Audit Career Trends

Hot Risk Topics for Internal Audit 2018 in European Countries – Digital version

A wider group of European Institutes of Internal Auditors have taken an ambitious approach, interviewing Chief Audit Executives (CAEs) from major organizations in six European countries – France, Italy, the Netherlands, Spain, Switzerland and the UK – to home in on key themes requiring the attention of internal audit to mitigate risk and protect and add value in their organizations.

These Hot Topics were identified through in-depth, qualitative interviews with CAEs across a diverse range of critically important sectors – construction/infrastructure, financial services, IT, manufacturing, public sector, retail/ consumer, telecoms and utilities/energy – and from organizations that truly lead these industries. These topics are:

1.       GDPR and the Data Protection Challenge: The regulation foresees a strengthened role for security measures such as robust firewalls and encryption, and obliges companies (data controllers) to report any personal data breaches within 72 hours, even if it occurs at the third party (data processor) level. This will require enshrining data protection and governance measures into supplier contracts.

2.       Cybersecurity, a path to maturity: Organizations needs to view cybersecurity through a technical lens by investing in the latest security tools, and then seek assurance that these are working and controls and procedures are of a sufficiently high standard. However, while the behaviour of correctly configured and maintained software and technology is relatively predictable.

3.       Regulatory Complexity and Uncertainty: Assessing whether compliance functions are on top of the latest applicable regulations and that appropriate steps have been taken to ensure that the organization is compliant, and – where there is uncertainty or conflict with existing or other incoming rules – that dialogue with the relevant regulators has been established.

4.       Pace of Innovation: R&D and innovation projects should be audited to ensure they are effectively managed to mitigate project risk and, as they near commercial roll-out, delivery risk. All the while internal audit must strike a balance by not slowing or standing in the way of rapid innovation that will be crucial to the organization’s future success, but equally providing an assurance that projects deliver the promised benefits.

5.       Political Uncertainty, Brexit and other unknown: Given the unpredictability of Brexit, the future of the EU, the policy direction of the Trump administration and other political and geopolitical unknowns, it is difficult for internal audit and other assurance providers to give specific and detailed advice to their organization. Internal audit will be expected to provide an assurance that organizations are agile and responsive enough to swiftly adapt their operations to an uncertain, changing political landscape.

6.        Vendor Risk and Third Party Assurance: Internal audit can add value by reviewing the governance around procurement and contract management, checking that audit rights are written into supplier contracts, that suppliers have robust whistleblowing procedures in place and by working with the procurement function to ensure that due diligence processes are comprehensive and meet the risk mitigation needs of the organization.

7.       The Culture Conundrum: Internal audit has a critical role to play in assessing whether the existing culture and staff behaviour reflects the company’s stated ethos and values, whether it stands in the way of the organization achieving the transformation it seeks and how effective measures to reshape the culture are.

8.       Workforces – Planning for the future: Internal audit must be able to assess whether HR risk is being effectively managed and provide assurance that the organization’s workforce planning strategy is in line with its strategic vision. Where does the organization want to be five years from now and how do its recruitment and retention policies support that? IT, technology and digital skills are going to be in high demand for the foreseeable future, so internal audit should assess whether the organization is making efforts to reduce any IT skills gap that exists today and could widen in the coming years.

9.       Evolving the Internal audit function: With every audit, we’re constantly looking at whether the work we’re doing is going to be valuable to management a year down the track, or are we ticking a box and moving on? Are we really looking at what matters and then looking at it in a way that maintains audit’s relevance? Because you can look at the right topic area but if you’re looking at it in a static way when it’s a moving feast then people are going to start ignoring you.

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95.


Pulling fraud out of the shadows: Global Economic Crimes and Fraud Survey 2018

In PwC’s 2018 Global Economic Crime and Fraud Survey, only 49% of global organizations said they’d been a victim of fraud and economic crime. However, we know this number should be much higher. So, what about the other 51%?

Today, fighting fraud has moved front and centre to become a core business issue. Long gone are the days when it was viewed as an isolated incident of bad behaviour, a costly nuisance, or a mere compliance issue. That’s because the scale and impact of fraud has grown so significantly in today’s digitally enabled world. Indeed, it can almost be seen as a big business in its own right – one that is tech-enabled, innovative, opportunistic and pervasive. Think of it as the biggest competitor you didn’t know you had. This article sets out to plug that awareness gap. In it, we explore not only the visible fraud that companies say they are facing, but also the blind spots that stop them seeing the big picture – and what they can and should do about them.

