Actualiteit

The European Confederation of Institutes of Internal Auditing (ECIIA) released a report on Auditing Cybersecurity within Insurance firms. Internal Audit plays a vital role in the provision of assurance regarding the efficiency and effectiveness of the key cybersecurity processes and controls in insurance and reinsurance undertakings. Key stakeholders such as Management and the Board rely on the work of Internal Audit in regard to cyber-related risks. This position paper aims to set out the view from the ECIIA Insurance Committee and intends to provide guidance to Chief Audit Executives (CAEs) in the Insurance sector in regard to the audit of cybersecurity. Cyber risk is important, in light of the recent increase of cyberattacks and the new European Regulations: General Data Protection Regulation and the Network and Information Systems Directive in 2018. The need for effective IT Cybersecurity controls has been highlighted by the European Insurance and Occupational Pensions Authority (EIOPA), saying that cyber risk is becoming a growing concern for institutions, individuals and also financial markets and is now at the top position of the list of global risks for businesses. The Solvency II Directive encourages Own Risk Self-Assessment and the use of risk categories based on the specific characteristics of the undertakings and not just the Solvency II standard classification The paper does not aim to provide a one size fits all solution for auditing Cybersecurity risks, but it provides a framework from which internal audit departments may build a multi-year long term approach to auditing cyber risks.

Public sector organizations are expected to serve the public good, uphold the principles of ethical governance, and comply with myriad laws and regulations. Yet the nature of politics may put pressure on, or conflict with, ethical governance principles. Based on professional guidance from the International Standards for the Professional Practice of Internal Auditing and practical insights from global internal audit professionals, the guide advises CAEs and internal auditors about planning and performing internal audit engagements while properly managing the opposing forces of political pressures and ethical principles. This guidance will enable internal auditors to: Understand the definition of public sector and the types of public sector organizations. Recognize public sector governance roles and how they may affect internal audit principles such as organizational independence and unrestricted access. Incorporate additional standards and requirements specific to the public sector. Assess the organization’s commitment to ethical governance principles. Identify the types of engagements performed in the public sector and how to plan them. The eBook Practice Guide: Unique Aspects of Internal Auditing in the Public Sector $25.00    

Er is een Nederlandse vertaling uitgegeven van de Practice Guide ‘Demonstrating the Core Principles for the Professional Practice of Internal Auditing, Enablers and Key Indicators’. Deze Nederlandse praktijkgids heet: ‘Blijk geven van de Grondbeginselen van de beroepsuitoefening van internal auditing, Instrumenten en Indicatoren’.  In de praktijkgids worden de grondbeginselen en hun belang ervan voor de IAF nog eens toegelicht. Daarbij worden voor elk van de beginselen concrete instrumenten of handvatten gegeven om te zorgen dat aan het betreffende beginsel wordt voldaan. Eveneens worden indicatoren gegeven om te meten of (en in welke mate) de IAF daarin succesvol is geweest. Met deze praktijkgids biedt het IIA een praktisch hulpmiddel om de mate van conformiteit met de grondbeginselen te evalueren en te bespreken.

Click on 'To publication' for English text IIA Global heeft het rapport OnRisk uitgebracht, als handvat voor het onderkennen én managen van de belangrijkste risico’s. Net als het rapport ‘Risk in Focus 2020, Hot topics for internal auditors’ benoemt het risico’s waarmee organisaties (kunnen) worden geconfronteerd. Deze risico’s zijn zeer vergelijkbaar met de benoemde risico's in Risk in Focus 2020. Anders dan Risk in Focus vergelijkt OnRisk de percepties van de CAE’s met die van het management en de board. Daar blijken grote verschillen tussen te zitten. Dat benadrukt nogmaals het belang voor de IAF om de eigen inschatting te vergelijken met die van de andere ‘spelers’. Daarnaast is er een tweede verschil. Terwijl Risk in Focus met name ingaat op de betekenis van de risico’s voor het auditjaarplan voor 2020, gaat OnRisk vooral in op de acties die board, management én de IAF zouden kunnen nemen om de betreffende risico’s te managen. Kortom, een nuttig rapport om kennis van te nemen en om in de eigen organisatie te bespreken. For English go to publication

Cultuur & Gedrag is een belangrijk onderdeel van de interne beheersing van organisaties. Het staat hoog op de bestuurlijke agenda. En ook de Nederlandse Corporate Governance Code (de Code) onderstreept het belang van een constructieve cultuur. De prioriteiten van de Raad van Commissarissen (RvC) en Auditcommissie (AC) beïnvloeden in sterke mate de agenda en effectiviteit van de Internal Auditfunctie (IAF). Daarom organiseren IIA Nederland en NBA LIO regelmatig kennisuitwisselingen met commissarissen. De laatste tijd leren we van de commissarissen dat zij niet alleen meer aandacht voor C&G willen, maar ook behoefte hebben aan verdere verdieping op deze onderwerpen. Met dit rapport wordt in dat opzicht een belangrijke stap gezet. De laatste jaren is al veel gepubliceerd over C&G. Deze publicatie neemt in dat geheel een unieke plaats in. Het gaat nu niet over belang, de mogelijke IAF-rol of de onderzoeksmethoden, maar over: de stand van zaken, de ambities en de handvatten om die ambities te verwezenlijken. Het rapport bevat diverse belangrijke inzichten en handvatten die stapsgewijs zijn uitgewerkt en in een afsluitend hoofdstuk overzichtelijk zijn samengevat.

