Professional Publications

In our knowledge centre you will find an extensive collection of professional publications that support you in your work as an internal auditor. From practical guides and whitepapers to in-depth analyses and international standards, all our publications are aimed at strengthening your expertise and raising the quality of internal audits. Discover valuable insights and stay up to date in the dynamic field of internal auditing!


Next Steps: Beyond Response to Anticipation
17.03.2017 Publication

As cyberattacks grow in frequency, severity, and complexity, cybersecurity professionals are urging organizations to move beyond a defensive and reactive approach to a more proactive approach, allowing for the prediction and anticipation of cybersecurity threats. Recognizing this emerging trend, the Institute of Internal Auditors’ Audit Executive Center (AEC), in collaboration with the Internal Audit Foundation, elected to supplement recent research by conducting a Quick Poll survey of chief audit executives (CAEs) to ask specific questions about their organizations’ use of security operations centers (SOCs) as part of their cybersecurity strategies. Responses were received from 130 CAEs, representing organizations of various sizes from many industries. In addition to providing insights into specific SOC policies and practices, the AEC Quick Poll survey results also suggest that some conclusions can be drawn about CAEs’ general levels of involvement in monitoring and reviewing their SOC operations. In order to assure complete anonymity, the survey respondents were not asked to provide identifying or qualifying information about their organizations. Using the survey findings as a starting point, researchers from Crowe Horwath conducted a series of follow-up interviews with information security executives in various organizational structures and geographic locations, and with various sensitivities to cybersecurity threats. The objective was to gather first-hand examples of current best practices. To protect the companies’ identities, the interview responses were normalized into three general types of organizations: 1) large companies with global operations, 2) large companies with national operations, and 3) medium-size companies with regional operations. The responses were summarized along those lines in this report. The research team also interviewed representatives of a number of leading vendors that offer cybersecurity intelligence solutions and services.
In addition to offering a summary of that research, this report is intended to help cybersecurity professionals, CAEs, and other stakeholders to explore broader issues and to answer two questions: 1) How can organizations move beyond merely reacting and responding to cybersecurity incidents and instead start to identify, anticipate, and actively defend against known and emerging threats? 2) What role can CAEs play in encouraging and facilitating this shift from a reactive to a proactive stance? By addressing—and ultimately answering—these questions, organizations can take the critical first steps to advancing their cybersecurity initiatives regardless of whether they are first establishing a SOC, or advancing further and establishing a fully functioning security intelligence center (SIC). 

Audit: op weg naar de nieuwe realiteit (Audit: Towards the New Reality)
06.03.2017 Publication

How do you measure culture and behaviour? How do we deal with the growing influence of IT? And what is the solution to the scarcity on the labour market? In the audit world, change is one of the few constants. Every organisation looks for the answers to these questions in its own way. Each discipline faces its own challenges: the accountant in business, the public accountant, and the internal and government accountant. What developments do they see? How do they respond to them? And what does the future of the audit profession look like? Recently we asked a number of leading professionals with an audit background for their views. The result: four stories that, each from its own perspective, offer an interesting look into a changing world. That the view of these developments differs per discipline and per person became abundantly clear when we raised the subject of the ‘professional oath’. Opinions on its introduction ranged from ‘nonsense’ to ‘a good thing’. Either way: every accountant must have taken the professional oath before 1 May 2017. It is one of the 53 measures intended to restore trust in the profession. Alongside all the trends and developments in the field itself, a lot is also happening on the labour market. Audit is a focus area for Yacht Finance and a discipline in which we have a great deal of expertise, partly because of the ever-increasing scarcity on the labour market. In doing so, we focus mainly on the combination of audit and finance & control. On the one hand because our clients benefit greatly from professionals who master both, on the other hand because precisely this combination gives employees a unique position on the labour market and accelerates careers. Nobody knows exactly what the new reality will look like. Yet its contours are slowly taking shape. In this whitepaper we would like to take you through the developments, challenges and issues in the audit world.

