Actualiteit

The IIA has released Auditing Liquidity Risk, An Overview—the first IPPF practice guide specifically for financial auditors. In the heavily regulated financial services industry, institutions must actively manage liquidity risk to ensure survival. Post crisis, supervisors have formalized liquidity risk management requirements within regulations and developed specific expectations of internal audit departments. In this environment, it is imperative that practitioners ensure their audit approaches are in line with international standards, regulations, and best practices. The IIA’s practice guide* provides a historical perspective on the regulatory environment related to liquidity risk, reviews the fundamental principle for the management of liquidity risk, and explains why it is so important for a financial institution. Additionally, the guidance highlights: Governance of liquidity risk management. Liquidity risk appetite/tolerance. Considerations for planning a Liquidity Risk audit. Measurement and management of liquidity risk. Public disclosure requirements. Role of supervisors. *Under Review: This practice guide contains some outdated material and references. It remains available while a review is underway.  This is for members only. To access it and other valuable resources, become a member today.  

At the recent annual symposium of the Internal Auditing & Advisory and IT Auditing & Advisory programmes of the Erasmus School of Accounting & Assurance (ESAA) we presented a report discussing the findings of a study into emerging trends in the professional practice of internal auditors. One of those trends is the ‘psychologisation of the internal audit profession’: it has become nearly impossible to separate risks from the related behaviour and the risk perceptions of those involved. The internal audit function plays a key role in assessing and identifying risks, and is at the same time looking for ways to improve the effectiveness of its assessments and interventions. This increasingly involves the use of concepts that extend beyond the content of the message and focus on the ‘form’ of the message, the timing of the message, etc. Experiments in the field of behavioural economics have shown that subtle changes to how a message is presented can influence people’s decision-making, particularity when it comes to decisions about risks. Knowledge about heuristics and biases in human decision-making has led to the successful application of ‘nudges’: simple interventions that ‘entice’ to adopt the desired behaviour and gently push them in the right direction. It has been shown that nudges are effective because they make the desired alternatives easier, more attractive, more socially engaging or timelier. So nudging could be an interesting addition to the classical repertoire of the internal auditor. In the public sector interest in nudging has been increasing in recent years because it provides an effective means to influence people’s behaviour. Lines are painted on dangerous roads to make the road appear narrower. As a result, drivers slow down and drive more safely. Applying the image of a fly in urinals and placing waste baskets near traffic lights for people to aim at are playful incentives for safer and more hygienic behaviour. By making smart use of our subconscious inclination to play games and improve our game playing skills, we can actually bring about safer, more hygienic and therefore less risky behaviour. These are special forms of nudging known as ‘gamification’, which plays an increasingly dominant role in risk management and safety management, for example in hospitals. Gamification is also slowly but surely receiving more attention from the Executive Board and the Supervisory Board or Board of Trustees. The application of nudging (and gamification as a special form of nudging) that we increasingly encounter in our day-to-day practice in the public and private sector obviously raises challenging questions for the internal audit practice: Are we able to, are we allowed to and do we want to use these types of tools to influence behaviour? Can we ignore these tools, which have such a big impact on risk behaviour in the public and private sector and which are increasingly incorporated into the risk management of all kinds of organisations, including hospitals? And how can gamification be reconciled to the professional seriousness of the internal audit profession, where contributing to the controlling of risks is a key priority, but focusing on the game element of this may nonetheless feel a bit awkward, to say the least? The emergence of the phenomenon of gamification raises challenging questions for the internal audit practice and demands in-depth research into the opportunities, dilemmas and limits of the application of gamification in the professional practice of internal auditors. In exploring this phenomenon, we will zoom in on the healthcare sector, where gamification plays an increasingly prominent role in the operational and governance practice with regard to risk control, and is therefore increasingly encountered by the internal audit function. Risks manifesting themselves in the healthcare sector have a major social impact and healthcare institutions face a rich palette of risk types that fall under the remit of the internal audit function. We believe that the lessons we have drawn from our exploration in this sector may also offer interesting starting points for a broader discussion about the application of gamification in the internal audit profession. The practical part of this exploration focuses on an initial exercise with gamification in the healthcare sector, but the findings are also relevant to the much larger Dutch internal audit profession as a whole, including internal auditors operating in entirely different fields.