As companies transform into next-generation competitors, internal audit (IA) functions are working on their next-gen game as well. Protiviti’s latest edition of Internal Auditing Around the World, Volume 15, looks at ways IA departments around the world are reinventing themselves, using aligned governance, more agile methodologies and new enabling technologies to become more efficient, more future-focused and value-adding.

For four years now the Risk in Focus report has sought to shed light on key business risks as identified by Chief Audit Executives (CAEs) across Europe. This latest edition is the result of a working partnership between no fewer than eight European institutes of internal auditors and draws upon qualitative interviews with 46 CAEs in Belgium, France, Germany, Italy, the Netherlands, Spain, Sweden and the UK & Ireland working in a range of industries. In the previous edition we introduced a quantitative survey to the report for the first time. The report is becoming a more data-rich offering, with a full 528 responses to this year's CAE survey compared with 311 for Risk in Focus 2019. This is a resounding endorsement of our engagement with CAEs in the field, providing vital day-to-day assurance, advice and insight to their organisations.  Risk in Focus is an annual barometer of what CAEs perceive as their organisations’ risk priorities and what is preoccupying their thinking as they prepare their forthcoming audit plans. We see Risk in Focus as a vital point of reference for the internal audit profession Not just in Europe where the annual surveys and interviews are carried out, but worldwide. Risk is not solely the domain of internal audit, of course. Therefore, while the report may serve as a valuable document for CAEs and internal auditors in helping to shape and challenge their own audit plans for 2020, we hope it serves as an important benchmarking and consultation tool for a wide stakeholder group. Indeed, this report is as relevant for boards and audit committees as it is for risk managers and other assurance providers. Inevitably risk assurance is an idiosyncratic exercise that meets the specific needs of an organisation. There is also a board briefing available. 

Why Risk in Focus 2020 matters for you As a board member, it is imperative that you understand the key risks (and opportunities) your organisation faces and assure yourself that internal audit is addressing them. Some of these risks will no doubt be specific to your company, its unique operations and senior management’s growth strategy; others, however, are pervasive issues that are relevant for all businesses, big or small. With this in mind, we are briefing you on a newly published report, Risk in Focus 2020 (RiF20), a collaboration between eight institutes of internal auditors and available at iia.org.uk/riskinfocus.  RiF20, the fourth instalment of this annual report, highlights salient risks that have been identified by Chief Audit Executives (CAEs) and which you should be aware of in your discussions with senior management, audit committees and CAEs. RiF20 is the product of 46 qualitative interviews in Belgium, France, Germany, Italy, the Netherlands, Spain, Sweden and the UK & Ireland, and a quantitative survey that this year received 528 responses, a 70% annual increase in engagement.  The complete report Risk in Focus 2020 can be downloaded as well on the IIA website.

The IIA’s Core Principles for the Professional Practice of Internal Auditing are part of the Mandatory Guidance of the International Professional Practices Framework (IPPF). Demonstrating the Core Principles validates the effectiveness, credibility, and value of the internal audit activity within the organization's governance structure. By achieving the Core Principles, the internal audit activity also achieves the Mission of Internal Audit: “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” This practice guide explains the concepts embodied in the Core Principles and describes enablers, or specific ways to enable and demonstrate them. The guide also identifies measurable key indicators that enable the internal audit activity to define, measure, assess, and monitor demonstration of the Core Principles. The chief audit executive (CAE) should use these enablers and key indicators to customize an approach to demonstrating the Core Principles that is most applicable to its internal audit team. This customized approach may be used as the basis for a selfassessment tool that may supplement the internal audit activity’s quality assurance and improvement program (QAIP), as well as providing an easy-to-understand, high-level communication of the internal audit activity’s value and effectiveness to key stakeholders, such as senior management and the board. The eBook Practice Guide: Demonstrating the Core Principles for the Professional Practice of Internal Auditing costs $25.00

Fraude kan de bedrijfsactiviteiten verstoren, zorgen voor compliance risico’s, de naam van een organisatie in diskrediet brengen en aanzienlijke kosten voor een organisatie en haar stakeholders opleveren. Al heeft het management, onder toezicht van het bestuur, de primaire verantwoordelijkheid voor het vaststellen en bewaken van effectieve beheersingsmaatregelen om fraude tegen te gaan en op te sporen, het is de plicht van de internal auditfunctie om het risico op fraude te beoordelen volgens de internationale standaarden voor de beroepsuitoefening van internal auditing. In deze praktijkgids worden de kenmerken van fraude beschreven, evenals het proces van het tijdens de planning van de opdracht vaststellen en beoordelen van frauderisico’s. Hoe de frauderisicobeoordeling precies moet worden opgenomen in de planning van de opdracht, kan variëren al naargelang de behoeften van de individuele organisatie, de internal auditfunctie en de opdracht. Over het algemeen omvat het proces echter de volgende stappen: • het verzamelen van informatie om inzicht te krijgen in het doel en de context van de opdracht, alsook in de governance, het risicomanagement en de beheersingsmaatregelen die van belang zijn voor het te beoordelen domein of proces; • het brainstormen over fraudescenario’s om potentiële frauderisico’s te identificeren; • het beoordelen van de geïdentificeerde frauderisico’s om te bepalen welke risico’s tijdens de opdracht verder moeten worden geëvalueerd.

