Professional Publications

Our knowledge centre offers an extensive collection of professional publications that support you in your work as an internal auditor. From practical guides and whitepapers to in-depth analyses and international standards, all our publications are aimed at strengthening your expertise and raising the quality of internal audits. Discover valuable insights and stay up to date in the dynamic field of internal auditing!

MAB: The Internal Audit Function (special issue, April 2020)
22.04.2020 Publication

The IAF has developed into an essential sensory organ of the board, an antenna, a probe that continuously gives top management and the supervisory board important information about the control of risks within the company: risks that go far beyond the reliability of financial reporting or compliance with laws and regulations, and that also relate to the execution of strategy, long-term value creation and the continuity of the company. This special issue comprises nine articles and two thought-provoking essays by authors who have amply earned their spurs in the field. The first three contributions consider the IAF in its current context. Two articles then address the human factor within the IAF. After that, three articles discuss the current developments the IAF is going through, such as the significance of digitalisation and algorithms, followed by two contributions on the IAF's working methods in practice. The special issue closes with a thought-provoking essay on the role of the IAF in a complex world in which innovation is essential to survive. The articles in this special issue give a kaleidoscopic picture of the IAF that will appeal to every MAB reader. They also contribute to the existing research literature and to possible future research on this subject. This publication was produced in collaboration with the Stichting Vaktechnisch Onderzoek of the Instituut van Internal Auditors Nederland. The editors naturally welcome suggestions and comments in response to this special issue of the MAB. Go to the online edition of the MAB special issue De internal auditfunctie

GPI: Understanding the Effects of Diversity and Inclusion on Organizations
09.04.2020 Publication

Diversity is a broad and extremely timely topic in today’s environment. A conversation regarding diversity within an organization is worth having because significant research shows that it has a tangible impact on both workplace productivity and organizational value. In contrast, a lack of diversity is an organizational risk as relevant as any other risk worth being recognized by an internal audit activity. According to the International Professional Practices Framework (IPPF), it is internal audit’s mission “to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight.” This edition of Global Perspectives and Insights sheds light on how diversity impacts the workplace and affects productivity and organizational value. It will also explain why internal audit should be an advocate for diversity in all its forms within both its own activity and the organization as a whole.

COSO ERM Creating and protecting value
01.04.2020 Publication

Over the past few decades, enterprise risk management (“ERM”) has been receiving increased attention by boards and executives and has undergone a continuing evolution in its development and uses. Along the way, lessons have been learned and ERM has been better understood regarding its benefits, objectives, and role in the organization. This COSO thought paper takes advantage of lessons learned and new guidance on enterprise risk management published by COSO to provide directors and executives with a better understanding of the role of enterprise risk management in creating and preserving value and its relationship to the key strategies of the organization. While not a detailed implementation guide, this paper includes overall guidance and an outline of succinct tangible steps that can be used to implement an effective ERM program. This thought paper outlines and provides clarity on the role and value of enterprise risk management to help directors and executives answer several key questions including: “What is the real value of enterprise risk management?” “What is its role and objectives?” “What are the practical steps that can be taken to implement enterprise risk management?” The approach and steps contained in this thought paper are based on successful practices that organizations have used to take an incremental, step-by-step approach to implement enterprise risk management. While this is not the only way to implement ERM, this incremental approach is designed to be very adaptable and flexible. The approach provides practical steps that can help take conceptual ideas of strategy and risk and actualize them through a series of basic steps.

Practice Guide: Auditing Credit Risk Management
01.04.2020 Publication

Credit risk has always been considered a key risk for financial services organizations and, for a good number of organizations, maybe the most critical risk. This guidance provides internal auditors with a baseline skill set that allows them to test and evaluate the effectiveness of their organization’s credit risk management framework and processes. This guidance will enable internal auditors to: Understand the importance of credit risk in a financial services context. Understand the regulatory environment and requirements related to credit risk. Understand the risk governance and risk management processes surrounding credit risk. Describe the nature and basis of measurement of the probability of default. Design an audit engagement that assesses the appropriateness and effectiveness of the credit risk management framework and the adequacy of the institution’s credit profile. Be able to apply IPPF and risk-based internal audit techniques to assess and audit credit risk in their organization. The eBook Practice Guide: Auditing Credit Risk Management costs $25.00

GTAG: IT Change Management: Critical for Organizational Success, 3rd Edition
20.02.2020 Publication

Change management in the IT environment is, as the guide’s title states, critical for organizational success. Organizations are bombarded with change requests, not only to improve or update existing application functionality, but also to implement necessary patches to help secure those applications, and in some cases to comply with relevant regulatory requirements. Managing the flow of requests should be handled efficiently and effectively to avoid mishaps, rework, unintended consequences, or even system failure. The updated third edition of this topic will help internal auditors understand the risks and controls associated with IT change management and how to assess the operational efficiency of processes involving change management. This guide provides tools to help internal auditors obtain and evaluate evidence that management’s assertions are accurate, and explains how to provide assurance over this critical area. This guidance will enable internal auditors to: Have a working knowledge of IT change management processes. Distinguish effective change management processes from ineffective ones. Recognize red flags and indicators that IT environments are having control issues related to change management. Understand that effective change management hinges on implementing appropriate preventive, detective, and corrective controls to ensure adequate management supervision. Recommend best practices for addressing issues, both for assurance of risks and increasing effectiveness and efficiency.

