Vaktechnische Publicaties

Auditing, just like technology, is evolving. Once an exclusively on-site exercise, be it a face-to-face meeting with an auditee, having a coffee in the boardroom with a senior manager and discussing context and leadership, or having a site tour of the facilities with a member of the operational team, audits can now be carried out remotely using information communication technology. Due to the travel restrictions and obligation to work from home related to the COVID-19 pandemic remote auditing was not an option anymore but became a necessity. The purpose of this guidance is to describe what remote auditing is, how to assess whether or not an audit is suitable to be conducted remotely, the tools that are available for remote auditing and how to approach remote auditing in the organization. It describes a number of practices not yet commonly used in the organization, learned during the Covid 19 pandemic, which the auditors should consider when performing a remote audit. Next to this guidance there is a second publication on remote auditing released by IIA Global. Click here for the publication.  

Digitalisering speelt eens steeds grotere rol in ons (werk)leven. Kijk bij een gemiddeld bedrijf naar binnen en je ziet dat er altijd wel projecten gaande zijn om verder te digitaliseren. Elk bedrijf moet met de tijd meegaan anders wordt het ingehaald door de werkelijkheid. Datzelfde speelt ook voor een Interne Audit Functie (IAF).  Vanuit IAF’s en de Chief Audit Executive (CAE) bestond de behoefte om inzicht te krijgen in de markt van Audit Management Systemen (AMS) in Nederland en best practices wat betreft selectie en implementatie. Dit onderzoeksrapport helpt om een beeld te vormen van de markt AMS in Nederland. Als eerste heeft het onderzoeksteam een inventarisatie van de markt gemaakt, daarna is er een enquête gestuurd naar 220 CAE bekend bij het IIA om ervaringen te delen omtrent het gebruik van AMS, beweegredenen voor aanschaf, maar ook tips en leerpunten bij selectie- en implementatietrajecten. Vervolgens is er contact geweest met een aantal leveranciers waarbij informatie opgehaald is rondom de laatste trends op het gebied van AMS. Tot slot heeft er een validatieslag plaatsgevonden met een aantal CAE’s tijdens twee Roundtables. Een uitgebreide pakketvergelijking is niet het doel geweest van dit onderzoek, de resultaten kunnen wel als basis dienen voor de selectie van een AMS.   

Global Technology Audit Guide: Auditing Business Applications Business applications are crucial enablers of business processes and may comprise single software programs or a collection of hardware, firmware, and software applications operating as an integrated system. This GTAG helps auditors understand why it is important to provide assurance over business applications and how to identify and assess the relevant risks and standardized and system-specific controls when performing audit engagements. This guidance will enable internal auditors to: Understand relevant risks and opportunities related to business applications. Gain a working knowledge of the full life cycle of a business application, from planning and development to support and management reporting, along with the relevant risks and controls. Become familiar with relevant guidance from three widely used control frameworks. Plan and perform engagements to provide assurance over business applications. This is for members only. To access it and other valuable resources, become a member today.

Organisaties en hun internal auditfuncties zien zich geconfronteerd met een hoog tempo van veranderingen en ongekende onzekerheid. De pandemie heeft de bedrijfsvoering en wijze van werken ingrijpend veranderd, de verhouding tussen vraag en aanbod verstoord en heeft voorheen gezonde bedrijfsmodellen geraakt in een mate die weinigen voor mogelijk hielden. Inmiddels dreigt klimaatverandering dezelfde effecten te hebben. Ieder jaar werken de Europese instituten voor Internal Auditors samen om de belangrijkste risico’s te inventariseren voor het komende kalenderjaar. De resultaten zijn bedoeld als hulpmiddel voor het opstellen van de auditplannen voor 2022 én geven de bestuursorganen goed zicht op welke uitdagingen hen komend jaar te wachten staan.  Op de jaarlijks terugkerende enquête kwam het record aantal van 738 reacties. De instituten namen ook 50 kwalitatieve interviews af, onder 35 CAE’s, twaalf voorzitters van auditcommissies en drie CEO’s om dieper inzicht te krijgen in hoe deze risico's zich manifesteren en ontwikkelen.  Belangrijke bevindingen onderzoek Risk in Focus De belangrijkste bevinding is het toenemend belang van Climate change and environmental sustainability op de agenda. Het aantal CAE’s dat dit als een top5-risico ziet, is met 41% gestegen in vergelijking met vorig jaar, en is nu opgelopen tot 31%. Geen ander risicogebied heeft een grotere stijging; daarbij is het de voortzetting van een trend: in 2020 hadden slechts 14% van de respondenten Climate change in hun top vijf risico's. Het is nu tijd om te handelen, ook voor internal auditors! Een aantal risicogebieden met een ‘menselijke’ component in zich stijgt in belang, zoals Human capital, diversity and talent management, Organisational culture, and Health, safety and security. Organisaties maken zich zorgen over de gevolgen die de pandemie en de langdurige thuiswerkperiode hebben op de personele bezetting en de motivatie en mentale vermoeidheid van de medewerkers. Cybersecurity blijft het hoogste risicogebied: vier op de vijf (82%) bedrijven noemen het een van de belangrijkste risico's waarmee ze worden geconfronteerd, mede versterkt door het thuiswerken en de operationele verstoringen door de pandemie. Nog meer dan op preventie, liggen er grote uitdagingen op het gebied van ‘respons and recovery’  Organisational culture heeft, in het verlengde van voorgaande, een substantiële stijging van het belang gezien van 35%. In plaats van 20% vindt nu 27% van de CAE’s dit een top5-risico voor de organisatie. De cultuur dreigt aangetast te worden door het voorgaande punt hetgeen grote domino-effecten kan hebben. 