KPMG Report: Is everything under control?
17.02.2017 Publication

Given expectations for slow growth and economic and political uncertainty, technology advances and business model disruption, cyber threats, greater regulatory scrutiny, and investor demands for transparency, it’s hardly surprising that most audit committees around the world point to risk management as the top challenge facing the company in the year ahead. More than 40 percent of respondents say their risk management systems require substantial work. Audit committees, by and large, continue to express confidence in financial reporting and audit quality; yet, along with risk management, our 2017 Global Audit Committee Pulse Survey highlights ongoing concerns about legal and regulatory compliance, managing cyber security risk, and managing the control environment in the company’s extended organization. Of the more than 800 audit committee members responding to our survey, nearly 4 in 10 said the committee’s effectiveness would be most improved by having a “better understanding of the business and key risks,” while nearly a third said additional expertise related to technology or cyber security would be helpful. Overall, audit committees are largely satisfied that their agendas are properly focused on legal and regulatory compliance issues, maintaining internal controls over financial reporting, and key assumptions underlying critical accounting estimates. However, they see room for improvement when it comes to focusing on CFO succession planning, talent and skills in the finance organization, tone at the top and culture, and aligning the company’s short- and long-term priorities. Most audit committees say their organizations have a long way to go in their efforts to implement major new accounting standards. Fewer than 15 percent report a clear implementation plan for the new revenue recognition standard, and fewer than 10 percent reported a clear plan for implementation of the new leasing standard. 
And of those whose companies are affected by the Organisation for Economic Co-operation and Development’s (OECD) country-by-country tax reporting, many expressed concern about the lack of clarity or communication with their committee on that issue. Survey respondents also cited ongoing opportunities to improve their company’s ability to manage cyber risks. Of course, these challenges will vary by company and by country (and it is difficult to compare data from 15 countries, often with markedly different business environments, regulatory requirements, and corporate governance practices). But our survey findings offer insights that audit committees around the world can use to sharpen the committee’s focus, benchmark its responsibilities and practices, and strengthen its oversight.

KPMG: Internal Audit - Top 10 Considerations for 2017
27.01.2017 Publication

Competing in a rapidly changing world, companies must grapple with emerging challenges seemingly every day: cyber threats, emerging and potentially disruptive technologies, business performance risk and more. In this increasingly complex environment, Internal Audit (“IA”) has a crucial role to play to help the organization in managing risks associated with these diverse business trends. This is also in line with the UK and Dutch Corporate Governance Codes. An impactful IA function will stay current with these wide-ranging business issues as they emerge so it can help monitor related risks and their potential effects on the organization. To provide the greatest value, IA must find opportunities to challenge the status quo to reduce risk, improve controls and identify potential efficiencies and cost benefits across the organization. To help IA functions achieve these goals, KPMG surveyed IA functions from companies in multiple industries globally and in the Netherlands. The result is KPMG Internal Audit: Top 10 Considerations for 2017, which outlines areas where IA should focus so it can effectively add value across the organization and maximize its influence on the company. Top 10 Considerations for 2017: Cybersecurity; Culture/Soft Controls; Integrated Assurance; Regulatory compliance; Third party relationships; Anti-bribery/anti-corruption; Emerging technologies; Data analytics and continuous auditing; Performance risk; Strategic alignment.

Global Perspectives and Insights: Elevating Internal Audit’s Strategic Impact
04.01.2017 Publication

