Indicateurs de mesure de la performance des fonctions d’audit interne


Denis Lefort, CPA, expert-conseil en gouvernance, audit et contrôle, porte à ma connaissance un rapport de recherche de l’IIA qui concerne « les indicateurs de mesure de la performance des fonctions d’audit interne ».

Encore aujourd’hui, les indicateurs utilisés sont souvent centrés sur la performance en interne de la fonction et non sur son réel impact sur l’organisation.

Par exemple, peu de services d’audit interne évaluent leur performance par la réduction des cas de fraude dans l’entreprise, par une meilleure gestion des risques, etc.

On utilise plutôt les indicateurs habituels comme le taux de recommandations implantées, la réalisation du plan d’audit, etc.

Voici, ci-dessous, l’introduction au document de l’IIA. Pour consulter le rapport détaillé, cliquez sur le titre du document.

Bonne lecture. Vos commentaires sont les bienvenus

 

Measuring Internal Audit Value and Performance

 

Résultats de recherche d'images pour « audit interne »

 

In 2010, The IIA recognized a need to capture a simple, memorable, and straightforward way to help internal auditors convey the value of their efforts to important stakeholders, such as boards of directors, audit committees, management, and clients. To that end, the association introduced the Value Proposition for Internal Auditing, which characterizes internal audit’s value as an amalgam of three elements: assurance, insight, and objectivity.

 

But identifying the conceptual elements of value is only part of what needs to be done. How does that construct look in the workplace? What activities does internal audit undertake that deliver the most value? What should be measured to determine that the organization’s expectations of value are being met? How does internal audit organize and structure the information that populates the metrics? And, most critically, do the answers to all these questions align; that is, does internal audit’s perception of its value, as measured and tracked, correlate with what the organization wants and needs from the internal audit function? (Exhibit 1)

Exhibit 1

The Internal Audit Value Proposition

 

1. ASSURANCE = Governance, Risk, Control

Internal audit provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.

2. INSIGHT = Catalyst, Analyses, Assessments

Internal audit is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business process.

3. OBJECTIVITY = Integrity, Accountability, Independence

With commitment to integrity and accountability, internal audit provides value to governing bodies and senior management as an objective source of independent advice.

These are the kinds of questions the CBOK 2015 global practitioner survey posed to chief audit executives (CAEs) from around the world. The activities these CAEs believe bring value to the organization are consistent with the three elements of The IIA’s value proposition. In fact, the nine activities identified by CAEs as adding the most value can be mapped directly to the three elements, as shown in exibit 2

However, in looking at the performance measures and tools used by the organization and the internal audit function, a gap appears to form between value-adding activities and the ways performance is measured. This report explores that gap in greater detail and clarifies the respondents’ view of value-adding activities, preferred performance measures, and the methodologies and tools most commonly used to support internal audit’s quality and performance processes. Where appropriate, responses tabulated by geographic regions and organization types are examined.

Finally, based on the findings, the final chapter of the report provides a series of practical steps that practitioners at all levels can implement to help their internal audit department deliver on its value proposition of assurance, insight, and objectivity.

Exhibit 2

The Internal Audit Value Proposition (mapped to response options from the CBOK Survey)

 

ASSURANCE ACTIVITIES

  1. Assuring the adequacy and effectiveness of the internal control system
  2. Assuring the organization’s risk management processes
  3. Assuring regulatory compliance
  4. Assuring the organization’s governance processes

INSIGHT ACTIVITIES

  1. Recommending business improvement
  2. Identifying emerging risks

OBJECTIVE ADVICE ACTIVITIES

  1. Informing and advising management
  2. Investigating or deterring fraud
  3. Informing and advising the audit committee

Indicateurs de mesure de la performance des fonctions d’audit interne


Denis Lefort, CPA, expert-conseil en gouvernance, audit et contrôle, porte à ma connaissance un rapport de recherche de l’IIA qui concerne « les indicateurs de mesure de la performance des fonctions d’audit interne ».

Encore aujourd’hui, les indicateurs utilisés sont souvent centrés sur la performance en interne de la fonction et non sur son réel impact sur l’organisation.

Par exemple, peu de services d’audit interne évaluent leur performance par la réduction des cas de fraude dans l’entreprise, par une meilleure gestion des risques, etc.

On utilise plutôt les indicateurs habituels comme le taux de recommandations implantées, la réalisation du plan d’audit, etc.

Voici, ci-dessous, l’introduction au document de l’IIA. Pour consulter le rapport détaillé, cliquez sur le titre du document.

Bonne lecture. Vos commentaires sont les bienvenus

Measuring Internal Audit Value and Performance

 

In 2010, The IIA recognized a need to capture a simple, memorable, and straightforward way to help internal auditors convey the value of their efforts to important stakeholders, such as boards of directors, audit committees, management, and clients. To that end, the association introduced the Value Proposition for Internal Auditing, which characterizes internal audit’s value as an amalgam of three elements: assurance, insight, and objectivity.

opsione-audit-assistance-audit-interne2

But identifying the conceptual elements of value is only part of what needs to be done. How does that construct look in the workplace? What activities does internal audit undertake that deliver the most value? What should be measured to determine that the organization’s expectations of value are being met? How does internal audit organize and structure the information that populates the metrics? And, most critically, do the answers to all these questions align; that is, does internal audit’s perception of its value, as measured and tracked, correlate with what the organization wants and needs from the internal audit function? (Exhibit 1)

Exhibit 1

The Internal Audit Value Proposition

 

1. ASSURANCE = Governance, Risk, Control

Internal audit provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.

2. INSIGHT = Catalyst, Analyses, Assessments

Internal audit is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business process.

3. OBJECTIVITY = Integrity, Accountability, Independence

With commitment to integrity and accountability, internal audit provides value to governing bodies and senior management as an objective source of independent advice.

These are the kinds of questions the CBOK 2015 global practitioner survey posed to chief audit executives (CAEs) from around the world. The activities these CAEs believe bring value to the organization are consistent with the three elements of The IIA’s value proposition. In fact, the nine activities identified by CAEs as adding the most value can be mapped directly to the three elements, as shown in exibit 2

However, in looking at the performance measures and tools used by the organization and the internal audit function, a gap appears to form between value-adding activities and the ways performance is measured. This report explores that gap in greater detail and clarifies the respondents’ view of value-adding activities, preferred performance measures, and the methodologies and tools most commonly used to support internal audit’s quality and performance processes. Where appropriate, responses tabulated by geographic regions and organization types are examined.

Finally, based on the findings, the final chapter of the report provides a series of practical steps that practitioners at all levels can implement to help their internal audit department deliver on its value proposition of assurance, insight, and objectivity.

