EBA GL 44. Wording Amendments / Additions suggested. Amendment/Comment # / page


ECIIA comments on GL 44, May 2016

Columns of the comment table: Amendment/Comment # | page | EBA GL 44 wording | Wording Amendments / Additions suggested

Page 4f, paragraph 8
EBA GL 44: 8. The fourth chapter on Internal Control includes the section entitled "The role of Chief Risk Officer and the risk management function" stemming from the High Level Principles on Risk Management and is aimed at ensuring the proper staffing of the control function, as one weakness identified in the CEBS survey mentioned above was that the control functions were not given sufficient resources to fulfil their duties. The principles also deal with the issue of unapproved exposures, aimed at implementing adequate processes for monitoring the set limits and taking appropriate actions where necessary. 9. The fifth chapter
Suggested wording: 8. The fourth chapter on Internal Control Framework starts with a description of the Three Lines of Defence model. The chapter includes the section entitled "The role of Chief Risk Officer and the risk management function" stemming from the High Level Principles on Risk Management and is aimed at ensuring the proper staffing of the control function, as one weakness identified in the CEBS survey mentioned above was that the control functions were not given sufficient resources to fulfil their duties. The principles also deal with the issue of unapproved exposures, aimed at implementing adequate processes for monitoring the set limits and taking appropriate actions where necessary. The section "Internal Audit Function" describes the role of Internal Audit as the third line of defence and as such - even though being a part of the overall Internal Control Framework itself - independently auditing the control functions of the first and second line of defence. 9. The fifth chapter

Page 8, paragraph 23
EBA GL 44: 23. The EBA's predecessor, the CEBS, had already addressed some of the most significant issues arising from the financial crisis within its High Level Principles on Remuneration published in April 2009 and in its High Level Principles on Risk Management published in February 2010. However, taking into account the findings of its 2009 survey and recent work by other European and international bodies on corporate governance (especially the Basel Committee's Principles for enhancing corporate governance), the EBA saw merit in enhancing these High Level Principles. Accordingly, guidelines concerning the functioning and composition of the management body as well as the qualifications, appointment and succession of its members, as well as improved principles dealing with the Risk Control function, were added.
Suggested wording: 23. The EBA's predecessor, the CEBS, had already addressed some of the most significant issues arising from the financial crisis within its High Level Principles on Remuneration published in April 2009 and in its High Level Principles on Risk Management published in February 2010. However, taking into account the findings of its 2009 survey and recent work by other European and international bodies on corporate governance (especially the Basel Committee's Principles for enhancing corporate governance), the EBA saw merit in enhancing these High Level Principles. Accordingly, guidelines concerning the functioning and composition of the management body as well as the qualifications, appointment and succession of its members, as well as improved principles dealing with the Risk Control function and the Internal Audit Function were added.

Page 10, paragraph 30
EBA GL 44: 30. Internal governance includes all standards and principles concerned with setting an institution's objectives, strategies, and risk tolerance/appetite; how its business is organised; how responsibilities and authority are allocated; how reporting lines are set up and what information they convey; and how internal control is organised. Internal governance also encompasses sound IT systems, outsourcing arrangements and business continuity management.
Suggested wording: 30. Internal governance includes all standards and principles concerned with setting an institution's objectives, strategies, and risk tolerance/appetite; how its business is organised; how responsibilities and authority are allocated; how reporting lines are set up and what information they convey; and how internal control is organised, monitored and audited. Internal governance also encompasses sound IT systems, outsourcing arrangements and business continuity management.

Page 10, paragraph 33
EBA GL 44: 33. The Guideline is consistent with the three-lines-of-defence model. The first line of defence provides that an institution should have in place effective processes to identify, measure or assess, monitor, mitigate and report on risks. These processes are referred to as Risk Management.
Suggested wording: 33. The Guideline is consistent with the three-lines-of-defence model, all three lines of which form the Internal Control Framework of an organization. The first line of defence provides that an institution should have in place effective processes to identify, measure or assess, monitor, mitigate and report on risks. These processes are referred to as Risk Management.

