What are the expectations from the regulators for IA and AC



And now I leave the floor to Maria ronto Jani again head of internal audit at alpab bank and Francisco Martinez uh Chief audit executive and Deputy general manager at bankinter group Spain the floor is your enjoy okay thank you very much Claudia for a introductions ER good afternoon everyone

And welcome to this new SE of uh this banking H Forum the topic that we are going to discuss now is related to the expectation from The Regulators for internal audit and audit committee with the new regulations on sustainability we are very lucky today because we have two high level panelist

To talk about this interesting them H first is Maria julbe that is the head of the non-financial RIS experts division at the ACB within the directory General H horizontal line supervision currently hi Maria currently she leads a team uh she leads a team of international highly qualified managers and experts on

Governance uh risk management anti-money laundering and counterterrorism financing operational risk and resilience information communication and technology and fintech in the non- Financial Risk division Maria and her team support and provide guidance to SSM supervisors conduct horizontal and benchmarking assessments and uh contribute to developing a policies methodologies and supervisory

Tools the other panelist is uh Federico Pon that is head bonera federo and federo is the head of section at the European Central Bank he leads the team responsible for the coordination of the supervisory review and evaluation program and for the development and M maintenance of the methodologies through

Which SSM off-site supervisor assess non-financial risk federo started his career as a supervisor at banad Italia we have a lot of questions for them and uh if time permits we will take questions from the audience at uh at the end of the session through through Z

Okay Maria thank you Paco uh allow me to start where um allow me to start the discussion where uh Patrick amiss left off earlier this morning uh in a call to all Auditors to reach out to their jsts to um be proactive as we heard earlier

Uh in case of doubt and compliance with uh regulatory expectations so Maria in keeping that in mind we are reaching out to you collectively now today uh and uh looking for you to share with us how you assess the effectiveness of internal control functions um in terms of progress and in terms of

Attention areas of attention thank you very much Maria and thank you very much Pak I hope that you can hear me well so first let me thanks again Andrea and Pascal for inviting us here I think I was here in the in the conference last year and clearly this is

A a very big opportunity for us to to engage with the internal Auditors and of course with the audit committee members I think Patrick mentioned the please feel free and and I’m really encouraging you to reach out to the jsts from the horizontal functions this is really an

Opportunity and the idea is to take this as an exchange and dialogue with you today no so Maria you were asking how do we assess the effectiveness of the internal audit function let me just highlight first of all the importance that we do place in the internal audit

Functions okay and the third line of defense to ensure really that that that institutions operate with sound risk management governance and internal control I really do not need to to highlight how do we assess it in the sense of that we use a regular an annual rep cycle that jsts assess the internal

Governance Effectiveness and functioning but also what we wanted today or I wanted just to to take a bit opportunity you mention or or PAC that we do a lot of in horizontal supervision a lot of benchmarking and and horizontal activities no and I do think that this

Give a lot of value added for us and and also for jst to see where the banks stand compared to others and and I think also for you know to see okay which are the areas where you are better off or areas where you are worse off what are

The things that you might have adapt and what others are doing I think this really helps H to understand what can be done to to to to enhance the the the functioning and Effectiveness so this year we run a a a benchmarking review H for 27 significant institutions in the

SSM which is a is quite a a relevant number and and I wouldn’t say that this would apply to all significant institutions but of course the the learnings and the things that we saw I think they are comprehensive enough and and I will try to to to share with you a

Couple of ideas so what we what we assess mainly when we look at the internal audit function is really four main topics no I think the ones would be the governance around the internal audit function the second one the methodologies the third one resources and then lastly H stature and

Effectiveness no so when we refer to governance mainly what we are talking is the the the appropriate reporting line of the head of internal audit function no and the and the and the reporting lines of this third line of defense and and and what we are seeing here is that

H overall ER we assess that there is an adequate reporting line that is ensuring the independence of the internal audit functions however we are still see that I need to say that there are very few cases okay where still H this reporting line and and direct access to the

Management board ER could be enhanced but this is not really what is concerning us in overall we see that there is a regular communication H with the board and there is regular dialogue regular exchange of information uh relevant reports are shared with the audit committee at least on a quarterly

Basis and as at good practices what we are seeing is that for example something that is very important for us is that the head of internal audit H holds regular meetings with the audit committee chair h on a regular basis only with him no so bilateral meetings

