Vaktechnische Publicaties

Fraud and Emerging Tech: Identity and Authentication with the Paycheck Protection Program During the pandemic, the US government provided economic relief to many organizations and their employees through the Paycheck Protection Program (PPP), which helped businesses continue to compensate their staff. The program dispensed more than $800 billion with few requirements to ensure recipients were entitled to those funds. This Fraud and Emerging Tech publication, written by The IIA's David Petrisky and produced in partnership with the Anti-Fraud Collaboration of which The IIA is a member, uncovers which controls and technology should have been implemented to mitigate the risk of fraud.

Covid, ‘me too’, ESG zijn ontwikkelingen die vragen om (nog) meer aandacht voor cultuur, van het bestuur én van de auditor. Cultuur is veelomvattend, dynamisch en complex en leent zich niet voor één blauwdruk van hoe de organisatiecultuur eruit zou moeten zien. Het ontbreken van een dergelijke norm én de ‘’zachtheid’’, oftewel de moeilijke meetbaarheid van het begrip, maken het voor de internal auditor een uitdaging om cultuur mee te nemen in de werkzaamheden. Tegelijkertijd kan de internal auditor, als relatieve buitenstaander, bestuurders onafhankelijk informeren, ook over de mate waarin houding en gedrag ondersteunend zijn aan de strategie.  Het rapport ‘Cultiveer een gezonde cultuur’, een samenwerking tussen IIA Nederland en KPMG biedt een groot aantal handvatten om te reflecteren op je eigen ambitie en aanpak als internal auditor, en waar nodig bij te dragen aan de doorontwikkeling van cultuuraudits. Centraal in het rapport staat de vraag hoe internal auditors op dit moment cultuur en gedrag meenemen in hun audits, gegeven de hiervoor geschetste ontwikkelingen.  Het rapport is tot stand gekomen middels een combinatie van kwalitatieve en kwantitatieve onderzoekstechnieken. Er is gebruik gemaakt van een enquête, groepsinterview en verdiepende gesprekken.    

This final installment of The IIA’s Global Knowledge Brief series on GRC addresses how GRC systems are evolving from the incorporation of new technologies as well as what inherent risks are involved in embracing digital transformation. This brief also addresses where internal audit fits into this conversation and how it might best aid organizations as they continue this critical journey. You can find part 1 here. You can find part 2 here.  This is for members only. To access it and other valuable resources, become a member today.

De nieuwste handreiking van IIA Nederland ‘’Tekstanalyse, gewoon doen!’’ beschrijft de belangrijkste mogelijkheden en aandachtspunten in het toepassen van tekstanalyse in audits. Tekstanalyse is een verzameling geautomatiseerde technieken die leidt tot het extraheren van nieuwe informatie en bruikbare inzichten uit tekstuele gegevens. Ook in de auditpraktijk zijn er allerhande vraagstukken waarvoor tekstanalyse een toegevoegde waarde is.  Begin 2022 is er een enquête uitgestuurd onder de leden van het IIA als opmaat naar deze handreiking. Hieruit bleek dat zij zowel kansen als uitdagingen voorzien bij het gebruik van tekstanalyse. Deze handreiking van de Commissie Professional Practices van het IIA, helpt auditors daarbij.

