Vaktechnische Publicaties

The IIA's Artificial Intelligence Auditing Framework The IIA's AI Framework will help internal auditors approach AI advisory and assurance services in a systematic and disciplined manner. This report describes the Framework's components and elements, and provides practical recommendations for implementation. Available in multiple langages.  You can find part 1 here. You can find part 3 here.  This is for members only. To access it and other valuable resources, become a member today.

Om zijn rol als ‘truth teller’ waar te kunnen maken, moet een internal auditor morele moed tonen. Het hebben van alleen een moreel kompas is niet genoeg. Dit is het uitgangspunt van het onderzoeksrapport Morele moed en internal auditors dat is geschreven door dr. Edgar Karssing, prof. dr. Ronald Jeurissen en dr. Raymond Zaal van Nyenrode Business Universiteit in samenwerking met het Instituut van Internal Auditors Nederland (IIA). Alle leden van IIA, de beroepsorganisatie voor internal auditors, zijn verplicht zich te houden aan de ethische code voor internal auditors. Deze code bestaat uit de principes die relevant zijn voor professionele uitoefening van internal auditing. Deze principes zijn integriteit, objectiviteit, vertrouwelijkheid en vakbekwaamheid. Daarnaast wordt er gebruik gemaakt van een ethische code met gedragsregels. ‘Gevaarlijke’ situaties In het rapport wordt een groot aantal handvatten gegeven om met ‘gevaarlijke’ situaties om te gaan. De uitdaging daarbij is morele moed klein maken. Moedig handelen hoeft niet per se op grootse en meeslepende wijze. Soms is een kritische vraag stellen voldoende, of kan men een bestuurder wijzen op de kernwaarden van zijn of haar organisatie. Ook zijn in het onderzoek bemoedigende handreikingen benoemd die internal auditors kunnen helpen om morele moed te tonen. Hierbij onderscheiden de onderzoekers persoonlijke, governance- en cultuur-hulpbronnen.

Op 16 januari 2018 vond het seminar over de Internal Auditfunctie bij Nederlandse beursfondsen plaats in het karakteristieke Nyenrode kasteel. Dit seminar werd georganiseerd door IIA Nederland samen met NBA-LIO en het Nyenrode Corporate Governance Instituut. Commissarissen, Internal Auditors en andere stakeholders namen in de Wapenzaal plaats om te discussiëren over het belang en de toegevoegde waarde van een Internal Auditfunctie (IAF) bij Nederlandse beursfondsen.

Waar bij grotere beursgenoteerde ondernemingen een Internal Auditfunctie (IAF), steeds vaker wordt ingevoerd, beschikken kleinere beursfondsen hier nog zelden over. De belangrijkste reden die hiervoor wordt aangevoerd, is dat deze bedrijven zichzelf hiervoor te klein vinden. Dit is een van de conclusies uit de Internal Audit Monitor 2017 die FSV Risk Advisory in opdracht van de Stichting Vaktechnisch Onderzoek IIA in samenwerking met Nyenrode Business Universiteit heeft uitgevoerd. In jaarverslagen van kleine vennootschappen is de kwaliteit van de uitleg waarom een IAF ontbreekt, vaak onvoldoende. “Organisaties zonder Internal Auditfunctie missen een belangrijk element van een goede corporate governance. Zij hebben dan vaak geen volledig en objectief inzicht in de effectiviteit van hun processen van risicomanagement, interne beheersing, governance en het evalueren en verbeteren hiervan. Commissarissen (RvC) en Bestuur (RvB) missen een onafhankelijk en deskundig inzicht en mogelijkheden tot organisatieverbetering.” Dit stellen onderzoekers Robert Bogtstra van FSV Risk Advisory en Remko Renes van het Nyenrode Corporate Governance Instituut naar aanleiding van de onderzoeksuitkomsten. Bogtstra vervolgt: “Juist in een tijd waarin bekend is geworden dat bij gecontroleerde bedrijven de interne beheersing vaak niet op orde is, kan een IAF van grote waarde zijn. Bezuinigen op het inrichten van een volwaardige IAF kan dan op de lange termijn wel eens ‘penny wise, pound foolish’ blijken.” De onderzoekers bepleiten dat organisaties nooit te klein zijn voor een Internal Auditfunctie. Een IAF kan juist ook voor kleinere organisaties van grote meerwaarde zijn. “De uitdaging voor het vak is nadrukkelijk te laten zien waarin die waarde zit en ook welke mogelijkheden er zijn voor een kostenefficiënte aanpak.

