Professional Publications

In our knowledge centre you will find an extensive collection of professional publications that support you in your work as an internal auditor. From practical guides and white papers to in-depth analyses and international standards: all our publications are aimed at strengthening your expertise and raising the quality of internal audits. Discover valuable insights and stay up to date in the dynamic field of internal auditing!

Consciously dealing with the unconscious. On the relevance of gamification for internal audit
08.01.2018 Publication

Recently, at the annual symposium of the ESAA programmes Internal Auditing & Advisory and IT-Auditing & Advisory, we presented a research report with the results of research into trends emerging in the professional practice of internal auditors. One of these concerns ‘the psychologisation of the internal auditor’s profession’: risks can hardly be viewed separately any more from the behaviour associated with them and the risk perceptions of those involved. The internal audit function plays an important role in assessing and flagging risks and is at the same time looking for ways to further improve the effectiveness of its own judgements and interventions. Increasingly, terms come up that go beyond the content of the message and focus on the ‘form’ of the message, the timing of the message, et cetera. Experiments in behavioural economics show that subtle changes in the presentation of a message influence the decisions people make, particularly where decision-making about risks is concerned. Knowledge of heuristics and biases in human decision-making has resulted in the successful application of so-called ‘nudges’: simple interventions that ‘entice’ people towards the desired behaviour and give them a push in the right direction. Nudges prove effective because they make the desired choice options easier, more attractive, more social or more timely, and can therefore be an interesting extension of the internal auditor’s classic repertoire. In the public sector, nudging has attracted growing interest in recent years because it offers an effective way of influencing the behaviour people display. On dangerous roads, lines are painted that make the road appear optically narrower. This results in lower driving speeds and safer traffic behaviour.
The fly depicted in urinals and the baskets that sometimes stand next to traffic lights playfully invite passers-by to behave more safely and hygienically. By making smart use of our unconscious tendency to play and to want to improve ourselves at it, safer, more hygienic and therefore less risky behaviour can actually be achieved. Such forms of gamification, as a special form of nudging, are playing an increasingly dominant role in risk management and safety management in hospitals, for example, and are slowly but surely attracting more interest from directors and supervisors. The application of nudging (and gamification as a special form of it), which we encounter more and more often in everyday public and private practice, naturally raises challenging questions for internal audit practice: can we, may we and do we want to make use of this type of behavioural influence? Can we ignore such instruments if they have such a large influence on risk behaviour in public and private settings and increasingly become part of the risk management of organisations such as hospitals? How does gamification relate to the professional seriousness of the internal audit profession, in which the contribution to risk control is held in high regard, but attention to the game component in it nonetheless causes at least some unease?

Practice Guide: Engagement Planning Assessing Fraud Risks
21.11.2017 Publication

Fraud can disrupt operations, pose compliance risks, blemish an organization’s reputation, and cost an organization and its stakeholders substantial amounts of money. While management, with board oversight, holds the primary responsibility for establishing and monitoring effective controls to deter and detect fraud, the internal audit activity is required to evaluate the risk of fraud, according to the International Standards for the Professional Practice of Internal Auditing. Additionally, the chief audit executive (CAE) must report significant risk and control issues, including fraud, to senior management and the board (Standard 2060 – Reporting to Senior Management and the Board). The Standards require the internal audit activity to assess fraud risks at the organizational and engagement level. To ensure adequate review of the risks relevant to each engagement, internal auditors should conduct a fraud risk assessment as part of engagement planning (Standard 2210.A1). Over time, the knowledge the internal audit activity obtains during individual engagements can be compiled into a more robust and comprehensive organizationwide fraud risk assessment. This practice guide describes the characteristics of fraud and the process of identifying and assessing fraud risks during engagement planning. The exact process of incorporating a fraud risk assessment into engagement planning may vary according to the needs of the individual organization, internal audit activity, and engagement. However, the process generally includes the following steps: Gather information to understand the purpose and context of the engagement, as well as the governance, risk management, and controls relevant to the area or process under review. Brainstorm fraud scenarios to identify potential fraud risks. Assess the identified fraud risks to determine which risks require further evaluation during the engagement.

GPI: Internal Audit and External Audit
21.11.2017 Publication

The interests, roles, responsibilities, and activities of internal auditors and external auditors are complementary and sometimes similar; in some cases, they overlap at one point or another. For example, the overlap between an internal auditor and an external auditor may include carrying out an efficient analysis of transactions; becoming intimately familiar with an organization’s governance, risk management, and internal control systems; and sharing and developing accurate final reports. This is not a surprise; each role is based on a professional discipline and operates to that discipline’s standards. As such, the external auditor’s professional concerns include the inaccuracies and misstatements that affect final business accounts (financial information). Internal auditors are concerned with the wide range of governance, risk management, and internal controls (nonfinancial information). Keep in mind, internal audit and external audit do not compete and they do not conflict; rather, one complements the other. Both are crucial to good governance, and they should meet at some point and work together. However, there are distinct differences in the roles, and certainly in the boundaries of the work that they perform. The differences, summarized below, are often under-recognized, and are perhaps even misunderstood and confused by stakeholders.