With h with him on this however we see also some areas of attention that I would like to share with you which are ER in some cases The Limited involvement of the board and the audit committee h on the oversight of the internal audit function this could be enhanced and in

Some cases also well and this is not in some cases I think here and the point is a bit bigger is that there is limited involvement of the board or the audit Committee in the appraisal the objective setting of the internal audit function head or the staff okay and maybe this is

Something that we would like let’s say you especially the audit committee members to take forward and to think how you are in your organization if we move to the methodology and I think this was raised a bit before no that internal audits need to be everywhere in the

Organization I took this idea I think of course we would expect H the audit Universe to cover all the risk all the business activities all the control activities and and all the control lies uh group entities and branches okay overall I think ER we see that there has

Been a lot of development on the risk-based methodology and I would like to highlight three areas also for further attention on on your side where we see that that in some cases this could be enhanced the first one is the the audits on risk appetite framework

Okay in some cases we are seeing that the the either the content is not as comprehensive as it should be or H the periodicity where this is done is a bit longer than what we would expect also considering the change in environment that I think you have been

Discussing also the other point would be a bit on group subsidiaries and Bank branches sometimes they are not included or they are not included as they should okay and finally I think non Financial Risk I think this is a an area that there is no doubt that this is

Increasing importance on this I think last year we were covering operational resilience this year we are covering or or the topic of the day is ESG no so I think this is something that in some cases could be enhanced the third point that I mentioned was a bit on the

Resources and I think this uh in the previous panel this has been raised also h um there is a a difficulty in attract talent talent okay skills and knowledge are ER becoming much more technical also and what we are seeing and what are jsts are telling is that in some cases the

Internal audit function might be a bit under staff okay so I think I would encourage you also to discuss with George to to tell you how how they see this compared to other Banks also no so I think of course um it resources are scarse okay and

Sometimes it’s even difficult for us no there is a tendency to first let’s say cover the business lines or what is the need for business then we move a bit on risk management and then sometimes internal audit I don’t don’t know how you think about it so I think this is

Something that I would like to raise with you and then finally the last point that I wanted to highlight is a bit on the stature and Effectiveness so I think here what I mean is to H apart from having the appropriate stature within the organization um it’s important the the

Process of H following up on the findings that internal audit raises no and I think here we have Identify some areas in the followup on recommendations on the classification of findings sometimes escalation of findings or disagreement okay when there is a disagreement between the internal audit function and the business lines sometime

There is a bit of unclarity of what the final decision and the re for why the things are taken and in some cases the level of intrusiveness of the reports however we have also seen very good practices also that I wanted just to raise with you today so in case you are

Not one of this you could see that or in case you are one of them maybe you could expand a little bit on this so we have on the followup procedures banks that clearly defines the Rosal responsibilities that there is a a clear engagement with the OD on the closure

Criteria that the any delays on the implement ation is clearly reported and escalated and even in some cases discussed specifically on this on the statute of the internal audit functions ER we see also that in in in some of the cases when there is a a disag there is a

Lot of good practices on the rating of the issues and internal audit um judgment prevails in case of disagreements ER or um in some of the things in case there is a discarded findings also this is escalated also so I think ER really to to complement that again I

Think if I would encourage you and and especially those banks that have been in this targeted in this horizontal analysis to Le with your jst and to see how this can be improved because ER I think one of the things of the BCBS principles of internal audit is really

The close interaction that we need to have the supervisor and the internal audit function so try to leverage a bit on on this so I hope Maria this ansers your question thank you Mania yes you touched upon many several uh good practices and areas for improvement that

Are tangible I thought it was quite interesting on the St the the uh stature and the effectiveness uh one being more tangible with the issue followup while the stature is also supporting what we heard all day long in uh making sure that internal audits voice is uh is heard holistically across the

Organization and uh it’s challenging uh thank you for that but Maria I can resist you have been talking about the internal AIT function and and you have mentioned several ER good practices um how do you assess the effectiveness of the um Banks board to oversee the the international the internal audit

Function and and if you can uh put some uh you have seen uh some U good practices in in that area could you could you share them with with us thank you very much Paco indeed also the let’s say the oversight role of the board and the audit committee ER over

