Vaktechnische Publicaties

The internal audit function has an important role to play in providing assurance over the effectiveness and security of key processes outsourced from banks to third parties. It is crucial that key stakeholders, including management, the board and the bank’s supervisors can place reliance on the work of internal audit in respect of the risk management of third parties, while at the same time maintaining a reasonable expectation of the extent of the internal audit function’s responsibilities in this area. This paper sets out the view of the ECIIA Banking Committee (the Committee) on best practices that could be adopted by internal audit functions in respect of the audit of externally outsourced services. 

The objective of this position paper is to provide guidance to the audit departments of banking groups to assist in delivering consistent and adequate levels of assurance across the group, while considering both group and subsidiary regulatory requirements, with the intention of fostering consolidated supervision across the group. The primary principle outlined within this paper is that the group internal audit function is accountable for overseeing audit activity throughout the group. This view is aligned to that expressed in the Basel Committee’s guidance on internal audit (BCBS 223).

To manage risks effectively is an essential part of good corporate governance. An important role of each organisation is to identify all business risks and uncertainties which the organisation faces, quickly implementing risk mitigating measures and enhancing the system of internal controls. The internal audit function, as an essential part of the corporate governance framework, provides independent assurance that those risks have been properly managed. As the global business environment and its financial and regulatory requirements have become more complex, users of the audited processes have been calling for more pertinent information for their decision making. The rapidly evolving environment (e.g. digitalisation of services, sustainability, information technology) and a shortening life cycle of products requires organisations to embrace change. Agility and a short response time are critical to survival. This leads to new/enhanced risks which the organisation has to deal with and a new risk appetite. To be able to provide an assurance to senior management in a short time period, it is necessary to focus the audit plan on current and future risks and provide a risk-based approach for audit planning.

Internal control is an important cornerstone for banks’ long-term sound governance. It should be tailored to the business model, risks and organisational structure. As risks are more and more complex, there are several functions involved in the implementation and the evaluation of an internal control system. However, it is important to stress the distinctive contribution of internal audit functions. Indeed, as the third line of defence, reporting to senior management and the board, internal audit gives an overall assurance on internal control effectiveness including an independent review of risk and control functions as well as insights on efficiency.

Managing the Impact of Models Short of a crystal ball, there is no fool-proof way to predict outcomes in the financial services industry. However, models provide a powerful tool to empower organizations to make important decisions using information from a variety of sources. The IIA’s Practice Guide: Auditing Model Risk Management helps ensure that these models are working as effectively as possible for an organization. This practice guide* provides an overview of key areas related to model risk management including business significance, regulatory requirements and expectations, and model components. It is designed to help chief audit executives and their audit teams understand their roles in assessing model risk management and empower them to implement an audit plan coverage approach and program tailored to the size, scale, and risks facing their organization. *Under Review: This practice guide contains some outdated material and references. It remains available while a review is underway.  This is for members only. To access it and other valuable resources, become a member today.

Over the course of just a few years, cybersecurity has grown into one of the most significant risk management challenges facing virtually every type of organization. Is the internal audit function keeping pace with this rapidly changing area of risk? This report examines this question and, based on a survey of internal audit and cybersecurity professionals, offers some observations on how internal audit departments are adapting in order to address cybersecurity risks. A decade ago, the internal audit function evolved and adapted to the increasingly important role that information technology (IT) was playing in all aspects of business operations. Today, internal audit faces the need to adapt once again to address the critical risks associated with cybersecurity. Recognizing this need, the Internal Audit Foundation and Crowe Horwath, in collaboration with The Institute of Internal Auditors’ (IIA’s) Audit Executive Center, conducted a limited survey of IIA members in order to understand how internal audit has begun to adapt to this new risk landscape. This report offers a summary of key findings from that research and provides insights into some current internal audit and cybersecurity policies and practices. In addition, the report’s authors draw on industry experience and observation based on their working relationships with internal audit functions across a broad range of industries.

Special Three-part Series: Artificial Intelligence, Internal Audit’s Role, and Introducing a New Framework This special three-part edition of Global Perspectives and Insights explores internal audit’s role in Artificial Intelligence by discussing associated risks and opportunities. The paper also introduces an AI Auditing Framework comprised of six components, all set within the context of an organization’s AI strategy. Avaiable in multiple languages.  You can find part 1 here. You can find part 2 here.  This is for members only. To access it and other valuable resources, become a member today.