How does digitalization change the role and way of working of internal audit: an exploratory overview The current humanitarian crisis has made it clear that we are living in a digital environment and this trend will increase during the following years. Most probably, working in a digital environment will be the new normal.  IIA Netherlands in collaboration with EY have conducted a study on how the Internal Audit Function (IAF) is using digitalization technologies as Robotic Process Automation (RPA), Predictive Analytics (PA) and Artificial Intelligence (AI)  and how digital theory and methodology can be imbedded best into the business practice of the IAF.  The study findings suggest the RPA, PA and AI have not profoundly found their way into the Internal Audit activities of Dutch IAF’s yet. However this paper gives the Internal Auditor directions and points off attention to implement further digitalization to improve efficient and effectiveness of the IAF.   

Climate Change and Environmental Risk is a very relevant and important subject for most organisations. For many organisations this is a reason to reconsider and adjust their future course. In view of the strategic importance for the organisation, there is also a role for the internal auditor here. Risk in Focus (RiF), the annual survey of auditors in Europe (ECIIA) confirms this. Climate change is in the top 10 of current risks and is increasing in importance. However, we see that the time spent on climate risk is still limited. This seems to be the right moment to look at how the Internal Audit Function (IAF) can properly support the organisation on this theme. The aim of the research conducted by IIA Netherlands is therefore to provide IAF’s with tools to do so. The report answers questions such as: What role could the IAF play? What 'products' can it offer? Which tools can be used for this? What expertise is needed (extra) for this? And how do you implement this within the IAF?

Climate Change and Environmental Risk is een zeer actueel en ingrijpend onderwerp voor vrijwel alle organisaties. Het is voor veel organisaties aanleiding voor een heroverweging en aanpassing van de koers. Met het oog op het strategisch belang voor de organisatie ligt hier ook een rol voor de internal auditor.  Risk in Focus (RiF), het jaarlijks onderzoek van auditors in Europa (ECIIA) bevestigd dit. Klimaatverandering staat in de top 10 van actuele risico’s en stijgt in belang. We zien echter dat de tijdsbesteding op het gebied van klimaatrisico nog gering is. Dit lijkt hét moment om te kijken hoe de Internal Audit Functie (IAF) de organisatie goed kan ondersteunen op dit thema.  Het doel van het door IIA Nederland uitgevoerde onderzoek is dan ook Internal Audit Functies (IAF’s) daartoe handvatten te bieden. Het rapport geeft antwoord op vragen als: Welke rol zou de IAF kunnen spelen? Welke ‘producten’ kan zij bieden? Welke hulpmiddelen zijn daarvoor te gebruiken? Welke deskundigheid is daarvoor (extra) nodig? En hoe implementeer je dit binnen de IAF? 