The internal control functions and internal audit in particular is something that we do assess also regularly as part of this rep and also as part of some other specific ongoing activities whether it’s in on-site inspections or horizontal analysis or on think I don’t know if you

Are familiar or for many of you are familiar one of the key ER Flagship projects that we have within the context of the SSM priorities is the the targeted review of management body and indeed this year also our teams and so Federico and mine together with the jsts

Have also a done a targeted review on management body steering capabilities and this included a bit of the assessment of some of the nomination committee the remuneration committee and the audit committee no and I think we had a one uh exercise that was conducted last year for around 20 Banks and then

The we will have a second round of this exercise ER in this year no so um I think we have seen progress Paco going to your point regarding the role of the audit committee ER and and the oversight of the the internal h control functions and indeed I think we see that the

Overall the audit committee is H one of the most mature board committees that we see so I think this is very good news and and we really would encourage you to to continue or the audit committee members here to continue doing that I think just a couple of of areas for

Attention that I would like to to to call out the first one is the role of the audit Committee in drawing up the the internal audit plan okay so er and pro approving and providing its opinion we have seen that in some cases we would expect more from the audit committee

Here okay so I think maybe this is something that we can discuss a bit further because we have seen that a number of Banks and here I could say about around half of the banks that we saw in the samples let’s say the assessment so that we would have a or we

Would our expectations were not fully met okay and then I think the other area that that I would like also to highlight is a I think on the performance assessments and the objective setting on the kpis no and I think here er er we think that this is something that the

That the board audit committee needs to needs to have a closer look at it here so what we have seen for example is that in some cases there is the dominance that could hinder a bit the independent oversight of the internal audit functions we have seen maybe

Variable remunerations a bit too high we have seen that the the control setting um er er targets ER are not ER as they should be okay so I think this is something that we would like the the audit committee to have a look at it and

Then I think ER the last Point really that I would like to hi to highlight is er also in some cases the the internal audit the audit committee whether it could push a bit more to detect areas for further Improvement regarding the resources that we were talking before

The backlog the audit Universe the audit cycle so I think those are some of the things that maybe the audit committee members could push a bit harder on the other hand I think we have detected some very good practices that could be expanded ER for H some other audit

Committee know so we have many cases where the audit committee has established tools and processes to enable oversight kpi is to follow up and to regularly monitor how the audit plant is Going H the follow up on the findings the backlog we have seen even cases

Where this point that the we see on the on the staff okay that there is a followup on the turnover on the rotation which I guess is an issue almost everywhere now but the really the audit committee really making sure that the the internal audit function has the

Enough resources to do that some cases where there is a very fluid fluid communication between the head of internal audit and the audit committee and then this is translated also to the overall board oneto one meetings on this so I think this is a very important and then the role the interlinkage between

The audit committee and the board also so I think those are areas where we have seen also a lot of good practices here thank you Maria for sharing with us your views and your and this interesting H good practices I’m I’m very sure that uh all of us will

Check the gaps H in our organizations in in in immediately you you touched upon a few challenges already um at the end there and and having the audit committees focus on us how do you see the challenges faced by the internall functions in this rapidly evolving environment I

Think in the session that I attended some of them have been mentioned already no so and some of the challenges are not only related to the internal audit functions but are let’s say more on the environment that we live in first of all I think we should not forget the

Traditional risks okay and I think this is something that we need to to think about it and I think given the the the rapid things the volatility having really a close look at the IAP the ra the ey laap also I think unfortunately I think we missed an

Opportunity ER several years ahead no where liquidity was not an issue it’s not an I mean funding is still there but I think focusing on the risk control so I think this is something that we need to look look however the portfolio of topics that the internal audit function

Need to looks at is much broader now also no so I think the challenge is to make sure that this portfolio of topics is well understood okay and that is clear what need to be done and and I think here we would have topics like operational resilience we cover it last

Year okay not just digital but everything digital transformation we could have a within this we would have ICT we would have cyber risk data aggregation capabilities this has also been a priority for the SSM and it continues to be and and having good data and timely data this is critical

And also for you no all the non Financial the ESG geopolitical tensions which means also AML increasing AML risk been very high on the agenda sanction so that means that the overall portfolio I think again I would mention it again internal audit needs to be everywhere so

