Actualiteit

This report provides an overview of the results from the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Survey regarding internal audit quality assurance and improvement programs (QAIPs), and evaluates the internal audit profession’s conformance with professional standards related to QAIPs. The 2015 CBOK practitioner survey found significant and troubling differences between approved professional standards and actual internal audit practices. Although The International Standards for the Professional Practice of Internal Auditing requires development and maintenance of QAIPs covering all aspects of internal audit activity, only 34% of participating chief audit executives (CAEs) stated that they fully conform with this requirement. Many CAEs who reported that they do not conform with this requirement also do not disclose their nonconformance to their audit committees or other governing bodies. The internal audit profession’s failure to abide by its own quality standards may have profound consequences because internal audit functions with fully developed QAIPs tend to be different from other internal audit functions. Compared to other CAEs in the CBOK study, those reporting conformance to professional standards related to internal audit quality: Were more likely to report functionally to a board, audit committee, or equivalent Were more likely to have complete and unrestricted access to information as appropriate for the performance of audit activities Worked in organizations with more highly developed risk management processes Used a wider variety of resources to develop audit plans Made more use of technology in internal audit processes Were more likely to have documented procedures in an internal audit manual Received more hours of training and were more likely to have formalized training programs Were more likely to report that funding for the internal audit function was “completely sufficient”

Organizations of all types are becoming more vulnerable to cyber threats due to their increasing reliance on computers, networks, programs and applications, social media, and data. Security breaches can negatively impact organizations and their customers, both financially and in terms of reputation. Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity. Cybersecurity refers to the technologies, processes, and practices designed to protect an organization’s information assets — computers, networks, programs, and data — from unauthorized access. With the frequency and severity of cyberattacks on the rise, there is a significant need for improved cybersecurity risk management. The internal audit activity plays a crucial role in assessing an organization’s cybersecurity risks by considering: Who has access to the organization’s most valuable information? Which assets are the likeliest targets for cyberattacks? Which systems would cause the most significant disruption if compromised? Which data, if obtained by unauthorized parties, would cause financial or competitive loss, legal ramifications, or reputational damage to the organization? Is management prepared to react timely if a cybersecurity incident occurred? This practice guide discusses the internal audit activity’s role in cybersecurity, including: The role of the chief audit executive (CAE) related to assurance, governance, risk, and cyber threats. Assessing inherent risks and threats. The first, second, and third lines of defense roles and responsibilities related to risk management, controls, and governance. Where gaps in assurance may occur. The reporting responsibilities of the internal audit activity. In addition, the guide explores emerging risks and common threats faced by all three lines of defense and presents a straightforward approach to assessing cybersecurity risks and controls.

