a function does not exist
2. Assess and approve the internal audit charter
3. Ensure effective communication lines between the Chief Audit Executive and the Board
4. Evaluate the internal audit plan
5. Assess the staffing of the internal audit function
6. Gain assurance regarding the quality of the internal audit function
7. Oversee the relationship between the internal audit function and the organization's centralized Risk monitoring function
8. Coordination of the internal audit function with the work of external audit
9. Assess internal audit reporting
10. Monitor management follow-up of internal audit recommendations
1 c) Audit and Risk Committees: News from EU Legislation and Best Practices (with Ferma)
• Where Risk Committees are established: 10 potential responsibilities for Risk and Audit Committees
• Establishment of a separate Risk Committee for the following reasons:
  o Regulatory requirement
  o Alignment between risk management and strategy
  o Need for a more detailed oversight of the risk management infrastructure (people, process, infrastructure)
  o Complexity of the major/critical risks to be assessed
“The challenges for risk committee Chair and also audit committee Chair are to be constructively critical and use common sense advising the Board. The board needs to trust the committees and also to challenge and ask the right questions.”
HEF Andersson, Board member Gjensidige
2 a) 3 LoD
2 a) 3LoD (figure; see http://www.ferma.eu/ and http://www.eciia.eu/)
2 a) The Three Lines of Defence for risk assurance mapping (figure)
2 a) Internal audit positioning: application of the 3 lines of defence model
To ensure clarity of roles and responsibilities in organizational governance, the “3 lines of Defence” model defines three levels of control:
1st line: Operational management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.
2nd line: Internal governance functions (Group support and control functions) monitor and facilitate the implementation of effective risk management practices by the 1st line and assist risk owners in reporting adequate risk-related information throughout the organization.
3rd line: Internal Audit provides assurance to the Group governing body and senior management on the organization’s effectiveness in assessing and managing its risks and related internal control systems, including the manner in which the 1st and 2nd lines operate.
2 a) Internal auditing positioning
• The 3LoD model has helped articulate internal audit’s role / value
• The new Basel Committee guidelines, and the new OECD Corporate Governance guidelines refer to the 3 LoD model
• Encroachment between 2nd and 3rd lines of defense is occurring
• Audit/oversight fatigue presents challenges and opportunities
• Internal audit can be a leader in coordinating key players
2 a) 3LoD
Are we just defenders, or should we be providing more direct assistance to the front line?
Reserves? Or cavalry? Or scouts – intelligence – strategic advisors?
2 b) Non-financial reporting
EU Directive 2014/95/EU on disclosure of non-financial and diversity information by certain large undertakings and groups
- Guidelines to be issued by 2016
- National legislation by 2016, first reporting 2017
- Large companies (> 500 employees) will have to disclose in their management report information on policies, risks and outcomes as regards:
• Environmental matters,
• Social and employee related aspects
• Respect for human rights
• Anti-corruption and bribery issues
• Diversity in the Board
- Significant flexibility for companies to disclose relevant information
- May use international, European or national guidelines
2 b) Some international guidelines
• GRI Sustainability Reporting Guidelines: Reporting Principles, Standard Disclosures and Implementation Manual for the preparation of sustainability reports.
• International reference for disclosure of governance approach and of the environmental, social and economic dimensions
• Last update: 5 August 2015
The IIRC released in December 2013 its framework of corporate reporting.
Enhanced integrated reporting
• Published 2015
• Overview of research for those charged with governance and senior management.
• Guide for internal audit and risk practitioners
2 b) Non-financial reporting: building trust with internal audit (published ECIIA 2015)
• Aim: to clarify the different roles that internal audit may play and how it can add value to organizations and assist the Board in the fulfilment of its new duties.
• Describes sustainability in the European context
• The roles of the 3 Lines of Defence in collection and preparation of information
• Internal audit’s role dependent on maturity
2 b) Non-financial reporting: building trust with internal audit
• Integrated assurance and the role of internal audit
• Conclusion:
  o Internal audit may play various roles: from advisory to assurance, or both.
  o IA may also assist companies in the implementation of combined assurance.
  o It is important that IA’s role and responsibilities are clearly defined.
“Internal audit has a crucial role to play, because it is in a unique position to provide a helicopter view of an organisation and help develop a forward-thinking strategy on these issues.” Thijs Smit, ECIIA Past President
2 b) Tax transparency
Internal Audit’s role
• European Commission (EC) consultation on tax transparency.
