IT Internal Audit (ITIA) is coming under increasing pressure to measure the management and mitigation of technology risks that are proliferating. Resources are stretched and demands are ever increasing. As technology risks multiply, ITIA is being asked to do more. For some, budgets are rising, but not for all. IA professionals are rising to the challenge, but nonetheless this latest survey of the market shows there are significant gaps in resources and capabilities. To bridge the gap, ITIA must redouble its efforts to enhance the skills of existing personnel, to partner with third parties and to hire talented professionals where necessary. It is becoming critical to present a forward-looking and compelling business case for more resources, where needed, to the Board, Audit Committee and senior management. The findings in this report are based on a survey of 250 ITIA professionals around the world and the Netherlands. Insights are also included from KPMG’s 2016 IT Internal Audit conference. It is the third report of its kind (the previous ones were published in 2009 and 2013). We would like to thank all of the respondents who participated in the survey, including many of our member firms’ clients. We hope that you will find it a valuable and insightful assessment of the state of ITIA globally and in the Netherlands providing you with information that broadens your understanding of the critical contribution ITIA can make to the business. At a time when demands placed on ITIA are steadily growing, we expect this report will stimulate your thinking and provide fresh perspectives.
News and updates
Welcome to our news and updates page
Find the latest news, announcements, and publications in the field of internal audit here
News
Publications
As governance and monitoring functions collaborate more closely to avoid duplication of effort, internal audit may be asked to take on responsibilities for risk management, compliance, regulatory oversight, and other governance activities. The chief audit executive (CAE) plays a critical role in navigating between internal audit’s traditional role and assuming responsibilities for risk management, compliance, and other governance functions. The CAE should be held accountable for preserving independence and objectivity, communicating with management and the board, and confirming management’s acceptance of risk to internal audit’s independence and/or auditor objectivity. To navigate through these competing challenges, internal auditors can look to The IIA’s guidance on effective risk management and control, and promulgated standards related to independence and objectivity.
Internal Audit and Crisis Resilience
The possibility of a crisis severely disrupting an organization’s ability to operate looms today like never before, given the pace with which global threats evolve. Incidents of sophisticated cyber sabotage, volatile weather patterns, terrorism attacks, and labor disruptions are escalating, and can strike, obviously, without warning. With these crisis events and the inability to continue operations and meet objectives comes damage to an organization’s reputation and its ability to meet stakeholder expectations. Yet a recent study reveals a broad gap between board members’ awareness of potential crises and their organizations’ actual crisis readiness. Being able to recognize potential crises, effectively handle such interruptions, and return to normal operations is extremely difficult. Gaining the capacity to do this quickly and efficiently with the minimum amount of impact — to be crisis resilient — is that much harder, and the ultimate goal. Crisis experts agree the key to being crisis resilient is preparation and that internal audit is positioned to play a key role in the process. Auditors’ breadth of skills, position in the organization, and deep knowledge of operations can help their businesses prepare for the inevitable crisis and move the organization from crisis aware to crisis resilient — ready to resist, react to, and recover from major disruptive events.
Successful internal audit activities are built on a strong foundation - a foundation sturdy enough to withstand increased pressures from internal and external stakeholders, a turbulent geopolitical landscape, and evolving business practices. Unfortunately, weaknesses in a foundation are not apparent until the foundation is stressed, and then it's too late - the foundation crumbles. When the foundation crumbles, it becomes more difficult for internal audit to provide valuable services to the organization. This Pulse Report is intended for chief audit executives (CAEs) who are building new internal audit activities, as well as CAEs who want to examine the structural soundness of established internal audit activities. This report covers resources, competence, structure, IIA standards, and other foundational elements necessary to deliver world-class internal auditing.