Page 11, paragraph 34
EBA GL 44: 34. An institution should as a second line of defence have an appropriate Internal Control framework to develop and maintain systems that ensure: effective and efficient operations; adequate control of risks; prudent conduct of business; reliability of financial and non-financial information reported or disclosed (both internally and externally); and compliance with laws, regulations, supervisory requirements and the institution's internal policies and procedures. The Internal Control framework should cover the whole organisation, including the activities of all business, support and control units. The third line of defence consists of the internal audit function, which provides an independent review of the first two lines of defence.
Suggested wording: 34. An institution should as a second line of defence have an appropriate control and monitoring framework to develop and maintain systems that ensure: effective and efficient operations; adequate control of risks; prudent conduct of business; reliability of financial and non-financial information reported or disclosed (both internally and externally); and compliance with laws, regulations, supervisory requirements and the institution's internal policies and procedures. The Internal Control framework should cover the whole organisation, including the activities of all business, support, control and audit units. 35. The third line of defence is the internal audit function, which provides an independent review of the first two lines of defence.

Page 11, paragraph 35
EBA GL 44: 35. In assessing the efficiency of Internal Control within an institution, the management body should be able to rely on the work of control functions, including the Risk Control function, the Compliance function and the Internal Audit function. These control functions should be organisationally independent from the units they control.
Suggested wording: 36. In assessing the efficiency of the Internal Control Framework within an institution, the management body should be able to rely on the work of control functions, including the Risk Control function and the Compliance function. These control functions should be organisationally independent from the units they control. Furthermore, in assessing the efficiency and effectiveness of the Internal Control Framework the management body should be able to rely on the functionality and results of the Internal Audit Function as the third line of defence.

Pages 14/15, table of contents
EBA GL 44:
D. Internal control ... 37
24. Internal control framework ... 37
25. Risk Control function (RCF) ... 38
26. The Risk Control Function's role ... 39
RCF's role in strategy and decisions ... 39
RCF's role in transactions with related parties ... 40
RCF's role in complexity of the legal structure ... 40
RCF's role in material changes ... 40
RCF's role in measurement and assessment ... 40
RCF's role in monitoring ... 41
RCF's role in unapproved exposures ... 41
27. Chief Risk Officer ... 42
28. Compliance function ... 43
29. Internal Audit function ... 43
E. Information systems and business continuity ... 44
Suggested wording:
D. Internal Control Framework
24. The Three Lines of Defence model
25. Internal control framework
26. Chief Risk Officer
27. The Risk Control Function (RCF)
28. The Risk Control Function's Role
RCF's role in strategy and decisions
RCF's role in transactions with related parties
RCF's role in complexity of the legal structure
RCF's role in material changes
RCF's role in measurement and assessment
RCF's role in monitoring
RCF's role in unapproved exposures
29. Compliance function
30. Internal Audit function
E. Information systems and business continuity

Page 19, paragraph 4
EBA GL 44: 4. The management body of an institution's parent company should ensure the different group entities (including the institution itself) receive enough information for all of them to get a clear perception of the general aims and risks of the group. Any flow of significant information between entities relevant to the group's operational functioning should be documented and made accessible promptly, when requested, to the management body, the control functions and supervisors, as appropriate.
Suggested wording: 4. The management body of an institution's parent company should ensure the different group entities (including the institution itself) receive enough information for all of them to get a clear perception of the general aims and risks of the group. Any flow of significant information between entities relevant to the group's operational functioning should be documented and made accessible promptly, when requested, to the management body, the control functions, the Internal Audit function and supervisors, as appropriate.

Page 22, item h
EBA GL 44: h. an adequate and effective internal control framework, that includes well-functioning Risk Control, Compliance and Internal Audit functions as well as an appropriate financial reporting and accounting framework.
Suggested wording: h. an adequate and effective Internal Control Framework, that includes well-functioning Risk Control, Compliance and Internal Audit functions as well as an appropriate financial and supervisory reporting and accounting framework.