The IIA has released Auditing Liquidity Risk, An Overview—the first IPPF practice guide specifically for financial auditors. In the heavily regulated financial services industry, institutions must actively manage liquidity risk to ensure survival. Post crisis, supervisors have formalized liquidity risk management requirements within regulations and developed specific expectations of internal audit departments. In this environment, it is imperative that practitioners ensure their audit approaches are in line with international standards, regulations, and best practices. The IIA’s practice guide* provides a historical perspective on the regulatory environment related to liquidity risk, reviews the fundamental principle for the management of liquidity risk, and explains why it is so important for a financial institution. Additionally, the guidance highlights: Governance of liquidity risk management. Liquidity risk appetite/tolerance. Considerations for planning a Liquidity Risk audit. Measurement and management of liquidity risk. Public disclosure requirements. Role of supervisors. *Under Review: This practice guide contains some outdated material and references. It remains available while a review is underway.  This is for members only. To access it and other valuable resources, become a member today.  

At the recent annual symposium of the Internal Auditing & Advisory and IT Auditing & Advisory programmes of the Erasmus School of Accounting & Assurance (ESAA) we presented a report discussing the findings of a study into emerging trends in the professional practice of internal auditors. One of those trends is the ‘psychologisation of the internal audit profession’: it has become nearly impossible to separate risks from the related behaviour and the risk perceptions of those involved. The internal audit function plays a key role in assessing and identifying risks, and is at the same time looking for ways to improve the effectiveness of its assessments and interventions. This increasingly involves the use of concepts that extend beyond the content of the message and focus on the ‘form’ of the message, the timing of the message, etc. Experiments in the field of behavioural economics have shown that subtle changes to how a message is presented can influence people’s decision-making, particularity when it comes to decisions about risks. Knowledge about heuristics and biases in human decision-making has led to the successful application of ‘nudges’: simple interventions that ‘entice’ to adopt the desired behaviour and gently push them in the right direction. It has been shown that nudges are effective because they make the desired alternatives easier, more attractive, more socially engaging or timelier. So nudging could be an interesting addition to the classical repertoire of the internal auditor. In the public sector interest in nudging has been increasing in recent years because it provides an effective means to influence people’s behaviour. Lines are painted on dangerous roads to make the road appear narrower. As a result, drivers slow down and drive more safely. Applying the image of a fly in urinals and placing waste baskets near traffic lights for people to aim at are playful incentives for safer and more hygienic behaviour. By making smart use of our subconscious inclination to play games and improve our game playing skills, we can actually bring about safer, more hygienic and therefore less risky behaviour. These are special forms of nudging known as ‘gamification’, which plays an increasingly dominant role in risk management and safety management, for example in hospitals. Gamification is also slowly but surely receiving more attention from the Executive Board and the Supervisory Board or Board of Trustees. The application of nudging (and gamification as a special form of nudging) that we increasingly encounter in our day-to-day practice in the public and private sector obviously raises challenging questions for the internal audit practice: Are we able to, are we allowed to and do we want to use these types of tools to influence behaviour? Can we ignore these tools, which have such a big impact on risk behaviour in the public and private sector and which are increasingly incorporated into the risk management of all kinds of organisations, including hospitals? And how can gamification be reconciled to the professional seriousness of the internal audit profession, where contributing to the controlling of risks is a key priority, but focusing on the game element of this may nonetheless feel a bit awkward, to say the least? The emergence of the phenomenon of gamification raises challenging questions for the internal audit practice and demands in-depth research into the opportunities, dilemmas and limits of the application of gamification in the professional practice of internal auditors. In exploring this phenomenon, we will zoom in on the healthcare sector, where gamification plays an increasingly prominent role in the operational and governance practice with regard to risk control, and is therefore increasingly encountered by the internal audit function. Risks manifesting themselves in the healthcare sector have a major social impact and healthcare institutions face a rich palette of risk types that fall under the remit of the internal audit function. We believe that the lessons we have drawn from our exploration in this sector may also offer interesting starting points for a broader discussion about the application of gamification in the internal audit profession. The practical part of this exploration focuses on an initial exercise with gamification in the healthcare sector, but the findings are also relevant to the much larger Dutch internal audit profession as a whole, including internal auditors operating in entirely different fields.

