Actualiteit

In last year’s Pulse of Internal Audit report, The IIA challenged the profession to address emerging risks by realigning audit coverage continuously — to audit “at the speed of risk.” Today, the challenge remains to move beyond annual planning and typical audit areas. The consequences of a toxic culture, the destructive impact of a cyberattack, the exponential growth in the collection and reliance upon data — these represent just a sampling of today’s risks that increasingly fall outside of the traditional comfort zone in which many auditors operate. As risks change, as new risks emerge, and as stakeholder expectations continue to evolve, internal auditors must move out of their comfort zone to audit at the speed of risk. This year’s IIA Pulse of Internal Audit survey focused on areas where changes in the business environment, changes in technologies, and changes in people are affecting the risk environment for organizations. How are internal auditors keeping up with these changes? In a bygone era, audit professionals carved out a comfort zone focused on financial and operational risks. The results from the survey highlight opportunities for internal audit to move out of the comfort zone. High-profile scandals and organizational failures that have littered the landscape over the past year point to the critical role of culture in the governance of organizations. Unfortunately, only 42 percent of survey respondents are addressing the culture in their organizations. Lack of management and board support for internal audit’s involvement in culture, and lack of internal audit’s ability to identify and measure organizational culture, are closely associated with internal auditors avoiding this risk. The issue of cybersecurity continues to present itself as a major topic of concern for organizations. Most survey respondents believe prevention is the most important response to this risk. While not ignoring the critical role of preventing cyberattacks, it has proven to be naive for many organizations to assume they can prevent a successful attack. Organizations must be prepared to respond to cyber risks, and the survey results indicate they may not be as prepared as they should be. In addition, while internal auditors recognize this risk, the majority (52 percent) acknowledge lack of expertise among internal audit as an obstacle to addressing cybersecurity risk as they should. Increasingly, organizations are using more data — and in more sophisticated way — to drive decisions. Internal auditors are not as involved in all aspects of data use and only 29 percent are very or extremely confident in the strategic decisions their organizations make based on the data it collects and analyzes. Interpersonal skills have never been more important for internal auditors. Most CAEs are not satisfied with the level of these skills in their teams. Less than half of survey respondents reported their teams have more than a moderate level of proficiency in soft skills. The data suggests significant room for growth. Risks keep evolving and growing and there are areas where internal audit has to move out of its traditional comfort zone and catch up to the risks. Shifts in mindset and sense of urgency are necessary for internal audit to meet and exceed the needs of their organizations — and to become trusted advisers.  

Regional Relections: Latin America is a customized research report that provides a Latin American perspective on the indings from CBOK 2015, the largest ongoing study ofinternal audit professionals in the world. Building on the 10 imperatives for internal audit that were presented at he IIA’s 2015 International Conference, this report highlights unique concerns for Latin America and provides insights from several internal audit leaders in the region. In addition, an appendix at the end of this report gives key demographics about survey respondents from Latin America. In many ways, internal auditors in Latin America perform well in comparison with their colleagues around the world. hey have strong relationships with stakeholders, often align well with the strategic objectives of their organizations, and have high levels of expertise in automated audit technologies. Having their performance pegged to the expectations of stakeholders, they are well placed to satisfy their customers and create real value to the businesses in which they work. However, there are improvements to be made. Too few chief audit executives (CAEs) primarily report functionally to the boards of their organizations, a situation that can compromise their departments’ performance. Management stakeholders can have excessive inluence over the annual audit plan and how the work of internal audit is perceived. A strong relationship with these stakeholders can be a double-edged sword, causing some auditors to focus too much on compliance and not enough on mission-critical projects. It is perhaps not surprising that 1 out of 3 CAEs say they have had pressure put on them to alter valid audit indings, and the source of the pressure is usually the CEO. Latin America needs a larger number of boards, and those boards also need to be efective and supportive of internal audit.  If conformance to he IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is relatively low when compared to global averages, and the proportion of people who hold IIA certiications is equally low, change is on the way. IIA ailiate bodies are working with the region’s governments to reduce the constraints on internal audit exerted by out-of-date regulations. CAEs are educating their boards and management about the value of the Standards, and individuals spend more hours in training than almost anywhere else in the world. he region’s internal auditors are moving forward.

Effectively Leverage Your Most Valuable Asset Regardless of organization size, sector, or industry, people are an organization’s most valuable asset. Ensuring the internal audit activity is adequately staffed is just one piece of the puzzle. It must comprise the right people, who have the right skill sets, and who are afforded the right opportunities for growth and development if internal auditing is to add real value and meet stakeholder expectations. Talent Management: Recruiting, Developing, Motivating, and Retaining Great Team Members outlines best practice recommendations for the various elements — everything from assessing competencies and selecting candidates to training and succession planning — that make up an organization’s talent management strategy. This is for members only. To access it and other valuable resources, become a member today. Non members: Purchase ($ 25,-) the practice guide, “Talent Management"

Beyond the Numbers: Internal Audit’s Role in Nonfinancial Reporting Internal auditors are familiar with annual reports — crisp recitations of organizational activities, a few words from the CEO, eye-catching graphics, pages of financial outcomes, and, for publicly traded companies, a long list of required disclosures relating a vast array of sometimes confusing and mind-numbing detail. The reports encompass everything the reader needs to know about the company, especially if that reader is contemplating investing in the organization. Right? Maybe not. Increasingly, investors and other stakeholders want more from company reporting. They want to know if the organization is operating sustainably, if it monitors its impacts on the environment, if it is mindful of social issues such as diversity and equal opportunity. When making decisions about supporting a company, stakeholders increasingly expect a more comprehensive report — one that goes beyond financial health. Many organizations also want stakeholders to have improved insight into activities they perform that benefit the greater public good or serve a public interest. Nonfinancial reporting fills the void by reporting quantitative and qualitative information that falls outside the scope of mainstream financial statements. Though not an exhaustive list, related terms include corporate social responsibility (CSR) reporting; sustainability reporting; integrated reporting; holistic reporting; enhanced reporting; service efforts and accomplishments reporting; and environmental, social, and governance (ESG) reporting.1 This is not a passing trend — the European Union has required nonfinancial reports for some 6,000 organizations across member countries;2 global frameworks and standardized approaches to nonfinancial reporting are gaining recognition;and globally, organizations are expected to increase spending on sustainability assurance by 20 percent over the next five years.3 In 2013, KPMG et al published the results of a survey on corporate reporting in 45 countries.4 It found 134 mandatory policies and 53 voluntary policies related to at least some aspects of nonfinancial reporting, among countries such as Australia, Brazil, China, France, India, Indonesia, Japan, Mexico, Singapore, and South Africa.

It can be a daunting task for internal auditors to grapple with how geopolitics impacts their organizations. After all, geopolitics includes broad and complex interrelated topics such as climate change, the outbreak of disease, political instability, economics, war, and conflict, all of which can present risks to the organization with little or no notice. Geopolitical risks cannot be considered in isolation; these risks are quite interrelated. This paper briefly describes the impact of economics, war, and conflict on one particular topic that has pervaded global business news headlines — the price of oil. The authors consider the impact of the price of oil on multiple industries. Finally, they explore the key considerations for internal audit in addressing geopolitical risks to the organization.