Page 22, section 10, paragraph 1
EBA GL 44: 10. Management and supervisory functions of the management body. 1. The management and supervisory function of the management body of an institution shall interact effectively. Explanatory note
Suggested wording: 10. Management and supervisory functions of the management body. 1. The management and supervisory function of the management body of an institution shall interact effectively. They are expected to set the right tone at the top to ensure an appropriate risk culture which includes support for, and acceptance of, Internal Audit at all levels of the institution. Explanatory note

Page 22, explanatory note
EBA GL 44: The supervisory function oversees the management function and provides advice to it. Its oversight role consists in providing constructive challenge when developing the strategy of an institution; monitoring of the performance of the management function and the realisation of agreed goals and objectives; and ensuring the integrity of the financial information and effective risk management and internal controls.
Suggested wording: The supervisory function oversees the management function and provides advice to it. Its oversight role consists in providing constructive challenge when developing the strategy of an institution; monitoring of the performance of the management function and the realisation of agreed goals and objectives; and ensuring the integrity of the financial and supervisory reporting, an effective risk management and internal controls and the Internal Audit Function.

Page 22, paragraph 4
EBA GL 44: 4. Each function should
Suggested wording: 4. The management body should appoint a suitable head of the Internal Audit Function (IAF), evaluate the adequacy of the IAF in accordance with national and international professional standards and reassess to what extent the IAF's reviews cover the whole range of activities of an institution, including the risk appetite framework elements. 5. Each function should

Page 37, section D
EBA GL 44: D. Internal control
Suggested wording: D. Internal Control Framework

Page 37, paragraph 24
EBA GL 44: 24. Internal control framework
Suggested wording: 24. The Three Lines of Defence model
NB: Senior Management = Management body in its management function, and Governing Body / Audit Committee = Management body in its supervisory function.
FOR EBA: THE FOLLOWING MIGHT BE SHORTENED IF DEEMED NECESSARY:
The Three Lines of Defence model provides a simple and effective way, regardless of size or complexity, to assign specific roles and to coordinate effectively and efficiently among risk and control functions so that there are neither gaps in controls nor unnecessary duplications of coverage by clarifying essential roles and duties. Management control is the first line of defence in risk management, the various risk control and compliance oversight functions established by management are the second line of defence, and independent assurance is the third. Each of these three lines plays a distinct role within the organization's wider governance framework.
The Three Lines of Defence model distinguishes among three groups (or lines) involved in effective risk management:
1. Functions that own and manage risks.
2. Functions that oversee risks.
3. Functions that provide independent assurance.
1. As the first line of defence, operational managers own and manage risks. They also are responsible for implementing corrective actions to address process and control deficiencies. Operational management is responsible for maintaining effective internal controls and for executing risk and control procedures on a day-to-day basis. Operational management identifies, assesses, controls, and mitigates risks, guiding the development and implementation of internal policies and procedures and ensuring that activities are consistent with goals and objectives. Through a cascading responsibility structure, mid-level managers design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.
Explanatory note: In a perfect world, perhaps only one line of defence would be needed to assure effective risk management. In the real world, however, a single line of defence often can prove inadequate.
2. Management establishes various risk management and compliance functions to help build and/or monitor the first line-of-defence controls. Typical functions in this second line of defence include: a risk management function (and/or committee) that facilitates and monitors the implementation of effective risk management practices by operational management and assists risk owners in defining the target risk exposure and reporting adequate risk-related information throughout the organization; a compliance function to monitor various specific risks such as non-compliance with applicable laws and regulations.
Explanatory note: Management establishes these functions to ensure the first line of defence is properly designed, in place, and operating as intended. Each of these functions has some degree of independence from the first line of defence, but they are by nature management functions. As management functions, they may intervene directly in modifying and developing the internal control and risk systems. Therefore, the second line of defence serves a vital purpose regarding risk management and internal controls.
3. Internal auditors provide the governing body and senior management with reasonable assurance based on the highest level of independence and objectivity within the organization. Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defence achieve risk management and control objectives.

Page 37, paragraph 24, sub-paragraph 1
EBA GL 44: 24. Internal control framework. 1. An institution shall
Suggested wording: 25. Internal control framework. 1. An institution shall

Page 38
EBA GL 44: 25. Risk Control function (RCF)
Suggested wording: 27. Risk Control Function (RCF)

Page 39
EBA GL 44: 26. The Risk Control Function's role
Suggested wording: 28. The Risk Control Function's role

Page 42
EBA GL 44: 27. Chief Risk Officer. 1. An institution shall...
Suggested wording: 26. Chief Risk Officer. 1. An institution shall

Page 43
EBA GL 44: 28. Compliance Function
Suggested wording: 29. Compliance Function

Comment 13, pages 43f
EBA GL 44: 29. Internal Audit function
Suggested wording: 30. Internal Audit function