The following report, ‘Analytics: good practices for (smaller) IAFs’, sets out the findings of a field study commissioned by the Professional Practices Committee of IIA Netherlands. The aim of this report is to encourage and support the use of analytics in Internal Audit Functions (IAFs). Analytics has been part of our ‘toolset’ for many years, but recently rapid advances have been made in the available techniques. “The world hates change, yet it is the only thing that has brought progress.” (Charles Franklin Kettering). The auditing profession first emerged during the industrial revolution, and its original aims were to provide (additional) assurance to clients such as executive and supervisory directors and other stakeholders such as regulators and the general public. Since that time, the profession has steadily progressed and professionalised. However, in recent years many audit and control functions seem to struggle to keep up with the pace of the increasing digitisation and real-time developments in the economy. Traditional auditing in the sense of ‘retrospectively checking the figures’ is becoming increasingly inadequate. (2012, AICPA White Paper). Solutions to this are sought, including by: involving non-financial perspectives, such as client perspectives and those based on operational management and innovation, increasingly using (upfront) system audits, and increasingly incorporating ‘soft controls’ (culture and behaviour). These are all useful steps, but they are not sufficient. A promising solution that is already feasible for many audit functions is the use of analytics. It is expected that the use of analytics will enable auditors to substantially improve their effectiveness and efficiency.
Furthermore, in the near future the use of analytics will no longer be the exclusive domain of IT auditors, but will increasingly expand to other audit disciplines such as financial and operational auditing, as well as ‘second-line’ functions such as the internal audit, risk management and compliance functions. All this calls for research into the use of analytics that looks into the wishes and requirements of IAFs as well as the practical experiences they have gained. We hope this field study will inspire and support professionals in the use of analytics and will contribute to the further development and embedding of analytics in the internal audit profession. We would like to thank the auditors who contributed to this study for sharing their experiences and insights.
This report contains the results of a field study carried out on behalf of the Professional Practices Committee of IIA Netherlands. With it we hope to promote and support the use of analytics within Internal Audit Functions. Analytics has been part of our ‘toolkit’ for years, but the available techniques have developed rapidly. “The world hates change, yet it is the only thing that has brought progress” (Charles Franklin). The auditing profession emerged at the time of the industrial revolution with the aim of providing (additional) assurance to clients such as executive and supervisory directors and to other stakeholders such as external regulators and the general public. Since then the profession has gone through various developments and stages of professionalisation. In recent years, however, many audit and control functions no longer seem able to keep up with ongoing digitisation and ‘real-time developments’ in the economy. Traditional auditing in the sense of ‘checking afterwards whether the figures are correct’ is increasingly inadequate (2012, AICPA white paper). Solutions are sought in, among other things: involving non-financial perspectives such as customers, operations and innovation, auditing in a more system-oriented (upfront) way, and more explicitly including the ‘soft side’ (culture and behaviour). All of this is useful, but not sufficient. A promising solution, now within reach of many audit functions, is the use of ‘analytics’. The expectation is that by using it the auditor can achieve substantial improvements in effectiveness and efficiency. And that analytics will soon no longer be the exclusive domain of IT auditors, but will increasingly broaden to other audit disciplines such as financial and operational auditing and to ‘second-line’ functions such as internal control, risk management and compliance.
In short, it is time for a study that combines the wishes and needs of Internal Audit functions with experiences from practice. We hope this study will inspire and support the use of analytics and contribute to the further development and embedding of analytics in the internal audit profession. You can download the report here.
For an Internal Audit department it is a challenge to present management with the right recommendations: recommendations that offer solutions for removing the root cause of a deficiency. After all, only then is the deficiency addressed structurally. Carrying out a good root cause analysis is a challenge. One must have sufficient knowledge of root cause analysis methods to be able to choose a suitable method depending on the context, and sufficient skills to then apply it properly. The IIA article ‘Oorzaakanalyses in het kader van audits’ (Root cause analyses in the context of audits) of December 2014 discussed a number of methods/techniques that can be used in a root cause analysis. In the accompanying article we build on this by describing our experiences with applying several root cause analyses in practice. What these experiences have in common is that they are root cause analyses relating to complex findings. With this we want to show that it is also possible to carry out a sound root cause analysis for complicated problems. In this article we describe six examples of carrying out a root cause analysis, each started from a different point of view. In each example the methods provide insight into the root causes of the problems identified. Characteristic of these approaches is that they involve a complex finding or problem. A general definition of ‘complex’ is: “highly composite and therefore difficult to fathom”. For the purposes of this article we extend this definition with elements of root cause analysis and arrive at the following description of ‘a complex finding’: “A complex finding is an outcome of an investigation where the cause cannot easily be traced (to a single party).
