
CySEC: findings on Compliance Officer’s and Internal Audit’s reports 2019

CySEC issued today its findings on the Compliance Officer's and Internal Audit's reports in relation to money laundering and terrorist financing for 2017 and the respective Board of Directors minutes submitted in 2018. Compared to 2018, CySEC found an overall improvement in the content of these reports.

Summary of CySEC findings on the Compliance Officer's and Internal Audit's reports:

  • Insufficient analysis of the specific method/way of conduct of the inspections and reviews performed by the Compliance Officer;
  • Inadequate information provided in the Compliance Officers’ Annual Reports on the systems and procedures applied by the Regulated Entities for the ongoing monitoring of customers’ accounts and transactions;
  • No or limited information provided in the Compliance Officers’ Annual Reports submitted by the Administrative Services Providers in relation to the country of origin and type of high-risk customers with whom a business relationship was established or an occasional transaction had been executed;
  • No or limited reference made in the Internal Audit Reports submitted by the Administrative Services Providers (ASPs) to prior years’ findings and recommendations and, sometimes, no indication of whether these had been adequately addressed and rectified within the reference year, in order to ensure compliance with paragraph 6 of the Directive.


Full Content of the Report

Date: March 28, 2019
Circular No.: C 307
Subject: Findings of the assessment of Compliance Officers’ Annual Reports and the Internal Audit Reports on the prevention of money laundering and terrorist financing

The Cyprus Securities and Exchange Commission (the ‘CySEC’) wishes, with this circular, to inform the Regulated Entities of the following:   

  1. For the purpose of assessing the compliance of the Regulated Entities with their obligations under the Prevention and Suppression of Money Laundering and Terrorist Financing Law (the ‘Law’) and the Directive DI144-2007-08 on the Prevention of Money Laundering and Terrorist Financing (the ‘Directive’), CySEC conducted its annual risk-based assessment of Compliance Officers’ Annual Reports and Internal Audit Reports (the Reports). This risk-based assessment reviews both Reports for the year 2017 and the relevant minutes of the Board of Directors (the ‘BoD’) submitted to CySEC in 2018. Regulated Entities are obliged to submit to CySEC the Compliance Officers’ Annual Reports by the end of March and the Internal Audit Reports by the end of April for the previous calendar year.
  2. In carrying out these assessments, CySEC found an overall improvement in the content of the Reports. In most cases the findings were in line with the requirements set out in the Law, Directive, and Circular C033 on the Content of the Compliance Officer’s Annual Report on the prevention of money laundering and terrorist financing (‘the Circular’), which are enforced by CySEC.    
  3. From the review of the Compliance Officers’ Annual Reports, CySEC has also identified the following common and recurring weaknesses and/or deficiencies. In addition to the measures already taken to ensure full compliance, CySEC calls upon all Regulated Entities to duly consider these and immediately implement corrective measures.
    • In some instances, there was not sufficient analysis of the specific method/way of conduct of the inspections and reviews performed by the Compliance Officer to determine the degree of compliance of the Regulated Entity with the policy, practices, measures, procedures and controls applied for the prevention of ML/TF. This relates to paragraph 10(4)(b) of the Directive and point 2 of Appendix 1 of the Circular.
    • Following an assessment of Compliance Officers’ Annual Reports submitted by the Administrative Services Providers (ASPs), it was identified that occasionally no or limited information was provided in relation to the country of origin and type of high-risk customers with whom a business relationship was established or an occasional transaction had been executed, with little comparative data from the previous year. This refers to paragraph 10(4)(g) of the Directive and point 6 of Appendix 1 of the Circular.     
    • The information provided in the Compliance Officers’ Annual Reports on the systems and procedures applied by the Regulated Entities for the ongoing monitoring of customers’ accounts and transactions was not always adequate when compared with the data and information kept in the customer’s economic and risk profile. In particular, details on the timing of ongoing monitoring of customers’ accounts and transactions (e.g. in real time or after the completion of an event) and the method used for documenting the ongoing monitoring of customers’ accounts and transactions (e.g. preparing a memo describing all relative actions and recording it in the customer’s file) were not sufficient. This refers to paragraph 10(4)(h) of the Directive and point 7 of Appendix 1 of the Circular.
  4. As regards to the assessed Internal Audit Reports submitted by the Administrative Services Providers (ASPs), CySEC occasionally found that no or limited reference was made to prior years’ findings and recommendations. There was sometimes no indication of whether these had been adequately addressed and rectified within the reference year, in order to ensure compliance with the provisions of paragraph 6 of the Directive.    
  5. Under the Law and the Directive, Regulated Entities must ensure and adhere to:   
    • The Compliance Officer’s obligation for the correct preparation of the Annual Report and the sufficient assessment of the level of compliance of the Regulated Entity in relation to the prevention of ML/TF.  
    • The Internal Auditor’s obligation for the correct preparation of the Internal Audit Report and the sufficient review and evaluation of the appropriateness, effectiveness and adequacy of the policy, practices, measures, procedures and control mechanisms applied by the regulated entity for the prevention of ML/TF.  
    • The obligation of the Regulated Entity’s senior management officials to approve the policies, procedures and controls applied in relation to ML/TF, as well as monitor, and where appropriate, enhance the measures adopted – in reference to section 58C of the Law.  
    • The responsibility of a designated member of the BoD, to implement the provisions of the Law and Directives, circulars and regulations issued pursuant thereto including any relevant acts of the European Union – in reference to section 58D of the Law.   
    • The Regulated Entity’s BoD obligation for the sufficient assessment and approval of the Annual Report and the Internal Audit Report. The BoD must take all appropriate measures for the correction of any weaknesses and/or deficiencies identified, as well as the implementation timeframe of these measures.  
  6. CySEC expects that all Regulated Entities take into account the above-mentioned findings when preparing the Reports for the year 2018 and onwards, in order to ensure full compliance with the Law and the Directive. It is stressed that the Law provides strict administrative sanctions in case of non-compliance with the requirements of the Law and the Directive, which CySEC will not hesitate to use.  