The increasing importance of internal audit’s role as the third line of defense in effective risk management and control has raised its visibility both within and outside of the organization. As a result, chief audit executives (CAEs) and internal audit departments are looking for ways to utilize their unique expertise to enhance their value to the overall corporate mission. This leads to the question — asked by all high performing support areas such as finance, human resources, IT, and legal — how can we have a strategic impact on the organization? Internal audit is uniquely positioned to be a strategic partner. With reporting relationships to the chief executive officer (CEO) or other executive officer, audit committee, and the board, high performing CAEs combine intelligence, expertise, diligence, and curiosity in a manner that positions internal audit for a critical strategic role. Despite this, CAEs are not generally recognized for the potential strategic impact that they can have on their organizations. For CAEs looking to elevate the strategic role of internal audit, several questions should be answered to take this next logical and desired step. Does the CAE understand the strategic mission of the organization at a deep level? Does the CAE understand the perspective of the CEO and board and make the effort to become a trusted partner, offering advice and solutions that address key problems? Is internal audit aligned with the strategic mission? Is internal audit anticipatory and proactive (rather than reactive)? Does the CAE provide assurance on risk management? Unfortunately, traditional perceptions of internal auditing can lead to wariness on the part of others to embrace internal audit as a strategic partner. Further, internal audit must balance the independence that is required for its role against the level of involvement in the tactical duties necessary to achieve the organization’s goals. 
After all, it is the mandate of internal audit to assess these tactics. But proactively addressing these challenges can lead to a real opportunity for internal audit to be recognized as a strategic partner and contributor.

CBOK: Achieving Excellence in Assurance, Strategic Risk Insights, and More
29.12.2016 Publication

Global macroeconomic uncertainty and rock-bottom interest rates, soaring regulatory expectations, cybersecurity threats and attacks, legacy information technology (IT) systems, Fintech, blockchain, and other disruptive innovations are all examples of the staggering collection of market and regulatory challenges that confront the financial services industry (FSI), making it the most demanding sector in which internal auditors operate. Amid the industry’s growing macroeconomic, regulatory, procedural, and technological complexity, internal audit within FSI must fulfill its core mission of delivering assurance excellence. Yet, internal auditors must do more. Effective assurance alone no longer guarantees success. This is an important message conveyed by FSI participants in the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Survey. The results of this global survey of stakeholders (specifically, the results from the responses of executives and board members who work closely with internal auditors) reveal best practices that internal auditors in FSI should consider in their quest to continually improve performance and deliver more value to their organizations. Among the key findings: Internal audit reporting structure, the chief audit executive’s (CAE’s) relationships with the boards and the executive teams, and the entire function’s communication skill and style represent key success factors. Assurance is paramount. The consultative, value-added work that stakeholders clearly want auditors to deliver cannot detract from assurance. Assurance work is most valuable when it is aligned with the strategic risks of the organization and provides credible challenges to the effectiveness of risk management activities within the organization. CAEs and internal auditors should convey both good and bad news while exerting their influence to focus attention (at the board level and throughout the organization) on specific risks.
CAEs also should possess the authority necessary to elevate and communicate strategic issues quickly to executive management and the board. Stakeholders expect internal audit to assess governance effectiveness and to monitor the values and behaviors that influence the organization’s risk culture. Stakeholders believe that internal audit should take on a more active role in assessing and evaluating the organization’s strategic risks and emerging risks.

Harnessing the power of cognitive technology to transform the audit
28.12.2016 Publication

Your work as an audit professional is fundamentally about trust. It's important to explore how you can continue to promote trust during this time of profound change across the business landscape. Given the explosion of data and the digitization of our lives, we want to promote a discussion about how the audit profession must evolve its tools and approach to keep up with the pace of change and remain relevant in a dynamic marketplace. Specifically, our profession must embrace the use of advanced technologies, including data and analytics (D&A), robotics, automation and cognitive intelligence, to manage processes, support planning and inform decision making. KPMG is constantly thinking about the development of innovative capabilities and technologies that will enhance quality and strengthen the relevance of audits into the future. Where auditors once searched manually through reams of financial information to hunt down the anomaly that may give pause to the appropriateness of a company’s assertion, the accumulation of large data sets and the application of advanced analytics and cognitive technologies make it possible to rapidly and precisely analyze larger, more complete populations of financial and non-financial data. The use of these technologies can also generate richer, more detailed audit evidence for evaluation and provide executives with actionable insights about their organizations, their core processes and their controls. What’s more, supervised cognitive systems can learn from each encounter with new information enabling continuous refinement of the knowledge and analytical capabilities of the system. It’s really simple: Cognitive technology isn’t just changing the face of financial reporting and auditing, it’s revolutionizing it. 
To prepare for this environment, tomorrow’s teams of professionals must possess more than just an understanding of accounting and auditing – they will need stronger critical thinking, analytical, data science and IT skills to complement their financial and business acumen. To that end, KPMG is committed to fostering a culture of innovation and learning, especially within the Audit Practice.