Internal audit’s role in ESG reporting Conversations and focus on sustainability, typically grouped into environmental, social and governance (ESG) issues, are quickly evolving — from activist investor groups and inquisitive regulators pushing for change to governing bodies and C-suite executives struggling to understand and embrace the concept. At the forefront of this new risk area is pressure for organizations to make public commitments to sustainability and provide routine updates to ESG-related strategies, goals, and metrics that are accurate and relevant. However, ESG reporting is still immature, and there is not a lot of definitive guidance for organizations in this space. For example, there is no single standard for what should be reported. What is clear is that strong governance over ESG — as with effective governance overall — requires alignment among the principal players as outlined in The IIA Three Lines Model. As with any risk area, internal audit should be well-positioned to support the governing body and management with objective assurance, insights, and advice on ESG matters. The following provides an overview of risks related to ESG reporting along with context on the growing sustainability movement. It also outlines internal audit’s role in ESG reporting and how internal audit can support ESG objectives and add value.

A pivot is a change in strategy without a change in vision. Internal auditors, by nature, like order and certainty. But the global health crisis has allowed for none of that. Its disruption thrust internal auditors into the uncomfortable position of having to completely abandon or revise their well-thought-out plans and familiar checklists and processes — fast. They had to pivot — often, multiple times — to ensure they did not falter in providing independent assurance that their organization’s risk management, governance and internal control processes were operating effectively. But many internal audit functions needed to be more agile and flexible than ever before for another critical reason: The business needed their help to survive. The internal audit organizations most successful at pivoting, and helping the business to do the same, are those that had already embraced next-generation internal audit practices before the COVID-19 pandemic. These functions, which are more agile and technology-enabled, were well-positioned to support the business in new, innovative ways driven by the crisis. For this edition of Internal Auditing Around the World®, we thought it would be appropriate to focus on the topic of resilience, given everything internal audit teams and their companies have been through lately. More specifically, we asked chief audit executives (CAEs) and their colleagues: “What is internal audit’s role in business resilience?” To summarize their responses: It’s pivotal. Featured Companies The organizations profiled in the latest edition represent a cross section of countries and industries, including Booking Holdings, Centene Corporation, DBS Bank, FIS, GlobalFoundries, Grupo Bepensa, Inchcape plc, Knowles Corporation, Masonite International Corporation, stc (Saudi Telecom Company) and Standard Chartered. The new edition of Internal Auditing Around the World addresses how internal audit functions early into the evolution process have found that changes they’ve made so far — whether it was automating a critical process, expanding analytics capabilities, learning about agile auditing or encouraging an innovative mindset — allowed them to be more adaptable and resilient amid unprecedented disruption. Eleven organizations were interviewed and their experiences dealing with this transformation are presented as case studies in the book.

The Covid-19 pandemic has been the most significant disruptive event for decades, impacting the political, social and economic environment of insurance companies for years to come. It has been a catalyst for several distinct pre-existing macro trends: use of technology, workforce and ESG (sustainability). This research paper by the ECIIA addresses the following topics: Impact of macro trends: on insurance and Internal Audit, focusing on those directly resulting from the Covid-19 pandemic Reaffirming the Purpose of Internal Audit: Judgement at the Core of Audit Assurance; Impact of the New Ways of Working: Environment and risks; Remote Auditing: Opportunities, Audit needs and limits; Future of Audit Work in the light of process automation and remote working

For directors seeking to promote DEI in their organizations, it’s a good idea to start at the top. The April issue of Tone at the Top, “Diversity: An Accepted Business Value,” provides strong evidence that promoting diversity is a worthwhile effort because a diversified organization offers numerous business benefits — from additional skills and measurable performance improvements to broadened perspectives and connections. The percentages are poignant and the data is a driving force behind a number of regulators and stakeholders setting new DEI rules or expectations for organizations. The good news? There are a few guidelines that boards can follow in their efforts to enhance diversity. A Quick DEI DIY Checklist: Have a conversation Don’t overlook the risks Carefully consider your definition of diversity Ask the right questions Measure effectiveness Don’t just check a box Don’t add diversity then stifle it Keep in mind that internal audit can provide value throughout the process as the sole source of independent assurance within the company by performing holistic and objective reviews of the board and organization’s DEI efforts and their effectiveness.

Given the importance of IA’s role, a regular evaluation of the IA activity can give boards and audit committees confidence that the internal auditors are performing their job effectively based on the International Standards for the Professional Practice of Internal Auditing, best practices, and the board and audit committee’s specific expectations. This assessment tool offers suggestions for issues to be addressed in an evaluation based on established best practices. It is not intended as mandatory guidance, but rather as a resource that boards and audit committees can use in whole or in part to explore: The quality of the services the company is receiving from IA and the sufficiency of resources at its disposal. The level of communication and interaction with the IA team. The independence, objectivity, and skepticism of the IA team. Each section includes a series of questions in fundamental areas that boards, audit committees, and others can ask to better understand the IA activity and to develop their own plans for enhancing the input and value of this important area.

