Vaktechnische Publicaties

Big data is a popular term used to describe the exponential growth and availability of data created by people, applications, and smart machines. The term is also used to describe large, complex data sets that are beyond the capabilities of traditional data processing applications. The proliferation of structured and unstructured data, combined with technical advances in storage, processing power, and analytic tools, has enabled big data to become a competitive advantage for leading organizations that use it to gain insights into business opportunities and drive business strategies. However, the challenges and risks associated with big data must also be considered. Increased demand, immature frameworks, and emerging risks and opportunities that are not widely understood or systematically managed by organizations have created a need for more guidance in this area. Internal auditors, in particular, must develop new skill sets and obtain knowledge of big data principles to effectively provide assurance that risks are addressed and benefits are realized. Risks associated with big data include poor data quality, inadequate technology, insufficient security, and immature data governance practices. Internal auditors working with big data should engage with the organization’s chief information officer (CIO) and other key leaders to better understand the risks in terms of data collection, storage, analysis, security, and privacy. This guidance provides an overview of big data: its value, components, strategies, implementation considerations, data governance, consumption, and reporting, as well as some of the risks and challenges these may present. This guide also explains internal auditors’ roles and responsibilities when performing assurance or advisory procedures related to big data efforts.

The internal audit department is an essential part of a successful organization, and the chief audit executive (CAE) has a critical role in leading that function. As internal audit becomes more visible and more essential to an organization, so does the demand for effective CAEs—audit leaders who drive high-performing teams and deliver value by consistently addressing stakeholder needs, top-down risks, and the expectations of an evolving marketplace. Boards and executive management expect CAEs to bring innovation, strategic thinking, leadership, and expertise to the internal audit function—inspiring strong and effective internal audit departments. However, while CAEs are expected to have all of these qualities, there may be room for improvement. What advice does senior leadership have for their CAE to help them improve, continue to grow, and better serve the organization and its stakeholders? The results of the 2015 Global Internal Audit Common Body of Knowledge (CBOK) Stakeholder Study—specifically, the results from the questions asked of executives and board members who work closely with internal auditors—reveal four key messages for the CAE on how they can perform better in their roles, lead high-performing internal audit teams, and positively impact their organizations. The points of advice from stakeholders to CAEs:  Exhibit strong business acumen, including knowledge of the industry, the ability to understand business strategy, and the insight to understand and assess risks. Demonstrate leadership skills, technical competence, innovation, and relational competence with audit staff and stakeholders. Manage competing priorities, demands, and conflicts within the organization, including communication with all areas of the organization with objectivity and integrity. Seek to influence the culture of the organization. Modeling right behavior and thinking, inspiring discussion, and acting as a change agent is crucial to helping improve organizational culture.

Pulse of internal audit In last year’s Pulse of Internal Audit report, The IIA challenged internal auditors to “move out of their comfort zone” beyond annual planning and typical audit areas to audit at the speed of risk. Today, with increasing pressure on organizational governance and additional burdens placed on audit committees and boards, it is critical that chief audit executives (CAEs) lead with courage and take actions that could instill: Internal auditor’s self-confidence. Management and the board’s confidence in internal audit. Stakeholders’ confidence in the organization.  Improving the effectiveness of risk management is a defining characteristic of internal auditing, yet even experienced CAEs may overlook some risks. This report looks at four areas where internal audit should take a closer look — both for the organization as a whole and for the internal audit function in particular. Not all risks are new or emerging. In fact, many critical risks have been around for a long time and perhaps have fallen just below or somehow dropped off the radar. CAEs need to have the courage to revisit these areas while ensuring their audit coverage aligns with what is important and top-of-mind to key stakeholders. In this report, we address two such areas: Company communications not traditionally subject to independent assurance (e.g., analyst presentations, sustainability reporting, some operational reporting). Environmental, health and safety risks. According to The IIA’s International Professional Practices Framework, internal audit’s mission is to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight. To do this effectively, leaders must have the courage to look inward with the same objective, professional skepticism used when assessing others. This report covers two areas where internal audit leaders have identified ongoing challenges: Internal audit’s use of data analytics. Interpersonal dynamics between internal audit and others in the organization. Using survey results, this report shows how CAEs in North America are currently looking at these areas, and where there are reasons for concern. The report also provides insights on how CAEs can instill confidence by “evaluating and improving the effectiveness of risk management, internal control, and governance processes.”2

In this white paper, we will look at how auditors can assess, respond to and analyze the risks they encounter during a risk-based audit.

As cyberattacks grow in frequency, severity, and complexity, cybersecurity professionals are urging organizations to move beyond a defensive and reactive approach to a more proactive approach, allowing for the prediction and anticipation of cybersecurity threats. Recognizing this emerging trend, the Institute of Internal Auditors’ Audit Executive Center (AEC), in collaboration with the Internal Audit Foundation, elected to supplement recent research by conducting a Quick Poll survey of chief audit executives (CAEs) to ask specific questions about their organizations’ use of security operations centers (SOCs) as part of their cybersecurity strategies. Responses were received from 130 CAEs, representing organizations of various size from many industries. In addition to providing insights into specific SOC policies and practices, the AEC Quick Poll survey results also suggest that some conclusions can be drawn about CAEs’ general levels of involvement in monitoring and reviewing their SOC operations. In order to assure complete anonymity, the survey respondents were not asked to provide identifying or qualifying information about their organizations. Using the survey findings as a starting point, researchers from Crowe Horwath conducted a series of follow-up interviews with information security executives in various organizational structures and geographic locations, and with various sensitivities to cybersecurity threats. The objective was to gather first-hand examples of current best practices. To protect the companies’ identities, the interview responses were normalized intom three general types of organizations: 1) large companies with global operations, 2) large companies with national operations, and 3) medium-size companies with regional operations. The responses were summarized along those lines in this report. The research team also interviewed representatives of a number of leading vendors that offer cybersecurity intelligence solutions and services. In addition to offering a summary of that research, this report is intended to help cybersecurity professionals, CAEs, and other stakeholders to explore broader issues and to answer two questions: 1) How can organizations move beyond merely reacting and responding to cybersecurity incidents and instead start to identify, anticipate, and actively defend against known and emerging threats? 2) What role can CAEs play in encouraging and facilitating this shift from a reactive to a proactive stance? By addressing—and ultimately answering—these questions, organizations can take the critical first steps to advancing their cybersecurity initiatives regardless of whether they are first establishing a SOC, or advancing further and establishing a fully functioning security intelligence center (SIC).