Exhibit 2

The Internal Audit Value Proposition (mapped to response options from the CBOK Survey)

 

ASSURANCE ACTIVITIES

  1. Assuring the adequacy and effectiveness of the internal control system
  2. Assuring the organization’s risk management processes
  3. Assuring regulatory compliance
  4. Assuring the organization’s governance processes

INSIGHT ACTIVITIES

  1. Recommending business improvement
  2. Identifying emerging risks

OBJECTIVE ADVICE ACTIVITIES

  1. Informing and advising management
  2. Investigating or deterring fraud
  3. Informing and advising the audit committee

Indicateurs de mesure de la performance des fonctions d’audit interne


Denis Lefort, CPA, expert-conseil en gouvernance, audit et contrôle, porte à ma connaissance un rapport de recherche de l’IIA qui concerne « les indicateurs de mesure de la performance des fonctions d’audit interne ».

Encore aujourd’hui, les indicateurs utilisés sont souvent centrés sur la performance en interne de la fonction et non sur son réel impact sur l’organisation.

Par exemple, peu de services d’audit interne évaluent leur performance par la réduction des cas de fraude dans l’entreprise, par une meilleure gestion des risques, etc.

On utilise plutôt les indicateurs habituels comme le taux de recommandations implantées, la réalisation du plan d’audit, etc.

Voici, ci-dessous, l’introduction au document de l’IIA. Pour consulter le rapport détaillé, cliquez sur le titre du document.

Bonne lecture. Vos commentaires sont les bienvenus

Measuring Internal Audit Value and Performance

 

In 2010, The IIA recognized a need to capture a simple, memorable, and straightforward way to help internal auditors convey the value of their efforts to important stakeholders, such as boards of directors, audit committees, management, and clients. To that end, the association introduced the Value Proposition for Internal Auditing, which characterizes internal audit’s value as an amalgam of three elements: assurance, insight, and objectivity.

opsione-audit-assistance-audit-interne2

But identifying the conceptual elements of value is only part of what needs to be done. How does that construct look in the workplace? What activities does internal audit undertake that deliver the most value? What should be measured to determine that the organization’s expectations of value are being met? How does internal audit organize and structure the information that populates the metrics? And, most critically, do the answers to all these questions align; that is, does internal audit’s perception of its value, as measured and tracked, correlate with what the organization wants and needs from the internal audit function? (Exhibit 1)

Exhibit 1

The Internal Audit Value Proposition

 

1. ASSURANCE = Governance, Risk, Control

Internal audit provides assurance on the organization’s governance, risk management, and control processes to help the organization achieve its strategic, operational, financial, and compliance objectives.

2. INSIGHT = Catalyst, Analyses, Assessments

Internal audit is a catalyst for improving an organization’s effectiveness and efficiency by providing insight and recommendations based on analyses and assessments of data and business process.

3. OBJECTIVITY = Integrity, Accountability, Independence

With commitment to integrity and accountability, internal audit provides value to governing bodies and senior management as an objective source of independent advice.

These are the kinds of questions the CBOK 2015 global practitioner survey posed to chief audit executives (CAEs) from around the world. The activities these CAEs believe bring value to the organization are consistent with the three elements of The IIA’s value proposition. In fact, the nine activities identified by CAEs as adding the most value can be mapped directly to the three elements, as shown in exibit 2

However, in looking at the performance measures and tools used by the organization and the internal audit function, a gap appears to form between value-adding activities and the ways performance is measured. This report explores that gap in greater detail and clarifies the respondents’ view of value-adding activities, preferred performance measures, and the methodologies and tools most commonly used to support internal audit’s quality and performance processes. Where appropriate, responses tabulated by geographic regions and organization types are examined.

Finally, based on the findings, the final chapter of the report provides a series of practical steps that practitioners at all levels can implement to help their internal audit department deliver on its value proposition of assurance, insight, and objectivity.

Exhibit 2

The Internal Audit Value Proposition (mapped to response options from the CBOK Survey)

 

ASSURANCE ACTIVITIES

  1. Assuring the adequacy and effectiveness of the internal control system
  2. Assuring the organization’s risk management processes
  3. Assuring regulatory compliance
  4. Assuring the organization’s governance processes

INSIGHT ACTIVITIES

  1. Recommending business improvement
  2. Identifying emerging risks

OBJECTIVE ADVICE ACTIVITIES

  1. Informing and advising management
  2. Investigating or deterring fraud
  3. Informing and advising the audit committee

Le rôle de l’audit interne dans l’identification des risques émergents *


Denis Lefort, CPA, expert-conseil en Gouvernance, audit et contrôle, porte à ma connaissance un document de la firme Thomson Reuters (White Paper) très intéressant sur le rôle de l’audit interne dans l’identification des risques émergents.

EYE ON THE HORIZON : INTERNAL AUDIT’S ROLE IN IDENTIFYING EMERGING RISKS

Key elements of emerging risks

Reinsurance company Swiss Re defines emerging risks as “newly developing or changing risks which are difficult to quantify and which may have a major impact on the organisation.” This identifies their key elements.

Emerging risks may be entirely new, such as those posed by social media or technological innovation. Or they may come from existing risks that evolve or escalate – for example, the way counterparty credit risk or liquidity risk sky-rocketed during the 2008 financial crisis.

Newly developing risks lack precedent or history, and their precise form may not be immediately clear, which makes them difficult to measure or model. Changing risks are at least familiar in their shape and nature, although the rate of transformation and intensity can make them hard to quantify.

The final key element of emerging risks is their potential impact. New or changing risks can be as menacing as those the organisation deals with on a daily basis, and sometimes even more so. To give just one example, the way in which the music business failed to address the implications of digital downloads allowed a complete outsider, the computer company Apple, to step in and define and dominate the new market.

Emerging risks also threaten through their apparent remoteness or their obscurity. US Secretary of State Donald Rumsfeld distinguished between things we know we do not know (‘known unknowns’), and things we do not know we do not know (‘unknown unknowns’). In the first category are risks whose shape might be familiar, but where we do not necessarily understand all of their elements – causes, potential impact, probability or timing. Unknown unknowns are events that are so out of left field or seemingly farfetchedthat it takes great insight or a leap of the imagination to even articulate them. These include the ‘black swan’ events highlighted by the investor-philosopher Nassim Nicholas Taleb, where the human tendency is to dismiss them as improbable beforehand, then rationalise them after they occur. The 9/11 terrorist attack, or the financial crash of 2008, or the invention of the internet show that not only do black swan events happen, but they do so more frequently than is generally recognised, and they have an historically significant impact (and not always negative).

