Actualiteit

Climate Change and Environmental Risk is a very relevant and important subject for most organisations. For many organisations this is a reason to reconsider and adjust their future course. In view of the strategic importance for the organisation, there is also a role for the internal auditor here. Risk in Focus (RiF), the annual survey of auditors in Europe (ECIIA) confirms this. Climate change is in the top 10 of current risks and is increasing in importance. However, we see that the time spent on climate risk is still limited. This seems to be the right moment to look at how the Internal Audit Function (IAF) can properly support the organisation on this theme. The aim of the research conducted by IIA Netherlands is therefore to provide IAF’s with tools to do so. The report answers questions such as: What role could the IAF play? What 'products' can it offer? Which tools can be used for this? What expertise is needed (extra) for this? And how do you implement this within the IAF?

Climate Change and Environmental Risk is een zeer actueel en ingrijpend onderwerp voor vrijwel alle organisaties. Het is voor veel organisaties aanleiding voor een heroverweging en aanpassing van de koers. Met het oog op het strategisch belang voor de organisatie ligt hier ook een rol voor de internal auditor.  Risk in Focus (RiF), het jaarlijks onderzoek van auditors in Europa (ECIIA) bevestigd dit. Klimaatverandering staat in de top 10 van actuele risico’s en stijgt in belang. We zien echter dat de tijdsbesteding op het gebied van klimaatrisico nog gering is. Dit lijkt hét moment om te kijken hoe de Internal Audit Functie (IAF) de organisatie goed kan ondersteunen op dit thema.  Het doel van het door IIA Nederland uitgevoerde onderzoek is dan ook Internal Audit Functies (IAF’s) daartoe handvatten te bieden. Het rapport geeft antwoord op vragen als: Welke rol zou de IAF kunnen spelen? Welke ‘producten’ kan zij bieden? Welke hulpmiddelen zijn daarvoor te gebruiken? Welke deskundigheid is daarvoor (extra) nodig? En hoe implementeer je dit binnen de IAF? 

Internal audit’s role in ESG reporting Conversations and focus on sustainability, typically grouped into environmental, social and governance (ESG) issues, are quickly evolving — from activist investor groups and inquisitive regulators pushing for change to governing bodies and C-suite executives struggling to understand and embrace the concept. At the forefront of this new risk area is pressure for organizations to make public commitments to sustainability and provide routine updates to ESG-related strategies, goals, and metrics that are accurate and relevant. However, ESG reporting is still immature, and there is not a lot of definitive guidance for organizations in this space. For example, there is no single standard for what should be reported. What is clear is that strong governance over ESG — as with effective governance overall — requires alignment among the principal players as outlined in The IIA Three Lines Model. As with any risk area, internal audit should be well-positioned to support the governing body and management with objective assurance, insights, and advice on ESG matters. The following provides an overview of risks related to ESG reporting along with context on the growing sustainability movement. It also outlines internal audit’s role in ESG reporting and how internal audit can support ESG objectives and add value.

A pivot is a change in strategy without a change in vision. Internal auditors, by nature, like order and certainty. But the global health crisis has allowed for none of that. Its disruption thrust internal auditors into the uncomfortable position of having to completely abandon or revise their well-thought-out plans and familiar checklists and processes — fast. They had to pivot — often, multiple times — to ensure they did not falter in providing independent assurance that their organization’s risk management, governance and internal control processes were operating effectively. But many internal audit functions needed to be more agile and flexible than ever before for another critical reason: The business needed their help to survive. The internal audit organizations most successful at pivoting, and helping the business to do the same, are those that had already embraced next-generation internal audit practices before the COVID-19 pandemic. These functions, which are more agile and technology-enabled, were well-positioned to support the business in new, innovative ways driven by the crisis. For this edition of Internal Auditing Around the World®, we thought it would be appropriate to focus on the topic of resilience, given everything internal audit teams and their companies have been through lately. More specifically, we asked chief audit executives (CAEs) and their colleagues: “What is internal audit’s role in business resilience?” To summarize their responses: It’s pivotal. Featured Companies The organizations profiled in the latest edition represent a cross section of countries and industries, including Booking Holdings, Centene Corporation, DBS Bank, FIS, GlobalFoundries, Grupo Bepensa, Inchcape plc, Knowles Corporation, Masonite International Corporation, stc (Saudi Telecom Company) and Standard Chartered. The new edition of Internal Auditing Around the World addresses how internal audit functions early into the evolution process have found that changes they’ve made so far — whether it was automating a critical process, expanding analytics capabilities, learning about agile auditing or encouraging an innovative mindset — allowed them to be more adaptable and resilient amid unprecedented disruption. Eleven organizations were interviewed and their experiences dealing with this transformation are presented as case studies in the book.