This practical guidance is part of the Risk in Focus 2021 publication. It aims to provide a concise overview of key publications and existing tools developed by the 10 European institutes of internal auditors in Austria, Belgium, France, Germany, Italy, Luxembourg, the Netherlands, Spain, Sweden, the UK & Ireland and publications from IIA Global. This guidance is developed to help internal auditors address some of the key risks identified in Risk in Focus 2021, with the aim of contributing to the reduction of their impacts on businesses and stakeholders. Where the Risk in Focus report itself addresses the ‘WHAT-could be important to audit’, this guidance helps you address the ‘HOW-to audit’ this topic. For the 2021 edition, practical guidance and webinars will be available on the following three chosen topics from the report: Guidance Cybersecurity and data security Webinar Cyber and Data Security  Guidance Macroeconomic and geopolitical uncertainty Guidance Climate change and environmental sustainability These topics have been selected due to their current and foreseen importance for most organisations and take into consideration the needs of Chief Audit Executives to strengthen or expand their knowledge and experience in auditing these three fast-developing risks. Please keep in mind that we intentionally chose to dive into some specific components of these three risks. Whilst we have endeavored to explore what we think are the key focus areas of these risks, a thorough understanding of their application may require additional research on your part, but we aim to provide a selection of what would benefit the most to the profession in the current context. All practical guidance is designed to firstly, help practitioners learn from experienced professionals (experts, operational teams or internal audit), and, secondly, offer practitioners useful reflections that we believe are of particular interest when auditing these topics and their associated risk management processes.   About climate change and environmental sustainability Why should climate change and environmental sustainability be on your radar? Firstly, because environmental challenges are of a growing importance for all organisations. It is undeniable that this is now a strategic preoccupation for all organisations, encouraged by their internal and external stakeholders - to become more resilient to environmental risks and to directly contribute to the environmental sustainability of our society. In fact, the risk is already proven, the consequences on businesses are measurable.

This Global Perspectives and Insights provides a straightforward view to help organizations identify structures, design processes, and assign responsibilities that assist the achievement of objectives to facilitate strong governance and risk management. As a tool, The Three Lines Model is meant to be adaptive, which means that application of the model’s core elements will vary depending on the individual organization and its goals. Needed now more than ever, this Global Perspectives and Insights will clarify these essential governance elements and answer questions about implementing The Three Lines Model in different industries.

This practical guidance is part of the Risk in Focus 2021 publication. It aims to provide a concise overview of key publications and existing tools developed by the 10 European institutes of internal auditors in Austria, Belgium, France, Germany, Italy, Luxembourg, the Netherlands, Spain, Sweden, the UK & Ireland and publications from IIA Global. This guidance is developed to help internal auditors address some of the key risks identified in Risk in Focus 2021, with the aim of contributing to the reduction of their impacts on businesses and stakeholders. Where the Risk in Focus report itself addresses the ‘WHAT-could be important to audit’, this guidance helps you address the ‘HOW-to audit’ this topic. For the 2021 edition, practical guidance and webinars will be available on the following three chosen topics from the report: Guidance Cybersecurity and data security Webinar Cyber and Data Security  Guidance Macroeconomic and geopolitical uncertainty Guidance Climate change and environmental sustainability These topics have been selected due to their current and foreseen importance for most organisations and take into consideration the needs of Chief Audit Executives to strengthen or expand their knowledge and experience in auditing these three fast-developing risks. Please keep in mind that we intentionally chose to dive into some specific components of these three risks. Whilst we have endeavored to explore what we think are the key focus areas of these risks, a thorough understanding of their application may require additional research on your part, but we aim to provide a selection of what would benefit the most to the profession in the current context. All practical guidance is designed to firstly, help practitioners learn from experienced professionals (experts, operational teams or internal audit), and, secondly, offer practitioners useful reflections that we believe are of particular interest when auditing these topics and their associated risk management processes.   About Macroeconomic and geopolitical uncertainty 33% of the CAEs surveyed in Risk in Focus 2021 cited macroeconomic and geopolitical uncertainty as a top five risk, and 8% say that this is the biggest single risk their company is currently exposed to. However, only 3% say that this is an area where internal audit currently spends most time and effort.  We have taken this as an opportunity to take a closer look at how internal audit should approach macroeconomic and geopolitical uncertainty risks. What can internal audit do to ensure that the organisations they serve are prepared for these risks?