José Manuel Muries.
Internal Audit General Manager MAPFRE S.A.
Madrid - Spain

Background

On 1 July 2010, the Spanish Official State Gazette¹ published Act 12/2010, of 30 June, amending the Accounts Auditing Act², the Securities Market Act³ and the revised text of the Spanish Public Limited Companies Act⁴, in order to bring them into line with Community regulations.

The main reason for that Act was to adapt to Directive 2006/43/EC, which regulates aspects relating to external auditing, such as:

• the authorisation and registration of auditors and audit firms, including ones in other Member States of the European Union and third countries;
• ongoing training, professional ethics standards, independence and objectivity, and the confidentiality and professional secrecy that auditors and audit firms must observe;
• the performance of audits in accordance with the international auditing standards adopted by the European Union;
• the full responsibility of the auditor who carries out the audit of consolidated financial statements;
• the quality control of auditors and audit firms;
• effective investigation and penalty systems;
• the appointment and dismissal of auditors and audit firms;
• the compulsory entry of auditors and audit firms in a public register, and
• cooperation with the competent authorities of Member States of the European Union and of third countries.

At the same time, the reform is being used to modify certain aspects of the regulations contained in the Act, which have to be adapted to the changes in commercial legislation that have occurred, and to incorporate the technical improvements recommended by experience and the practice developed since it entered into force.

On 1 July 2010, the Spanish Official State Gazette published Act 12/2010, amending the Accounts Auditing Act in order to bring them into line with Community regulations

Following this introduction, I am going to focus my briefing on the aspects of the Act that most affect insurance companies listed on the stock exchange, like MAPFRE for example, and in particular on the changes which the Act introduces to the functions of the Audit Committee and Internal Control.

Main changes to the Accounts Auditing Act

The auditor’s responsibility

Article 4. Auditing of Consolidated Accounts, of the Accounts Auditing Act, paragraph 2 of which is now worded as follows:

“The auditor who carries out the audit of the accounts or consolidated accounting documents assumes full responsibility for the audit report issued, even where the auditing of affiliated companies’ annual accounts has been carried out by other auditors.”

This is a significant change compared with the previous provision, in which the auditor of the consolidated accounts could limit his liability by excluding affiliated companies audited by other firms.

The annual transparency report

Another relevant aspect is the inclusion in the provision for the first time of the Annual Transparency Report, which is included in Article 14B and lays down the following:

1. “Auditors and audit firms which audit the accounts of public interest entities⁵, and also audit firms in third countries, shall in the three months following the end of the financial year make public through their Internet pages an Annual Transparency Report containing at least the following information:
   • Description of the entity’s legal form and owners where the entity is an audit firm.
   • Where the audit firm or the auditor are linked to the entities or persons referred to in Article 8 c) and d) of that Act⁶, a description of those entities and persons and also of the agreements or Articles of Association which regulate that link.
   • Description of the audit firm’s governing bodies.
   • Description of the auditor’s or audit firm’s internal quality control system, and a declaration from the administrative or management body on the effectiveness of its operation, indicating when the last quality control took place.
   • List of public interest entities for which they have carried out auditing work in the last financial year.
   • Information about procedures or action plans followed by the auditor or audit firm in order to guarantee their independence, and mention of internal reviews carried out in order to comply with the duty of independence.
   • Information on the policy followed with respect to the ongoing training of auditors.
   • Information on the total volume of business, with a breakdown of income according to whether it comes from auditing activity or from the performance of other non-auditing services.
   • Information on the bases for members’ remuneration.
2. The transparency report shall be signed by the auditor or, in the case of audit firms, by those to whom representation has been assigned.”

The reform is being used to modify certain aspects of the regulations contained in the Act, which have to be adapted to the changes in commercial legislation that have occurred, and to incorporate the technical improvements recommended by experience

The Securities Market

The fourth Final Provision of Act 12/2010 changes Act 24/1988, of 28 July, on the Securities Market in the following aspects:

• A new paragraph is added to paragraph 2 of Article 117 of the Securities Market Act:

  “On the company’s webpage an Electronic Shareholder Forum shall be enabled, to which both individual shareholders and any voluntary associations they may set up shall be able to have access, with the proper guarantees, in order to facilitate their communication prior to the holding of Annual General Meetings. In the Forum they shall be able to publish proposals that they intend to present as a complement to the agenda announced in the AGM notification, requests for support for such proposals, initiatives for reaching the percentage sufficient to exercise a minority right as provided for in the Act, as well as offers or requests for voluntary representation.”

