Actualiteit

Pulse of internal audit In last year’s Pulse of Internal Audit report, The IIA challenged internal auditors to “move out of their comfort zone” beyond annual planning and typical audit areas to audit at the speed of risk. Today, with increasing pressure on organizational governance and additional burdens placed on audit committees and boards, it is critical that chief audit executives (CAEs) lead with courage and take actions that could instill: Internal auditor’s self-confidence. Management and the board’s confidence in internal audit. Stakeholders’ confidence in the organization.  Improving the effectiveness of risk management is a defining characteristic of internal auditing, yet even experienced CAEs may overlook some risks. This report looks at four areas where internal audit should take a closer look — both for the organization as a whole and for the internal audit function in particular. Not all risks are new or emerging. In fact, many critical risks have been around for a long time and perhaps have fallen just below or somehow dropped off the radar. CAEs need to have the courage to revisit these areas while ensuring their audit coverage aligns with what is important and top-of-mind to key stakeholders. In this report, we address two such areas: Company communications not traditionally subject to independent assurance (e.g., analyst presentations, sustainability reporting, some operational reporting). Environmental, health and safety risks. According to The IIA’s International Professional Practices Framework, internal audit’s mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. To do this effectively, leaders must have the courage to look inward with the same objective, professional skepticism used when assessing others. This report covers two areas where internal audit leaders have identified ongoing challenges: Internal audit’s use of data analytics. Interpersonal dynamics between internal audit and others in the organization. Using survey results, this report shows how CAEs in North America are currently looking at these areas, and where there are reasons for concern. The report also provides insights on how CAEs can instill confidence by “evaluating and improving the effectiveness of risk management, internal control, and governance processes.”2

In this white paper, we will look at how auditors can assess, respond to and analyze the risks they encounter during a risk-based audit.

As cyberattacks grow in frequency, severity, and complexity, cybersecurity professionals are urging organizations to move beyond a defensive and reactive approach to a more proactive approach, allowing for the prediction and anticipation of cybersecurity threats. Recognizing this emerging trend, the Institute of Internal Auditors’ Audit Executive Center (AEC), in collaboration with the Internal Audit Foundation, elected to supplement recent research by conducting a Quick Poll survey of chief audit executives (CAEs) to ask specific questions about their organizations’ use of security operations centers (SOCs) as part of their cybersecurity strategies. Responses were received from 130 CAEs, representing organizations of various size from many industries. In addition to providing insights into specific SOC policies and practices, the AEC Quick Poll survey results also suggest that some conclusions can be drawn about CAEs’ general levels of involvement in monitoring and reviewing their SOC operations. In order to assure complete anonymity, the survey respondents were not asked to provide identifying or qualifying information about their organizations. Using the survey findings as a starting point, researchers from Crowe Horwath conducted a series of follow-up interviews with information security executives in various organizational structures and geographic locations, and with various sensitivities to cybersecurity threats. The objective was to gather first-hand examples of current best practices. To protect the companies’ identities, the interview responses were normalized intom three general types of organizations: 1) large companies with global operations, 2) large companies with national operations, and 3) medium-size companies with regional operations. The responses were summarized along those lines in this report. The research team also interviewed representatives of a number of leading vendors that offer cybersecurity intelligence solutions and services. In addition to offering a summary of that research, this report is intended to help cybersecurity professionals, CAEs, and other stakeholders to explore broader issues and to answer two questions: 1) How can organizations move beyond merely reacting and responding to cybersecurity incidents and instead start to identify, anticipate, and actively defend against known and emerging threats? 2) What role can CAEs play in encouraging and facilitating this shift from a reactive to a proactive stance? By addressing—and ultimately answering—these questions, organizations can take the critical first steps to advancing their cybersecurity initiatives regardless of whether they are first establishing a SOC, or advancing further and establishing a fully functioning security intelligence center (SIC). 