Source: CySEC

Hot Topics for 2019 Internal Audit Plan

Hot topics for internal auditors: the 2019 report from the IIA

Risk in Focus puts a spotlight on priority risk areas that organisations face as they look ahead to next year. It reveals how heads of internal audit across Europe view today’s risk landscape.

Key findings

  1. The single biggest risks that chief audit executives believe their organisation faces as they prepare their audit plans for 2019 are cyber security, compliance, digitalisation, regulatory change and political uncertainty.
  2. As the frequency of cyber attacks on supply chains and cloud-based software providers rises, there will be an increase in assurance required around organisations’ exposure to third-party cyber security risk.
  3. The two areas of compliance that internal audit most commonly expects to assess over the next 12 months are the GDPR and anti-bribery and corruption laws, which are being actively enforced and updated in a number of territories.
  4. Recent protectionism in global trade, in particular tariffs brought by the US administration, represents a risk to organisations’ revenue growth. Boards/audit committees and their internal audit functions may choose to keep a watching brief on these developments.
  5. There is a mismatch between where internal audit spends its time auditing and the perceived priority risks that organisations face. Therefore, boards/audit committees should re-evaluate whether internal audit is being used effectively to deliver risk-based assurance.


About the report

Risk in Focus provides a touchpoint for the internal audit profession that helps HIAs to understand how their peers view today’s risk landscape. Working hand-in-hand with boards, audit committees and other stakeholders, internal audit should already have a rigorous understanding of their organisations and the greatest financial, operational and strategic risks they face. However, it is vital that knowledge and thinking is shared within the profession to reinforce risk assessments and mapping and, ultimately, to support the provision of greater assurance.

While many audit functions will be preoccupied with business-as-usual operational audits, and all should be focused on areas specific to the assurance needs of their organisations, the hot topics in this report represent themes that are relevant across industries, with an emphasis on new and emerging risks. To be clear, this list is not exhaustive and we expect internal audit to take an appropriately risk-based approach to its work by addressing organisations’ greatest priorities. The topics listed herein should therefore be treated as a reference point rather than audit planning guidance.