There are four steps to fight fraud:

Recognize fraud when you see it:

Fraud risk assessments are the first step in preventing fraud before it takes root: Fraud risk assessments can help organizations do so by identifying the specific frauds they need to look for. Moreover, these assessments are increasingly looked on favourably by regulators in enforcement actions.

Conduct risk: the ‘hidden risk’ behind many internal frauds: It enables a company to better measure and manages compliance, ethics and risk management horizontally and embedded them in its strategic decision-making process. It also means fraud and ethical breaches can be approached more dispassionately, with less emotion, as a fact of life that every organization has to deal with. Moreover, adopting this more systemic – and realistic – stance towards conduct risk can enable cost efficiencies between ethics, fraud and anti-corruption compliance programs.

Looking for fraud in the right places: Survey revealed a significant increase in the share of economic crime committed by internal actors (from 46% in 2016 to 52% in 2018) and a dramatic increase in the proportion of those crimes attributed to senior management (from 16% in 2016 to 24% in 2018). Indeed, internal actors were a third more likely than external actors to be the perpetrators of the most disruptive frauds.

Take a dynamic approach: A chief executive is increasingly seen as the personal embodiment of an organization – with their finger on the pulse of every facet of its culture and operations at all times. So, when ethical or compliance breakdowns happen, these individuals are often held personally responsible – both by the public and, increasingly, by regulators. Whether merited or not, one thing is clear: the C-suite can no longer claim ignorance as an excuse.

Harness the protective power of the technology: Today, organizations have access to a wealth of innovative and sophisticated technologies with which to defend themselves against fraud, aimed at monitoring, analyzing, learning and predicting human behaviour. These include machine learning, predictive analytics and other artificial intelligence techniques.

Invest in people, not just machines: Confronted with the seeming intractability of dealing with fraud, many organizations decide to pour ever more resources into technology. Yet these investments invariably reach a point of diminishing returns, particularly in combating internal fraud. So, while technology is clearly a vital tool in the fight against fraud, it can only ever be part of the solution. This is because fraud is the result of a complex mix of conditions and human motivations. The most critical factor in a decision to commit fraud is ultimately human behaviour – and this offers the best opportunity for combating it. There is a powerful method for understanding and preventing the three principal drivers of internal fraud – the fraud triangle. The fraud triangle starts with an incentive (generally a pressure to perform from within the organization) followed by an opportunity, and finally a process of internal rationalization. Since all three of these drivers must be present for an act of fraud to occur, each of them should be addressed individually.

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95.

What are the requirements of an Internal Audit function for European listed companies?

The ECIIA previously conducted a review of the Corporate Governance Codes currently in place in its member bodies in order to determine the extent that internal audit is considered in the governance structure of listed companies under the typical “comply or explain” regulations.

The research revealed that approximately 90% of EU member countries require or recommend the presence of an internal audit function in listed companies  as per the below summary:

  1. 41% of the codes consider an internal audit function mandatory.
  2. 48% of the codes strongly recommend the presence of an internal audit function and;
  3. 11 % of the codes do not have a specific requirement or recommendation about internal audit

In addition, internal audit is generally compulsory within the financial institution’s , in relation to the Basel Committee and insurance regulatory requirements. At the same time, there is little regulation provided as to how to ensure that this function is effective mainly as regards to essential requisites such as independence and scope.

The ECIIA believes the following key principles below are applicable universally to all organizations regardless of sector or industry. The governing body of an organization is responsible for strategic risk oversight. The board and audit committee (or equivalent) should be required to, among other things, define a clear delegation and accountability for risk management and internal control through the “Three Lines of Defense” model. In this model, internal audit assumes responsibility for providing overall assurance to the governing bodies, consistent with existing financial sector regulation. On this basis, internal audit should be required for most organizations. Factors that need to be considered are the complexity of the organization and the need for the governing body to obtain systematic, continuous independent assurance, rather than the size of the company.

Internal audit must be properly structured in order to achieve the objective of global assurance. i.e.

  1. Organizational independence
  2. Exclusion of limitations to its scope of review
  3. Full and unrestricted access to any information and person necessary to achieve its objective
  4. The adoption of The IIA’s International Standards for the Professional Practice of Internal Auditing (the Standards), including internal and external quality assessment reviews
  5. In addition, regulatory references to ‘the auditor’ should be specific as to whether they are referring to the external audit or  internal auditing.