The challenge really is to make sure that there is a the right prioritization and the prioritization if needed I think overall we tend to be very good at prioritization the prioritization sometimes it’s not that easy to find the room to do that and I think the skills

No I think of course you need to have the right resources the right skills and the right knowledge in the organization to do that and then I think the last point that I would like to cover is the audit planning okay so the audit planning of course need to be somehow

Stable everybody needs to have a a plan to try to work along this plan but this needs to be flexible enough and being able to be adapted very quickly to to whatever happens no we saw the war a couple of years ago now we see the new developments then we have many crisis

Cases so I think it’s important really to to remain flexible to adjust to to these type of things and then the other challenge that might be and I think that was speak a bit upon before and I think federo might touch a bit upon is the role of the of the internal audit

Between the typical Assurance role okay to the advisor role okay so I think in in my View ER even when internal audit function is asked about the Strategic topics which I think is a very good symptom in an organization because that means that internal audit

Has the stature and and has a say in many of the things but you need to be very careful about it because you need always to have the independence of mind you do not need ever to be the decision making on these type of things but this is more isy saying that really

Implemented it on a day-to-day basis so I think this this point I think might create some frictions and it’s very important that the that the in all these topics or these tasks is really been discussed and understood what is the role of the internal audit function and

Then the last point that I could highlight is that I of course I mention it in the the sense of the risk that the internal audit functions need to assess no within the organization but of course we there are many tools also that can help and new technologies that can help

So I think the internal audit function in general need to adapt to this new er opportunities that might come but understanding what are they know and how you can leverage on that and making sure that no matter what tools you might use H you need to understand what’s going on

Behind it you need to understand the data so all the um the the risk and opportunities beh behind H digital transformation within their own internal audit function yes indeed I think that for internal audit function as you mentioned it’s a very big uh challenge we Face to

A changing and complex uh regulation so we need to have a very well prepared and updated um Team with the appropriate skills with multiple multiple knowledges um and um we live in a very competitive world so uh we have to be able to attract talent and and retain the team

So it will force us to make a significant efforts in in training in compensation in culture um so big challenge definitely um I would like just to to ask to federo because well during the whole day we have been um repeating that the ESG regulation is

A complex and it’s evolving and it’s not uh always easy to identify what Assurance is about when we look H we look at ESG so what’s mandatory for for a bank what is h coming in terms of new regulation and what what is important or

Or nice to have but not a must have federo please thanks a lot Paco I hope you hear me well yes um thank you and uh also good afternoon to you all for myself very happy to be here with you um many thanks many thanks for inviting us um

And indeed that’s a case that the uh sort of breath the span that Maria mentioned before is evolving very rapidly you know frankness it’s evolving for you as it is evolving for us um uh so we are also coping with limited resources and a change in landscape and

A broadening landscape and this can only be achieved if we have some I think guiding principles um to to illuminate a bit of our work at least I will try to get there um in my answer so indeed theity landscape is evolving we have the uh ebaa report ongis the BCBS principles

On the management of um climate related Financial re the FSB has also written a report and as you know the crdc um is about to award new mandates to the EV in particular to work on more guidelines for the assessment of the climate risk both for banks and for

Supervisors in this rep uh for example and also something around the climate risk stress testing so uh a lot more to come um and a lot more new uh new elements to come given that what are the minimum set of expectation sort that we can have um

The you mentioned a bit the mandatory part not to say what is mandatory um but what are the areas that have been a bit stabilized and I think um I would have a few um first is something that I haven’t heard in the previous discussion and that’s related to data data availability

Um good data availability um data gaps that are filled no blind spot and is also affecting The credibility of the information that is to be disclosed by bank to the external so there is both a data element uh the correctness of the disclosure outside the bank and there’s

An element of the indicators that I use both financial and non-financial indicators um uh to identify the risks and any potential any potential Gap so that’s a bit an infrastructure infrastructure mandate on on um on climate at least then there is a transition itself uh so here it’s about

The timing between the performance and evaluation cycle um and the timing that the the bank has for transitioning to meet it Target um this comes together with the strategy the identification of the areas that are not yet um you know isg or were there some gaps um in the materiality

Assessment in the factors that affect the business and so on and so forth and that you know sort of strategic Dimension calls in that the governance Arrangements which are very broad I mean you recall before the management body the role and efficiency of the Committees the awareness at the

