Additional guidance has been published in the form of a Global Technology Audit Guide. This GTAG covers auditing 'insider threats', that is, the risk that an organization's own employees damage information systems or data, whether intentionally or unintentionally. In the current digital age, protecting these is becoming increasingly important, against both external and internal threats. The 'Global Technology Audit Guide: Auditing Insider Threat Programs' is therefore a useful addition to the many publications in the field of cybersecurity. The GTAG discusses in detail the nature of internal threats as well as the role that internal audit can and must play, both in audits and in possible advisory services. The guide provides: an overview of the risks and their impact; guidance for setting up an audit, including examples of control frameworks to use; tips for reporting the results. This is for members only. To access it and other valuable resources, become a member today.
Professional Publications
In our knowledge center you will find an extensive collection of professional publications that support you in your work as an internal auditor. From practical guides and white papers to in-depth analyses and international standards, all our publications are aimed at strengthening your expertise and raising the quality of internal audits. Discover valuable insights and stay up to date in the dynamic field of internal auditing!
Soft controls, that is, culture and behavior, are important. They can have a major impact on an organization. But how do you perform soft controls audits? How do you make sure you can measure and assess behavior and culture? On 3 July 2018 the IIA Young Professionals organized an event at Nuon to find an answer to this question. Speakers from KPMG, DNB and ACS each passionately shared their own insights, which can be read in this publication.
For the fifth consecutive year, Thomson Reuters has published a report on culture and conduct risk: Culture and Conduct Risk 2018: Benchmarking 5 years of implementation. It shows that the importance of this topic is increasing, also as a subject in supervision, but that organizations are still searching for the best way to give shape to it. Only a few organizations have a robust framework for culture and the management of conduct risk. The report gives an overview of developments in regulation and supervision as well as in relevant factors for conduct risk, including a handy overview of the indicators of an adequate risk culture. "Thomson Reuters has undertaken its fifth annual survey on how firms around the world are managing the challenges presented by the regulatory focus on culture and conduct risk. As in previous years, the research provides an opportunity for firms, and specifically compliance practitioners, to give their views and opinions on how they manage culture and mitigate conduct risk in the financial services industry. Since its inception, the survey has highlighted distinct industry-wide and year-on-year trends against which firms can benchmark their own progress and has proved to be a valuable and trusted resource for firms and their compliance officers."
If internal auditors are to remain relevant and add real value to their organizations, their speed, flexibility, and proactive approach to problem solving must be optimized. The report Perspectives and Insights: Agility and Innovation defines what it means to be agile and innovative in today's marketplace and how the two are interdependent. The modern internal audit function needs to tie traditional audit activities more closely to the organization’s strategic objectives and risks. Most chief audit executives (CAEs) recognize that reality already — either at some visceral level, through conversations with the board and executives in the first line of defense, or through implementation of The International Standards for the Professional Practice of Internal Auditing. In fact, conformance to the Standards requires that internal audit evaluate risks from the perspective of achieving the organization’s strategic objectives. This is not optional, but rather a necessity to ensure internal audit serves its role to protect and enhance organizational value. Two realities thwart that need, however. First, organizations simply have more risks coming at them, and those risks can harm the organization in swift, painful ways: a social media campaign that emerges overnight; a sexual harassment scandal that ousts a key employee; a food safety incident; a merger of competitors or suppliers; a new trade or regulatory policy that upends years of carefully constructed business models. Second, the reality is that CAEs also must dedicate resources to additional tasks providing assurance support for other assurance providers within and for the organization, including monitoring how operational risks are managed; compliance testing; the preparation of evidence for external auditors; and the vetting of accounting policies to ensure compliance with anti-bribery statutes. 
By continuing to fulfill those more traditional audit tasks, while also becoming agile and innovative, internal audit can transform into something that works more swiftly to help the rest of the organization address an increasingly chaotic, unpredictable environment. That will be a struggle, but one that The IIA feels can be done with awareness of and alignment to the organization’s strategic objectives and risks.
CEOs of private and family businesses are most concerned about cyber threats and a lack of talent. This is shown by the 21st PwC CEO Survey. 39% of CEOs see cyber threats as the greatest threat to growth. Many CEOs are concerned about the speed at which technology is changing and whether their company is equipped to deal with the new threats that result from it, but also whether their company can respond in time to the opportunities that new technologies offer. The lack of talent is mainly about the lack of digital talent; almost three quarters of CEOs say they are concerned about it, and 48 percent of private companies say it is very or somewhat difficult to find this kind of employee. For family businesses the figure is as high as 57%.
