Getting comfortable with being uncomfortable! Using Agile IA to transform your internal audit function. IIA Phoenix December 4, 2018


1 Getting comfortable with being uncomfortable! Using Agile IA to transform your internal audit function
IIA Phoenix, December 4, 2018
Copyright 2018 Deloitte Development LLC. All rights reserved.

2 Presenting today
- Rob Creighton, Manager, Risk and Financial Advisory, Deloitte & Touche LLP
- Billy Whala, Senior Consultant, Enterprise Technology, Deloitte Consulting LLP

3 Time for innovation is now!
- The birth of modern internal auditing with the establishment of The Institute of Internal Auditors (IIA)
- Agile IA!
- COSO integrated control framework
- Cyber risk
- Oxley
- Integrated audits and subject matter expert support
- IT internal audit
- Data analytics

4 What do our survey findings reflect?
Agile Internal Audit - the application of principles and practices of agile development to Internal Audit work - is rapidly winning acceptance, with 55 percent of surveyed CAEs indicating that they are either using agile or considering doing so.
[Chart: Adoption of agile approach by the Internal Audit function*. Response categories: Considering informally adopting an agile approach; Considering formally adopting an agile approach; Currently formally operates under agile principles; Not sure what agile Internal Audit is; Not considering adopting an agile approach; Not sure. Values shown: 15%, 27%, 14%, 14%, 25%, 5%.]
These findings reflect many companies' goals of achieving strategic and operational agility in order to respond to a fast-paced, often disruptive business environment.
*Figures do not add to 100% due to rounding.
Source: Deloitte Touche Tohmatsu Limited 2018 Global Chief Audit Executive Research Survey

5 Why bring Agile to IA?
IA should transform to deliver on a broader set of expectations, providing assurance but also advising and anticipating risks.
- Enables IA to respond quickly to changing business needs
- Reduces the time between requirement and delivery
- Builds the risk-specific insights the customer needs
- Avoids delivering insights without quality problems
- Meets business commitments by reprioritizing scope

6 What is Agile?
Agile is a group of methods based on iterative development, where requirements and solutions evolve through collaboration between self-organizing, cross-functional teams.
Agile is not:
- a single methodology
- a set of tools
- that easy (it is easy to understand, not easy to implement)
Agile: Lean, Scrum, Feature-driven Development (FDD), Kanban, Adaptive Software Development
These are now collectively referred to as agile methodologies, after the Agile Manifesto was published in
Agile is not a silver-bullet

7 Agile Manifesto
While there is value in the items on the right, we value the items on the left more:
- Individuals and interactions over Process and procedures
- Working software over Comprehensive documentation
- Customer collaboration over Contract negotiation
- Responding to change over Following a plan
Source:

8 Characteristics of Agile
Characteristics of Agile IA:
- Increased communication
- Frequent delivery of results
- Collaboration
- Short, time-boxed iterations
- Flexible audit plan
- Self directed teams
- Customer engagement
- Adaptability
- Point of view
- Cross-functional teams

9 Agile focuses on
Agile development enables Internal Audit to focus on delivering the utmost business value in the shortest amount of time allowing for fast feedback and rapid validation.
- Delivering business value
- Self organizing: The business sets the priorities - Agile teams self-organize to determine the best way to deliver the top priority items
- Rapid / repeatable: Build multiple, recurring feedback loops into the process, to inspect work and for teams to implement changes quickly and continually improve
- Working product: At the end of regular cadences, anyone can see actual products and the customer/stakeholder may decide to release it as is or ask for it to be enhanced in an upcoming iteration

10 Traditional audit vs. Agile audit
Traditional Internal Audit: Planning, Fieldwork, Review, Reporting (8 -? weeks)
Impacts to customer:
- Am I losing money?
- What is going on?
Agile Internal Audit: Sprint 0, Sprint 1, Sprint 2, Sprint 3, Sprint 4, Sprint H (Planning, 2 Weeks per sprint; POV shown five times)
Impacts to customer:
- I am now more informed
- I can react to and modify my plan based on the interim point of views
- I have collaborated with the right individuals
Key terms defined:
- Sprint: A time-boxed period during which the team will complete a set of prioritized stories.
- Point of View (POV): A summary of the relevant insights gained from observations and stories. It is a condensed understanding of the area with highlights to relevant insights of the state of risk and controls.
- Time-box: Defined timeframe no longer than 2-3 weeks.