Many emerging risks are characterised by their global nature, their scale or their longer-term horizon – climate change is an example that displays all of these elements. In other cases, it is less the individual events themselves, some of which may be relatively moderate or manageable on their own, as the conflation of circumstances that creates a ‘perfect storm’.

Vous pouvez aussi consulter l’enquête de Thomson Reuters Accelus Survey on Internal Audit dont nous avons parlé dans notre billet du 7 juin.

New duties on horizon for internal auditors

“The clear message from the survey is that internal audit functions need to stop thinking about themselves as compliance specialists and start taking on a much larger, more strategic role within the organization,” Ernst & Young LLP internal audit leader Brian Schwartz said in a news release. “IA is increasingly being asked by senior management and the board to provide broader business insights and better anticipate traditional and emerging risks, even as they maintain their focus on non-negotiable compliance activities.”

New risks

As strategic opportunities emerge, internal auditors also are adjusting to new compliance duties, according to the survey. Globalization has resulted in increased revenue from emerging markets for many companies, so new regulatory, cultural, tax, and talent risks are emerging.

Thomson Reuters Messenger
Thomson Reuters Messenger (Photo credit: Wikipedia)

Internal audit will play a more prominent role in evaluating these risks, according to the survey report. Although slightly more than one-fourth (27%) of respondents are heavily involved in identifying, assessing, and monitoring emerging risks now, 54% expect to be heavily involved in the next two years.

The biggest primary risks that respondents said their organizations are tracking are:

  1. Economic stability (54%).
  2. Cybersecurity (52%).
  3. Major shifts in technology (48%).
  4. Strategic transactions in global locations (44%).
  5. Data privacy regulations (39%).

Survey respondents said the skills most often found to be lacking in internal audit functions are:

  1. Data analytics;
  2. Business strategy;
  3. Deep industry experience;
  4. Risk management; and
  5. Fraud prevention and detection.

“As corporate leaders demand a greater measure of strategy and insight from their internal audit functions, CAEs will need to move quickly to close competency gaps and ensure that they have the right people in the right place, at the right time.” Schwartz said. “If they fail to meet organizational expectations, they risk being left behind or consigned to more transactional compliance activities.”

__________________________________________

* En reprise

Keeping Internal Auditors Up to the Challenge (forbes.com)

Internal Audit Has To STOP Focusing On Internal Controls (business2community.com)

Changement important dans la relation auditeur externe/interne | Financial Reporting Council (FRC) (jacquesgrisegouvernance.com)

Useful Internal Auditing in 4 Easy Steps (isocertificationaustralia.com)

Thomson Reuters Develops Accelus Governance, Risk and Compliance Platform (risk-technology.typepad.com)

Enhanced by Zemanta

PLANIFICATION D’AUDIT INTERNE BASÉE SUR LES RISQUES


Denis Lefort, CPA, expert-conseil en Gouvernance, audit et contrôle, porte à ma connaissance un document de la firme Thomson Reuters (White paper) qui aborde les écueils que n’ont pas su toujours éviter les responsables d’audit interne lors du déploiement de leur processus de planification annuelle/triennale fondé sur les risques.

  1. Votre planification prend-t-elle vraiment en compte les objectifs stratégiques de votre organisation ainsi que les risques qui pourraient prévenir leur réalisation…
  2. Votre planification prend-t-elle vraiment en compte les travaux réalisés par les autres fonctions d’assurance de votre organisation (Gestion des risques, Conformité, Finance, etc..)…
  3. Votre planification prend-t-elle vraiment en compte les préoccupations des dirigeants….

Voici un aperçu de la table des matières du document. Bonne lecture et bonne réflexion.

PLANIFICATION D’AUDIT INTERNE BASÉE SUR LES RISQUES

A TYPICAL INTERNAL AUDIT SCENARIO

REVIEW STANDARD INTERNAL AUDIT PROCEDURES

LISTEN TO MANAGEMENT: THE REAL OPPORTUNITY

LAY THE FOUNDATIONS: THE IMPORTANCE OF A ROBUST METHODOLOGY

KNOW YOUR COMPANY’S RISK APPETITE

PLAN FOR SUCCESS

UNDERSTAND THE BUSINESS AND ITS CULTURE

As the COSO Internal Control – Integrated Framework (2013) states, « risk assessment involves a dynamic and iterative process for identifying and assessing risks to the achievement of objectives ». Yet many in-house internal audit functions look at the annual internal audit risk assessment process as a check-the-box activity, required mainly to be in compliance with the IIA professional practices framework.

Audit

Typically, a three or five-year review cycle for the entire organization is already in place, and the annual internal audit risk assessment barely scratches the surface: It is merely used to justify minor modifications in the risk-based internal audit plan. Yet the internal audit risk assessment presents an often missed opportunity for internal auditors to understand their organization’s evolving objectives and implement a more dynamic risk-based approach to the internal audit process. Let’s take a look at a typical scenario played out every day and see if we, as uninvolved by-standers, can audit the process and see it if falls short in any way.

In advance of this year’s risk assessment, the internal audit department reviewed and revised their risk assessment process and the various preparation materials for management participants. The preparation materials included a list of key management participants with their preferred contact method, a list of internal audit risk assessment questions, an announcement letter explaining the importance of the annual risk assessment process, and a presentation that provided examples of beneficial insight received from the previous year’s risk assessment.

During the risk assessment, the internal audit staff rigorously captures each management remarks in an effort to record each detail, be it quantitative or qualitative. As the « scribe, » the internal audit staff is responsible for note taking, while the internal audit director asks management a series of questions from the annual list of internal audit risk assessment queries. The internal audit director conducts the interview in a way that illustrates both their tremendous understanding of the business and their ability to not get bogged down in the details. The individual representing management, on the other hand, usually provides general responses highlighting a few generic risks inherent in their business, but not enough for one to actually audit. One of those general responses was around an increase in the organization’s credit risk exposure.

Enhanced by Zemanta

La transformation de l’audit interne par l’utilisation de la pensée critique | KPMG


Denis Lefort, CPA, expert-conseil en Gouvernance, audit et contrôle, porte à ma connaissance un document de la firme KPMG qui présente le concept de pensée critique (critical thinking) adapté à l’audit interne. Ce document présente également une pyramide des différents niveaux de maturité de l’audit interne, laquelle culmine avec la pensée critique, puis la création de valeur.

Ce document propose trois ajustements au cycle d’audit interne pour bien refléter une approche intégrant la pensée critique.

À l’instar de Denis Lefort, je vous encourage à lire ce document très intéressant lequel saura peut-être vous inspirer !

