Actualiteit

In keeping with its overall mission, the COSO Board commissioned and published in 2004 Enterprise Risk Management—Integrated Framework. Over the past decade, that publication has gained broad acceptance by organizations in their efforts to manage risk. However, also through that period, the complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, now titled Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance. The first part of the updated publication offers a perspective on current and evolving concepts and applications of enterprise risk management. The second part, the Framework, is organized into five easy-to-understand components that accommodate different viewpoints and operating structures, and enhance strategies and decision-making. 

IT Internal Audit (ITIA) is coming under increasing pressure to measure the management and mitigation of technology risks that are proliferating. Resources are stretched and demands are ever increasing. As technology risks multiply, ITIA is being asked to do more. For some, budgets are rising, but not for all. IA professionals are rising to the challenge, but nonetheless this latest survey of the market shows there are significant gaps in resources and capabilities. To bridge the gap, ITIA must redouble its efforts to enhance the skills of existing personnel, to partner with third parties and to hire talented professionals where necessary. It is becoming critical to present a forward-looking and compelling business case for more resources, where needed, to the Board, Audit Committee and senior management. The findings in this report are based on a survey of 250 ITIA professionals around the world and the Netherlands. Insights are also included from KPMG’s 2016 IT Internal Audit conference. It is the third report of its kind (the previous ones were published in 2009 and 2013). We would like to thank all of the respondents who participated in the survey, including many of our member firms’ clients. We hope that you will find it a valuable and insightful assessment of the state of ITIA globally and in the Netherlands providing you with information that broadens your understanding of the critical contribution ITIA can make to the business. At a time when demands placed on ITIA are steadily growing, we expect this report will stimulate your thinking and provide fresh perspectives.

As governance and monitoring functions collaborate more closely to avoid duplication of effort, internal audit may be asked to take on responsibilities for risk management, compliance, regulatory oversight, and other governance activities. The chief audit executive (CAE) plays a critical role in navigating between internal audit’s traditional role and assuming responsibilities for risk management, compliance, and other governance functions. The CAE should be held accountable for preserving independence and objectivity, communicating with management and the board, and confirming management’s acceptance of risk to internal audit’s independence and/or auditor objectivity. To navigate through these competing challenges, internal auditors can look to The IIA’s guidance on effective risk management and control, and promulgated standards related to independence and objectivity.

Internal Audit and Crisis Resilience The possibility of a crisis severely disrupting an organization’s ability tooperate looms today like never before, given the pace with which global threats evolve. Incidents of sophisticated cyber sabotage, volatile weather patterns, terrorism attacks, and labor disruptions are escalating, and can strike, obviously, without warning. With these crisis events and the inability to continue operations and meet objectives comes damage to an organization’s reputation and its ability to meet stakeholder expectations. Yet a recent study reveals a broad gap between board members’ awareness of potential crises and their organizations’ actual crisis readiness. Being able to recognize potential crises, effectively handle such interruptions, and return to normal operations is extremely difficult. Gaining the capacity to do this quickly and efficiently with the minimum amount of impact — to be crisis resilient — is that much harder, and the ultimate goal. Crisis experts agree the key to being crisis resilient is preparation and that internal audit is positioned to play a key role in the process. Auditors’ breadth of skills, position in the organization, and deep knowledge of operations can help their businesses prepare for the inevitable crisis and move the organization from crisis aware to crisis resilient — ready to resist, react to, and recover from major disruptive events.  

Successful internal audit activities are built on a strong foundation - a foundation sturdy enough to withstand increased pressures from internal and external stakeholders, a turbulent geopolitical landscape, and evolving business practices. Unfortunately, weaknesses in a foundation are not apparent until the foundation is stressed, and then it's too late - the foundation crumbles. When the foundation crumbles, it becomes more difficult for internal audit to provide valuable services to the organization. This Pulse Report is intended for chief audit executives (CAEs) who are building new internal audit activities, as well as CAEs who want to examine the structural soundness of established internal audit activities. This report covers resources, competence, structure, IIA standards, and other foundational elements necessary to deliver world-class internal auditing.