Onlangs hebben wij tijdens het jaarlijks symposium van de ESAA-opleidingen Internal Auditing & Advisory en IT-Auditing & Advisory een onderzoeksrapport gepresenteerd met de resultaten van onderzoek naar trends die zich aftekenen in de professionele beroepspraktijk van internal auditors. Een daarvan betreft ‘de psychologisering van het beroep van internal auditor’: risico’s kunnen nauwelijks nog worden losgezien van het gedrag dat ermee samenhangt en de risicopercepties van de betrokkenen. De internal audit functie speelt een belangrijke rol bij het beoordelen en signaleren van risico’s en is tegelijkertijd op zoek naar manieren om de effectiviteit van eigen oordelen en interventies verder te verbeteren. Steeds vaker vallen daarbij termen die verder gaan dan de inhoud van de boodschap en die zich richten op de ‘vorm’ van boodschap, de timing van de boodschap, et cetera. Uit experimenten in de gedragseconomie blijkt dat subtiele aanpassingen in de presentatie van een boodschap van invloed zijn op de beslissingen die mensen nemen, in het bijzonder waar het besluitvorming over risico’s betreft. Kennis over heuristieken en vertekeningen (‘biases’) in de menselijke besluitvorming, heeft geresulteerd in succesvolle toepassing van zogenoemde ‘nudges’: simpele interventies die ‘verleiden’ tot het gewenste gedrag en mensen een duwtje in de goede richting geven. Nudges blijken effectief doordat zij de gewenste keuzeopties gemakkelijker, aantrekkelijker, socialer of tijdiger maken en kunnen derhalve een interessante uitbreiding vormen op het klassieke repertoire van de internal auditor. In de publieke sector staat nudging de afgelopen jaren steeds meer in de belangstelling omdat het op een effectieve manier van beïnvloeding biedt voor het gedrag dat mensen vertonen. Op gevaarlijke wegen worden strepen geplaatst die de weg optisch smaller doen lijken. Dit resulteert in verlaging van de rijsnelheid en in veiliger verkeersgedrag. De vlieg die is afgebeeld in urinoirs en de baskets die soms naast stoplichten staan nodigen - in alle speelsheid - uit tot veiliger en hygiënischer gedrag van passanten. Door slim gebruik te maken van onze onbewuste neiging tot spelen en onszelf daarin te willen verbeteren valt daadwerkelijk veiliger, hygiënischer en derhalve minder risicovol gedrag te realiseren. Dergelijke vormen van gamification als bijzondere vorm van nudging krijgen bijvoorbeeld in ziekenhuizen een steeds dominanter rol in het risicomanagement en veiligheidsmanagement en komen ook langzaam maar zeker steeds meer in de belangstelling van bestuurders en toezichthouders. De toepassing van nudging (en gamification als bijzondere vorm daarvan) die we in de dagdagelijkse publieke en private praktijk steeds vaker tegen komen, roept natuurlijk uitdagende vragen op voor de internal audit praktijk: kunnen, mogen en willen wij gebruik van maken van dit type gedragsbeïnvloeding? Kunnen wij dergelijke instrumenten negeren als zij zo’n grote invloed hebben op het risicogedrag in publieke en private omgevingen en steeds meer onderdeel gaan uitmaken van het risicomanagement van organisaties zoals ziekenhuizen. Hoe verhoudt gamification zich tot de professionele ernst van het internal audit beroep, waarbij de bijdrage tot risicobeheersing weliswaar hoog in het vaandel staat, maar aandacht voor de spelcomponent daarin toch tenminste enig ongemak oproept. 

Fraud can disrupt operations, pose compliance risks, blemish an organization’s reputation, and cost an organization and its stakeholders substantial amounts of money. While management, with board oversight, holds the primary responsibility for establishing and monitoring effective controls to deter and detect fraud, the internal audit activity is required to evaluate the risk of fraud, according to the International Standards for the Professional Practice of Internal Auditing. Additionally, the chief audit executive (CAE) must report significant risk and control issues, including fraud, to senior management and the board (Standard 2060 – Reporting to Senior Management and the Board). The Standards require the internal audit activity to assess fraud risks at the organizational and engagement level. To ensure adequate review of the risks relevant to each engagement, internal auditors should conduct a fraud risk assessment as part of engagement planning (Standard 2210.A1). Over time, the knowledge the internal audit activity obtains during individual engagements can be compiled into a more robust and comprehensive organizationwide fraud risk assessment. This practice guide describes the characteristics of fraud and the process of identifying and assessing fraud risks during engagement planning. The exact process of incorporating a fraud risk assessment into engagement planning may vary according to the needs of the individual organization, internal audit activity, and engagement. However, the process generally includes the following steps: Gather information to understand the purpose and context of the engagement, as well as the governance, risk management, and controls relevant to the area or process under review. Brainstorm fraud scenarios to identify potential fraud risks. Assess the identified fraud risks to determine which risks require further evaluation during the engagement.

The interests, roles, responsibilities, and activities of internal auditors and external auditors are complementary and sometimes similar; in some cases,they overlap at one point or another. For example, the overlap between an internal auditor and an external auditor may include carrying out an efficient analysis of transactions; becoming intimately familiar with an organization’s governance, risk management, and internal control systems; and sharing and developing accurate final reports. This is not a surprise; each role is based on a professional discipline and operates to that discipline’s standards. As such, the external auditor’s professional concerns include the inaccuracies and misstatements that affect final business accounts (financial information). Internal auditors are concerned with the wide range of governance, risk management, and internal controls (nonfinancial information). Keep in mind, internal audit and external audit do not compete and they do not conflict; rather, one complements the other. Both are crucial to good governance, and they should meet at some point and work together. However, there are distinct differences in the roles, and certainly in the boundaries of the work that they perform. The differences, summarized below, are often under-recognized, and are perhaps even misunderstood and confused by stakeholders.  