It is possible that there are multiple causes, which may be related to one another and which together have caused a problem. Characteristically, an in-depth analysis is needed, either with the help of several experts or by applying several methods and techniques, in order to identify the cause or causes”. In this article, after an introduction in chapter 1, we will in chapters 2 and 3 successively describe the different approaches to root cause analysis and an example of their application. Our experience also shows that the role of the auditor in carrying out the root cause analysis can differ. We will therefore pay specific attention to this in chapter 4.
Central government and municipalities attach increasing value to the behavioural effects of policy and communication. There is growing attention to the insight that knowledge is not the most important driver of behaviour. Behaviour does not automatically change in the right direction when you provide information. Studies supporting the effectiveness of behaviour-influencing communication range from health care (Johnson and Goldstein 2003) and education (Castleman 2003) to encouraging compliance with laws and regulations (Blumenthal et al. 2001). Readers of audit reports are (implicitly) asked to adopt the report’s message. Receptiveness to communication is a precondition for the effectiveness of reports (Renes et al. 2011: 13). This raises the question of to what extent we as auditors make use of knowledge about behaviour-influencing communication. The example this study focuses on is the conscious or unconscious use of framing in audit reports.
The IIA (“Institute of Internal Auditors”) in cooperation with the University of Amsterdam performed an exploratory research into personality traits of internal auditors in relation to specific aspects of their work. This research was led by project leader Dr. J.R.H.J. van Kuijck RA RC (Director of Lime Tree Research and Education). This thesis is part of this project and describes the study on source personality traits of persuasive internal auditors. I would like to thank my coach Dr. J.R.H.J. van Kuijck RA RC for giving me the opportunity to participate in this research and for his guidance and feedback during my dissertation trajectory. I would like to thank Talentlens for their expertise and their professional help with collecting and preparing the data. Of course I would like to thank all the Dutch members of the Institute of Internal Audit (IIA) that have filled out the questionnaires. Many thanks to my employer MN, and especially to my manager Hans Manson, for investing in my development as an internal auditor and providing me the opportunity and the time to study. I would like to thank Jan van Praat and Anita Fijnekam-Schoffelmeer for their useful comments and suggestions and for always making time for me. Mom and dad, I would really like to thank you for always having faith in my abilities and for your endless support. It really means the world to me. Finally I would like to thank Alex, my love and best friend, for his support in everything I do, and for cheering me up when I needed it the most. Without him, this thesis would not have been what it is today.
This paper is the result of my research into tone of voice in Dutch-language written text. If the description of that subject does not yet inspire awe, the applied method of subjectivity analysis surely will: automated searching for patterns that are supposed to indicate something subjective in unstructured data collections. Anything braver than such a quest for the Holy Grail of the Digital Humanities is hardly conceivable. Brave or not, my research, however exciting, fun and fascinating I found it, has turned out to be no more than a stiff finger exercise. In a field of research that for the time being perhaps has more pretensions than achievements. Or, as Ewoud Sanders put it in his Woordhoek column in NRC Handelsblad of 31 March 2016: "Expectations of automatic pattern recognition are very high [...] but my experience is that smart and creative manual searching in big data has so far yielded on average twice as many useful sources." Now that the research is finished I share that view, but I would not have wanted to deny myself the fun of the attempt. In preparing and carrying out the research I received help from many people. To begin with, I owe thanks to colleagues at De Nederlandsche Bank, who helped with compiling lexicons, with selecting supervisory letters, or with thinking along about writing this paper without breaching the confidentiality of supervisory information. I would further like to thank in particular Michiel Boswinkel, Jolanda Breedveld, Maarten Hoornweg, Miranda Snel, and Tigran Spaan for their procedural and substantive cooperation over the past months. And, last but not least, those in my private life who have supported me over the past years with advice, assistance and a great deal of patience.