Transforming Internal Audit Through Critical Thinking

In an uncertain and challenging economy, organizations are seeking an approach to internal audit that goes beyond reviewing past activities. Instead, they want internal audits that are insightful, forward looking, and go beyond preserving value to creating value on a departmental, divisional, or organization-wide level.

The logo of KPMG.

To meet these expectations, internal audit leaders must strive to migrate to more advanced stages of maturity that evolve basic auditing processes and skills towards an approach to create value and insight to an organization. Many internal audit functions establish goals to achieve higher value; however, they fall short in one of two ways:

  1. The skill sets and competencies of the team are not sufficiently cross-functional or developed in each team member to deliver the expected value
  2. The internal audit approach is not redesigned to facilitate a new approach in planning, execution, and reporting of results.

This is where the critical thinking approach comes into play. Critical thinking is defined as an open-minded approach to analyzing a situation or task for the development of supportable conclusions and conveying the assessed results in a logical manner. The application of this concept in internal audit is where value can be unleashed within an organization. Applying critical thought to internal audit is more than just a planning exercise, but one in which every element of your process is challenged. This step-by-step exercise of identifying existing or new interdependencies, inputs, relationships, and opportunities in each phase of the audit can create new information for eager business leaders about how to approach risks and improvement opportunities from a new angle.

Critical thinking can help shift the purpose of internal audit to create value and expand or develop the positive perception of the department across the organization. The full maturity, when successfully implemented, goes a level beyond operational auditing and should result in opening more doors for internal audit to sit on steering committees, task forces, and other strategic initiatives. Critical thinking as a core approach for internal audit establishes a strategic partner within the business, focused on achieving balance between risk management and business performance.

Enhanced by Zemanta

Comité des C.A. sur la surveillance des risques


Ci-dessous, vous trouverez un billet, partagé par Denis Lefort, expert-conseil en gouvernance et en audit interne, qui vous incite à prendre connaissance du Bulletin de janvier 2014 du Conference Board intitulé « Risk Oversight: Evolving expectation for Board« .

Risk Oversight : Evolving Expectations for Boards

Présenté par Denis Lefort, CPA, CA, CIA, CRMA

Ce document, très intéressant, fait un retour en arrière sur les différentes analyses et recommandations effectuées par différents groupes dont, le NACD, la SEC, le SSG, Dodd-Frank, ICGN, FSB, FRC (les acronymes sont explicitées dans le document de 10 pages), dans la foulée des scandales financiers de 2008.

English: Contribution and prioritizing threats...
English: Contribution and prioritizing threats and risks to Risk Management Effectiveness (Photo credit: Wikipedia)

Le document est très critique quant au rôle très actif que devraient jouer les conseils d’administration au niveau de la surveillance des risques. Il est aussi très critique des approches mises en œuvre par les fonctions Gestion des risques et audit interne. Enfin, des recommandations sont formulées pour ces trois instances.

Bien qu’au départ, le document ait ciblé les institutions financières, ses propos peuvent s’appliquer à un grand éventail d’organisations. C’est pourquoi je vous encourage tous à en prendre connaissance et à le partager avec vos dirigeants, membres de conseils, collègues et contacts professionnels. Voici un extrait. Bonne lecture !

The Risk Oversight Committee is responsible for :

a. determining where and when formal documented risk assessments should be completed, recognizing that additional risk management rigor and formality should be cost/benefit justified

b. ensuring that business units are identifying and reliably reporting the material risks to the key objectives identified in their annual strategic plans and core foundation objectives necessary for sustained success, including compliance with applicable laws and regulations

c. reviewing and assessing whether material risks being accepted across XYZ are consistent with the corporation’s risk appetite and tolerance

d. developing, implementing, and monitoring overall compliance with this policy

e. overseeing development, administration and periodic review of this policy for approval by the board of directors

f. reviewing and approving the annual external disclosures related to risk oversight processes required by securiti esregulators

g. reporting periodically to the CEO and the board on the corporation’s consolidated residual risk position

h. ensuring that an appropriate culture of risk-awareness exists throughout the organization

Business unit leaders are responsible for:

a. managing risks to their unit’s business objectives within the corporation’s risk appetite/tolerance

b. identifying in their business when they believe the benefits of formal risk assessment exceed the costs, or when requested to by the CEO or risk oversight committee

Risk management and assurance support services unit is responsible for :

a. providing risk assessment training, facilitation, and assessment services to senior management and business units upon request

b. annually preparing a consolidated report on XYZ’s most significant residual risks and related residual risk status, and a report on the current effectiveness and maturity of the Corporation’s risk management processes for review by the risk oversight committee, senior management, and the corporation’s board of directors

c. completing risk assessments of specific objectives that have not been formally assessed and reported on by business units when asked to by the risk oversight committee, senior management, or the board of directors; or if the risk management support services team leader believes that a formal risk assessment is warranted to provide a materially reliable risk status report to senior management and the board of directors

d. conducting independent quality assurance reviews on risk assessments completed by business units and providing feedback to enhance the quality and reliability of those assessments

e. participating in the drafting and review of the corporation’s annual disclosures in the Annual Reports and Proxy Statement related to risk management and oversight

Redefining The Role Of Internal Audit: Part Two (business2community.com)

Redefining The Role Of Internal Audit: Avoiding Redundancy (business2community.com)

Risk Based Internal Audit Planning (learnsigma.co.uk)

The difference between internal audit and external audit, by a firm consulting (iareportg5.wordpress.com)

Getting from Continuous Auditing to Continuous Risk Assessment (mjsnook.co)

The Internal Audit Activity’s Role in Governance, Risk, and Control (IIA Certified Internal Auditor – Part 1) (examcertifytraining.wordpress.com)

Enhanced by Zemanta

Le rôle de l’audit interne dans l’identification des risques émergents


Denis Lefort, CPA, expert-conseil en Gouvernance, audit et contrôle, porte à ma connaissance un document de la firme Thomson Reuters (White Paper) très intéressant sur le rôle de l’audit interne dans l’identification des risques émergents.

C’est un rôle très stimulant pour les administrateurs et les gestionnaires prêts à relever les défis. Voici un extrait du document. Bonne lecture ! Vos commentaires sont les bienvenus.

EYE ON THE HORIZON : INTERNAL AUDIT’S ROLE IN IDENTIFYING EMERGING RISKS

Key elements of emerging risks

Reinsurance company Swiss Re defines emerging risks as “newly developing or changing risks which are difficult to quantify and which may have a major impact on the organisation.” This identifies their key elements.

Emerging risks may be entirely new, such as those posed by social media or technological innovation. Or they may come from existing risks that evolve or escalate – for example, the way counterparty credit risk or liquidity risk sky-rocketed during the 2008 financial crisis.