The market context in which insurance companies operate is fundamentally changing. The use of data and Artificial Intelligence (AI) algorithms is growing significantly and is expected to be a key currency of future success. With the huge quantities of data created across the insurance value chain, AI provides tremendous opportunities for further automation of processes, development of new, more customer-centric products and the assessment of insurance risks. With these new possibilities, processes are becoming more complex and risks need to be handled. AI algorithms may have a direct impact on people and therefore ethical and privacy questions arise, which in turn brings regulators and industry bodies to the discussion to avoid adverse effects, without stifling the innovation and potential of AI. Insurance companies must achieve the right balance between improving their operations with the new solutions which AI will make possible and managing the corresponding risks. This requires rigorous risk assessment and management of the development, implementation and use of AI. The importance is reflected by various legislation currently under development across the world, including the European Union’s AI Act, which includes penalties of up to 6% of total worldwide annual turnover. With these regulatory requirements and the potential reputational implications, AI risk management cannot be completely diversified or assessed proportionally. No matter the size of the insurance company, it can be catastrophic for reputation and business if customers are harmed by AI. That’s why Internal Audit should play a role in providing assurance and advice on mitigating risks arising from implementing AI. The Internal Audit function can, according to its mandate, help organizations with the balancing act between risk mitigation and business innovation. This could include developing strategies for assurance to govern AI, data privacy and security, reviewing processes for potential bias and ensuring compliance with relevant laws and regulations. In addition, internal auditors can provide insights and advice for companies in understanding and mitigating the risks associated with AI adoption and use. Internal Audit should be involved from the start of new AI implementations to provide advice on how to implement AI securely, according to policies and regulation. Following a top down approach is wise, starting with auditing the AI strategy, governance and test individual instances, algorithms and models, starting with high risk AI. This will ensure that the development is being conducted in an efficient and effective manner and that controls are in place tailored to the risks related to the specific AI implementation. Internal Audit should not only provide assurance over the process of developing AI, but also perform risk-based deep dives to ensure AI implementation is compliant and working effectively. Auditing AI includes technical aspects, data governance and quality, ethical themes and business application. Therefore, a multidisciplinary audit team should be formed. The team should have representatives from IT audit, data science, business audit and specific technical expertise such as actuaries, as well as ethics, to ensure each aspect is thoroughly assessed. Hence, Internal Audit departments should upskill their staff where needed, to stay ahead of key new developments, and be able to independently assess the risks, plan and execute audits as required. Our research has shown that most Internal Audit departments are at an early state of establishing the required skills and processes, and often not keeping up with the rapid development in use of AI in the Insurance industry. For these reasons, this paper contains a proposal of an AI Audit Program, where the most important AI related risks, possible root causes and testing strategies are identified.

Management guru Peter Drucker once said, “[only] what gets measured, gets managed.” So, how are organizations quantifying non-financial risk? Internal audit can play a key role in helping organizations develop strategies that tackle this issue.  This Global Knowledge Brief, the second in a three-part series on governance, risk, and control (GRC), examines the challenges of quantifying non-financial risks and how companies are addressing them, as well as the important role that internal audit can play in advancing understanding in this area.  You can find part 1 here. You can find part 3 here.  This is for members only. To access it and other valuable resources, become a member today.

This new report, “Building a Best-In-Class Whistleblower Hotline Program,” by The IIA and ACFE identifies key elements of a best-in-class whistleblower hotline program, especially as it pertains to fraud detection. The report includes practical, data-driven guidance on how internal audit leaders, anti-fraud professionals, and others can most effectively manage and support these programs within their organizations.  The report: Provides benchmarking data for hotline programs at organizations around the world. Evaluates the factors that contribute to the effectiveness of whistleblower hotline programs. Explores the reasons organizations do not have a hotline program, as well as regional differences in hotline programs. Infographic: The ACFE and The IIA collaborated on a study to identify key elements of a best-in-class whistleblower hotline program, especially as it pertains to fraud detection. How does your Whistleblower Program Measure Up? Less than half (44%) of organizations train managers and supervisors on how to avoid, recognize, and respond to potential retaliation against whistleblowers.  Download the infographic now for key study findings.

The Fraud Risk Management Guide: 2nd Edition offers a blueprint for helping organizations establish an overall Fraud Risk Management Program. An update to the original version released in 2016, the 2nd Edition addresses more recent anti-fraud developments, revises terminology, and adds important information related to technology developments - specifically data analytics. It is intended to give organizations of all sizes across all industries the information necessary to design a plan specific to the risks for that entity. There is no “one size fits all approach” to managing fraud risk. But with the right approach, an organization can create a custom-fitted program tailored to its specific needs.????  