The most sophisticated audit functions will not only test internal control systems but support their business in identifying risks looming on the horizon. We hope this report serves as a valuable resource for HIAs in evaluating risks they may not have considered, or contemplate from fresh angles risks that are already on their radar screens. Some readers may recognise themes from their own risk assessments and they should take comfort from this. It is confirmation that they are risk-aware. Others may find the highlighted topics help them to shape their forthcoming audit plans.


Source: IIA

Introducing our Expanded Range of Services

We are delighted to introduce our expanded range of services and to be able to call ourselves Certified Public Accountants and Registered Auditors.

Our firm is now regulated by ICPAC ("Institute of Certified Public Accountants in Cyprus") and has obtained license to provide Accounting (E989/G/2018) and Audit services (E989/A/2018).

On top of our specialised internal audit services, our services have now been expanded to cover external audit & assurance services, accounting services including payroll services, tax services and corporate services. Our Values (Excellence, Trust, Integrity, Respect and Enhancement) will continue to drive our services with the objective of maximising the value passed to our clients.

Our Range of Services

Audit & Assurance Services

Our Audit & Assurance services are tailored to meet our client’s unique business characteristics which enables us to provide value adding services starting from day one with the minimum business disruption.

Through our in-depth knowledge and experience in risk based engagements, our Audit & Assurance team is able to effectively apply a risk based approach which enables the execution of an efficient and effective engagement.

  • Performing Statutory Audits based on the International Auditing Standards (IAS).
  • Drafting and compiling Financial Statements based on the International Financial Reporting Standards (IFRSs).
  • Filing of Financial Statements with Regulators (CySEC) and other governmental bodies (Taxation, VAT Authorities).
  • Preparing Management Letters to the Company’s Board of Directors citing areas for improvement.

Accounting & Payroll Services

Our Accounting & Payroll department delivers reliable outsourced accounting services in line with the requirements and unique characteristics of each organisation. Our department is staffed with qualified individuals with experience in accounting, auditing and tax services.

Coupled with our internal review procedures, our department is able to deliver top-notch accounting services.


Our Accounting Services

  • Bookkeeping: Systematic and comprehensive bookkeeping services keeping accurate and updated accounting records.
  • Management Accounts: Insightful and detailed management reporting with the objective to improve management information and decision making.
  • Financial Statements: Preparation of financial statements compliant with the International Accounting Standards (IAS) and International Financial Reporting Standards (IFRS).

Our Payroll Services

  • Payroll Calculations: Preparation of weekly and/or monthly payroll calculations correctly accounting for all contributions and deductions.
  • Payroll Reporting: Preparation of monthly Payslips, Payroll analysis and Journal Entries for accounting.
  • Tax Compliance Support: Timely preparation and submission of annual tax returns, e.g. IR63 (Employees’ Certificate of Emoluments), IR7 (Employer’s Return), etc.

Risk Advisory - Internal Audit

Our Risk Advisory service line specialises in the provision of Internal Audit services for financial service companies including asset managers, brokers and investment firms.

The Risk Advisory team has knowledge and exposure in Internal Audit, Compliance/Legal and IT areas; therefore, we are able to deliver a comprehensive range of Internal Audit services. Our people have had substantial exposure in servicing the financial services sector in Cyprus and abroad, covering the FCA and CySEC jurisdictions, which enables us to bring insight and knowledge to our clients.

Our Internal Audit Services

  • Outsourced Internal Audit Services
  • Co-sourced Internal Audit Services
  • External Quality Assurance
  • Internal Audit Transformation
  • Internal Audit Advisory

Tax Services

Corporations and individuals are required to continually comply with direct and indirect tax requirements. Our Tax services are tailored to meet our client’s unique requirements through a reliable and personalised service.

Our Tax services can be offered either as a stand-alone tax support service or as an integrated service through the provision of other related services such as accounting and payroll services.