Newly developing risks lack precedent or history, and their precise form may not be immediately clear, which makes them difficult to measure or model. Changing risks are at least familiar in their shape and nature, although the rate of transformation and intensity can make them hard to quantify.

The final key element of emerging risks is their potential impact. New or changing risks can be as menacing as those the organisation deals with on a daily basis, and sometimes even more so. To give just one example, the way in which the music business failed to address the implications of digital downloads allowed a complete outsider, the computer company Apple, to step in and define and dominate the new market.

Emerging risks also threaten through their apparent remoteness or their obscurity. US Secretary of State Donald Rumsfeld distinguished between things we know we do not know (‘known unknowns’), and things we do not know we do not know (‘unknown unknowns’). In the first category are risks whose shape might be familiar, but where we do not necessarily understand all of their elements – causes, potential impact, probability or timing. Unknown unknowns are events that are so out of left field or seemingly farfetchedthat it takes great insight or a leap of the imagination to even articulate them. These include the ‘black swan’ events highlighted by the investor-philosopher Nassim Nicholas Taleb, where the human tendency is to dismiss them as improbable beforehand, then rationalise them after they occur. The 9/11 terrorist attack, or the financial crash of 2008, or the invention of the internet show that not only do black swan events happen, but they do so more frequently than is generally recognised, and they have an historically significant impact (and not always negative).

Many emerging risks are characterised by their global nature, their scale or their longer-term horizon – climate change is an example that displays all of these elements. In other cases, it is less the individual events themselves, some of which may be relatively moderate or manageable on their own, as the conflation of circumstances that creates a ‘perfect storm’.

Vous pouvez aussi consulter l’enquête de Thomson Reuters Accelus Survey on Internal Audit dont nous avons parlé dans notre billet du 7 juin.

New duties on horizon for internal auditors

“The clear message from the survey is that internal audit functions need to stop thinking about themselves as compliance specialists and start taking on a much larger, more strategic role within the organization,” Ernst & Young LLP internal audit leader Brian Schwartz said in a news release. “IA is increasingly being asked by senior management and the board to provide broader business insights and better anticipate traditional and emerging risks, even as they maintain their focus on non-negotiable compliance activities.”

New risks

As strategic opportunities emerge, internal auditors also are adjusting to new compliance duties, according to the survey. Globalization has resulted in increased revenue from emerging markets for many companies, so new regulatory, cultural, tax, and talent risks are emerging.

Thomson Reuters Messenger
Thomson Reuters Messenger (Photo credit: Wikipedia)

Internal audit will play a more prominent role in evaluating these risks, according to the survey report. Although slightly more than one-fourth (27%) of respondents are heavily involved in identifying, assessing, and monitoring emerging risks now, 54% expect to be heavily involved in the next two years.

The biggest primary risks that respondents said their organizations are tracking are:

  1. Economic stability (54%).
  2. Cybersecurity (52%).
  3. Major shifts in technology (48%).
  4. Strategic transactions in global locations (44%).
  5. Data privacy regulations (39%).

Survey respondents said the skills most often found to be lacking in internal audit functions are:

  1. Data analytics;
  2. Business strategy;
  3. Deep industry experience;
  4. Risk management; and
  5. Fraud prevention and detection.

“As corporate leaders demand a greater measure of strategy and insight from their internal audit functions, CAEs will need to move quickly to close competency gaps and ensure that they have the right people in the right place, at the right time.” Schwartz said. “If they fail to meet organizational expectations, they risk being left behind or consigned to more transactional compliance activities.”

Keeping Internal Auditors Up to the Challenge (forbes.com)

Internal Audit Has To STOP Focusing On Internal Controls (business2community.com)

Changement important dans la relation auditeur externe/interne | Financial Reporting Council (FRC) (jacquesgrisegouvernance.com)

Useful Internal Auditing in 4 Easy Steps (isocertificationaustralia.com)

Thomson Reuters Develops Accelus Governance, Risk and Compliance Platform (risk-technology.typepad.com)

Le pouls de l’audit interne en 2013 | Rapport de l’Institut des auditeurs internes (IAI)


Vous trouverez, ci-dessous, un rapport de l’Institut des auditeurs internes (IAI), partagé par Denis Lefort, expert-conseil /Gouvernance, Audit interne, Contrôle, sur les résultats du premier sondage de l’année 2013 concernant l’Amérique du nord, portant sur le pouls de la profession de l’audit interne (Pulse of the profession).

La fonction de l’audit interne au sein des entreprises est de plus en plus importante. Ce document comporte une foule de tableaux et d’illustrations qui seront, selon moi, très précieux pour évaluer l’essor de la profession. Je présente ici l’introduction au rapport suivi du sommaire des résultats et de la méthodologie.

Bonne lecture.

Defining Our Role In a Changing Landscape | The Institute of Internal Auditors (IIA)

The IIA’s Audit Executive Center conducts the North American Pulse of the Profession Survey to assess the state of the internal audit profession. This survey looks at trends and emerging issues in the internal audit profession within the United States, Canada, and the Caribbean. Last year, the survey results indicated the strongest Outlook for internal audit resources seen since the 2008 economic downturn. Continuing this trend, the 2013 survey suggests that the vast majority of the 428 CAEs and others in audit management roles who responded to this recent Pulse survey expect that their staff and budget resources will increase or stay the same in 2014.

2013-02-06 11.17.03

With resource levels stabilizing close to pre-recession levels, the focus for internal audit seems to have settled into more diversified audit coverage than would have been seen a few years ago. The survey results indicate that audit departments are expecting a greater focus on compliance risks and less emphasis on Sarbanes-Oxley. At the same time, limited coverage of strategic business risks suggests a misalignment with the priorities of executive management and audit committees. “Historically, internal audit has witnessed that stakeholder expectations are a moving target,” states IIA President and CEO Richard Chambers. “Even if we are aligned today, those expectations may change tomorrow.” Chambers goes on to say that “at the end of the day, stakeholders expect us to be risk-based, and if we are not aligned with their priorities, then I think there is a risk that we will fail to meet their expectations.”

This year, as in previous years, The IIA focused a portion of the survey on emerging issues that affect the practice of internal auditing. This survey introduced two focus areas:

– 2014 Requirements of the U.S. Affordable Care Act and anticipated risks.

– Preparedness for COSO 2013 Internal Control–Integrated Framework implementation.

Responses pertaining to the U.S. Affordable Care Act suggest that a potential expectation gap is emerging related to internal audit’s ability to help stakeholders understand their associated risks. In contrast, survey results regarding COSO 2013 implementation indicate that internal audit departments that are implementing the revised framework by December 2014 foresee an easy transition.