COSO: Managing Cyber Risk in a Digital Age
07.01.2020 Publication

Even as companies become more digital savvy, they continue to confront new and emerging data risks that pressure financial and reputational vulnerabilities. To help address these challenges, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), in collaboration with Deloitte Risk & Financial Advisory, is releasing new guidance, “Managing Cyber Risk in a Digital Age.” Written to boards of directors, audit committee members, executive management, and cyber practitioners, the new guidance addresses how companies can apply COSO’s Enterprise Risk Management–Integrating with Strategy and Performance (ERM Framework), one of the most widely recognized and applied risk management frameworks in the world, to protect against cyberattacks. The guidance provides insight into how organizations can leverage the five components and 20 principles of the ERM Framework to identify and manage cyber risks. This guidance provides context related to the fundamental concepts of cyber risk management techniques but is not intended to be a comprehensive guide to develop and implement technical strategies.

Being more successful with Soft Controls
29.11.2019 Publication

This report contains the findings of a study into the extent to which Internal Audit Functions (IAFs) conduct audits focused on culture and behaviour (C&B), the extent to which C&B is discussed in the meetings between the IAF and the Audit Committee (AC) and the ambitions of IAFs in this area. Much has been published about C&B in recent years. This publication occupies a unique position in the literature on this topic. It does not focus on the importance of the topic, the possible role of the IAF or the research methods, but on the state of affairs, the ambitions and the tools to achieve these ambitions. In a careful process, the working group defined a practical theoretical framework for this, conducted a survey among Chief Audit Executives (CAEs), discussed the survey results in interviews with a number of Supervisory Board members, and reflected on them in a roundtable meeting with participating CAEs. The report contains a number of key insights and tools, which are elaborated step by step and summarised in a clearly structured way in a concluding section. What is striking in the findings in any case is that many IAFs want C&B to receive more attention, and that the IAF is the main internal supplier of C&B-related audits and the Supervisory Board / AC is seen as an important sponsor, but also that CAEs need to take the initiative on this and ‘pitch’ such audits. The report is an excellent tool for (even) further integrating C&B in management, auditing and supervision. In addition, it provides CAEs with an excellent point of reference for benchmarking their own situation and ambitions and entering into discussions with their Management Board and Supervisory Board / AC. It would be good if the publication also triggered a further professional debate in which the following question can be raised: How can the increasing attention paid to C&B deliver not only effectiveness, but also efficiency for audits that currently still rely primarily on hard controls?  

Practice Guide: Auditing Culture
19.11.2019 Publication

Culture can be difficult to define, including individual belief systems and preferences of each employee — from line workers to the corner office. Culture captures the complexity of defining and then assessing intangible organization-wide qualities or aspects that comprise human belief systems, social norms, and other psychological factors. This practice guide will help internal auditors understand risks associated with an organization’s culture, how effective management of those risks supports a successful control environment, and how to approach an assessment of culture. This guidance will enable internal auditors to: Understand the business significance of culture and conduct risk in an organization’s control environment. Identify the key components of culture and conduct risk. Understand key stakeholder concerns and expectations related to culture and conduct risk. Recognize internal audit’s role in assessing and reporting on organizational culture. Understand, based on example tools/guidance, possible approaches to assess and report on an organization’s culture and management of conduct risk. The eBook Practice Guide: Auditing Culture costs $25.00

GPI: Optimizing Talent Management in an Evolving Audit Landscape
18.11.2019 Publication

The IIA’s new report, Global Perspectives and Insights: Talent Management, explores the evolving challenges organizations are facing when trying to recruit and retain top internal audit talent. It discusses factors like the expanded ground internal audit is charged with covering as well as issues that compound the situation, like technology advancements and tech-based risks. If you are an internal audit candidate with a background in IT, data analytics, or related tech-based specialties, congratulations. You are the unicorn audit leaders across the globe will be bidding on just for the privilege of basking in the breadth of your knowledge. Life is good, and you will soon have the bank account you have always dreamed about.  One person’s dream, however, is another person’s nightmare. In today’s talent market, audit leaders are losing sleep over how best to maintain functions capable of fulfilling an expanding list of obligations company stakeholders expect of them. As the business risk landscape continues to shift at an ever-increasing rate — driven by emerging technologies, macroeconomics, geopolitics, and more — internal audit functions are tasked with somehow navigating a talent market that is spread thin and demands financial compensation far beyond what some audit functions can offer.  However, no challenge is insurmountable, and this multi-faceted one can be resolved with a comprehensive talent management strategy that spans the entire lifecycle of talent, from recruitment to development to long-term retention. What is needed is an understanding of the factors that have created such a volatile environment for talent, and an informed evaluation of what a talent management strategy should entail.   