The insights on leading practices shared by CAEs are by turns familiar and fascinating when these leaders open up about how their internal audit functions work with management and the board to address three specific areas of strategic risk for their organizations: cybersecurity, IT projects, and capital projects. The familiarity stems from the risk-based approach of audit leaders for these strategic risk areas, as well as what they say about the underlying enablers of effective “strategic auditing” – an activity that more board members, CEOs, CFOs, and other C-suite executives are encouraging internal audit to perform. CAEs consistently point to the value of internal audit’s early involvement in strategic initiatives, its risk-based auditing approach, internal audit’s credibility in the eyes of business partners, and the function’s capacity to thrive in an advisory manner. These critical building blocks have existed within top-performing audit functions for some time.
Conformance to the IPPF is essential in meeting the responsibilities of internal auditors and the internal audit activity (IAA). It provides a measure of confidence that the IAA is operating to a strict code of ethics and defined professional standards, and that its staff is trained to specified standards of education and continued professional development.
Knowledgeable and competent resources within internal audit are needed to ensure assurance and advisory work are performed in alignment with the organization’s expectations and in conformance with widely accepted principles and standards. Careful and thoughtful consideration should be given to partially or fully outsourcing the internal audit activity.
Deloitte has conducted a worldwide survey on the state of the IAF, looking in particular at the functions with the greatest impact and influence in their organization. The report offers every IAF a mirror to see where further innovation could take place. Innovation of the IAF is a 'must' given the changes and innovations taking place in the organizations themselves. It turns out that IAFs that have (or believe they have) a large impact innovate relatively strongly. The innovations discussed concern the nature and scope of the audits, the working methods used, and the sourcing of the function. Concrete topics include the use of data analytics and Robotic Process Automation (RPA), agile working, and the auditing of cyber risks and culture.
Businesses around the globe recognise that transformation is necessary to survive. Digital transformation brings promise — and uncertainty — to organisations. As companies commit to and make progress with digital transformation, many are looking squarely at their internal audit team to provide guidance and insight along the journey. In Volume XIV of Protiviti’s Internal Auditing Around the World, we take a closer look at internal auditors’ challenges and opportunities as they help to support the business through digital transformation.
Even the most well-prepared audit plans need to be flexible. The 2018 Global Risk Report outlines the top risks faced by CAEs: Talent Management, Data Analytics, Cyber, Regulations, and Responding to Disruption. Are your audit plans flexible and adequate to address these risks? Presenting 2018 — a new year, new laws, regulations, opinions, ideas, technology, and risks. Today's business environment is significantly different than it was in the past; it is more complex and more connected. Organizations face new and unknown risks, but also new and untapped opportunities. Considering in the year ahead the new opportunities and number of potential challenges and risks — some of which are expected and some of which are unique to 2018 — audit plans should be viewed as frameworks that will change as events occur, including those that are disruptive.
This report from the Internal Audit Foundation highlights the increasing importance of implementing a comprehensive anti-bribery program in today’s marketplace to combat corruption. It discusses internal audit’s role in evaluating the design, implementation, and effectiveness of the organization’s anti-bribery program. It supports practitioners’ efforts to take a proactive role in anti-bribery initiatives by outlining the elements of a structured anti-bribery program and providing a “how-to” approach for auditing anti-bribery measures.
The Basel Committee on Banking Supervision (BCBS) strengthened capital adequacy guidelines following several global financial crises. If observed, banking institutions should be able to absorb the volatility of potential credit, market, and operational risks in the wake of another serious market shift. This new practice guide, developed for financial services auditors but useful to any auditor working with statistical models and capital, focuses on how to provide assurance that an institution is well capitalized to meet the guidelines and prepared for cyclical business changes. This guide will help readers understand, measure, and assess the appropriateness and completeness of an institution’s capital planning process. Topics include: How to evaluate whether capital processes support the institution’s stated risk appetite. Strategies and methods to model credit, market, and operational risk. Audit tools and techniques.
Potential improvements are presented to the auditee by means of a recommendation mainly based on an audit finding. An audit report generally includes the management action defined as a response to the recommendation, together with a due date and an action owner. Every internal audit function should have a process for monitoring follow-up on implementation of management actions. This can be an indicator for the internal audit function’s effectiveness. This paper relates specifically to the follow-up of findings and recommendations issued by internal audit, not those identified by first or second line of defence functions. It can also be applied to actions taken in response to issues identified by regulators or external auditors. Implementation of management actions is a first line or second line of defence responsibility. However, in case of insufficient implementation of management actions, the internal audit function should investigate and document the reason. Therefore, a well-established follow-up monitoring process is crucial to evaluate an internal audit’s effectiveness.