
IIA Compass pages 30-35 Article Anti-Corruption

May 08, 2015

Page 1: IIA Compass pages 30-35 Article Anti-Corruption

The Internal Auditor Compass

N°4 - April 2011

Article on Basel III from Deloitte, p. 15

Continuous Auditing, p. 18

Electronic Data Analysis and Dedicated Software, p. 22

Anti-Corruption Policies under Scrutiny, p. 30

Business Continuity Management, p. 38

Expectations about IA from the Industry Sector: François Hinfray


Edito

You just turned the front page of the latest Compass edition. The articles touch different subjects. They cover both audit techniques as well as audit-related subjects. I'm convinced that some of them can really inspire you in your day-to-day job.

As auditors, we should know what our customers expect from us. I use the word «customers» on purpose in this context because it opens up a very specific framework which we, internal auditors, might not be used to. But how many amongst us can still put forward that Internal Audit is the only department within our organisations that is dealing with risk management and internal control processes? So, what is our «unique selling product»? The interview with Mr François Hinfray, CEO of Alcopa, without any doubt will enlighten us on that question.

Directly linked to the question on customer satisfaction is the question whether the Internal Audit departments dispose of the most adequate staff members in order to perform the job in a professional way. The Institute of Internal Auditors has developed a competence model. The key principles of this model are explained further in this Compass edition.

IIA Belgium actively tries to contribute to the knowledge development of its members through a vast offer of training sessions and workshops, but also on an ad hoc basis. Different working groups are organised to develop a specific topic of common interest. Recently a group of auditors of all major insurance companies started working on the Solvency II rules for insurance companies. What exactly it is all about will be explained in a dedicated article of our next publication.

Knowledge building, exchange of experience, advocacy and support of our members: these are all ways for IIA Belgium to fulfil its mission as the professional organisation of Internal Auditors. It's encouraging to notice that IIA Belgium can count on your support. In 2011 we continue to gather more than 1,500 audit professionals.

I wish you much pleasure with the reading of this Compass issue.



Rudi Hex, President IIA Belgium


Contents

You can send your comments, suggestions or articles to: [email protected]

Editor: IIA Belgium, rue Royale 109-111 Koningstraat, b 5, 1000 Brussels, tel.: +32 2 219 82 [email protected]

Redaction committee: Danièle Roussel, Tommaso Capurso, Philip Mariscal, Jacques Coucke, Steve Plasman, Jean-Marc de l'Arbre, Marc Vael, Pieter Peremans

Produced by: Green [email protected]

Pictures by: Frédéric de Norman, +32 475 941 [email protected]

The views expressed in the articles and reports reflect the view of the writers. IIA Belgium does not accept any responsibility for those views expressed herein.


Edito, p. 3

Career Corner, p. 7

Interview with Mr François Hinfray, p. 8

Article on Basel III from Deloitte, p. 15

Continuous Auditing: an introduction, p. 18

Electronic data analysis and dedicated software: with methods, huge volumes are no longer scary, p. 22

Competency Framework & Tasks, p. 26

Anti-corruption policies under scrutiny, p. 30

Good risk management and internal control systems help companies go «faster, further and more safely», p. 36

Business Continuity Management: what internal auditors should know, p. 38

Quality journey: a journey rather than a destination, p. 46

The road to quality: a journey rather than a destination, p. 49

ABIDJAN: 9th International Conference of the UFAI, p. 52

New interesting publications, p. 54

IIA Belgium events, p. 56

IIA Corner, p. 58

Upcoming Events & Trainings, p. 59


Career Corner

New functions in Internal Audit Departments

Marc Vael

Marc Vael has been appointed Chief Audit Executive at Smals (www.smals.be) since August 2010. He has more than 15 years of active experience and expertise in evaluating, designing, implementing and monitoring IT governance, and solutions around risk and information security management, incident and business continuity management, privacy and IT audit.

He is a passionate speaker and published author closely involved with research and innovation in his core expertise areas. He is also invited as guest lecturer at AMS (www.antwerpmanagementschool.be) and Vlerick Leuven Management School, and is a deputy member of the Flemish Supervisory Commission (www.vlaamsetoezichtscommissie.be).

Michael De Groote

Michael De Groote has been appointed as the new Head of Internal Audit at "Société Générale Private Banking Belgium".

In this role, he reports to the CEO, the Audit Committee and the Société Générale hub in Luxembourg, and coordinates all internal audit activities within the organisation in Belgium. Previously he worked as an auditor for the ING Group at Record Bank and ING Belgium, covering areas such as retail sales, credit risk management and operational risk management. Michael is a Certified Internal Auditor (CIA), Certified Financial Services Auditor (CFSA) and has obtained the Certificate in Control Self-Assessment (CCSA) and the Accreditation in Internal Quality Assessment / Validation (IIA QA).

Martine Gelissen

Martine Gelissen has been appointed General Auditor at Dexia Bank Belgium since March 15th, 2010. She also performs the function of Group Head of Audit "Retail and Commercial Banking", supervising the audit coverage of this business line throughout the Dexia group.

She has an 18-year career within Dexia, of which one third in the dealing room, one third in public finance, and the last six years in Audit.

News from the Internal Auditors Community


Expectations about IA from the industry sector

François Hinfray

IIA Belgium / interview Alcopa, February 2011

Interview with Mr François Hinfray

Is it a solitary job or a team job?

FH: "It's a bit of both, if you'll forgive me a Norman's answer. Audit has a rather specific position in a company because it must be independent. It has an approach that is very specific to it in terms of methodology, and so this competence is not shared, or generally little shared. Consequently, this can create not a certain solitude but a certain specificity, and the latter may in some cases lead to a feeling of solitude, because one cannot always share. On the other hand, when one considers the partnership side, one is in the dynamic of sharing and exchange. Moreover, one must maintain with management a relationship close enough, and trusting enough, to make management itself progress. In my position as CEO of the group, I must ensure that the people, limited in number, who embody this audit function do not feel alone but supported. I believe the opposite would be a situation that would not be psychologically tenable and, in the end, probably not effective, because even in a control position, audit must have a real grip on the company. My concern is to ensure that the impact of audit is always maximal relative to the work it has delivered. It is therefore really necessary that audit is not 'one against all' but 'among all'. We need a very integrated audit structure whose quality of advice is fully recognised."

Does internal audit have a strategic function?

FH: "I am not sure that internal audit has a strategic function in the usual sense of the word 'strategy'. One achieves a certain turnover with a given profitability, one wants to develop certain businesses. The operational people, the people in the trade, from time to time step back from their business and set themselves development axes. That is what I call strategy. Furthermore, they do everything to ensure that these developments are executed successfully. If that is strategy, the role of audit is not at its heart. I would rather put in parallel strategy on one side and the system on the other. A strategy is a set of ideas, concepts and ambitions that must be implemented through tools, IT systems, procedures and above all a managerial system. Now audit is at the heart of systems, because it will help to ensure their quality. Consequently, if the company has a very good strategy but failing systems, the strategy will not be a success. The role of audit is to help ensure that all the systems perform as well as possible and, it goes without saying, that the risks a strategy may give rise to are controlled as well as possible."

Audit is an important piece of governance and risk management

When certain strategic decisions are taken, would you find it normal for the head of audit to be present?

FH: "The head of audit is a member of my management committee. He shares the life of the company and knows the strategy. He must ask himself how to help this strategy succeed. For example, in the field of distribution, IT is fundamental (if one wants to develop all the CRM systems, the exploitation of customer capital, not to mention websites, ...). Setting up these systems each time constitutes complex, costly projects that are difficult managerial challenges. The role of audit, more as a partner than as a controller, is crucial because a good audit is a school of rigour. Generally, auditors are more sophisticated, better educated in all these methods than some commercial managers who come rather from the field and who sometimes tend to ignore the organisational and management aspects."

How do you see the role of the internal audit function in terms of governance, internal control and risk management?

FH: "Audit is an important piece of governance because, fundamentally, it attests to the quality of processes, even of figures, or in any case of the systems that produce figures. Audit must contribute to guaranteeing good governance. We have already mentioned it, but there are things that are very clear to me regarding control: no company can function without control! One cannot operate solely on a basis of trust. It is not that one should not trust people; it simply means that one manages complex things, that errors can occur, that there are sometimes areas of incompetence, and that this creates the need for corrections. If one wants to correct, one must control. And then there is risk control, which is modern audit that goes further than control, because control perhaps has a somewhat static role, whereas risk control has a direct influence on the organisation and the way the company operates. It is not simply a matter of saying: 'there is a procedure, it must be respected; I will check it. If it is not right, we must act in depth.' Risk control contributes to the way the company organises itself and defines its own operation in order to optimise its performance and minimise risk, because the two are linked. Risk management is not something entirely foreign to the production of performance. One is always dealing in compromises, because one also seeks to minimise costs and efforts. In the same way that any expansion or development policy will give rise to risks, they must be accepted. But they must nevertheless be properly identified and limited. That is where the risk control function is fundamental in the very dynamics of a company."

The auditor's competence is essential

What are the key success factors in building an adequate and effective internal audit function?

FH: "The competence of the auditors! Without it, there is not the slightest credibility or the slightest usefulness. Next, the degree of culture of a company, the degree of maturity with respect to an audit function: how it uses it. One can very well confine an auditor to a control role, a role that is ultimately rather marginal and very administrative. That is an archaic culture. On the contrary, I believe that a mature culture will aim to put audit, as we have already emphasised, at the heart of the systems: a better use of the competence. One must still know how to use the competence and call on it where it is useful. I believe the degree of maturity of a company is fundamental and, if it is not sufficient, it must be made to evolve. A third point is the support of the hierarchy. It is crucial; otherwise the auditor risks being marginalised."

Does this auditor remain a kind of facilitator in bringing certain projects to fruition?

FH: "In his role, not of control but of risk control and rather of advice, even beyond risk control, he can play a facilitating role. It depends a little, we were speaking of competence and of the maturity of the system, on the auditor's temperament. If the auditor has a temperament that allows him to transfer knowledge and method well, and in a way that is well received by his internal clients, then yes, he can play a facilitating role. An auditor must have the quality of getting along well with people without losing sight of being a rigorous controller who does not always please."

Who controls the auditors? How are they chosen?

FH: "Quite simply the Audit Committee, with a chairman who is a member of the Board of Directors. This is a member chosen for his particular competence and his aptitude in audit matters. He is assisted by the Audit Committee. The audit function is accompanied in its tasks, it is challenged, its problems are listened to, and inevitably an assessment of the quality of the auditors emerges from this."

Has the role of internal audit changed since the global crisis? Has there been any re-examination? How do you see the position of internal audit in your group?

François Hinfray: "In our distribution business (we are not in a financial business) this impact was felt above all in our markets through a sharp drop in volumes. However, the crisis has not changed the paradigms of our business. In that sense, I do not think that the role of audit has been transformed. On the other hand, the crisis has strained results and ratios and has certainly increased certain risks. The role of audit has therefore been more crucial, because its role consists in part of monitoring the possible risks that could affect the functioning and the results of the group. In a period of crisis, the risks are indeed greater."

Has the internal auditor become more of a partner to management, or is his action primarily focused on compliance control?

FH: "Audit has evolved from a function, let us say rather strictly, of controlling processes and figures towards more of a partner mission, precisely so as to ensure good risk control by management. That said, audit has not left the territory of control either, because if it did there would be a gap. Controls are necessary, but this mission must not weigh excessively on the availability of audit. Today, it is true that the role of audit is to ensure that the company's management is equal to its challenges, aware of the risks, and therefore implements everything that can not only avert these risks but optimise performance. Consequently, the advisory and partner role of audit is important, and that requires time and intelligence. It is a job that is perhaps more demanding, and more difficult too, than strict control, but this field of activity must not be abandoned either."

Alcopa: "the internal audit function is a lever for progress"

Alcopa is a multi-business group employing 1,600 staff. In 2010 its turnover was close to 1.2 billion euros. We met François Hinfray, CEO, and Pieter Peremans, "Interne Audit Manager", of this holding company, which has never recorded a loss in its history!

Before turning to the subject of this interview, internal audit within the Alcopa holding, let us discover a little more about the origins and structure of this rather atypical group, even though its activity is very focused on mobility and distribution.

The Alcopa group grew out of a family business created by Albert Moorkens in 1937, which began its activities by assembling motorcycles in a factory, but also with distribution activities. The company then turned to assembling automobiles with BMW. It later abandoned assembly to devote itself entirely to the import business, notably of Japanese and then Korean brands (two- and four-wheelers), and more particularly to importing automobiles and two-wheelers.

These two historic branches have today become Alcadis and Moteo. Alcadis, importer of Hyundai, Suzuki, Isuzu, Hyundai Trucks and SsangYong, is present with these brands in the Benelux, Switzerland, Germany and Poland. The other historic activity, Moteo, is focused on motorcycles and scooters. It developed for a long time with Suzuki motorcycles, then extended to new brands, notably in scooters with Sym and Peugeot Motor Cycle. Today Moteo represents some ten brands in ten countries, in Europe and South Africa.

To these historic activities was added, at the end of the 1980s, the distribution of office furniture. Today this is EOL, which operates as a stockist, cataloguer and distributor. Real estate (garages, offices, ...) is another business that developed progressively within Alcopa. Through the AlcopaimmO entity, real-estate projects were subsequently added that are not strictly linked to the development of commercial activities, such as the purchase of the Vilvorde factory and its conversion.

In the automotive world, Alcopa also has two dealership groups (excluding import) in Antwerp distributing various brands (FIDENCO and G-MAN). This activity has been made autonomous and is developed under the name Moorkens Distribution. Finally, a structure called Alcodev was recently set up with the mission of opening the group to new businesses through shareholdings or acquisitions in activities peripheral to the group, but also with a desire for diversification.

The Alcopa group is multi-business even though overall its activity is very focused on mobility and distribution. It operates in a decentralised way, most businesses being organised as autonomous subsidiaries, each with its own boss. The holding company concentrates on financial functions, strategic development matters, the choice of managers, and the control and risk-control functions such as audit.


B. Harel


To what extent must the internal audit function take the corporate culture into account?

FH: "We have already spoken of the level of maturity; I will not come back to that subject. Let us rather talk about the culture of a company, or more exactly of its businesses. I have no idea of the role of audit in a medical laboratory doing research and development, but I imagine that audit does not play the same role there as in a distribution company like ours. We will be focused on transfer prices, international tax aspects, remote management... So there are a certain number of issues characteristic of our businesses. The way audit is carried out, the advisory role, the very nature of the risks are different. In all companies one certainly finds common elements such as IT risk. But there are also very specific risks. We manage, for example, a lot of capital. Cars are expensive. We buy them very early, when they leave the factories. So we keep them for a long time. Stock risk is significant, a particularity of our business."

Precisely because of this multi-business aspect, is there a single corporate culture within Alcopa?

FH: "No, indeed. There are certainly points common to distribution and mobility: stock management, the definition of the commercial offer, network management. Apart from that, the culture is very different between the two-wheeler world and the four-wheeler world, for example. The cost already differs a great deal. In the automotive world, the brands control their distribution, whereas in the two-wheeler universe distribution is more often multi-brand. The motorcycle world is also much more fragmented, with generally smaller companies. As for the furniture world, these are entirely different customers."

Faced with these differences, isn't the auditor sometimes a little lost? Wouldn't an auditor be needed for each specialism?

FH: "Up to now there has been a group perimeter and a certain commonality of subjects which were, I believe, graspable by a single mind. It has to be a good mind, with a certain flexibility and real intellectual power. If the group develops into other perimeters and with much more different businesses, there will have to be, within audit, auditors more specialised in this or that business. That is obvious, because what matters for an auditor is knowing how things work. He really must have good operational knowledge of the business. One cannot master ten businesses at the same time. But alongside this business knowledge, auditors also rely on methods that allow them to perform well even in sectors that are not very familiar to them. It is a very structured profession which fortunately allows one to move into new businesses and become effective fairly quickly."

The auditor as "accomplice" of central functions

How do you see the interaction between internal audit and the other assurance functions in the company (CFO, controlling, risk managers, compliance, ...)? Are we again talking about partnership?

FH: "As I understand the use of the word partnership at the start of the interview, I would rather apply it to the relationship between audit and the operational businesses: a partner of the businesses. On the other hand, with regard to central functions, I would rather speak of proximity. Between audit and finance there is necessarily, I hope in any case, a form of 'complicity'. These must be two functions that 'work well together'. I would say that there must also be great proximity between audit and IT, which is perhaps less frequent and which seems to me very important today. There are pure functions that must 'work well' with audit and in which the auditor must possess a particular competence."

Do you see an evolution in internal audit activities with respect to the nature of its mission? Is there, for example, more assistance in risk management or in major projects?

FH: "We come back in part to a point already raised. To complete what I said earlier, in my role the usefulness of audit lies in everything that makes it possible to advance the managerial function and the organisation of the company, that is, the ability to deploy objectives effectively, in order, according to schedules that are kept. Management is a mechanism that is sometimes complex when it is combined with tools such as IT or concerns long-term steering. The quality of management is in itself a performance factor. After all, the products we sell, we buy; we have little merit as to the quality of these products, apart from the office furniture, which we partly define. Our added value therefore lies in the deployment of our commercial policy, in the quality of our management, economic and human: the ability to understand quickly what is happening in the market, to turn it into effective actions, to steer and correct these actions to have a better impact... If, compared with large groups, our maturity in terms of management is lesser, in terms of entrepreneurship it is nevertheless greater. We have a great

sentiment de responsabilité et en même temps de précarité. Nous savons que nous pouvons perdre un contrat d’importation, qu’il y a de gros enjeux. Je crois que nous sommes de bons entrepreneurs et parfois de moins bons managers. entrepreneurs conscients des risques financiers, réactifs sur les stocks, sur le financement. là, je crois que nous sommes meilleurs que les grandes organisations. en revanche, nous sommes plus artisanaux sur les déploiements stratégiques, sur la qualité du management, la gestion de projets. et sur tous ces sujets, j’ai demandé à pieter peremans de m’aider à nous aider à progresser. c’est la fonction partenariat et son rôle est grand. Au cours des deux dernières années, le rôle de pieter en conseil en management s’est beaucoup accru.’’

le reporting constitue-t-il une tâche importante en matière d’audit interne ?

fH : “’Je ne crois pas que cela soit très original chez nous par rapport à la pratique. les rapports sont adressés à la hiérarchie et aux audités. il y a discussion entre l’audit et les audités sur des plans d’action. pieter me tient au courant en amont et au-delà des rapports d’audit d’éléments que nous discutons en profondeur. le comité d’Audit revient sur l’ensemble de ces sujets. il y a un rapport établi métier par métier. Nous nous employons à boucler ensemble les actions à mener après les missions d’audit de façon à ce que cela ne reste pas tout simplement des rapports. il y a en tout cas une activité de production de documents et d’informations dans l’audit, qui est lourde mais qu’il importe de savoir limiter.’’

Y a-t-il un aspect particulièrement difficile dans la fonction d’audit ?

pieter peremans : “’le follow up est extrêmement important. c’est aussi un sujet très difficile qui exige beaucoup de ressources et pèse sur les organisations. force est de constater la présence de certains points importants mais on n’est pas toujours convaincu qu’il faille changer. comme l’a souligné monsieur Hinfray en évoquant la maturité : on sait qu’il faut modifier des choses. si l’on veut vraiment aboutir à un changement, il ne faut cependant pas les brusquer. mais il faut avant tout que la maturité de l’organisation augmente.’’

en conclusion, considérez-vous la fonction d’audit interne comme un renfort de valeur ajoutée stratégique à l’entreprise ou est-elle plutôt un mal et un coût nécessaires?

fH : “’la fonction d’audit interne est un levier de progrès ! sans compter qu’il s’agit aussi d’une façon de faire entrer dans une entreprise des collaborateurs de qualité, bien formés, qui n’ont peut-être pas toujours pour vocation de rester dans l’audit. certains approfondiront leurs compétences dans l’audit, mais il y en a d’autres à qui cela aura donné en quelques années un bon bagage pour d’autres fonctions.’’

Has the role of internal audit changed since the global crisis? Were certain things called into question? How do you see the position of internal audit in your group?

François Hinfray: "In our distribution business (we are not in a financial sector) the impact on our markets was mainly characterised by a sharp drop in volumes. But the crisis has not changed the paradigms of our sector. In that sense I do not think the role of audit has changed. On the contrary, the crisis has stretched results and ratios and has certainly increased certain risks. The role of audit is all the more crucial because it consists partly of monitoring risks that could affect the functioning and the results of the group. In a period of crisis the risks are effectively greater."

Has the internal auditor become more of a partner of management, or is his action mainly aimed at checking compliance ...?

FH: "Audit has evolved from, let us say, the strict function of checking processes and figures, towards a mission more as a partner, so that management is able to manage risks well. That said, audit has not left the field of control either because, if it did, a gap would appear. Controls are necessary, but that mission should not weigh excessively on the availability of audit. Today it is indeed the role of audit to act so that management is aware of the challenges, conscious of the risks, and can therefore do everything not only to spread the risks but also to optimise performance. Consequently the advisory and partner role of audit is important, and that takes time and intelligence. It is perhaps a profession that is more demanding and more difficult than strict control alone, but that part of the activity must not be neglected either."

Is it a lonely profession or is it teamwork?

FH: "It is a bit of both, sorry for the ambiguous answer. Audit occupies a fairly specific place within a company because it has to be independent. Audit has its own particular approach in terms of methodology, and so this competence is not, or generally only little, shared with others. That can therefore bring about not only a certain loneliness but also a certain specificity that in some cases can lead to a feeling of loneliness, because one cannot always share with others. If, on the other hand, one looks at the partner role, we are in a dynamic of sharing and exchange. Moreover, one must maintain a sufficiently close relationship of trust with management to make management itself progress. In my position as CEO of the group, I have to act so that the people, a limited number of people, who hold this audit function feel not lonely but supported. I believe that would be a situation that would not be psychologically sustainable and would undoubtedly not be effective in the end either, because audit, even in a control position, must have a real grip on the company. I try to act so that the impact of audit is always maximal in relation to the work it has delivered. So it is really necessary that audit is not 'one against all, but one among all'. A very well integrated audit structure is needed, in which the quality of the advice enjoys full recognition."

Does internal audit have a strategic function?

FH: "I am not sure whether internal audit has a strategic function in the ordinary sense of the word 'strategy'. We achieve a certain turnover with a certain profitability, and we want to develop certain lines of business. The operational people, the professionals, occasionally step back a little from their trade and focus on the axes of development. That is what I call strategy. Moreover, they do everything they can to carry out the developments successfully. If that is strategy, then audit does not play a central role.

I would rather place it in parallel: on one side the strategy and on the other the system. A strategy is a set of ideas, concepts and ambitions that have to be carried out with tools, IT systems, procedures and above all with a management system. Now, audit is central to these systems because it will help guarantee their quality. Consequently, if the company has a very good strategy but with systems that fall short, the strategy will not succeed. It is the role of audit to help optimise all the systems so that they deliver the best possible performance and, of course, to manage as well as possible the risks arising from a strategy."

"The holding company focuses on financial functions, strategic development subjects, the selection of managers, control, and risk management such as audit."

Audit is an important part of governance and risk management

Do you find it normal that the head of audit is present when important strategic decisions are taken?

FH: "The head of audit is a member of my management committee. He takes part in the life of the company and knows the strategy. He must ask himself how he can contribute to the success of that strategy. For example, in the field of distribution, IT is of fundamental importance (if one wants to develop all the CRM systems, the exploitation of the customer capital, not to mention the websites, ...). The implementation of such systems consists every time of complex projects that pose a difficult challenge for management. The role of audit, more as a partner than as a control, is crucial here because a good audit is a strict school. In general, auditors are more sophisticated, better trained in all these methods, whereas some commercial managers come more from practice and sometimes tend to neglect the organisational and management aspects."

How do you see the role of internal audit in the area of governance, internal control and risk management?

FH: "Audit is an important part of governance because it in fact attests to the quality of processes, even of the figures, or at any rate of the systems that produce figures. Audit must help guarantee good governance. We have already mentioned it, but for me some things in the area of control are very clear: no company can work without control! One cannot function on the basis of trust alone. It is not that one should not trust people; it simply means that one manages complex matters, that mistakes can happen, that there are sometimes certain areas of incompetence, and that corrections therefore have to be made. If one wants to correct, one has to check. And then, the control of risks: modern audit goes further than control, because control is perhaps a little static, whereas risk control has a direct influence on the organisation and on the way the company works. It is not enough simply to say: 'There is a procedure, it has to be followed; I am going to check it. If it is not right, there has to be a thorough response.' Risk control contributes to the way the company organises itself and defines its own functioning in order to optimise its performance and minimise risk, because the two are linked. Risk management is not something totally foreign to delivering performance. There are always compromises, because one also tries to minimise costs and effort. Just as any expansion or development policy is going to generate risks, one has to accept that. But one has to identify and limit them well. That is exactly where risk control is fundamental to the very dynamic of a company."

The auditor's competence is of essential importance

What are the main success factors for achieving an adequate and efficient internal audit function?

FH: "The competence of the auditors! If that is missing, there is not the slightest credibility or the slightest usefulness. Next, the cultural level of a company, its level of maturity in relation to an audit function. How it uses it. You can very well push an auditor into a control function, a function that is ultimately fairly marginal and very administrative. That is an outdated culture. I believe, on the contrary, that a mature culture will try, as I have already stressed, to give audit a central place in the systems. A better exploitation of the competence. And one must be able to use the competence and deploy it where it is useful. I believe the maturity level of a company is of fundamental importance and, if it is not high enough, one must make it evolve. A third point is support from the hierarchy. That is of crucial importance, otherwise the auditor risks being marginalised."

Does that auditor remain a kind of facilitator in the concrete realisation of certain projects?

FH: "In his part that is not control but risk control, and then rather advice, even more than in risk control, audit can play the role of facilitator. That depends a bit (we spoke about competence, the maturity of the system) on the temperament of the auditor. If the auditor's temperament allows him or her to pass on his knowledge and working method well, and in a way that goes down well with his internal clients, then yes, an auditor can fulfil the role of facilitator. An auditor must have the quality of getting along well with people, without ceasing to be a strict controller, which is not always pleasant."

Who controls the auditors? How are they chosen?

FH: "It is simply the Audit Committee, with a chairman who is a member of the Board of Directors. It is a member chosen for his specific competences and his aptitude for audit. This person is assisted by the Audit Committee. The audit function is guided in its tasks and challenged, its problems are listened to and, finally, of course, there is an assessment of the quality of the auditors."

To what extent must the internal audit function take into account corporate culture?

FH: "We already talked about the maturity level, so I will not come back to that. We had better talk about corporate culture, or rather that of the lines of business. I have no idea of the role of audit in a medical lab that does research and development, but I can imagine that audit plays a different role in a distribution company like ours. We focus on transfer pricing, international tax aspects, remote management, ... So there are a number of challenges that are typical of our lines of business. The way an audit is carried out, the role of advisor, even the nature of the risks are different. In all organisations one undoubtedly finds certain common elements, such as IT risk. But there are also very specific risks. We manage a lot of capital, for example. Cars are expensive. We buy them as soon as they leave the factory. So we keep them in storage for a long time. The large inventory risk is a typical characteristic of our sector."

Can one speak of a single corporate culture at Alcopa when it is active in several sectors?

FH: "Actually not. There are certainly common points between distribution and mobility: inventory management, the definition of the commercial offering, network management. Beyond that, there is for example a big cultural difference between the world of two-wheelers and that of four-wheelers. The cost alone is already very different. In the automotive world the brands control their distribution, whereas two-wheeler distribution often carries several brands. The motorcycle world is also much more fragmented and the companies are generally smaller. In the furniture world the customers are entirely different."

Doesn't the auditor feel a little lost among all those differences? Shouldn't there be an auditor for each of those typical characteristics?

FH: "Up to now there was a group perimeter and a certain community of people who, I believe, shared the same mindset. It has to be a good mindset, with a certain flexibility and real intellectual power. If the group expands into other perimeters and into very different sectors, then there must be auditors within audit who are specialised in a particular sector. That is obvious, because the most important thing for an auditor is that he or she knows how it works. The auditor really has to have a good operational knowledge of the sector, and one cannot master ten sectors at once. But besides knowledge of the sector, auditors also rely on methods that allow them to perform strongly, even in sectors they are not very familiar with. It is a highly structured profession in which it is fortunately possible to switch to new sectors and be effective fairly quickly."

The auditor as accomplice of the central functions

How do you see the interaction between internal audit and the other control functions in the company (CFO, controlling, risk managers, compliance, ...)? Do we then again speak rather of a partner role?

FH: "As I understood the use of the word partner role at the beginning of the interview, I would rather apply it to the relationship between audit and the operational professions, a partner of the sectors. When it comes to the central functions, on the other hand, I would rather speak of kinship. Between audit and the finance department there necessarily exists, at least I hope so, a kind of complicity. Those must be two functions that 'get along well'. I would say that audit and IT must also have a fairly close bond, which perhaps occurs less often and which seems to me very important today. There are pure functions that must 'get along well' with audit and for which the auditor must have a particular competence."

Do you see an evolution in internal audit activities with respect to the nature of the assignment? Is there, for example, more assistance in the area of risk management or in important projects?

FH: "We are partly coming back to a point already discussed. In addition to what I said earlier, the usefulness of audit rests on everything that makes progress possible in the management function and the organisation of the company; in other words, it is the ability to achieve objectives efficiently, in the right order, according to plan. Management is sometimes a complex mechanism when it is combined with instruments such as IT or when it concerns long-term direction. The quality of the management is in itself a factor of performance. After all, we sell products that we buy; our merit is not very great when it comes to the quality of these products, apart from the office furniture that we partly design ourselves. Our added value therefore lies in the application of our commercial policy, in the quality of our economic management and our HR management: the ability to quickly grasp what is happening on the market, to translate that into efficient actions, to steer and correct those actions so that they have a better impact ... Despite the fact that our management is less mature than that of large groups, as entrepreneurs we show more maturity. We have a great sense of responsibility but at the same time of vulnerability. We know that we can lose an import contract and that a lot is then at stake. I believe we are good entrepreneurs and sometimes less good managers. Entrepreneurs who are aware of the financial risks, and of the reactions on inventories and on financing. I believe we are better at that than the large organisations. On the other hand, we are more artisanal in strategic deployments, in the quality of management and in project management. And for all those subjects I have asked Pieter Peremans to help me help us make progress. That is the partner-role function and he has an important role to fulfil. Pieter's role as advisor to management has grown strongly over the past two years."

Is reporting an important task in internal audit?

FH: "I do not believe that is very original with us if we look at practice. The reports are sent to the hierarchy and to the auditees. Audit and the auditees discuss the action plans together. Pieter keeps me informed, upstream and afterwards, of the elements of the audit reports and we discuss them thoroughly. The Audit Committee comes back to all these subjects. A report is drawn up sector by sector. We make sure that all the actions to be taken after the audit assignments are bundled together, so that it does not stop at reports. Audits in any case produce a lot of documents and information, which is a heavy task, but one where it is important to limit this."

Is there a specifically difficult aspect to the audit function?

Pieter Peremans: "Follow-up is extremely important. It is also a very difficult subject that demands a lot of resources and weighs on organisations. We have to note that there are certain important points, but people are not always convinced that change is necessary. As Mr Hinfray emphasised when he spoke about maturity: one knows one has to change things. If one really wants to achieve change, however, one must not force it. But above all one must raise the maturity of the organisation."

In conclusion: do you regard the internal audit function as a complement to the company's strategic added value, or is it rather a necessary evil and cost?

FH: "The internal audit function is a lever for progress! Besides, it is also a way of bringing high-quality, well-trained staff into the company who may not always aim to stay in audit. Some sharpen their skills in audit, but there are others for whom, in a number of years, this provides good baggage for other functions."

12 13

April

201

1

April

201

1

QAs

reVi

ew

iNte

rVie

w

Article on Basel III from Deloitte

Dr. Frank De Jonghe (Partner, Enterprise Risk Services / Financial & Actuarial Risk Advisory, Deloitte Belgium), Laurent Berliner (Partner, Enterprise Risk Services, Deloitte Luxembourg) and Roeland Baeten (Manager, Enterprise Risk Services / Financial & Actuarial Risk Advisory, Deloitte Belgium)

In this article¹ we will briefly introduce the current regime (Basel II), explore the main reasons supporting its amendment and provide an overview of the main changes that will be made to the Basel II/CRD framework. In parallel with the Dodd-Frank Act in the US (signed into law by President Barack Obama on July 21, 2010), the European Union has started implementing the first wave of changes to its regulatory framework.

¹ This article is an update of three articles we published in the newspaper Tageblatt.

Basel II reform – overview of major changes

CRD stands for Capital Requirements Directive, the European transposition of what is more commonly known as Basel II, the international name for the solvency regime applicable to banks (the CRD also applies to investment firms) proposed by the Basel Committee on Banking Supervision (BCBS). This framework organizes the prudential supervision of solvency under three pillars:

• the first pillar imposes a minimum ratio of own funds to the risk-weighted assets held by the institutions;

• the second pillar aims to improve risk management processes and capital planning, and encourages an active dialogue between regulators and the institutions; and

• the third pillar aims to promote greater stability in the financial sector by enhancing transparency, through the publication of a set of information drawn from the previous two pillars.

In comparison with Basel I, the CRD, first introduced in Europe during 2007, was seen as a more comprehensive framework, especially thanks to the two new pillars. More precisely, Pillar II's objective was to capture exhaustively the risks taken by the entities, and Pillar III's to impose transparency on those exposures for the benefit of the various stakeholders of the financial sector.

Despite such a comprehensive framework, how did the financial crisis of the last two years reach such a magnitude in the financial sector in general and among European institutions in particular?

Several weaknesses within the regulatory framework laid the foundation for a financial crisis that began internally and then spread across borders. The main shortcomings identified were:

• underestimation of credit risk in the models of the rating agencies and in the internal credit risk models developed as part of Basel II, underestimation of concentration risk and settlement risk, and neglect of liquidity risk, all enabled by several excessively favorable economic trends since 2002 (low inflation, low interest rates, excess liquidity...);

• a heavily interconnected and complex financial system (distribution of risks through securitization, the "originate to distribute" model);

• inadequate governance models (aggressive remuneration policies, no conflict-of-interest policies between the various activities of the institutions); and

• lack of transparency of financial information (Pillar III not implemented, procyclicality introduced by the International Financial Reporting Standards).

² Source: Revue Banque, no. 73, April 2010.

Basel II/CRD, being the most widespread regulatory framework, has been widely criticized, but it cannot be held responsible for every downturn of the financial crisis. On top of that, Basel II had not been implemented at the epicenter of the financial crisis (the United States of America) and, where it had been implemented, it had never been back-tested or stress-tested (Basel II was implemented in 2007 only in Europe and Canada, which left no opportunity to learn from back-testing). This unprecedented financial crisis, however, played the role of a live back-testing exercise for the regulatory framework. The Basel Committee on Banking Supervision therefore proposed, over the past two years, a series of measures to address the weaknesses identified. These measures have been endorsed by the European Commission and form the three waves of CRD (the directives CRD II and CRD III, and the still-to-be-voted CRD IV). The patches to the regulatory framework can be divided into ten subjects:

• increase the level and quality of the institutions' own funds;

• better capture the risks linked to securitization and re-securitization transactions;

• better capture concentration risk through a revised large exposures regime;

• better capture the market risk linked to the trading portfolio;

• capture counterparty risk, especially for over-the-counter and repo transactions;

• improve transparency in the publication of information on securitization, complex transactions and trading portfolio transactions;

• encourage better risk management processes and governance;

• enhance liquidity risk management processes and liquidity risk measurement through two liquidity ratios (short term and stable funding);

• create a measure of the leverage taken on by the institutions through a leverage ratio (total exposures against capital); and

• create specific supervision for systemic risk entities.

Some of these measures complement the previous framework, while others, such as the new ratios, reshape the framework entirely, implying quantitative impact studies and an impact on the financial sector as a whole.

The schedule of the reform of the solvency regime in the European Union can be presented as follows:

• CRD II has been implemented in Belgian law in 2010 and is applicable from 31 December 2010.

• CRD III: on 7 July 2010 the European Parliament voted and approved CRD III. The Council approved CRD III at its meeting of 11 October 2010. Member states are to implement this directive from 1 January 2011, and it will be applicable from 31 December 2011.

• CRD IV is still at an early stage; a European initiative is foreseen for June 2011.

CRD II and CRD III mainly introduce light changes to the solvency regime and bring to life the long-awaited reform of large exposures. The main changes foreseen under CRD II/III deal with:

• the review of the eligibility of hybrid instruments as part of original own funds (Pillar 1), implementing stricter criteria (mainly permanence, loss absorbency and flexibility of payments on these items), new limits applicable to these instruments and proper disclosure of the various components of regulatory capital, in order to improve the resilience of own funds;

• the adjustment of the capital requirements in relation to the trading portfolio (Pillar I), introducing the concepts of stressed VaR and the incremental risk capital charge in order to better apprehend the risks implied by trading activities and avoid arbitrage between the trading book and the banking book;

• the enhancement of the securitization risk management processes, doubling the weights to be applied to securitization exposures and introducing a retention factor for the originators of securitization transactions (Pillar I), and guidelines on the consideration to be given to securitization risk as part of Pillar II;

• the enhancement of the liquidity risk management framework (Pillar II) in order to apprehend liquidity risk qualitatively, since it significantly impacted most banking institutions during the crisis (see detail below);

• the introduction of guidelines on remuneration policies in the financial sector (Pillar II) in order to neutralize the incentives and lack of governance noticed before and during the financial crisis (see detail below);

• the improvement of the quantitative and qualitative information published on securitizations, re-securitizations, the trading portfolio and complex transactions (Pillar III) in order to ensure that transparency is achieved on such exposures;

• the formalization of the supervision of cross-border banking institutions through international colleges, which existed before the crisis but were not harmonized in the way they performed their duties. Particular attention has been given to the supervision of liquidity risk management by the colleges;

• the complete reshaping of concentration risk limits through the new large exposures regime, as announced as part of the Basel II reform. The main features of the new large exposures regime are:

• Exposure to a client or group of connected clients should be smaller than 25% of own funds, after CRM (credit risk mitigation) is accounted for. If, however, the client or at least one member of the group of connected clients is a credit institution, an absolute alternative limit of EUR 150 million is introduced. The limit for interbank exposures therefore becomes 25% of own funds or EUR 150 million, with a limit to be defined between 25% and 100% of own funds.

• The list of potential exemptions is greatly reduced, in particular those related to exposures to credit institutions.

• Breaches are no longer authorized! Accepting a breach subject to holding additional capital is no longer considered.

• In addition, the Belgian regulator has opted to subject intra-group exposures to the large exposures regime, with the definition of a limit of 100% of own funds.

CRD II and CRD III have been seen as punctual responses to the issues revealed by the financial crisis, but cannot be seen as a comprehensive response to the symptoms of the biggest financial crisis since the 1930s.

For this specific purpose, the BCBS (Basel Committee on Banking Supervision) issued in December 2010 the final Basel III rules, which have been endorsed by the European Commission as CRD IV:

• “Basel III: A global regulatory framework for more resilient banks and banking systems”; and

• “Basel III: International framework for liquidity risk measurement, standards and monitoring”.

A major difference of CRD IV compared to CRD II and CRD III is actually its innovative side: many of these propositions are new requirements, not amendments of existing ones. This probably explains why they are so hotly debated! Some studies even indicate that strict application of the provisions would lead to a negative impact of 1.5% on the GDP of the euro zone in the short term and that the whole banking industry would need an additional EUR 167 billion of own funds to cope with the new requirements².

These revised measures, expected to be implemented by the end of 2012, cover seven key topics:

1. A revision of the definition of the capital base eligible for computing the Pillar I solvency ratio;

2. The introduction of a leverage ratio;

3. A set of new guidelines for liquidity risk management, including two new regulatory liquidity ratios;

4. Dealing with procyclicality through counterbalancing measures focusing on forward-looking provisioning, capital conservation and building capital buffers in times of excessive credit growth;

5. Strengthening of counterparty risk requirements for derivatives and repo-style transactions;

6. Definition of measures to limit the systemic risk implied by the existence of very large institutions; and

7. A series of proposals to harmonize the regulatory corpus applicable to banks at European level (e.g. treatment of mortgages).

The overall reaction of the industry has been especially vigorous with regard to the first three elements, which we describe in further detail below.

Capital base

The recent market turmoil and the solvency issues faced by many credit institutions highlighted inconsistency across countries in the criteria for capital to be eligible under Pillar I rules, and opacity regarding the full and true nature of the capital used for regulatory purposes. In an attempt to strengthen and harmonize the definition of regulatory eligible capital instruments, supervisors have proposed a series of amendments whose overarching objectives are:

• Tier 1 capital must help a bank to remain a going concern;

• regulatory adjustments must be applied to the appropriate component of capital;

• regulatory capital must be simple and harmonised across jurisdictions; and

• the components of regulatory capital must be clearly disclosed.

In particular, the “three tier” approach currently in place will be streamlined and the notion of Tier 3 capital will be abolished. Among the requirements worth noting, core Tier 1 capital (“common equity”) will need to be clearly and separately disclosed on the balance sheet, while additional Tier 1 capital and Tier 2 capital elements shall neither have credit-sensitive dividend features nor be callable within at least 5 years.

Leverage ratio

This ratio is new and is intended to provide supervisors with an additional measure alongside the Basel II risk-based ratio. It is deemed to be a simple and transparent non-risk-based “backstop” measure based on gross exposure (the current Pillar I ratio involves risk-weighted positions that do not reflect the full size of the banks’ activities). The objective of the leverage ratio is to set a limit on leverage in the banking sector, helping to avoid destabilizing deleveraging processes which can damage the broader financial system and the economy. Based on the current text, this ratio is obtained by dividing the total gross amount of exposures by Tier 1 capital. For on-balance sheet items, total exposures are to be measured consistently with the financial accounts and include all assets (including high quality liquid assets) in the measure of exposure.

Off-balance sheet items would be valued with a 100% credit conversion factor, meaning for instance that commitments would be accounted for at the whole committed credit line, not only the drawn amounts. The capital is proposed to meet a high quality definition of capital, after deduction of intangibles and other adjustments.
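As an added illustration, not part of the Deloitte article, the two rules described above (the CRD II/III large exposures limits and the leverage ratio) written as checks an internal auditor could script against a bank’s exposure file. The own funds, exposure amounts, Tier 1 figures and the `interbank_cap` parameter are constructed assumptions; the leverage ratio follows the article’s own statement (total gross exposures divided by Tier 1 capital), and the “other adjustments” to capital the article mentions are left out.

```python
from dataclasses import dataclass

# Thresholds quoted in the article (CRD II/III large exposures regime).
LARGE_EXPOSURE_LIMIT = 0.25               # 25% of own funds, after CRM
INTERBANK_ABSOLUTE_LIMIT = 150_000_000.0  # alternative EUR 150 million limit
INTRAGROUP_LIMIT_BE = 1.00                # Belgian option: 100% of own funds


@dataclass
class Exposure:
    counterparty: str
    amount_after_crm: float   # exposure value net of credit risk mitigation, EUR
    is_credit_institution: bool
    is_intragroup: bool = False


def exposure_limit(own_funds, exp, interbank_cap=1.0):
    """Applicable large exposure limit in EUR for one client or group of clients.

    - default: 25% of own funds;
    - client is a credit institution: the larger of 25% of own funds and
      EUR 150 million, bounded by the institution's own interbank limit
      (interbank_cap, a share of own funds between 25% and 100%; the default
      of 100% is an assumption of this example);
    - intra-group exposure (Belgian option): 100% of own funds.
    """
    if exp.is_intragroup:
        return INTRAGROUP_LIMIT_BE * own_funds
    base = LARGE_EXPOSURE_LIMIT * own_funds
    if exp.is_credit_institution:
        if not LARGE_EXPOSURE_LIMIT <= interbank_cap <= 1.0:
            raise ValueError("interbank cap must lie between 25% and 100% of own funds")
        return min(max(base, INTERBANK_ABSOLUTE_LIMIT), interbank_cap * own_funds)
    return base


def find_breaches(own_funds, exposures, interbank_cap=1.0):
    """Breaches are no longer authorised, so every excess over the limit is reported."""
    breaches = []
    for exp in exposures:
        limit = exposure_limit(own_funds, exp, interbank_cap)
        if exp.amount_after_crm > limit:
            breaches.append((exp.counterparty, exp.amount_after_crm, limit))
    return breaches


def leverage_ratio(tier1_capital, intangibles, on_balance_assets, undrawn_commitments):
    """Leverage ratio as the article states it: total gross exposure / Tier 1 capital.

    On-balance sheet items enter at their accounting value (all assets, liquid
    assets included); off-balance sheet commitments enter at a 100% credit
    conversion factor, so the undrawn part of each committed line is added in
    full (the drawn part already sits in the assets). Capital is Tier 1 after
    deducting intangibles.
    """
    ccf = 1.0
    capital = tier1_capital - intangibles
    exposure = sum(on_balance_assets) + ccf * sum(undrawn_commitments)
    return exposure / capital


if __name__ == "__main__":
    # Constructed sample bank with EUR 1 billion of own funds.
    book = [
        Exposure("Corporate A", 260_000_000.0, False),            # > 25%: breach
        Exposure("Bank B", 240_000_000.0, True),                  # within 25%
        Exposure("Group subsidiary", 900_000_000.0, False, True),  # intra-group, <= 100%
    ]
    for name, amount, limit in find_breaches(1_000_000_000.0, book):
        print(f"{name}: {amount:,.0f} exceeds limit {limit:,.0f}")
    print("leverage ratio:", leverage_ratio(55.0, 5.0, [600.0, 300.0], [100.0]))
```

Run as a script it reports the one breach (Corporate A) and a leverage ratio of 20 for the sample figures; for a small bank with EUR 200 million of own funds, the interbank limit becomes the EUR 150 million alternative rather than 25%, which is the case the text singles out.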

Liquidity ratios

So far, limited regulatory requirements existed for liquidity risk and existing regulations were country specific. The proposals create the first internationally harmonised and binding minimum standards for liquidity risk. The core of these proposals consists of two ratios, which have been developed to achieve two separate but complementary objectives:

• The Liquidity Coverage Ratio (LCR) aims at strengthening the short-term liquidity profile by defining the level of liquidity buffer to be held to cover short-term (< 30 days) funding gaps under severe liquidity stress. It adopts a cash flow perspective and relies on predefined stress scenarios with parameters fixed by the regulators. The implementation date of this new ratio has been set to 2015.

• The Net Stable Funding Ratio (NSFR) aims at strengthening the mid- to long-term (horizon of 1 year) liquidity profile by defining the minimum acceptable amount of stable funding in an extended firm-specific stress scenario. Contrary to the LCR, the NSFR adopts a balance sheet perspective. Parameters are here again defined by the regulators. The implementation date of this new ratio has been set to 2018.

While most observers agree on the need for improved management of liquidity risk, critics have been harsh on the calibration of the parameters.

Conclusion

The regulator has foreseen a very long transition period (until 2019) in order to allow banks to adapt gradually to the new requirements under CRD IV. The new regulation will have a significant impact on the industry as we know it today; more particularly it will impact banks’ business models and will require banks to make some tough strategic decisions.


Continuous auditing – an introduction

Andy Robertson, Cass Business School

The concept of continuous auditing has been around since the 1960s. It has always been an attractive sounding concept, and the title seems to imply a healthy situation where audits are carried out without the emphasis on historical data, time delays and a long tail between the transactions occurring and the Audit Committee being informed of any weaknesses.

The concept has been kept simmering on the back burner, occasionally being flamed by a new publication, a revised article in the internal auditing journals, or by occasional workshops. In recent times, however, a number of factors have become aligned and the time is right for a serious look at the concept. Along with many other professions, auditors are being asked to produce more results with fewer resources. Many Boards are concerned that in a world crowded with rules, regulations and regulators there is still a sizeable assurance gap facing their organisations. Although technology development continues apace and offers many obvious advantages, the audit profession seems to lag behind, both in embracing the technology available to it and in its ability to audit the increasing volumes of data being produced. Perhaps continuous auditing is the tool the audit profession needs to address all these issues.

But before auditors start to add “Software for a Continuous Auditing process” to their software budget, a word of caution needs to be introduced. There is no universal agreement on how to implement a continuous auditing process, or indeed on what a continuous auditing process is. This paper attempts to explain the concepts and to give one or two examples of how the concept has been implemented. The paper also highlights the benefits, but also the changes that may occur in the traditional internal audit role regarding the provision of assurance and the relationship with the management team. But first things first. Has continuous auditing suddenly arrived? If so – why now? Let us look at the development of the concept.

Brief history

Those auditors with long experience will recall the use of embedded audit modules (EAM). These modules were an early attempt to install software options. The current ISACA definition of EAM is: “Integral part of an application system that is designed to identify and report specific transactions or other information based on pre-determined criteria. Identification of reportable items occurs as part of real-time processing. Reporting may be real-time online, or may use store and forward methods. Also known as integrated test facility or continuous auditing module.” This is a modern interpretation of the EAM. Back in the 1960s the EAM proved to have limited usefulness: as IT systems changed, the EAMs that had to be maintained frequently got left behind and their usefulness diminished. Eventually, by the 1980s, EAMs were by-passed or turned off.

The same decade saw the introduction of computer aided tools and techniques. Most auditors will be familiar with the concepts, and in fact the evolution of readily available audit software and the flexibility of accounting packages have led to the acceptance and widespread use of computer aided tools and techniques. These were, and to some extent still are, simply tools to help internal auditing be more productive and efficient.

The 1990s saw the growth of data analytics that allowed testing of the effectiveness of internal controls. This was a move away from transactional testing, but traditional auditing still relied on representative sample testing. Risk and control problems could still escalate and cause problems.

The more recent history reflects the more widespread growth of technology, both in sophistication and pervasiveness. There is better technology, but far more systems, more complexity and far more data. Processes and technologies exist today that had not been developed 20 years ago, or were not reliable and within sensible cost ranges. Cloud computing is one such example.

So better technology exists, can be exploited by auditors and is increasingly being used. The increased demand for assurance, both due to the global financial crisis and to Section 404 of SOX, has been one of the reasons for this increase. Boards in both the private and the public sector are looking for ongoing, not periodic, assessments of the health of internal controls. Another contributory development is the emergence of XBRL, which will in theory make the analysis of different systems easier through a common technology. There are also the demands involved when organisations move towards implementing COSO. And of course the IIA expects internal auditors to add value, especially via continual improvement.

But perhaps the biggest incentive to move towards CA is the realisation in the minds of many CAEs that IA has not covered itself in glory in recent years. Despite membership of the IIA increasing and examination successes providing more qualified internal auditors than ever before, internal audit has been virtually a spectator during the global financial crisis. Board members may well be looking to others to fill the assurance gap: functions such as risk management, the company secretariat and compliance. With the sense of becoming an irrelevant and endangered species, CAEs are looking for new tools, new approaches and new opportunities to bring IA back into the assurance world. Continuous auditing may be just the vehicle to bring audit back to centre stage.

Definition

There are a number of publications that cover the subject, including several from the IIA. The best of these is a publication in the GTAG series (Global Technology Audit Guide) called GTAG 3, which was written in 2005. GTAG 3 provides the following definition: “Continuous auditing is a unifying structure that brings control assurance, risk assessment, audit planning, digital analysis and the other audit tools, techniques and technologies together. It supports micro and macro audit issues.”

There are examples of continuous auditing dating back to the 1980s, when AT&T introduced the technique, but many academic papers were issued on the subject mostly addressing the topic from the external audit point of view. The audit firms saw continuous auditing as a way of delivering more assurance to clients than is possible with more traditional techniques. This can be seen in the definition currently given by the AICPA: “A methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.”

This paper is concerned with the use of continuous auditing from the internal auditing point of view. The concept of continuous auditing has been interpreted in different ways by different sectors and different users. The following paragraphs give a short description of two of these interpretations.

Chinese National Audit Office – the Golden Auditing Project

An excellent study published on the IIA website (see www.theiia.org/itauditarchive/) demonstrates one interpretation of continuous auditing, in this case continuous on-line auditing. This project was to build an audit information system with the objective of tracking the government’s budget management process throughout its lifecycle. It allowed the simultaneous use of budget tracking and online continuous auditing. In effect the system is constructed to provide not only the budget processing and monitoring system, but also to facilitate continuous on-line auditing. The system featured:

• a special wide area network to provide a safe continuous auditing platform;

• a control environment to evaluate the quality of data and securely switch between data retrieval and data analysis;

• a data retrieval interface to control filtering, extraction, processing or conversion, verification, transferring and loading; and

• continuous auditing.

The overall concept is that the auditors are able to take real, live data, copy it and transfer it into the audit system and perform either automatic or manual interrogation of the data. The key to this process is the data retrieval interface, as it controls the transfer from the system being audited to the audit system itself. This is done both in manual mode and in automatic mode. As the names suggest, the manual mode is used by an authorised auditor to retrieve data; the automatic mode works when various triggers such as time, interval and predetermined events occur. Once data is retrieved, there is strict security to ensure the audited system and the retrieved data (to be used by the audit software) are always separated. The audit department operates both a manual mode, where authorised auditors can operate the audit software to interrogate the data (by query language, sorting and performing the usual database checks), and an automatic mode where the system executes pre-defined audit procedures to detect a deviation from an agreed standard.

Healthcare sector – HCA (Healthcare)

Another excellent example of an interpretation and implementation of continuous auditing, at HCA (Healthcare), was given in an IIA journal article that is again freely available. The audit team chose to develop two streams of continuous audit:

• direct reporting of clear violations to the client. This is done in real time; reports are run on a fixed schedule and sent directly to the relevant management team; and

• indirect reporting – producing exceptions that need manual intervention to determine if a problem actually exists (e.g. an entity possesses assets but no reported earnings).

Various testing methods were considered for the continuous auditing process. The team discounted embedded audit modules, as this was considered routine monitoring, something management should do with proper controls.


They also considered trending the financial indicators and flagging anomalies for further research, but felt this was redundant as management performed this task. In addition, investigating the root cause of anomalies would have required extensive audit resource. The approach adopted was to monitor transactions, master file changes and account balances using audit-developed software to review data extracted from the source systems. HCA set two criteria before deploying continuous auditing:

• firstly, a test must be able to fulfil a defined audit objective (for example identifying employees posting manual journal entries); and

• secondly, the test must provide clear results to management.

The testing process required an automated process. However, the development costs were not high. Much of the software was “off the shelf” and cost less than $100. The audit team used the existing centralised security software, which manages the core business applications, to identify the users needing access to exception reports; tracking and feedback on results are via the system security co-ordinators. The self-audit software was available to managers via the internal audit intranet site to enable management to conduct a self-audit as and when required.

What are the key points when considering a continuous auditing process?

We have seen two different case studies. Let us try to identify the major components in a continuous auditing system and put together some thoughts that IA departments can use.

Important features

The internal audit product is the provision of assurance. The board and senior management need to know not only that the risks facing the operation are known and understood, but that the risk management process is effectively mitigating those risks. Internal audit needs to provide that assurance. Firstly, we identify the objective as the provision of continuous assurance. In simplistic terms, controls and risks are opposite sides of the same equation. Controls are part of the weaponry that helps in mitigating risk. Auditors need to examine the whole raft of controls, and we are all familiar with the need to examine the adequacy, effectiveness and efficiency of the controls, whether the risks have all been identified and even whether controls are needed but do not exist. This is what auditors do. The move to continuous auditing advocates a step up in this process. The risk/control equation will remain the same, but the continuous element reflects all the aspects of risk and control.

The elements can be restated as follows. The objective of the process is to give continuous assurance. This requires that controls are continuously monitored. This in turn requires that risks are continuously assessed. The audit role now? To ensure that the process of continuous monitoring is properly performed, and that the continuous risk assessment is properly performed. Before proceeding further, a few myths need to be dispelled.

1 Meaning of “continuous” (continuous means continuous, right?)

The choice of words has confused the issue. Continuous, for the purposes of this paper, has several meanings. Firstly, it refers to a time frame that is close to the time of the actual operation of the control. The second is the frequency of occurrence. Continuous in this context clearly means frequent, more frequent than auditors usually think when conducting audits. Some would say that, with both these considerations, many auditors have carried out reviews on this basis for years. This is entirely true, and continuous auditing has been a feature of the auditing landscape for many years. But a perception has grown up that continuous auditing has to be tied into an IT process, partly because GTAG 3 was written by the IIA’s Advanced Technology Committee. So continuous means more frequent, and closer to the actual event being managed and reviewed.

2 Continuous auditing is an IT thing – right?

Wrong. Continuous auditing can leverage IT but, as in the paragraphs above, continuous auditing routines can be performed at all stages. The IT aspects may represent the subject area being audited, the method of audit or a combination of the two. Continuous auditing could also be performed on manual systems with only minimal use of IT technology. It is an error to think continuous auditing is purely concerned with the IT aspects of an organisation.

3 Continuous auditing and continuous monitoring are the same thing – right?

Wrong. This area has caused the most confusion. A manager or supervisor reviews the output from systems constantly, looking for exceptions that need to be handled when outside of the normal parameters. An auditor traditionally reviews a sample of transactions when testing, also looking for exceptions. So if the auditor starts to sample data on a regular basis, is he not performing the same task as the manager or supervisor? We need to look at the graphic below in order to answer this important question. Generally the answer is that it is management’s role to monitor the systems, and it is the auditor’s role to check:

• the efficacy of the management checks;

• the effectiveness of the controls in place.

However, this could clearly cause a change in responsibility where the auditor has set up a similar process to detect exceptions on a regular basis. What does the auditor do with the output? By reviewing the graphic below, the answer becomes clearer. One of the pre-conditions for establishing continuous auditing is for the organisation to agree the split between the role of the auditor and the role of the manager in terms of assurance. In a typical scenario, an audit department can take on the role of testing the monitoring processes, examining the exceptions prompted by those processes and commenting on their acceptability. The IA department may also develop new options for detecting exceptions and run those options for an agreed period as part of their audit brief. The new systems – once used and proven to be accurate – can then be passed to the management team for on-going operation. The audit department will audit the controls in the normal way at the next scheduled audit and the cycle will repeat. This is a valid way of portraying the scenario, with a clear delineation between the audit and management roles.

But what of the time when audit is running the new system? Clearly they are picking up the exceptions that the system reports. What do they do with the data? Back to the graphic. It needs to be established before this starts whether the internal auditor:

• checks that management have picked up the same exception;

• checks that the matter has been resolved; and

• passes the data to management with a request that management confirm they have satisfactorily resolved the issue.

The way in which this is done in each organisation will affect the extent to which the audit department needs to define the line between objectivity and moving towards the management role. The end position is clear: managers manage and the auditor audits, but the starting position needs to be fully transparent.

Impact on the normal audit planning process

The reader can see quite easily that an audit function planning to conduct continuous auditing will need to re-evaluate the traditional concept of an audit plan and its timing. As can be seen from the two case studies reviewed above, the timing aspect and the need to report, investigate and follow up on exceptions reported in real time, or near real time, require a different approach to audit planning, assigning different roles to the audit team. In most case studies reviewed by the author the advice has usually been to introduce continuous auditing in a small way and increase incrementally, to allow for the identification and use of new auditor skills in line with the new concept.

Summary

There is far more to the topic than the areas touched upon here, and the reader is advised to look further into GTAG 3 and start to understand:

• continuous controls monitoring;

• continuous data assurance; and

• continuous risk assessment.

Some of the important issues to consider are:

1 Continuous doesn’t mean continuous;

2 The concept of continuous auditing is not confined to IT and digital technology, although clearly there is major leverage in this area;

3 Continuous auditing changes the IA profile and will impact on the IA plan, the skills required and the understanding by IA of the business; and

4 Continuous auditing may well impact on the position of the Chinese wall between IA responsibility and management responsibility.

This short article has hopefully shown that continuous auditing potentially represents an important way to help CAEs produce a more relevant stream of assurance for senior management and the Board than traditional approaches. Continuous auditing is gaining ground and its introduction and implementation are not without potential problems, but the concept offers CAEs an opportunity to make their internal audit function more relevant and to assist in closing the assurance gap for their senior management team and the Board.


[Figure: extract from GTAG 3 – inverse relationship between the level of effort expended by management and by the Audit Activity. Vertical axis: management response, from “little monitoring of controls” to “comprehensive monitoring of internal controls”; horizontal axis: audit effort, from “reduced effort” to “significant effort / greater resources”.]


Electronic data analysis and dedicated software: with methods, huge volumes are no longer scary

by François Godet

Using today the same audit methods as 20 years ago is no longer possible. Auditors are still basing their opinion on facts, but when it comes to financial or operational data, the volume of data becomes so large that computer assistance is sought. Generic or dedicated audit software has become a key element of a CAATT approach (Computer Assisted Auditing Tools and Techniques).

Introduction

Performing audit engagements implies that “internal auditors must identify, analyze, evaluate, and document sufficient information to achieve the engagement’s objectives” (Standard 2300 – Performing the Engagement). Analysing data is part of the testing defined in the work program (Standard 2240.A1: “Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement.”). To cope with the volume of data handled by organizations, auditors today have to conduct electronic file reviews. The purpose of this paper is to present the key process steps of an electronic data review and some of the common tools used in that respect. See Figure 1 for a comparative overview of the most frequently used generic and dedicated software.

Process steps

To fulfil the engagement, an auditor proceeding to data analysis will have to (1) define the requirement, (2) obtain the data, (3) validate the data received, (4) conduct the analysis, and (5) document the work.

Step 1 – Defining the requirement: the data review must relate to the engagement work program. To conduct relevant and useful testing, auditors must therefore bear in mind the engagement objectives and scope: what is the process audited and what are its objectives? What are the risks and the related controls? What is the scope of the test (period, units, product lines)? The auditor then has to define the details of the test: the precise nature of the questions to be checked and the data set to review. The nature of the tests could be viewed in relation to a CAEVOP approach (Completeness, Accuracy, Existence, Valuation, Ownership, and Presentation): e.g. checking completeness (in value and numbers) of items, identifying duplicates or missing items, checking VAT rates applied on products, recalculating, ... Tests must be precisely documented at this stage. Time availability may limit the number of tests. The data set has to be defined in terms of objects and filters. The objects may be identified by a field on computer screens, printouts or existing electronic files. The information contained in the field must be clearly understood by the auditor, and its name must be mentioned in a way that is unambiguous to auditees or other information suppliers (e.g. IT department or data experts). Selection criteria (filters) must then be defined in accordance with the engagement scope (countries, business units, products, period).

step 2 – requesting the data: Data can be obtained by the own resources of the internal Audit team or through a provider external to the audit team. option selection may vary between cases since they both present advantages and risks. obtaining data through the skills of an auditor limits the risk of fraud but presents another risk: does the internal Audit expert in data mining have sufficient understanding of the business and of the data structure to identify correctly the data needed in the jungle of the organization it tables? relying on an external data provider could limit that risk if the requirement has been correctly expressed and discussed. But can the audit department trust and rely blindly on the auditee or on the it department for supplying the correct set of data (misunderstanding of requirement, fraud, ...)?

Step 3 – Validating the data received: the auditor's first action must be to ascertain the quality of the data received. The first control concerns the correctness of the data received against what was requested: does the information contained in the file match other sources, such as a computer printout or on-screen IT information? The second control concerns the completeness of the data received: the file should be compared to independent sources, e.g. the financial statements or management information (number of records, total values, etc.).

Step 4 – Executing the analysis: the quality of the analysis will depend on the quality of the preparation work done in the previous steps. Before answering the questions set in step 1, it is useful to get a first overview of the data received: number of records; highest, lowest and average values; standard deviation; presence of negative or null values; empty cells; etc. If this initial overview leads auditors to question subjects that are not included in the engagement work program, they may consider modifying the work program. The testing defined in step 1 can then start by answering the questions raised. Cases found "abnormal" by the auditor should be referred to the auditees for clarification. In addition to this analytical selection of cases to study, the auditor should select, through random sampling, a number of cases that appear "normal" and review them with the auditee. The size of this sample depends on the level of confidence the auditor needs to obtain and on the time available. Sampling is not developed here: auditors wishing to investigate further will easily find relevant papers and forums on the subject. Including fraud investigation aspects in the analysis means considering additional elements, e.g. identification of unusual repeated or rounded amounts, transactions carried out outside standard working hours, etc.

Step 5 – Documenting the work: the analysis performed and the communication with the auditee must be kept and properly documented. Standard 2330 Documenting Information is very clear on this requirement: "Internal auditors must document relevant information to support the conclusions and engagement results". The role of the Chief Audit Executive is developed in 2330.A1 ("the CAE must control access to engagement records ..."), 2330.A2 ("the CAE must develop retention requirements ...") and 2330.C1 ("the CAE must develop policies governing custody and retention ..."). When documenting their fieldwork, auditors should not only keep these standards in mind but also remember two basic elements. On the one hand, evidence related to reported issues should be properly documented, referenced and filed, bearing in mind that follow-up on the corrective measures will be carried out later. On the other hand, tests that led to no finding or issue must also be properly documented.
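Steps 3 and 4 carried out in code, as an added Python example (the article describes the method without code; this is not from the author or from any of the tools named later in the article): a small constructed invoice extract is reconciled against assumed control figures, profiled, and then run through the tests the text names: duplicates, gaps in the invoice-number series, a Benford first-digit comparison, rounded amounts, postings outside working hours or at the weekend, and a reproducible random sample of "normal" items. The extract, the reported count and total, the working hours, the rounding multiple and the sampling seed are all invented for the example.

```python
"""Steps 3 and 4 of the data-analysis procedure, run over a constructed invoice extract."""
import math
import random
import statistics
from collections import Counter
from datetime import datetime

# Constructed extract: the kind of file the IT department might supply for one
# business unit and period. Every value here is invented for the example.
INVOICES = [
    {"id": 1001, "amount": 1250.00, "vat_rate": 21, "posted": "2011-03-01 09:15"},
    {"id": 1002, "amount": 318.40, "vat_rate": 21, "posted": "2011-03-01 11:02"},
    {"id": 1003, "amount": 5000.00, "vat_rate": 21, "posted": "2011-03-02 23:40"},
    {"id": 1004, "amount": 72.90, "vat_rate": 6, "posted": "2011-03-02 14:30"},
    {"id": 1006, "amount": 318.40, "vat_rate": 21, "posted": "2011-03-03 10:05"},
    {"id": 1007, "amount": -40.00, "vat_rate": 21, "posted": "2011-03-03 10:06"},
    {"id": 1008, "amount": 2000.00, "vat_rate": 21, "posted": "2011-03-05 08:00"},
    {"id": 1009, "amount": 914.55, "vat_rate": 21, "posted": "2011-03-07 16:45"},
]
# Control figures the auditee reported for the same scope (constructed; they
# deliberately disagree with the file so that step 3 has something to flag).
REPORTED_COUNT, REPORTED_TOTAL = 9, 9984.25


def validate_extract(rows, reported_count, reported_total):
    """Step 3: reconcile the file against an independent source such as a
    general-ledger control total. A non-zero difference means the extract is
    incomplete or wrong and must be queried before any analysis starts."""
    total = round(sum(r["amount"] for r in rows), 2)
    return {"count_diff": len(rows) - reported_count,
            "total_diff": round(total - reported_total, 2)}


def profile(rows, field="amount"):
    """Step 4, first overview: statistics to read before answering the step 1 questions."""
    values = [r[field] for r in rows]
    return {"records": len(values), "min": min(values), "max": max(values),
            "mean": round(statistics.mean(values), 2),
            "stdev": round(statistics.pstdev(values), 2),
            "negative": sum(1 for v in values if v < 0),
            "zero_or_empty": sum(1 for v in values if not v)}


def duplicates(rows, keys=("amount", "vat_rate")):
    """Records sharing the same key fields: candidate double bookings."""
    groups = Counter(tuple(r[k] for k in keys) for r in rows)
    return sorted(k for k, n in groups.items() if n > 1)


def sequence_gaps(rows, key="id"):
    """Numbers missing from a series that should be unbroken (e.g. invoice numbers)."""
    present = {r[key] for r in rows}
    return [n for n in range(min(present), max(present)) if n not in present]


def benford_first_digit(rows, field="amount"):
    """Observed vs expected (log10(1 + 1/d)) first-digit frequencies. Only
    meaningful on large, naturally occurring populations; the mechanics are
    shown here on the small sample."""
    digits = [int(f"{abs(r[field]):.2f}".lstrip("0.")[0]) for r in rows if r[field]]
    observed = Counter(digits)
    return {d: (round(observed[d] / len(digits), 3), round(math.log10(1 + 1 / d), 3))
            for d in range(1, 10)}


def round_amounts(rows, field="amount", multiple=500):
    """Suspiciously round amounts, a common fraud red flag (multiple is an assumption)."""
    return [r["id"] for r in rows if r[field] and r[field] % multiple == 0]


def out_of_hours(rows, start_hour=7, end_hour=19):
    """Postings at the weekend or outside standard working hours (assumed 07:00-19:00)."""
    flagged = []
    for r in rows:
        ts = datetime.strptime(r["posted"], "%Y-%m-%d %H:%M")
        if ts.weekday() >= 5 or not start_hour <= ts.hour < end_hour:
            flagged.append(r["id"])
    return flagged


def random_sample(rows, size, seed=2011):
    """Random selection of 'normal' items to walk through with the auditee.
    Recording the seed makes the selection reproducible for the audit trail."""
    rng = random.Random(seed)
    return sorted(r["id"] for r in rng.sample(rows, size))


if __name__ == "__main__":
    print("step 3 reconciliation:", validate_extract(INVOICES, REPORTED_COUNT, REPORTED_TOTAL))
    print("overview:", profile(INVOICES))
    print("duplicates (amount, VAT rate):", duplicates(INVOICES))
    print("gaps in invoice numbers:", sequence_gaps(INVOICES))
    print("benford (observed, expected):", benford_first_digit(INVOICES))
    print("round amounts:", round_amounts(INVOICES))
    print("out of hours / weekend:", out_of_hours(INVOICES))
    print("random sample for review:", random_sample(INVOICES, 3))
```

Run as a script, each function prints its result; in an engagement the seed and every parameter (working hours, rounding multiple, duplicate keys) belong in the working papers of step 5, because the point of recording them is that the selection and the tests can be re-run and reviewed.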

Some of the IT tools available

This section presents a brief comparison between data analysis software developed for auditors (ACL and CaseWare IDEA) and standard tools such as MS Excel and MS Access. Comparing these packages highlights the benefits of software dedicated to auditors. This approach will also help auditors determine the extent to which the software they currently use (when not listed here) assists them in fulfilling their assignments.

Although most actions can be achieved without dedicated software, the benefits to an internal audit department may be substantial. A first benefit is the reduction of the time spent on the analysis: ease of use in key processes (e.g. import), an immediate statistical overview of tables, gap detection in series, etc. A second key benefit is knowledge of, and respect for, the audit methodology: all test results are stored in specific files, all tests are documented and can be reproduced, and the whole work is documented to provide a precise audit trail supporting the audit sign-off. A third benefit is the guarantee that data integrity is protected.

These benefits are achieved through the elements highlighted in the enclosed matrix (Figure 1):

• Quality of the interface: the interface is based on a worksheet display and powerful tools are driven from there (e.g. linking or appending tables). The user interface will not puzzle Windows users;

• Protection of data integrity: source-data integrity is guaranteed by the software;

• Importing capabilities: include report or print files, PDF files and EBCDIC;

• Volume of data: the limitation in volume is related to the operating system, not the software;

• Sampling: beyond the identification of odd patterns, the software can randomly select a sample of the file whose size is statistically defined according to the auditor's needs;

• Audit trail: analyses are documented and can be reviewed in text or visual format (see Figure 2);

• Specific tools: e.g. gap detection, Benford's law application.

Nevertheless, these packages have their own costs: licence (about € 2,500), annual support (about € 500) and training. It is up to each department to balance the benefits against the costs of the set-up it would choose (number and type of licences, staff trained, etc.).

Conclusion

The efficiency and relevance of data analysis, as required within audit engagements, are enhanced by following a systematic approach (see the process steps above).

Software dedicated to audit work reduces the time spent on data analysis and supports the audit requirements. Key advantages are: user interface, protection of data integrity, importing capabilities, volume of data handled, sampling, audit trail and availability of specific tools. These advantages need to be balanced against the costs involved (purchase, maintenance and training).

Data analysis is an area where method, experience, common sense and creativity meet. With professional tools, data analysis can become an exciting part of an audit engagement, where auditors will realise that the key constraint on executing more testing is the time they have available, not their skills or their tools.



Figure 1: Comparison of generic and dedicated audit software

Figure 2: Visual display of audit trail (CaseWare IDEA)

 


Comparison matrix (Figure 1), read for each criterion as MS Excel / MS Access / dedicated software (IDEA or ACL):

Product at a glance
- MS Excel: spreadsheet application; widely used, but with various levels of expertise.
- MS Access: relational database system; developing applications in MS Access requires proper training.
- Dedicated software: data access and analysis application created for auditors; appears as spreadsheet software. Rather intuitive; usually 3 days of training for ACL, 2 days for IDEA.

Cost estimates
- MS Excel: part of MS Office.
- MS Access: part of MS Office Pro.
- Dedicated software: estimates should be requested from suppliers. A single licence costs around € 2,500; annual maintenance around € 500; plus training.

Import capabilities
- MS Excel: most formats accepted, but not EBCDIC or report files.
- MS Access: most formats accepted, but not EBCDIC or report files.
- Dedicated software: most formats accepted, including EBCDIC and report files (TXT or PDF). Import templates are stored and easy to reuse.

Volume of data
- MS Excel: tasks are performed in RAM and require a lot of resources once the number of rows exceeds 30,000.
- MS Access: single table size limited to 1 GB; overall database size limited to 2 GB.
- Dedicated software: no limit in the software, up to the limits of the operating system.

Data integrity
- MS Excel: not ensured; source data are editable.
- MS Access: not ensured; source data are editable.
- Dedicated software: ensured; source data are protected and not editable.

Using multiple tables
- MS Excel: not designed for it.
- MS Access: yes (joins, appends).
- Dedicated software: yes (joins, appends, compares).

Calculation / use of functions
- MS Excel: calculations and functions are developed in one cell and must then be copied and pasted into all cells; the risk of error in the process is significant.
- MS Access: calculations and functions are used in queries, forms and reports; the process is secured but requires Access programming skills.
- Dedicated software: calculations and functions are created in a new column of the sheet itself, once and for all records of the table; very easy and secured.

Quick data overview
- MS Excel: none.
- MS Access: none.
- Dedicated software: statistics of tables available at a glance.

Sampling
- MS Excel: no specific tool.
- MS Access: no specific tool.
- Dedicated software: yes, using several different sampling methods.

Specific tools (directly available)
- MS Excel: duplicates, yes.
- MS Access: duplicates, yes.
- Dedicated software: duplicates, gaps in series and stratification, yes.

Fraud detection
- MS Excel: no specific tool.
- MS Access: no specific tool.
- Dedicated software: tool for Benford's law.

Audit trail
- MS Excel: no.
- MS Access: no.
- Dedicated software: yes. E.g. CaseWare IDEA keeps track of all actions performed; the information can be viewed as text or as a diagram (see Figure 2). The history can be retrieved in Visual Basic and included in scripts and macros.


Introduction

1. The context

Internal audit has evolved a lot over the last decade, and the profession is more and more demanding in terms of technical and behavioral skills.

Now, more than ever, the internal audit profession requires innovative thinkers who are ready to meet challenges, explore new technologies, identify and help to mitigate risks and develop creative solutions in today's global business environment. In other words, organizations need internal auditors who have the traits of a statistician combined with the personality of a politician.

Moreover, internal audit is now recognized as one of the four cornerstones of corporate governance, along with the Board of Directors, executive management and the external auditors. Therefore, internal auditors must keep their technical and behavioral skills at the highest level in order to fulfill their independent and objective role adequately.

2. The objectives

IIA Belgium wants to help its members define the skills and competencies required to operate at a particular level. In parallel, we have defined the "standard" tasks that internal audit practitioners perform at the different levels of the organization. Although each organization has its specificities, and the size of the internal audit department may affect the organization of the service, we have tried to set up guidelines to assist in:
• supporting the education program,
• defining the profile for hiring,
• writing the job descriptions.

Competency Framework & Tasks for internal auditors

(1) IIA Belgium is aware that the IIA currently uses a ranking scale reduced, for the sake of simplification, to two levels (awareness, proficiency).

(2) Common Body of Knowledge: global survey conducted by the IIA Research Foundation in 2007. The results have been published: CBOK: Global Results, IIA Research Foundation, 2008.

The Competency Framework & Tasks brochure

1. Definitions

We have defined three levels of internal audit practitioners:
• New internal auditor: a new entrant to internal audit.
• Experienced internal auditor: an auditor experienced either by training or by experience.
• Internal audit manager: somebody responsible for the management of an internal audit service.

The skills required have been divided into three categories:
• Internal audit tools, techniques and methodology: knowledge required about the internal audit process.
• Knowledge areas: information needed to perform specific audits.
• Behavioral skills: soft skills to interact with others effectively.

Each competency has been ranked on the following scale (1): 1: display awareness; 2: demonstrate understanding; 3: master the understanding in any situation (routine and complex).

2. Sources

The competency framework proposed is based on different approaches and methodologies. Different IIA chapters around the world have carried out the exercise, IIA Global has published a competency model based on the last CBOK survey (2), and finally we have collected the models from different organizations in Belgium. The document published is a compilation of these sources, aiming to be general enough for all organization types.

3. Competency framework

We invite you to consult the complete competency framework on the IIABel website. The following extract will however give you a flavour of its content:

Extract of the competency framework. Levels are given as new internal auditor / experienced internal auditor / internal audit manager, on the scale 1 (display awareness), 2 (demonstrate understanding), 3 (master the understanding in any situation, routine and complex).

Internal auditing tools, techniques and methodology

1. Theory
- Thorough knowledge of IIA Standards: 2 / 3 / 3
- Thorough knowledge of the IIA Code of Ethics: 3 / 3 / 3

2. Methodology
- Knowledge of the theories of internal control: understand the characteristics and usage of the IC frameworks: 2 / 3 / 3
- Knowledge of the theories of risk management: understand ERM methods and processes: 2 / 3 / 3
- Knowledge of COBIT for IT audit: 2 / 3 / 3

3. Tools and techniques
- Understanding and use of statistical methods (regression, ...): 2 / 3 / 2
- Ability to set up interview questionnaires and surveys: 2 / 3 / 3
- Ability to assess application techniques: 2 / 3 / 3

Knowledge areas

1. Business
- Knowledge of regulatory impacts and economics affecting the business: 1 / 2 / 3
- Understanding of the company's culture: 1 / 2 / 3

2. Finance and managerial accounting
- Understanding of financial accounting practices: 2 / 3 / 3
- Knowledge of the structure of the various statements, their terminology and relationships: 2 / 3 / 3


3. Governance
- Understanding of governance frameworks, their application and implementation: 1 / 2 / 3

4. Fraud
- Understanding of fraud concepts, definition and applicability: 2 / 3 / 3
- Understanding of business ethics concepts: 1 / 2 / 3

5. IT
- Understanding of information systems operations and management: 2 / 3 / 3
- Understanding of IT governance concepts: 1 / 2 / 3

Behavioral skills

1. Operational
- Ability to delegate: 1 / 2 / 3
- Having analytical skills: 1 / 2 / 3
- Ability to create a team spirit: 1 / 2 / 3

2. Communication
- Demonstrate competency in written skills: 1 / 2 / 3
- Ability to manage an interview: 2 / 2 / 3

Levels are given as new internal auditor / experienced internal auditor / internal audit manager. Scale: 1: display awareness; 2: demonstrate understanding; 3: master the understanding in any situation (routine and complex).

4. Tasks

The detailed task descriptions are also available on the IIABel website. These tasks may be summarized in the following main activities for the three levels of internal audit practitioners:

New internal auditor
• Assist
• Observe the organization's attitude to risks and controls
• Contribute to internal audit assignments (contribution to risk management, control systems and governance improvements)
• Observe the on-going assurance on risk, control and governance
• Training and professional development

Experienced internal auditor
• Perform research
• Perform internal audit assignments (contribution to risk management, internal control systems and governance improvements)
• Understand organizational risk
• Contribute to on-going assurance on risk, internal control and governance
• Understand the organization's attitude to internal control
• Contribute to process management of the Internal Audit Department
• Understand the organization's attitude to governance
• Training and professional development
• Contribute to Internal Audit function management

Internal audit manager
• Research management
• Contribute to risk management, internal control systems and governance improvements
• Perform organizational understanding about risk
• Contribute to on-going assurance on risk, internal control and governance
• Training and professional development
• Perform review of the organization's attitude to internal control
• Collaborate in process management of the Internal Audit Department
• Contribute to Internal Audit function management
• Collaborate with the Board and the Audit Committee

The entire Competency Framework & Tasks brochure is available on the IIABel website under the tab "The profession > IIABel guidance > Other publications" or by copying the following address into your browser: http://www.iiabel.be/uploads/Documents/m2%20iiABel%20guidance/competency_model.pdf


Anti-corruption policies under scrutiny

By Cécile Louchard and Evert-Jan Lammers (1)

After the Belgian anti-corruption law came into effect in 1999, there has been zero criminal sanctioning of commercial organizations under this law (2). So why should Belgian companies bother reinforcing their anti-corruption policies? Well, there are many good reasons, and in 2011 two more will be added to that list: the new UK Bribery Act and the Transparency International Framework for Voluntary Independent Assurance of Corporate Anti-Bribery Programmes. The authors of this article are both experienced forensic auditors with specific expertise in the domain of anti-corruption policies. In their opinion these new developments will have a significant impact on Belgian companies and their senior management. The authors first explain why this topic should be put high on the corporate agenda; they then present the key features of an effective anti-corruption policy.

Business case

There are many reasons to call for strong anti-bribery policies in international companies, the basic one being that corruption is the single greatest obstacle to economic and social development around the world and that it undermines the rule of law (3).

Companies are subject to extortion and some play a role in paying bribes. They are part of the problem and can also be part of the solution. How to break the vicious circle "no corruption without business, but no business without corruption"?

In order to answer that question, let's go straight to the business case for an effective anti-corruption programme in commercial organizations (4). It can be analyzed as follows:

Individual company action

Benefits of engaging (+):
• Reduce the cost of doing business
• Attract investments from ethically oriented investors
• Attract and retain highly principled employees, improving employee morale
• Obtain a competitive advantage by becoming the preferred choice of ethically concerned customers/consumers
• Qualify for reduced legal sanctions in jurisdictions like the US and Italy

Risks of not engaging (-):
• Criminal prosecution, in some jurisdictions both at company and senior management levels, which can lead to imprisonment, unlimited fines and debarment from government contracts
• Exclusion from bidding processes, for example by export credit agencies
• "Casino risk": no legal remedies if a counterpart does not deliver as agreed and/or keeps increasing the price for doing so
• Damage to reputation, brand and share price
• Tougher fight for talent when hiring new employees
• Regulatory censure
• Cost of corrective action and possible fines

Collective action by business

Benefits of engaging (+):
• Create a "level playing field", overcoming the "prisoner's dilemma" (5)
• Improve public trust in business
• Influence future laws and regulation

Risks of not engaging (-):
• Missed business opportunities in distorted markets
• Increased magnitude of corruption
• Policy-makers responding by adopting tougher and more rigid laws and regulations, internationally, regionally and nationally

Table 1: Business case for an effective anti-corruption programme

Not convinced yet? Let's take a closer look at the following new developments that will further increase the pressure on companies:
• the new UK Bribery Act;
• independent assurance of corporate anti-bribery programmes.

New UK Bribery Act

The new UK Bribery Act (6) is expected to become effective in 2011, possibly before the summer. It is the most comprehensive piece of anti-corruption legislation in the developed world at the moment, and much broader than the US Foreign Corrupt Practices Act (FCPA). It catches not just giving bribes but also receiving or asking for bribes. It hits companies inside and outside the UK, including in Belgium. Corporate hospitality programmes may be in danger. Aggressive enforcement is expected, not only against companies incorporated in the UK but, for the purpose of a level playing field, also against their foreign subsidiaries and agents.

Key provisions of the Act:
1. Under the Act it is unlawful to:
   • pay or receive a bribe, including a wide definition of gifts, sponsoring and "corporate hospitality";
   • bribe a foreign official;
   • fail to prevent bribery (no "adequate procedures" in place).
2. Location of the bribe: anywhere in the world.
3. Facilitating payments are not allowed.

Penalties:
1. Legal entities: unlimited fines, 10 years' debarment from government contracts.
2. Individuals: unlimited fines, prison up to 10 years.

Applies to:
1. Any person, if committed in the UK.
2. British citizens/residents, if committed outside the UK.
3. Companies incorporated in the UK.
4. Group companies and "agents" outside the UK.

Table 2: Key features of the new UK Bribery Act

For someone to fall within the Act's purview, they must either have committed a crime inside the UK or have acted outside the UK in a way which would have constituted a crime had it happened in the UK. The person (legal person or individual) outside the UK must have a "close connection" to the UK person, for example a group company or an "agent". An "agent" can be any business partner of the UK person. This is generally considered a true Pandora's box for foreign companies, including Belgian companies. Small and medium-sized companies will be more at risk than US subsidiaries that have been living with the FCPA for many years.


The UK Bribery Act 2010 creates a corporate offence of failing to have "adequate procedures" in place to prevent bribery. The key principles of "adequate procedures" are:

• Top-level commitment
• Due diligence
• Clear, practical and accessible policies and procedures
• Effective implementation
• Monitoring and review

Table 3: Key principles of "adequate procedures"

The key attention points of "adequate procedures" are:

1. Tone from the top
2. Human resources
3. Risk assessment
4. Policies and procedures
5. Facilitation payments
6. Gifts, hospitality and expenses
7. Political contributions, charitable contributions and sponsorships
8. Operational functions
9. Training
10. Complaints channels and advice lines
11. Internal communication
12. External communication
13. Support functions
14. Collective action
15. Internal controls
16. Accurate books and records
17. Dealing with incidents
18. Business relationships policies
19. Subsidiaries
20. Significant investments
21. Agents and other intermediaries
22. Contractors and suppliers
23. Monitoring and review

Table 4: Key attention points of "adequate procedures"

The UK government will shortly issue guidance regarding "adequate procedures". Companies should analyze it carefully.

Independent assurance of anti-bribery programmes

In 2011, Transparency International will launch the Framework for Voluntary Independent Assurance of Corporate Anti-Bribery Programmes (7). The purpose of this framework is to encourage the use of independent assurance as a means to strengthen and lend greater credibility to corporate anti-bribery programmes.

The framework advises entities on the steps to take in preparation for independent assurance. Most importantly, it proposes benchmarks, in the form of control objectives, to be used by entities in designing and evaluating their anti-bribery programmes. These control objectives will also be used as criteria by assurance providers in evaluating and assuring an entity's anti-bribery programme.

We expect that the control objectives of the framework, which are based on the COSO framework, will become generally recognized and accepted as suitable criteria as soon as the early adopters have set the tone.

To reflect the gradual process of implementing anti-bribery programmes, two types of assurance are specified in this framework: Type 1, which provides assurance on the suitability of the design of the anti-bribery controls implemented by an entity at a point in time; and Type 2, which additionally provides assurance on the operating effectiveness of the entity's controls over a specified period.

The framework requires that anti-bribery programmes include:

• Committing to the anti-bribery policy
• Assessing bribery risks
• Designing the anti-bribery programme
• Implementing the controls
• Monitoring continuous improvement
• Internal audits and reviews
• Learning from incidents and violations
• Making the anti-bribery programme public

The anti-bribery assurance includes:

1. Management assertion (comparable to the "in-control statement"):
   • identify and describe the scope of the assertion;
   • refer to the use of this Framework;
   • state that at a specified date the entity has developed and implemented an appropriate range of anti-bribery controls;
   • list the entity's relevant control objectives under this Framework;
   • provide details of significant changes;
   • state confidence in the suitability of these controls;
   • Type 2 assurance: state that these controls have operated effectively.
2. Detailed description of the process for developing controls and their evaluation
3. Control objectives
4. Assurance report

Table 5: Key provisions of anti-bribery assurance

We expect that the early adopters will set the tone, leaving the others no option but to step in. Transparency International (TI) puts more pressure on this development by frequently measuring the level of transparency in corporate reporting on anti-corruption (8). Since independent assurance implies that outside parties (e.g. the Big Four) will be looking over management's shoulder, this will increase the pressure even without an actual threat of prosecution under the new UK Bribery Act.

Implementation

Here we will not give a comprehensive overview of the required steps, but merely draw your attention to a few key elements of the action: the things that can make a difference. Let's pick the following four issues: continuous improvement, incentive systems, cash money and business partners.

Continuous improvement

Let's first agree on the following: on a dangerous road you keep your children's seat belts fastened at all times. In the corporate world it has become clear that annual risk assessments are no longer an option in the key risk areas, and corruption and bribery have become key risk areas for international organizations (commercial, public or social). Having said that, for many organizations the internal monitoring of corruption and bribery risks is a brand new challenge. These organizations must first establish a sound knowledge base: what is corruption, who does it, where do we do it, why, how, how often, which functions are vulnerable, is everyone aware? etc. Organizations that are already familiar with compliance monitoring must ensure that their processes properly focus on corruption and bribery. Here we refer to the key attention points of "adequate procedures" set out in Table 4 above.

Incentive systems

Any compliance process is incomplete without an adequate incentive system. This is particularly important for reducing corruption and bribery, as we apply, most of the time, simple volume-driven incentives such as volume sold, recruits hired or hours performed. Generally speaking, incentive systems need more balance, protecting both the employee and the organization: they must be a mix of performance-based and compliance-based incentives:

For each area: metrics, then how they are assessed.

1. Maintaining the control environment
   Metrics: tone at the top; training; policies implementation; compliance organization and transparency.
   Assessment: corporate audit.

2. Incidents
   Metrics: incidents of new serious cases (systematic failure); adequate sanctions taken; on-time reporting.
   Assessment: compliance, legal; case tracking and evaluation; disciplinary sanctions.


3. Compliance perception survey
   Metrics: employee perception.
   Assessment: survey teams; compliance index; benchmark.

Evaluation: evaluation of each country/business unit/department and decision on the impact of the compliance level on bonuses.

Table 6: Compliance-based incentive system

Cash money

A key condition for reducing bribery is better management of cash money, ranging from limited petty cash to bank accounts and "slush funds".

Improving the controls around bank accounts and cash can be analyzed as follows:

• The corporate treasury centralizes the registration of all bank accounts: central approval; restricted signatories; included in the General Ledger.

• All payments are executed pre-approved or via a central payment system: zero-cash payments policy; regular reconciliations; limits on cash balances.

• Regular review of cash balances: cash recording controls; regular reconciliations; limits on cash balances.

• Centrally maintained master data: data entry/edit controls; independent data review; segregation of duties.

Table 7: Controls around bank accounts and cash

We all know that local payment methods may be "cash-only", but this is not a problem as such. The policies and procedures should force local staff to obtain approval and properly register the payment, in order to generate the management information required for monitoring purposes. Furthermore, the required segregation of duties may be impossible due to the limited size of the local operations. Finally, the cost effectiveness of the required procedures may be a hindrance to implementation, including the complexity (time, cost) of integrated treasury management systems.

Business partners

The organization's responsibility for risks in the supply chain is increasing. The new UK Bribery Act and TI are hammering on this nail regarding bribery. A risk-based due diligence process, instruction and monitoring are the cornerstones of managing corruption risks with business partners.

Monitoring and audit

We will close this article with an illustration of the key issues in monitoring and auditing corporate anti-bribery programmes. For a more comprehensive overview, we refer to our website (9) and to the website of, for example, Transparency International.

Issue 1: Tone at the top

The company issue:
• The company was subject to a worldwide bribery scandal.
• A number of senior managers worldwide had been arrested or were subject to investigation.
• The company was synonymous with good, ethical business practice.

How was this addressed?
• Senior Board members were engaged to deliver the key messages.
• Corporate webcasts and presentations were used to deliver the message, with local replication.
• Senior management were directly engaged in the compliance programme at every level.

What did they find most challenging?
• Obtaining public buy-in from management, particularly in entities that had been subject to investigation.
• Ensuring that leadership was able to communicate and demonstrate that this behaviour would not be tolerated.

How was it tested?
• Feedback was monitored through compliance officers and employee feedback at local level.
• Evidence to support actions was subject to independent review.

(1) Cécile Louchard and Evert-Jan Lammers are partners at TriForensic.
(2) The first criminal sanction against a Belgian commercial company and its directors and senior management is expected soon.
(3) According to the World Bank, corruption is the single greatest obstacle to economic and social development around the world. It distorts markets, stifles economic growth, debases democracy and undermines the rule of law. Estimates show that the cost of corruption equals more than 5% of global GDP (US $2.6 trillion), with over US $1 trillion paid in bribes each year. Corruption adds up to 10% to the total cost of doing business globally, and up to 25% to the cost of procurement contracts in developing countries. Moving business from a country with a low level of corruption to a country with medium or high levels of corruption is found to be equivalent to a 20% tax on foreign business.
(4) Based on "Clean Business is Good Business", a joint publication from the International Chamber of Commerce, Transparency International, United Nations Global Compact and World Economic Forum, 2008, http://www.iccwbo.org/policy/anticorruption/id22638/index.html
(5) The "prisoner's dilemma" demonstrates the necessity for competing parties to break their isolation and communicate their options in order to resolve dilemmas. In corruption: "Who will stop paying bribes first?"
(6) New UK Bribery Act, 2010, http://www.justice.gov.uk/publications/bribery-bill.htm
(7) "Transparency International Framework for Voluntary Independent Assurance of Corporate Anti-Bribery Programmes" (Draft), 2010, http://www.transparency.org/global_priorities/private_sector
(8) "Transparency in Reporting on Anti-Corruption (TRAC)", 2009, http://www.transparency.org/policy_research/surveys_indices/trac
(9) http://www.triforensic.be/en/media-and-publications

Issue 2: Compliance policies

The Company Issue:
• Compliance policies and guidelines were out of date or non-existent in a number of key areas
• A pilot review at a number of entities identified significant gaps and inconsistencies in implementation
• Guidelines were not always complete enough to ensure a proper understanding

How was this addressed?
• The client developed an "implementation kit", a document that guided local compliance officers and management
• At the corporate level, policies were reviewed and updated to address current requirements
• Local entities were required to adapt the policies (empowerment)

What did they find most challenging:
• Developing policies that could be rolled out worldwide and meet local legal and compliance requirements
• Dealing with different languages and the necessity to tailor policies locally

How was it tested?
• All locally adapted policies and guidelines were subject to central review
• Entities had to demonstrate that policies were fully understood locally

Issue 3: Training and communication

The Company Issue:
• The need to develop an awareness of the importance and benefits of good individual & collective compliance
• Making people aware of the Anti-Bribery guidance in the core policies

How was this addressed?
• Functions, territories and Business Units of greater risk were identified and trained sooner
• A full blended programme of communications (posters, articles, briefings) and training (face to face; e-learning)

What did they find most challenging:
• Dealing with the pushback:
  • "This is the reality of how business is done"
  • "Our competitors do this - why shouldn't we?"
  • "It's not the sort of thing our people would do"
• Making it relevant to the nuances of the business
• Ensuring that messages were delivered to a large audience across a global business

How was it tested?
• Feedback monitored from training programmes
• Staff surveys to test embedding and recognition of key messages
• Full database of training attendance kept for reporting to the Regulatory Authorities

Issue 4: Business partners

The Company Issue:
• Client was subject to investigation of suspicious payments relating to a 3rd party
• Bribery & corruption was suspected
• There was insufficient evidence to support the legitimacy of some transactions
• No clear record of the 3rd parties with whom the client should do business

How was this addressed?
• Development of a tool to support a consistent due diligence process for all countries
• Address both the contract and the payment stage with 3rd parties
• Regular review of the risks associated with 3rd parties
• Central log of blacklisted business partners

What did they find most challenging:
• Adopting a consistent approach where 3rd parties were cross-border
• Conflicting situation between the need for proper due diligence and the one of maintaining business with 3rd parties

How was it tested?
• Contract files and logs were required for all 3rd party engagements and subject to review (+ independent testing)

Table 8: Key issues of monitoring and auditing corporate anti-bribery programmes
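As an added example (not code from the article or from TriForensic), the following Python runs the controls of Table 7 (central approval, restricted signatories, accounts in the General Ledger, zero-cash policy, cash-balance limits, segregation of duties) and the third-party controls of issue 4 in Table 8 (due-diligence files, central blacklist) as continuous-audit tests over payment records. The registry, payments, limits and names are all constructed for illustration.

```python
"""Continuous-audit checks over payment records (added example, not the
article's or TriForensic's own code). It encodes the Table 7 controls
(central approval, restricted signatories, accounts in the General Ledger,
zero-cash policy, cash-balance limits, segregation of duties) and the
third-party controls of Table 8, issue 4 (due-diligence files, central
blacklist). Every name, amount and limit below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Payment:
    pid: str
    entity: str                 # local operating entity
    account: str                # paying bank account
    method: str                 # "bank" or "cash"
    amount: float
    payee: str                  # business partner paid
    created_by: str             # who prepared the payment
    approved_by: Optional[str]  # None = no approval registered
    channel: str                # "central" (central payment system) or "local"


@dataclass
class Registry:
    """Central treasury master data, constructed for the example."""
    accounts_in_gl: Set[str]          # bank accounts registered in the General Ledger
    signatories: Dict[str, Set[str]]  # account -> authorised signatories
    cash_limits: Dict[str, float]     # entity -> maximum cash balance
    due_diligence: Set[str]           # third parties with a due-diligence file
    blacklist: Set[str]               # centrally blacklisted business partners


def audit_payments(payments: List[Payment], reg: Registry,
                   cash_balances: Dict[str, float]) -> List[Tuple[str, str]]:
    """Return (record id, finding) pairs; an empty list means no exceptions."""
    findings: List[Tuple[str, str]] = []
    for p in payments:
        # Table 7: every payment is pre-approved or runs through the central system
        if p.channel != "central" and p.approved_by is None:
            findings.append((p.pid, "no pre-approval for locally executed payment"))
        # Segregation of duties: the preparer may not approve their own payment
        if p.approved_by is not None and p.approved_by == p.created_by:
            findings.append((p.pid, "approver equals preparer (segregation of duties)"))
        # Restricted signatories: the approver must be authorised on the account
        if p.approved_by is not None and p.approved_by not in reg.signatories.get(p.account, set()):
            findings.append((p.pid, "approver is not an authorised signatory for account"))
        # Bank accounts are centrally registered and included in the General Ledger
        if p.account not in reg.accounts_in_gl:
            findings.append((p.pid, "payment from account not in General Ledger"))
        # Zero-cash policy: cash is the exception and must be approved and registered
        if p.method == "cash" and p.approved_by is None:
            findings.append((p.pid, "cash payment without registered approval"))
        # Table 8, issue 4: blacklist enforced and a due-diligence file on record
        if p.payee in reg.blacklist:
            findings.append((p.pid, "payee is on the central blacklist"))
        elif p.payee not in reg.due_diligence:
            findings.append((p.pid, "no due-diligence record for payee"))
    # Table 7: limits on cash balances, reviewed per entity
    for entity, balance in cash_balances.items():
        limit = reg.cash_limits.get(entity)
        if limit is None:
            findings.append((entity, "no cash-balance limit defined for entity"))
        elif balance > limit:
            findings.append((entity, f"cash balance {balance} exceeds limit {limit}"))
    return findings


# Constructed sample data: a treasury registry, four payments and period-end cash
REGISTRY = Registry(
    accounts_in_gl={"BE-001", "BE-002"},
    signatories={"BE-001": {"treasurer", "cfo"}, "BE-002": {"treasurer"}},
    cash_limits={"BE": 5000.0, "NG": 2000.0},
    due_diligence={"Acme Logistics", "Delta Customs Agents"},
    blacklist={"Shady Consulting"},
)
PAYMENTS = [
    Payment("P1", "BE", "BE-001", "bank", 12000.0, "Acme Logistics", "clerk1", "treasurer", "central"),
    Payment("P2", "NG", "BE-002", "cash", 800.0, "Delta Customs Agents", "clerk2", None, "local"),
    Payment("P3", "NG", "NG-099", "bank", 3000.0, "Shady Consulting", "clerk2", "clerk2", "local"),
    Payment("P4", "BE", "BE-001", "bank", 500.0, "Unknown Supplier", "clerk1", "clerk3", "central"),
]
CASH_BALANCES = {"BE": 1200.0, "NG": 2600.0, "KE": 300.0}


def run_example() -> List[Tuple[str, str]]:
    """Run the checks over the constructed data (10 findings; P1 is clean)."""
    return audit_payments(PAYMENTS, REGISTRY, CASH_BALANCES)


if __name__ == "__main__":
    for rec, finding in run_example():
        print(f"{rec}: {finding}")
```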


Guidance on the 8th EU Company Law Directive article 41

Press release 21 September 2010

Good risk management and internal control systems help companies go «faster, further and more safely»

In the Compass n°3 of 3rd April, 2010, an article was dedicated to the ISO 31000 norm and to this new vision of risk management. FERMA and ECIIA have tackled the same issue. Here is the output of their reflection.

Businesses should not be afraid of the 8th European Company Law Directive, say two European associations who understand it thoroughly. The systems of control and risk management that it mandates will not act as a brake on entrepreneurial activity but underpin it, if they are effectively embedded in an organisation. This is the message today for boards and audit committees from the Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA), as they launch their joint guidance on the 8th EU Directive for boards and audit committees.

FERMA and ECIIA have produced the guidance because they believe that board members, especially those who sit on the audit committee, will find it useful to have practical and focused advice from practitioners on their duties under Art. 41 of the Directive. This article requires the audit committee to «monitor the effectiveness of the company's internal control, internal audit where applicable, and risk management systems...». As FERMA and ECIIA explain, this seems a rather simple statement, but «what to monitor» and «how to monitor» are considerably more complex. Guidance for boards and audit committees sheds light on the «what» and «how». The guidance:

• gives an overview of the roles and responsibilities for effective risk management and control assurance for the board/audit committee, CEO and senior management, operational management and monitoring and assurance functions;
• clarifies the recommended interaction between internal control, risk management and internal audit;
• suggests good practices for board and audit committee oversight as regards the risk management processes, internal control system and internal auditing function.

Peter den Dekker, President of FERMA, said: «A good risk management system is like management systems on a racing car - they help it to go faster, further and more safely.


«What's new with the 8th EU Company Law Directive is that there is a clear responsibility given to boards of directors and to their audit committees. Senior management is expected to be involved in risk management and risk taking. Directors have to give direction depending on the risk appetite of shareholders.»

Claude Cargou, President of ECIIA, commented: «The duty assigned to the board and its audit committee by Art 41 of the 8th Directive translates the expectations of capital markets for transparent and reliable information on significant current and evolving risks and on the way these risks are managed. «Internal auditing provides objective and independent assurance on the effectiveness of organisation-wide risk and control systems. As such, it becomes one of the cornerstones of good organisational governance, supporting boards and audit committees to effectively assume their fiduciary responsibilities towards the company's stakeholders and the public.»

Paul Taylor, FERMA board member and one of the authors of the guidance, said: «The guidance is practical, focussed and user friendly.»

The guidance is free to any interested organisation or director. FERMA and ECIIA are sending copies to members and stakeholders. It is also available on the associations' websites at http://www.ferma.eu/ and http://www.eciia.eu/.

Notes to journalists

The 8th European Union Company Law Directive on Statutory Audit went into effect in June 2006 and most countries have transposed the Directive into national law by now. Although the Directive is intended for stock exchange listed companies, many smaller companies and other organisations will adopt its principles, and the guidance can help any of them.

Press inquiries:
• for FERMA, Florence Bindelle on +32 (2) 761 94 32 ([email protected]) or Lee Coppack on +44 (0) 208 318 0330 ([email protected])
• for ECIIA, Jean-Pierre Garitte at [email protected]

FERMA: http://www.ferma.eu/ The Federation of European Risk Management Associations (FERMA) brings together 20 national risk management associations of 18 countries. It represents a wide range of business sectors from manufacturing to financial services, charities, health organisations and local government bodies. FERMA's objectives are to support its members by coordinating, enhancing awareness and effective use of risk management, insurance and risk financing in Europe.

ECIIA: http://www.eciia.eu/ The European Confederation of Institutes of Internal Auditing (ECIIA) is the professional representative body of 33 national institutes of internal audit in the wider European area. Its objective is to support the position of internal audit professionals in the European Union and in the ECIIA's member countries and to promote the application of the global Institute of Internal Auditors' standards and code of ethics to all internal audit professionals.

ISO 31000:2009 provides principles and generic guidelines on risk management. ISO 31000:2009 can be used by any public, private or community enterprise, association, group or individual. Therefore, ISO 31000:2009 is not specific to any industry or sector. ISO 31000:2009 can be applied throughout the life of an organization, and to a wide range of activities, including strategies and decisions, operations, processes, functions, projects, products, services and assets. ISO 31000:2009 can be applied to any type of risk, whatever its nature, whether having positive or negative consequences. Although ISO 31000:2009 provides generic guidelines, it is not intended to promote uniformity of risk management across organizations. The design and implementation of risk management plans and frameworks will need to take into account the varying needs of a specific organization, its particular objectives, context, structure, operations, processes, functions, projects, products, services, or assets and specific practices employed. It is intended that ISO 31000:2009 be utilized to harmonize risk management processes in existing and future standards. It provides a common approach in support of standards dealing with specific risks and/or sectors, and does not replace those standards. ISO 31000:2009 is not intended for the purpose of certification.


Marc Vael, Chief Audit Executive at Smals

Introduction

Since I started as an IT auditor more than 15 years ago, Business Continuity Management (or BCM) has always been and still is a concern in many audit reports I either write or read today. High profile disaster events, such as the 1986 Chernobyl nuclear explosion, the 1987 Herald of Free Enterprise boat accident, the 1995 Kobe earthquake, the terrorist attacks of September 11th, 2001, the 2001 Enron fraud scandal, the 2004 Ghislenghien gas explosion, the 2004 Asian tsunami, hurricane Katrina in 2005, the terrorist attacks in London in 2005, the 2008 sub-prime financial crisis and the 2010 massive earthquakes in Haiti and Chile, all these create a higher profile of Business Continuity Management and disaster recovery on board and management agendas in more and more organizations. The case for implementing a corporate strategy to manage the risk of major incidents has always been and will always be compelling. If disaster strikes and an organization cannot recover in a proper and timely way, the consequences could include loss of revenue, loss of customers, deterioration of brand equity and (permanent) loss of shareholder value.

In this article, I want to share my top ten internal audit attention points around bCm.

What internal auditors should know

and has as end result a paper-based technical disaster recovery plan. As a consequence, mission critical services remain vulnerable when:

• customers' expectations of services are increasing and their loyalty is harder to retain.
• integrated supply chains, running just-in-time inventory levels, require up-to-date information availability for all internal and external parties involved.
• investors and regulators demand more pro-active management of risk and corporate governance.
• major incidents can have a direct impact on mission critical processes and the bottom line of any organization.

In a sense, BCM reveals to the internal auditor the culture of the organization and the vision of executive management towards risks and incident handling. As General Eisenhower stated: "When planning for war, I have always found plans to be useless, but planning to be invaluable." Finding out if there is evidence of executive management approval on BCM is an easy task for the internal auditor.

2. Check if the scope of Business Continuity Management is properly defined (in-scope and out-of-scope), including a glossary with BCM definitions and acronyms. Is BCM a comprehensive activity with links to enterprise risk management, IT, information security, facilities, insurance, HRM and other business departments, or is the BCM program solely focused on IT? Is there a BCM glossary with a proper terminology within the organization?

Business Continuity Management has many definitions. I define it here as a business risk management process enabling an organization to build resilient, organization-wide operations in order to minimize disruptions to people, processes, facilities and technology in the event of an unplanned major interruption of operations, safeguarding the interests of its stakeholders, its reputation and its operational activities. A Business Continuity Management strategy is usually translated into a Business Continuity Plan (BCP), which encapsulates for me at a minimum an Incident & Crisis Management Plan (ICMP), a Disaster Recovery Plan (DRP) and a Business Resumption Plan (BRP). The key elements of Business Continuity Management are:

• Pro-active approach: the organization must examine the realistic risks and threats to which it is exposed up front and consider how best to deal with them should a major incident occur.
• Focused on mission critical functions and processes: BCM is not about plans and procedures for the operational things that go wrong. It is concerned with major incidents which have a direct impact on the core activities of the organization. Of course, the top priority in any plan should always go to the protection of people.
• Responding in a planned and rehearsed manner: a business continuity plan should manage the consequences of a major incident by limiting the improvisation of people through planned and rehearsed processes and procedures, thus limiting the consequences of the major incident so that the organization can absorb the impact.
• Clear in terminology: people execute BCM (not machines), thus people should be able to understand the approach, the procedures and each other. This implies a crystal-clear definition of every term and abbreviation used in the BCM approach that could give cause to different interpretations. This will avoid embarrassing situations.

In many organizations, the scope of BCM is still limited to physical or IT Disaster Recovery Plans. While physical and IT disaster recovery plans are still very important, BCM is nowadays concerned with every aspect of an organization's operation, not just IT or facilities. It is not just about recovering from a major incident, such as one caused by fire or flood or the failure of an IT system. It can also be about the collapse of a key supplier or key customer, an industrial dispute which halts critical supplies, loss of a key executive officer, an infectious epidemic, massive fraud, unethical financial operations, environmental pollution, etc.

While a Business Continuity Plan (BCP) refers to the activities required to keep the organization running during a period of interruption of normal operation, a Disaster Recovery Plan (DRP) is the process of rebuilding the operations or infrastructure after the major incident has happened, and a Business Resumption Plan (BRP) is the process of moving all operations back to normal as if the major incident never took place. BCP does not neglect DRP or BRP, but sees them as sub-categories.

Obviously, the BCM scope will impact the scope and objective of a BCM audit. A BCM audit plan should also explicitly state exclusions, if any, and clearly state the scope of the BCM audit. The BCM audit approach should keep in mind that BCM design, development, maintenance, testing and activation are people-driven efforts. The BCM audit approach should be appropriately documented and requirements for external expert input should be identified where appropriate. The internal auditor's BCM review should include:

• Identification: identify potential threats and risks of the business.
• Prevention: prevent or minimize the probability of a major incident.
• Detection: identify the circumstances under which the organization determines entering contingency status.
• Declaration: specify the conditions on which the BCP is activated and identify the person(s) who can activate it.
• Escalation: specify the conditions on which the BCP is escalated and identify the person(s) and order of escalation.
• Containment: specify the immediate action required to contain or minimize the effect of a major incident on customers, suppliers, service providers, stakeholders, employees, assets and the business processes.
• Implementation: specify the list of actions to be followed when the BCP is activated (such as offsite processing, backup recovery and restoration, offsite media and manuals, employee transportation and distribution and providers' contracts).
• Recovery: include the advance planning and preparations necessary to minimize adverse business impact (such as financial loss and reputational damage), facilitate faster recovery and ensure continuity of the mission-critical functions of an organization in the event of a major incident, within business-acceptable timeframes.

3. Identify the real BCM roles and responsibilities. Is there a key contact person at board of directors and at executive management level? In which steering committee is BCM treated? Is this committee representative of all main functions / departments? Is there a person appointed with overall responsibility and authority for managing BCM? Are key executives aware of BCM and of their roles in a major incident? Is BCM included in job specifications and does it rank as a Key Performance Indicator in the annual performance evaluation and appraisal process?

BCM is performed by people. All BCM

Part 2: Business Continuity Management: what internal auditors should know

1. Check executive management support and buy-in regarding BCM. "Has executive management looked carefully at Business Continuity Management from their responsibility point of view?"

The most critical aspect in any BCM approach is a clear involvement and commitment from executive management, as they are accountable (ultimately responsible). The BCM approach approved by executive management should be in line with the business requirements from the different departments. Even though executive managers will agree that their organization must have a solid BCM strategy effectively in place, most of them also want to make sure that such a strategy does not impact their organization's bottom line. As a consequence, BCM approaches lack proper executive management approval and/or budget. If there is a budget and approval available, BCM is many times defined as a pure IT project, which is temporary in nature


RACI Chart

components should have defined roles and responsibilities and identify the critical applications, operating systems, networks, personnel, facilities, data, hardware and time frames needed to assure high availability and system reliability, based on a proper and recent Risk Analysis (RA) and Business Impact Analysis (BIA).

The easiest way for the internal auditor to establish the BCM roles and responsibilities is through the review of a RACI model (Responsible, Accountable, Consulted, Informed). Such a chart consists of two axes: a horizontal axis with functions and a vertical axis with BCM activities from start to finish. The important element to remember is that there can only be one A (Accountable) for each activity. This is easy to review. Reviewing the activities is more difficult in terms of completeness and action-driven definitions. The example below is a RACI for an IT DRP from ISACA COBIT 4.1 (DS4 Ensure continuous service).

Of course, if no such RACI chart exists, then the internal auditor should establish, through interviews with the BCM manager, his/her own interpretation of the BCM RACI chart for the organization. This can motivate the BCM manager to develop and maintain a proper BCM RACI chart.
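The "exactly one A per activity" review described above, as an added example (not code from the article or from ISACA COBIT): it parses a RACI chart with functions on the horizontal axis and activities on the vertical axis, applies the one-Accountable rule, and adds two checks that go beyond the article (at least one R per activity, only R/A/C/I codes allowed). The chart is constructed for illustration and is not the COBIT 4.1 DS4 chart.

```python
"""RACI chart review helper (added example; not from the article or from
ISACA COBIT). It applies the rule stated above, exactly one A (Accountable)
per activity, and adds two checks that go beyond the article: every activity
needs at least one R (Responsible), and cells may only hold R, A, C or I.
The chart below is constructed for illustration and is not the COBIT 4.1 DS4 chart."""
from typing import Dict, List, Tuple

VALID_CODES = {"R", "A", "C", "I"}


def parse_raci(text: str) -> Tuple[List[str], Dict[str, Dict[str, str]]]:
    """Parse a whitespace-separated chart: the first row lists the functions
    (horizontal axis), each further row starts with an activity name (vertical
    axis). '-' marks an empty cell and 'A/R' a cell with two codes."""
    rows = [line.split() for line in text.strip().splitlines() if line.strip()]
    functions = rows[0][1:]
    chart: Dict[str, Dict[str, str]] = {}
    for row in rows[1:]:
        activity, cells = row[0], row[1:]
        if len(cells) != len(functions):
            raise ValueError(f"{activity}: {len(cells)} cells for {len(functions)} functions")
        chart[activity] = dict(zip(functions, cells))
    return functions, chart


def review_raci(chart: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Return {activity: [finding, ...]} for every activity that breaks a rule."""
    findings: Dict[str, List[str]] = {}
    for activity, cells in chart.items():
        problems: List[str] = []
        # Turn each cell into its set of codes ('-' and '/' are separators only)
        codes = {fn: set(cell) - {"-", "/"} for fn, cell in cells.items()}
        for fn, letters in codes.items():
            bad = letters - VALID_CODES
            if bad:
                problems.append(f"{fn}: invalid code {''.join(sorted(bad))}")
        # The article's rule: exactly one Accountable function per activity
        accountable = [fn for fn, letters in codes.items() if "A" in letters]
        if len(accountable) != 1:
            problems.append(f"{len(accountable)} accountable functions (needs exactly one): "
                            f"{', '.join(accountable) or 'none'}")
        # Additional check: somebody has to do the work
        if not any("R" in letters for letters in codes.values()):
            problems.append("no responsible function")
        if problems:
            findings[activity] = problems
    return findings


# Constructed chart for an IT disaster recovery plan (functions across, activities down)
CHART_TEXT = """
activity                     CEO CIO BizExec HeadOps HeadIT Compliance
Define_continuity_framework  I   A   C       C       R      C
Conduct_BIA                  -   A   R       R       C      I
Develop_IT_continuity_plan   -   A   C       I       R      -
Test_IT_continuity_plan      -   C   I       I       A/R    -
Distribute_and_train         -   -   R       R       R      A
Review_plan_after_incident   I   -   C       C       R      R
Off-site_backup_storage      -   A   I       I       A      X
"""


def run_example() -> Dict[str, List[str]]:
    """Review the constructed chart: two activities fail, the other five pass."""
    _, chart = parse_raci(CHART_TEXT)
    return review_raci(chart)


if __name__ == "__main__":
    for activity, problems in run_example().items():
        print(activity, "->", "; ".join(problems))
```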

4. Validate the business continuity risk exposures and the process for eliminating, transferring, accepting or addressing them. Has executive management looked at Business Continuity Management from the risk management point of view? Has a risk analysis and business impact analysis been executed on a regular basis and has executive management endorsed the outcome? Have controls and safeguards been identified, implemented and reviewed to minimize loss related to major incidents?

Organizations should integrate Business Continuity Management with enterprise risk management. The rationale behind this is that BCM is a component of an enterprise risk management program. Such programs should report to the Chief Financial Officer and the Chief Operations Officer, providing visibility with executive management and the board of directors. Through the creation of either a Chief Risk Officer or a risk committee, the risk process' sole intent is to review and manage all relevant risks – financial, compliance, strategic, operational and technical – facing the organization and to determine how best to address them. BCM helps indicate the mission-critical risks that are possible in the organization.

A prerequisite for BCM is the risk assessment, which involves the task of identifying and analyzing the potential vulnerabilities and threats, including their source. Here, the internal auditor focuses attention on reviewing the scope and methodology of the risk assessment conducted by the organization. Risk assessment starts with the valuation of assets, followed by vulnerability analysis and threat analysis. The result of a vulnerability analysis is the identification of relevant threats, and the result of a threat analysis is the identification of relevant vulnerabilities. Focus is maintained on the threats that can exploit existing and potential vulnerabilities. The probability of the threat, the degree of vulnerability and the severity of the impact are combined to conclude the risk assessment. The outcome of the risk assessment elaborates the potential threats and the related anticipated exposure, as well as the contingency and mitigation action required, and concludes with the benefits arising from the covering of risks. Risk assessment, followed by a Business Impact Analysis (BIA), is performed to assess the overall financial exposures and operational effects due to a major incident in business activities.

A BIA is an exercise that determines the impact of losing the support of any resource in the organization and establishes the escalation of that loss over time, identifies the minimum resources needed to recover, and prioritizes the recovery of processes and supporting systems. A BIA identifies and prioritizes the critical business processes and workflow supported by the IT infrastructure, including, but not limited to, a cost-benefit analysis of controls in different major incident scenarios. A BIA helps the internal auditor to determine the qualitative and quantitative impact of a major incident and to prioritize recovery time objectives (RTO) and recovery point objectives (RPO). A BIA review has the following questions:

• What is the exposure to loss from the various risks that can be identified?
• What is the magnitude of physical and operational risk exposure?
• How extensive are the risks relative to loss of productivity, revenue and reputation?
• What can be done to mitigate the risk?
• What are the costs of mitigating the risk?
• What is the cost/benefit of the various mitigation measures that can be implemented?

Both risk analysis and business impact analysis make every BCM unique, since it is tailored to each organization. Also important for the internal auditor to verify is whether both the risk and the business impact analysis have been (recently) updated and whether they are included in the operational procedures of the organization.

5. Check if the BCM approach is truly integrated into business strategies, projects, processes and procedures. Is business continuity something which must be taken into consideration in preparing proposals for new projects or in seeking approval for capital expenditure? Does the approval process insist on this?

BCM generates the review of the inventory of all processes used within an organization. This leads to a better understanding of the organization, which can lead to the improvement and streamlining of processes and potentially even cost reductions. BCM helps, for example, identify the critical storage needs of the organization. IT departments often over-resource storage, and BCM can be invaluable in helping to focus and align IT budgets to business needs. A major success factor for BCM in any organization, and a sign of a mature BCM approach, is the integration of risk and continuity requirements in normal business processes and procedures, such as project initiation documents, business cases, executive dashboards, etc. The main reason is obviously the continuous usage of risk and continuity by all people in the organization, so that it becomes a natural reflex to think about and one of the many operational criteria in the business decision-making process. The internal auditor can review this by looking at approved templates which are actively used in the organization.

6. Check the escalation path from incident to major crisis, including the communication approach. Has executive management validated the escalation path? Which are the criteria to move from incident to crisis? Have controls and safeguards been identified, implemented and reviewed to minimize loss related to major incidents? Does the business continuity plan deal with how to handle the media? Are employees aware of the procedures to be followed for both internal and external communications?

Another key element to review in BCM is the awareness of proper escalation across the organization when an incident happens. Adequate emergency response procedures should be in place, tested and updated (including an incident call tree). Alternative internal and external communication strategies must be identified and media liaison strategies must be in place. Most important in the communication approach is the awareness of all employees of what they must escalate within the organization and what they can and cannot communicate to the outside world. The internal auditor should review whether the people responsible for external communication (with the media) have received proper media training.

7. Check the expectations of the board of directors, executive management, customers, business partners, regulators and employees about Business Continuity Management. Is BCM communicated and understood? Does the organization understand its role? Is BCM installed and monitored? Does the organization accept and fulfill its role? Is BCM effective and efficient? Does the resulting status meet expectations?

People support what they help create and what they understand. This is especially true for BCM. All employees should have a basic understanding of the principles of BCM and its importance to their organization. Employees should also be actively involved in the planning process for their own business unit or department. If executive management is worried that BCM will be seen as another (project) hype that will not keep the interest of employees, then they must make sure that all employees are in some way or another involved in its development. An obvious way to channel the expectations of all relevant stakeholders is documented Service Level Agreements and Operational Level Agreements. Here also the key for the internal auditor is to find out via these agreements exactly who the relevant stakeholders are and how to translate their needs and requirements into the BCM approach of the organization.

8. Check if BCM testing is performed (and on a regular basis). Are business continuity plans exercised regularly? Are these tests realistic? Are the test results documented and used to adapt the BCM approach? Are business continuity plans updated regularly? Are contact details up to date and do plans reflect the current organization structure and responsibilities? Are user department processes taken into account in testing, or is testing limited to recovery of IT hardware and software? Are recovery/restore procedures reviewed and tested regularly? Have user departments been involved in testing BCM? Has a location for a crisis command and control centre been identified? Are arrangements in place to move to alternative sites if required?

As Bcm is enterprise-specific, the Bcm test resources must be competent and have an overall understanding of the business environment, including the organization’s mission, business objectives, relevant business processes, the information requirements for those processes, the strategic value of it and the extent to which such processes are aligned with the overall strategy of the organization. Bcm in place must be periodically tested, reviewed and verified for effectiveness in case of major incidents. this requires an appropriate budget and resource allocation for Bcm testing and maintenance. this should be easy to verify for the internal auditor. of course, Bcm tests should be designed carefully to avoid disruption to ongoing real life business processes. especially recovery/restore procedures are an important part of Bcm testing (and not just backup procedures). i am struck by the number of excuses that people come up with why they do not perform recovery/restore testing. None of them are valid. following key issues around Bcm testing must be addressed such as: •why should it be done? •How should it be done? •who needs to do it? •what needs to be done? •when should it be done? •where should it be done? •what policies, rules and standards

should be followed? •who can change the plan and under

what circumstances? •under what conditions is a major

incident declared “over”?

the internal auditor should consider the following phases of testing: •pre-test—set of actions required to set

the stage for actual test •test—the real action of a test •post-test—the cleanup of activities •post-invocation review—review of

actions following real invocation of the business continuity plan

The internal auditor should ensure that the BCM test addresses at least the following objectives:
• Verifies the completeness and precision of the BCM
• Evaluates the performance of the personnel involved in the BCM
• Appraises the training and awareness of the teams
• Evaluates the appropriate levels of training, including test drills
• Evaluates coordination among BCM teams, DRP teams and external vendors and service providers
• Measures the ability and capacity of the backup site to meet the organization's requirements
• Assesses the retrieval capability of vital records
• Evaluates the state and quantity of equipment and supplies that have been relocated to the recovery site (hot, warm and cold sites) and that have been tested for availability, reliability and maintenance of records
• Measures the overall performance of the operational and processing activity of the organization
• Evaluates the documentation level of the BCM
• Assesses whether executive management has a copy of the BCM at a location where it would be quickly accessible in the event of a major incident
• Assesses the people angle of BCM: evacuation exercises, functional backups, relocation arrangements, communication with next of kin and provision for trauma counseling where necessary
• Evaluates if alternative arrangements have been tested within the past six months
• Assesses if resources and their recovery have been prioritized and communicated to the recovery teams

Review of available documentation should be used appropriately by the internal auditor in gathering, analyzing and interpreting available data. To identify changes to the environment, the internal auditor might consider interviewing HRM personnel and service providers, analyzing spending records and reports, inspecting facilities, reviewing hardware and software asset inventories and using specialized software to analyze technical data. As Eliza Manningham-Buller, Director General of MI5, stated: "I am often asked what single piece of advice I can recommend that would be most helpful to the business community. My answer: a simple but effective business continuity plan that is regularly reviewed and tested."

9. BCM on external parties (sourcing). Do contracts with key suppliers require that these organizations have BCM? Is BCM included in the contracts for all outsourced business functions? Have these plans been reviewed by the organization during the past year? Have tests/exercises with key suppliers been observed or reviewed? Has the role of, and relationship with, public authorities been considered? Has a good working relationship been established with the local emergency services?

The coordination with external service providers and customers must always be fully documented and appropriately communicated within the organization. Any major incident to the business of the service provider can have a direct impact on the organization and its customers. Where the organization has partially or fully outsourced an activity to external service provider(s), the internal auditor should determine if the service provider also has a plan that is in conformance with the plan of the organization. Such a review also verifies that the agreement with the outsourced service provider includes a description of the means, methods, processes and structure accompanying the offer of information and IT services and products, as well as the control of quality. The internal auditor should obtain an understanding of the nature, timing and extent of the outsourced services and establish the controls the service provider has put in place, in its own BCM, to address the business requirements and business continuity of the organization. The internal auditor considers:
• Whether the agreement provides open and unimpeded rights to audit the service provider as considered necessary by the organization, without any additional costs
• Whether the agreement adequately protects the organization in case of a major incident at the service provider
• Whether the agreement provides for continuity of services in the event of a major incident
• The integrity, confidentiality and availability of the organization's data at the service provider
• Whether the organization's personnel are disgruntled over the outsourcing arrangement
• Access control/security administration at the service provider's facilities
• Network controls, change controls and testing at the service provider's facilities
• Violation reporting and follow-up by the service provider

10. Validate the nature and completeness of BCM reports. Are regular reports on business continuity management status, targets and achievements made to executive management and the Board of Directors?

A BCM report should be made by the BCM manager (and his/her team) and should contain observations on the processes, people, facilities and technologies involved in BCM, the risks assumed and how those risks are managed in case of a major incident. The report produced as a result of a BCM review should include aspects such as:
• The scope, objective, period of coverage, methodology followed and assumptions.
• Overall assessment of the solution in terms of key strengths and weaknesses, as well as the likely effects of the weaknesses.
• Recommendations to overcome the significant weaknesses and improve the solution.
• Reasonable assurance on the BCM process and relevant internal controls to ensure that services can be recovered within an acceptable time frame in the event of a disruption. The report should state the conclusions and recommendations, as well as any reservations or qualifications.
• Recommendations regarding how the experience could be used to improve similar future solutions or initiatives.
• Other topics, depending on the scope of the assignment, may be included.

The stakeholders and recipients of the report should be identified, and the report submitted to executive management, the Board of Directors and the audit committee, if deemed relevant. Such reports will help the internal auditor to get an overview of the BCM status as perceived by the BCM manager.

Weaknesses identified in the BCM approach should be brought to the attention of the business process owner and of executive management. When weaknesses identified in BCM are considered significant or material, executive management should be advised to undertake immediate corrective action to strengthen controls and mitigate the associated risks. To follow up on weaknesses identified in the BCM report, the internal auditor may consider reviewing the following documents:
• Incident reports
• Previous BCM examination reports
• BCM follow-up activities
• Audit work papers from previous BCM audits
• Internal and external audit reports
• Internal BCM test reports

BCM recommendations must be based on an objective analysis and interpretation of available data. Appropriate BCM trails must be maintained for the data gathered, the analysis made and the corrective actions recommended. It is also important that the observations and recommendations be validated with the appropriate business process owner and executive management.

CONCLUSION

In today's interconnected economy, organizations are more vulnerable than ever to the possibility of technical difficulties disrupting business. Any major incident, from floods or fire to viruses and cyber-terrorism, can affect the availability, integrity and confidentiality of information that is critical to the business. Customers increasingly expect organizations to be there for them 24x7x365. With the increasing immediate impact of major incidents, the new challenge facing board members and executive management in any organization is delivering continuous information to its employees, partners, suppliers and customers.

More than an organizational survival strategy, BCM is an integral part of an organization's process to responsibly protect the interests of all stakeholders. The internal auditor plays an important role in providing independent oversight in evaluating the process for designing, developing, testing and deploying BCM. As a competent professional, the internal auditor has the responsibility of conducting a proper BCM audit in an organization, ensuring its alignment with the business objectives. The internal auditor's role in auditing BCM is all the more critical as the primary objective of BCM is to protect the organization in the event that all or part of its operations and/or services are rendered unusable and to help the organization recover from the impact of such events.


Marc Vael, CISM, CISA, CISSP, CGEIT, ITIL Service Manager, is Chief Audit Executive at Smals, a Belgian IT services organization with more than 1.800 employees located in Brussels, working primarily for social security governmental institutions in Belgium. He has been and still is involved in numerous business continuity and disaster recovery deployment projects and audits. Marc is an active board member of the ISACA Belgium Chapter, responsible for certifications. Marc is also an executive professor at AMS, Solvay Brussels School and Vlerick Leuven Gent Management School. In his spare time, Marc runs marathons.


1 This article is an update of 3 articles we published in the newspaper Tageblatt.

THE CONTEXT

First, a bit of history. The SNCB has been continuously transforming itself, in particular since the promulgation of the law of 21/03/1991 reforming certain public economic enterprises. "Internal Audit" was then created as a body supporting General Management, with a purpose oriented towards the centralized control of procurements/contracts.

The first audit committee was established on 28/05/1999. Internal Audit then evolved into a "true" internal audit service in the sense of the IIA's professional standards, and retained within it the distinct activities of "centralized control of procurements/contracts" and the "control committee" for internal administrative investigations.

Internal Audit proper then began a process of transformation and learning. These new activities started on the basis of a methodology that, apart from the IIA standards, amounted to little more than a "blank sheet".

Most of the new staff were recruited from outside the SNCB and trained for the internal audit profession by following an intensive "master"-type programme (UCL-IAG, UAMS, ...) or by embarking on the CIA, with the aim of developing the necessary competencies.

Internal Audit H-AI works for the whole SNCB Group, that is, not only for SNCB Holding but also for Infrabel and SNCB, in close collaboration with their respective Internal Audit functions (I-AI and B-AI).

THE MAIN CHALLENGES: WHY A QUALITY APPROACH?

Very quickly, it was a matter of earning, deserving and preserving the credibility of the internal audit service. We therefore had to create the foundations of legitimacy and trust (a solid organization, the ability to keep promises, reliable processes, ...) to ensure the sustainability of our activity. From there, it was important to develop our professionalism and to formalize our processes for planning and carrying out audit assignments, as well as the detailed working methodologies. An explicit objective was also to produce a "common language", a "common vision". The very first audit assignments carried out clearly highlighted the need to reduce the variability of our audit processes.

QUALITY JOURNEY:

A journey rather than a destination

Tommaso Capurso, Head of Division H-AI.03 "Audit of operations and technical systems", SNCB Holding

François Béfahy, General Manager Internal Audit H-AI, SNCB Holding


The Certified Internal Auditor (CIA) designation connects you with career opportunities that can set you apart from others.

It can all fit together in three easy-to-complete steps:

Make it Easy – with the IIA CIA Learning System

Make it Convenient – with computer-based testing and online registration on www.iiabel.be

Make a Statement – about your professionalism, commitment to quality, and dedication

More information on www.iiabel.be/certifications

CREATE YOUR PATH TO CIA SUCCESS!

The IIA's CIA Learning System includes everything you need to prepare for the Certified Internal Auditor (CIA) exam. This preparation program was developed by CIA-certified subject-matter experts and is aligned with the 2009 International Professional Practices Framework (IPPF). The kit is available at the IIABEL office.

Why wait? For more information contact us at [email protected]


Helping to "create added value" for our clients was not an obvious concept. The road ahead of us was long and arduous and could be summarized in the diagram opposite.

Our motivations for mastering our activities showed an obvious correlation with the principles of a well-understood quality approach, and in particular with the 8 principles of the ISO 9001 standard (customer focus, continual improvement, process approach, system approach to management, mutually beneficial relationships, ...). Taking the path of ISO 9001 certification, when all we had was a blank sheet (or a slightly grey one), was decided as early as October 1999 and became a stimulating and unifying project. The targeted certification was not considered an end in itself, but was to be "the cherry on the cake" of an effort to lay out our activities in full in order to prepare as well as possible for the challenges of the profession.

BENCHMARKING: EVALUATION OF BEST PRACTICES AND STIMULUS FOR IMPROVING MATURITY

We wanted to reinforce our approach with the best practices of the time.

To this end, the article "Ten quality challenges for internal auditors" by J. Ridley (Internal Auditing & Business Risk, 09/1999, IIA-UK) was a real encouragement.

The experience of the Internal Audit function of the French "La Poste", certified since 16/06/1999 (ISO 9000, 1994 version) (cf. D. Bretin, "Audit" review of IFACI, no. 147, December 1999), allowed us to refine the benefits of a quality approach. For example, in terms of communication, the "quality" concept sells better than "internal control" and is complementary to it. Moreover, "quality" credibility could facilitate the adoption of the recommendations put forward in audit reports.

The experience of Electrabel, the first internal audit function certified in the Benelux, as early as 1997, also served as inspiration, in particular for its dynamic approach (CoCo model) combined with the pragmatism of a "process" approach (cf. G. Collin, "The Institute of Internal Auditors Benelux" review, November 1997).

COMPLEMENTARITY OF THE ISO 9001 STANDARD AND THE IIA BODY OF STANDARDS

No confusing the two frameworks! The ISO 9001 standard is a framework of good practice in quality management. Now quality is, notably, "compliance with requirements" (P. Crosby's definition, "Quality without tears"), and the requirements of the profession are distinctly specified in the IIA's body of standards.

Consequently, an essential action was to identify the fundamental requirements of the two frameworks and their correspondences.

A clear correlation between the 37 requirements of the two frameworks thus emerged, justifying their good synergy and the reasonable return on the investment of the double reflection.

THE STEPS OF CERTIFICATION

The steps followed are fairly classic:
• 10/1999: start of the project and setting up of the "Quality Team" (4 staff members and 1 external adviser)
• 2000: description of the processes for carrying out an audit assignment according to the IIA standards; quality policy and objectives; communication to all staff; actions to comply with the ISO 9001 standard; structure of the quality manual; list, numbering and "layout" of documents
• 2001: production and internal approval of documents; progressive implementation and evaluation; training
• 04-05/2002: "dry-run" certification and lessons learned
• 07/2002: obtaining the first ISO 9001:2000 certification
• Every 3 years an external re-certification audit (2005 and 2008) and every year an external surveillance audit. Given the revision of the ISO standards, the 2008 certification was obtained under the updated designation "ISO 9001:2008".

A PROCESS VIEW RATHER THAN PROCEDURES

A "trap" we did not want to fall into was excessive formalism: procedures, work instructions, forms... A careful reading of the ISO 9001 standard of the time showed that the word "process" appeared in it 71 times; the word "procedure", 25 times. Moreover, the ISO standard required only 6 mandatory procedures. So that the internal auditor could easily find his way, the philosophy for building the quality management system was obvious: Ariadne's thread. What does this mean? The chosen path was to model the audit processes graphically, structuring them on the basis of the IIA's detailed standards. Then a few hyperlinks, a few clicks, and the job is done!


AN UNCOMPROMISING RISK ANALYSIS OF THE OPERATION OF THE INTERNAL AUDIT SERVICE, AS THE BASIS OF A CONTINUOUS QUALITY IMPROVEMENT PLAN

Finally, the most strategic reflection was to carry out a risk analysis of our own audit processes. These were broken down into 57 main activities, on which a risk self-assessment was conducted in a small team, which devoted about a hundred hours to it. For the record, the method used during this "self assessment" exercise was AMDEC (Analyse des Modes de Défaillances, de leurs Effets et de leurs Criticités, i.e. Failure Modes, Effects and Criticality Analysis). The (residual) risk is expressed by the "RPN" (Risk Priority Number), which is the product of 3 factors ("Severity", "Probability" and "Non-detection"), and this for each of the 117 failure modes identified. An ordinal ("pseudo-quantitative") evaluation was carried out, each factor being rated on a standardized scale from 1 to 10.

Two major results deserve to be shared here:
1) A fine causal analysis of potential dysfunctions, inspired by the method of Prof. K. Ishikawa ("fishbone diagram"). The classic "5 Ms" (manpower, methods, milieu, means and equipment, materials) were examined. We added the "measurement" component, knowing that one can only improve if one takes the trouble to measure performance (e.g. satisfaction rate of clients/auditees, rate of recommendations accepted and/or implemented, ...).

2) An identification of the distribution of risks across all the audit processes (essentially according to IIA Standards 2200 to 2600). The question we then asked ourselves was: how to prioritize the actions to be taken to develop and maintain our quality management system, and how to allocate our efforts and limited resources intelligently?

The AMDEC risk analysis provided the desired distribution of risks.

Clearly, the key to success lies in the preparation phase (planning, preliminary survey). In other words, we rediscovered the meaning of the popular saying: "a problem well stated is already half solved"!

QUALITY MANAGEMENT AND LEARNING

During the start-up and initial learning phase of the service, experience-sharing platforms were regularly organized internally on the tools and methods employed. The elements of the quality management system were progressively formalized and put into production. Feedback from "use" (the second classic definition of quality is "fit for purpose", J. Juran) made it possible to evolve them continuously, and even to simplify them, so that the machinery would be as "lean" and effective as possible. These elements constitute the "red thread" of Internal Audit in its march towards ever more quality. This red thread - the Ariadne's thread mentioned above - is an "ergonomic" tool allowing new internal auditors to familiarize themselves with audit practices, to learn the IIA standards almost without realizing it and to become operational quickly.

To stimulate this quest for the grail, it was important to identify and put in place motivating quality objectives and the associated "KPIs", inducing the right behaviours on several fronts:
• client satisfaction
• optimization of the audit processes
• development of competencies
• cost control
To do this, an extensive analysis of performance indicators was carried out and formalized in the form of a "balanced scorecard". In practice, about half a dozen objectives are monitored each year.

A meeting of the Quality Team takes place roughly every two months. Topics addressed include the achievement of the quality objectives; follow-up of the implementation of corrective actions, preventive actions and improvement opportunities; internal and external quality audit reports; ...

The planning of measurement and monitoring activities is carried out during these Quality Team meetings as well as during the annual management review.

In order to manage quality, it is important to compare oneself with the best practices of the profession. To this end, several convergent initiatives deserve mention, for example:
• A systematic debriefing (internal review) evaluating the execution of the assignment (conduct of the assignment, improvement opportunities, quality of communication, new audit techniques, added value, ...)


• Participation in a "GAIN" (Global Audit Information Network) benchmarking. Internal Audit took part twice, at the initiative of IIA Belgium, which offered this service to its members
• Active participation in round tables in the internal audit world. Such sessions exist in the railway sector (Internal Audit H-AI has taken part for about ten years and organized the most recent one, in April 2010 in Brussels) and also, for example, in the postal sector
• The QAR approach (provided for by Standard 1312), which includes evaluation criteria for good practices. To date, a detailed internal self-assessment (prior to a possible independent external review) has been carried out.

CONCLUSIONS: IN THE SERVICE OF ADDED VALUE

Added value results from the interaction between internal audit and its clients. It rests on the clients' perception of the service provided to them. And yet, in retrospect, agreeing to measure the satisfaction of our clients was not a self-evident attitude. Although it was in fact implemented nearly three years after the first certification, after the natural initial apprehensions it constituted a key element for the continuous improvement of our processes and our performance. Currently, the members of the Audit Committees and of senior management are invited at year-end to express their opinion on the audit assignments carried out during the year:

• clarity of the reports, relevance of the objectives, findings and recommendations

• added value in improving the governance, risk management and internal control processes

The operational managers concerned are also asked, after each audit assignment, to complete a questionnaire on how the assignment went:

• contacts with the Internal Audit service, competence and professional conscientiousness of the auditors
• relevance of the findings and recommendations, usefulness for the management of the entity

Finally, is ISO 9001 constraining for Internal Audit?

Not at all! What matters above all is the philosophy embedded in the principles underlying the standard and the decisive requirements of our own profession (IIA standards).

In conclusion, the work of Internal Audit is today - and increasingly - a "service", which has the specificity of being "co-produced" by the client and Internal Audit, and whose results depend significantly on the commitment of the client/beneficiary of the assignment. In other words, the service is the sum of the sale of a technical competence and the management of a relationship: a real challenge! The quality approach has helped us a great deal to understand its mechanisms and to apply them effectively to the internal audit context. The permanent challenge is for the quality system to remain "alive" within the whole team and for the continuous improvement actions to be pursued. The ISO 9001 certificate must not be just a frame on the wall; it must represent a constant commitment! "The value of a service rests first of all on trust, but does not stop at trust. Once trust is acquired, permanent adaptation to the clients' demands and the ability to anticipate their wishes, to amaze them, are the true paths to amplifying value creation." C. Mayeur ("Management & services", AFNOR).

De coNteXt

Vooreerst wat historische achtergrondinformatie . De NmBs verandert voordurend, vooral sinds de uitvaardiging van de wet van 21/03/1991 betreffende de hervorming van bepaalde economische overheidsbe-drijven. «interne Audit» werd toen opgericht als ondersteuningsor-gaan voor het Directiecomité, met als focus een gecentraliseerde controle op de aanbestedingen/contracten.Het eerste Auditcomité werd opgericht op 28/05/1999. De interne Audit is sindsdien uitgegroeid tot een «echte» interne auditdienst overeenkomstig de professionele normen van het iiA, met een afzon-derlijke afdeling «gecentraliseerde controle van de aanbestedingen/contracten» en een «controlecomité» voor interne administratieve onderzoeken. Dit was de start van een leer- en aanpassingsproces voor de eigenlijke interne Audit.De iiA-standaarden buiten beschouwing gelaten werden deze nieuwe activiteiten feitelijk opgestart van een «blanco blad».Het merendeel van de nieuwe medewerkers was afkomstig van bui-ten de NmBs, en hebben getracht zich het interne audit beroep eigen te maken via het volgen van een intensieve masteropleiding (ucl-iAg, uAms, ..) of door het behalen van het ciA-certificaat. De interne Audit H-Ai werkt voor de volledige NmBs-groep, dus niet alleen voor de NmBs-Holding, maar ook voor infrabel en de NmBs, in nauwe samenwerking met hun respectieve interne Audit (i-Ai en B-Ai).

De BelANgriJKste uitDAgiNg: wAArom eeN KwAlitAtieVe BeNADeriNg?

Al snel moest interne audit actie ondernemen om de nodige ge-loofwaardigheid te verwerven en behouden.. De fundamen-ten van legitimiteit en vertrouwen (door een sterke organisa-tie, de bekwaamheid om beloftes na te komen, betrouwbare processen, ...) moesten worden gecreëerd om het voortbestaan van audit te waarborgen.Zo was het ook belangrijk om ons professionalisme verder te ontwikke-len en om -naast gedetailleerde werkmethoden - ook onze processen voor planning en uitvoering van auditopdrachten te formaliseren. er diende vooral een «gemeenschappelijke taal» en een «gemeens-chappelijke visie» te worden ontwikkeld. De allereerste auditopdrachten hadden duidelijk aangetoond dat we de wisselvalligheden van onze auditprocessen moesten verminderen.«toegevoegde waarde» helpen creëren voor onze klanten was geen evident concept.we hadden nog een lange en moeilijke weg af te leggen, die kon wor-den samengevat aan de hand van het diagram hiernaast.

De redenen voor een goede beheersing van onze activiteiten waren duidelijk verbonden met een goed uitgewerkte kwaliteitsmethode, meer bepaald met de 8 principes van de norm iso9001 (klantge-richtheid, voortdurende verbetering, procesbenadering, kwaliteitsma-nagementsysteem, een wederzijds gunstige relatie, ...).Niettegenstaande we moesten starten van een wit (of ietwat grijs) blad, werd in oktober 1999 beslist dat we moesten streven naar een iso9001-certificering. Dit is inmiddels uitgegroeid tot een stimule-rend en eenheidsbevorderend project. De beoogde certificering werd evenwel niet beschouwd als een doelstelling op zich, maar moest «de kers op de taart» worden van de zelfreflectie die ons moest voorberei-den op de toekomstige uitdagingen van het beroep.

BeNcHmArKiNg: eeN eVAluAtie VAN De “Best prAtices“ eN eeN sti-mulANs Voor VerDere oNtwiKKeliNg

We wanted to supplement our method with the current "best practices". The article "Ten quality challenges for internal auditors" by J. Ridley (Internal Auditing & Business Risk, 09/1999, IIA-UK) was a real encouragement in this respect. The experience of the Internal Audit department of the French postal company, certified since 16/06/1999 (ISO 9000, 1994 version) (cf. D. Bretin, "Audit" magazine of the IFACI, no. 147, December 1999), helped us refine our quality approach. In terms of communication, for example, the concept of "quality" resonates better than "internal control", and is complementary to it. Credibility in the area of "quality" could also ease the acceptance of the recommendations proposed in audit reports. The experience of Electrabel, the first internal audit function to be certified in the Benelux, in 1997, also inspired us, in particular the dynamic approach (CoCo model) combined with the pragmatism of a "process approach" (cf. G. Collin, "The Institute of Internal Auditors Benelux" magazine, November 1997).

COMPLEMENTARITY OF THE ISO 9001 STANDARD AND THE IIA STANDARDS

Both reference systems must, however, be considered separately! The ISO 9001 standard is a reference for good practice in quality management. Quality ultimately stands for "conformance to requirements" (definition by P. Crosby, "Quality without Tears"), and the requirements of our profession are clearly defined in the IIA's body of standards. It was therefore essential to identify the basic requirements of both reference systems and their points of contact.

There proved to be a clear link between the 37 requirements of the two reference systems, so that the investment of a double reflection in both systems yielded sufficient synergy and a good return.

THE CERTIFICATION PHASES

The steps followed are fairly classic:
•10/1999: start of the project and formation of the "Quality team" (4 staff members and 1 external consultant).
•2000: description of the process for performing an audit engagement in accordance with the IIA standards; quality policy and objectives; communication to all staff; conformity with the ISO 9001 standard; structuring of the quality manual; lists, numbering and "lay-out" of the documents.
•2001: production and internal approval of the documents; progressive implementation and assessment; training.
•04-05/2002: trial certification and conclusions.
•07/2002: obtaining the first ISO 9001:2000 certification.
•Every 3 years an external recertification audit follows (2005 and 2008), and every year there is an external surveillance audit. In line with the revision of the ISO standards, the 2008 certification was obtained under the new designation "ISO 9001:2008".

A VISION FOCUSED ON PROCESSES RATHER THAN PROCEDURES

We absolutely did not want to fall into the "trap" of too much formalism: procedures, work instructions, forms, ... A careful reading of the ISO 9001 standard of the time showed that the word "process" appeared 71 times in it and the word "procedure" 25 times. In fact, the ISO standard imposed only 6 mandatory procedures. So that the internal auditor could easily find his way, the philosophy for building the quality management system was laid out: Ariadne's thread. What do we mean by this? We chose to model the audit processes graphically by structuring them on the basis of the extensively described IIA standards. After that, a number of links and a few mouse clicks suffice, and the job is done!

A RIGOROUS RISK ANALYSIS OF THE OPERATION OF THE INTERNAL AUDIT DEPARTMENT AS THE BASIS FOR A CONTINUAL QUALITY IMPROVEMENT PLAN

A risk analysis of our own audit processes ultimately proved to be the most strategic move. These processes were split into 57 main activities, on which a small team carried out a self-assessment of the risks in about a hundred hours. As a reminder, this "self assessment" exercise was carried out using the FMECA method (Failure Mode, Effects and Criticality Analysis). The (residual) risk is expressed by the product "RPN" (Risk Priority Number), which is determined by 3 factors, "severity", "frequency" and "probability of detection", for each of the 117 identified failure modes. For this purpose, a ("pseudo-quantitative") ordinal evaluation was carried out in which each factor was rated on a standardised scale of 1 to 10.

Two of the most important findings are worth mentioning here:
1) a refined causal analysis of the possible problems, following the method of Prof. K. Ishikawa ("fishbone diagram"). The classic "5 M's" (men, methods, milieu, means and equipment, materials) were examined closely. We also added the factor "measurement", aware that one can only improve if performance is measured (e.g. customer satisfaction or the satisfaction of the auditees, the extent to which recommendations were accepted and/or applied, ...).
2) an identification of the distribution of risk across the whole of the audit processes (mainly on the basis of IIA standards 2200 to 2600).
We then asked ourselves how we could set out the necessary actions to adapt and maintain our quality management system, and how we could deploy our efforts and limited resources intelligently.

The FMECA risk analysis provided us with the risk distribution we were looking for.

The key to success clearly lay in the preparation phase (planning, preliminary survey). In other words, we rediscovered the truth of the old saying: "un problème bien posé est déjà à moitié résolu" (a well-posed problem is already half solved)!
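A risk self-assessment of this kind, written out as an added example in Python (this is not the NMBS Internal Audit tool; the failure modes, their mapping to standards 2200 to 2500 and the convention that a higher detection score means poorer detectability are assumptions): each constructed failure mode receives the three 1-to-10 ratings, the RPN is their product, and the totals are then broken down per IIA standard and per Ishikawa cause to obtain the risk distribution the text describes.

```python
"""FMECA-style risk self-assessment of an audit department's own processes.

Added illustration (not the NMBS Internal Audit tool): the failure modes
below are constructed; the 1-10 ordinal scales and the RPN product follow
the method the article describes.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

# Ishikawa's classic 5 M's plus the "measurement" factor the article adds.
CAUSE_CATEGORIES = frozenset(
    {"men", "methods", "milieu", "means", "materials", "measurement"}
)


@dataclass(frozen=True)
class FailureMode:
    activity: str      # one of the main audit activities that were assessed
    standard: str      # IIA standard the activity falls under (2200 .. 2600)
    description: str
    cause: str         # Ishikawa category of the root cause
    severity: int      # 1..10: impact if the failure occurs
    frequency: int     # 1..10: how often it is expected to occur
    detection: int     # 1..10, scored so that a higher value means the failure
                       # is LESS likely to be caught (usual FMECA convention,
                       # assumed here; the article only names the three factors)

    def __post_init__(self) -> None:
        # Reject ratings outside the standardised ordinal scale.
        for name in ("severity", "frequency", "detection"):
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be on the 1-10 scale, got {value}")
        if self.cause not in CAUSE_CATEGORIES:
            raise ValueError(f"unknown cause category {self.cause!r}")

    @property
    def rpn(self) -> int:
        """Risk Priority Number: the product of the three ordinal factors."""
        return self.severity * self.frequency * self.detection


def rank_by_rpn(modes: Iterable[FailureMode]) -> List[FailureMode]:
    """Highest residual risk first; ties keep the input order."""
    return sorted(modes, key=lambda m: m.rpn, reverse=True)


def _share(modes: Iterable[FailureMode],
           key: Callable[[FailureMode], str]) -> Dict[str, float]:
    # Fraction of the total RPN attributable to each group.
    totals: Dict[str, int] = defaultdict(int)
    for m in modes:
        totals[key(m)] += m.rpn
    grand = sum(totals.values())
    return {k: round(v / grand, 3) for k, v in totals.items()}


def risk_distribution(modes: Iterable[FailureMode]) -> Dict[str, float]:
    """Share of total RPN per IIA standard: the 'risk distribution' sought."""
    return _share(modes, lambda m: m.standard)


def cause_distribution(modes: Iterable[FailureMode]) -> Dict[str, float]:
    """Share of total RPN per Ishikawa cause category."""
    return _share(modes, lambda m: m.cause)


def heaviest_standard(modes: Iterable[FailureMode]) -> str:
    """The process area where improvement effort should go first."""
    dist = risk_distribution(modes)
    return max(dist, key=dist.get)


def improvement_candidates(modes: Iterable[FailureMode],
                           threshold: int) -> List[FailureMode]:
    """Failure modes whose RPN reaches the action threshold, highest first."""
    return [m for m in rank_by_rpn(modes) if m.rpn >= threshold]


# Constructed sample: a handful of the kind of failure modes such a
# self-assessment produces, mapped to IIA standards 2200-2500.
SAMPLE: List[FailureMode] = [
    FailureMode("Planning", "2200", "Engagement objectives not aligned with the risk assessment", "methods", 8, 4, 6),
    FailureMode("Preliminary survey", "2200", "Key stakeholder never interviewed", "men", 6, 5, 5),
    FailureMode("Fieldwork", "2300", "Evidence insufficient to support a finding", "methods", 7, 3, 4),
    FailureMode("Fieldwork", "2300", "Working papers not reviewed before reporting", "measurement", 5, 4, 3),
    FailureMode("Reporting", "2400", "Recommendation not actionable", "methods", 6, 3, 2),
    FailureMode("Follow-up", "2500", "Accepted recommendation never verified", "measurement", 7, 4, 5),
    FailureMode("Fieldwork", "2300", "Audit tool licence lapsed mid-engagement", "means", 3, 2, 2),
]

if __name__ == "__main__":
    for m in rank_by_rpn(SAMPLE):
        print(f"{m.rpn:4d}  {m.standard}  {m.activity:<18}  {m.description}")
    print("risk share by standard:", risk_distribution(SAMPLE))
    print("risk share by cause:", cause_distribution(SAMPLE))
    print("focus first on standard", heaviest_standard(SAMPLE))
```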

STEERING QUALITY AND THE LEARNING PROCESS

During the start-up phase and the learning period of the department, internal meetings were held regularly to share experiences with the tools and methods used. The elements of the quality management system were gradually formalised and applied. The "user experiences" (the second classic definition of quality is "fit for purpose", J. Juran) made it possible to let them evolve constantly and even to simplify them, so that the machine became as "lean" and efficient as possible. These elements form the "common thread" of Internal Audit on its way to ever-better quality. This common thread, the Ariadne's thread mentioned above, is an "ergonomic" tool with which new internal auditors can become familiar with audit practices and the IIA standards, learn them almost without being aware of it, and quickly become operational.

To stimulate this quest for the grail, it was important to identify and introduce motivating quality objectives and the associated KPIs, leading to the right attitude in several areas:
•customer satisfaction
•optimisation of the audit processes
•development of competencies
•cost control
To this end, an extensive analysis of the performance indicators was carried out and formalised in the form of a "balanced scorecard". In practice, some six objectives are pursued each year. The Quality team meets roughly every two months. It deals with topics such as the achievement of the quality objectives; the introduction and follow-up of any preventive or corrective actions, or of opportunities for improvement; reports of internal and external quality audits; ... Measurement and monitoring activities are planned during these Quality team meetings and at the annual management review. In order to steer quality, one must measure oneself against the best practices of the profession. A number of initiatives in this direction can be cited, such as:
•a systematic debriefing (internal review) to assess the performance of the engagement (course of the mission, possible improvements, quality of communication, new audit techniques, added value, ...);
•participation in a "GAIN" (Global Audit Information Network) benchmarking. Internal Audit has taken part in this twice, at the initiative of IIA Belgium, which offers this service to its members.
•active participation in round-table discussions within the internal audit world: such sessions exist for the railway sector (Internal Audit H-AI has taken part in them for some ten years and itself organised the latest one in April 2010 in Brussels) and also, for example, for the postal sector.
•carrying out QARs (provided for by Standard 1312) with assessment criteria for good practice. To date, a detailed self-assessment has been carried out internally (prior to a possible external independent review).

CONCLUSIONS: UNDER THE SIGN OF ADDED VALUE

Added value arises from the interaction between internal audit and its customers. It rests on the customers' perception of the performance delivered. In hindsight, the introduction of customer satisfaction measurement turned out not to be so self-evident. Such measurement was carried out from the third year after our first certification and, after the understandable initial hesitations, became an essential element in the continual improvement of our processes and performance. The members of the Audit Committee and senior management are now asked at the end of the year to give their opinion on the audit engagements of the past year:
•the clarity of the reports, the relevance of the objectives, findings and recommendations;
•the added value for the improvement of governance, risk management and internal control.
The operational managers concerned are also asked to complete a questionnaire after each audit engagement on how it went:
•the contacts with the Internal Audit department, the competence and professional diligence of the auditors;
•the relevance of the findings and recommendations, the usefulness for the management of the entity.

Finally, the question: "Is the ISO 9001 standard a burden for Internal Audit?"

Not at all! What counts above all is the philosophy evident in the underlying principles of the standard and the main requirements of our own profession (IIA standards). We can conclude that the performance of Internal Audit today is, and increasingly so, a "service" that is delivered jointly by the customer AND Internal Audit, and whose results depend to a large extent on the commitment of the customer/beneficiary of the mission. In other words: the service is the sum of the sale of a technical competence and the management of a relationship, a real challenge indeed! Applying a quality method has helped us greatly to understand the mechanisms and to apply them effectively within the framework of internal audit. The permanent challenge is for the quality system to remain "alive" within the team and for the continual improvement actions to be pursued. The ISO 9001 certificate should not merely hang neatly framed on the wall; it must represent a continuous commitment! "The value of a service rests first and foremost on trust, but it does not end there. Once trust has been won, the real added value consists in always adapting to the customer's requirements, anticipating their wishes and surprising them." C. Mayeur ("Management & services", AFNOR).


Tommaso Capurso, Head of Division, Internal Audit, SNCB Holding, Vice-President of UFAI for Europe (outside France)
Philip Mariscal, First Auditor, Court of Audit of Belgium, IIA Belgium speaker in Abidjan

(1) The administrative capital is Yamoussoukro.
(2) UFAI has a website: www.ufai.org.
(3) Institut Français de l'Audit et du Contrôle Interne.
(4) Welcomed at the General Assembly of 3 October 2010.

9th International Conference of the UFAI

ABIDJAN: A RECENT AND IMPORTANT EVENT

October 2010, Abidjan, economic capital of Côte d'Ivoire (1). An important event took place at the Palais de la Culture: the 9th International Conference of the UFAI. This event, held every two years, gives us the opportunity to talk about the UFAI.

THE UFAI: WHAT IS IT AND WHAT DOES IT DO?

Getting to know the "Union Francophone de l'Audit Interne" better ...

First of all, Abidjan 2010 was the 9th conference; the other conferences held to date are:

Abidjan (4-5 October 2010)
Paris (13-14 October 2008)
Bamako (October 2006)
Yaoundé (March 2005)
Québec (October 2002)
Paris (October 2000)
Dakar (December 2004)
Casablanca (December 1992)
Tunis (October 1990)

CREATION

The Union Francophone de l'Audit Interne (UFAI) (2) was founded in 1988 on the initiative of IFACI (3). Its mission is to promote and develop the professional practice of internal audit in wholly or partly French-speaking countries by bringing together the internal auditors' associations of those countries.

STATUTES

UFAI has statutes that govern its operation (categories of members, resources, organisation of general assemblies, executive board, ...).

MEMBER COUNTRIES

Members are divided into several groups: full members, associate members and observers.

FULL MEMBERS:

Currently, the full members are: Belgium, Burkina Faso, Burundi (4), Cameroon, Canada (Montreal and Quebec chapters), Congo Brazzaville, Côte d'Ivoire, France, Guinea, Haiti, Lebanon, Luxembourg, Madagascar, Mali, Morocco, the Democratic Republic of the Congo, Senegal, Switzerland and Tunisia.

(5) Diplôme Professionnel de l'Audit Interne.
(6) The full programme and the presentations can be downloaded from the UFAI website.
(7) The Malian press also reported on the rich interview that he was moreover kind enough to give to the publication "L'Auditeur Francophone" in its 5th edition, available on the UFAI website.

ASSOCIATE MEMBER:

Currently, Algeria is an associate member of UFAI.

OBSERVER MEMBERS:

Benin, Gabon, Mauritania, Niger and Togo are observer members of the Union.

THE MISSIONS

UFAI has four major objectives:
•To develop exchanges, contacts and meetings in order to pool everyone's expertise.
•To increase the number of French-language publications, ensuring them wider distribution.
•To help with the training of internal auditors and to promote the DPAI (5) and the CIA in French.
•To help set up internal auditors' associations.

UFAI deploys all the means it considers useful or necessary to achieve its objectives, in particular the sharing of knowledge and experience among its members, for example in the field of methodology. It organises the pooling of research work. It takes part in organising training seminars, symposia, congresses or conferences in French and lends its support to the production and publication of journals, books (original or translated from other languages) and all media suited to the dissemination, in French, of information related to its purpose.

ABIDJAN 2010

Recall that the conference held in Mali (Bamako, 2006) had been an unambiguous success. Likewise, UFAI's 20th anniversary was celebrated in France (Paris, 2008). These last two conferences had particularly left their mark and stimulated the drive to promote the internal audit profession in the French-speaking community. Holding an international UFAI conference in Côte d'Ivoire, decided at the General Assembly in Paris in October 2008, was therefore a real challenge, which IIA Côte d'Ivoire met brilliantly. Several notable events took place in Abidjan, including the General Assembly and the UFAI/IIA Global coordination meeting on 3 October 2010, and the conference itself on 4 and 5 October 2010.

THE GENERAL ASSEMBLY

The General Assembly entrusted Tunisia with organising the next UFAI international conference, in 2012, to be held in Hammamet. The General Assembly also appointed the UFAI executive board for the period 2010-2012, a board that saw a structural change with the creation of an additional post of Vice-President for Africa. The board is now composed as follows:

President: Denis Neukomm (Switzerland)
Vice-President for Europe (outside France): Tommaso Capurso (Belgium)
Vice-President for Sub-Saharan Africa: Octave Goh Bi (Côte d'Ivoire)
Vice-President for North Africa and the Middle East: Zied Boudriga (Tunisia)
Vice-President for the Americas and the Caribbean: Michel Paré (Canada)
Secretary General (founder of UFAI): Louis Vaurs (France)
Treasurer: Christian Van Nedervelde (Luxembourg)

It should be noted that the newly created Institute of Internal Auditors of Togo took part in the UFAI General Assembly for the first time, as an observer. Among the other items discussed at the General Assembly, it is worth noting that, in order to capitalise on the spin-offs of the conference organised in Abidjan and the contacts established with UEMOA (Union Économique et Monétaire Ouest Africaine), a regional conference is planned for early June 2011 in Ouagadougou (Burkina Faso).

THE CONFERENCE ITSELF

The conference received substantial media coverage and attendance was more than significant (around 400 people); many themes were addressed (6). The subjects covered were varied and the presentations of a high level. We note:
•the stakes and challenges of internal audit today (a superb presentation by Louis Vaurs, which we recommend reading)
•good governance and the evolution of internal audit, in private companies as well as in public services
•the contribution of internal audit to risk management
•internal control as the foundation of the internal audit activity
•fraud, corruption and cybercrime
•audit committees
•the contribution of internal audit in a crisis situation (PCA, business continuity plan)
•the contribution of internal audit to the performance of organisations (financial, public or industrial)
•quality reviews
•regulation of the profession
•a number of indispensable fundamentals: the audit plan, the positioning of internal audit, the creation and steering of an internal audit department, the relationship of internal audit with other functions such as the general inspectorate, ...

Worth highlighting: the quite remarkable presentation by Mr Sidi Sosso Diarra, Auditor General of Mali (7).

CLOSING EVENING

During the gala evening of 5 October 2010, closing the conference, the professional recognition awards were presented for each of the 4 "UFAI regions" to: Annie Bressac, Director of Audit and Internal Control of the foundation "Les Apprentis d'Auteuil", for the European continent; Nicole Mendenhall, consultant after many years of experience, notably in management with the Canadian federal government, for North America and the Caribbean; Mohamed Meziane, President of the AACIA (Association des Auditeurs Consultants Internes Algériens), for the Maghreb, including Mauritania and Lebanon; Octave Goh Bi, President of IIA-CI (Institut de l'Audit Interne de la Côte d'Ivoire), for Sub-Saharan Africa.

A PROJECT

In addition, a three-day training course for administrative inspectors of Côte d'Ivoire had been prepared by the authors of this article at the request of IIA-CI and scheduled for 6-7-8 October 2010 ("Conducting an internal audit engagement"). In the context of the presidential elections, it was subsequently envisaged to postpone this training and/or move it to the regional internal audit conference scheduled in Burkina Faso (Ouagadougou, June 2011). In any case, both the written material and the speakers remain at the disposal of UFAI.


International Professional Practices Framework (IPPF) 2011 - The IIA Research Foundation

The Institute of Internal Auditors' (IIA's) International Professional Practices Framework (IPPF) is the authoritative guidance on the internal audit profession. The IPPF presents current, relevant, internationally consistent information that is required by internal audit professionals worldwide.

Measuring Internal Auditing’s Value

Measuring Internal Auditing's Value is one of five deliverables of the IIA's Global Internal Audit Survey: A Component of the CBOK Study. This is the most comprehensive study ever to capture current perspectives and opinions from a large cross-section of practicing internal auditors, internal audit service providers, and academics about the nature and scope of assurance and consulting activities and the profession's status worldwide.

Measuring Internal Audit Effectiveness and Efficiency - The Institute of Internal Auditors


Assessing the Adequacy of Risk Management Using ISO 31000 - The Institute of Internal Auditors

The IIA has released a new practice guide entitled "Assessing the Adequacy of Risk Management Using ISO 31000." The use of enterprise-wide risk management frameworks has expanded as organizations recognize the advantages of coordinated approaches to risk management. The risk management framework must be designed to suit the organization: its internal and external environment.

Auditing Human Resources - The IIA Research Foundation

Human resource (HR) management covers a broad spectrum of workforce activities. Despite its integral role, HR is often considered a "soft" area and management may not understand the inherent risks involved with this function, including employment law issues, compensation and benefit plan design, recordkeeping, and potential fraud issues.

What's Next for Internal Auditing?

What's Next for Internal Auditing? is one of five deliverables of the IIA's Global Internal Audit Survey: A Component of the CBOK Study. This is the most comprehensive study ever to capture current perspectives and opinions from a large cross-section of practicing internal auditors, internal audit service providers, and academics about the nature and scope of assurance and consulting activities and the profession's status worldwide.

Characteristics of an Internal Audit Activity

Characteristics of an Internal Audit Activity is one of five deliverables of the IIA's Global Internal Audit Survey: A Component of the CBOK Study. This is the most comprehensive study ever to capture current perspectives and opinions from a large cross-section of practicing internal auditors, internal audit service providers, and academics about the nature and scope of assurance and consulting activities and the profession's status worldwide.

Effective Sizing of Internal Audit Departments - The IIA Research Foundation

How much of a company's resources should be allocated to the function of internal auditing? It is widely accepted that internal auditing is a key element of internal control, and regulators and stock exchange requirements demand the presence of internal auditing for registered companies. Yet companies often struggle to know whether the investments they make in resource allocations for internal auditing are appropriate and effective.

Core Competencies for Today's Internal Auditor

Core Competencies for Today's Internal Auditor is one of five deliverables of the IIA's Global Internal Audit Survey: A Component of the CBOK Study. This is the most comprehensive study ever to capture current perspectives and opinions from a large cross-section of practicing internal auditors, internal audit service providers, and academics about the nature and scope of assurance and consulting activities and the profession's status worldwide.

New interesting publications: more information on www.theiia.org/bookstore/


IIA BELGIUM EVENTS

19 October 2010, IIA Belgium - Brussels: Certification Celebration event

New Year Cocktail, 26 January 2011 – Hotel Crowne Plaza, Le Palace – Brussels

Thank you for your participation.

IIA CORNER - NEWS FROM GLOBAL

1. REVISIONS TO THE INTERNATIONAL STANDARDS
The IIA's Internal Audit Standards Board (IASB) publicly exposed changes to the International Standards for the Professional Practice of Internal Auditing (International Standards) from February to May 2010. After reviewing and analyzing the responses and comments from the 90-day exposure period, the IASB has now released the final approved revisions to the Standards. Please visit http://www.theiia.org/guidance/standards-and-guidance/ippf/standards/ to view the revised Standards, and the marked-up version in comparison with the Standards released in January 2009. Conformance with the Standards is required and essential for the professional practice of internal auditing.

2. NEW IIA PROGRAM ELIGIBILITY POLICY
The certification program's eligibility policy has changed, requiring candidates to complete the program certification process within four years of application approval. If a candidate has not completed the certification process within four years, all fees and exam parts will be forfeited. Candidates currently enrolled in the program will have until 31 December 2014 to complete the certification.

3. IIA HQ KICKS OFF YEAR-LONG 70TH ANNIVERSARY CELEBRATION
The IIA has played a monumental role in the development of internal auditing and is proud to celebrate seven decades of achievement. Visit the IIA's special 70th anniversary website to read about the history of the organization and those who founded it 70 years ago.

4. COSO RELEASES THOUGHT PAPERS ON ENTERPRISE RISK MANAGEMENT (ERM)
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) – an organization providing thought leadership and guidance on internal controls, enterprise risk management (ERM), and fraud deterrence – is releasing two additional new thought papers relating to ERM aimed at providing guidance to help organizations advance along the ERM maturity curve. "Embracing Enterprise Risk Management: Practical Approaches for Getting Started" describes how an organization can begin implementing an ERM process. It also examines perceived barriers to effective ERM and how to work through those barriers. "Developing Key Risk Indicators to Strengthen Enterprise Risk Management" discusses the importance of developing key risk indicators to be used to monitor emerging risks that might affect the strategic success of the enterprise. Copies of these thought papers and other resources can be downloaded free from www.coso.org.

 

News from IIA Belgium

CSO VACANCY AND NEW ADMINISTRATIVE SUPPORT

Pascale Vandenbussche, Chief Supporting Officer, left IIA Belgium at the end of October 2010. IIA Belgium is still looking for a new CSO. A job offer is published on the IIABel website.

Delphine Gorloo, responsible for certifications and events, left IIA Belgium as of 1 March 2011. She is replaced by Jelena Zivkovic, who joined IIA Belgium on 4 April. We wish Jelena all the best in her new job.

UPCOMING EVENTS & TRAININGS

MAY - TRAININGS
2 - 3 Quality Assessment of an audit activity
9 - 13 Introduction to the practical operation of internal audit
23 - 25 Introduction to general accounting basics
26 - 27 Introduction to Financial Audit
30 - 31 IT Risks workshop

JUNE - TRAININGS
6 - 9 Introduction to internal audit - public sector
15 - 17 Integrated audit of automated business processes
20 IT Governance Introduction
21 - 22 Using Control Self Assessment
23 - 24 Information Security Audit
27 - 28 Auditing the contracting process
29 The Insurance Activity - an introduction for auditors

SEPTEMBER - TRAININGS
5 - 6 Preparing and drafting an audit report
7 - 8 Leadership skills for auditors
13 Improve Audit Efficiency with Project Management and CAATTs
15 - 16 Risk Based Internal Auditing
19 - 20 Quality review of an internal audit department
21 - 22 Introduction and Auditing Cost Accounting
26 - 27 Interview techniques for auditors
28 Setting up an internal audit department

EVENTS 2011
28/4 General Assembly
12/5 Certification Celebration Event
