Cybersecurity attacks are increasing as the tools for detecting and exploiting vulnerabilities in networked systems and devices become increasingly sophisticated or commoditized. Threatening technologies and methods are advanced by criminal enterprises, state-sponsored hackers, and others with malicious intentions. An organization’s stakeholders rely on independent, objective, and competent assurance services to verify whether cyber incident response and recovery controls are well-designed and effectively and efficiently implemented. The internal audit activity adds value to the organization when it provides such services in conformance with the Standards and with references to widely accepted control frameworks, particularly those used by the organization’s IT-IS functions.
Professional Publications
In our knowledge centre you will find an extensive collection of professional publications that support you in your work as an internal auditor. From practical manuals and white papers to in-depth analyses and international standards, all our publications aim to strengthen your expertise and raise the quality of internal audits. Discover valuable insights and stay up to date in the dynamic field of internal auditing.
A new report, "Diversity, Equity, and Inclusion 101: Internal Audit's Invaluable Role in Creating a Sense of Belonging at Work," from the Internal Audit Foundation and Deloitte, explains why it is essential for internal audit to be more involved in the organization's ESG efforts, and helps you get started today with tangible action items to add value and improve the outcomes of DEI initiatives. The top five takeaways:
- Definitions of key terms such as diversity, equity, inclusion, and anti-oppression are provided to help navigate confusing and often misused terminology.
- Internal audit's opportunity and obligation to foster a diverse, equitable, and inclusive culture starts within its own function.
- Establishing metrics and monitoring the DEI program are critical actions to ensure the program is meeting strategic objectives.
- Organizations need new ways to identify and manage DEI risks and to examine business processes to expose strengths and deficiencies.
- Take the first steps toward addressing DEI efforts as an assurance provider, trusted advisor, or agent of change.
The purpose of this practice guide is to increase the internal auditor's awareness of fraud risk, including the role the internal audit activity can play, and to provide guidance on how to perform a fraud risk assessment at an organizational level. The IPPF requires internal auditors to consider the risk of fraud in their work. The internal audit activity must evaluate the potential for fraud and how the organization manages fraud risk, as per Standard 2120.A2. Implementation of this guide is intended to:
- Increase the internal auditor's awareness and understanding of organizational fraud risk governance and management.
- Explain the various roles responsible for preventing, detecting, assessing, and investigating fraud at the organizational level and how they interact, using The IIA's position paper, The Three Lines Model.
- Describe the purpose and benefits of utilizing a fraud risk management framework, with specific reference to COSO's Fraud Risk Management Guide.
- Explain the role the internal audit activity may play in the organization's fraud risk management program.
- Identify the requirements for the internal audit activity to provide assurance on organizationwide fraud risk governance and management. These include:
  - Evaluating structures and processes for fraud risk governance.
  - Performing an organizationwide assessment of fraud risks.
  - Evaluating the design of the fraud risk management program.
  - Evaluating operationalization of the fraud risk management program.
  - Communicating results and assurance to senior management and the board.
The second edition of this practice guide supersedes the Practice Guide "Internal Auditing and Fraud," originally issued in 2009.
This report provides a comprehensive overview to help Audit Committee members properly prioritize and monitor one of the greatest business risks. We outline key questions for understanding why the cyber security perimeter has expanded, its connection with other risks, the greatest threats, the costs of a cyberattack, and what can help to mitigate it. The question is not whether there will be attacks, but when. We need to be prepared.
The conflict in Ukraine requires greater vigilance in cyber security. ISACA Belgium, the Institute of Internal Auditors Belgium, and the Institut Français de l’Audit et du Contrôle Internes (IFACI) decided to issue a short impact briefing for all members. Although it remains silent about concrete actions and attacks, clear indications show, in the wake of the Ukrainian conflict, an expansion of malicious cyber activity both inside and outside the conflict area. In a digital world, cyber attacks can have a huge impact on daily operations and business, rendering our private and public companies and organizations more vulnerable. Therefore, they need to proactively prepare to mitigate the potential impact of such events.
Introduction & Context
This paper intends to raise awareness and to encourage organizations to reflect on their cyber readiness in the context of the conflict in Ukraine. This changing environment calls for a reassessment of the current cyber risk exposure and an evaluation of the need to implement additional measures. Whether or not cyber risk was considered in the past, the current situation may provide an opportunity to assess what needs to be done or to review the existing measures.
Cybersecurity operations can be categorized into three high-level control objectives: security in design, prevention, and detection. Stakeholders must be able to rely on internal audit’s independent, objective, and competent assurance services to verify whether organizational cybersecurity operations controls are well-designed and effectively and efficiently implemented. The internal audit activity adds value when it provides such services in conformance with the Standards and with references to widely accepted control frameworks, particularly those used by the organization’s IT and IS functions.
The IIA's three-part Global Knowledge Brief series on cybersecurity presents an overview of the new SEC proposals, including the implications they have for cybersecurity reporting regulation in the U.S. as well as abroad. It also explores how internal auditors can play an important role in helping their organizations manage the altered compliance landscape that new regulations could soon create.