Different countries (approx 28) in Europe has enacted Internal audit through Corporate Governance codes, some of them are Finland (Finnish Corporate Governance Code 2010), France (Recommendations on Corporate Governance March 2011), Greece (Corporate Governance Codes and Principles – Greece December 2010) and so on with a motive that “ The board of directors should establish the corporate risk management policy as well as control and ensure the proper functioning of the company’s risk management and internal audit systems”.

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95.

The Importance of Internal Audit / Corporate Governance in digitization world.

During the last few years, the discussion about Corporate Governance has increased globally. This can be seen as a result of several scandals like Satyam Computers and prominent bankruptcies of corporate giant i.e. Lehman Brothers, CITI Bank & recently Punjab National Bank arising from non-compliances with rules and internal controls over the world, but mainly is in the US and in Europe.

The most common law to mitigate such non-compliance has been introduced namely the Sarbanes Oxley Act 2002 (SOX), which defines numerous requirement for those companies which are listed on the American Stock Exchange. With this background, the Management Board of the European Confederation of the Institute of Internal Auditing (ECIIA) has conducted a survey on the status of Corporate Governance in Europe with a specific view on Internal audit and drawn up the paper to give importance of Internal Audit for the following

  1. To give an overview of the most important regulation with respect to Corporate Governance,
  2. To summarize the common understanding of an up-to-date Internal Audit function and
  3. Finally to formulate proposals for an enhanced role of Internal Audit in the whole Corporate Governance in Europe

With the increased pace of digitization, the risk focus in Internal audit has changed a lot. In 2018 ECIIA have been interviewing Chief Audit Executives from major organization in European Countries to home in key themes requiring the attention of internal audit to mitigate risk and protect and add value to an organization. These themes are:

  1. General Data and Protection Regulation (GDPR): Data governance and management of data is not only related to security and privacy – it’s also related to the internal processes to really optimize, to own data, to be aware of which data are available and the way they are utilized and managed for commercial purposes.
  2. Cyber Security: The maturity level of the organization to mitigate and monitor the risk still requires attention from the board, the risk committees and senior management. Then there’s the maturity from a technical perspective, the teams and the skills is the focus of internal audit.
  3. Regulatory Complexity and Uncertainty: The ongoing pace, scale and complexity of regulatory change is something that our emerging risk team is having to air-traffic control and understand what the organization must focus on – whether it’s changing systems, processes or reporting required by regulators and our ability to land that change at the appropriate times
  4. And lastly, the pace of innovation: The digital world is increasingly replacing the physical world and the pace of innovation, digitalisation and e-commerce is rapid and constantly changing. Tat results in a lot of changes to systems, processes, controls and risks themselves. Many of this links to third parties that are used for new kinds of operations such as logistics, which for us is a very important risk.

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance Professionals across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us on 0041 4350 830 95.

Internal audit—connecting the dots

The world of business is constantly changing and globalization has proved to be of paramount importance for this changing world. This globalization has produced widespread dots or operations as the challenge for management to govern in an efficient manner.

Proper establishment and operations of internal audit generate reliance which connects the dots and builds trust and confidence over the widespread operations of an organization.
For an internal audit to be comprehensive and target oriented, it must be planed systematically with a documentary approach.

Analytical procedures as the tool of internal audit further helps in assessment of dot’s position in the galaxy to ascertain fluctuation and smoothness of operations.

This further clarifies the relative performance of a specific operation in financial and operational terms.
This is the key concept for the ascertainment of figures in specific heads of financials and numbers from different departments. This tool is also used to obtain an evidence or assurance during fieldwork. This is thought to have an essential ability to identify potential errors, potential fraud and unusual transactions or events that affect the organization in an adverse manner. Timely identification of potential errors and fraud helps an organization in the eradication of control weaknesses and loopholes from a system.

Global expansion of Multinationals further brings some additional challenges as topics such as local regulation, economies of scale by integration of different regional economies, currency risk, consistency in financial and other reporting across organization and understanding of local norms of stock exchange for listed companies is an additional management challenge.

Internal audit procedures specifically designed for specific risk produces remarkable results to address the vulnerability of risks.
Widespread dots or operations of organizations produce additional risks which can be controlled to bring things in risk appetite of the organization.

In addition to analytical procedures, Corporate Governance is another tool that can be used by internal auditors to control the operations of a company.

The economy of the world is constantly changing which brings new challenges every day to the organization. The governance’s control over an organization’s hierarchy at the strategic level offers the ability to believe segregation of duties and qualified personnel at the top in a hierarchy.