In een goed gebalanceerde en gestructureerde corporate governance zijn de Auditcommissie (AC), de Interne Audit Functie (IAF) en de externe accountant (EA) op elkaar aangewezen. De IAF wordt steeds vaker gezien als een essentieel onderdeel van de governance van de organisatie. De IAF ondersteunt de AC door het verschaffen van inzicht in en assurance over de opzet en effectiviteit van de governance, het risicomanagement en de interne beheersingsmaatregelen. De AC kan de juiste randvoorwaarden en condities voor de IAF creëren, die het onafhankelijk en objectief functioneren van de IAF optimaliseren en het complementair functioneren van de IAF en de EA bevorderen. De relatie tussen de AC en de IAF werd voor het eerst geformaliseerd in de eerste Nederlandse Corporate Governance Code (de Code) in 2003. Vijf jaar daarna onderzochten de Koninklijke Nederlandse Beroepsorganisatie van Accountants (NBA) (destijds NIVRA) en het Instituut van Internal Auditors Nederland (IIA) de toenmalige praktijk en publiceerden de bevindingen en best practices in ‘Bondgenoten in Governance’ (2008). In het voorjaar van 2016 stelden het IIA en de NBA een werkgroep samen om de relatie tussen de AC en de IAF opnieuw te onderzoeken. In verband met het voorstel tot herziening van de Code, waarin de driehoek AC, IAF en EA prominent naar voren komt, heeft de werkgroep ook aandacht besteed aan de relatie tussen de IAF en de EA. De belangrijkste conclusies uit het onderzoek zijn: De formele relatie tussen de AC en de Chief Audit Executive (CAE) is over het algemeen goed ingevuld. Deze relatie is gedefinieerd in het charter van de IAF. De meeste AC’s zijn zich bewust van het belang van het benoemen van een gekwalificeerde CAE. Zij zijn dan ook actief betrokken bij diens aanstelling of het ontslag. Deze betrokkenheid kan nog worden verbeterd indien elke voorzitter van een AC een gesprek heeft met de beoogde CAE, voorafgaand aan diens aanstelling. Bijna alle AC’s (80%) zijn betrokken bij de beoordeling van de CAE. Dit verbetert diens functioneren omdat zijn objectiviteit beter is gewaarborgd als zijn beoordeling niet uitsluitend wordt opgesteld door direct betrokkenen. De CAE wordt gezien als een volwaardige gesprekspartner en is bij de meeste organisaties aanwezig bij de gehele vergadering van de AC. Daardoor kan de CAE zijn inzichten delen met de AC, ook op terreinen die hij (nog) niet heeft onderzocht. Tevens levert dit de CAE belangrijke informatie op die hij bij de invulling van zijn functie nodig heeft. Bij de meeste organisaties spreken de voorzitter van de AC en de CAE elkaar meerdere malen per jaar bilateraal. Dit versterkt de onafhankelijkheid en de vertrouwensband. Om goed te kunnen functioneren als ‘trusted advisor’ van zowel de voorzitter van het bestuur als die van de AC is transparantie over de inhoud van deze gesprekken belangrijk. De AC bespreekt het auditplan en de beschikbaar gestelde middelen. De wijzigingen in de auditplanning worden (tenminste) jaarlijks besproken met de CAE. Beperking van beschikbaar gestelde middelen heeft impact op de keuzes die moeten worden gemaakt bij het opstellen van het auditplan. Het is belangrijk dat de AC begrijpt welke risico’s niet kunnen worden afgedekt met de beschikbare middelen. Beter inzicht bij de AC kan leiden tot een aanpassing van de beschikbare middelen, zodat de gewenste ‘audit coverage’ wordt bereikt. De AC kan de beoordeling van de effectiviteit van de IAF verbeteren door in overleg met de CAE een breed scala aan KPI’s af te spreken. Het programma voor de kwaliteitsbeheersing en -verbetering van de IAF behoort daarvan onderdeel uit te maken. Gezien het toenemende belang van cultuur en gedrag als onderdeel van de governance van organisaties dienen AC’s de aanpak van audits op dit terrein te bespreken met de CAE. Niet alle CAE’s achten zich op dit moment in staat om deze handschoen op te pakken. Het IIA en de NBA dienen de leden op dit gebied te ondersteunen, door ze te helpen met het ontwikkelen van een aanpak via opleidingen en publicaties. Naar aanleiding van het voorstel tot herziening van de Code dient de samenwerking tussen de IAF en de EA een nieuwe benadering te krijgen, draaiend om de vraag waar ze elkaar treffen en aanvullen in het totaalveld van financiële en niet-financiële informatie. Het optimaliseren van de relatie tussen de IAF en de EA en kansen om in complementariteit de governance van de organisatie te verbeteren, dient op de agenda van de AC te worden geplaatst. Te overwegen valt om jaarlijks gezamenlijk aan het bestuur en de AC te rapporteren over de opzet, het bestaan en de werking van de governance en risicobeheersing- en interne controlesystemen.

