Vaktechnische Publicaties

The requirements placed on the Internal Audit function (IAF) by internal and external stakeholders seem to be constantly increasing. As a result of the financial crisis, new laws and regulations have been introduced in the financial sector and supervisory bodies have tightened up and expanded their supervision. In addition, increasing critical attention is paid in the public domain to the design and operating effectiveness of companies’ governance and their reporting of non-financial information. As the IAF plays an important role in the governance framework, there has been a corresponding increase in the requirements placed on the IAF. Various stakeholders quite regularly publish interesting documents that introduce additional requirements regarding the quality of the IAF. Recently, the Monitoring Committee for the Dutch Corporate Governance Code presented its proposals for revising this Code. These proposals envisage a prominent position for the IAF, which is considered “complementary to the external auditor.” According to the Monitoring Committee: “It is important to have a good interplay between the Executive Board, the Supervisory Board and the Audit Committee, as well as a good communication with the internal audit function and the external auditor.” An important element in the proposals in relation to the effectiveness of the IAF is also included in guidance 1.5.1, which states that the Audit Committee should supervise “the relationship with - and compliance with the recommendations of and followup given to comments of - the internal auditor and external auditor”.  

In 2013 voerde De Nederlandsche Bank (DNB) een onderzoek uit naar de internal audit functie (IAF) bij de Nederlandse banken. Daarbij kwam op een bepaald punt de uitdagende vraag naar voren: “Wanneer is een IAF eigenlijk als effectief te beschouwen?”. In de gesprekken die we als IIA-bestuur met DNB daarover hadden, worstelden we aan beide kanten met deze vraag. Duidelijk was toen al wel dat er vele facetten zijn die in het antwoord op deze vraag een rol spelen. Ongeveer anderhalf jaar geleden startte een aantal internal auditors, afkomstig uit de financiële industrie, met een discussie over dit onderwerp. Nationaal en internationaal werd geïnventariseerd wat er beschikbaar was aan normenkaders, best practices en performance-indicatoren. Veel gesprekken en veel discussies vonden plaats om te duiden wat in welke mate kon bijdragen aan de zojuist weergegeven uitdagende vraag. Een dankwoord is dan ook verschuldigd aan eenieder die vanuit zijn of haar eigen achtergrond input heeft geleverd om tot dit resultaat te komen. Omdat die groep nogal wisselend is geweest, laat ik naamvermelding achterwege. Een naam die echter wel genoemd moet en mag worden, is die van Dennis Webbers. Hij was namelijk degene die zich onvermoeibaar toonde op de momenten dat het onderwerp even te diffuus leek om af te ronden. ‘When the going gets tough, the tough get going’. Zijn we erin geslaagd om een antwoord te geven op de vraag wanneer een IAF effectief is? Ik durf het niet met zekerheid te zeggen, omdat het antwoord op deze vraag van vele factoren afhankelijk is, bijvoorbeeld: in welke industrie opereer je, hoe is je missie verwoord, en hoe werk je samen met bestuur, commissarissen en de externe accountant? Hoe dan ook kan iedereen die kennis neemt van dit boekwerk, daarna voor zichzelf een aantal relevante indicatoren selecteren en komen tot een volwassen performance-meting en rapportage daarover. En dat is een enorme winst!

The profession of internal auditing has been making great advancements in performance, positioning, and perception. The CBOK 2015 stakeholder study confirms these advancements but also highlights opportunities for internal audit to push even harder, moving to the next higher level of value for organizations. This report focuses on providing initial findings specifically from North America. While there is much to be explored in the survey responses, at a high level, a clear picture emerges regarding the importance of risk and relationships. Specifically, in the eyes of stakeholders: Internal audit does many things well that could be considered foundational elements of the assurance work of internal auditing. There are opportunities for internal audit to add value to their organizations by spending more time focusing on risk identification and management in addition to assurance work. Internal audit should focus more on strategic risks, but exactly what the stakeholders mean by that is less than clear or consistent. Increased demands on internal audit will require chief audit executives (CAEs) to prioritize competing demands. Managing these conflicts requires strong relationship and communication skills. A brief discussion is provided for each of these topics. Future CBOK stakeholder reports will delve deeper into the feedback from internal audit stakeholders and the implications.

