1. Slide 1 The 9 th European Financial Markets Convention “Towards true integration by 2009” Brussels 26-27 May 2005 Corporate Governance Session by the ECGI Risk Management and Internal Control in the EU David Devlin – FEE President (Fédération des Experts Comptables Européens - European Federation of Accountants)

2. Slide 2 FEE  Corporate Governance – Risk Management Aspects  Sarbanes-Oxley Act : Section 404  Proposed EU Requirements  FEE Survey of Member States  FEE Discussion Paper

3. Slide 3 Corporate Governance  Risk Management and Internal Control addressed in most codes; for example  Combined Code (UK)  Peters Report (NL)  Vienot (F)  OECD Principles

4. Slide 4 Sarbanes-Oxley Act (1) S 404:Financial Reporting Controls and Assessment of Effectiveness PCAOB:Auditing Standard No. 2 Public reporting on effectiveness and material weaknesses Recent SEC Round Table  Support for objectives  Concerns about compliance costs PCAOB statement – greater use of judgement

5. Slide 5 Sarbanes-Oxley Act (2) Some Personal Impressions from SEC Round Table  Broad support for Section 404  Top management involvement in controls  More awareness throughout organisation  Greater confidence of management, board, investors  Deeper audits  Cost and effort far higher than expected  FEI estimate average $4.3 million

6. Slide 6 Sarbanes-Oxley Act (3) Some Personal Impressions from SEC Round Table  Will not  Eliminate fraud or operational risk  Provide more than reasonable assurance  Aim to  Keep the benefits  Reduce the costs

7. Slide 7 Risk Management and Internal Control Proposed EU Requirements  Very high level  8 th Directive  Audit committee to monitor effectiveness of risk management  Seems to cover operational and compliance risks too  4 th and 7 th Directive Amendments  Published description of internal control and risk managements systems and financial reporting  No agreed high level criteria to facilitate reporting

8. Slide 8 FEE Survey of National Requirements  Summary of requirements in US and nearly 30 European countries  Source of requirements  Types of risk addressed  Risk management only or disclosure too?  Effectiveness conclusions?  Auditor involvement My Conclusion:  Could be a suitable area for convergence

9. Slide 9 FEE Proposals (1)  Evolutionary path, from legal requirements to best practice:

10. Slide 10 FEE Proposals (2)  Managing risks:  Widely recognised best practice for companies to establish systems of risk management and internal control across the whole of the business  To be embedded in business processes and corporate behaviour  Audit committees to monitor such systems  Need for a framework (COSO, Turnbull)

11. Slide 11 FEE Proposals (3)  Disclosure of process  Listed companies to disclose process of risk management and internal control  Need for high level criteria for disclosure  Need to clarify practical and commercial issues

12. Slide 12 FEE Proposals (4)  Disclosure of management of specific risks  Major concerns about: commercial sensitivity potential liability reputational damage for directors practical issues

13. Slide 13 FEE Discussion Paper “Risk Management and Internal Control in the EU”  Best Practice  Principle Based Requirements  Regulatory Options and Proposals  External Assurance  Invitation to Comment by 31 July

14. Slide 14 The 9 th European Financial Markets Convention “Towards true integration by 2009” Brussels 26-27 May 2005 Corporate Governance Session by the ECGI Risk Management and Internal Control in the EU David Devlin – FEE President (Fédération des Experts Comptables Européens - European Federation of Accountants)