In a properly balanced and structured corporate governance framework, the Audit Committee (AC), the Interne Audit Function (IAF) and the external accountant (EA) rely on each other. The IAF is increasingly seen as an essential element of the organisation’s governance. The IAF supports the AC by providing insight into and assurance about the design and effectiveness of the governance, the risk management and the internal control measures. The AC is in a position to create the correct prerequisites and conditions for the IAF that optimise the IAF’s independence and objective functioning and promote the complementary functioning of the IAF and the EA. The relationship between the AC and the IAF was first formalised in the original Dutch Corporate Governance Code (the Code) in 2003. Five years later, the Royal Netherlands Organisation of Chartered Accountants (NBA) (then NIVRA) and the Institute of Internal Auditors Netherlands (IIA) surveyed the practice at the time and published the findings and best practices in ‘Allies in Governance’ (2008). In the spring of 2016, the IIA and the NBA jointly set up a working group to look anew at the relationship between the AC and the IAF. In connection with the proposal to revise the Code, in which the AC, IAF and EA triangle features prominently, the working group also focused on the relationship between the IAF and the EA. The main conclusions from the survey are: The formal relationship between the AC and the Chief Audit Executive (CAE) is generally well structured. This relationship is defined in the IAF charter. Most ACs are aware of the importance of appointing a qualified CAE. They are therefore also involved in their appointment or dismissal. This involvement can be further improved if every chair of an AC has an interview with the prospective CAE prior to the latter’s appointment. Almost all the ACs (80%) are involved in assessing the CAE. This improves his functioning because his objectivity is better guaranteed if his performance appraisal is not only prepared by people directly involved. The CAE is seen as a valuable discussion partner and, in most organisations, is present at the entire AC meeting. This enables the CAE to share insights with the AC, also in areas that he has not (yet) studied. It also gives the CAE important information that he requires in fulfilling his job. In most organisations, the chairs of the AC and CAE have bilateral discussions several times a year, which strengthens the independence and the bond of trust. To function optimally as ‘trusted advisor’ to both the chair of the board and that of the AC, transparency about the content of these discussions is essential. The AC discusses the audit plan and the available resources. Changes in the audit planning are discussed annually (at least) with the CAE. Restricting the available resources has an impact on the choices that have to be made when preparing the audit plan. It is important that the AC understands which risks cannot be covered with the available resources. Better insight by the AC can result in adaptation of the available resources in order to achieve the desired audit coverage. The AC can strengthen the assessment of the effectiveness of the IAF by agreeing a wide range of KPIs in consultation with the CAE. The IAF’s quality control and improvement programme has to be part of it. Given the increasing relevance of culture and conduct as part of the organisations’ governance, ACs should discuss the audit approach in this field with the CAE. Not all CAEs currently feel themselves up to the task of picking up this gauntlet. The IIA and the NBA should offer the members support in this area by assisting them in developing an approach through training and publications. In view of the proposal to revise the Code, there should be a new approach to the collaboration between the IAF and EA, centred on the question of where they encounter and complement one another in the overall field of financial and non-financial information. Optimisation of the relationship between the IAF  and the EA and opportunities to improve the organisation’s governance in partnership should be put on the AC’s agenda. An option is to report jointly each year to the board and the AC on the design, existence and operation of the governance and the risk management and internal control systems.

The Institute of Internal Auditors’ (IIA’s) 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Survey reveals that women make up a large portion of the internal audit profession around the world; however, women still face considerable challenges as they navigate through their careers in internal auditing. This report has two goals: To describe how women currently fit into the internal audit landscape around the world, based on results from the 2015 CBOK Practitioner Survey To share perspectives and advice for achieving success as a woman in the internal auditing profession, using interviews and roundtable discussions conducted with chief audit executives (CAEs) from around the world The 2015 CBOK survey revealed several important differences between men and women in internal auditing that may tend to influence career success. On average, women self-assessed themselves lower in all 10 of the core competencies defined in The IIA’s Global Internal Audit Competency Framework, especially early in their careers. Female participants were also less likely than men to diversify their expertise, either through formal education or through attainment of professional certifications. There were also notable differences in the tools used by male and female CAEs to assess internal audit quality. Men and women were equally likely to report having a well-defined quality assurance and improvement program (QAIP); but on average, the men were significantly more likely to report the use of balanced scorecards, surveys of audit clients, and peer reviews to assess the quality of their internal audit functions. Especially at larger organizations, the CBOK survey data indicates that top management positions in internal auditing are more often held by men than by women. But while there is a distinct “gender gap” in internal auditing, that gap seems to be narrowing. On average, the women who participated in the survey held lower-level positions than the men, but they were also generally younger than their male counterparts. This suggests that as the relatively younger female workforce ages, the number of women moving into senior positions in internal auditing may increase.

