To stay relevant in today’s business environment, internal audit functions must maintain an innovative mindset, update existing audit methods, and use evolving technologies such as governance, risk, and control (GRC) to improve collaboration.
This report shares how GRC software can support risk management and internal audit, and explores practical applications of GRC from a value perspective across The IIA’s Three Lines Model.
This report includes:
- GRC Technology: Today and Tomorrow
- Emerging GRC Technology Use Cases
- Moving to an Integrated Architecture
- Maintaining Independence
It also explores the importance of zero-code and low-code applications, and demonstrates ways assurance functions can harness future value.
Conversations and focus on sustainability, typically grouped into environmental, social and governance (ESG) issues, are quickly evolving — from activist investor groups and inquisitive regulators pushing for change to governing bodies and C-suite executives struggling to understand and embrace the concept. At the forefront of this new risk area is pressure for organizations to make public commitments to sustainability and provide routine updates to ESG-related strategies, goals, and metrics that are accurate and relevant. However, ESG reporting is still immature, and there is not a lot of definitive guidance for organizations in this space. For example, there is no single standard for what should be reported.
What is clear is that strong governance over ESG — as with effective governance overall — requires alignment among the principal players as outlined in The IIA Three Lines Model. As with any risk area, internal audit should be well-positioned to support the governing body and management with objective assurance, insights, and advice on ESG matters.
The following provides an overview of risks related to ESG reporting along with context on the growing sustainability movement. It also outlines internal audit’s role in ESG reporting and how internal audit can support ESG objectives and add value.
A Guide to Understanding, Aligning, and Optimizing Risk offers an eye-opening and in-depth examination of the top 12 risks for 2022, along with six key observations from the boardroom, C-suite, and internal audit.
This unique report again captures the views of key risk management players and identifies troubling misalignment on perceptions of what risks matter most.
The report not only digs deeper during these unprecedented times but also exposes new twists on risks brought about by the COVID-19 pandemic and expanding reliance on technology. Additionally, it provides actionable guidance on how to bring all parties’ perceptions of 12 critical risks facing organizations into closer alignment.
Practice Guide – Recommended Guidance from IIA Global
Regardless of the geographic location, industry, or type of organization or program, opportunities for corruption present significant risks. Approximately six billion people around the world live in a country with a serious corruption problem. Worldwide, corruption puts businesses and governments at risk and affects organizations, private individuals, and public officials.
This newly updated practice guide discusses the role of internal audit in anti-corruption efforts and describes an effective anti-corruption program, including controls related to preventing, detecting, responding to, and recovering from the risks associated with corruption in many of its forms.
The guide provides an approach to assessing the maturity of an organization in terms of management’s assessment of and measures implemented to mitigate the risks of corruption, and offers a closer look at the internal audit activities and procedures that may be performed as a function of that level of maturity.
After reading this practice guide, internal auditors will be able to identify:
- The elements an organization needs to fight corruption.
- Risks and controls related to preventing, detecting, responding to, and recovering from corruption.
- The roles of the internal audit activity and others in the organization’s anti-corruption program.
- New approaches to assessing anti-corruption programs.
While the coronavirus pandemic continues to disrupt the corporate landscape in the present, the new edition of the ECIIA Risk in Focus report highlights climate change as the rising risk of the future.
The Risk in Focus 2022 report tracks the risks facing organisations year-on-year as ranked by more than 700 Chief Audit Executives (CAEs) representing a range of organisations including leading businesses, public sector organisations, and NGOs from across Europe.
The ECIIA has run its Risk in Focus research project for the last five years to help Chief Audit Executives understand how their peers view today’s risk landscape and assist in developing their forthcoming audit plans. The Risk in Focus 2022 research was conducted in March and April of 2021. Data was collected through a quantitative survey among CAE members of 12 Institutes of Internal Auditors in Austria, Belgium, France, Germany, Greece, Italy, Luxembourg, the Netherlands, Spain, Sweden, Switzerland, and the UK & Ireland. The survey elicited 738 responses. Further insight was gathered through 50 interviews with a sample of 35 Chief Audit Executives, 12 Audit Committee Chairs, and 3 CEOs from across the above-listed countries.