SURVEY RESULTS AT-A-GLANCE

The IIA Audit Executive Center’s 2013 North American Pulse of the Profession Survey of 428 North American internal

audit professionals yielded the following overarching results:

1. The outlook for internal audit resources remains strong with steady increases in budget and staff levels and fewer decreases in some areas than in previous years.

2. One area of misalignment with stakeholder priorities appears to be strategic business risk.

3. Compliance risks are predicted to elicit greater audit coverage in 2014, pushing ahead of competing risk areas.

SURVEY DEMOGRAPHICS IN A NUTSHELL

The IIA Audit Executive Center’s 2013 North American Pulse of the Profession garnered responses from 428 CAEs and others in audit management roles within North American organizations, varying widely in type, size, and industry sector. Publicly traded organizations comprise the largest group of respondent organizations (38 percent). Privately held organizations and public sector entities also represent a significant portion of respondents — 27 percent and 23 percent, respectively. In addition, 14 percent of all respondents work in Fortune 500 companies.

The survey also shows a wide variation in staff size among respondent organizations, ranging from one person (11 percent) to more than 100 people (3 percent). The largest segment (38 percent) report staff sizes between two and five auditors. Participants represent more than 26 industries, with the highest representation from the financial services industry (22 percent). Other industries that participated at notable rates include insurance (8 percent), health services (8 percent), manufacturing (7 percent), and education (7 percent).

__________________________________

*The IIA’s Audit Executive Center is the essential resource to empower CAEs to be more successful. The Center’s suite of information, products, and services enables CAEs to respond to the unique challenges and emerging risks of the profession. For more information onthe Center, visit http://www.theiia.org/cae.

Redefining The Role Of Internal Audit: Part Two (business2community.com)

Redefining The Role Of Internal Audit: Avoiding Redundancy (business2community.com)

Risk Based Internal Audit Planning (learnsigma.co.uk)

The difference between internal audit and external audit, by a firm consulting (iareportg5.wordpress.com)

Getting from Continuous Auditing to Continuous Risk Assessment (mjsnook.co)

The Internal Audit Activity’s Role in Governance, Risk, and Control (IIA Certified Internal Auditor – Part 1) (examcertifytraining.wordpress.com)

Cadre international de communication intégrée de l’information | Enjeux pour les auditeurs internes


Denis Lefort, CPA, CA, CIA, CRMA, expert-conseil / Gouvernance, Audit interne, m’a fait parvenir le projet de référentiel très utile aux personnes intéressées par l’audit interne. Pour ceux qui n’en auraient pas encore pris connaissance, l’Institut des auditeurs internes (IAI) a publié un document de type Flash Alert en lien avec une initiative mondiale du IIRC (International Integrated Reporting Council) portant sur un cadre international de communication intégrée de l’information.

Le document joint de l’IAI résume les enjeux et l’opportunité que cela représente pour les auditeurs internes.

INTEGRATED REPORTING AND THE EMERGING ROLE OF INTERNAL AUDITING

La 2e version préliminaire du cadre de l’IIRC a été publiée en avril 2013 et la version finale est prévue pour décembre 2013. Comme vous le constaterez, ce cadre déborde largement les informations financières pour inclure aussi par exemple celles liées à la propriété intellectuelle, les opérations, et les RH.

The Rewarding Profession of Internal Audit / C...
The Rewarding Profession of Internal Audit / Corporate Management (Photo credit: danielleherner)

Pour information, je vous joins aussi la version française du cadre préliminaire proposé par l’IIRC, lequel est entré dans une phase de consultation pour commentaires.

Projet de référentiel international <IR> pour consultation

Useful Internal Auditing in 4 Easy Steps (isocertificationaustralia.com)

Should Internal Audit Be Responsible for Detecting Fraud? (cmswire.com)

EY joins call for internal audit to improve (normanmarks.wordpress.com)

Nouvelles responsabilités pour l’audit interne


Denis Lefort, CPA, expert-conseil en Gouvernance, audit et contrôle, porte à ma connaissance un article de Ken Tysiac paru dans le Journal of accountancy qui résume les résultats du sondage mondial 2013 d’Ernst & Young portant sur l’audit interne.

Cet article identifie les attentes principales des participants au sondage, chefs de l’audit interne et membres de comités d’audit, quant à l’évolution que devrait prendre les responsabilités de l’audit interne.

Vous pouvez aussi consulter l’enquête de Thomson Reuters Accelus Survey on Internal Audit dont nous avons parlé dans notre billet du 7 juin. Bonne lecture.

New duties on horizon for internal auditors

“The clear message from the survey is that internal audit functions need to stop thinking about themselves as compliance specialists and start taking on a much larger, more strategic role within the organization,” Ernst & Young LLP internal audit leader Brian Schwartz said in a news release. “IA is increasingly being asked by senior management and the board to provide broader business insights and better anticipate traditional and emerging risks, even as they maintain their focus on non-negotiable compliance activities.”

New risks

As strategic opportunities emerge, internal auditors also are adjusting to new compliance duties, according to the survey. Globalization has resulted in increased revenue from emerging markets for many companies, so new regulatory, cultural, tax, and talent risks are emerging.

Thomson Reuters Messenger
Thomson Reuters Messenger (Photo credit: Wikipedia)

Internal audit will play a more prominent role in evaluating these risks, according to the survey report. Although slightly more than one-fourth (27%) of respondents are heavily involved in identifying, assessing, and monitoring emerging risks now, 54% expect to be heavily involved in the next two years.

The biggest primary risks that respondents said their organizations are tracking are:

  1. Economic stability (54%).
  2. Cybersecurity (52%).
  3. Major shifts in technology (48%).
  4. Strategic transactions in global locations (44%).
  5. Data privacy regulations (39%).

Survey respondents said the skills most often found to be lacking in internal audit functions are:

  1. Data analytics;
  2. Business strategy;
  3. Deep industry experience;
  4. Risk management; and
  5. Fraud prevention and detection.

“As corporate leaders demand a greater measure of strategy and insight from their internal audit functions, CAEs will need to move quickly to close competency gaps and ensure that they have the right people in the right place, at the right time.” Schwartz said. “If they fail to meet organizational expectations, they risk being left behind or consigned to more transactional compliance activities.”