Our Tax Services

  • Tax registration and tax returns preparation
  • VAT registration and preparation for submission
  • Social Insurance registration and filling/payment assistance
  • Assistance in the preparation of personal tax returns
  • Tax compliance advice

Corporate Services

Our Corporate Services team, along with our external partners, aims to assist our clients in complying with the applicable corporate, legal and statutory requirements. The range of our Corporate Services consists of registration services, legal support and company administration support.

Our Corporate Services, coupled with our auditing, accounting, payroll, tax and risk advisory services, form a complete bundle of reliable, high-quality services.

Our Corporate Services

  • Registration Services
  • Legal Services
  • Company Administration Services

Internal Audit and GDPR

The General Data Protection Regulation (GDPR) has been on many organisations’ corporate minds, and rightly so, for some time. However, with the regulation coming into force on 25 May 2018, awareness must now become action – and internal audit should be involved at all levels, to help management better understand and mitigate the related risks.

From DPA to GDPR

The European Parliament passed GDPR on 27 April 2016 through European Directive 2016/679 ‘on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)’. The previous regulation had led to data protection legislation in all member states, such as the UK’s Data Protection Act of 1998. While this approach allowed for national legislation to reflect national concerns and priorities, it led to a ‘patchwork of rules’, as the ACCA has phrased it: Any company handling the data of EU residents should start preparing now for its stringent new data-protection rules.

More data, and more personal data, is being shared than ever before, and both cyber-commerce and the digital economy as a whole are increasing daily. As more people trust their information to virtual rather than physical businesses and platforms, it seems appropriate that the laws governing that information and its safe use keep pace.

Significant differences between the Data Protection Act 1998 (DPA) and General Data Protection Regulation (GDPR) include the introduction of:

  1. explicit guidance on how children’s data and data consent should be managed
  2. the highly publicised ‘right to be forgotten’, also known as the right of erasure
  3. data portability – individuals will have the right to request their data in an easily accessible, portable yet secure format
  4. the need to appoint data protection officers and, in many organisations, a representative based in an EU member state
  5. increased accountability and consequences for individuals and organisations who hold and/or process personal data
  6. reduced timescales to report data breaches and respond to subject access requests
  7. greater consequences for non-compliance.

Whatever your organisation’s purpose, sector or location, you are overwhelmingly likely to need to comply with, and demonstrate compliance with, GDPR. Customers, members of staff, members of the public who share personal data of any sort – any individual who interacts with your organisation is protected.

Internal Audit and GDPR

Internal audit can and should take the lead before, during and after 25 May 2018. If your function has not yet been involved, then make sure you are! It will mean adjusting your annual audit plan and beyond, but GDPR is exactly the kind of event that should, in risk-based auditing terms, be top priority. Providing consultancy and advisory services throughout the organisation, internal audit can firstly advise on and assess the governance over GDPR.

Consultancy engagements can assess organisational readiness for 25 May, whereas assurance engagements will assess whether the organisation is compliant as of 25 May. Whether at board level or below, how senior leaders and decision-makers approach GDPR and communicate its importance to their colleagues will influence how compliant and successful the organisation is.

Internal audit should be constantly creating and building relationships at all levels of the organisation. This does not mean telling people what they want to hear, but rather developing a mature, professional basis to exchange information and views. Only when internal audit makes its voice heard can it truly help enhance risk management and provide meaningful assurance.

ICO's 12 step checklist

GDPR will be either a test or a confirmation of many internal audit functions’ place and influence. According to the ICO, there are 12 steps all organisations need to take now to prepare for GDPR:

  1. Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

  2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

  3. Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

  4. Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

  5. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

  6. Lawful basis for processing data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

  7. Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

  8. Children

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

  9. Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

  10. Data protection by design and data protection impact assessments

You should familiarise yourself now with the ICO’s code of practice on privacy impact assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

  11. Data protection officers

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a data protection officer.

  12. International

If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

Internal Audit Role

Throughout preparation, internal audit needs to help raise awareness at all levels of the organisation and promote a risk-based approach at all times.