• Internal auditors could play a key role in the EC’s efforts to improve corporate tax transparency by reviewing organisations’ disclosures to the tax authorities, or to the general public.
  o “Internal auditors are ideally placed to give assurance over the contents of the disclosure document and the controls governing the processes in place to generate it….”
  o “….So we see no need for an external reviewer to check whether the report has been properly compiled and is based on sound data.” Thijs Smit, ECIIA Past President
2 c) Social media and cybersecurity
• The biggest growing fraud is people obtaining money by pretending to be something or someone else.
• Selling customer databases.
• IT is so pervasive in everything we do.
• Start looking at risk from high level - examine policies, plans and business issues
• Network with peers and special interest groups e.g. ISACA and ACFEs and Security Services
• Invest in training
2 d) Role of Internal Audit in the financial sector
“Internal control and internal audit are at the centre of sound management, especially for credit institutions in advanced financial systems….” “..the internal audit function has a vital and prominent role, being responsible for an independent review of the first two lines of defence, and for proactively promoting best practices within the organisation by addressing the existing main weaknesses in the business areas to the management body and asking for prompt remedial actions.”
- Danièle Nouy, Chair of the Supervisory Board of the Single Supervisory Mechanism (SSM)
2 d) EU Banking supervision
• Controls and the internal governance of credit institutions are a key feature of SSM methodology
• Internal audit has a vital role in ensuring the overall governance framework is effective – as 3rd LoD
• SSM assesses during the yearly Supervisory Review and Evaluation Process:
  1. How effective and reliable IA functions were.
  2. How independent IA was from management.
  3. Whether IA had the right resources to do its job.
  4. Whether IA had enough power to enforce any remediation actions.
2 d) The Financial Services Code
• Background: the financial crisis – where was internal audit?
• “Effective Internal Audit in the Financial Services Sector”
• Published July 2013 by IIA UK and Ireland
• Produced by an independent committee established by IIA UK and Ireland, consisting of:
  o 3 experienced board members
  o 1 academic
  o 3 CAEs
  i.e. internal auditors in a minority.
• Wherever possible, the guidance has attempted to use layman’s language
http://www.iia.org.uk/media/354788/0758_effective_internal_audit_financial_webfinal.pdf
2 d) A. The role of IA in the financial sector
1. The primary role of Internal Audit should be to help the Board and Executive Management protect the organisation’s:
  ○ Assets
  ○ Reputation
  ○ Sustainability.
Achieved by assessing whether all significant risks are:
  ○ identified and appropriately reported by management and the Risk function to the Board and Executive Management;
  ○ adequately controlled;
and by challenging Executive Management to improve the effectiveness of governance, risk management and internal controls.
Less emphasis on adding value, more on protecting value
From consulting to challenge
Not just processes but structure
2 d) B. Scope of internal audit
6.d Scope to include the risk and control culture of the organisation.
Assess:
  o processes (e.g. appraisal and remuneration)
  o actions (e.g. decision making)
  o “tone at the top”
whether in line with the values, ethics, risk appetite and policies of the organisation.
Consider attitude and assess the approach taken by all levels of management to risk management and internal control, including management’s:
  o actions taken in addressing known control deficiencies
  o regular assessment of controls.
2 d) C. Reporting
8. Reports to the Board, Audit and Risk Committees should include:
o a focus on significant control weaknesses and breakdowns together with a robust root-cause analysis;
o any thematic issues identified across the organisation;
o an independent view of Management’s reporting on the risk management of the organisation, including a view on Management’s remediation plans highlighting areas where there are significant delays;
o at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation’s risk profile.
2 d) Effect of financial services code in UK
1. Appreciated by Audit Committees “The audit committee chairs we interviewed have all engaged in developing the role of internal audit, where necessary moving it in line with the Code. They see the Code as an important tool for supporting corporate governance, are embarked on a process of continuous improvement and welcome the improvements in the support they are getting from their internal audit functions. The Code has given them a benchmark against which they can judge the function, and where necessary, they are using it as an agent for change.”
2. Supervisor’s response The Code was prepared at the suggestion of the financial regulators. The PRA and FCA welcomed it, indicating in their joint press release that, “in exercising their supervisory judgement, the regulators will consider the nature and extent of compliance with the guidance in any assessment of internal audit effectiveness within regulated firms”.