Management level but also very completely how banks are remunerated how the the internal incentive structures work um for that matters so I think these are all areas where our expectations are well codified they uh sort of infrastructure component uh the VIS model strategic mement and the and

The Govern ones um however I mean let’s be clear as I said it’s a rapidly evolving environment so we cannot leave by uh in a compliance oriented fashion um and here is where uh you know I think requirements will get you this far honestly uh and that’s why we have

Principle based expectations I think Marco Pico before um recall to that I think it’s really um it’s really what can help you distinguish what’s mandatory from what’s nice to have but also reflect the speed of individual institutions and here I would offer a bit my personal sort of overing

Principle and that would be that um uh you know institution should consider climate related environmental risk as drivers of their existing risks so uh it’s not just about you know making sure that we comply with the rules but uh climate consideration should really be part of the RIS management toolkit the standard

Management toolkit and this is not because ECB or some other Proactive or less proactive supervisor um you know is prompting you to data because these risk are increasing so uh these are the new landscape of risk that banks are facing does include does include CL related

Ones um I don’t have to I think patrique has Pur you enough um into action this morning uh I don’t have to recall here um floats in Slovenia um you know disruptions in Germany not so far from here uh the wildfires um in Greece um this summer I was on an island over

There was pretty pressing but I think this is really changes to the risk landscape that are to be reflected in the risk management tool kit and this is the at most and foremost I think goal um also for you as one of the line of defense of the

Bank okay thank you federo I’m sure that Maria wants to answer to ask you questions federo you know this time of year all of us are all of the audit functions across the banks are uh preparing their analyses and working hard to develop their annual audit plans or their their plans for

2024 um in that light um could you share with us your insights on how should we integrate ESG into those audit plans for instance shall we take sustainability and make a dedicated audit uh or shall we look at sustainability across all of our audits so across all of the the

Audits that we do and that are relative on to sustainability or both thank you Maria that’s a fair point absolutely and I think you were discussing before the reactive or proactive role um and here it’s also another sort of layer of ambiguity that is not too destructive I hope uh but it is

Um it is true that a certain level of reactivity is embedded in the um in a sort of audit plan element at the same time uh we do expect you to be proactive in shaping how this work and FOC was one of the most important um the most

Important element let go back to to sort of the Target that is to make sure that the ESG considerations are well embedded in the standard RIS management toolit of the bank climate effects banks credit risk operational component um you know the external communication and what not

I don’t think we want you to develop a separate sustainability driven AIT program per se uh rather you as a third line of defense could reflect in our view on the level of maturity reach by the institutions and calibrate your audit plans according that may mean embedding for some institutions that are

Bit more advanced embedding climate risk considerations or ESG consideration at large into the standard audit program um you know in whatever type of audit is done say internal models um uh you know validation or review of of the setup uh from you know governance Arrangements in the board remuneration compensation so

On uh for some other institutions um some more preliminary initiatives make sense uh I think or at least is what we see the level of speed is not the same and uh uh it’s a very conscious and aware institution the one that calibrates its responses in the um in

Relation to to what it sees here I hope the ECB TI um on you know climate risk supervision provideed a few example of best practice reviews um I’m sure Patrick referred to those this morning uh there’s a whole list of section that um it’s um you know it’s been there I

Wouldn’t repeat uh the words here before we do expect um certain level of agility uh so we see that a special in advisory role um the internal a can be asked by the management body to undertake several um you know tasks um in some cases it

May be part of the formal AIT program that you’re working on um in some other cases may be something more ad do to be developed or delivered on the tip timelines um and I think here Al important to leave some room for these uh um uh sort of more agile needs uh

Because your independent review and support institution I think is pretty vital in a in a context of Rapid change so thank you for that I think we heard all morning uh about you know the advisory role maybe non-traditional being agile or having or not having a

Rated report um and it sounds to me like um there’s no uh wrong or right um we all need to consider and use our judgment in regards to the maturity of our organizations and how we integrate these whether it’s ESG as a topic e the

S or the G uh in dedicated and a mix of both in accordance to the to the maturity so thank you for that Federico that was um very important for us yeah um I agree um we have a in in bankin we have a dedicated team to to ESG that leads um

I’m coordinat the war but it’s impossible to have inducting all the experience in the different r that that we Face H when we talk about the E so because uh we can forget that e is totally cross so um I think that many banks have a a specific programs but uh