Conflicthantering en onderhandelen is een belangrijke competentie voor internal auditors. Deze scriptie heeft als doel het vaststellen van effectieve stijlen van conflicthantering. Het tweede doel is het leggen van de relatie tussen persoonlijkheid en conflicthantering en het in kaart brengen van de samenstelling van de beroepsgroep internal auditors op het gebied van hun persoonlijkheid. Er is literatuuronderzoek gedaan naar de effectiviteit van de stijlen van conflicthantering in relatie tot persoonlijkheidsdimensies. Daarnaast is gebruik gemaakt van de survey, Personality for Professionals Inventory (PfPI) om de samenstelling van de beroepsgroep internal auditors op persoonlijkheidsdimensies in kaart te brengen. De PfPI is gebaseerd op het Five Factor Model, dat vijf dimensies van persoonlijkheid beschrijft. Deze vijf dimensies zijn Emotionele Stabiliteit, Extraversie, Openheid voor ervaringen, Altruïsme en Consciëntieusheid. De resultaten van het literatuuronderzoek laten zien dat de conflictstijl Collaboratie voor internal auditors de meest effectieve stijl van conflicthantering en onderhandelen is. In deze stijl van conflicthantering staat de balans tussen de inhoud en de relatie centraal. Het is belangrijk om zowel oog te hebben voor de jezelf (inhoud) als de ander (relatie). Soms moeten auditors, als gevolg van regelgeving, een Competitieve stijl hanteren, omdat zij hiertoe verplicht zijn. Op basis van de survey is naar voren gekomen dat internal auditors op vier van de vijf dimensies significant verschillen van de normgroep en dat zij gelijk scoren op de dimensie Altruïsme. Op basis van deze resultaten kan geconcludeerd worden dat Nederlandse internal auditors meer dan gemiddeld in staat moeten kunnen zijn tot het vertonen van effectief gedrag in conflicten en onderhandelingen. Tenslotte worden beperkingen van onderzoek besproken en aanbevelingen gedaan voor de praktijk.

Hier een teaser in te vullen

Regional Reflections: Africa is a customized research report that provides an African perspective on the findings from CBOK 2015, the largest ongoing study of internal audit professionals in the world. Building on the 10 imperatives for internal audit that were presented at The IIA’s 2015 International Conference, this report highlights unique concerns for Africa and provides insights from internal audit leaders in the region. Ongoing changes in African economies and governance systems have created notable differences between regions within Africa, which will be described throughout this report. See appendix A for key demographic information about each of the regions analyzed. South Africa clearly leads the way in building a strong foundation in corporate governance, risk management, and internal audit processes. One of the key drivers is the King Report on Corporate Governance (King III), which has encouraged organizations to strengthen their boards and helped push the relevance and importance of internal audit up the agenda. These reforms have had a ripple effect across much of the continent. Good governance is now often seen as key to strengthening the competitive performance of African business and a crucial tool in the fight against corruption in some government departments and in the private sector. Africa’s internal auditors are well placed to support better governance and are playing a leading role within their organizations. They generally have good reporting lines to the board and involve their stakeholders in the audit process—crucially seeking feedback about their activities against agreed objectives to maintain the relevance of internal audit’s work. But many improvements are a work in progress. Risk management systems, for example, are not always formalized and reporting lines can be confused or not independent from executive management in some organizations. That has put too many chief audit executives (CAEs) under pressure from their chief executives to alter audit findings. These issues echo concerns shared by auditors in other parts of the globe. Africa’s CAEs are making the case for extra resources but need to continue to secure significant increases in expenditure on automated auditing tools. CAEs need to be seen playing a lead role in their organizations—and in their ambition for their departments, its skills, and training. But every auditor can join the fight. Investing in training and development—particularly those crucial, intangible communication and leadership skills, and technology-related skills—is going to be key if the region’s auditors are to fulfill their potential. 