3. Scope of audit work The Code has also extended the areas where internal audit involvement is seen as critical. The Code recommended that, within an unrestricted scope, internal audit should ensure it covers the seven areas (Corporate governance, The setting of risk appetite, The risk and control culture, Customer treatment, Capital and liquidity risks, Key corporate events and Outcome of processes). As can be seen, there has been a significant effect, in particular in the areas of culture (both risk and customer treatment), processes, key corporate events and risk appetite.
4. Resources In terms of budgets, the change is most noticeable in banking, with 57% experiencing an increase. Larger functions have seen the greatest increase in the seniority or experience of staff.
2 d) Banking – Guidelines and response (figure)
2 d) EU Insurance supervision
• Guidelines in the Insurance sector:
  o EIOPA has issued guidelines for the implementation of Solvency II, e.g. use of internal models, system of governance and own risk and solvency assessment (ORSA), supervisory review processes and methodology for equivalence assessments
  o ECIIA gave comments in August 2014 – need to be more specific about how the independence of internal audit is to be achieved.
  o 2015: issued the first set of Solvency II Implementing Regulations laying down implementing technical standards with regard to, inter alia, internal models
  o The second set of Implementing Regulations is expected to be adopted before the end of 2015.
The accompanying Guidelines have been published in all the EU official languages on EIOPA's website.
2 d) Internal audit’s role under SII
• Article 45: The internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance.
• The role of internal audit under Solvency II – ECIIA June 2013
  o Introduction
  o Does the role of Internal Audit change with Solvency II?
  o Solvency II requirements for the Internal Audit function
  o The standards of the profession
  o Internal Audit’s role in the governance system defined by Solvency II
  o Conclusions
2 e) Risk culture
Background in the financial crisis
2 e) Culture and the role of Internal Audit
Internal audit’s role
- Processes – Actions – Tone at the top
- Values – Ethics – Risk Appetite – Policies
Are they in sync?
http://www.iia.org.uk/policy/culture-and-the-role-of-internal-audit/
2 e) Risk culture
Definition
“Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation.”
(Under the Microscope – Guidance for Boards, Institute of Risk Management, 2012)
Auditing cultural indicators – main approaches:
1. Incorporate into each audit (e.g. root cause analysis)
2. Thematic – auditing cultural indicators throughout the organisation (e.g. recruitment, training, performance management and reward)
2 e) Auditing culture
Challenges
• How to gather evidence and demonstrate that statement of values is reality – that the organisation is walking the talk
• Limitations of surveys and interviews
• Skills and training – surveys, soft skills, root cause analysis, communication
• Written reports – risk of putting management on defensive or creating a witch hunt
• Internal audit part of the culture?
2 f) Data privacy
• Growing area of public concern
• Data Supervisors more active
• Risk of damage to company reputation
• New rules coming
2 f) Data privacy
How are the principles understood and applied in your organisation?
Article 6
1. Member States shall provide that personal data must be: (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes …. (c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed; (d) accurate and, where necessary, kept up to date; …… (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed …………
Article 7
Member States shall provide that personal data may be processed only if: (a) the data subject has unambiguously given his consent; or (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or (c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
Article 17 Security of processing
National legislation
2 f) Why is change needed?
• Current directive - weaknesses
o Not 100% binding
o Different levels of implementation and different interpretations
o Unclear in international context
One General Data Privacy Regulation
2 f) Current status of regulation
• 3 draft regulations (Commission, Parliament and Council)
• Timetable: complete discussions and agree on one final version by YE 2015, then a 2-year implementation period, therefore applicable from 1st January 2018
https://secure.edps.europa.eu/EDPSWEB/edps/Consultation/Reform_package
2 f) Key elements of proposed regulation
• Applicability to businesses in third countries targeting EU citizens with their services (Art. 3)
• Right to be forgotten (Art. 17)
• Data portability (Art. 18)
• Responsibility/accountability of controller (Art. 22) - IC/compliance systems
• Privacy by design/default (Art. 23)
• Commissioned data processing (Art. 26 2.f) processor liable (as if controller) if fails to conform with instructions
• Data breach notification to supervisor within 72 hrs. (Art. 31)
• Privacy impact assessment (Art. 33)
• For a Group can have single Data Protection Officer (Art. 35)
• Certifications (Art. 39)
• One-stop shop (Art. 54a) co-ordinated supervision
• European Data Protection Board (Art. 57 and 64)
• Fines / sanctions (Art. 78, 79): administrative sanctions up to between 2 and 5% of annual revenues
3. Conclusion
• The world is changing, Europe is changing
• More demands are being made on corporate governance
but the good news is that Internal Audit has a vital role to play in future developments.