Onlangs hebben wij tijdens het jaarlijks symposium van de ESAA-opleidingen Internal Auditing & Advisory en IT-Auditing & Advisory een onderzoeksrapport gepresenteerd met de resultaten van onderzoek naar trends die zich aftekenen in de professionele beroepspraktijk van internal auditors. Een daarvan betreft ‘de psychologisering van het beroep van internal auditor’: risico’s kunnen nauwelijks nog worden losgezien van het gedrag dat ermee samenhangt en de risicopercepties van de betrokkenen. De internal audit functie speelt een belangrijke rol bij het beoordelen en signaleren van risico’s en is tegelijkertijd op zoek naar manieren om de effectiviteit van eigen oordelen en interventies verder te verbeteren. Steeds vaker vallen daarbij termen die verder gaan dan de inhoud van de boodschap en die zich richten op de ‘vorm’ van boodschap, de timing van de boodschap, et cetera. Uit experimenten in de gedragseconomie blijkt dat subtiele aanpassingen in de presentatie van een boodschap van invloed zijn op de beslissingen die mensen nemen, in het bijzonder waar het besluitvorming over risico’s betreft. Kennis over heuristieken en vertekeningen (‘biases’) in de menselijke besluitvorming, heeft geresulteerd in succesvolle toepassing van zogenoemde ‘nudges’: simpele interventies die ‘verleiden’ tot het gewenste gedrag en mensen een duwtje in de goede richting geven. Nudges blijken effectief doordat zij de gewenste keuzeopties gemakkelijker, aantrekkelijker, socialer of tijdiger maken en kunnen derhalve een interessante uitbreiding vormen op het klassieke repertoire van de internal auditor. In de publieke sector staat nudging de afgelopen jaren steeds meer in de belangstelling omdat het op een effectieve manier van beïnvloeding biedt voor het gedrag dat mensen vertonen. Op gevaarlijke wegen worden strepen geplaatst die de weg optisch smaller doen lijken. Dit resulteert in verlaging van de rijsnelheid en in veiliger verkeersgedrag. De vlieg die is afgebeeld in urinoirs en de baskets die soms naast stoplichten staan nodigen - in alle speelsheid - uit tot veiliger en hygiënischer gedrag van passanten. Door slim gebruik te maken van onze onbewuste neiging tot spelen en onszelf daarin te willen verbeteren valt daadwerkelijk veiliger, hygiënischer en derhalve minder risicovol gedrag te realiseren. Dergelijke vormen van gamification als bijzondere vorm van nudging krijgen bijvoorbeeld in ziekenhuizen een steeds dominanter rol in het risicomanagement en veiligheidsmanagement en komen ook langzaam maar zeker steeds meer in de belangstelling van bestuurders en toezichthouders. De toepassing van nudging (en gamification als bijzondere vorm daarvan) die we in de dagdagelijkse publieke en private praktijk steeds vaker tegen komen, roept natuurlijk uitdagende vragen op voor de internal audit praktijk: kunnen, mogen en willen wij gebruik van maken van dit type gedragsbeïnvloeding? Kunnen wij dergelijke instrumenten negeren als zij zo’n grote invloed hebben op het risicogedrag in publieke en private omgevingen en steeds meer onderdeel gaan uitmaken van het risicomanagement van organisaties zoals ziekenhuizen. Hoe verhoudt gamification zich tot de professionele ernst van het internal audit beroep, waarbij de bijdrage tot risicobeheersing weliswaar hoog in het vaandel staat, maar aandacht voor de spelcomponent daarin toch tenminste enig ongemak oproept. 

Fraud can disrupt operations, pose compliance risks, blemish an organization’s reputation, and cost an organization and its stakeholders substantial amounts of money. While management, with board oversight, holds the primary responsibility for establishing and monitoring effective controls to deter and detect fraud, the internal audit activity is required to evaluate the risk of fraud, according to the International Standards for the Professional Practice of Internal Auditing. Additionally, the chief audit executive (CAE) must report significant risk and control issues, including fraud, to senior management and the board (Standard 2060 – Reporting to Senior Management and the Board). The Standards require the internal audit activity to assess fraud risks at the organizational and engagement level. To ensure adequate review of the risks relevant to each engagement, internal auditors should conduct a fraud risk assessment as part of engagement planning (Standard 2210.A1). Over time, the knowledge the internal audit activity obtains during individual engagements can be compiled into a more robust and comprehensive organizationwide fraud risk assessment. This practice guide describes the characteristics of fraud and the process of identifying and assessing fraud risks during engagement planning. The exact process of incorporating a fraud risk assessment into engagement planning may vary according to the needs of the individual organization, internal audit activity, and engagement. However, the process generally includes the following steps: Gather information to understand the purpose and context of the engagement, as well as the governance, risk management, and controls relevant to the area or process under review. Brainstorm fraud scenarios to identify potential fraud risks. Assess the identified fraud risks to determine which risks require further evaluation during the engagement.

The interests, roles, responsibilities, and activities of internal auditors and external auditors are complementary and sometimes similar; in some cases,they overlap at one point or another. For example, the overlap between an internal auditor and an external auditor may include carrying out an efficient analysis of transactions; becoming intimately familiar with an organization’s governance, risk management, and internal control systems; and sharing and developing accurate final reports. This is not a surprise; each role is based on a professional discipline and operates to that discipline’s standards. As such, the external auditor’s professional concerns include the inaccuracies and misstatements that affect final business accounts (financial information). Internal auditors are concerned with the wide range of governance, risk management, and internal controls (nonfinancial information). Keep in mind, internal audit and external audit do not compete and they do not conflict; rather, one complements the other. Both are crucial to good governance, and they should meet at some point and work together. However, there are distinct differences in the roles, and certainly in the boundaries of the work that they perform. The differences, summarized below, are often under-recognized, and are perhaps even misunderstood and confused by stakeholders.