Keeping Internal Auditors Up to the Challenge (forbes.com)

Internal Audit Has To STOP Focusing On Internal Controls (business2community.com)

Changement important dans la relation auditeur externe/interne | Financial Reporting Council (FRC) (jacquesgrisegouvernance.com)

Useful Internal Auditing in 4 Easy Steps (isocertificationaustralia.com)

Thomson Reuters Develops Accelus Governance, Risk and Compliance Platform (risk-technology.typepad.com)

Changement important dans la relation auditeur externe/interne | Financial Reporting Council (FRC)


Denis Lefort, CPA, expert-conseil en Gouvernance, audit et contrôle, porte à ma connaissance un article concernant une importante décision du Financial Reporting Council au Royaume-Uni. Cette décision concerne la relation entre les auditeurs externes et les auditeurs internes.

The Financial Reporting Council has banned internal auditors from providing « direct assistance » to external audit teams. The new rules will come into effect in June 2014.

Bonne lecture. Vos commentaires sont les bienvenus. Voici le sommaire de l’étude.

Internal audit staff can no longer work on external audit teams.The Financial Reporting Council (FRC) has prohibited external auditors from using internal audit staff as “direct assistance” members of the audit team. It is doing this to create a clearer division of responsibility between internal and external audit teams to safeguard against conflicts of interest. It is aiming both to ensure the independence of the external auditor and promote greater confidence in the integrity of the audit for investors.

The prohibition comes into effect for audits of financial statements for periods ending on or after 15 June 2014.

Article Image

“Prohibiting direct assistance supports stakeholders’ expectation that external auditors should be free from threats to their independence, » said Nick Land, FRC board member and chairman of the Audit and Assurance Council. « In determining the effective date of the prohibition, the FRC has taken into consideration that planning the use of the work of internal auditors may take place early in the financial period being reported on.”

The ban follows the announcement in February that the FRC would adopt the revised international auditing standards on the external auditor’s use of work carried out by internal audit. It also announced that it would consider going beyond the international standard by prohibiting the direct use of internal audit staff on the external audit team. Feedback to the consultation suggested that there could be logistical issues for audits that were under way when the prohibition began. The FRC therefore decided to delay implementation until 2014.

Other revisions to the FRC’s auditing and ethical standards to reflect the revised international auditing standards on the external auditor’s use of work carried out by internal audit will also have the same effective date.

L’état de la situation de l’Audit interne en 2013


Denis Lefort, CPA,  expert-conseil en Gouvernance, audit et contrôle, vient de me faire parvenir l’édition 2013 de l’étude de Thompson/Reuters sur l’audit interne. On le sait, le domaine des contrôles internes et de l’audit interne prennent de plus en plus d’importance dans la gouvernance des sociétés.

Ce document sera donc très utile à tout administrateur soucieux de parfaire ses connaissances de l’état de la situation en 2013 dans le monde.

Bonne lecture. Vos commentaires sont les bienvenus. Voici le sommaire de l’étude.

The State of Internal Audit 2013

Executive summary – the highlights

Regulatory guidance and industry best practice expects internal audit to take a higher-level view of risks and controls in a firm.

Process assurance and monitoring activities remain key areas of focus for internal audit functions.

Focus on corporate governance is down from last year.

Immature risk management processes in firms and insufficient input by internal audit functions.

Weaknesses in risk reporting to the board.

Insufficient communication with other risk and control functions.

Challenge to audit committees to reassess the activities of internal audit.

Thomson Reuters Accelus surveyed more than 1,100 internal audit practitioners worldwide in February and March 2013 to canvass their views on the state of internal audit and their greatest challenges for the year ahead.

The responses received covered 76 countries including Europe, the Americas, Australasia, Asia, Africa and the Middle East. The respondents represented firms from a wide set of industries including financial services, manufacturing, government, education, life sciences, energy and other highly-regulated industries. Feedback came from internal audit departments of all sizes, ranging from fewer than five auditors to global conglomerates exceeding 100 auditors.

Oracle Audit
Oracle Audit (Photo credit: Fenng(dbanotes))

The world of internal audit is diverse and challenging. The global financial crisis has sparked a reassessment of the internal audit function’s role in financial services in particular, but the deepening crisis has impacted all industries. The focus from policymakers and regulators alike has been on culture, corporate governance and risk management, together with a growing acknowledgement of the need for a strong, well-resourced independent audit function operating — and in particular reporting— in close coordination with other risk and compliance functions.

Expectations have changed and continue to change. On the one hand chief executives, boards, and audit and risk committees all have increased expectations of the depth and quality of the work which needs to be performed by internal audit functions, while on the other regulators and policy makers are placing more reliance on internal audit functions not only to ensure “fair play” in organizations but also to undertake their business at board level and to become actively involved with high-level strategic risk and corporate governance issues.

The Thomson Reuters Accelus Internal Audit Survey 2013 analyses the replies from respondents and highlights the specific challenges and priorities that the current fog of information has presented the industry. There are lessons to be learnt: When compared with the detailed yardstick of the policies and guidance published, the results present a challenging picture, and one that requires action at all levels. From the audit committee’s oversight role to the detailed testing behind audit findings, internal audit functions — many of which need to be able to accomplish more with fewer resources — are urged to review what they do and reprioritize to gain maximum effectiveness.

« We do want to see the internal audit profession taken seriously within the institutions that we regulate. We want it to have an appropriate profile and thereby bolster the standing of the professions, because it is important. »

(Andrew Bailey, deputy governor for prudential regulation at the Bank of the England and chief executive officer of the UK Prudential Regulation Authority, in an interview which appeared in Audit and Risk Magazine, May 2012).

A Day in the Life of an Internal Auditor (saicf.wordpress.com)

Why Did We Audit? (romilnehru.wordpress.com)

Oh No, It’s the Auditor! (saicf.wordpress.com)

L’État de la profession de l’audit interne en 2013 | une étude de pwc


Vous trouverez, ci-dessous, un document fort intéressant, partagé par Denis Lefort*, qui dresse l’état de la situation de la profession de l’audit interne en 2013. Environ 1 100 CAE (Chief Audit Executive) et plus de 630 membres de haute direction, dans 60 pays, ont participés à cette étude annuelle de pwc. Ainsi, selon Denis Lefort, il « semble que la situation est plus préoccupante d’une année à l’autre. De plus, l’étude met en lumière des écarts de perception/satisfaction importants sur la valeur ajoutée de l’audit interne selon que cette perception soit celle du comité de vérification ou celle de la direction ».

Quel est l’état de la situation de votre propre fonction d’audit interne ?

2013 State of the Internal Audit Profession Study | pwc

Évoluer au rythme du changement : améliorer la performance de la fonction d’audit interne

La volatilité, la complexité, les perturbations économiques, les changements politiques et l’évolution de la réglementation qui caractérisent le contexte commercial actuel vont continuer et entraîner une prolifération des risques. Malheureusement, la fonction d’audit interne n’a pas évolué au rythme de ces changements et de nombreuses entreprises ont désormais de la difficulté à déterminer la stratégie d’audit interne à adopter et à tirer profit de leurs investissements dans l’audit interne.