At the end ER includes in the in many in many audits the performance of the of The Specialist of other risks credit financial Capital operational governance so federo I would like just to to ask you a question about how do you recommend to address um some specific

Challenge related to E for example um sustainability and remuneration or data Readiness so how do you recommend that thanks a lot thanks a lot pako uh so indeed these are two rather specific and and pretty challenging areas um so happy to to spend a minute on those um

On remuneration I think what we see is that institutions the one supervis are increasingly adopting some climate related metrics in the compensation Frameworks and this comes from you know the reduction of cover footprint uh how much sustainable Finance is provided to clients um and also some kind of accountability measures uh for example

Some banks are Keen to uh you know be leaders in a certain area and includeed amount their kpis um it’s where the financial sort of U uh indicators or market share of certain products merge into the non-f financial ones um that’s also important we have scorecards uh or um you know any

Other indications um but also you know third party sort of valuation assessments on on um how well the bank is performing under the ESG that incorporates very broad factors like diversity and inclusion for example um it’s a landscape evolving very quickly um these also these indicators are um you

Know as at any rating sort of their sub to external scrutiny they’re visible um we do get impressional sometimes um have a bit jump and down but in general there’s many many many indicators over there and they’re used to uh you know shape remuneration packages and individual levels or the

Collective level for the management body um for example for the senior management team um we do see the overall impact as a bit um modest at the moment so um I think I’m just trying to provide a bit of an overview what we see before going into the various challenges but we’re

Not talking about a huge um you know sort of part of the compensation packages for the time being um now given this you know very terog genous rapidly evolving yet not too material um sort of work how can the internal loaded help um and and and drive forward the agenda for

The bank I think here uh it’s a point that is a bit related to your your second part of the question the one on data uh but in general this is pretty difficult um and it’s about you know not just how it can be measured what are the right indicators but examply

Understanding very well the risks um in the first place and this is where I think you were stting also Maria commenting the expert judgment the you know the maturity interview this is essentially a um you know something where I think having looked at various ways way of financial innovation in the

Past and how they had affected Banks or um institutional large and their risk management um internal audits can be in a position to um you know to incorporate in in the war plan and assessments having said that they not doesn’t come without challenges so there’s you know

It would be easy if we were to um uh be clear about all you know the regulatory requirements and there is a certain element of ambiguity there admittedly some jurisdictions have start incorporate or preper some more specific guidance um but there’s no one siiz framework and I think these available

Pieces of input can also be um you know making sort of an input into um the te function taking a principle Bas view on What’s um what’s there there’s a second dimension a second challenge that gets a gets me a bit into the data point that is understanding what are the right

Indicators um um what is a what is a good proxy we do I think as as consumers or you know part of the public we do get a sense that most people most institutions reporting about their ESG um compliance or advancements are among the top top 10% or whatever indicator

Because these indicators are bit you know not standard at the moment so um I think we do get a perception that we need to understand better the risk before and then decide what are the B metrics and that comes to uh the second the second part on data availability and

Data quality um and here I would really like to sound I was referred to that before but I would really like to sound up as a um sort of a call um to make sure that this is really well understood and concrete advancements are needed here good data is a prerequisite for

Many other processes and we do still see recurs to um proxy sources of information for example for greenhouse gases emissions or for the energy efficient of collateral um and there’s many providers out there external providers are making a a hell of you know good money in providing with

Information um uh to sort of compensate for the lack in internal information at Banks uh but some banks have not yet thinken a sort of a buy or make um sort of decision and um we are a bit worried in a way um I think you know the broader

Stance on the quality of his data U by the ECB and SSM at large uh but essentially as um one of my previous bosses used to say in whatever financial model garbage in garbage out that is how can we trust um the quality of the information or what is the decision that

Have been taken uh for example in relation to the pricing or certain loans taken into account the G factors um if the input information flow is so bad in quality or is not reliable at all um and this is where I think we get a sense of

Urgency a bit and I’m not sure how much is shared um by you as internal functions um but we as supervisor are bit worried about the quality of the land decision making when the data that we see being use is so um inadequate or patchy or you know relying on Legacy