This Global Perspectives & Insights examines fraud threats and opportunities in the current risk landscape, from lingering challenges associated with the waning COVID-19 pandemic to threats associated with the cryptosphere to developing new partners in the battle against fraud.  Part 1: Fraud in the Cryptosphere Part 2: Internal Auditors and Fraud Examiners: A Valuable Partnership Part 3: The Hangover: Fraud in the Post-COVID Era

This GTAG helps internal auditors understand insider threats and related risks by providing an overview of common dangers, key risks, and potential impacts. Additionally, the guide defines key terms in the insider threat universe, and presents security frameworks, techniques, considerations, and resources that can help during the planning and execution of audit engagements. By becoming aware of insider threats and the associated risks and by learning about insider threat programs, internal auditors have a tremendous opportunity to add value by helping their organizations strengthen governance, risk management, and control processes. Topics include: How to better understand insider threats and guidance for practical audit considerations. Ways to assess and prioritize insider threats in audit planning. How to increase collaboration with management. Ways to champion the communication of insider threats to management and the board. You can find part 2 here. You can find part 3 here.  This is for members only. To access it and other valuable resources, become a member today.

For the better part of two years, COVID-19 caused disruptions across the board, ranging from the way that people worked, where they worked, how their organizations dealt with suppliers and supply chain issues, and how they handled significant concerns, such as maintaining internal controls and detecting and preventing fraud Today, the world breathes easier as the worst of the pandemic slowly fades into history, but even still, one should not assume that the risks associated with COVID-19 are no longer a concern. Indeed, organizations that make that assumption could be making a grave mistake. This Global Knowledge Brief, the third in a three-part fraud series from The Institute of Internal Auditors (IIA), examines various pandemic-related fraud factors identified in the 2022 ACFE Report to the Nations, how they may impact organizations, and internal audit’s role in organizational efforts to mitigate those fraud risk factors.  You can find part 1 here. You can find part 2 here. This is for members only. To access it and other valuable resources, become a member today.

A premier source of data for internal audit leaders, the 2023 North American Pulse of Internal Audit report provides insights about internal audit budgets, staff, audit plans, risks, and more. This year’s report also features all-new data about audit frequency for key risk areas. Internal audit leaders can use this benchmarking report year-round as they plan and manage their internal audit activities. Learn about how internal audit functions are faring and continuing to evolve in key areas: Around 7 in 10 Pulse respondents say they audit high-risk areas such as cybersecurity and IT annually or continuously. Respondents reported that some areas are audited regularly, but not every year, particularly third-party relationships, ERM, and governance and culture. More than 8 in 10 respondents integrate fraud and IT considerations in audits generally. What’s more between 61% and 66% integrate cybersecurity, governance and culture, and third-part relationships into audits generally. The data reflect how audit leaders are effectively addressing critical risk areas even when they cannot dedicate a significant percentage of audit plans to them. On the staffing side, the post-COVID 19 recovery is showing steady improvements and appears to be on track to match the three-year recovery after the 2008 global financial crisis. The IIA produces the Pulse of Internal Audit report to provide internal audit leaders with a benchmarking tool that they can reference throughout the year as they plan and manage their internal audit functions. The Pulse report is designed to share with peers, audit committees, and executive management. 

Fraud is a serious and pervasive risk for organizations. The consequences can range from disruptive to dire, including financial losses; inefficiencies that damage operations, revenues, or profits; the cancellation of projects; and potentially the failure of the organization. This Global Knowledge Brief, the second in a three-part series on fraud, examines the benefits of building a symbiotic relationship between internal auditors and Certified Fraud Examiners in the battle to detect and deter fraud. You can find part 1 here. You can find part 3 here. This is for members only. To access it and other valuable resources, become a member today.

This guidance fills a gap in the GTAG series by covering objectives, risks, and controls related to an organization’s communications ecosystem. By offering references to controls in widely used frameworks, this GTAG can improve an internal auditor’s familiarity with and use of such tools in their work. “Auditing Network and Communications Management” offers a broad set of related processes that internal auditors should consider when auditing controls over an organization’s communications ecosystem. This is for members only. To access it and other valuable resources, become a member today.

The future demands internal audit services that are timely, relevant, and impactful. This requires standards that are insightful, prescient, clear and direct. To meet that demand, The IIA will release a public comment draft that dramatically changes how the Standards and other elements of the IPPF are presented and explained.  This SPECIAL EDITION of Global Perspectives & Insights provides an overview of the proposed new Global Internal Audit Standards, background on how they were developed, and considerations for how the updated Standards can be applied. It also examines how conformance to the updated Standards will help future generations of internal auditors meet and exceed the demands of our stakeholders and add value to their organizations.