PWC Building on 41st and Madison
PWC Building on 41st and Madison (Photo credit: Mark Morgan Trinidad A)

Notre neuvième rapport d’enquête annuel State of the Internal Audit Profession, présente les résultats d’un sondage réalisé auprès de 1 100 auditeurs en chef et 630 parties prenantes (notamment des dirigeants d’entreprises, des présidents de comité d’audit, d’autres membres de conseils et des cadres supérieurs des finances et de la gestion du risque) de 60 pays et de 18 secteurs d’activités différents.Les résultats de notre sondage et de 140 entrevues réalisées en personne indiquent qu’il y a un consensus clair sur le fait que l’audit interne doit améliorer sa performance et maximiser sa contribution. Dans le cas contraire, l’audit interne risque de perdre toute pertinence face à d’autres fonctions qui contribuent davantage à la gestion du risque de l’entreprise.

Notre enquête s’intéresse de plus près aux questions suivantes :

    1. les positions communes des parties prenantes concernant des sujets importants
    2. les capacités et la performance de l’audit interne
    3. la couverture des risques importants et émergents par la fonction d’audit interne
    4. les caractéristiques des organisations d’audit interne de premier plan

Cette étude indique également comment l’audit interne peut et doit améliorer la valeur qu’elle ajoute à l’entreprise, notamment les mesures qui devront être prises par les membres du conseil d’administration, la direction et les auditeurs en chef.

______________________________

Denis Lefort* , CPA, CA, CIA, CRMA, Expert-conseil | Gouvernance, Audit, Contrôle

The role of critical risks in internal audits (net-security.org)

PwC 2013 « State Of The Profession Survey » Finds Strong Needs Exist For Internal Audit To Deliver More Value To Organizations (darkreading.com)

Audit watchdog to criticize PwC: memo from firm (Reuters) (newsdaily.com)

Gouvernance européenne | Documents de l’European Confederation of Directors’ Associations (ecoDa)


Vous trouverez dans ce billet deux documents produit par l’European Confederation of Directors’ Associations (ecoDa), partenaire du Collège des administrateurs de sociétés (CAS), qui sont susceptibles d’intéresser les personnes qui se préoccupent de gouvernance européenne.

Le premier document est un compte rendu d’une conférence commanditée par ecoDa et l’European Confederation of Institutes of Internal Auditors (ECIIA) et qui porte sur le processus d’audit interne. C’est un rapport synthèse vraiment pertinent pour les spécialistes du contrôle interne.

The legislative triangle of the European Union
The legislative triangle of the European Union (Photo credit: Wikipedia)

Making the most of the Internal Audit Function | ecoDa

Voici un extrait du rapport :

« This paper seeks to provide useful guidance to boards, governing bodies and individual directors that wish to make effective use of the internal audit function, particularly in respect of gaining assurance concerning the adequacy of an organisation’s risk management and internal control systems. Internal audit is a key component of modern corporate governance. However, board structures and corporate governance systems exhibit significant variation across Europe. In some countries (e.g. the UK, France), the board consists of both senior members of management and non-executive directors. In other countries (e.g. Germany, Netherlands, or the Nordic countries), the board or supervisory board may be entirely composed of non-executive board members. In such circumstances, senior management may sit on a separate executive board or be excluded from the board altogether. Notwithstanding the variation in corporate governance systems across Europe, there are some basic characteristics of governance frameworks that are typical in most countries:

  1. The board provides direction to senior management by setting the organisation’s risk appetite. It also seeks to identify the most significant risks facing the organisation. Thereafter, the board assures itself on an ongoing basis that senior management is responding appropriately to these risks.
  2. The CEO and senior management are delegated primary ownership responsibility for the operational functioning of an organisation’s risk management and control framework. It is management’s job to provide leadership and direction to the employees in respect of risk management, and to control the organisation’s overall risk-taking activities in relation to the agreed level of risk appetite.

To ensure the effectiveness of an organization’s risk management framework, the board and senior management need to be able to rely on adequate line functions – including monitoring and assurance functions – within the organisation. In order to conceptualise these line functions, ecoDa and the ECIIA endorse the use of the “Three lines of Defence” model which is already widely adopted within the financial industry, but which can also be productively utilised in a wide range of sectors. The “Three lines of Defence” structure is a conceptual delineation of an organisation’s internal control levels: first line controls, second level monitoring controls and third-line independent assurance. It also provides a framework with which the board can understand the role of internal audit in the overall risk management and internal control process of an organisation ».

Le deuxième document est également très intéressant; il concerne la position européenne en ce qui a trait au « Comply or Explain » et présente les recommandations d’ecoDa sur le sujet.

2012 Annual Conference – Comply or Explain | EcoDa

Voici un extrait de la récente conférence annuelle qui portait sur le « Comply or Explain » :

English: Constituency for the European Parliam...
English: Constituency for the European Parliament election in 2009 Español: Mapa por el Elecciones al Parlamento Europeo de 2009 Français : Circonscriptions aux élections européennes en 2009 (Photo credit: Wikipedia)

« Throughout Europe, the governance of listed companies is reigned by governance codes that offer the companies a frame of reference based on best practices, which companies are supposed to comply with, or in the case of non-compliance those companies are (now) legally obliged to explain why they deviate from the code’s recommendation. Consequently, comply-or-explain (CoE) in general and the quality of explanations more specifically is expected to be one of the top priorities of the European Action Plan on corporate governance.

The 2008 ISS/Risk Metrics study – to which ecoDa as a partner organization contributed actively – demonstrated that there was widespread support for this flexible approach but at the same time revealed that the quality of explanations deserved special attention. Although governance practices have improved considerably since then, the European Commission stated in its 2011Governance Green Paper that the quality of the explanations still offers substantial room for improvement. Although the Commission so far has dealt with this issue with caution and pragmatism, some make a plea for abandoning all together the flexibility the governance codes offer.

Convinced that such a move would be detrimental to a substantive improvement of thegovernance practices and would even be unfeasible for the largest part of the more qualitative governance recommendations, ecoDa – the Voice of European Directors – took the initiative to organize a European Conference on this theme. ecoDa is convinced that only an improvement of the quality of explanations can safeguard the flexibility offered today by the European governance approach ».

Strongest Outlook for Internal Audit Resources in Five Years, Reports The Institute of Internal Auditors (virtual-strategy.com)

‘Comply or explain’ gains traction for getting women on boards (theglobeandmail.com)