Internal Audit of the Future Evolution of Internal Audit Due to Digitisation. Cheryl Khor Asia Pacific Operational Risk Leader Deloitte

Transcription

1 Internal Audit of the Future Evolution of Internal Audit Due to Digitisation Cheryl Khor Asia Pacific Operational Risk Leader Deloitte

2 The Age of Disruption and Digitalisation 2

3 Business Leaders are increasingly focusing on risks that threaten to disrupt the fundamental assumptions of their Organization s strategies. Disruptions in the forms of emerging technologies, business model transformations, and ecosystem changes will force Executives to make significant strategic choices to drive organizational success. Driving forces behind these disruptions: Globally distributed business models are increasing dependencies on Stakeholders across geographies, making brands more vulnerable to geopolitical risks. Growing connections between businesses are expanding the sources of potential disruption Traditional industries are converging to create new markets Business model innovation (such as sharingbased and subscription-based) is driving organizations to constantly reinvent themselves Advancements in social, mobile, analytics, and cloud-enabled emerging technologies are creating opportunities for startups to disrupt incumbents Customers are increasingly expecting more personalised products and services 3

4 How have these disruptions affect Assurance Providers and Internal Audit ( IA ) Practitioners? Digital and disruptive technologies are transforming the nature of organisations Assurance can be more timely and proactive; spotting problems before the become issues Organisations face an increasingly diverse risks Assurance functions struggle to keep pace; they lack the skills, technology, and capacity to meet the needs of business The speed of risks impacting organisations has never been so high Assurance functions fail to create impact 4

5 Copyright 2018 Deloitte Development LLC. All rights reserved. Internal Audit of the Future Lab 5

6 Global Insights and Trends in IA The following are the key findings from our 2018 Global CAE Research Survey: Internal Audit s impact and influence are stronger - but awareness and views of the function across the organisation still need to improve Internal Audit innovation is linked to stronger impact and influence Data analytics (22%) RPA/cognitive technologies (15%) Predictive analytics (14%) Risk anticipation (13%) Adopting agile approaches (8%) Advanced analytics is seeing greater adoption Resourcing models are evolving, but must evolve faster Advanced analytics (22%) Data query and manipulation (84%) Basic analytics (54%) 6

7 Global Insights and Trends in IA The following are the key findings from our 2018 Global CAE Research Survey: Key challenges facing Internal Audit include a shortage of new skills, while analytics is the highest priority Organisation culture audits are conducted by less than 30% Cyber risk assessments are conducted by only about half of Internal Audit groups KPIs are used by most groups, but needs updating Robotic Process Automation ( RPA ) is starting to make inroads Reporting is poised to become more agile and dynamic 7

8 Global Insights and Trends in IA In interviews with more than 200 Senior Executives and Audit Committee chairs, three (3) value dimensions have been revealed: Assurance Advising Anticipating This is central to Internal Audit s role but must not be the limit. All sources confirm that a strong advisory role is key to maximising the value of Internal Audit. Internal Audit becomes a forward-looking function that prompts awareness of what could go wrong, and what to do about it, before it happens. 8

9 Time for Innovation is Now IA 3.0! 9

10 Internal Audit of the Future Internal Audit 3.0 Assure Advise Anticipate Skills and Capabilities Enablers Core processes 3 LoD enhancements Risk Sensing Polymath Automated core Assurance Truly greatest risks Assurance by Design Risk Learning Decision governance Control Effectiveness Purple Person Agile IA Behaviours During change SMEs High Impact reporting 3 LoD Digital technologies Digital assets Next Generation Resourcing Response teams Analytics RPA AI Automated QA Dashboards Relationship management Change catalyst Intelligent Assurance 10

11 Value Proposition #1 - Assure Unlocking the value of core processes through automation The following are potential benefits from the application of automated core assurance approach: 01 Internal Audit can cover both core process assurance and strategic risk 02 Enables allocation of resources to address the truly greatest risks 03 Frees resources to analyse why issues occur, including behaviors 04 Shift Internal Audit s role from issue identifier into Trusted Advisor 05 Internal Audit can leverage knowledge to help businesses 11

12 Value Proposition #2 - Advise Maximising value to stakeholders 3 LoD enhancements By involving IA to advise the first and second lines of defense on ways to improve their own assurance capabilities, IA will be able to provide advise and share methods and tools, while still maintaining Internal Audit objectivity and independence. During change IA should have a seat at the table on strategic projects and transformation initiatives. This will result in IA having the ability to call out concerns, challenge Management s approach to risk management and advise on ways to enhance and provide assurance. Assurance by design By considering how assurance will be achieved before new systems or processes are implemented, IA can help business reduce the need for the second or third line to provide assurance on processes or controls. Control effectiveness By assessing operational effectiveness through analytics and/or walkthroughs and sample testing once the controls have been embedded, IA will be able to advise the business when they assess the design effectiveness of a control prior to implementation. 12

