Draft revised internal governance guidelines: the audit impact

Stephanie Ford explains why audit teams must begin to prepare now for changes outlined in The European Central Bank’s draft proposed revisions to internal governance guidelines 


On 7 August 2025, the European Banking Authority (EBA) published a consultation on draft revised internal governance guidelines under the Capital Requirements Directive, open until 7 November 2025.

The guidelines will apply from a date to be determined and will capture credit institutions subject to the directive, investment firms under Title VII provisions per Investment Firm Regulation, third-country branches operating within the European Union (EU) and financial holding companies with Capital Requirements Directive (CRD) approval.

Investment firms specifically include large systemic entities with consolidated assets exceeding €15 billion, or those designated as systemically important by competent authorities.

Overview of proposed amendments

The revised guidelines are highly relevant for Irish entities with third-country branches or group connections in the European Union (EU).

Such branches must now demonstrate robust governance, including: having at least two fit and proper individuals directing local operations; substantive organisational presence; clear structure; and adequate risk management and resources, meaning “shell” branches will not be tolerated.

Irish financial services firms must also embed comprehensive environmental, social and governance (ESG) risk assessment over a ten-year horizon—developing actionable ESG strategies—and meet new diversity, equality and inclusion standards within governance structures.

These changes reflect broader EU trends, requiring Irish-headquartered groups and cross-border operations to enhance both substance and sustainability commitments, and ensure their management frameworks and documentation are consistent with current expectations for gender balance and transparent, well-resourced oversight.

Institutions must formally prepare, maintain and update individual role statements for all board members, executives, senior managers and key function holders (such as the heads of audit, compliance and risk management).

These statements must detail each person’s roles, duties, decision-making authority and accountabilities. Importantly, comprehensive duty-mapping is also mandated, requiring clear documentation of role allocation, reporting lines and oversight chains throughout the organisation.

Notably, these draft requirements closely mirror those already implemented under the Central Bank (CBI) Individual Accountability Framework (IAF) and the Senior Executive Accountability Regime (SEAR).

Most Irish firms are therefore familiar with maintaining Statements of Responsibilities and detailed mappings of management and control structures.

Audit teams remain responsible for validating and testing these documents to ensure that accountability is clear—signalling, for example, any overlaps, ambiguities or gaps in governance.

As required under Irish law, these documents must be up-to-date, accurate and accessible to both internal stakeholders and the Regulator. Overall, these changes reinforce and expand the best practices Irish firms are already obliged to follow under CBI rules.

Enhanced internal audit function

Auditors must continue to operate with full independence from operational activities and report directly to the board’s supervisory function.

The internal audit scope will expand to cover ESG risk frameworks, digital operational resilience in line with the Digital Operational Resilience Act, third-party risk management, AML/CTF controls and artificial intelligence (AI) governance under new EU regulations.

Audit must review not just financial controls but also the robustness and effectiveness of governance, risk management and compliance structures, ensuring they are consistently applied and independently tested across the business.

Heads of internal audit are now expected to be senior, independent leaders with clear authority and adequate resources. Auditors must review both the first and second lines of defence, maintaining clear separation from them.

This extends to validating controls over financial reporting, data quality, longer-term ESG disclosures and the resilience of accounting systems to operational or digital risks.

There are heightened expectations for external auditors to assess administrative and technological controls, particularly relating to digital and AI risks.

While some proportionality remains, all Irish audit teams must prepare now for a broader, more demanding scope and greater responsibility for independent assurance in these areas.

Stephanie Ford is Director, IM Regulatory Knowledge, Deloitte Ireland