Vaktechnische Publicaties

This report contains the findings of a study into the extent to which Internal Audit Functions (IAFs) conduct audits focused on culture and behaviour (C&B), the extent to which C&B is discussed in the meetings between the IAF and the Audit Committee (AC) and the ambitions of IAFs in this area. Much has been published about C&B in recent years. This publication occupies a unique position in the literature on this topic. It does not focus on the importance of the topic, the possible role of the IAF or the research methods, but on the state of affairs, the ambitions and the tools to achieve these ambitions. In a careful process, the working group defined a practical theoretical framework for this, conducted a survey among Chief Audit Executives (CAEs), discussed the survey results in interviews with a number of Supervisory Board members, and reflected on them in a roundtable meeting with participating CAEs. The report contains a number of key insights and tools, which are elaborated step by step and summarised in a clearly structured way in a concluding section. What is striking in the findings in any case is that many IAFs want C&B to receive more attention, and that the IAF is the main internal supplier of C&B-related audits and the Supervisory Board / AC is seen as an important sponsor, but also that CAEs need to take the initiative on this and ‘pitch’ such audits. The report is an excellent tool for (even) further integrating C&B in management, auditing and supervision. In addition, it provides CAEs with an excellent point of reference for benchmarking their own situation and ambitions and entering into discussions with their Management Board and Supervisory Board / AC. It would be good if the publication also triggered a further professional debate in which the following question can be raised: How can the increasing attention paid to C&B deliver not only effectiveness, but also efficiency for audits that currently still rely primarily on hard controls?  

Culture can be difficult to define, including individual belief systems and preferences of each employee — from line workers to the corner office. Culture captures the complexity of defining and then assessing intangible organization-wide qualities or aspects that comprise human belief systems, social norms, and other psychological factors. This practice guide will help internal auditors understand risks associated with an organization’s culture, how effective management of those risks supports a successful control environment, and how to approach an assessment of culture. This guidance will enable internal auditors to: Understand the business significance of culture and conduct risk in an organization’s control environment. Identify the key components of culture and conduct risk. Understand key stakeholder concerns and expectations related to culture and conduct risk. Recognize internal audit’s role in assessing and reporting on organizational culture. Understand, based on example tools/guidance, possible approaches to assess and report on an organization’s culture and management of conduct risk. The eBook Practice Guide: Auditing Culture costs $25.00

The IIA’s new report, Global Perspectives and Insights: Talent Management, explores the evolving challenges organizations are facing when trying to recruit and retain top internal audit talent. It discusses factors like the expanded ground internal audit is charged with covering as well as issues that compound the situation, like technology advancements and tech-based risks. If you are an internal audit candidate with a background in IT, data analytics, or related tech-based specialties, congratulations. You are the unicorn audit leaders across the globe will be bidding on just for the privilege of basking in the breadth of your knowledge. Life is good, and you will soon have the bank account you have always dreamed about.  One person’s dream, however, is another person’s nightmare. In today’s talent market, audit leaders are losing sleep over how best to maintain functions capable of fulfilling an expanding list of obligations company stakeholders expect of them. As the business risk landscape continues to shift at an ever-increasing rate — driven by emerging technologies, macroeconomics, geopolitics, and more — internal audit functions are tasked with somehow navigating a talent market that is spread thin and demands financial compensation far beyond what some audit functions can offer.  However, no challenge is insurmountable, and this multi-faceted one can be resolved with a comprehensive talent management strategy that spans the entire lifecycle of talent, from recruitment to development to long-term retention. What is needed is an understanding of the factors that have created such a volatile environment for talent, and an informed evaluation of what a talent management strategy should entail.   

The European Confederation of Institutes of Internal Auditing (ECIIA) released a report on Auditing Cybersecurity within Insurance firms. Internal Audit plays a vital role in the provision of assurance regarding the efficiency and effectiveness of the key cybersecurity processes and controls in insurance and reinsurance undertakings. Key stakeholders such as Management and the Board rely on the work of Internal Audit in regard to cyber-related risks. This position paper aims to set out the view from the ECIIA Insurance Committee and intends to provide guidance to Chief Audit Executives (CAEs) in the Insurance sector in regard to the audit of cybersecurity. Cyber risk is important, in light of the recent increase of cyberattacks and the new European Regulations: General Data Protection Regulation and the Network and Information Systems Directive in 2018. The need for effective IT Cybersecurity controls has been highlighted by the European Insurance and Occupational Pensions Authority (EIOPA), saying that cyber risk is becoming a growing concern for institutions, individuals and also financial markets and is now at the top position of the list of global risks for businesses. The Solvency II Directive encourages Own Risk Self-Assessment and the use of risk categories based on the specific characteristics of the undertakings and not just the Solvency II standard classification The paper does not aim to provide a one size fits all solution for auditing Cybersecurity risks, but it provides a framework from which internal audit departments may build a multi-year long term approach to auditing cyber risks.

Public sector organizations are expected to serve the public good, uphold the principles of ethical governance, and comply with myriad laws and regulations. Yet the nature of politics may put pressure on, or conflict with, ethical governance principles. Based on professional guidance from the International Standards for the Professional Practice of Internal Auditing and practical insights from global internal audit professionals, the guide advises CAEs and internal auditors about planning and performing internal audit engagements while properly managing the opposing forces of political pressures and ethical principles. This guidance will enable internal auditors to: Understand the definition of public sector and the types of public sector organizations. Recognize public sector governance roles and how they may affect internal audit principles such as organizational independence and unrestricted access. Incorporate additional standards and requirements specific to the public sector. Assess the organization’s commitment to ethical governance principles. Identify the types of engagements performed in the public sector and how to plan them. The eBook Practice Guide: Unique Aspects of Internal Auditing in the Public Sector $25.00