This report provides an overview of results from the 2015 Global Internal Audit Practitioner Survey regarding The Institute of Internal Auditors’ (IIA’s) International Standards for the Professional Practice of Internal Auditing. The Standards represent minimum expected requirements that normally should be found in all internal audit functions. They provide a foundation for performing efficiently and effectively, and are intended for use wherever internal auditing is practiced. Yet despite the fact that conformance to the Standards is mandatory for all members of The IIA and for all Certified Internal Auditors (CIAs), the survey found significant levels of nonconformance. Almost half of surveyed chief audit executives (CAEs) report that they do not use all the Standards, and fewer still say that they are in conformance with the Standards. An underlying objective of the Standards is to ensure that internal audit is effective, of high value, and of high and consistent quality. Nonconformance undermines this objective, and significant levels of nonconformance are detrimental to the image and reputation of the internal audit profession. Fortunately, the CBOK survey also found that significant progress is being made toward more consistent conformance. The CBOK 2015 Global Internal Audit Practitioner Survey found: While use of the Standards is increasing, almost half of CAEs still report that they do not use all of the Standards. Auditors holding internal audit-related professional certifications use the Standards more often than auditors without such certifications. Members of The IIA use the Standards more often than nonmembers. Standards use is more likely in highly regulated industries than in less-regulated industries, and more likely in publicly traded organizations than in privately owned organizations. Use of all of the Standards is higher in the regions of North America, Europe, and Sub- Saharan Africa than in other parts of the world. More work may be needed in learning to apply the Standards and other elements of The IIA’s International Professional Practices Framework (IPPF) effectively. Almost a quarter of internal auditors evaluate themselves as being below the competent level in applying the IPPF to their work. Use of the Standards may be particularly challenging for internal auditors working at smaller internal audit departments. Auditors in one- to three-person departments use all of the Standards at a rate of 6% to 18% below the global average. Other reasons given for nonconformance include lack of board/management support, lack of perceived benefit compared to cost, and impacts on conformance caused by government regulations or standards.

Smart devices, such as cell phones and tablets, offer truly mobile and convenient options for working remotely. Like any new or expanding technology, smart devices also introduce additional risks for organizations. Internal auditing’s approach to assessing risks and controls related to smart devices is evolving as new technologies emerge and the variety of devices increases. To meet these challenges, internal auditors are tasked with: Understanding the organization’s smart device strategy. Evaluating the effect of smart device technology on the organization. Providing assurance over the smart device environment by: - Identifying and assessing risks to the organization arising from the use of such devices. - Determining the adequacy of applicable governance, risk management, and controls related to such devices. - Reviewing the design and effectiveness of related controls. Chief audit executives (CAEs) should have a thorough understanding of the opportunities and threats that smart devices present to the organization and the internal audit activity. The internal audit activity can support management’s efforts to mitigate risks associated with the use of smart devices. This guidance should help internal auditors better understand the technology, risks, and controls associated with smart devices. Appendix C provides an engagement work program, including a risk assessment, designed specifically to evaluate risk management and controls related to smart devices.