After May 2018, internal audit, while still valued for its consultancy work and insights, is likelier to emphasise assurance. How adequate and effective are the policies and processes in place as controls? What about the biggest control of all – governance? Are the right people in the right roles to promote sound data controlling and processing? How rigorous and timely is the reporting of data breaches? Are we fully compliant? How do we learn from incidents?

Once GDPR has started to become business as usual, how will internal audit reflect this in its annual plans? Should GDPR be a consideration for every audit engagement, in the way culture now should be?


Use this for internal audit involvement in GDPR activity before, during and after 25 May 2018 for both consultancy and assurance engagements.

Table: ICO's 12 steps to take for GDPR, mapped against three phases (columns: Pre May 2018; May 2018; Post 25 May 2018). The rows cover: Information you hold; Communicating privacy information; Individuals’ rights; Subject access requests; Legal basis for processing personal data; Data breaches; Data protection impact assessments; Data protection officers. The phase markings for each row are not reproduced here.

Source: IIA

Internal Audit in the age of Disruption

A great report highlighting disruption as a great challenge for internal audit executives ("IAE") today. To achieve an effective internal audit function, it is vital for IAE to recognise what’s coming and provide insight to the organisation on how to harness that disruptive power.

Although this should be nothing new for internal audit, there are many cases in today’s world where IAE take a conformance approach instead of a more proactive and forward-looking one. This post presents the key points from the IIA's report on Disruption.


Disruption is sometimes described as a wave, crashing upon established business practices; or as an earthquake, upending the stable ground upon which the organization has stayed solid for years.

Neither metaphor is quite right. Disruption is more like a herd of horses galloping toward you. Sometimes you can see the herd coming, other times it catches you by surprise. With enough skill and preparation, the organization can climb astride the herd, harness its strength, and go in a new direction.

Or you can do nothing and get flattened.

The great challenge for internal audit executives today is to perceive disruptions in their true form. Recognizing what’s coming and providing insight to the organization on how to harness that disruptive power is truly valuable. This is nothing new for internal audit. Insight is core to the Mission of Internal Audit — to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight...

Examples of slow-rolling disruption are many, and usually they involve “the rise” of something: of the internet in the 1990s, of China as an economic power in the 2000s, of cloud computing in the 2010s. Audit executives can take their pick of possible disruptions for the 2020s: self-driving cars, artificial intelligence (AI), the Internet of Things (IoT), protectionist trade policies — and, most likely, many more.

The forces that propel disruption include technology (advances in wireless communication, GPS satellites, and so forth); policy (the advent of free trade after World War II, and its possible retreat today); demographics (baby booms that shift political moods, or ageing populations that trim economic dynamism). And sometimes random events shake standard business environments to the core (the Sept. 11, 2001 attacks, the financial crisis of 2008, the Spanish flu epidemic of 1918)...


Finding Internal Audit’s ‘Value-Add’

CAEs want to serve in the role of trusted advisor. Boards and senior managers say they want that, too. The question is whether CAEs actually are living up to that role, especially as the business landscape sees more disruption...

On a straightforward level, one way to escape that trap is to improve the work of the internal audit function. For example, an internal audit department could embrace innovation by working smarter with data analytics and robotics. Using robotic process automation, internal audit could develop software tools that enable the first lines of defense to analyze an entire universe of data, rather than a small sample. In this way, internal audit becomes a source of disruption, providing the first line of defense with a way to automate its risk management activities. That, at least, gives a CAE more time to think strategically about business risks...

Get There on Time

A principal challenge of disruption today — one that didn’t exist for prior generations — is how quickly and easily it can emerge. Blame advances in digital technology...

In today’s world the most pointed disruptive threats look different. They are not asset-heavy. They are asset-light. And while that may seem appealing to unsavvy onlookers, it can be the kiss of death for a CEO facing disruptive entrants.

Why? Asset-light businesses are not financed with debt. They’re financed with equity. That’s a resource that is much less expensive for new businesses with no track record than for established businesses with all the credibility in the world.