Corporate governance further ensures proper reporting hierarchies with the distribution of related work to equip an organization with strong controls. Another great challenge created by globalization is communication and e-commerce which are key to manage and control the organization in all aspects including normal operations of company and growth perspective. Another trend observed in the current market is decentralization with a large span of control to minimize the cost.

Decentralization exposes an entity to a greater vulnerability for control deficiency and increased risk.
Current trends and in-built risks produced by the globalization of multinationals create enhanced demand for the application of certain control techniques; especially, analytical procedures and Corporate Governance.

In addition to this, designing specific audit procedures for specific risk brings risk to the risk appetite of an entity.

As a matter of fact, control techniques equipped with strong governance structure connects the dots of widespread organizational operations and helps an organization to grow in a safe and sound control environment.

What are your thoughts on this?

Feel free to reach out to us to discuss!

Audit International are specialists in the recruitment of Internal Auditors and Corporate Governance professionals across Europe and the US.

Audit International are privileged to share some recent insights from Dr Rainer Lenz- Head of Corporate Audit at Villeroy & Boch on his thoughts about internal audit and its Independence.

“Recently, I was invited to share some thoughts about independence of internal auditors. I am basically challenging that concept:

The IIA definition positions internal auditing as an …

“ independent , objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.”
To be blunt, in my view, independence is largely theory. It is overrated, I think. So is objectivity. But let’s stay with the subject matter of independence. There is nothing wrong with aspiring independence. But, who cuts the hand feeding him? There are inconsistencies among talk and action. Consequently, academic authors refer to the internal auditor’s “role dilemma” and “role confusion”, acknowledging for example the difficulties of internal auditors to strike the balance between being independent from operations and, at the same time, providing added value and benefit to operations. Being both watchdog and consultant is challenging.

Some authors view internal audit as a schizophrenic management function. On one hand, it needs to be completely integrated and knowledgeable. On the other hand, it needs a measure of independence required of all auditors. Thus, internal audit may have a built in cognitive disconnect. Organizations and Chief Audit Executives (CAEs) may cope at different levels of proficiency with such inconsistent demands. Those who can do that well may live longer. Thus, “organizational hypocrisy” may serve a useful purpose.

When you ask non-executive directors and audit committee chairmen what they think, how independent internal auditors are, what will they say? I recall surveys where those members of oversight bodies state that (some) heads of internal audit are not up to the job, internal audit lacks adequate independence, and internal audit has not properly defined the role that they wish internal audit to fulfill.

That points to the “who’s your boss” question. There is no congruence between what the board wants, what the audit committee wants, and what senior management wants. Aiming at satisfying all customer groups is likely to disappoint one or the other customer in some dimension, as all may expect something different from internal audit, such that no one is fully satisfied. In other words, internal audit may face tension from its attempt to serve – let’s say – its two prime customers: managers and the audit committee. The IIA acknowledges that there may be conflicts when internal audit tries to “serve two masters”. Thus, the “who’s your boss?” issue can present problems in terms of allegiances, independence, and effectiveness.

Academic studies confirm that role ambiguity and role conflict can negatively affect the independence of internal auditors. At the same time, CEOs (often) want the CAE to have no fear or favor. It is crucial that the CAE is able to work with other stakeholders in the organization and is not afraid to voice his or her opinion even in controversial situations. That draws particular attention to the importance of the CAE’s characteristics, possibly more important than the debate around independence.

There are authors who suggest that internal auditors must be independent of senior management, so that the board is to rely on internal audit to provide the assurance it needs; otherwise, the risk is that internal audit’s reports to the board/audit committee will be filtered by senior management in such a way that only what is palatable to senior management is communicated. Investing in these relationships and having a steady and robust dialogue is critical to the internal audit function’s success, given its organizational context.

My 2 cents about independence of internal auditors in a nutshell.”

