Vaktechnische Publicaties

In 2016, IFACI , IIA Italy and IIA Spain published ‘Hot Topics for Internal Audit 2017’. Tis year, a wider group of European Institutes of Internal Auditors have taken a more ambitious approach, interviewing Chief Audit Executives (CAEs) from major organisations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK – to home in on key themes requiring the atention of internal audit to mitigate risk and protect and add value in their organisations.

Planning is part of internal auditing’s systematic, disciplined, and risk-based approach and is mandated by the International Standards for the Professional Practice of Internal Auditing. Planning internal audit engagements involves considering the strategies and objectives of the area or process under review, prioritizing the risks relevant to the engagement, determining the engagement objectives and scope, and documenting the approach. This practice guide contains the engagement planning steps necessary to fulfill Standard 2200 – Engagement Planning through Standard 2220 – Engagement Scope and related assurance (.A) and consulting (.C) implementation standards. The exact order and details of planning an engagement, including establishing the objectives and scope, may vary according to the needs of the individual organization, internal audit activity, and engagement. However, the following planning steps are generally included: Understand the context and purpose of the engagement. Gather information to understand the area or process under review. Conduct a preliminary assessment of relevant risks. Form engagement objectives. Establish engagement scope. Allocate appropriate and sufficient resources. Document the plan. To plan the engagement effectively, internal auditors should start by understanding the context and purpose of the engagement, why it was included in the annual internal audit plan, and how the organization’s mission, vision, strategic objectives, and other elements align with those of the area or process under review. Internal auditors also consider whether the engagement is a request for assurance or consulting services, as stakeholder expectations and Standards requirements differ depending on the type of engagement. Next, internal auditors gather information about the area or process under review to determine the engagement objectives, scope, and plan. Internal auditors may examine documentation from prior assurance engagements, review applicable policies and procedures, and interview relevant stakeholders to understand and map the process flow and controls in the area or process under review. Conducting a preliminary assessment of the identified risks helps internal auditors prioritize the risks to be evaluated further during the engagement. Utilizing process maps and brainstorming potential risk scenarios are two techniques that help internal auditors identify risks and controls relevant to the area or process under review. This practice guide explains how internal auditors Practice Guide / Engagement Planning: Establishing Objectives and Scope can use a risk and control matrix and heat map to prioritize the risks, then use the results to form the engagement objectives and scope, in conformance with the Standards. In addition, this guide explores how to allocate resources and document the process of planning and establishing the engagement objectives and scope. 

In keeping with its overall mission, the COSO Board commissioned and published in 2004 Enterprise Risk Management—Integrated Framework. Over the past decade, that publication has gained broad acceptance by organizations in their efforts to manage risk. However, also through that period, the complexity of risk has changed, new risks have emerged, and both boards and executives have enhanced their awareness and oversight of enterprise risk management while asking for improved risk reporting. This update to the 2004 publication addresses the evolution of enterprise risk management and the need for organizations to improve their approach to managing risk to meet the demands of an evolving business environment. The updated document, now titled Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of considering risk in both the strategy-setting process and in driving performance. The first part of the updated publication offers a perspective on current and evolving concepts and applications of enterprise risk management. The second part, the Framework, is organized into five easy-to-understand components that accommodate different viewpoints and operating structures, and enhance strategies and decision-making. 

IT Internal Audit (ITIA) is coming under increasing pressure to measure the management and mitigation of technology risks that are proliferating. Resources are stretched and demands are ever increasing. As technology risks multiply, ITIA is being asked to do more. For some, budgets are rising, but not for all. IA professionals are rising to the challenge, but nonetheless this latest survey of the market shows there are significant gaps in resources and capabilities. To bridge the gap, ITIA must redouble its efforts to enhance the skills of existing personnel, to partner with third parties and to hire talented professionals where necessary. It is becoming critical to present a forward-looking and compelling business case for more resources, where needed, to the Board, Audit Committee and senior management. The findings in this report are based on a survey of 250 ITIA professionals around the world and the Netherlands. Insights are also included from KPMG’s 2016 IT Internal Audit conference. It is the third report of its kind (the previous ones were published in 2009 and 2013). We would like to thank all of the respondents who participated in the survey, including many of our member firms’ clients. We hope that you will find it a valuable and insightful assessment of the state of ITIA globally and in the Netherlands providing you with information that broadens your understanding of the critical contribution ITIA can make to the business. At a time when demands placed on ITIA are steadily growing, we expect this report will stimulate your thinking and provide fresh perspectives.

As governance and monitoring functions collaborate more closely to avoid duplication of effort, internal audit may be asked to take on responsibilities for risk management, compliance, regulatory oversight, and other governance activities. The chief audit executive (CAE) plays a critical role in navigating between internal audit’s traditional role and assuming responsibilities for risk management, compliance, and other governance functions. The CAE should be held accountable for preserving independence and objectivity, communicating with management and the board, and confirming management’s acceptance of risk to internal audit’s independence and/or auditor objectivity. To navigate through these competing challenges, internal auditors can look to The IIA’s guidance on effective risk management and control, and promulgated standards related to independence and objectivity.