Mitigating operational risk is becoming a priority for banks that want to avoid penalties, reduce the likelihood of regulatory investigations and rebuild tarnished reputations. That’s prompting a step-change in the way operational risk is viewed and managed – moving away from a siloed, backward-looking approach, and towards a culture in which operational risk is managed proactively, strategically and on an organization-wide basis.

The most effective chief audit executives (CAEs) position their internal audit departments to add value and inspire business improvement by maximizing the productivity and contribution of their internal audit cohort. But how do they: Set goals that inspire auditors to deliver insights that matter? Boost productivity with appropriate rewards? Address differences between generations? This report provides GREAT insights on how CAEs and other audit leaders can improve their practices for evaluating and motivating internal auditors. You will learn strategies for: Goal Setting: Align personal goals of internal auditors to internal audit department goals and the organization’s strategies. Retaining Talent: Retain talent amidst changing needs of internal audit and the business.  Equipping Employees: Build capability and capacity for internal audit overall and individually. Assessing Performance: Evaluate internal auditors against overall internal audit department performance. Treating Success: Provide incentives and recognition to motivate internal auditors. Plus, you will also learn the implications of generational differences among Baby Boomers, Generation X, and Millennials in the internal audit workforce. Finally, insights are shared from the CBOK 2015 Global Internal Audit Practitioner Survey, the largest ongoing study of internal auditors in the world.

As the leader of the internal audit function, the chief audit executive (CAE) is responsible for its effective and efficient management. Although these traditional advisor/internal watchdog responsibilities are still the CAE’s primary priorities, that role is increasingly being called on to provide the services of a business partner or consultant as well.* This expanded sphere of responsibility requires the CAE to acquire and augment certain soft skills in addition to the technical audit skills that are needed to perform the traditional CAE role. What are those skills? What sort of education, experience, and certifications tend to lead to the CAE position? Organizations want to know so they can identify and groom their next internal audit leaders. Internal auditors who aspire to be CAEs also want to know so they can carefully shape their career paths with the desired target in mind. The CBOK 2015 Global Internal Audit Practitioner Survey addresses many of these questions. Data was gathered on the demographic characteristics of CAEs worldwide and interviews were conducted with global CAEs to identify the types of skills that tend to facilitate a move into the CAE position. The data shows that the CAEs surveyed are predominantly males between the ages of 40 and 49. They have obtained at least a bachelor’s degree, most likely with a major in accounting. They have spent about 13 years in internal audit, seven of them in the CAE position. Most have an internal audit certification, likely a Certified Internal Auditor (CIA) credential. Of course, those characteristics vary based on geographic region and organization type and size. For example, CAEs in North America tend to be older than CAEs from other regions and more likely to have obtained the CIA certification. In addition to examining current demographic differences, this report takes a look back in time, comparing data from prior CBOK surveys to the 2015 results to uncover meaningful trends. For example, the percentage of CAEs with an internal audit certification has increased significantly from the 41% reported in 2006 to 53% in 2015. While education, experience, and certifications are important, they alone are not sufficient to propel someone to the CAE ranks. Personal skills and attributes are also evaluated by organizations seeking to appoint a CAE. This report discusses those soft skills by relaying insights gathered through interviews with a number of global CAEs. These leaders share some of the characteristics and skills they believe are must-haves for aspiring CAEs. 