Moral courage bridges the gap between making judgments and acting on them. According to the philosopher Aristotle, courage is the golden mean between cowardice and recklessness, and where that golden mean lies, depends on the specific circumstances. How do you determine that golden mean? How can you act courageously? What does acting courageously look like? And what can help you to do it? In this report we will look for answers to these questions. Our research for this report is based on insights gained in the field of philosophy and from the practice of internal auditors. In addition, we studied literature in the field of internal auditing, including the aforementioned studies conducted by the IIA Research Foundation. We also conducted empirical research in collaboration with IIA Netherlands. As part of our preparations for the IIA Netherlands Conference in June 2017, we also conducted a survey among the members of IIA Netherlands. In this report we present the findings of our research.

The internal audit activity is uniquely positioned and staffed within an organization to assess whether the information technology governance of the organization supports the organization’s strategies and objectives and to make recommendations as needed. Internal audits of IT governance should focus beyond the implementation of governance practices. Internal audit adds value to the organization by assessing the effectiveness of IT governance components, and providing assurance to stakeholders that principles and practices are followed and working as intended. Internal audit assessments will likely include activities such as: Assessing the degree to which IT governance activities and standards are consistent with the internal audit activity’s understanding of the organization’s risk appetite. Conducting consulting engagements as allowed by the audit charter and approved by the board. Ongoing dialogue with senior management and the board to ensure that substantial organizational and risk changes are being addressed in a timely manner. As the second edition of “Auditing IT Governance,” this GTAG* has been updated to reflect the 2017 International Professional Practices Framework and to be more directly practical to internal auditors. This edition provides tools and techniques to help internal auditors build a work program and perform engagements involving IT governance. *Under Review: This practice guide contains some outdated material and references. It remains available while a review is underway.  This is for members only. To access it and other valuable resources, become a member today.

The IIA's Artificial Intelligence Auditing Framework The IIA's AI Framework will help internal auditors approach AI advisory and assurance services in a systematic and disciplined manner. This report describes the Framework's components and elements, and provides practical recommendations for implementation. Available in multiple langages.  You can find part 1 here. You can find part 3 here.  This is for members only. To access it and other valuable resources, become a member today.

Om zijn rol als ‘truth teller’ waar te kunnen maken, moet een internal auditor morele moed tonen. Het hebben van alleen een moreel kompas is niet genoeg. Dit is het uitgangspunt van het onderzoeksrapport Morele moed en internal auditors dat is geschreven door dr. Edgar Karssing, prof. dr. Ronald Jeurissen en dr. Raymond Zaal van Nyenrode Business Universiteit in samenwerking met het Instituut van Internal Auditors Nederland (IIA). Alle leden van IIA, de beroepsorganisatie voor internal auditors, zijn verplicht zich te houden aan de ethische code voor internal auditors. Deze code bestaat uit de principes die relevant zijn voor professionele uitoefening van internal auditing. Deze principes zijn integriteit, objectiviteit, vertrouwelijkheid en vakbekwaamheid. Daarnaast wordt er gebruik gemaakt van een ethische code met gedragsregels. ‘Gevaarlijke’ situaties In het rapport wordt een groot aantal handvatten gegeven om met ‘gevaarlijke’ situaties om te gaan. De uitdaging daarbij is morele moed klein maken. Moedig handelen hoeft niet per se op grootse en meeslepende wijze. Soms is een kritische vraag stellen voldoende, of kan men een bestuurder wijzen op de kernwaarden van zijn of haar organisatie. Ook zijn in het onderzoek bemoedigende handreikingen benoemd die internal auditors kunnen helpen om morele moed te tonen. Hierbij onderscheiden de onderzoekers persoonlijke, governance- en cultuur-hulpbronnen.

Op 16 januari 2018 vond het seminar over de Internal Auditfunctie bij Nederlandse beursfondsen plaats in het karakteristieke Nyenrode kasteel. Dit seminar werd georganiseerd door IIA Nederland samen met NBA-LIO en het Nyenrode Corporate Governance Instituut. Commissarissen, Internal Auditors en andere stakeholders namen in de Wapenzaal plaats om te discussiëren over het belang en de toegevoegde waarde van een Internal Auditfunctie (IAF) bij Nederlandse beursfondsen.

Waar bij grotere beursgenoteerde ondernemingen een Internal Auditfunctie (IAF), steeds vaker wordt ingevoerd, beschikken kleinere beursfondsen hier nog zelden over. De belangrijkste reden die hiervoor wordt aangevoerd, is dat deze bedrijven zichzelf hiervoor te klein vinden. Dit is een van de conclusies uit de Internal Audit Monitor 2017 die FSV Risk Advisory in opdracht van de Stichting Vaktechnisch Onderzoek IIA in samenwerking met Nyenrode Business Universiteit heeft uitgevoerd.