Systems and um oldfashioned um and this is perhaps an area in which uh we do see the internal audit to provide some independent reviews independent advisory to the board uh about how much progress is needed here in Sy the management framework uh and uh you know it’s it’s

One of those cases which you may want to have full regulatory guidance or expectations to take the box and have a compliance um sort of more compliance driven approach and this would be very tempting but it’s not such a thing um at the moment uh and I think we ourselves

Are not there um in of providing something more but good principles solid principles for you to exert your judgment and your knowledge and we are very committed to facilitate Shing best practices let the knowledge accumulates in our community to emerge and to be used by the broader system uh but

Ultimately the the the sort of expert call um I think is yours okay federo thank you very much um well we have more than 400 people connected right now and I’m sure that we will have a lot of questions from the audience they are sending us by slid and

Uh well we have the first one I would like just to to ask to Maria H how could internal audit cooperate with the compliance function Maria I think the question or my answer could be Toof fault I think for of for sure internal audit needs to cooperate with the compliance functions

But then there is an additional role is that the internal audit needs to ensure the adequate of the second line of defense also no so I think this is the the two aspects that I would like to to raise here sometimes it’s not um there needs to be a really well

Defined what is within the scope and within the Mandate of the compliance function okay and and and making sure that they er do what is expected from their side okay and then the internal audit function ER in their in their Assurance role okay they need to make sure that the compliance fulfill its

Mandate no so I think there is a we go back a bit again to the point on the assurance and the working together here no it’s it’s not just working together with the business also the internal a functions work very closely together with a risk management or with a AML

Function if separate from the compliance no but I think I would like really to convey that the point of this assurance is also critical for us Maria perhaps you can uh support us in in looking at the the next question that’s come up on slido which is uh internal audit always has different

Roles advisory assurance and we deliver different types of reports and what are the recommendations from the ECB on the types of reports we deliver whether they be advisory or Assurance I think we heard a lot earlier today about rating not rating agility so if you can take that for us

Please I think if I I think on the on the on the on the advisor role I think the the critical point that I that I mentioned a bit before is really there needs to be a clear ER delineation of what is the role of the internal audit here ER internal audit

Should never be ER in the driver seat of the things it would never be a decision making here and then um is a relevant stakeholder in the organization that has a view on the things no and and of course this is a bit what happened with the risk management function or so risk

Management function should not just enter ER or speak when the risk has been taken no because otherwise it might be a bit late on this but if we think about the Assurance ER on this I I think the report um at least from my experience especially when I was a the jst

Coordinator here H from from an ECB or from a supervisor perspective the Scopes need to be very clear okay H what is the scope of the activity what the techniques were used what were the findings what is the severity of the findings of this what is the reasoning

What are the root CA what are the implementation ER plans uh whether in the report or later what is the deadline I think the report needs needs to serve it purpose no and to serve it its purpose is like as as as I think we are

The supervisors our our aim or our goal is not to raise findings it’s not to issue as rep letter with 400 findings no or get to as rep score of four or a P2 r or a p2g of X is to ensure ER the F the soundness of the governance

And of the system and I think the report should help on that okay so there needs to be Clarity on the report Clarity on the roles and responsibilities clarities on who needs to do what clarities in there is a disagreement what happens with that disagreement it doesn’t need

To be a Noel of course but it needs to be very clear and to the point who needs to do what and by when and what happens if not no so I think the reports need to be very clear ER on that and and this

Needs to be done in written form I don’t know if this address is a bit no you you you definitely um supported us in in making sure that the the techniques the findings the scope needs to be clear and and for for all expectations our voice needs to be

Documented and that’s clear for me uh a clear message from from you here today and that uh our advisory role takes on uh active participation in meetings and committees and U many times um that’s not always documented and so the expectation from the ECB here is clear

That our advice needs to be um in written form so thank you for that and if I may Maria just to to add on this is on the severity of the things I think sometimes it’s very difficult to rank depending on exactly where they where they are but again the severity of the

Findings or saying okay where is in the scale is because then that helps prioritizing making sure that everybody’s aware they know what the the things are really s that needs to be tackled on the first place or not so I think it’s important because we need to

Convey the message the things will need to convey to you you will need to escalate to the audit committee and this requires expert judgment to to tell the people okay this is where we need to focus and and and you need to raise this point also

