Trends in European Governance and Internal Audit Martin Stevens CIA, CFSA, CRMA


Agenda
1. The ECIIA
   a) PAC
   b) Magazine
   c) Publications
2. Specific focus areas
   a) 3 LoD and beyond
   b) Integrated reporting
   c) Social media and cyber security
   d) Role of IA in the financial sector
   e) Risk culture
   f) Data privacy
3. Conclusion

1. The ECIIA

1. European Confederation of Institutes of Internal Auditing (ECIIA)
The ECIIA represents the beacon of the Internal Audit profession in the wider geographic area of Europe and the Mediterranean basin: 36 member countries.
Our mission is to promote the Internal Audit profession at the European level.
Primary objective: furthering the development of corporate governance and internal audit through knowledge sharing, key relationships and regulatory environment oversight.

1 a) ECIIA Public Affairs Committee
Coordination Committee (3 Board members, European Research Group Chair, 3 CEOs)
General European players: European Parliament, European Commission, Business Europe, European Issuers
Industry players: Banking (ECB, EBA), Insurance (EIOPA), Public Sector (EUROSAI)
European stakeholder associations: Risk: Ferma; Audit Committee & Board members: ecoda; External auditors: FEE, ACCA, ICAEW
New Committee with key CAEs from different countries and different sectors

1 b) ECIIA magazine
ECIIA semi-annual magazine: forcefully communicating to our stakeholders, promoting good Corporate Governance.

1 c) ECIIA publications (published, see ECIIA website):
- Guidance on the 8th EU Company Law Directive Article 41 (with FERMA), Parts 1 & 2
- Reinforcing audit committee oversight over global assurance and internal audit
- Corporate Governance Codes on Internal Audit
- Making the most of the internal audit function (with Ecoda)
- The role of internal audit under Solvency II
- Improving cooperation between external and internal audit
- Audit and risk committees (with Ferma)
- Non-financial reporting: building trust with internal audit

1 c) Making the most of the Internal Audit Function: Recommendations for Directors and Board Committees
1. Evaluate the need for establishing an internal audit function when such a function does not exist
2. Assess and approve the internal audit charter
3. Ensure effective communication lines between the Chief Audit Executive and the Board
4. Evaluate the internal audit plan
5. Assess the staffing of the internal audit function
6. Gain assurance regarding the quality of the internal audit function
7. Oversee the relationship between the internal audit function and the organization's centralized risk monitoring function
8. Coordinate the internal audit function with the work of external audit
9. Assess internal audit reporting
10. Monitor management follow-up of internal audit recommendations

1 c) Audit and Risk Committees: News from EU Legislation and Best Practices (with Ferma)
Where Risk Committees are established: 10 potential responsibilities for Risk and Audit Committees.
Reasons for establishing a separate Risk Committee:
- Regulatory requirement
- Alignment between risk management and strategy
- Need for more detailed oversight of the risk management infrastructure (people, process, infrastructure)
- Complexity of the major/critical risks to be assessed
"The challenges for the risk committee Chair and also the audit committee Chair are to be constructively critical and use common sense advising the Board. The board needs to trust the committees and also to challenge and ask the right questions." HEF Andersson, Board member, Gjensidige

2 a) 3 LoD
2 a) The Three Lines of Defence for risk assurance mapping

2 a) Internal audit positioning: application of the 3 lines of defence model
To ensure clarity of roles and responsibilities in organizational governance, the 3 lines of defence model defines three levels of control:
1st line: Operational management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.
2nd line: Internal governance functions (Group support and control functions) monitor and facilitate the implementation of effective risk management practices by the 1st line and assist risk owners in reporting adequate risk-related information throughout the organization.
3rd line: Internal Audit provides assurance to the Group governing body and senior management on the organization's effectiveness in assessing and managing its risks and related internal control systems, including the manner in which the 1st and 2nd lines operate.

2 a) Internal audit positioning
- The 3LoD model has helped articulate internal audit's role / value
- The new Basel Committee guidelines and the new OECD Corporate Governance guidelines refer to the 3 LoD model
- Encroachment between the 2nd and 3rd lines of defence is occurring
- Audit/oversight fatigue presents challenges and opportunities
- Internal audit can be a leader in coordinating key players

2 a) 3LoD
Are we just defenders, or should we be providing more direct assistance to the front line? Reserves? Or cavalry? Or scouts / intelligence / strategic advisors?

2 b) Non-financial reporting

2 b) Non-financial reporting
EU Directive 2014/95/EU on disclosure of non-financial and diversity information by certain large undertakings and groups
- Guidelines to be issued by national legislation by 2016, first reporting
Large companies (> 500 employees) will have to disclose in their management report information on policies, risks and outcomes as regards:
- Environmental matters
- Social and employee-related aspects
- Respect for human rights
- Anti-corruption and bribery issues
- Diversity in the Board
- Significant flexibility for companies to disclose relevant information
- May use international, European or national guidelines

2 b) Some international guidelines
GRI Sustainability Reporting Guidelines: Reporting Principles, Standard Disclosures and Implementation Manual for the preparation of sustainability reports. International reference for disclosure of governance approach and of the environmental, social and economic. Last update: 5 August 2015.
The IIRC released its framework of corporate reporting in December 2013.
Enhanced integrated reporting (published 2015): overview of research for those charged with governance and senior management; guide for internal audit and risk practitioners.