Guest Article Writer- Dr. Rainer Lenz-Head of Corporate Audit at Villeroy & Boch

Source: Lenz, R. (2016), Insights into the effectiveness of internal audit: a multi-method and multi-perspective study, LAP LAMBERT Academic Publishing, Saarbrücken, ISBN 978-3-659-85241-1

The job profile of the Data Scientist is still young, but is often searched for on the job market. They are required in many industries, such as:

• Banking and insurance 
• Trading
• Business and organizational consultancies, market researching
• Social Media, Telecommunications, online tradinging and network management
• Bio-, pharmaceutical, chemical and medical industries
• Logistics

In 2012, Tom Davenport, Professor at the Harvard Business School, has described the competence profile as following: „… a hybrid of data hacker, analyst, communicator, and trusted adviser. The combination is extremely powerful – and rare.“
In times of “big data”, Data Scientists are experts in demand, who are paid above average and enjoy great freedom in companies as “gold diggers”. Using methods of mathematics, computer science and statistics, they gain facts and knowledge from large amounts of data, the “gold of the 21st century”, and discover new business areas. In addition, they are something like interpreters. They formulate the data records into legible results and display the essential information in a comprehensible language.
Data Scientists are trained in statistics, graph theory and other mathematical fields, and are proficient in methods such as data mining, process mining, machine learning and natural language processing (NLP). Added to this is knowledge from practical computer science. Knowledge of operating systems, databases, networks and data integration tools, as well as the most important programming languages and analytics tools are mandatory. Furthermore, knowledge about the Hadoop ecosystem, social networks and other systems from the internet and big data environment is a compulsory requirement for professional practice. The competency profile is that of an all-round talent and accordingly (currently) difficult to find.
The Data Scientist and the financial function within the company
The question whether a controller can assume the tasks of a Data Scientist must be clearly denied in the context of the described competence profile. The current opinion in the industry is, that it is illusory to believe that controllers could also assume the tasks of a Data Scientist. However, controllers should know the job profile of a Data Scientist as well as the possibilities and limitations of Big Data. The cooperation between the tasks of a controller and a Data Scientist is an important source for the future economic success of companies.
The Data Scientist and Auditing
The advancing digitization also places new challenges on internal auditing in the selection of the audit methodology. Data Science offers the possibility to consider the analytics of data masses as a test step within an audit and in this way to create an additional benefit. This means, however, that the internal audit department must also acquire expertise in data science in addition to the already acquired competences, such as finance, business management and compliance. Since an individual auditor can hardly have all the competences mentioned above, these should be at least available within the team. If necessary, remember to include an external Data Scientist.
Along the lines of internal auditing, the external auditing is placed before conditions that were changed by digitization: the flood of data, the appropriate audit methods as well as the concern of finding young recruits within the auditors underline the need for efficiency gains. The surge in job advertisements for data scientists in audit centers, as well as first attempts to use artificial intelligence in this area, underscores this.

This feature blog was written by Prof. Dr. Nick Gehrke (Zapliance)

SAP Launched new Cloud version of their software with integrated analytics
Companies can now avail of new SAP technology as the software giant moves into the modern world of cloud computing. The new version will now allow their business customer perform the same accounting, financial, and manufacturing management tasks as before, but in a more modern and efficient manner. This is great news for SAP experts and financial auditors who use the software.
Customers will now avail of public-cloud deployment opposed to building and maintaining their own data centres. With extra features added they now deem the software to be “smart”. It is claimed that it will do everything from managing manufacturing processes, to tracking inventory, to paying bills, to logging payments.
This will be invaluable to large multinationals delivering complex on-prem ERP solutions for the largest organizations on the planet. Essentially it will allow these companies to handle all the “technical heavy lifting” by using public cloud products instead of their own private data centers. In addition it also offers integrated analytics package to take advantage of the increased intelligence.
The overall idea is to provide more automated insight into the company data being collected by the ERP system. The system acts as a more active contributor to assist and augment the human decision makers.
Going forward more and more companies during the hiring process are making SAP knowledge a prerequisite for their audit and accounting openings so this may very well be the next step in our technology driven world.

One of the new hottest tech trends for the IT Audit Market and in particular the Data Analytics Market is artificial intelligence (AI). As the consumption of data persists and the growth continues with no apparent limits, we see companies across the globe are investing not only in big data analytics hardware and software but more so in the people with the skills and knowledge to utilises them. They are also heavily investing in these hard to find individuals’ continuing education.
According to a recent article released by Forbes, the world’s biggest companies such as Google, Facebook, IBM and Amazon are heavily investing in hiring and acquiring new IT talent in the arena of data analytics.

This in turn will hopefully lead to the development of new tools for migrating data, and also analysing. The predications for the market are estimated to grow in excess of €200 billion so individuals with expertise and knowledge in these specialised fields and areas are certain to build a successful career with unlimited career options and growth.

This growth will also apply not only to individuals but also to the information-based products which are also set to increase with Fortune500 companies investing heavily in new technology and infrastructures for information gathering. The data acquired can then be either bought or sold which again will lead to further revenue generation.