13 Value Proposition #3 - Anticipate Delivering forward-looking insights Risk sensing: Viewing the risk landscape Risk learning: Getting to why Advanced analytics + human judgement = panoramic view of risks. Focuses on emerging risks and allows realtime assessments Pattern recognition + root cause analysis = proactive assurance work 13

14 Risk sensing realized Supplier Risk Intelligence (SRI) How has my risk profile changed? Continuous monitoring via regular data refreshes Track the way your supply chain risk changes Keep an eye on deteriorating conditions Who do I rely on? Suppliers with greatest spend Single supplier dependencies Suppliers who are critical links in the supply chain Dashboards provide summary views as well as allowing drill down into details 30+ separate risk metrics across 5 categories of risk Governance Social Environmental Regulation How do I protect my business? Economic Conditions Who can I trust? Risk assessment of every supplier Objective, evidence based analysis from reputable data sources Early identification of emerging risks Early warning risk indicators enable changes to be made before they impact operations Visibility of the impact to the supply chain to allow informed decision making How do I prevent disruption? ASSESSMENT MONITORING ACTION 14

15 Internal Audit s long-held paradigms 1. Internal Auditors plan, execute, and report results of point-in-time audits 2. Internal Auditors assess internal controls and report opinions on whether they believe controls are effective 3. Internal Auditors report what they believe to be control deficiencies, material weaknesses, significant deficiencies 4. The profession has been primarily supply-driven rather than demand-driven, as Boards and C-Suites have often not specified their assurance needs - leaving Internal Audit Departments to form their own views regarding which objectives/topics to focus on 5. Internal Audit often does not know, or require that Management and Boards define, the type and amounts of residual risk the Company and its Board are prepared to accept 15

16 What is IA Analytics 2.0? Industry 16

17 Enabler to Internal Audit 3.0 Applied Analytics [1/2] When the CIO of a leading company wanted to know if the business was effectively controlling its technology spend, he asks the Internal Audit Team to audit the Company s technology purchases. The Internal Audit Team decides to take an insightsdriven approach enabled by analytics. The Team chose to represent the issue if higher than expected levels of business spend on technology in a simple timeline. Dollar value of spend on Y axis and time on the X axis. The blue line represents what IT had purchased The shading represents the range of forecasted spend to help educate Management on the direction and impact of not addressing spend challenges The orange line in the graph represents business spending on IT equipment (Source: Internal Audit Analytics: The Journey to 2020, Deloitte, 2016.) 17

18 Enabler to Internal Audit Applied analytics [2/2] The Internal Audit Team drilled further down into the data, shedding greater light on the nature and extent of the spending variance; A treemap allows the Team to depict the answers with a surprising degree of granularity by illustrating every purchase as a box, with the size of the box representing the relative dollar spend; and This set the stage for the Internal Audit Team to pursue an even deeper line of what if and root-cause questioning. Drill-downs into departmental level spend help to give context to this issues Using a variety of visual design cues, the team effectively communicated big data issues The treemap helps to highlight that troubling spending patterns are systemic throughout the organisation (Source: Internal Audit Analytics: The Journey to 2020, Deloitte, 2016.) 18

19 Key Takeaways 1. Future of IA to adapt to disruptions, or become irrelevant 2. Maximise value to Stakeholders 3. Risk Sensing and Digitalise IA 19

20 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited ( DTTL ), its global network of member firms, and their related entities. DTTL (also referred to as Deloitte Global ) and each of its member firms are legally separate and independent entities. DTTL does not provide services to clients. Please see to learn more. Deloitte is a leading global provider of audit and assurance, consulting, financial advisory, risk advisory, tax and related services. Our network of member firms in more than 150 countries and territories serves four out of five Fortune Global 500 companies. Learn how Deloitte s approximately 264,000 people make an impact that matters at About Deloitte Southeast Asia Deloitte Southeast Asia Ltd - a member firm of Deloitte Touche Tohmatsu Limited comprising Deloitte practices operating in Brunei, Cambodia, Guam, Indonesia, Lao PDR, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam was established to deliver measurable value to the particular demands of increasingly intra-regional and fast growing companies and enterprises. Comprising approximately 340 partners and 8,800 professionals in 25 office locations, the subsidiaries and affiliates of Deloitte Southeast Asia Ltd combine their technical expertise and deep industry knowledge to deliver consistent high quality services to companies in the region. All services are provided through the individual country practices, their subsidiaries and affiliates which are separate and independent legal entities. About Deloitte in Malaysia In Malaysia, services are provided by Deloitte Risk Advisory Sdn Bhd (formerly known as Deloitte Enterprise Risk Services Sdn Bhd) and its affiliates. Sdn Bhd (formerly known as Deloitte Enterprise Risk Services Sdn Bhd)