Artificial Intelligence, Internal Audit’s Role, and Introducing a New Framework Part 1 Part I of a three part series, this thought leadership piece explores the concept of artificial intelligence and presents a high level overview o f considerations for the internal auditing pr ofession with regard to AI goverance; data architecture and infrastructure; the human factor: measuring performance; data quality; and the black box factor. The article ends with recommendations on what internal auditors can do now to prepare to provide assurance and advisory services related to AI. Avaiable in multiple languages. You can find part 2 here. You can find part 3 here.  This is for members only. To access it and other valuable resources, become a member today.

Hier een teaser in te vullen

Dat het Internal Audit vak behoorlijk in de lift zit, daarover is nauwelijks discussie. Zowel in kwalitatieve als in kwantitatieve zin. In opdracht van het Instituut van Internal Auditors hebben drs. Robert Bogtstra RA en drs. Remko Renes RA onderzoek uitgevoerd naar de Internal Audit Functie bij beursgenoteerde vennootschappen in Nederland. Dit onderzoek laat zien dat het aantal Internal Audit Functies bij Nederlandse beursvennootschappen de afgelopen jaren stijgt, een trend die ook in 2017 doorzet. Zes Nederlandse beursfondsen hebben in 2017 aangegeven in de loop van 2017 te starten met een eigen IAF, zowel binnen de MidCap (IMCD Group, Sligro Food Group), SmallCap (Beter Bed, Brunel, ForFarmers) als een lokale vennootschap (Neways Electronics).

In 2016, IFACI , IIA Italy and IIA Spain published ‘Hot Topics for Internal Audit 2017’. Tis year, a wider group of European Institutes of Internal Auditors have taken a more ambitious approach, interviewing Chief Audit Executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK – to home in on key themes requiring the atention of internal audit to mitigate risk and protect and add value in their organisations.

Planning is part of internal auditing’s systematic, disciplined, and risk-based approach and is mandated by the International Standards for the Professional Practice of Internal Auditing. Planning internal audit engagements involves considering the strategies and objectives of the area or process under review, prioritizing the risks relevant to the engagement, determining the engagement objectives and scope, and documenting the approach. This practice guide contains the engagement planning steps necessary to fulfill Standard 2200 – Engagement Planning through Standard 2220 – Engagement Scope and related assurance (.A) and consulting (.C) implementation standards. The exact order and details of planning an engagement, including establishing the objectives and scope, may vary according to the needs of the individual organization, internal audit activity, and engagement. However, the following planning steps are generally included: Understand the context and purpose of the engagement. Gather information to understand the area or process under review. Conduct a preliminary assessment of relevant risks. Form engagement objectives. Establish engagement scope. Allocate appropriate and sufficient resources. Document the plan. To plan the engagement effectively, internal auditors should start by understanding the context and purpose of the engagement, why it was included in the annual internal audit plan, and how the organization’s mission, vision, strategic objectives, and other elements align with those of the area or process under review. Internal auditors also consider whether the engagement is a request for assurance or consulting services, as stakeholder expectations and Standards requirements differ depending on the type of engagement. Next, internal auditors gather information about the area or process under review to determine the engagement objectives, scope, and plan. Internal auditors may examine documentation from prior assurance engagements, review applicable policies and procedures, and interview relevant stakeholders to understand and map the process flow and controls in the area or process under review. Conducting a preliminary assessment of the identified risks helps internal auditors prioritize the risks to be evaluated further during the engagement. Utilizing process maps and brainstorming potential risk scenarios are two techniques that help internal auditors identify risks and controls relevant to the area or process under review. This practice guide explains how internal auditors Practice Guide / Engagement Planning: Establishing Objectives and Scope can use a risk and control matrix and heat map to prioritize the risks, then use the results to form the engagement objectives and scope, in conformance with the Standards. In addition, this guide explores how to allocate resources and document the process of planning and establishing the engagement objectives and scope. 

In keeping with its overall mission, the COSO Board commissioned and published in 2004 Enterprise Risk Management—Integrated Framework. Over the past decade, that publication has gained broad acceptance by organizations in their efforts to manage risk. However, also through that period, the complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, now titled Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance. The first part of the updated publication offers a perspective on current and evolving concepts and applications of enterprise risk management. The second part, the Framework, is organized into five easy-to-understand components that accommodate different viewpoints and operating structures, and enhance strategies and decision-making.