According to ECIIA, the EBA's draft technical standards on recovery plans for credit institutions and investment firms need to ensure the independence of internal audit.
ECIIA understands that the goal of this directive is to establish a framework for the recovery and resolution of credit institutions and investment firms, setting out a Union-wide framework for crisis prevention, management and resolution. Therefore the technical standards in question only touch the internal audit function to a minor extent.
The core task of the internal audit function is not to be part of risk management itself but, through a risk-based approach, to provide assurance to the organisation’s governing body and senior management on how effectively the organisation assesses and manages its risks, including the manner in which the first and second lines of defence operate. This assurance task covers all elements of an institution’s risk management framework, i.e. from risk identification, risk assessment and response to communication of risk-related information (throughout the institution and to senior management and the governing body). As such, internal audit acts as the third and last line of defence of an organisation. All other operational functions of an organisation - such as risk management or risk control - act as the first and second lines of control respectively, and have clear roles and responsibilities within the operating model of a bank. Having said this, the involvement of internal audit in the process of establishing a recovery plan necessarily needs to be limited.
ECIIA identified two aspects where it deems adjustments necessary, as the chosen wording or suggestions endanger the independence of internal audit and do not meet international standards:
Firstly, Article 5 seems to regard the function of a risk committee and the internal audit function as being alternatives in the process of approving the recovery plan. So, according to EBA's suggested standards, internal audit may or may not be involved, and if it is, it should be as part of the approval process.
As internal audit should be involved in all important new product processes or processes influencing risks and the internal control system, it is necessary to involve internal audit in developing a recovery plan, but only on a consultative basis. Its role must at no point in time be any part of the approval process. Moreover, internal audit must not officially “review” any plan which it later has to audit and on which it must give judgement; otherwise its objectivity and independence might be compromised.
Secondly, internal audit’s role to review the recovery plan should not be during the process of establishing it, but at a later stage in the course of its normal audit activities. Hence, ECIIA believes it necessary to clarify that internal audit has to review the recovery plan as part of its audit activities.
© ECIIA