How well are internal audit departments meeting the needs of the audit committee, and is the internal audit department receiving the proper support and oversight from the audit committee? The overall answer to these two questions is that both groups are doing better, but there are many opportunities for improvement. Key insights in this report include: Although the numbers are increasing, there are still too many organizations without effective audit committees (or their equivalent). The frequency of audit committee meetings varies dramatically between regions—sometimes related to the nature of governance in a country, other times related to the maturity of the governance function. The opportunity for internal audit to meet with the board or audit committee in executive sessions without management present is quite low in some regions and needs to be improved. Governmental (and some private) organizations are lagging in developing effective audit committees (or their equivalent). Author Larry Rittenberg, professor emeritus at the University of Wisconsin-Madison, served as chairman of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) from 2004 to 2009. Current information about the interaction between audit committees and internal auditors was obtained from the CBOK 2015 Global Internal Audit Practitioner Survey, the largest ongoing survey of internal auditors in the world. 

Anyone who was in the business world some 15 years ago remembers the debacles associated with organizations such as Enron, WorldCom, and Adelphia. (While all United States-based examples, similar debacles have played out globally.) People watched astonished, dismayed, and disgusted as the stories unfolded, revealing a world of alleged corporate misdeeds and misconduct that rocked global financial markets and saddled innocent employees and stockholders with irreparable financial damage. Financial pundits wondered how the controls designed to make this sort of malfeasance impossible could have failed so completely. Cynics nodded their heads knowingly and suggested that perhaps this would awaken naïve consumers to the ugly realities of corporate life and underscore the negative aspects of capitalism run amok. Surely, a decade and a half removed, we can breathe a sigh of relief and feel confident that this sort of corporate malfeasance is behind us. Sadly, given current events that are ever-present through every media channel, that is not the case. There appears to be no shortage of corporate misbehavior and other manifestations of unsavory corporate culture, which begs the question of not only, “Where were the board and executive management?” but quite frankly, “Where is internal audit?” Perhaps more than ever, internal audit is faced with both a challenge and an opportunity. It is uniquely positioned to bring value to the organization by doing the hard work on the soft stuff — auditing culture.Anyone who was in the business world some 15 years ago remembers the debacles associated with organizations such as Enron, WorldCom, and Adelphia. (While all United States-based examples, similar debacles have played out globally.) People watched astonished, dismayed, and disgusted as the stories unfolded, revealing a world of alleged corporate misdeeds and misconduct that rocked global financial markets and saddled innocent employees and stockholders with irreparable financial damage. Financial pundits wondered how the controls designed to make this sort of malfeasance impossible could have failed so completely. Cynics nodded their heads knowingly and suggested that perhaps this would awaken naïve consumers to the ugly realities of corporate life and underscore the negative aspects of capitalism run amok. Surely, a decade and a half removed, we can breathe a sigh of relief and feel confident that this sort of corporate malfeasance is behind us. Sadly, given current events that are ever-present through every media channel, that is not the case. There appears to be no shortage of corporate misbehavior and other manifestations of unsavory corporate culture, which begs the question of not only, “Where were the board and executive management?” but quite frankly, “Where is internal audit?” Perhaps more than ever, internal audit is faced with both a challenge and an opportunity. It is uniquely positioned to bring value to the organization by doing the hard work on the soft stuff — auditing culture.

As governance and monitoring functions collaborate more closely to avoid duplication of effort, internal audit may be asked to take on responsibilities for risk management, compliance, regulatory oversight, and other governance activities. The chief audit executive (CAE) plays a critical role in navigating between internal audit’s traditional role and assuming responsibilities for risk management, compliance, and other governance functions. The CAE should be held accountable for preserving independence and objectivity, communicating with management and the board, and confirming management’s acceptance of risk to internal audit’s independence and/or auditor objectivity. To navigate through these competing challenges, internal auditors can look to The IIA’s guidance on effective risk management and control, and promulgated standards related to independence and objectivity.  

What do board members and C-suite executives view to be the top risks for their organizations this year? Not surprisingly, according to an annual survey from North Carolina State University’s ERM Initiative and Protiviti, regulatory changes, the economy and cyberthreats top their lists of concerns.