There is a gap in internal audit-specific guidance supporting the education and training of financial services auditors. The industry requires its practitioners to have specific knowledge that addresses functions in a unique atmosphere, such as requirements and expectations of regulators, complexity of products, and the role of internal auditors. The demand for internal auditors with financial services knowledge and experience is growing rapidly, propelled by regulatory pressures to appropriately staff internal audit programs with the right volume and caliber of resources. This has led many internal audit activities within the highly regulated financial services industry to increase their staff in accordance with the new global operating environment and in terms of quality and quantity. This guidance will enable internal auditors to: Understand the financial sector environment, including key objectives, business areas, and related risks as well as the impact of globally accepted principles that provide the foundation for laws and regulations within the industry. Identify industry-specific risks relevant for the jurisdiction in which a company operates and commonly used frameworks. Identify the roles and assurance activities of the second line of defense functions within financial services that provide coverage of sector-specific risks. Understand the relationship internal audit has with its external regulator/supervisor and how to effectively manage expectations of the regulator while maintaining a reporting relationship to the board. Understand how the second-line functions can integrate activities such as risk assessment, planning, leveraging engagement work and conclusions, and reporting results. The eBook Practice Guide: Foundations of Internal Auditing in Financial Services Firms $25.00  

Before you can determine where to go and how to get there, you must figure out where you are. The concept of data analytics has become a mandate for internal audit functions. The question isn’t 'if'; it isn’t even 'when.' The time is now; the question is how? If you have not yet started or have only dabbled in the world of data analytics, it is time to learn about it and recognize the potential value you can contribute to your organization by implementing even a basic foundation and building on it as you appreciate the full value and power of information. Is it a daunting proposition? It can be, and there is a learning curve, but even small audit functions can take advantage of the power that data analytics can provide. It can further your reach into and visibility within your organization, allowing you to stay relevant and contribute to your organization’s betterment by providing greater value. “Analytics Refresher,” published almost five years ago in Internal Auditor magazine, is still on target today. “Internal audit can be a catalyst for expanding the use of analytics through the company to provide greater, more holistic business insights,” states the article’s author, Neil White. Those who are not fully engaging in data analytics can enhance their organizational profile and usefulness by making it a priority to introduce data analytics into the audit plan. You can find part 2 here.

Data analytics has become a strategic imperative Embracing data analytics is by no means a new idea for internal auditors, but judging by the number of “how to get started” articles that continue to be published, adoption is still in its infancy — particularly when it comes to smaller audit functions that may be resource constrained. Today’s world is overwhelmed with readily available data, and chances are your various departments or business units already are collecting bits of valuable information. If aggregated and analyzed with the aim of enabling your organization to achieve its objectives, this data may present myriad opportunities from which to boost profits, reduce expenses or waste, and grow.  One barrier to embracing the power of data analytics may be obtaining buy-in from your organization’s leaders. This is where internal auditors have an opportunity to make the case. Not only is data analytics the way of the future, but organizations of all shapes and sizes across all industries cannot afford to ignore a tool with the capacity to yield an irresistible bounty. The key for internal auditors is to win the hearts and minds of decisionmakers who can pave the way for adoption of a solid data analytics strategy. As noted in “Data Analytics Mandate, Part 1: Where do we go from here?,” this paper will review strategies and tactics for those in the early stages of data analytics adoption or those who have yet to begin. This is for members only. To access it and other valuable resources, become a member today.

The growing popularity of blockchain networks, coupled with blockchain’s potential to fundamentally transform the way many business processes are handled, raises an important question for internal auditors: What steps, if any, should the profession be taking in response to this transformational technology? Blockchain’s initial prominence arose from its use as the underlying technology for powering digital currencies such as bitcoin. But the technology has numerous other applications in a variety of business processes and entities beyond cryptocurrencies. As these applications become more widespread and commonplace, internal audit’s role as the third line of defense in risk management will be directly affected. Certain attributes and features of blockchain technology open up the possibility of numerous new and promising applications in a broad range of industries. Yet, in many ways, enterprisewide blockchain applications are still emerging. Evidence suggests that while some internal audit departments are responding to blockchain adoption by their companies, the profession as a whole has not yet taken a leading role in this area.

The IIA’s Global Perspectives and Insights: 5G and the 4th Industrial Revolution looks at keys issues that are bound to arise once 5G is a reality. From implementation challenges, legal issues, and regulatory tests to disruptive technologies, data management, and cybersecurity concerns, the report seeks to prepare organizations for the potential impacts of 5G so they can proactively address the issues. This is for members only. To access it and other valuable resources, become a member today. You can find part 1 here.