The Covid-19 pandemic has been the most significant disruptive event for decades, impacting the political, social and economic environment of insurance companies for years to come. It has been a catalyst for several distinct pre-existing macro trends: use of technology, workforce and ESG (sustainability). This research paper by the ECIIA addresses the following topics: Impact of macro trends: on insurance and Internal Audit, focusing on those directly resulting from the Covid-19 pandemic Reaffirming the Purpose of Internal Audit: Judgement at the Core of Audit Assurance; Impact of the New Ways of Working: Environment and risks; Remote Auditing: Opportunities, Audit needs and limits; Future of Audit Work in the light of process automation and remote working

For directors seeking to promote DEI in their organizations, it’s a good idea to start at the top. The April issue of Tone at the Top, “Diversity: An Accepted Business Value,” provides strong evidence that promoting diversity is a worthwhile effort because a diversified organization offers numerous business benefits — from additional skills and measurable performance improvements to broadened perspectives and connections. The percentages are poignant and the data is a driving force behind a number of regulators and stakeholders setting new DEI rules or expectations for organizations. The good news? There are a few guidelines that boards can follow in their efforts to enhance diversity. A Quick DEI DIY Checklist: Have a conversation Don’t overlook the risks Carefully consider your definition of diversity Ask the right questions Measure effectiveness Don’t just check a box Don’t add diversity then stifle it Keep in mind that internal audit can provide value throughout the process as the sole source of independent assurance within the company by performing holistic and objective reviews of the board and organization’s DEI efforts and their effectiveness.

Given the importance of IA’s role, a regular evaluation of the IA activity can give boards and audit committees confidence that the internal auditors are performing their job effectively based on the International Standards for the Professional Practice of Internal Auditing, best practices, and the board and audit committee’s specific expectations. This assessment tool offers suggestions for issues to be addressed in an evaluation based on established best practices. It is not intended as mandatory guidance, but rather as a resource that boards and audit committees can use in whole or in part to explore: The quality of the services the company is receiving from IA and the sufficiency of resources at its disposal. The level of communication and interaction with the IA team. The independence, objectivity, and skepticism of the IA team. Each section includes a series of questions in fundamental areas that boards, audit committees, and others can ask to better understand the IA activity and to develop their own plans for enhancing the input and value of this important area.

This practical guidance is part of the Risk in Focus 2021 publication. It aims to provide a concise overview of key publications and existing tools developed by the 10 European institutes of internal auditors in Austria, Belgium, France, Germany, Italy, Luxembourg, the Netherlands, Spain, Sweden, the UK & Ireland and publications from IIA Global. This guidance is developed to help internal auditors address some of the key risks identified in Risk in Focus 2021, with the aim of contributing to the reduction of their impacts on businesses and stakeholders. Where the Risk in Focus report itself addresses the ‘WHAT-could be important to audit’, this guidance helps you address the ‘HOW-to audit’ this topic. For the 2021 edition, practical guidance and webinars will be available on the following three chosen topics from the report: Guidance Cybersecurity and data security Webinar Cyber and Data Security  Guidance Macroeconomic and geopolitical uncertainty Guidance Climate change and environmental sustainability These topics have been selected due to their current and foreseen importance for most organisations and take into consideration the needs of Chief Audit Executives to strengthen or expand their knowledge and experience in auditing these three fast-developing risks. Please keep in mind that we intentionally chose to dive into some specific components of these three risks. Whilst we have endeavored to explore what we think are the key focus areas of these risks, a thorough understanding of their application may require additional research on your part, but we aim to provide a selection of what would benefit the most to the profession in the current context. All practical guidance is designed to firstly, help practitioners learn from experienced professionals (experts, operational teams or internal audit), and, secondly, offer practitioners useful reflections that we believe are of particular interest when auditing these topics and their associated risk management processes.   About climate change and environmental sustainability Why should climate change and environmental sustainability be on your radar? Firstly, because environmental challenges are of a growing importance for all organisations. It is undeniable that this is now a strategic preoccupation for all organisations, encouraged by their internal and external stakeholders - to become more resilient to environmental risks and to directly contribute to the environmental sustainability of our society. In fact, the risk is already proven, the consequences on businesses are measurable.