2 b) Non-financial reporting: building trust with internal audit
Aim: to clarify the different roles that internal audit may play and how it can add value to organizations and assist the Board in the fulfilment of its new duties.
- Describes sustainability in the European context
- The roles of the 3 Lines of Defence in the collection and preparation of information
- Internal audit's role depends on maturity
Published by ECIIA

2 b) Non-financial reporting: building trust with internal audit
Integrated assurance and the role of internal audit
"Internal audit has a crucial role to play... because it is in a unique position to provide a helicopter view of an organisation and help develop a forward-thinking strategy on these issues." Thijs Smit, ECIIA Past President
Conclusion:
- Internal audit may play various roles: from advisory to assurance, or both.
- IA may also assist companies in the implementation of combined assurance.
- It is important that IA's role and responsibilities are clearly defined.

2 b) Tax transparency: Internal Audit's role
European Commission (EC) consultation on tax transparency. Internal auditors could play a key role in the EC's efforts to improve corporate tax transparency by reviewing organisations' disclosures to the tax authorities or to the general public.
"Internal auditors are ideally placed to give assurance over the contents of the disclosure document and the controls governing the processes in place to generate it... so we see no need for an external reviewer to check whether the report has been properly compiled and is based on sound data." Thijs Smit, ECIIA Past President

2 c) Social media and cybersecurity

2 c) Social media and cybersecurity
- The biggest growing fraud is people obtaining money by pretending to be something/someone else.
- Selling customer databases.
- IT is so pervasive in everything we do.
- Start looking at risk from a high level: examine policies, plans and business issues.
- Network with peers and special interest groups, e.g. ISACA, ACFEs and security services.
- Invest in training.

2 d) Role of Internal Audit in the financial sector
"Internal control and internal audit are at the centre of sound management, especially for credit institutions in advanced financial systems... the internal audit function has a vital and prominent role, being responsible for an independent review of the first two lines of defence, and for proactively promoting best practices within the organisation by addressing the existing main weaknesses in the business areas to the management body and asking for prompt remedial actions." Danièle Nouy, Chair of the Supervisory Board of the Single Supervisory Mechanism (SSM)

2 d) EU banking supervision
- Controls and the internal governance of credit institutions: a key feature of SSM methodology
- Internal audit has a vital role in ensuring the overall governance framework is effective, as 3rd LoD
- The SSM assesses during the yearly Supervisory Review and Evaluation Process:
  1. How effective and reliable IA functions were
  2. How independent IA was from management
  3. Whether IA had the right resources to do its job
  4. Whether IA had enough power to enforce any remediation actions

2 d) The Financial Services Code
Background: the financial crisis; where was internal audit?
Effective Internal Audit in the Financial Services Sector, published July 2013 by IIA UK and Ireland
Produced by an independent committee established by IIA UK and Ireland, consisting of:
- 3 experienced board members
- 1 academic
- 3 CAEs
i.e. internal auditors in a minority. Wherever possible, the guidance has attempted to use layman's language.

2 d) A. The role of IA in the financial sector
1. The primary role of Internal Audit should be to help the Board and Executive Management protect the organisation's:
- Assets
- Reputation
- Sustainability
Achieved by assessing whether all significant risks identified and appropriately reported by management and the Risk function to the Board and Executive Management are adequately controlled, and by challenging Executive Management to improve the effectiveness of governance, risk management and internal controls.
Less emphasis on adding value, more on protecting value. From consulting to challenge. Not just processes but structure.

2 d) B. Scope of internal audit
6.d Scope to include the risk and control culture of the organisation. Assess:
- processes (e.g. appraisal and remuneration)
- actions (e.g. decision making)
- tone at the top
Whether these are in line with the values, ethics, risk appetite and policies of the organisation.
Consider the attitude and assess the approach taken by all levels of management to risk management and internal control, including management's:
- actions taken in addressing known control deficiencies
- regular assessment of controls

2 d) C. Reporting
8. Reports to the Board, Audit and Risk Committees should include:
- a focus on significant control weaknesses and breakdowns, together with a robust root-cause analysis;
- any thematic issues identified across the organisation;
- an independent view of Management's reporting on the risk management of the organisation, including a view on Management's remediation plans, highlighting areas where there are significant delays;
- at least annually, an assessment of the overall effectiveness of the governance, and risk and control framework of the organisation, together with an analysis of themes and trends emerging from Internal Audit work and their impact on the organisation's risk profile.