• A new fourth paragraph is added to Article 117 of the Securities Market Act:

  “The shareholders of each listed company shall be able to set up specific voluntary Associations in order to exercise their rights and better defend their common interests. Shareholders’ Associations shall be entered in a special Register for that purpose at the Spanish Securities and Exchange Commission (CNMV⁷). The legal system of Shareholders’ Associations shall be developed in due form and comprise at least the requirements and limits for their constitution, the bases of their organic structure, rules for their operation and the relevant rights and obligations, especially in relation to the company listed.”

The new regulation replaces the word “Know” with “Monitor”, considerably increasing the Audit Committee’s responsibility as regards matters relating to Internal Control, Risk Management and the process of preparing and presenting regulated financial information

The Audit Committee

The role of supervisor

As far as the Audit Committee is concerned, certain aspects are being changed. In the table below, the provisions of the previous Securities Market Act (Column A) can be compared with the Audit Committee’s new authorities (Column B) under the current Act.

At the same time, Column C includes the broad outlines of the Audit Committee included at MAPFRE’s Good Governance Code, which coincide with the Good Governance Unified Code on the same aspects.

Authorities of the Audit Committee

A Securities Market Act (former) 18th Additional Regulation	B Securities Market Act) (new) 18th Additional Regulation	C MAPFRE Good Governance Code 18th Article
1. – Inform the General Meeting.	1. – Inform the General Meeting.
2. – Supervision of internal audit services.	2. – Supervision of internal audit services.	1º b - Periodically review the internal control and risk management systems.
3. – Knowledge of the financial information process and internal control systems.	3. – MONITOR the process of preparing and presenting regulated financial information.	1ºa - Monitor the process of preparing and the integrity of financial information.
4. - Propose the appointment of the auditors. 5. – Establish relations with the auditors in order to receive information on matters that may put their independence at risk.	4. – Propose the appointment of the auditors. 5. – Establish relations with the auditors in order to receive information on matters that may put their independence at risk. Each year they must receive from the auditors written confirmation of their independence, as well as information on additional services performed. 6. – Issue each year a report in which an opinion is given on the independence of the auditors.	2ºa - Submit to the Board proposals for the selection, appointment, re-election and replacement of the external auditor. 2ºb - Regularly receive information from the external auditor. 2ºc - Ensure the independence of the external auditor.
		1ºc - Ensure the independence and effectiveness of the Internal Audit function. 1ºd - Establish and monitor a mechanism that allows employees to report irregularities.

Note: Numerical references at columns A and B are sections that belong to the 18th Additional regulation included at the Securities Market Act (former and new, respectively).
In Column C, numbers correspond to sections within the 18th article at MAPFRE’s Good Governance Code.


Print table

Among the Audit Committee’s new authorities, the regulation clearly establishes that the Audit Committee must MONITOR:

• the effectiveness of the company’s Internal Control, the internal audit and risk management systems;
• the process of preparing and presenting regulated financial information.

It should be noted that the new regulation replaces the word “Know” with “Monitor”, considerably increasing the Audit Committee’s responsibility as regards matters relating to:

• Internal Control,
• Risk Management and
• the process of preparing and presenting regulated financial information.

What does the CNMV’s Working Party recommend?

As regards this new monitoring role which Act 12/2010 confers on the Audit Committee, both in the process of preparing and presenting the regulated financial information and in the process of monitoring the effectiveness of the internal control system, it is appropriate to mention the recommendations that the Working Party created by the Spanish Securities and Exchange Commission (CNMV) issued in June 2010, the main results of which were as follows:

• Submit a policy development proposal on the subject.
• Establish a frame of reference which includes a set of general principles and good practice from the Financial Information Internal Control System (FIICS), in order to help listed companies with the design, implementation, operation and monitoring of their FIICSs, thereby strengthening the reliability of the financial information. This framework took the COSO (Committee of Sponsoring Organizations of the Treadway Commission) report as its reference.
• Propose a guide for the preparation of information on their FIICS which is to be disseminated in the markets.
• Provide some guidelines for carrying out the Audit Committees’ monitoring work with respect to the FIICS.
• Issue a glossary of terms.

The company shall draw up a report on the effectiveness of its internal control procedures, stressing any significant deficiencies identified and their implications and proposing the measures considered appropriate for their correction

For these recommendations to be normative in nature, the CNMV must submit a Circular containing the recommendations of the aforementioned Working Party. And for that, it must approve two laws which have in fact already been approved by the Spanish Parliament:

1. The Auditing Act which –as has already been mentioned– affects the powers of the Audit Committee.
2. Act 2/2011 of 4 March on Sustainable Economy, which includes the minimum content of the Corporate Governance Annual Report.

