The internal audit function has an important role to play in providing assurance over the effectiveness and security of key processes outsourced from (re)insurance undertakings to third parties. It is crucial that key stakeholders, including management, the board and the (re)insurance undertaking’s supervisors, can place reliance on the work of internal audit in respect of the risk management of third parties, while at the same time maintaining a reasonable expectation of the extent of the internal audit function’s responsibilities in this area. This paper sets out the view of the ECIIA Insurance Committee (the Committee) on best practices that could be adopted by internal audit functions in respect of the audit of externally outsourced services. It is based on the position paper on Internal Audit Oversight of external outsourcing issued by the ECIIA Banking Committee, and was adapted to the specifics of (re)insurance undertakings, in particular the regulatory requirements of Solvency II. This paper does not consider: outsourcing of internal audit as a function; internal outsourcing (from one legal entity to another within the same group), albeit many of the same concepts could be applied.
News and updates
Welcome to our news and updates page
Find the latest news, announcements and publications in the field of internal audit here
Publications
Internal Auditing Around the World, Volume 16 - The future auditor has arrived
The future auditor has arrived. It’s a bold statement — and it’s true. The future auditor is a vision, inspired partly by the definition of internal auditing from The Institute of Internal Auditors: “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations.” When Protiviti first articulated this vision in 2014, we explained that the future auditor, once personified, would be recognized as a “positive change agent” in the organization. We also asserted that chief audit executives (CAEs) who embraced this vision would be “better positioned to demonstrate to executive management and the board the value contributed by internal audit through their comprehensive risk focus and forward-looking, change-oriented and highly adaptive behavior.” Six years later, we see that many internal audit leaders around the globe have answered that call to action — and are committed to bringing forth a next-generation internal audit function. They, and their teams, have disrupted their function’s status quo by thinking differently about how internal audit performs its work and delivers results that do, in fact, add value to the business.
This Global Perspectives and Insights describes the Internal Audit Ambition Model from the perspective of several CAEs who have applied it. Looking toward its potential applications, the report considers how the model may be used as part of the internal audit activity’s quality assurance and improvement program (QAIP). In today’s unprecedented and volatile business environment, organizations face a future that is as difficult to predict as it is open for creativity and innovation. The internal audit activity can play a vital role in helping organizations anticipate, evaluate, and respond to risks and opportunities. And CAEs must effectively demonstrate that value. CAEs need robust tools to continuously enhance the value that the internal audit activity provides to management and the board. Perhaps equally important, the right tool should enrich the ability to clearly express internal audit’s potential. The Internal Audit Ambition Model seeks to help CAEs achieve those goals. The Internal Audit Ambition Model may help the internal audit activity: Adopt a common approach and consistent criteria for conducting self-assessments of its current (“achieved”) quality. Help drive conformance with The IIA’s International Professional Practices Framework. Establish a peer benchmark against which to compare itself. Create a visualization of its achievements in key process areas. Identify the “ambition” level to which it aspires. Identify gaps that must be filled to achieve its desired ambition level. Communicate with senior management and the board about its achieved level of quality and its level of ambition. According to the model’s authors, the word “ambition” distinguishes this model from maturity models because it communicates the CAE’s choice about the level to which the internal audit activity should aspire.
The choice takes into account the input of senior management and the board in light of factors such as the complexity of the organization, the size of the internal audit activity, and the industry in which the organization operates. The word “ambition” moves the focus from simply meeting the requirements to inspiring intentionally chosen improvements.
This paper offers a practical approach to directly address the scenario of an increased risk of fraud (corruption, misappropriation of assets, fraudulent financial statements) in organizations due to the pandemic. It considers related key actions, including assessment of vulnerabilities, risk mitigation, and monitoring fraud alerts (red flags). This report also presents a useful analysis on how to face a possible increase in the risk of fraud in these times of COVID-19 (pre- and post-pandemic) from the perspectives of the fraud triangle, the Three Lines of Defense model, cybersecurity, and global risk. People and organizations around the world are fighting to overcome the crisis caused by the COVID-19 pandemic and its direct and collateral effects. In this fight, internal auditors are actively helping organizations overcome and recover from the crisis. Download it today and watch Continuing the Conversation for a deeper dive.