Wessell was writing for CEOs and CFOs worried about nimble competitors rushing over the horizon, but his point is just as valid for CAEs. Disruption happens more quickly today because disruption has never been easier and cheaper to do.

Given that fact, another best practice for CAEs becomes clear: work more closely with the business units, since they are a prime source of disruption. Whenever possible, be present at the moment of creation...

That is not necessarily easy to do with business disruption. But remember: disruption supplants one set of business practices with another. Those new practices, as surprising as they may be at the start, will evolve into a business model. So what types of models might emerge? What risks — operational, financial, compliance, reputational — would they bring? Those questions, a more open-ended form of risk assessment, are what CAEs should ask...

And that, after all, is what boards truly want: disruption, but disruption harnessed intelligently. Then the business can go with the herd: moving through it, and taking whatever position within it that seems best.

Practical Tips and Techniques

As outlined by Charlie Wright, director, Enterprise Risk Solutions at BKD LLP in Edmond Okla., in the December 2017 Internal Auditor magazine Risk Watch article “Tomorrow’s ERM Today,” there are several ways internal auditors can help manage the effect of disruptive technologies on their organizations.

Focus on Assurance

Internal audit should continue to focus on what it does best. By continuing to focus on risk management, control, and governance, auditors can help ensure that processes are designed and operating effectively — regardless of the speed of disruption. By proactively helping the organization anticipate emerging risks and technological changes, internal audit can be positioned as an authority and help prepare the organization to respond to disruptive events.

Engage with Stakeholders and Subject Matter Experts

Align internal audit’s work with the expectations of internal audit’s key stakeholders. Work closely with subject matter experts who are implementing disruptive technologies and focus on the most relevant and significant issues.

Invest in Training on Disruptive Technologies

Constantly pursue training to learn about new technologies and the complex and emerging risks being introduced to the organization. Chief audit executives should develop an adaptive, flexible, innovative staffing model to tap into a highly specialized talent pool with technological competence and the ability to rapidly understand and leverage new tools, techniques, and processes.

Put New Technologies to Work

Embrace and leverage new technologies in performing internal audit work. Internal auditors need to be at the forefront of adopting artificial intelligence, cognitive computing, and smart robots. Auditors need to understand how technologies such as blockchain work and how they can be used in their organizations. They must take advantage of machine learning and data analytics in their audit processes — real-time auditing should be a requirement as organizations implement new business processes.

Closing Thoughts

There may be a lack of synergy between internal audit and innovators or creative thinkers in the organization, but with regard to disruptive events that the organization either generates or reacts to, internal audit should be there from the beginning.

By focusing on assurance, engaging with subject matter experts, investing in training and disruptive technologies, putting new technologies to work, and providing insight into emerging risks and opportunities, internal audit may be seen as a key asset in helping the organization to harness the power of disruption.

Source: IIA

Risk Based Internal Auditing

Risk Based Internal Auditing as defined by the Chartered Institute of Internal Auditors


Over the last few years, the need to manage risks has become recognised as an essential part of good corporate governance practice. This has put organisations under increasing pressure to identify all the business risks they face and to explain how they manage them.

In fact, the activities involved in managing risks have been recognised as playing a central and essential role in maintaining a sound system of internal control. 

While the responsibility for identifying and managing risks belongs to management, one of the key roles of internal audit is to provide assurance that those risks have been properly managed.

The Chartered Institute of Internal Auditors (IIA) believes that a professional internal audit activity can best achieve its mission as a cornerstone of governance by positioning its work in the context of the organisation's own risk management framework. 

What is risk based auditing?

IIA's definition

IIA defines risk based internal auditing (RBIA) as a methodology that links internal auditing to an organisation's overall risk management framework. RBIA allows internal audit to provide assurance to the board that risk management processes are managing risks effectively, in relation to the risk appetite. 

Is the organisation ready?

Every organisation is different, with a different attitude to risk, different structure, different processes and different language. Experienced internal auditors need to adapt these ideas to the structures, processes and language of their organisation in order to implement RBIA. 

RBIA seeks at every stage to reinforce the responsibilities of management and the board for managing risk.