The internal control of insurance companies

For its part, Royal Decree 239/2007, which modifies the Private Insurance Organisation and Supervision Code⁸, regulates in its Article 110 the internal control of insurance companies, establishing amongst other things the following aspects:

1. The Board of Directors shall have the ultimate responsibility for establishing, maintaining and improving internal control procedures appropriate to the organisation.
2. The internal control procedures shall in any case include:
   • the development of an appropriate review function, which shall be exercised by skilled and experienced staff with guaranteed full independence with respect to the different areas of the company, being the company’s Board of Directors committed to ensure the appropriate performance of the functions entrusted;
   • and the establishment of risk management systems appropriate to their organisation, allowing them to regularly identify and assess the internal and external risks to which the companies are exposed.
3. Each year, the company shall draw up a report on the effectiveness of its internal control procedures, stressing any significant deficiencies identified and their implications and, where necessary, proposing the measures considered appropriate for their correction. This report shall be signed by the Board of Directors and sent to the Spanish Insurance and Pensions Supervisory Authority⁹, along with the annual accounts statistical documentation.
4. The Board of Directors of the company obliged to submit the consolidated accounts statistical documentation shall be responsible for establishing the internal control procedures that prove to be necessary in order to ensure compliance with the provisions in the preceding paragraphs with reference to the Group.

Practical implementation of the new regulations

An insurance group operating internationally, like MAPFRE, therefore has the following obligations as regards Internal Control – obligations which fall to the Audit Committee, as this is the body entrusted with the supervision:

• In accordance with Article 110 of the Insurance Regulations.
  • Subsidiaries with their headquarters in their country of origin. These must send a report on the effectiveness of their Internal Control System to the supervisory body (in Spain, the Insurance and Pensions Supervisory Authority).
  • Subsidiaries abroad. Article 110 does not apply but, in most countries in which the Group is present with a permanent establishment, local regulations require a report on the effectiveness of the company’s internal control system to be submitted, and some countries also require this report to be reviewed by the external auditor.
  • The parent company must send to the Supervisory Body (in Spain, the Insurance and Pensions Supervisory Authority) a report on the effectiveness of the internal control system of the Group, in other words on a consolidated basis.
• In accordance with the Financial Information Internal Control System (FIICS).
  • This affects exclusively the parent company, as this is the company that issues and publishes information in the markets and has to issue a document, integrated into the Corporate Governance Annual Report, in which the company’s Internal Control System is explained in relation to the regulated financial information that is made known to the markets.

When the Solvency II Directive enters into force, the role of the Internal Audit as a supervisory body will increase considerably, as it will also supervise the Governance System and the Own Risk Solvency Assessment (ORSA)

In both cases, directly or indirectly, the internal control obligations of the holding company affect all the subsidiaries, which means that all the companies in the Group have to have high standards of internal control in order to adequately comply with internal control requirements.

Future authorities of the internal audit in the context of Solvency II

Within the scope of supervision, the Internal Audit’s role will constitute a valuable help for both the Group’s top management and subsidiaries and the Audit Committee. When the Solvency II Directive enters into force, the role of the Internal Audit as a supervisory body will increase considerably, as that Directive lays down that, in addition to Internal Control, the Internal Audit will also supervise the Governance System and the Own Risk Solvency Assessment (ORSA), which is no less than an internal assessment of the Risk Management System.

⁽¹⁾ Boletín Oficial del Estado de España.

⁽²⁾ Ley de Auditoría de Cuentas.

⁽³⁾ Ley del Mercado de Valores.

⁽⁴⁾ Ley de Sociedades Anónimas.

⁽⁵⁾ For the purposes of this Act, public interest entities shall mean entities (and the groups of companies in which they are integrated) which issue securities admitted to trading in official secondary securities markets, credit institutions and insurance undertakings subject to the system of supervision and control attributed to the Bank of Spain, the Spanish Securities and Exchange Commission, the Spanish Insurance and Pensions Supervisory Authority, and also to the autonomous bodies with powers to organise and supervise insurance entities. Entities (and the groups of companies in which they are integrated) which are established in due form in view of their significant public importance due to the nature of their activity, their size or their number of employees, shall also be deemed to be public interest entities.

⁽⁶⁾ Entities or persons in which the circumstances provided for in this or other laws come together and lead to the auditor or audit firm being deemed not to enjoy sufficient independence in the performance of their duties with respect to an audited entity.

⁽⁷⁾ Comisión Nacional del Mercado de Valores.

⁽⁸⁾ Reglamento de Ordenación y Supervisión de los Seguros Privados.

⁽⁹⁾ Dirección General de Seguros y Fondos de Pensiones (DGSFP).

go top