Hier een teaser in te vullen

This report provides an overview of results from the 2015 Global Internal Audit Practitioner Survey regarding The Institute of Internal Auditors’ (IIA’s) International Standards for the Professional Practice of Internal Auditing. The Standards represent minimum expected requirements that normally should be found in all internal audit functions. They provide a foundation for performing efficiently and effectively, and are intended for use wherever internal auditing is practiced. Yet despite the fact that conformance to the Standards is mandatory for all members of The IIA and for all Certified Internal Auditors (CIAs), the survey found significant levels of nonconformance. Almost half of surveyed chief audit executives (CAEs) report that they do not use all the Standards, and fewer still say that they are in conformance with the Standards. An underlying objective of the Standards is to ensure that internal audit is effective, of high value, and of high and consistent quality. Nonconformance undermines this objective, and significant levels of nonconformance are detrimental to the image and reputation of the internal audit profession. Fortunately, the CBOK survey also found that significant progress is being made toward more consistent conformance. The CBOK 2015 Global Internal Audit Practitioner Survey found: While use of the Standards is increasing, almost half of CAEs still report that they do not use all of the Standards. Auditors holding internal audit-related professional certifications use the Standards more often than auditors without such certifications. Members of The IIA use the Standards more often than nonmembers. Standards use is more likely in highly regulated industries than in less-regulated industries, and more likely in publicly traded organizations than in privately owned organizations.] Use of all of the Standards is higher in the regions of North America, Europe, and SubSaharan Africa than in other parts of the world. More work may be needed in learning to apply the Standards and other elements of The IIA’s International Professional Practices Framework (IPPF) effectively. Almost a quarter of internal auditors evaluate themselves as being below the competent level in applying the IPPF to their work. Use of the Standards may be particularly challenging for internal auditors working at smaller internal audit departments. Auditors in one- to three-person departments use all of the Standards at a rate of 6% to 18% below the global average. Other reasons given for nonconformance include lack of board/management support, lack of perceived benefit compared to cost, and impacts on conformance caused by government regulations or standards.

The board of directors—whether it is the board in a unitary or single-tier structure or the supervisory board in a dual or two-tiered structure—is a key stakeholder of internal audit with needs that internal auditors are= uniquely positioned to provide. Most often, the board’s primary interface with internal audit is through its audit committee.* The CBOK 2015 stakeholder study offers insights as to the expectations of audit committees of internal audit. For audit committees, the insights provide a catalyst for taking stock of committee members’ interactions with and use of the internal audit function. For any progressive chief audit executive (CAE), these expectations offer opportunities to take the initiative to advance relationships with this vitally important stakeholder group by improving internal audit’s value proposition. Thus, the insights offer a pathway to continuous improvements that benefit all. Three broad themes emerged from the study. Audit committees should: Enable internal auditors to think more broadly and strategically as they plan for, execute, and report on their work. Encourage internal audit to move beyond assurance to enhance its value proposition. Take steps to ensure CAEs and the internal audit function are effectively positioned to deliver to expectations.  The survey responses from directors serving on audit committees surfaced six imperatives of interest to audit committees that support these three themes. Following is a brief discussion on each of the six imperatives. 

How mature is your internal audit department (or how mature can it be)? This subject is explored using responses from more than 2,500 chief audit executives (CAEs) in The IIA’s CBOK (Common Body of Knowledge) database. The findings were further supplemented through interviews with a small sample of CAEs from different regions in the world who commented on internal audit department maturity. Assessment of the internal audit department maturity is important because it helps build strategies to bridge the gaps between expected and realized internal audit quality. Maturity indicators are introduced to support principal stakeholders in deciding whether and how they can rely on internal audit departments’ services and guide CAEs in developing more mature internal audit departments. This report spans various industries in several global regions. It also reports on the influences of internal audit departments’ age and size, organization size, and degree of conformance with The IIA’s International Standards for the Professional Practice of Internal Auditing (Standards), among others. The report is organized in seven sections. Data was available to measure internal audit departmental maturity on the following indicators: Is almost fully aligned with the strategic plan of the organization Demonstrates agility and flexibility to adapt the internal audit planning and priorities to important changes in the strategic objectives of an organization Relies on a holistic risk assessment to build sufficient knowledge and understanding of the organization’s business at micro and macro levels Has an internal audit staff with a mixed background of traditional auditing skills and industry knowledge complemented with general business competence, critical thinking, and leadership skills Provides structured, documented, and diversified training programs for the internal audit staff Documents and continuously monitors the audit procedures to adapt them to the evolving environment Makes the internal audit strategy explicit and translates the strategy into key performance indicators (KPIs), which allow continuous monitoring of the achievement of the internal audit strategy Uses leading technology (like data mining, data analytics, and continuous/ real-time auditing) across the entire audit process to increase internal audit’s efficiency and effectiveness Has a Quality Assurance and Improvement Program (QAIP) for the internal audit department, which is aligned with the internal audit strategy and supported by a culture around continuous quality assurance and improvement In addition to these main findings, key action items are included in each section to help establish guidance in improving internal audit department maturity. 