CBOK: Ethics and Pressure
24.11.2016 Publication

Internal auditors often face challenges to their judgment and to their core ethical values. How they handle those challenges determines the value of the profession. This report provides an overview of results from the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Survey regarding ethics in internal auditing. It also provides a framework that can be used to analyze internal audit professional ethics and related pressures. While all internal auditors are likely to face ethical pressures at some point during their careers, the CBOK practitioner survey data indicates that there are distinct differences in pressures on internal auditors in various regions across the globe. There are also differences in the strength of support for the function when internal auditors face ethical dilemmas. Both the strength of ethical codes and internal audit responsibilities related to those codes have increased in the five years since the last CBOK survey was conducted, but the 2015 survey demonstrates that there are many ways in which the ethical environment can be improved. Too many organizations, especially in the public sector, do not have organizational codes of conduct or codes of ethics, and many internal auditors receive little or no training regarding The IIA’s Code of Ethics. Relatively few ethics audits are taking place and the data suggests that it may be difficult to perform an audit of the ethical environment if an organization does not have a code of ethics. In an ideal environment, internal auditors should always be able to present findings without the threat of personal recrimination. Unfortunately, internal auditors do not always operate in such environments. Internal auditors who resist pressure to change their findings are at times subjected to negative consequences such as pay cuts, involuntary transfers to other positions, or even termination of employment.
The internal audit profession could not exist without a strong foundation based on a commitment to ethical conduct. The framework provided by this report demonstrates a clear need for all internal auditors to adopt The IIA’s Code of Ethics to help guide performance when they face ethical pressures.

CBOK: Internal Audit Quality Assurance and Improvement
25.10.2016 Publication

This report provides an overview of the results from the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Practitioner Survey regarding internal audit quality assurance and improvement programs (QAIPs), and evaluates the internal audit profession’s conformance with professional standards related to QAIPs. The 2015 CBOK practitioner survey found significant and troubling differences between approved professional standards and actual internal audit practices. Although The International Standards for the Professional Practice of Internal Auditing requires development and maintenance of QAIPs covering all aspects of internal audit activity, only 34% of participating chief audit executives (CAEs) stated that they fully conform with this requirement. Many CAEs who reported that they do not conform with this requirement also do not disclose their nonconformance to their audit committees or other governing bodies. The internal audit profession’s failure to abide by its own quality standards may have profound consequences because internal audit functions with fully developed QAIPs tend to be different from other internal audit functions. Compared to other CAEs in the CBOK study, those reporting conformance to professional standards related to internal audit quality: were more likely to report functionally to a board, audit committee, or equivalent; were more likely to have complete and unrestricted access to information as appropriate for the performance of audit activities; worked in organizations with more highly developed risk management processes; used a wider variety of resources to develop audit plans; made more use of technology in internal audit processes; were more likely to have documented procedures in an internal audit manual; received more hours of training and were more likely to have formalized training programs; and were more likely to report that funding for the internal audit function was “completely sufficient.”