Position Paper: Auditing Cybersecurity within Insurance firms
18.11.2019 Publication

The European Confederation of Institutes of Internal Auditing (ECIIA) released a report on Auditing Cybersecurity within Insurance firms. Internal Audit plays a vital role in the provision of assurance regarding the efficiency and effectiveness of the key cybersecurity processes and controls in insurance and reinsurance undertakings. Key stakeholders such as Management and the Board rely on the work of Internal Audit in regard to cyber-related risks. This position paper aims to set out the view from the ECIIA Insurance Committee and intends to provide guidance to Chief Audit Executives (CAEs) in the Insurance sector in regard to the audit of cybersecurity. Cyber risk is important, in light of the recent increase of cyberattacks and the new European Regulations: General Data Protection Regulation and the Network and Information Systems Directive in 2018. The need for effective IT Cybersecurity controls has been highlighted by the European Insurance and Occupational Pensions Authority (EIOPA), saying that cyber risk is becoming a growing concern for institutions, individuals and also financial markets and is now at the top position of the list of global risks for businesses. The Solvency II Directive encourages Own Risk Self-Assessment and the use of risk categories based on the specific characteristics of the undertakings and not just the Solvency II standard classification. The paper does not aim to provide a one size fits all solution for auditing Cybersecurity risks, but it provides a framework from which internal audit departments may build a multi-year long term approach to auditing cyber risks.

Practice Guide: Unique Aspects of Internal Auditing in the Public Sector
07.11.2019 Publication

Public sector organizations are expected to serve the public good, uphold the principles of ethical governance, and comply with myriad laws and regulations. Yet the nature of politics may put pressure on, or conflict with, ethical governance principles. Based on professional guidance from the International Standards for the Professional Practice of Internal Auditing and practical insights from global internal audit professionals, the guide advises CAEs and internal auditors about planning and performing internal audit engagements while properly managing the opposing forces of political pressures and ethical principles. This guidance will enable internal auditors to: Understand the definition of public sector and the types of public sector organizations. Recognize public sector governance roles and how they may affect internal audit principles such as organizational independence and unrestricted access. Incorporate additional standards and requirements specific to the public sector. Assess the organization’s commitment to ethical governance principles. Identify the types of engagements performed in the public sector and how to plan them. The eBook Practice Guide: Unique Aspects of Internal Auditing in the Public Sector costs $25.00

Practice Guide: Core Principles for the Professional Practice of Internal Auditing
04.11.2019 Publication

A Dutch translation has been published of the Practice Guide ‘Demonstrating the Core Principles for the Professional Practice of Internal Auditing, Enablers and Key Indicators’. This Dutch practice guide is titled ‘Blijk geven van de Grondbeginselen van de beroepsuitoefening van internal auditing, Instrumenten en Indicatoren’. The practice guide once again explains the core principles and their importance for the IAF. For each principle it gives concrete tools or pointers to ensure that the principle is met. It also gives indicators for measuring whether (and to what extent) the IAF has succeeded in doing so. With this practice guide, the IIA offers a practical aid for evaluating and discussing the degree of conformance with the core principles.

OnRisk 2020, a guide to understanding, aligning and optimizing risk
23.10.2019 Publication

IIA Global has published the OnRisk report as a guide for identifying and managing the most important risks. Like the report ‘Risk in Focus 2020, Hot topics for internal auditors’, it names risks that organisations are (or may be) confronted with. These risks are very similar to those named in Risk in Focus 2020. Unlike Risk in Focus, OnRisk compares the perceptions of CAEs with those of management and the board. There turn out to be large differences between them. This underlines once more how important it is for the IAF to compare its own assessment with that of the other ‘players’. There is also a second difference. While Risk in Focus mainly addresses what the risks mean for the 2020 annual audit plan, OnRisk mainly addresses the actions that the board, management and the IAF could take to manage the risks concerned. In short, a useful report to read and to discuss within your own organisation.

More Success with Soft Controls
26.09.2019 Publication

Culture & Behaviour (C&B) is an important part of the internal control of organisations. It is high on the board agenda. The Dutch Corporate Governance Code (the Code) also underlines the importance of a constructive culture. The priorities of the Supervisory Board and the Audit Committee (AC) strongly influence the agenda and effectiveness of the Internal Audit Function (IAF). That is why IIA Nederland and NBA LIO regularly organise knowledge exchanges with supervisory board members. Recently we have been learning from supervisory board members that they not only want more attention for C&B, but also need further depth on these topics. This report takes an important step in that respect. Much has already been published about C&B in recent years. This publication occupies a unique position among it. It is not about the importance, the possible role of the IAF or the research methods, but about the state of affairs, the ambitions and the tools to realise those ambitions. The report contains various important insights and tools, which are elaborated step by step and clearly summarised in a concluding chapter.

Internal Auditing Around the World, Volume 15: Dawn of the Audit Bots
16.09.2019 Publication

As companies transform into next-generation competitors, internal audit (IA) functions are working on their next-gen game as well. Protiviti’s latest edition of Internal Auditing Around the World, Volume 15, looks at ways IA departments around the world are reinventing themselves, using aligned governance, more agile methodologies and new enabling technologies to become more efficient, more future-focused and value-adding.