Vaktechnische Publicaties

Anyone who was in the business world some 15 years ago remembers the debacles associated with organizations such as Enron, WorldCom, and Adelphia. (While all United States-based examples, similar debacles have played out globally.) People watched astonished, dismayed, and disgusted as the stories unfolded, revealing a world of alleged corporate misdeeds and misconduct that rocked global financial markets and saddled innocent employees and stockholders with irreparable financial damage. Financial pundits wondered how the controls designed to make this sort of malfeasance impossible could have failed so completely. Cynics nodded their heads knowingly and suggested that perhaps this would awaken naïve consumers to the ugly realities of corporate life and underscore the negative aspects of capitalism run amok. Surely, a decade and a half removed, we can breathe a sigh of relief and feel confident that this sort of corporate malfeasance is behind us. Sadly, given current events that are ever-present through every media channel, that is not the case. There appears to be no shortage of corporate misbehavior and other manifestations of unsavory corporate culture, which begs the question of not only, “Where were the board and executive management?” but quite frankly, “Where is internal audit?” Perhaps more than ever, internal audit is faced with both a challenge and an opportunity. It is uniquely positioned to bring value to the organization by doing the hard work on the soft stuff — auditing culture.Anyone who was in the business world some 15 years ago remembers the debacles associated with organizations such as Enron, WorldCom, and Adelphia. (While all United States-based examples, similar debacles have played out globally.) People watched astonished, dismayed, and disgusted as the stories unfolded, revealing a world of alleged corporate misdeeds and misconduct that rocked global financial markets and saddled innocent employees and stockholders with irreparable financial damage. Financial pundits wondered how the controls designed to make this sort of malfeasance impossible could have failed so completely. Cynics nodded their heads knowingly and suggested that perhaps this would awaken naïve consumers to the ugly realities of corporate life and underscore the negative aspects of capitalism run amok. Surely, a decade and a half removed, we can breathe a sigh of relief and feel confident that this sort of corporate malfeasance is behind us. Sadly, given current events that are ever-present through every media channel, that is not the case. There appears to be no shortage of corporate misbehavior and other manifestations of unsavory corporate culture, which begs the question of not only, “Where were the board and executive management?” but quite frankly, “Where is internal audit?” Perhaps more than ever, internal audit is faced with both a challenge and an opportunity. It is uniquely positioned to bring value to the organization by doing the hard work on the soft stuff — auditing culture.

As governance and monitoring functions collaborate more closely to avoid duplication of effort, internal audit may be asked to take on responsibilities for risk management, compliance, regulatory oversight, and other governance activities. The chief audit executive (CAE) plays a critical role in navigating between internal audit’s traditional role and assuming responsibilities for risk management, compliance, and other governance functions. The CAE should be held accountable for preserving independence and objectivity, communicating with management and the board, and confirming management’s acceptance of risk to internal audit’s independence and/or auditor objectivity. To navigate through these competing challenges, internal auditors can look to The IIA’s guidance on effective risk management and control, and promulgated standards related to independence and objectivity.  

What do board members and C-suite executives view to be the top risks for their organizations this year? Not surprisingly, according to an annual survey from North Carolina State University’s ERM Initiative and Protiviti, regulatory changes, the economy and cyberthreats top their lists of concerns.

In last year’s Pulse of Internal Audit report, The IIA challenged the profession to address emerging risks by realigning audit coverage continuously — to audit “at the speed of risk.” Today, the challenge remains to move beyond annual planning and typical audit areas. The consequences of a toxic culture, the destructive impact of a cyberattack, the exponential growth in the collection and reliance upon data — these represent just a sampling of today’s risks that increasingly fall outside of the traditional comfort zone in which many auditors operate. As risks change, as new risks emerge, and as stakeholder expectations continue to evolve, internal auditors must move out of their comfort zone to audit at the speed of risk. This year’s IIA Pulse of Internal Audit survey focused on areas where changes in the business environment, changes in technologies, and changes in people are affecting the risk environment for organizations. How are internal auditors keeping up with these changes? In a bygone era, audit professionals carved out a comfort zone focused on financial and operational risks. The results from the survey highlight opportunities for internal audit to move out of the comfort zone. High-profile scandals and organizational failures that have littered the landscape over the past year point to the critical role of culture in the governance of organizations. Unfortunately, only 42 percent of survey respondents are addressing the culture in their organizations. Lack of management and board support for internal audit’s involvement in culture, and lack of internal audit’s ability to identify and measure organizational culture, are closely associated with internal auditors avoiding this risk. The issue of cybersecurity continues to present itself as a major topic of concern for organizations. Most survey respondents believe prevention is the most important response to this risk. While not ignoring the critical role of preventing cyberattacks, it has proven to be naive for many organizations to assume they can prevent a successful attack. Organizations must be prepared to respond to cyber risks, and the survey results indicate they may not be as prepared as they should be. In addition, while internal auditors recognize this risk, the majority (52 percent) acknowledge lack of expertise among internal audit as an obstacle to addressing cybersecurity risk as they should. Increasingly, organizations are using more data — and in more sophisticated way — to drive decisions. Internal auditors are not as involved in all aspects of data use and only 29 percent are very or extremely confident in the strategic decisions their organizations make based on the data it collects and analyzes. Interpersonal skills have never been more important for internal auditors. Most CAEs are not satisfied with the level of these skills in their teams. Less than half of survey respondents reported their teams have more than a moderate level of proficiency in soft skills. The data suggests significant room for growth. Risks keep evolving and growing and there are areas where internal audit has to move out of its traditional comfort zone and catch up to the risks. Shifts in mindset and sense of urgency are necessary for internal audit to meet and exceed the needs of their organizations — and to become trusted advisers.  