Hier een teaser in te vullen

When an internal auditor elects to pursue certification, he or she takes a big step toward establishing a professional reputation that speaks loudly of integrity, dedication, and commitment to both the profession and his or her organization. This commitment is reflected in findings from the CBOK 2015 Global Internal Audit Practitioner Survey. For example: Forty-three percent of respondents worldwide say they hold at least one internal audit certification or qualification. The primary certification held globally is the Certified Internal Auditor (CIA) (held by 30% of respondents worldwide). The most popular internal audit specialty certification is the Certification in Risk Management Assurance (CRMA) (held by 9% of respondents worldwide). Non-internal audit certifications are held by 60% of respondents worldwide. Forty or more hours per year of internal audit training is achieved by 61% of respondentsworldwide.  Survey results also reveal which certifications are most popular in different parts of the world, providing valuable information for internal audit practitioners, aspiring internal auditors, and chief audit executives (CAEs). Other stakeholders such as regulators, executive management, audit committees, and executive recruiters will also find the information useful for purposes related to standards setting, benchmarking, and hiring. CBOK is the largest ongoing study of internal auditors in the world, with participation from 14,518 practitioners from 166 countries.

The evolution of the internal audit profession toward a more value-added risk assurance function continues to move forward. While technical skills are needed for day-to-day work, analytical/critical thinking and communication are personal skills that continue to be at the top of any chief audit executive’s (CAE’s) wish list. Practitioners with these skills have a higher probability of overcoming any technical deficiencies and stepping up to meet stakeholders’ value-added expectations. To find practitioners with these skills, CAEs need to have a deliberate talent management plan. They should prioritize identifying those candidates with key personal skills through behavioral assessments, looking at diverse academic backgrounds. When it is not feasible to hire staff for particular skills or needs, they can consider using resources in other areas of the organization (co-sourcing) or obtaining support from outside the organization (outsourcing). Finally, CAEs should establish development programs that further improve on personal skills while augmenting industry-specific knowledge and other technical skills. This report supports its conclusions with results from the CBOK 2015 Global Practitioner Survey, the largest ongoing study of internal auditors in the world. 

In 1941, when The Institute of Internal Auditors (The IIA) was founded, there was no internet, personal computers did not exist and open global communication among private citizens was a dream. Fast-forward to 2016: Technological innovation is rapid and disruptive, and touches almost every aspect of our lives. People and machines are becoming increasingly interconnected, accelerating digitization and shaping the Internet of Things. And almost every business today is, at its core, a technology business − one that relies on IT not only to operate, but also to innovate and enable future success. Another dramatic change that has occurred since The IIA’s founding: the number of companies across industries, and the globe, that are positioning women in board-level and leadership positions in increasing numbers. This is why, as The IIA celebrates its 75th anniversary, we chose to interview only female internal audit leaders for the latest edition of our Internal Auditing Around the World series. These women represent positive change in the business world and in the internal audit profession. Therefore, we believed they could offer a unique perspective on how technology is transforming internal audit functions for the better.