To All National Institute Members of ECIIA

EUROPEAN CONFEDERATION OF INSTITUTES OF INTERNAL AUDITING (IVZW)

======

Head Office: c/o IIA Belgium – Koningstraat 109-111, bus 5 - B-1000 Brussels (Belgium)

Phone: +32 2 217 33 20 Fax: +32 2 217 33 20 Email: [email protected] Brussels, June 26 2014.

Dear Sir, Madam,

The ECIIA (European Confederation of Institutes of Internal Auditing) would like to thank you for the opportunity to comment on the open discussion document: “The Future of Audit and Assurance”.

Our main concern with this document is that it focuses exclusively on the role of external audit in providing assurance to boards and does not recognise the central role also played by other functions such as internal audit and risk. An essential aspect of assurance is the way external audit works with these other functions to ensure that boards receive a full and coordinated picture of governance, risk and control.

Internal audit is an important part of the governance model, helping governing bodies to monitor the effectiveness of the company’s internal control and risk management systems and providing them with independent and objective assurance on governance, risk and control. For this reason, we believe that the final version of the FEE document needs to cover these aspects of assurance. In particular this will need to explain the interaction and cooperation between external and internal audit. In this respect, please see the ECIIA position paper: “improving cooperation between internal and external audit” (in appendix).

The ECIIA is the professional representative body for 35 national Institutes of Internal Audit in the wider geographic area of Europe and the Mediterranean basin representing a membership base of over 40.000 internal audit professionals. The mission of ECIIA is to be the consolidated voice for the profession of internal auditing in Europe and to promote the enhancement of corporate governance through internal audit.

As such, the ECIIA is an Associated Organisation of the global Institute of Internal Auditing (the IIA), a professional organisation of more than 181.000 members in some 190 countries. Throughout the world, the Global IIA is recognised as the internal audit profession's leader in certification, education and research regarding internal auditing. The Global IIA also maintains the

Head Office: c/o IIA Belgium – Koningstraat 109-111, bus 5 - B-1000 Brussels (Belgium) Phone: +32 2 217 33 20 Fax: +32 2 217 33 20 Email: [email protected] Web: www.eciia.eu EUROPEAN CONFEDERATION OF INSTITUTES OF INTERNAL AUDITING (IVZW)

======

Phone: +32 2 217 33 20 Fax: +32 2 217 33 20 Email: [email protected] International Professional Practices Framework (IPPF) which includes the International Standards for the Professional Practice of Internal Auditing, the definition of internal auditing, the code of ethics, practice advisories and other guidance. (http://www.theiia.org/guidance/standards-and- guidance/interactive-ippf/

The IIA endorses the “three lines of defence model” as an important tool for integrating, coordinating and aligning all assurance functions within an entity.

As the first line of defence, operational managers own and manage risks. As a second line, senior management establishes various support functions like: accounting; legal; risk management and compliance to help build and/or monitor the first line of defence controls. The third line comprises the internal audit function that provides the governing body and senior management with comprehensive assurance on the effectiveness of risk management, governance and internal controls. This includes the manner in which the first and second lines of defence achieve risk management and control objectives, based on the highest level of independence and objectivity within the organization.

Internal auditors evaluate the internal governance mechanisms of the enterprise through a comprehensive and integrated approach. Their work is related to all processes of an entity taking into consideration all possible risk factors (e.g. strategic, operational, reporting, compliance and fraud risks) in order to plan the audit in relation to the diverse control objectives. The internal auditors must be independent and have adequate resources. In this context, the internal audit

======

Phone: +32 2 217 33 20 Fax: +32 2 217 33 20 Email: [email protected] function is the primary provider of independent assurance to the Audit Committee and the senior management from within the entity.

In the “three lines of defence model”, the External Auditors can play an important role in the assurance process, based on the mandate and the specific scope. They are considered as an additional line of defence, providing assurance to the organization’s stakeholders, including the governing body and senior management. In the appendix we have responded to the most relevant questions for the internal audit profession.

We remain at your disposal for further discussions and would like to meet you shortly to discuss further the future of the audit profession of which we are all part.

Sincerely

MH Laimay Th Smit Vice President President

======

Phone: +32 2 217 33 20 Fax: +32 2 217 33 20 Email: [email protected] Question 1:

Stakeholders’ expectations on audit and assurance are, inter alia, driven by cost/benefit aspects. Good cooperation and interactions between the different actors will help governing bodies obtain a comprehensive view of operations and risks whilst eliminating areas of possible duplication of audit efforts. Most particularly, internal and external auditors should, as a minimum, coordinate their audit plans, communicate their findings, have regular meetings and provide assistance to the Audit Committees. The degree of audit cooperation should be discussed at Board/Audit Committee level.

Question 2:

Internal Audit covers broader topics than those covered by the statutory auditors (reporting on the financial statements). Greater interactions between internal and external audit are recommended in order to provide assurance in the most effective and efficient manner. ECIIA would be happy to share with FEE the view of the internal audit profession and the experience of Audit Committee members.

Question 3:

In the International Professional Practices Framework (IPPF) for internal audit, the International Standards for the Professional Practice of Internal Auditing (Standards), the Definition of Internal Auditing and the Code of Ethics are mandatory while the practice advisories and other guidance are recommended. This way, internal auditors have flexibility to adapt their work to the context of their organization while the same basic rules are applied internationally.

Question 5:

As described above, cooperation and interactions between internal and external audit are key to the effective and efficient provision of assurance. According to the International Standards for the Professional Practice of Internal Auditing, the internal auditor may rely on or use the work of

======

Phone: +32 2 217 33 20 Fax: +32 2 217 33 20 Email: [email protected] external auditors in providing governance, risk management and internal control assurance to senior management and the governing body (Standard 2050, supplemented by Practice Advisory 2050-3). The internal auditor must evaluate the independence and objectivity of the external auditors and adapt the reliance accordingly.

In Standard 1100, the following definitions of independence and objectivity are given: "Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels."

Question 6:

We agree that IT has a huge impact on the audit profession, resulting in new challenges. This is also the case for internal audit. Part of the challenge will be to develop compatibility between IT systems and software used by internal and external audit in order to promote closer cooperation between the two audit professions.

Question 7:

According to a survey recently conducted by IIA Global (Pulse Survey, IIA Inc, 2013), it appears that more emphasis on operational skills and soft skills (communication, project management,…) will be required for internal auditors in the future.

Question 19:

A new directive of the EU has recently been approved by the European Parliament regarding the disclosure of non-financial and diversity information. Large companies will have to disclose information on policies, risks and results as regards environmental matters, social and employee

======

Phone: +32 2 217 33 20 Fax: +32 2 217 33 20 Email: [email protected] related aspects, human rights, anti- corruption, bribery issues and diversity on board of Directors. Additionally the GRI has released its framework of corporate reporting. Internal auditors will play a major role in these new requirements by ensuring that the social and environmental aspects function properly through an assessment of the risks and internal controls in these areas.

Head Office: c/o IIA Belgium – Koningstraat 109-111, bus 5 - B-1000 Brussels (Belgium) Phone: +32 2 217 33 20 Fax: +32 2 217 33 20 Email: [email protected] Web: www.eciia.eu