Vaktechnische Publicaties

Beyond the Numbers: Internal Audit’s Role in Nonfinancial Reporting Internal auditors are familiar with annual reports — crisp recitations of organizational activities, a few words from the CEO, eye-catching graphics, pages of financial outcomes, and, for publicly traded companies, a long list of required disclosures relating a vast array of sometimes confusing and mind-numbing detail. The reports encompass everything the reader needs to know about the company, especially if that reader is contemplating investing in the organization. Right? Maybe not. Increasingly, investors and other stakeholders want more from company reporting. They want to know if the organization is operating sustainably, if it monitors its impacts on the environment, if it is mindful of social issues such as diversity and equal opportunity. When making decisions about supporting a company, stakeholders increasingly expect a more comprehensive report — one that goes beyond financial health. Many organizations also want stakeholders to have improved insight into activities they perform that benefit the greater public good or serve a public interest. Nonfinancial reporting fills the void by reporting quantitative and qualitative information that falls outside the scope of mainstream financial statements. Though not an exhaustive list, related terms include corporate social responsibility (CSR) reporting; sustainability reporting; integrated reporting; holistic reporting; enhanced reporting; service efforts and accomplishments reporting; and environmental, social, and governance (ESG) reporting.1 This is not a passing trend — the European Union has required nonfinancial reports for some 6,000 organizations across member countries;2 global frameworks and standardized approaches to nonfinancial reporting are gaining recognition;and globally, organizations are expected to increase spending on sustainability assurance by 20 percent over the next five years.3 In 2013, KPMG et al published the results of a survey on corporate reporting in 45 countries.4 It found 134 mandatory policies and 53 voluntary policies related to at least some aspects of nonfinancial reporting, among countries such as Australia, Brazil, China, France, India, Indonesia, Japan, Mexico, Singapore, and South Africa.

It can be a daunting task for internal auditors to grapple with how geopolitics impacts their organizations. After all, geopolitics includes broad and complex interrelated topics such as climate change, the outbreak of disease, political instability, economics, war, and conflict, all of which can present risks to the organization with little or no notice. Geopolitical risks cannot be considered in isolation; these risks are quite interrelated. This paper briefly describes the impact of economics, war, and conflict on one particular topic that has pervaded global business news headlines — the price of oil. The authors consider the impact of the price of oil on multiple industries. Finally, they explore the key considerations for internal audit in addressing geopolitical risks to the organization. 

The word ‘strategy’ can nowadays be found in almost every internal audit activity plan. But what does it actually mean? There are many different manners in which organizations and internal audit functions deal with organizational strategy. This discussion paper ‘Strategy-related auditing’ explores the role of Internal Audit Functions (IAFs) in the strategic management process of an organization. It is based on documentation and desk research, a questionnaire-based survey amongst Chief Audit Executives (CAEs), personal interviews with CAEs and board members (both executive and non-executive), and several round table discussions with CAEs (in charge of both large and small IAFs). The objective of this research was to assess the degree to which IAFs are currently considering organizational strategy and the organization’s strategic management process in their audit assignments and annual audit plans. Based on this discussion paper we encourage the profession to further explore the topic and for the Institute of Internal Auditors to provide more guidance. Our exploratory research reveals that there is a wide variety in how IAFs deal with strategic risks and organizational strategy. We found nine appearances of strategy-related auditing during our research. These can be divided into two distinct categories: strategic risk audits and strategy process audits. Strategic risk audits focus on risks that are the result of pursuing certain strategically important organizational goals. Strategy process audits, on the other hand, assess formulation, implementation, evaluation and control of the strategic management process or (the content of) the formulated strategy itself. Four out of nine identified appearances we categorize as strategic risk audits, five we categorize as strategy process audits.

Mede naar aanleiding van fraude en corruptieschandalen die de media haalden, is de laatste decennia het belang van soft controls voor de governance en de interne beheersing van organisaties duidelijk geworden. Ontoereikende soft controls hebben een belangrijke impact op het realiseren van de ondernemingsdoelstellingen. Daarnaast stellen toezichthouders en regelgevers soft controls steeds dwingender aan de orde en voor een enkele branche, de financiële sector, heeft dit al tot wet- en regelgeving geleid. Verwacht kan worden dat een soortgelijke ontwikkeling zich ook in andere sectoren voordoet/ gaat voordoen. Organisaties zijn verantwoordelijk voor een adequate integratie van soft controls in het interne beheersingskader. Dit beheersingskader is een belangrijk object van onderzoek voor de Internal Auditor. Als een logische consequentie behoort Internal Audit de beoordeling van soft controls als een essentieel onderdeel van de governance en interne beheersing in haar audit planning en werkzaamheden op te nemen. Het Institute of Internal Auditors besteedt in de International Standard for the Professional Practice 2110 expliciet aandacht aan de bedrijfsethiek als onderdeel van de governance. Uit deze Standard blijkt dat de Internal Auditor, naast de hard controls, expliciet aandacht moet besteden aan de soft controls. Cruciaal is hierbij de vraag: “Hoe kan de audit op soft controls het beste worden ingevuld en welke aanknopingspunten heeft de Internal Auditor?” Een werkgroep van de IIA Commissie Professional Practices heeft dit nader onderzocht. Deze werkgroep bestond uit deelnemers uit diverse bedrijfstakken. De hoge response op de door de werkgroep uitgestuurde enquête geeft duidelijk aan dat het onderwerp in onze beroepsgroep leeft. Op basis van een literatuurstudie, de uitkomsten van de enquête en praktijkervaringen is deze handreiking opgesteld om tot een pragmatische aanpak voor een audit op soft controls te komen. Deze publicatie zal beslist niet het laatste woord zijn over dit onderwerp. De ambitie is, dat deze handreiking ook leidt tot verdere discussie en door de discussie bijdraagt aan de verdere ontwikkeling voor audits op soft controls. De Commissie Professional Practices bedankt de werkgroep soft controls, de geïnterviewden, de Internal Audit Functies die hebben gereageerd op de enquête en alle overige vakgenoten die hebben bijgedragen aan de totstandkoming van deze handreiking. Leen van der Plas, Commissie Professional Practices