Part 3 of this series addresses how internal auditors can better identify and evaluate ESG risks within their own organizations, and provides real-world strategies employed by internal audit functions currently in the field. Michelle Uwasomba, Principal, Consulting Enterprise Risk Practice, and Shannon Roberts, Principal, Climate Change and Sustainability Services Practice, of Ernst & Young LLP (EY US) share some of their experiences in supporting companies in the development and execution of management programs to identify, assess, and respond to ESG risks (both upside and downside).
This new report, part of the Risk in Focus 2022 publication, produced jointly by twelve institutes of internal auditors and the ECIIA, draws on roundtable debates and interviews with CAEs across Europe to explore the key issues for organisations and for internal audit teams and to suggest questions and actions that CAEs and their teams can use to raise awareness in their businesses. Each year, Institutes of Internal Auditors from across Europe and the ECIIA collaborate to survey and interview chief audit executives (CAEs) to produce the Risk in Focus report, highlighting the most important risks for the year ahead. This year, human capital, diversity and talent management rose to its highest position ever when it was cited by 40% of CAEs across Europe as one of their top five risks for 2022. People with technology expertise have been in critically short supply for many years. The skills crisis has widened dramatically and organisations in all sectors and locations are struggling to find people at all levels and with a huge range of skills. It is clear that organisations need to find new ways to attract and retain talented employees and invest in training and education. Corporate reputations matter more than ever. Organisations that have already worked hard to improve their equality, diversity and inclusion will reap the benefits as they are able to reach out to larger pools of potential employees and to attract those who leave employers they perceive as unsupportive or unable to offer them opportunities. Those that have not will have more limited options and must scramble to catch up.
This yearly report has gathered insight from leaders in the profession through the annual Pulse of Internal Audit Survey since 2008. Each survey collects information about established and emerging issues, and other topics of importance to the profession and internal audit management. In an era where disruptive change has become the norm, the need for accurate and reliable benchmarking is paramount. The IIA’s 2022 North American Pulse of Internal Audit report brings together more than a decade of survey results to reveal important trends in four key areas:
- Budget - Compared to 2020, staffing budgets showed some return to normal, but travel budgets continue to have widespread, sustained cuts.
- Staff - Initial COVID-related cutbacks have eased generally, but there is less willingness to increase staff levels than before the pandemic.
- Risk - Technology risks and third-party risks are trending up. For the first time, sustainability risk edged upwards in the survey data.
- Audit Plan - Cybersecurity is trending up on audit plans for all respondents. For publicly traded organizations, Sarbanes-Oxley is increasing steadily.
Beyond benchmarking, the Pulse report offers insights into how CAEs lead their functions, including areas of responsibility outside of internal auditing (fraud, ERM, SOX, etc.), as well as how they determine top concerns and decide how they would spend extra budget. Updated with a new digital-friendly format, the Pulse report is designed to share with peers, audit committees, and executive management.
The Internal Audit Foundation has released a new report in collaboration with Crowe: Privacy and Data Protection, Part 2: Internal Auditors’ Views on Risks, Responsibilities, and Opportunities. This second report in a three-part series reveals a number of potentially valuable opportunities for internal auditors to take an earlier, proactive role in helping to recognize, manage, and mitigate these risks, while still fulfilling their role as defined by the International Professional Practices Framework. Detailed examination of the results provided a number of insights that internal audit professionals can use to reflect on their own organizations’ preparedness and effectiveness in managing risks associated with privacy and data protection. Key takeaways include:
- Data privacy roles and responsibilities
- Data privacy as a material risk
- Internal auditors’ views of program effectiveness
- Internal auditors’ most critical concerns
- How internal auditors can add value
This is the second of a three-part series on the evolving ESG risk arena and internal audit's roles and responsibilities.
The ESG Risk Landscape Part 2: Implementation, Reporting, and Internal Audit's Role
The need for independent assurance on the design and efficacy of ESG-related processes and controls will soon be essential to the work of internal audit. As such, internal auditors should be prepared to act confidently and authoritatively in support of their organizations' ESG efforts. In Part 2 of this series we examine implementation, reporting, and internal audit's role.
Understanding ESG Reporting Standards in 2022 and Beyond
This knowledge brief discusses the major frameworks being used to manage ESG risk, along with regulatory concerns and reporting initiatives. The intent is to offer practitioners perspective on the ESG landscape and provide a roadmap for internal auditors as they solidify their role in their organizations' ESG journeys.
This new report, "Prioritizing ESG: Exploring Internal Audit's Role as a Critical Collaborator," by the Internal Audit Foundation, The IIA, and Ernst & Young LLP (EY) reveals how internal audit functions are currently involved in their organization's ESG efforts, current barriers within their organization that may hinder this involvement, and ways to move forward given impending regulations.
Internal auditors need to understand the common technologies that enable remote work, the significant risks arising from remote access, and the standard controls that prevent, detect, or remediate unauthorized access to or sharing of information. The COVID-19 pandemic prompted a significant increase in those working from home and in the resultant risks relating to a mobile or remote workforce. This guide supersedes the Global Technology Audit Guide (GTAG) "Auditing Smart Devices" and broadens the scope to focus on a wider range of risks and controls related to a mobile workforce. This guidance will enable internal auditors to:
- Define mobile computing hardware, software, and communication tools.
- Understand risks and opportunities associated with mobile computing.
- Understand components of remote access processes and related security controls.
- Understand the basics of auditing mobile computing, including specific controls that should be evaluated.