Regional Relections: Latin America is a customized research report that provides a Latin American perspective on the indings from CBOK 2015, the largest ongoing study ofinternal audit professionals in the world. Building on the 10 imperatives for internal audit that were presented at he IIA’s 2015 International Conference, this report highlights unique concerns for Latin America and provides insights from several internal audit leaders in the region. In addition, an appendix at the end of this report gives key demographics about survey respondents from Latin America. In many ways, internal auditors in Latin America perform well in comparison with their colleagues around the world. hey have strong relationships with stakeholders, often align well with the strategic objectives of their organizations, and have high levels of expertise in automated audit technologies. Having their performance pegged to the expectations of stakeholders, they are well placed to satisfy their customers and create real value to the businesses in which they work. However, there are improvements to be made. Too few chief audit executives (CAEs) primarily report functionally to the boards of their organizations, a situation that can compromise their departments’ performance. Management stakeholders can have excessive inluence over the annual audit plan and how the work of internal audit is perceived. A strong relationship with these stakeholders can be a double-edged sword, causing some auditors to focus too much on compliance and not enough on mission-critical projects. It is perhaps not surprising that 1 out of 3 CAEs say they have had pressure put on them to alter valid audit indings, and the source of the pressure is usually the CEO. Latin America needs a larger number of boards, and those boards also need to be efective and supportive of internal audit.  If conformance to he IIA’s International Standards for the Professional Practice of Internal Auditing (Standards) is relatively low when compared to global averages, and the proportion of people who hold IIA certiications is equally low, change is on the way. IIA ailiate bodies are working with the region’s governments to reduce the constraints on internal audit exerted by out-of-date regulations. CAEs are educating their boards and management about the value of the Standards, and individuals spend more hours in training than almost anywhere else in the world. he region’s internal auditors are moving forward.

Effectively Leverage Your Most Valuable Asset Regardless of organization size, sector, or industry, people are an organization’s most valuable asset. Ensuring the internal audit activity is adequately staffed is just one piece of the puzzle. It must comprise the right people, who have the right skill sets, and who are afforded the right opportunities for growth and development if internal auditing is to add real value and meet stakeholder expectations. Talent Management: Recruiting, Developing, Motivating, and Retaining Great Team Members outlines best practice recommendations for the various elements — everything from assessing competencies and selecting candidates to training and succession planning — that make up an organization’s talent management strategy. This is for members only. To access it and other valuable resources, become a member today. Non members: Purchase ($ 25,-) the practice guide, “Talent Management"

Beyond the Numbers: Internal Audit’s Role in Nonfinancial Reporting Internal auditors are familiar with annual reports — crisp recitations of organizational activities, a few words from the CEO, eye-catching graphics, pages of financial outcomes, and, for publicly traded companies, a long list of required disclosures relating a vast array of sometimes confusing and mind-numbing detail. The reports encompass everything the reader needs to know about the company, especially if that reader is contemplating investing in the organization. Right? Maybe not. Increasingly, investors and other stakeholders want more from company reporting. They want to know if the organization is operating sustainably, if it monitors its impacts on the environment, if it is mindful of social issues such as diversity and equal opportunity. When making decisions about supporting a company, stakeholders increasingly expect a more comprehensive report — one that goes beyond financial health. Many organizations also want stakeholders to have improved insight into activities they perform that benefit the greater public good or serve a public interest. Nonfinancial reporting fills the void by reporting quantitative and qualitative information that falls outside the scope of mainstream financial statements. Though not an exhaustive list, related terms include corporate social responsibility (CSR) reporting; sustainability reporting; integrated reporting; holistic reporting; enhanced reporting; service efforts and accomplishments reporting; and environmental, social, and governance (ESG) reporting.1 This is not a passing trend — the European Union has required nonfinancial reports for some 6,000 organizations across member countries;2 global frameworks and standardized approaches to nonfinancial reporting are gaining recognition;and globally, organizations are expected to increase spending on sustainability assurance by 20 percent over the next five years.3 In 2013, KPMG et al published the results of a survey on corporate reporting in 45 countries.4 It found 134 mandatory policies and 53 voluntary policies related to at least some aspects of nonfinancial reporting, among countries such as Australia, Brazil, China, France, India, Indonesia, Japan, Mexico, Singapore, and South Africa.