Big data is a popular term used to describe the exponential growth and availability of data created by people, applications, and smart machines. The term is also used to describe large, complex data sets that are beyond the capabilities of traditional data processing applications. The proliferation of structured and unstructured data, combined with technical advances in storage, processing power, and analytic tools, has enabled big data to become a competitive advantage for leading organizations that use it to gain insights into business opportunities and drive business strategies. However, the challenges and risks associated with big data must also be considered. Increased demand, immature frameworks, and emerging risks and opportunities that are not widely understood or systematically managed by organizations have created a need for more guidance in this area. Internal auditors, in particular, must develop new skill sets and obtain knowledge of big data principles to effectively provide assurance that risks are addressed and benefits are realized. Risks associated with big data include poor data quality, inadequate technology, insufficient security, and immature data governance practices. Internal auditors working with big data should engage with the organization’s chief information officer (CIO) and other key leaders to better understand the risks in terms of data collection, storage, analysis, security, and privacy. This guidance provides an overview of big data: its value, components, strategies, implementation considerations, data governance, consumption, and reporting, as well as some of the risks and challenges these may present. This guide also explains internal auditors’ roles and responsibilities when performing assurance or advisory procedures related to big data efforts.
The internal audit department is an essential part of a successful organization, and the chief audit executive (CAE) has a critical role in leading that function. As internal audit becomes more visible and more essential to an organization, so does the demand for effective CAEs—audit leaders who drive high-performing teams and deliver value by consistently addressing stakeholder needs, top-down risks, and the expectations of an evolving marketplace. Boards and executive management expect CAEs to bring innovation, strategic thinking, leadership, and expertise to the internal audit function—inspiring strong and effective internal audit departments. However, while CAEs are expected to have all of these qualities, there may be room for improvement. What advice does senior leadership have for their CAE to help them improve, continue to grow, and better serve the organization and its stakeholders? The results of the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study—specifically, the results from the questions asked of executives and board members who work closely with internal auditors—reveal four key messages for the CAE on how they can perform better in their roles, lead high-performing internal audit teams, and positively impact their organizations. The points of advice from stakeholders to CAEs: Exhibit strong business acumen, including knowledge of the industry, the ability to understand business strategy, and the insight to understand and assess risks. Demonstrate leadership skills, technical competence, innovation, and relational competence with audit staff and stakeholders. Manage competing priorities, demands, and conflicts within the organization, including communication with all areas of the organization with objectivity and integrity. Seek to influence the culture of the organization. Modeling right behavior and thinking, inspiring discussion, and acting as a change agent is crucial to helping improve organizational culture.
Pulse of internal audit
In last year’s Pulse of Internal Audit report, The IIA challenged internal auditors to “move out of their comfort zone” beyond annual planning and typical audit areas to audit at the speed of risk. Today, with increasing pressure on organizational governance and additional burdens placed on audit committees and boards, it is critical that chief audit executives (CAEs) lead with courage and take actions that could instill: Internal auditor’s self-confidence. Management and the board’s confidence in internal audit. Stakeholders’ confidence in the organization. Improving the effectiveness of risk management is a defining characteristic of internal auditing, yet even experienced CAEs may overlook some risks. This report looks at four areas where internal audit should take a closer look — both for the organization as a whole and for the internal audit function in particular. Not all risks are new or emerging. In fact, many critical risks have been around for a long time and perhaps have fallen just below or somehow dropped off the radar. CAEs need to have the courage to revisit these areas while ensuring their audit coverage aligns with what is important and top-of-mind to key stakeholders. In this report, we address two such areas: Company communications not traditionally subject to independent assurance (e.g., analyst presentations, sustainability reporting, some operational reporting). Environmental, health and safety risks. According to The IIA’s International Professional Practices Framework, internal audit’s mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. To do this effectively, leaders must have the courage to look inward with the same objective, professional skepticism used when assessing others. This report covers two areas where internal audit leaders have identified ongoing challenges: Internal audit’s use of data analytics.
Interpersonal dynamics between internal audit and others in the organization. Using survey results, this report shows how CAEs in North America are currently looking at these areas, and where there are reasons for concern. The report also provides insights on how CAEs can instill confidence by “evaluating and improving the effectiveness of risk management, internal control, and governance processes.”