This Global Perspectives and Insights provides a straightforward view to help organizations identify structures, design processes, and assign responsibilities that assist the achievement of objectives to facilitate strong governance and risk management. As a tool, The Three Lines Model is meant to be adaptive, which means that application of the model’s core elements will vary depending on the individual organization and its goals. Needed now more than ever, this Global Perspectives and Insights will clarify these essential governance elements and answer questions about implementing The Three Lines Model in different industries.

This practical guidance is part of the Risk in Focus 2021 publication. It aims to provide a concise overview of key publications and existing tools developed by the 10 European institutes of internal auditors in Austria, Belgium, France, Germany, Italy, Luxembourg, the Netherlands, Spain, Sweden, the UK & Ireland and publications from IIA Global. This guidance is developed to help internal auditors address some of the key risks identified in Risk in Focus 2021, with the aim of contributing to the reduction of their impacts on businesses and stakeholders. Where the Risk in Focus report itself addresses the ‘WHAT-could be important to audit’, this guidance helps you address the ‘HOW-to audit’ this topic. For the 2021 edition, practical guidance and webinars will be available on the following three chosen topics from the report: Guidance Cybersecurity and data security Webinar Cyber and Data Security  Guidance Macroeconomic and geopolitical uncertainty Guidance Climate change and environmental sustainability These topics have been selected due to their current and foreseen importance for most organisations and take into consideration the needs of Chief Audit Executives to strengthen or expand their knowledge and experience in auditing these three fast-developing risks. Please keep in mind that we intentionally chose to dive into some specific components of these three risks. Whilst we have endeavored to explore what we think are the key focus areas of these risks, a thorough understanding of their application may require additional research on your part, but we aim to provide a selection of what would benefit the most to the profession in the current context. All practical guidance is designed to firstly, help practitioners learn from experienced professionals (experts, operational teams or internal audit), and, secondly, offer practitioners useful reflections that we believe are of particular interest when auditing these topics and their associated risk management processes.   About Macroeconomic and geopolitical uncertainty 33% of the CAEs surveyed in Risk in Focus 2021 cited macroeconomic and geopolitical uncertainty as a top five risk, and 8% say that this is the biggest single risk their company is currently exposed to. However, only 3% say that this is an area where internal audit currently spends most time and effort.  We have taken this as an opportunity to take a closer look at how internal audit should approach macroeconomic and geopolitical uncertainty risks. What can internal audit do to ensure that the organisations they serve are prepared for these risks?

This practical guidance is part of the Risk in Focus 2021 publication. It aims to provide a concise overview of key publications and existing tools developed by the 10 European institutes of internal auditors in Austria, Belgium, France, Germany, Italy, Luxembourg, the Netherlands, Spain, Sweden, the UK & Ireland and publications from IIA Global. This guidance is developed to help internal auditors address some of the key risks identified in Risk in Focus 2021, with the aim of contributing to the reduction of their impacts on businesses and stakeholders. Where the Risk in Focus report itself addresses the ‘WHAT-could be important to audit’, this guidance helps you address the ‘HOW-to audit’ this topic. For the 2021 edition, practical guidance and webinars will be available on the following three chosen topics from the report: Guidance Cybersecurity and data security Webinar Cyber and Data Security  Guidance Macroeconomic and geopolitical uncertainty Guidance Climate change and environmental sustainability These topics have been selected due to their current and foreseen importance for most organisations and take into consideration the needs of Chief Audit Executives to strengthen or expand their knowledge and experience in auditing these three fast-developing risks. Please keep in mind that we intentionally chose to dive into some specific components of these three risks. Whilst we have endeavored to explore what we think are the key focus areas of these risks, a thorough understanding of their application may require additional research on your part, but we aim to provide a selection of what would benefit the most to the profession in the current context. All practical guidance is designed to firstly, help practitioners learn from experienced professionals (experts, operational teams or internal audit), and, secondly, offer practitioners useful reflections that we believe are of particular interest when auditing these topics and their associated risk management processes. About Cybersecurity Cybersecurity and data security has been one of the top three priority risks identified in Risk in Focus over the past five editions. It is documented as the number one priority risk for 2021, and this trend is expected to continue for the next three years. As a result, a number of resources have been produced within the IIA network to support practitioners navigating this risk.  