GTAG: Assessing Cybersecurity Risk
10.10.2016 Publication

Organizations of all types are becoming more vulnerable to cyber threats due to their increasing reliance on computers, networks, programs and applications, social media, and data. Security breaches can negatively impact organizations and their customers, both financially and in terms of reputation. Global connectivity and accessibility to information by users outside the organization increase risk beyond what has been historically addressed by IT general and application controls. Organizations’ reliance on information systems and the development of new technologies render traditional evaluations of IT general and application controls insufficient to provide assurance over cybersecurity. Cybersecurity refers to the technologies, processes, and practices designed to protect an organization’s information assets — computers, networks, programs, and data — from unauthorized access. With the frequency and severity of cyberattacks on the rise, there is a significant need for improved cybersecurity risk management. The internal audit activity plays a crucial role in assessing an organization’s cybersecurity risks by considering: Who has access to the organization’s most valuable information? Which assets are the likeliest targets for cyberattacks? Which systems would cause the most significant disruption if compromised? Which data, if obtained by unauthorized parties, would cause financial or competitive loss, legal ramifications, or reputational damage to the organization? Is management prepared to react timely if a cybersecurity incident occurred? This practice guide discusses the internal audit activity’s role in cybersecurity, including: The role of the chief audit executive (CAE) related to assurance, governance, risk, and cyber threats. Assessing inherent risks and threats. The first, second, and third lines of defense roles and responsibilities related to risk management, controls, and governance. Where gaps in assurance may occur. 
The reporting responsibilities of the internal audit activity. In addition, the guide explores emerging risks and common threats faced by all three lines of defense and presents a straightforward approach to assessing cybersecurity risks and controls.

Bondgenoten in Governance 2.0 (Allies in Governance 2.0)
25.09.2016 Publication

In a well-balanced and well-structured corporate governance framework, the Audit Committee (AC), the Internal Audit Function (IAF) and the external accountant (EA) depend on one another. The IAF is increasingly seen as an essential part of the organisation’s governance. The IAF supports the AC by providing insight into and assurance about the design and effectiveness of governance, risk management and internal control measures. The AC can create the right preconditions and conditions for the IAF, which optimise the independent and objective functioning of the IAF and promote the complementary functioning of the IAF and the EA. The relationship between the AC and the IAF was first formalised in the first Dutch Corporate Governance Code (the Code) in 2003. Five years later, the Royal Netherlands Organisation of Chartered Accountants (NBA) (then NIVRA) and the Institute of Internal Auditors Netherlands (IIA) examined the practice at the time and published the findings and best practices in ‘Bondgenoten in Governance’ (2008). In the spring of 2016, the IIA and the NBA put together a working group to re-examine the relationship between the AC and the IAF. In connection with the proposal to revise the Code, in which the triangle of AC, IAF and EA features prominently, the working group also paid attention to the relationship between the IAF and the EA. The main conclusions of the study are: The formal relationship between the AC and the Chief Audit Executive (CAE) is generally well arranged. This relationship is defined in the charter of the IAF. Most ACs are aware of the importance of appointing a qualified CAE. They are therefore actively involved in the CAE’s appointment or dismissal. This involvement can be improved further if every AC chair has a conversation with the prospective CAE prior to the appointment.
Almost all ACs (80%) are involved in the appraisal of the CAE. This improves his functioning because his objectivity is better safeguarded if his appraisal is not drawn up exclusively by those directly involved. The CAE is seen as a full discussion partner and, in most organisations, attends the entire AC meeting. This allows the CAE to share his insights with the AC, including in areas he has not (yet) examined. It also provides the CAE with important information that he needs in performing his role. In most organisations, the chair of the AC and the CAE speak bilaterally several times a year. This strengthens independence and the bond of trust. To function well as a ‘trusted advisor’ to both the chair of the board and the chair of the AC, transparency about the content of these conversations is important. The AC discusses the audit plan and the resources made available. Changes to the audit planning are discussed with the CAE (at least) annually. Limiting the resources made available affects the choices that have to be made when drawing up the audit plan. It is important that the AC understands which risks cannot be covered with the available resources. Better insight on the part of the AC can lead to an adjustment of the available resources, so that the desired ‘audit coverage’ is achieved. The AC can improve its assessment of the effectiveness of the IAF by agreeing a broad range of KPIs in consultation with the CAE. The IAF’s quality assurance and improvement programme should be part of this. Given the growing importance of culture and behaviour as part of the governance of organisations, ACs should discuss the approach to audits in this area with the CAE. Not all CAEs currently consider themselves able to take up this gauntlet.
The IIA and the NBA should support their members in this area by helping them develop an approach through training and publications. Following the proposal to revise the Code, the cooperation between the IAF and the EA should be given a new approach, revolving around the question of where they meet and complement each other across the whole field of financial and non-financial information. Optimising the relationship between the IAF and the EA, and opportunities to improve the organisation’s governance through complementarity, should be placed on the AC’s agenda. Consideration could be given to reporting jointly each year to the board and the AC on the design, existence and operation of the governance, risk management and internal control systems.