GPI: The IIA’s Artificial Intelligence Auditing Framework, Part 1
26.10.2017 Publication

Artificial Intelligence, Internal Audit’s Role, and Introducing a New Framework, Part 1. Part I of a three-part series, this thought leadership piece explores the concept of artificial intelligence and presents a high-level overview of considerations for the internal auditing profession with regard to AI governance; data architecture and infrastructure; the human factor: measuring performance; data quality; and the black box factor. The article ends with recommendations on what internal auditors can do now to prepare to provide assurance and advisory services related to AI. Available in multiple languages. This is for members only.

A good director and supervisor deserves a good internal audit function
03.10.2017 Publication

That the internal audit profession is very much on the rise is hardly in dispute, both in qualitative and in quantitative terms. Commissioned by the Instituut van Internal Auditors, drs. Robert Bogtstra RA and drs. Remko Renes RA conducted research into the Internal Audit Function at listed companies in the Netherlands. This research shows that the number of Internal Audit Functions at Dutch listed companies has been rising in recent years, a trend that continues in 2017. Six Dutch listed companies indicated in 2017 that they would start their own IAF in the course of 2017, in the MidCap (IMCD Group, Sligro Food Group), the SmallCap (Beter Bed, Brunel, ForFarmers) and a local company (Neways Electronics).

Risk in Focus 2018 | Hot topics for internal audit
22.09.2017 Publication

In 2016, IFACI, IIA Italy and IIA Spain published ‘Hot Topics for Internal Audit 2017’. This year, a wider group of European Institutes of Internal Auditors have taken a more ambitious approach, interviewing Chief Audit Executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK – to home in on key themes requiring the attention of internal audit to mitigate risk and protect and add value in their organisations.

Practice Guide: Engagement Planning: Establishing Objectives and Scope
14.09.2017 Publication

Planning is part of internal auditing’s systematic, disciplined, and risk-based approach and is mandated by the International Standards for the Professional Practice of Internal Auditing. Planning internal audit engagements involves considering the strategies and objectives of the area or process under review, prioritizing the risks relevant to the engagement, determining the engagement objectives and scope, and documenting the approach. This practice guide contains the engagement planning steps necessary to fulfill Standard 2200 – Engagement Planning through Standard 2220 – Engagement Scope and related assurance (.A) and consulting (.C) implementation standards. The exact order and details of planning an engagement, including establishing the objectives and scope, may vary according to the needs of the individual organization, internal audit activity, and engagement. However, the following planning steps are generally included: Understand the context and purpose of the engagement. Gather information to understand the area or process under review. Conduct a preliminary assessment of relevant risks. Form engagement objectives. Establish engagement scope. Allocate appropriate and sufficient resources. Document the plan. To plan the engagement effectively, internal auditors should start by understanding the context and purpose of the engagement, why it was included in the annual internal audit plan, and how the organization’s mission, vision, strategic objectives, and other elements align with those of the area or process under review. Internal auditors also consider whether the engagement is a request for assurance or consulting services, as stakeholder expectations and Standards requirements differ depending on the type of engagement. Next, internal auditors gather information about the area or process under review to determine the engagement objectives, scope, and plan. 
Internal auditors may examine documentation from prior assurance engagements, review applicable policies and procedures, and interview relevant stakeholders to understand and map the process flow and controls in the area or process under review. Conducting a preliminary assessment of the identified risks helps internal auditors prioritize the risks to be evaluated further during the engagement. Utilizing process maps and brainstorming potential risk scenarios are two techniques that help internal auditors identify risks and controls relevant to the area or process under review. This practice guide explains how internal auditors can use a risk and control matrix and heat map to prioritize the risks, then use the results to form the engagement objectives and scope, in conformance with the Standards. In addition, this guide explores how to allocate resources and document the process of planning and establishing the engagement objectives and scope.

SUMMARY: COSO's ERM Framework
07.09.2017 Publication

In keeping with its overall mission, the COSO Board commissioned and published in 2004 Enterprise Risk Management—Integrated Framework. Over the past decade, that publication has gained broad acceptance by organizations in their efforts to manage risk. However, also through that period, the complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, now titled Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance. The first part of the updated publication offers a perspective on current and evolving concepts and applications of enterprise risk management. The second part, the Framework, is organized into five easy-to-understand components that accommodate different viewpoints and operating structures, and enhance strategies and decision-making. 

IT Internal Audit: Multiplying risks amid scarce resources
01.09.2017 Publication

IT Internal Audit (ITIA) is coming under increasing pressure to measure the management and mitigation of technology risks that are proliferating. Resources are stretched and demands are ever increasing. As technology risks multiply, ITIA is being asked to do more. For some, budgets are rising, but not for all. IA professionals are rising to the challenge, but nonetheless this latest survey of the market shows there are significant gaps in resources and capabilities. To bridge the gap, ITIA must redouble its efforts to enhance the skills of existing personnel, to partner with third parties and to hire talented professionals where necessary. It is becoming critical to present a forward-looking and compelling business case for more resources, where needed, to the Board, Audit Committee and senior management. The findings in this report are based on a survey of 250 ITIA professionals around the world and the Netherlands. Insights are also included from KPMG’s 2016 IT Internal Audit conference. It is the third report of its kind (the previous ones were published in 2009 and 2013). We would like to thank all of the respondents who participated in the survey, including many of our member firms’ clients. We hope that you will find it a valuable and insightful assessment of the state of ITIA globally and in the Netherlands providing you with information that broadens your understanding of the critical contribution ITIA can make to the business. At a time when demands placed on ITIA are steadily growing, we expect this report will stimulate your thinking and provide fresh perspectives.