The IIA has released Auditing Liquidity Risk, An Overview—the first IPPF practice guide specifically for financial auditors. In the heavily regulated financial services industry, institutions must actively manage liquidity risk to ensure survival. Post crisis, supervisors have formalized liquidity risk management requirements within regulations and developed specific expectations of internal audit departments. In this environment, it is imperative that practitioners ensure their audit approaches are in line with international standards, regulations, and best practices. The IIA’s practice guide* provides a historical perspective on the regulatory environment related to liquidity risk, reviews the fundamental principle for the management of liquidity risk, and explains why it is so important for a financial institution. Additionally, the guidance highlights: Governance of liquidity risk management. Liquidity risk appetite/tolerance. Considerations for planning a Liquidity Risk audit. Measurement and management of liquidity risk. Public disclosure requirements. Role of supervisors. *Under Review: This practice guide contains some outdated material and references. It remains available while a review is underway.  This is for members only. To access it and other valuable resources, become a member today.  

At the recent annual symposium of the Internal Auditing & Advisory and IT Auditing & Advisory programmes of the Erasmus School of Accounting & Assurance (ESAA) we presented a report discussing the findings of a study into emerging trends in the professional practice of internal auditors. One of those trends is the ‘psychologisation of the internal audit profession’: it has become nearly impossible to separate risks from the related behaviour and the risk perceptions of those involved. The internal audit function plays a key role in assessing and identifying risks, and is at the same time looking for ways to improve the effectiveness of its assessments and interventions. This increasingly involves the use of concepts that extend beyond the content of the message and focus on the ‘form’ of the message, the timing of the message, etc. Experiments in the field of behavioural economics have shown that subtle changes to how a message is presented can influence people’s decision-making, particularity when it comes to decisions about risks. Knowledge about heuristics and biases in human decision-making has led to the successful application of ‘nudges’: simple interventions that ‘entice’ to adopt the desired behaviour and gently push them in the right direction. It has been shown that nudges are effective because they make the desired alternatives easier, more attractive, more socially engaging or timelier. So nudging could be an interesting addition to the classical repertoire of the internal auditor. In the public sector interest in nudging has been increasing in recent years because it provides an effective means to influence people’s behaviour. Lines are painted on dangerous roads to make the road appear narrower. As a result, drivers slow down and drive more safely. Applying the image of a fly in urinals and placing waste baskets near traffic lights for people to aim at are playful incentives for safer and more hygienic behaviour. By making smart use of our subconscious inclination to play games and improve our game playing skills, we can actually bring about safer, more hygienic and therefore less risky behaviour. These are special forms of nudging known as ‘gamification’, which plays an increasingly dominant role in risk management and safety management, for example in hospitals. Gamification is also slowly but surely receiving more attention from the Executive Board and the Supervisory Board or Board of Trustees. The application of nudging (and gamification as a special form of nudging) that we increasingly encounter in our day-to-day practice in the public and private sector obviously raises challenging questions for the internal audit practice: Are we able to, are we allowed to and do we want to use these types of tools to influence behaviour? Can we ignore these tools, which have such a big impact on risk behaviour in the public and private sector and which are increasingly incorporated into the risk management of all kinds of organisations, including hospitals? And how can gamification be reconciled to the professional seriousness of the internal audit profession, where contributing to the controlling of risks is a key priority, but focusing on the game element of this may nonetheless feel a bit awkward, to say the least? The emergence of the phenomenon of gamification raises challenging questions for the internal audit practice and demands in-depth research into the opportunities, dilemmas and limits of the application of gamification in the professional practice of internal auditors. In exploring this phenomenon, we will zoom in on the healthcare sector, where gamification plays an increasingly prominent role in the operational and governance practice with regard to risk control, and is therefore increasingly encountered by the internal audit function. Risks manifesting themselves in the healthcare sector have a major social impact and healthcare institutions face a rich palette of risk types that fall under the remit of the internal audit function. We believe that the lessons we have drawn from our exploration in this sector may also offer interesting starting points for a broader discussion about the application of gamification in the internal audit profession. The practical part of this exploration focuses on an initial exercise with gamification in the healthcare sector, but the findings are also relevant to the much larger Dutch internal audit profession as a whole, including internal auditors operating in entirely different fields.