In last year’s Pulse of Internal Audit report, The IIA challenged the profession to address emerging risks by realigning audit coverage continuously — to audit “at the speed of risk.” Today, the challenge remains to move beyond annual planning and typical audit areas. The consequences of a toxic culture, the destructive impact of a cyberattack, the exponential growth in the collection and reliance upon data — these represent just a sampling of today’s risks that increasingly fall outside of the traditional comfort zone in which many auditors operate. As risks change, as new risks emerge, and as stakeholder expectations continue to evolve, internal auditors must move out of their comfort zone to audit at the speed of risk. This year’s IIA Pulse of Internal Audit survey focused on areas where changes in the business environment, changes in technologies, and changes in people are affecting the risk environment for organizations. How are internal auditors keeping up with these changes? In a bygone era, audit professionals carved out a comfort zone focused on financial and operational risks. The results from the survey highlight opportunities for internal audit to move out of the comfort zone. High-profile scandals and organizational failures that have littered the landscape over the past year point to the critical role of culture in the governance of organizations. Unfortunately, only 42 percent of survey respondents are addressing the culture in their organizations. Lack of management and board support for internal audit’s involvement in culture, and lack of internal audit’s ability to identify and measure organizational culture, are closely associated with internal auditors avoiding this risk. The issue of cybersecurity continues to present itself as a major topic of concern for organizations. Most survey respondents believe prevention is the most important response to this risk. While not ignoring the critical role of preventing cyberattacks, it has proven to be naive for many organizations to assume they can prevent a successful attack. Organizations must be prepared to respond to cyber risks, and the survey results indicate they may not be as prepared as they should be. In addition, while internal auditors recognize this risk, the majority (52 percent) acknowledge lack of expertise among internal audit as an obstacle to addressing cybersecurity risk as they should. Increasingly, organizations are using more data — and in more sophisticated way — to drive decisions. Internal auditors are not as involved in all aspects of data use and only 29 percent are very or extremely confident in the strategic decisions their organizations make based on the data it collects and analyzes. Interpersonal skills have never been more important for internal auditors. Most CAEs are not satisfied with the level of these skills in their teams. Less than half of survey respondents reported their teams have more than a moderate level of proficiency in soft skills. The data suggests significant room for growth. Risks keep evolving and growing and there are areas where internal audit has to move out of its traditional comfort zone and catch up to the risks. Shifts in mindset and sense of urgency are necessary for internal audit to meet and exceed the needs of their organizations — and to become trusted advisers.  

Regional Relections: Latin America is a customized research report that provides a Latin American perspective on the indings from CBOK 2015, the largest ongoing study ofinternal audit professionals in the world. Building on the 10 imperatives for internal audit that were presented at he IIA’s 2015 International Conference, this report highlights unique concerns for Latin America and provides insights from several internal audit leaders in the region. In addition, an appendix at the end of this report gives key demographics about survey respondents from Latin America. In many ways, internal auditors in Latin America perform well in comparison with their colleagues around the world. hey have strong relationships with stakeholders, often align well with the strategic objectives of their organizations, and have high levels of expertise in automated audit technologies. Having their performance pegged to the expectations of stakeholders, they are well placed to satisfy their customers and create real value to the businesses in which they work. However, there are improvements to be made. Too few chief audit executives (CAEs) primarily report functionally to the boards of their organizations, a situation that can compromise their departments’ performance. Management stakeholders can have excessive inluence over the annual audit plan and how the work of internal audit is perceived. A strong relationship with these stakeholders can be a double-edged sword, causing some auditors to focus too much on compliance and not enough on mission-critical projects. It is perhaps not surprising that 1 out of 3 CAEs say they have had pressure put on them to alter valid audit indings, and the source of the pressure is usually the CEO. Latin America needs a larger number of boards, and those boards also need to be efective and supportive of internal audit.  If conformance to he IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is relatively low when compared to global averages, and the proportion of people who hold IIA certiications is equally low, change is on the way. IIA ailiate bodies are working with the region’s governments to reduce the constraints on internal audit exerted by out-of-date regulations. CAEs are educating their boards and management about the value of the Standards, and individuals spend more hours in training than almost anywhere else in the world. he region’s internal auditors are moving forward.