It can be a daunting task for internal auditors to grapple with how geopolitics impacts their organizations. After all, geopolitics includes broad and complex interrelated topics such as climate change, the outbreak of disease, political instability, economics, war, and conflict, all of which can present risks to the organization with little or no notice. Geopolitical risks cannot be considered in isolation; these risks are quite interrelated. This paper briefly describes the impact of economics, war, and conflict on one particular topic that has pervaded global business news headlines — the price of oil. The authors consider the impact of the price of oil on multiple industries. Finally, they explore the key considerations for internal audit in addressing geopolitical risks to the organization. 

The word ‘strategy’ can nowadays be found in almost every internal audit activity plan. But what does it actually mean? There are many different manners in which organizations and internal audit functions deal with organizational strategy. This discussion paper ‘Strategy-related auditing’ explores the role of Internal Audit Functions (IAFs) in the strategic management process of an organization. It is based on documentation and desk research, a questionnaire-based survey amongst Chief Audit Executives (CAEs), personal interviews with CAEs and board members (both executive and non-executive), and several round table discussions with CAEs (in charge of both large and small IAFs). The objective of this research was to assess the degree to which IAFs are currently considering organizational strategy and the organization’s strategic management process in their audit assignments and annual audit plans. Based on this discussion paper we encourage the profession to further explore the topic and for the Institute of Internal Auditors to provide more guidance. Our exploratory research reveals that there is a wide variety in how IAFs deal with strategic risks and organizational strategy. We found nine appearances of strategy-related auditing during our research. These can be divided into two distinct categories: strategic risk audits and strategy process audits. Strategic risk audits focus on risks that are the result of pursuing certain strategically important organizational goals. Strategy process audits, on the other hand, assess formulation, implementation, evaluation and control of the strategic management process or (the content of) the formulated strategy itself. Four out of nine identified appearances we categorize as strategic risk audits, five we categorize as strategy process audits.

Mede naar aanleiding van fraude en corruptieschandalen die de media haalden, is de laatste decennia het belang van soft controls voor de governance en de interne beheersing van organisaties duidelijk geworden. Ontoereikende soft controls hebben een belangrijke impact op het realiseren van de ondernemingsdoelstellingen. Daarnaast stellen toezichthouders en regelgevers soft controls steeds dwingender aan de orde en voor een enkele branche, de financiële sector, heeft dit al tot wet- en regelgeving geleid. Verwacht kan worden dat een soortgelijke ontwikkeling zich ook in andere sectoren voordoet/ gaat voordoen. Organisaties zijn verantwoordelijk voor een adequate integratie van soft controls in het interne beheersingskader. Dit beheersingskader is een belangrijk object van onderzoek voor de Internal Auditor. Als een logische consequentie behoort Internal Audit de beoordeling van soft controls als een essentieel onderdeel van de governance en interne beheersing in haar audit planning en werkzaamheden op te nemen. Het Institute of Internal Auditors besteedt in de International Standard for the Professional Practice 2110 expliciet aandacht aan de bedrijfsethiek als onderdeel van de governance. Uit deze Standard blijkt dat de Internal Auditor, naast de hard controls, expliciet aandacht moet besteden aan de soft controls. Cruciaal is hierbij de vraag: “Hoe kan de audit op soft controls het beste worden ingevuld en welke aanknopingspunten heeft de Internal Auditor?” Een werkgroep van de IIA Commissie Professional Practices heeft dit nader onderzocht. Deze werkgroep bestond uit deelnemers uit diverse bedrijfstakken. De hoge response op de door de werkgroep uitgestuurde enquête geeft duidelijk aan dat het onderwerp in onze beroepsgroep leeft. Op basis van een literatuurstudie, de uitkomsten van de enquête en praktijkervaringen is deze handreiking opgesteld om tot een pragmatische aanpak voor een audit op soft controls te komen. Deze publicatie zal beslist niet het laatste woord zijn over dit onderwerp. De ambitie is, dat deze handreiking ook leidt tot verdere discussie en door de discussie bijdraagt aan de verdere ontwikkeling voor audits op soft controls. De Commissie Professional Practices bedankt de werkgroep soft controls, de geïnterviewden, de Internal Audit Functies die hebben gereageerd op de enquête en alle overige vakgenoten die hebben bijgedragen aan de totstandkoming van deze handreiking. Leen van der Plas, Commissie Professional Practices