Artificial intelligence (AI) has transformed and will continue to transform business strategies, solutions, and operations. AI-related risks need to be top of mind and a key priority for organizations to adopt and scale AI applications and to fully realize the potential of AI. Applying enterprise risk management (ERM) principles to AI initiatives can help organizations provide integrated governance of AI, manage risks, and drive performance to maximize achievement of strategic goals.
The COSO ERM Framework, with its five components and twenty principles, provides an overarching and comprehensive framework that can align risk management with AI strategy and performance to help realize AI’s potential.
CHALLENGES AND TOOLS FOR INTERNAL AUDIT
Climate Change and Environmental (CCE) Risk is a very relevant and important subject for most organisations. The following survey results offer tools to make it easier for Internal Audit Functions to perform audits on this subject.
The results provide insight into the (possible) impact of the risks and what organisations are currently doing to prepare. The key question was what role internal audit plays in this, and what the possibilities are to identify, limit and/or control the opportunities and threats of climate change.
The survey was conducted among 63 heads of internal audit functions in the Netherlands. A literature study was also performed, and interviews were conducted with 8 internal functions that already have experience with audits on climate change and environmental risk. These case studies produced additional concrete tools in the form of good practices.
Challenges, Risks, Fraud, Technology, and Staff Morale
This new Global Perspectives and Insights report outlines the benefits of remote auditing, as well as the abilities auditors will need to successfully do their jobs in the post-pandemic environment. The top essential aptitudes include emotional intelligence, communications skills, business acumen, flexibility, agility, and imagination and curiosity.
Recommended Guidance from IIA: Global Technology Audit Guide (GTAG)
Identity and access management covers the policies, processes, and tools for ensuring users have appropriate access to IT resources.
The “Auditing Identity and Access Management” GTAG will help internal auditors understand key terms and how to approach an audit to ensure their organization’s IAM protocols help mitigate potential security and regulatory risks. This knowledge will help internal auditors provide assurance that controls for managing access to IT resources are well designed and effectively implemented.
This guidance will enable internal auditors to understand:
- IAM and develop a working knowledge of relevant processes, including related governance and security controls.
- Risks and opportunities associated with IAM.
- Components of the IAM process, including provisioning IDs, administering and authorizing access rights, and maintaining enforcement through authentication, reauthorization reviews, and automated account deactivation processes.
- Some of the considerations and strategies for implementing IAM controls.
- The basics of auditing IAM, including specific controls that should be evaluated.
The objective of the Guidelines
Any enterprise, whether it operates in the private or public sector, will need to tackle frequent changes in the framework conditions in which it operates. These changes take place with increasing frequency, and enterprises are faced with the challenge of crises, disasters, business scandals and global pandemics. Systematic, efficient, and effective governance is critical to an enterprise’s ability to achieve its goals, and these Guidelines identify components which are key to an enterprise’s good management, survival, and success over time. For each component a suggested practical approach to successful treatment is described. The thinking behind the components is that they contribute to the creation and maintenance of a robust and durable enterprise with the ability to adapt itself to meet various and changing framework conditions.
The Guidelines are not a tutorial, nor are they fashioned to address all the detailed requirements of a given industry and sector-specific laws and regulations. The components will address many of these requirements but not necessarily all of them. Users of these Guidelines must therefore adapt the various components to the detailed requirements of their own industry and sector, as well as to the enterprise’s size, complexity, culture etc. The Guidelines allow for flexibility in their use. Adherence to the components should be a goal, but some components can have limited relevance in certain situations and especially for smaller enterprises. As an enterprise grows in size and complexity, the need will grow for clarity of structure, objectives and planning processes as well as risk management and control. The suggested practical approach should assist in this development process.