Okay uh thank you H one more question for federo how can internal audit Bas developed their a audit program in view of diversity of parameters uh evolving regulation Etc thank you thank you Paco uh thanks for the question I think the first starting point is really to understand

Well the risk that the bank is exposed to um as I said before there’s very limited uh there very Li room for you know ensuring that a full compliance sort of driven exercise takes place uh because expectations are evolving rapidly uh because regulatory framework is Patchwork at the moment or it’s

Itself evolving very quickly uh so I think a sound understanding of the risk the risk phas of Institutions and um you know a good determination of what um what’s there is the first is the first and foremost element the second second is to try and measure those risks and to

Try and find the right um you know as Maria said having a conversation not just on perception but on something that is rankable measurable a bit objective uh move on the disc scores to towards something that is um you know a bit more aligned to the standard management to

Kit I would say and I’m afraid that comes a bit with the quality of information in the first place uh so how reliable is the input how good is the coverage of ESG considerations um uh you know for the broader R management tool I think these are really the starting the starting

Point um have a concrete look at the risks uh try and rank and measures and then embed That Into You know a war plan that will be uh a bit reflecting the expert judgment I’m afraid there’s very little um little way around it with these emerging risk for the next um for

The next few years but you know having a robust a big principle Bas approach to to some of the RIS that um that you see and that we see in frankness okay well I I’m going to to take the floor and ask for what uh we asked previous the

Previous panels in that uh there’s over 400 people uh listening to us today here uh mostly Auditors and audit committee members any uh last pieces of advice for us either in our roles of auditors uh uh or uh AC members I think maybe if very quickly I think Patrick mentioned it no so

Dialogue with the supervisor this is critical I think you need really to have a dialogue with the supervisor both way okay so the jst should be able to explain to you how they see the risk in your in in the respective bank and for you to understand that and the same okay

So you need to have beyond the specific concrete thing how you see the risk how the Assurance how the control framework is working I would encourage really the the internal auditor to do that and also the audit committee no I think it’s important and I think on this we see

Different practices okay and and I would really encourage the the audit committee members and of course the chair of the audit committee to to to discuss from time to time ER with the jst and raise this and then I think internally I would encourage H for those places where there

Is no ER if if uh there is not enough dialogue or you think there is not enough dialogue directly between the internal audit and the audit committee to do that and then the role of the audit committee babis uh the board here so I think this is a critical for the

Internal audit to be able to fulfill its mandate and for the audit committee and the board to be able to fulfill their challenging role also and the oversight capacity so I think this could be my let’s say my two cents here and then H be ready for the for the evolving

Landscape this is very difficult we are supervisor are also ER evolving ourselves and this is a journey in which we are also embarking Federico don’t know if you want to thank you Maria I would stress the two-way nature of the dialogue that you mentioned before um so

I think we’re also evolving I meane the the unit responsible for coordinating this rep as a process and we also try to to have you read the recommendations from the expert group U we’re trying to evolve our framework to a bit of a less compliance oriented one um uh towards

Expert judgment and that’s you know it’s also a cultural shift on our part uh so I think we’re here to share our own challenges um and those have been publicly broadcast By Andreia um in in this closing this report so it’s not an issue and this is specifically relevant

For the dialogue I think we want to move away from this sort of yearly meeting with the uh chair of the AUD committee um that that is sort of a bit the the starting point that we have adopted and really this dialog should be something that adds value for both parts including

On your part if something is not clear on behalf of the supervisor um is some of the expectation some of the measures are um you know a bit too foggy if there are some ways uh in which the intended outcome under line the measure is not

Too clear or um something is a bit missing uh in between the sort of the finding and how you see the supervisor asking you to to remedy or to address issues um I think this is quite important and very valuable for us um as supervisor we’re trying to keep our

Teams to um deal at best with this sort of exchanges so many thanks and I think this is one of the occasions in which establishing a constructive dialogue is a inducive to better as move relationship going forward indeed thank you for that Federico thank you both uh for your

Valuable insights uh that will strengthen our internal audit practices and board committee practices and uh in one summation between uh this morning and this afternoon I think we go back to tradition and increase the dialogue uh between us on a regular basis and evolve that communication learning on risk and

Controls thank you both for your valuable insights thank you very much to you for having us here thank you thank you Maria and federo for your clear messages and advices and uh we have to reach to the end of the session