2 d) Effect of the Financial Services Code in the UK
1. Appreciated by Audit Committees
The audit committee chairs we interviewed have all engaged in developing the role of internal audit, where necessary moving it in line with the Code. They see the Code as an important tool for supporting corporate governance, are embarked on a process of continuous improvement and welcome the improvements in the support they are getting from their internal audit functions. The Code has given them a benchmark against which they can judge the function, and where necessary, they are using it as an agent for change.
2. Supervisors' response
The Code was prepared at the suggestion of the financial regulators. The PRA and FCA welcomed it, indicating in their joint press release that, in exercising their supervisory judgement, the regulators will consider the nature and extent of compliance with the guidance in any assessment of internal audit effectiveness within regulated firms.
3. Scope of audit work
The Code has also extended the areas where internal audit involvement is seen as critical. The Code recommended that, within an unrestricted scope, internal audit should ensure it covers the seven areas (corporate governance, the setting of risk appetite, the risk and control culture, customer treatment, capital and liquidity risks, key corporate events and outcome of processes). As can be seen, there has been a significant effect, in particular in the areas of culture (both risk and customer treatment), processes, key corporate events and risk appetite.
4. Resources
In terms of budgets, the change is most noticeable in banking, with 57% experiencing an increase. Larger functions have seen the greatest increase in the seniority or experience of staff.

2 d) Banking guidelines and response

2 d) EU insurance supervision
Guidelines in the insurance sector:
- EIOPA has issued guidelines for the implementation of Solvency II, e.g. use of internal models, system of governance and own risk and solvency assessment (ORSA), supervisory review processes and methodology for equivalence assessments
- ECIIA gave comments in August: need to be more specific about how the independence of internal audit is to be achieved
- 2015: the first set of Solvency II Implementing Regulations was issued, laying down implementing technical standards with regard to, inter alia, internal models
- The second set of Implementing Regulations is expected to be adopted before the end of
- The accompanying Guidelines have been published in all the EU official languages on EIOPA's website

2 d) Internal audit's role under SII
Article 45: "The internal audit function shall include an evaluation of the adequacy and effectiveness of the internal control system and other elements of the system of governance."
The role of internal audit under Solvency II, ECIIA, June 2013:
- Introduction
- Does the role of Internal Audit change with Solvency II?
- Solvency II requirements for the Internal Audit function
- The standards of the profession
- Internal Audit's role in the governance system defined by Solvency II
- Conclusions


2 e) Risk culture
Background: the financial crisis

2 e) Culture and the role of Internal Audit
Internal audit's role: assess
- Processes
- Actions
- Tone at the top
Are they in sync with:
- Values
- Ethics
- Risk appetite
- Policies

2 e) Risk culture
Definition: "Risk culture is a term describing the values, beliefs, knowledge and understanding about risk shared by a group of people with a common purpose, in particular the employees of an organisation or of teams or groups within an organisation." (Under the Microscope: Guidance for Boards, Institute of Risk Management, 2012)
Auditing cultural indicators, main approaches:
1. Incorporate into each audit (e.g. root cause analysis)
2. Thematic: auditing cultural indicators throughout the organisation (e.g. recruitment, training, performance management and reward)

2 e) Auditing culture: challenges
- How to gather evidence and demonstrate that the statement of values is reality, that the organisation is walking the talk
- Limitations of surveys and interviews
- Skills and training: surveys, soft skills, root cause analysis, communication
- Written reports: risk of putting management on the defensive or creating a witch hunt
- Is internal audit itself part of the culture?

2 f) Data privacy
- Growing area of public concern
- Data supervisors more active
- Risk of damage to company reputation
- New rules coming

2 f) Data privacy: national legislation
How are the principles understood and applied in your organisation?
Article 6
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.
Article 7
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
Article 17: Security of processing

2 f) Why the need for change?
Current directive: weaknesses
- Not 100% binding
- Different levels of implementation and different interpretations
- Unclear in the international context
One General Data Privacy Regulation

2 f) Current status of regulation
3 draft regulations (Commission, Parliament and Council)
/EDPSWEB/edps/Consultation/ Reform_package

2 f) Key elements of the proposed regulation
- Applicability to businesses in third countries targeting EU citizens with their services (Art. 3)
- Right to be forgotten (Art. 17)
- Data portability (Art. 18)
- Responsibility/accountability of the controller (Art. 22): IC/compliance systems
- Privacy by design/default (Art. 23)
- Commissioned data processing (Art f): processor liable (as if controller) if it fails to conform with instructions
- Data breach notification to the supervisor within 72 hrs (Art. 31)
- Privacy impact assessment (Art. 33)
- A Group can have a single Data Protection Officer (Art. 35)
- Certifications (Art. 39)
- One-stop shop (Art. 54a): co-ordinated supervision
- European Data Protection Board (Art. 57 and 64)
- Fines / sanctions (Art. 78, 79): administrative sanctions up to between 2 and 5% of annual revenues

3. Conclusion
The world is changing, Europe is changing. More demands are being made on corporate governance, but the good news is that Internal Audit has a vital role to play in future developments.