Information technology is a fundamental part of all organizations, so internal auditors should have a fundamental understanding of their organization’s IT functions and processes. Because IT is imperative to business strategy, understanding the impact technology can have on business processes and making accurate and timely recommendations can elevate internal audit as a trusted advisor and value creator. This guidance will enable internal auditors to understand: The relationship between IT and the business. The various network structures, components, and related concepts. IT infrastructure, including hardware, software, and databases. How organizations use, implement, and develop applications. Relevant topics such as data analytics, social media, machine learning, RPA, and more. This is for members only. To access it and other valuable resources, become a member today.
Following the practice guide (PG) on Auditing Culture (late 2019), a dedicated PG on Auditing Conduct Risk has now been published. As the guide indicates, “conduct” is not easily separated from culture; conduct can be seen as the manifestation of culture. This PG is aimed primarily at the financial sector and at evaluating the management of “conduct risk”, that is, the risk of misconduct. It takes the “compliance strategy” as its starting point (the organization states clearly what the desired conduct is, monitors it, and sanctions violations). Less attention is paid to the so-called “stimulation strategy”, which is aimed at moral reasoning by employees in difficult situations (dilemmas) and is often also part of compliance and integrity programs within organizations. The issue of conduct is not easily separated from an organization’s culture; rather, it is a distinct segment of culture as a whole. Internal auditors can add value by assessing and reporting on their organization’s conduct risk management. The internal audit activity can help drive strong internal control risk management frameworks (including conduct risk) that align with stakeholder expectations, supporting boards, audit committees, and executive management in their oversight roles. This guidance will enable internal auditors to understand: The business significance of conduct risk in an organization’s control environment. The key components of conduct risk. Key stakeholder (including regulator) concerns and expectations related to conduct risk. Internal audit’s role in assessing and reporting on organizational culture and management of conduct risk. An approach to assess and report on an organization’s culture and management of conduct risk. The eBook Practice Guide: Auditing Conduct Risk costs $25.00
In today’s unprecedented environment, effective internal auditing requires thorough planning coupled with nimble responsiveness to quickly changing risks. To add value and improve an organization’s effectiveness, internal audit priorities should align with the organization’s objectives and should address the risks with the greatest potential to affect the organization’s ability to achieve its goals. Ensuring alignment between internal audit priorities and the organization’s objectives is the essence of Standards 2010 – Planning, 2010.A1, 2010.A2, and 2010.C1, which task the chief audit executive (CAE) with the responsibility of developing a plan of internal audit engagements based on a risk assessment. This practice guide will help the CAE and internal auditors create and maintain a risk-based internal audit plan. The guide describes a systematic approach to: Understand the organization. Identify, assess, and prioritize risks. Coordinate with other providers. Estimate resources. Propose the plan and solicit feedback. Finalize and communicate the plan. Assess risks continuously. Update the plan and communicate updates. The eBook Practice Guide: Developing a Risk-based Internal Audit Plan costs $25.00
The first in a three-part series, this report serves as a how-to guide to assist internal auditors in assessing their current level of preparedness regarding privacy and data protection issues, particularly as their approaches relate to the present state of the profession overall. Further, the report is intended to help internal auditors understand specific risks and threats and to help them ensure that relevant controls are developed, implemented, and operated effectively. The framework, audit plan, and implementation discussions in the later sections of the report are designed to provide a foundation on how internal audit departments can build their own structures. You can find part 2 here.