Internal Audit and the Second Line of Defense
22.08.2017 Publication

As governance and monitoring functions collaborate more closely to avoid duplication of effort, internal audit may be asked to take on responsibilities for risk management, compliance, regulatory oversight, and other governance activities. The chief audit executive (CAE) plays a critical role in navigating between internal audit’s traditional role and assuming responsibilities for risk management, compliance, and other governance functions. The CAE should be held accountable for preserving independence and objectivity, communicating with management and the board, and confirming management’s acceptance of risk to internal audit’s independence and/or auditor objectivity. To navigate through these competing challenges, internal auditors can look to The IIA’s guidance on effective risk management and control, and promulgated standards related to independence and objectivity.

GPI: Crisis Resilience
22.08.2017 Publication

Internal Audit and Crisis Resilience. The possibility of a crisis severely disrupting an organization’s ability to operate looms today like never before, given the pace with which global threats evolve. Incidents of sophisticated cyber sabotage, volatile weather patterns, terrorism attacks, and labor disruptions are escalating, and can strike, obviously, without warning. With these crisis events and the inability to continue operations and meet objectives comes damage to an organization’s reputation and its ability to meet stakeholder expectations. Yet a recent study reveals a broad gap between board members’ awareness of potential crises and their organizations’ actual crisis readiness. Being able to recognize potential crises, effectively handle such interruptions, and return to normal operations is extremely difficult. Gaining the capacity to do this quickly and efficiently with the minimum amount of impact, to be crisis resilient, is that much harder, and the ultimate goal. Crisis experts agree the key to being crisis resilient is preparation and that internal audit is positioned to play a key role in the process. Auditors’ breadth of skills, position in the organization, and deep knowledge of operations can help their businesses prepare for the inevitable crisis and move the organization from crisis aware to crisis resilient: ready to resist, react to, and recover from major disruptive events.

Strong Foundations - A Pulse of Internal Audit Supplemental Report
31.07.2017 Publication

Successful internal audit activities are built on a strong foundation - a foundation sturdy enough to withstand increased pressures from internal and external stakeholders, a turbulent geopolitical landscape, and evolving business practices. Unfortunately, weaknesses in a foundation are not apparent until the foundation is stressed, and then it's too late - the foundation crumbles. When the foundation crumbles, it becomes more difficult for internal audit to provide valuable services to the organization. This Pulse Report is intended for chief audit executives (CAEs) who are building new internal audit activities, as well as CAEs who want to examine the structural soundness of established internal audit activities. This report covers resources, competence, structure, IIA standards, and other foundational elements necessary to deliver world-class internal auditing.

Analytics: Good practices for (smaller) IAFs
25.07.2017 Publication

The following report, ‘Analytics: good practices for (smaller) IAFs’, sets out the findings of a field study commissioned by the Professional Practices Committee of IIA Netherlands. The aim of this report is to encourage and support the use of analytics in Internal Audit Functions (IAFs). Analytics has been part of our ‘toolset’ for many years, but recently rapid advances have been made in the available techniques. “The world hates change, yet it is the only thing that has brought progress.” (Charles Franklin Kettering). The auditing profession first emerged during the industrial revolution, and its original aims were to provide (additional) assurance to clients such as executive and supervisory directors and other stakeholders such as regulators and the general public. Since that time, the profession has steadily progressed and professionalised. However, in recent years many audit and control functions seem to struggle to keep up with the pace of the increasing digitisation and real-time developments in the economy. Traditional auditing in the sense of ‘retrospectively checking the figures’ is becoming increasingly inadequate. (2012, AICPA White Paper). Solutions to this are sought, including by: involving non-financial perspectives, such as client perspectives and those based on operational management and innovation, increasingly using (upfront) system audits, and increasingly incorporating ‘soft controls’ (culture and behaviour). These are all useful steps, but they are not sufficient. A promising solution that is already feasible for many audit functions is the use of analytics. It is expected that the use of analytics will enable auditors to substantially improve their effectiveness and efficiency.
Furthermore, in the near future the use of analytics will no longer be the exclusive domain of IT auditors, but will increasingly expand to other audit disciplines such as financial and operational auditing, as well as ‘second-line’ functions such as the internal audit, risk management and compliance functions. All this calls for research into the use of analytics that looks into the wishes and requirements of IAFs as well as the practical experiences they have gained. We hope this field study will inspire and support professionals in the use of analytics and will contribute to the further development and embedding of analytics in the internal audit profession. We would like to thank the auditors who contributed to this study for sharing their experiences and insights.