If the risk management framework is not very strong or does not exist, the organisation is not ready for RBIA. More importantly, it means that the organisation's system of internal control is poor. Internal auditors in such an organisation should promote good risk management practice to improve the system of internal control. 

Where RBIA is new to an organisation, the head of internal audit will need to market the concept to management and win their support, particularly since it may mean a change for them in the way that they think about risk.

A dynamic process

RBIA is at the cutting edge of internal audit practice. As a result, it is an area that is evolving rapidly and where there is still little consensus about the best way to implement it.

It is more difficult to manage than traditional methodologies. Monitoring progress against an annual plan that is constantly changing is a challenge. Setting targets and appraising staff may become more complex. 

But the advantages of RBIA are much greater. 


By following RBIA, internal audit should be able to conclude that:

  1. Management has identified, assessed and responded to risks above and below the risk appetite

  2. The responses to risks are effective but not excessive in managing inherent risks within the risk appetite

  3. Where residual risks are not in line with the risk appetite, action is being taken to remedy that

  4. Risk management processes, including the effectiveness of responses and the completion of actions, are being monitored by management to ensure they continue to operate effectively

  5. Risks, responses and actions are being properly classified and reported. 

This enables internal audit to provide the board with the assurance it needs in three areas:

  1. Risk management processes, both their design and how well they are working

  2. Management of those risks classified as 'key', including the effectiveness of the controls and other responses to them 

  3. Complete, accurate and appropriate reporting and classification of risks


Implementation of RBIA

The implementation and ongoing operation of RBIA has three stages and IIA has produced detailed guidance on each of them:

Stage 1: Assessing risk maturity

Obtaining an overview of the extent to which the board and management determine, assess, manage and monitor risks. This provides an indication of the reliability of the risk register for audit planning purposes.

Stage 2: Periodic audit planning

Identifying the assurance and consulting assignments for a specific period, usually annual, by identifying and prioritising all those areas on which the board requires objective assurance, including the risk management processes, the management of key risks, and the recording and reporting of risks. 

Stage 3: Individual audit assignments

Carrying out individual risk based assignments to provide assurance on part of the risk management framework, including on the mitigation of individual or groups of risks.

Overview of the Stages

Source: Chartered Institute of Internal Auditors

Hot Topics for 2018 Internal Audit Plan

European Report: Risk in Focus Hot Topics for Internal Audit 2018

Risks are undoubtedly changing for all organisations, each of which has its own risk appetite. However rigid or fixed audit plans may be, they are subject to change as new risks emerge at the operational, strategic and wider environmental level.


Six European IIA affiliates have jointly prepared and published the "Hot Topics for Internal Audit 2018" report, which explores key themes requiring the attention of internal audit to mitigate risk, protect and add value in their organisations. Although the report was prepared from a chief audit executive’s perspective, it is a valuable source of knowledge for staff at all levels when forming their 2018 audit plans.

Source: IIA

Cyber security and information risk guidance for Audit Committees

"Cyber security is the activity required to protect an organisation’s computers, networks, programmes and data from unintended or unauthorised access, change or destruction via the internet or other communications systems or technologies. Effective cyber security relies on people and management processes, as well as technical controls.

Government guidance makes it clear that cyber security is now an area of management activity that audit committees should scrutinise. Together with the rapidly changing nature of the risk, this means that audit committees need to understand whether management is adopting a clear approach, and whether the organisation is complying with its rules and standards, and is adequately resourced for cyber security.

‘Cyber security and information risk guidance for Audit Committees’ is fully consistent with and complements the guidance provided by the government. It provides a checklist of questions and issues covering:

  • The overall approach to cyber security and risk management
  • Capability needed to manage cyber security
  • Specific aspects, such as information risk management, network security, user education, incident management, malware protection, monitoring, and home and mobile working
  • Related areas, such as using cloud services and developing new services or technology

Our guidance is based on our previous work and our detailed systems audits, which have identified a high incidence of access-control weaknesses. It also provides links to other government guidance and NAO resources."

National Audit Office

Source: National Audit Office