Vaktechnische Publicaties

The objective of this position paper is to provide guidance to the audit departments of banking groups to assist in delivering consistent and adequate levels of assurance across the group, while considering both group and subsidiary regulatory requirements, with the intention of fostering consolidated supervision across the group. The primary principle outlined within this paper is that the group internal audit function is accountable for overseeing audit activity throughout the group. This view is aligned to that expressed in the Basel Committee’s guidance on internal audit (BCBS 223).

To manage risks effectively is an essential part of good corporate governance. An important role of each organisation is to identify all business risks and uncertainties which the organisation faces, quickly implementing risk mitigating measures and enhancing the system of internal controls. The internal audit function, as an essential part of the corporate governance framework, provides independent assurance that those risks have been properly managed. As the global business environment and its financial and regulatory requirements have become more complex, users of the audited processes have been calling for more pertinent information for their decision making. The rapidly evolving environment (e.g. digitalisation of services, sustainability, information technology) and a shortening life cycle of products requires organisations to embrace change. Agility and a short response time are critical to survival. This leads to new/enhanced risks which the organisation has to deal with and a new risk appetite. To be able to provide an assurance to senior management in a short time period, it is necessary to focus the audit plan on current and future risks and provide a risk-based approach for audit planning.

Internal control is an important cornerstone for banks’ long-term sound governance. It should be tailored to the business model, risks and organisational structure. As risks are more and more complex, there are several functions involved in the implementation and the evaluation of an internal control system. However, it is important to stress the distinctive contribution of internal audit functions. Indeed, as the third line of defence, reporting to senior management and the board, internal audit gives an overall assurance on internal control effectiveness including an independent review of risk and control functions as well as insights on efficiency.

Managing the Impact of Models Short of a crystal ball, there is no fool-proof way to predict outcomes in the financial services industry. However, models provide a powerful tool to empower organizations to make important decisions using information from a variety of sources. The IIA’s Practice Guide: Auditing Model Risk Management helps ensure that these models are working as effectively as possible for an organization. This practice guide* provides an overview of key areas related to model risk management including business significance, regulatory requirements and expectations, and model components. It is designed to help chief audit executives and their audit teams understand their roles in assessing model risk management and empower them to implement an audit plan coverage approach and program tailored to the size, scale, and risks facing their organization. *Under Review: This practice guide contains some outdated material and references. It remains available while a review is underway.  This is for members only. To access it and other valuable resources, become a member today.

Over the course of just a few years, cybersecurity has grown into one of the most significant risk management challenges facing virtually every type of organization. Is the internal audit function keeping pace with this rapidly changing area of risk? This report examines this question and, based on a survey of internal audit and cybersecurity professionals, offers some observations on how internal audit departments are adapting in order to address cybersecurity risks. A decade ago, the internal audit function evolved and adapted to the increasingly important role that information technology (IT) was playing in all aspects of business operations. Today, internal audit faces the need to adapt once again to address the critical risks associated with cybersecurity. Recognizing this need, the Internal Audit Foundation and Crowe Horwath, in collaboration with The Institute of Internal Auditors’ (IIA’s) Audit Executive Center, conducted a limited survey of IIA members in order to understand how internal audit has begun to adapt to this new risk landscape. This report offers a summary of key findings from that research and provides insights into some current internal audit and cybersecurity policies and practices. In addition, the report’s authors draw on industry experience and observation based on their working relationships with internal audit functions across a broad range of industries.