Page 44
EBA GL 44: 29. Internal Audit Function. 1. The Internal Audit Function
Suggested wording: 30. Internal Audit Function (IAF). Explanatory Note: The following specific rules, regulations, guidelines and advices should apply for the Internal Audit Function: The Internal Audit Function in Banks, Basle Committee on Banking Supervision, June 2012; Corporate governance principles for banks, Basle Committee on Banking Supervision, July 2015; Speech of Danièle Nouy, Chair of the Supervisory Board of the Single Supervisory Mechanism, at the European Confederation of Institutes of Internal Auditing (ECIIA) conference, Paris, 22 September 2015; SSM Framework Regulation, published by ECB on 14 May 2014; International Standards for the Professional Practice of Internal Auditing, The Institute of Internal Auditors, newest edition. 1. The Internal Audit Function

Page 44, paragraph 1
EBA GL 44: 1. The Internal Audit function ("IAF") shall assess whether the quality of an institution's internal control framework is both effective and efficient.
Suggested wording: 1. As part of their mission to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight, the Internal Audit function shall assess whether the quality of an institution's internal control framework is both effective and efficient. If, in exceptional cases, the Internal Audit function may have roles and/or responsibilities that fall outside of internal auditing, safeguards must be in place to avoid impairments to independence or objectivity.

Page 44, paragraph 2
EBA GL 44: 2. The IAF should have unfettered access to relevant documents and information in all operational and control units.
Suggested wording: 2. The IAF is expected to have unfettered access to all documents and information being relevant to the fulfilment of its duties.

Page 44, paragraph 5
EBA GL 44: 5. The management body should encourage the internal auditors to adhere to national and international professional standards. Internal audit work should be performed in accordance with an audit plan and detailed audit programs following a risk-based approach. The audit plan should be approved by the audit committee and/or the management body. Explanatory note: An example of professional standards referred to here is that of the standards established by the Institute of Internal Auditors.
Suggested wording: 5. The Chief Audit Executive is expected to be at a senior enough level within the institution (normally expected to be at management body level likewise CFO, CRO, etc.) to give him or her the appropriate standing, access and authority to challenge the management body. Internal Audit is expected to have the right to attend and observe all or part of the management body meetings and any other key management decision making.
6. The Chief Audit Executive is expected to establish a multi-annual risk-based audit plan which is approved by the appropriate governing body. The audit plan should be reviewed on an ongoing basis and leave the necessary flexibility for unplanned audit reviews. High-risk areas should be covered on a more regular basis.
7. The Chief Audit Executive is expected to ensure that the audit team has the skills and experience commensurate with the risk of the institution and to implement a strong quality assurance process for the IAF (x), including a periodic formal external review. The Chief Audit Executive is expected to provide the Audit Committee with a regular assessment whether Internal Audit does have the resources, the skills and the experience required. This may entail training, recruitment and co-sourcing with external third parties.
(x) e.g. according to the Quality Assessment Manual by The IIA, newest edition.
8. Subsidiary and branch Heads of Internal Audit are expected to report primarily to the Group Chief Audit Executive, while taking the applicability of local governing law into consideration. It should be assured that the key processes of Internal Audit, like the assessment and valuation of risks, audit planning processes, classification of findings, writing of reports, escalation processes and follow-up of the findings, follow the same methodology.

Page 44, paragraph 6
EBA GL 44: 6. The IAF should report directly to the management body and/or its audit committee (where applicable) its findings and suggestions for material improvements to internal controls. All audit recommendations should be subject to a formal follow-up procedure by the respective levels of management to ensure and report their resolution.
Suggested wording: 9. The IAF is expected to report directly to the management body and/or its audit committee (where applicable) its findings and suggestions for material improvements. All audit recommendations should be subject to a formal follow-up procedure by the respective levels of management to ensure and report their resolution. If Management is not following up the recommendation and/or is taking risk which exceeds a level deemed suitable for the organization, the CAE must escalate this to the management function in its supervisory role.
10. The IAF is independent from external auditors. There should be an open communication between the IAF and the external auditors. The IAF can rely on the work of the external auditors when determining the annual audit plan. It is possible for the IAF to execute engagements in coordination with the external auditors' activity as long as the coordination does not jeopardize its independence and the adherence to the IIA standards.