Slide 1
The 9th European Financial Markets Convention
“Towards true integration by 2009”
Brussels 26-27 May 2005
Corporate Governance Session by the ECGI
Risk Management and Internal Control in the EU
David Devlin – FEE President
(Fédération des Experts Comptables Européens - European Federation of Accountants)
Slide 2
FEE
• Corporate Governance – Risk Management Aspects
• Sarbanes-Oxley Act: Section 404
• Proposed EU Requirements
• FEE Survey of Member States
• FEE Discussion Paper
Slide 3
Corporate Governance
• Risk Management and Internal Control addressed in most codes; for example
  Combined Code (UK)
  Peters Report (NL)
  Vienot (F)
  OECD Principles
Slide 4
Sarbanes-Oxley Act (1)
S 404: Financial Reporting Controls and Assessment of Effectiveness
PCAOB: Auditing Standard No. 2
Public reporting on effectiveness and material weaknesses
Recent SEC Round Table
• Support for objectives
• Concerns about compliance costs
PCAOB statement – greater use of judgement
Slide 5
Sarbanes-Oxley Act (2)
Some Personal Impressions from SEC Round Table
• Broad support for Section 404
  Top management involvement in controls
  More awareness throughout organisation
  Greater confidence of management, board, investors
  Deeper audits
• Cost and effort far higher than expected
  FEI estimate average $4.3 million
Slide 6
Sarbanes-Oxley Act (3)
Some Personal Impressions from SEC Round Table
• Will not
  Eliminate fraud or operational risk
  Provide more than reasonable assurance
• Aim to
  Keep the benefits
  Reduce the costs
Slide 7
Risk Management and Internal Control
Proposed EU Requirements
• Very high level
• 8th Directive
  Audit committee to monitor effectiveness of risk management
  Seems to cover operational and compliance risks too
• 4th and 7th Directive Amendments
  Published description of internal control and risk management systems and financial reporting
• No agreed high level criteria to facilitate reporting
Slide 8
FEE Survey of National Requirements
• Summary of requirements in US and nearly 30 European countries
• Source of requirements
• Types of risk addressed
• Risk management only or disclosure too?
• Effectiveness conclusions?
• Auditor involvement
My Conclusion:
• Could be a suitable area for convergence
Slide 9
FEE Proposals (1)
• Evolutionary path, from legal requirements to best practice:
Slide 10
FEE Proposals (2)
• Managing risks:
• Widely recognised best practice for companies to establish systems of risk management and internal control across the whole of the business
• To be embedded in business processes and corporate behaviour
• Audit committees to monitor such systems
• Need for a framework (COSO, Turnbull)
Slide 11
FEE Proposals (3)
• Disclosure of process
• Listed companies to disclose process of risk management and internal control
• Need for high level criteria for disclosure
• Need to clarify practical and commercial issues
Slide 12
FEE Proposals (4)
• Disclosure of management of specific risks
• Major concerns about:
  • commercial sensitivity
  • potential liability
  • reputational damage for directors
  • practical issues
Slide 13
FEE Discussion Paper
“Risk Management and Internal Control in the EU”
• Best Practice
• Principle Based Requirements
• Regulatory Options and Proposals
• External Assurance
• Invitation to Comment by 31 July