European Confederation of Institutes of Internal Auditing (ECIIA)
The definition of outsourcing proposed in point 11, p. 18, includes a list of activities which are not normally performed by financial institutions, and some of them are not excluded from the outsourcing definition by the guidelines (Title 2, Point 23). This will lead to an extensive interpretation covering all kinds of supply service agreements (e.g. the provision of legal advice services, or critical and important processes that are forbidden in some countries, e.g. Norway).
We encourage the EBA to provide a more detailed list of examples of services that are not considered outsourcing.
The following remarks relate to section 3, but we consider it important to mention them here:
Point 26 considers intra-group outsourcing as being part of outsourcing.
This should not be the case, as the existence of a homogeneous internal control framework within a group provides a different level of security than a third party does.
Outsourcing within Europe, where the regulatory environment is homogeneous, or outsourcing “regulated” services, does not represent the same risk as outsourcing in another regulated environment.
Moreover, the selection of the intra-group provider is based on organizational and financial rationale within the group rather than on an “objective” selection.
We recommend deleting article 28 E.
Regarding Section 5 (conflicts of interest): we encourage the EBA to provide more details or examples to help identify conflicts of interest.
Regarding section 7 Internal Audit - p. 42:
The inclusion of the outsourced arrangements in the audit plan depends on the results of the risk-based approach, and this should be emphasized more strongly in the text.
Regarding section 7 Internal Audit - par. 44 sub.d:
The risk appetite, risk management and control procedures of the service provider are the responsibility of the management body of the service provider. The internal audit function should focus on the outsourced activities and assess compliance with the outsourcing agreement.
We recommend the following text: “the outsourcing agreement is in line with the risk appetite of the institution/payment institution and that the service provider’s risk management and control procedures related to the outsourced activities comply with the outsourcing agreement”.
Regarding section 7 Internal Audit - par. 44 sub.f:
It should be added that monitoring of the outsourcing arrangements is performed by the process owner (first line) and by the second line of defense.
Regarding section 7 Internal Audit - par. 45:
It is not clear enough whether the findings are those resulting from the audits performed by the institution/payment institution or from the service provider. The internal audit function of the institution/payment institution performs a detailed follow-up of the recommendations it has made. Those from the service providers are considered in the risk assessment performed by the internal audit function of the institution/payment institution and by the first line in charge of managing the outsourcing relationship.
We recommend removing the paragraph, as it is already included in EBA regulation (GL11).
Article 72.a is not feasible in practice, as the internal audit department will not have access to all information in all payment organisations: some legal constraints may prevent this.
Regarding section 10.3 point 74:
The service provider could commission a control assessment from an independent third party, generally under the International Standard on Assurance Engagements (ISAE 3402). The EBA recommendations on outsourcing to CSPs define external certification more clearly, and more specifically the work to be performed on top of the external certification; these should be mentioned.
Regarding section 10.3 point 75:
Pooled audits can be a good solution when it is difficult to audit the service provider (see section 7, point 43 above), but we encourage the EBA to decline the same samples for pooled audits (e.g. money treatment).
Proposed text for point 74: “Without prejudice to their final responsibility, institutions and payment institutions may use third-party certifications and third-party reports made available by the service providers for the audits. However, they should scrutinize the reliability, relevance and sufficiency of the information provided and decide whether further action is needed”.
References should be made to the three lines of defense model in the oversight of the outsourced functions. A clear reference to Operational Risk Management is important, as the second line plays an important role in the process.