Allies in Governance 2.0
25.09.2016 Publication

In a properly balanced and structured corporate governance framework, the Audit Committee (AC), the Internal Audit Function (IAF) and the external accountant (EA) rely on each other. The IAF is increasingly seen as an essential element of the organisation’s governance. The IAF supports the AC by providing insight into and assurance about the design and effectiveness of the governance, the risk management and the internal control measures. The AC is in a position to create the correct prerequisites and conditions for the IAF that optimise the IAF’s independence and objective functioning and promote the complementary functioning of the IAF and the EA. The relationship between the AC and the IAF was first formalised in the original Dutch Corporate Governance Code (the Code) in 2003. Five years later, the Royal Netherlands Organisation of Chartered Accountants (NBA) (then NIVRA) and the Institute of Internal Auditors Netherlands (IIA) surveyed the practice at the time and published the findings and best practices in ‘Allies in Governance’ (2008). In the spring of 2016, the IIA and the NBA jointly set up a working group to look anew at the relationship between the AC and the IAF. In connection with the proposal to revise the Code, in which the AC, IAF and EA triangle features prominently, the working group also focused on the relationship between the IAF and the EA. The main conclusions from the survey are: The formal relationship between the AC and the Chief Audit Executive (CAE) is generally well structured. This relationship is defined in the IAF charter. Most ACs are aware of the importance of appointing a qualified CAE. They are therefore also involved in their appointment or dismissal. This involvement can be further improved if every chair of an AC has an interview with the prospective CAE prior to the latter’s appointment. Almost all the ACs (80%) are involved in assessing the CAE.
This improves his functioning because his objectivity is better guaranteed if his performance appraisal is not only prepared by people directly involved. The CAE is seen as a valuable discussion partner and, in most organisations, is present at the entire AC meeting. This enables the CAE to share insights with the AC, also in areas that he has not (yet) studied. It also gives the CAE important information that he requires in fulfilling his job. In most organisations, the chairs of the AC and CAE have bilateral discussions several times a year, which strengthens the independence and the bond of trust. To function optimally as ‘trusted advisor’ to both the chair of the board and that of the AC, transparency about the content of these discussions is essential. The AC discusses the audit plan and the available resources. Changes in the audit planning are discussed annually (at least) with the CAE. Restricting the available resources has an impact on the choices that have to be made when preparing the audit plan. It is important that the AC understands which risks cannot be covered with the available resources. Better insight by the AC can result in adaptation of the available resources in order to achieve the desired audit coverage. The AC can strengthen the assessment of the effectiveness of the IAF by agreeing a wide range of KPIs in consultation with the CAE. The IAF’s quality control and improvement programme has to be part of it. Given the increasing relevance of culture and conduct as part of the organisations’ governance, ACs should discuss the audit approach in this field with the CAE. Not all CAEs currently feel themselves up to the task of picking up this gauntlet. The IIA and the NBA should offer the members support in this area by assisting them in developing an approach through training and publications. 
In view of the proposal to revise the Code, there should be a new approach to the collaboration between the IAF and EA, centred on the question of where they encounter and complement one another in the overall field of financial and non-financial information. Optimisation of the relationship between the IAF and the EA and opportunities to improve the organisation’s governance in partnership should be put on the AC’s agenda. An option is to report jointly each year to the board and the AC on the design, existence and operation of the governance and the risk management and internal control systems.