This publication is a comprehensive overview of IIA NL’s research into non-traditional auditors. It provides a comprehensive overview of better practices identified related to competence, quality, independence, objectivity, selection and reward of non-traditional auditors. For readers interested in a more extensive publication; please read the extended edition with more guidance and background or a scientific version published in MAB.

To bring a high level of expertise on-board IAFs increasingly include persons that are not trained as auditor and/or have no experience in performing internal audits. These non-traditional auditors, often named rotational auditors, guest auditors or ‘subject matter  experts’, function as part of the IAF for a specific period of time and come from within the organization or are hired from the outside. The use of non-traditional auditors has several advantages for the non-traditional auditors themselves, the IAF and the organization. The purpose of this document is to share better practices regarding the use of non-traditional auditors in the IAF. These real-life examples are recommended protocols put in place to profit from the advantages of using non-traditional auditors, to ensure their valuable inputs contribute to the objectives of the audit function without compromising the quality of the audit process and its outputs.   You can read the comprehensive overview here  

Without question, 2020 was defined by the global coronavirus pandemic (GCP). By March, as the research for Risk in Focus got underway, Europe had become the epicentre of the biggest public health crisis in living memory. This caught most countries and businesses off guard, despite the fact the World Economic Forum and others had already been sounding the alarm on global health security and the probability of a pandemic event.  Not only has the virus had huge public health consequences, social distancing and lockdown measures have had profound economic impacts. The GCP is the most significant and far-reaching event for businesses since at least the global financial crisis of 2008, and is expected to cause a deeper recession, higher rates of unemployment and bigger increases in public debt.  Businesses and their risk profiles have been significantly affected by coronavirus. The safety of workers has been a priority, with staff sent home to work in the first half of 2020 under orders from governments and employers. Lockdowns inevitably caused immense operational disruption as companies were forced to rapidly adjust and sectors including manufacturing, construction and industrials had to reduce output in order to maintain distancing measures within their core business. The beginning of summer 2020 was marked by an easing of restrictions as governments managed the delicate balance of kickstarting their economies with resurgences in infections. It is expected that this challenge will have to be managed throughout 2021. Although the exact course of the pandemic’s development is uncertain, it was continuing to accelerate in the second half of 2020. The longer-term implications of this exceptional scenario are less clear. Lessons will be learned over the coming months and years by governments and businesses. Internal audit can and should assist in this regard. Its unique 360-degree view of the business and risk-control mindset can help organisations identify their blind spots and opportunities to improve their operations. Looking ahead to 2021, internal audit’s enterprise-wide perspective has never been more necessary. Boards and executive management teams will depend on this independent top-down viewpoint for insights into the business and its risks during what remains a significantly challenging period. This is the exceptional backdrop against which this year’s Risk in Focus is set. Also available: Board briefing Guidance Cybersecurity and data security Webinar Cyber and Data Security  Guidance Macroeconomic and geopolitical uncertainty Guidance Climate change and environmental sustainability

Putting risk into focus for the board Board members must be aware of their organisations’ principal risks (and opportunities) and the external threats to their operations and strategies. They should also have confidence that internal audit is prioritising these. Especially now. The risk landscape has taken a dramatic and unexpected turn. Looking ahead to 2021 we see that the global coronavirus pandemic (GCP) is likely to shape the risk profiles of organisations in many ways. Rather than posing a novel risk, the pandemic has exacerbated and magnified existing risks as well as opportunities that you as a board member should be mindful of.  This briefing summarises insights from the latest edition of our annual report, Risk in Focus 2021 (RiF21), which this year is a collaborative project between ten institutes of internal auditors from across Europe.