Hoe meet je cultuur en gedrag? Hoe gaan we om met de toenemende invloed van IT? En wat is de oplossing voor de schaarste op de arbeidsmarkt? In de auditwereld is verandering een van de weinige constanten. Iedere organisatie zoekt op haar eigen manier naar de antwoorden op deze vragen. Daarbij staat elke discipline voor eigen uitdagingen: de accountant in business, de openbaar accountant en de interne en overheidsaccountant. Welke ontwikkelingen zien zij? Hoe spelen ze hierop in? En hoe ziet de toekomst van het auditvak eruit? De afgelopen tijd vroegen we een aantal vooraanstaande professionals met een auditachtergrond naar hun visie. Het resultaat: vier verhalen die – ieder vanuit een eigen perspectief – een interessante inkijk in een veranderende wereld bieden. Dat de kijk op de ontwikkelingen per discipline en per persoon verschilt, bleek overduidelijk toen we het onderwerp ‘beroepseed’ ter sprake brachten. De meningen over de invoering hiervan liepen uiteen van ‘onzin’ tot ‘een goede zaak’. Hoe dan ook: voor 1 mei 2017 moet elke accountant de beroepseed hebben afgelegd. Het is een van de 53 maatregelen die het vertrouwen in de beroepsgroep moeten herstellen. Naast alle trends en ontwikkelingen in het vakgebied zelf, gebeurt er ook veel op de arbeidsmarkt. Audit is voor Yacht Finance een focusgebied en een discipline waarin we veel expertise hebben, ook vanwege de alsmaar toenemende schaarste op de arbeidsmarkt. Daarbij zetten we vooral in op de combinatie van audit en finance & control. Enerzijds omdat onze opdrachtgevers veel baat hebben bij professionals die beide beheersen, anderzijds omdat juist deze combinatie medewerkers een unieke positie op de arbeidsmarkt geeft en carrières in een stroomversnelling brengt. Hoe de nieuwe realiteit er precies uitziet weet niemand. Toch tekenen de contouren zich langzaam af. Graag nemen wij u in deze whitepaper mee in de ontwikkelingen, uitdagingen en vraagstukken in de auditwereld. 

Given expectations for slow growth and economic and political uncertainty, technology advances and business model disruption, cyber threats, greater regulatory scrutiny, and investor demands for transparency, it’s hardly surprising that most audit committees around the world point to risk management as the top challenge facing the company in the year ahead. More than 40 percent of respondents say their risk management systems require substantial work. Audit committees, by and large, continue to express confidence in financial reporting and audit quality; yet, along with risk management, our 2017 Global Audit Committee Pulse Survey highlights ongoing concerns about legal and regulatory compliance, managing cyber security risk, and managing the control environment in the company’s extended organization. Of the more than 800 audit committee members responding to our survey, nearly 4 in 10 said the committee’s effectiveness would be most improved by having a “better understanding of the business and key risks,” while nearly a third said additional expertise related to technology or cyber security would be helpful. Overall, audit committees are largely satisfied that their agendas are properly focused on legal and regulatory compliance issues, maintaining internal controls over financial reporting, and key assumptions underlying critical accounting estimates. However, they see room for improvement when it comes to focusing on CFO succession planning, talent and skills in the finance organization, tone at the top and culture, and aligning the company’s short- and long-term priorities. Most audit committees say their organizations have a long way to go in their efforts to implement major new accounting standards. Fewer than 15 percent report a clear implementation plan for the new revenue recognition standard, and fewer than 10 percent reported a clear plan for implementation of the new leasing standard. And of those whose companies are affected by the Organisation for Economic Co-operation and Development’s (OECD) country-by-country tax reporting, many expressed concern about the lack of clarity or communication with their committee on that issue. Survey respondents also cited ongoing opportunities to improve their company’sability to manage cyber risks. Of course, these challenges will vary by company and by country (and it is difficult to compare data from 15 countries, often with markedly different business environments, regulatory requirements, and corporate governance practices). But our survey findings offer insights that audit committees around the world can use to sharpen the committee’s focus, benchmark its responsibilities and practices, and strengthen its oversight.