The internal audit function (IAF) has developed into an essential sensory organ of the board, an antenna, a probe that continuously gives top management and the supervisory board important information about the control of risks within the company. These risks go far beyond the reliability of financial reporting or compliance with laws and regulations; they also relate to the execution of the strategy, long-term value creation and the continuity of the company. This special issue comprises nine articles and two thought-provoking essays by authors who have amply earned their spurs in the field. The first three contributions consider the IAF in its current context. Two articles then address the human factor within the IAF. Next, three articles deal with the current developments the IAF is undergoing, such as the significance of digitalization and algorithms, followed by two contributions on how the IAF works in practice. The special issue closes with a thought-provoking essay on the role of the IAF in a complex world in which innovation is essential to survive. The articles in this special issue give a kaleidoscopic picture of the IAF that will interest every MAB reader. They also contribute to the existing research literature and to possible future research on this subject. This publication was produced in collaboration with the Stichting Vaktechnisch Onderzoek of the Instituut van Internal Auditors Nederland. The editors naturally welcome suggestions and comments prompted by this special issue of the MAB. Go to the online edition of the MAB special issue De internal auditfunctie
Diversity is a broad and extremely timely topic in today’s environment. A conversation regarding diversity within an organization is worth having because significant research shows that it has a tangible impact on both workplace productivity and organizational value. In contrast, a lack of diversity is an organizational risk as relevant as any other risk worth being recognized by an internal audit activity. According to the International Professional Practices Framework (IPPF), it is internal audit’s mission “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” This edition of Global Perspectives and Insights sheds light on how diversity impacts the workplace and affects productivity and organizational value. It will also explain why internal audit should be an advocate for diversity in all its forms within both its own activity and the organization as a whole. This is for members only. To access it and other valuable resources, become a member today.
Over the past few decades, enterprise risk management (“ERM”) has been receiving increased attention by boards and executives and has undergone a continuing evolution in its development and uses. Along the way, lessons have been learned and ERM has been better understood regarding its benefits, objectives, and role in the organization. This COSO thought paper takes advantage of lessons learned and new guidance on enterprise risk management published by COSO to provide directors and executives with a better understanding of the role of enterprise risk management in creating and preserving value and its relationship to the key strategies of the organization. While not a detailed implementation guide, this paper includes overall guidance and an outline of succinct tangible steps that can be used to implement an effective ERM program. This thought paper outlines and provides clarity on the role and value of enterprise risk management to help directors and executives answer several key questions including: “What is the real value of enterprise risk management?” “What is its role and objectives?” “What are the practical steps that can be taken to implement enterprise risk management?” The approach and steps contained in this thought paper are based on successful practices that organizations have used to take an incremental, step-by-step approach to implement enterprise risk management. While this is not the only way to implement ERM, this incremental approach is designed to be very adaptable and flexible. The approach provides practical steps that can help take conceptual ideas of strategy and risk and actualize them through a series of basic steps.
Credit risk has always been considered a key risk for financial services organizations and, for a good number of organizations, maybe the most critical risk. This guidance provides internal auditors with a baseline skill set that allows them to test and evaluate the effectiveness of their organization’s credit risk management framework and processes. This guidance will enable internal auditors to: Understand the importance of credit risk in a financial services context. Understand the regulatory environment and requirements related to credit risk. Understand the risk governance and risk management processes surrounding credit risk. Describe the nature and basis of measurement of the probability of default. Design an audit engagement that assesses the appropriateness and effectiveness of the credit risk management framework and the adequacy of the institution’s credit profile. Be able to apply IPPF and risk-based internal audit techniques to assess and audit credit risk in their organization. The eBook Practice Guide: Auditing Credit Risk Management costs $25.00
Change management in the IT environment is, as the guide’s title states, critical for organizational success. Organizations are bombarded with change requests, not only to improve or update existing application functionality, but also to implement necessary patches to help secure those applications, and in some cases to comply with relevant regulatory requirements. Managing the flow of requests should be handled efficiently and effectively to avoid mishaps, rework, unintended consequences, or even system failure. The updated third edition of this topic will help internal auditors understand the risks and controls associated with IT change management and how to assess the operational efficiency of processes involving change management. This guide provides tools to help internal auditors obtain and evaluate evidence that management’s assertions are accurate, and explains how to provide assurance over this critical area. This guidance will enable internal auditors to: Have a working knowledge of IT change management processes. Distinguish effective change management processes from ineffective ones. Recognize red flags and indicators that IT environments are having control issues related to change management. Understand that effective change management hinges on implementing appropriate preventive, detective, and corrective controls to ensure adequate management supervision. Recommend best practices for addressing issues, both for assurance of risks and increasing effectiveness and efficiency. This is for members only. To access it and other valuable resources, become a member today.