11 Effective Agile IA team makeup

Audit Project Champion
- Manage relationships & communications with business executive stakeholders
- Champion the agile process in the department and organization
- Socialize and advocate Internal Audit's Agile approach to the business
- Serve as a project escalation point
- Support strategic decision making
Primarily engages with: Business executives, Key stakeholders, Product owners
Facilitates efforts in: Identifying projects, Obtaining project approvals

Audit Product Owner
- Ensure the project team's alignment with Business executives and project key stakeholders / points of contacts
- Set the direction / vision for the team
- Identify and prioritize the sprint backlog
- Assist in translating stakeholder needs into value/outcomes
Primarily engages with: Project champion, Business executive, Key stakeholders, Scrum master
Facilitate efforts in: Audit canvassing, Story mapping, Definition of ready and done, Backlog refinement

Audit Scrum Team
- Conduct testing and validate results
- Identify, draft, and communicate project observations
- Develop iterative sprint deliverables
- Execute on the product owner's vision
- Attend and participate in all ceremonies
- Contribute in periodic daily scrums
Primarily engages with: Scrum master, Key stakeholders

Audit Scrum Master
- Facilitates team's identification of stories for sprints and breaks down stories
- Clear impediments and protect team from outside interruptions
- Drive tactical team-level improvement
- Manage relationship between the team, product owner and others outside the team
Primarily engages with: Product owner, Key stakeholders, Scrum team
Facilitates efforts in: Sprint planning, Daily stand-up, Sprint closing/demo, Sprint retrospective

12 How is planning different?
Planning differently:
- Internal Audit canvas
- Executive engagement
- Approaching from top down
- Flexible planning cycle
- Epics / features / user stories

13 How is execution different?
Executing differently:
- Agile ceremonies
- Interactive sprint planning
- Rules of the engagement
- Daily standup meetings
- Definition of ready / done / release
- New audit management tools

14 How is reporting different?
Reporting differently:
- Point of view (POV)
- Faster feedback loop
- Ties back to strategy
- Focuses on the relevance of work performed
- Articulates the "so what?"
- Insights to relevant risks and exposures

15 Perception / reality of Agile IA
- Perception: Anti-planning / Reality: Enhanced, high value planning
- Perception: Less or no documentation / Reality: Flexibility to define have to want to haves
- Perception: More rework / Reality: Iterative delivery with a focus on quality
- Perception: One-size fits all / Reality: Applies test, learn, and adapt mentality

16 Continuous improvement
- Executive sponsorship: Delivering audit results without bringing the executives along the journey upfront on the have to haves
- Transforming leadership behavior: For true mindset shifts and transformations there needs to be executive level mindset shift
- Harnessing the power of the project canvas: Upfront buy-in on why, what, and how much to audit impacts stakeholder buy-in and shorter reporting cycles
- Emphasis on the right risks: Use the power of iteration to revisit risks, going deeper, stopping or taking a turn as dictated by your results
- Distributed teams: Coordinating with resources across the globe requires extra effort to get the maximum results
- Transformation leader + change agents: Transformations need a central POC to drive the transformation vision
- Commitment to fast feedback: Socializing results at the end of every sprint rather than one big bang report enhances insights and reduces cycle time
- Emphasis on collaboration: Agile relies on cross functional teams that audit through cross functional collaborations

17 Let's get started
Those interested in implementing Agile IA should consider participating in a one-day lab session to explore the value proposition for Agile IA and answer the challenge question: How can Agile principles be applied to Internal Audit to assure, advise, and anticipate risk most effectively?
Define / Brainstorm / Manifesto / Action:
- Clear definition of what Agile is and is not
- Brainstorm on the current pain points faced by IA team & determine how to apply Agile principles to current practices
- Differentiate Agile from the current internal audit life cycle approach
- Identify Must Haves and Want to Haves
- Identify projects to pilot Agile principles

18 Deloitte Agile IA Resources
- Becoming agile: A guide to elevating Internal Audit's performance and value
- Internal Audit Insights 2018: High-impact areas of focus
- Part 1: Understanding agile internal audit
- Part 2: Putting Agile IA into action

19 Q&A

20 Appendix

21 Internal audit canvas template

1 Business Highlights / Concerns
- How does the business area align with the Corporate Strategy?
- What are the business objectives?
- What are the risks to the business achieving its objectives?
- Relevant business metrics?
- Concerns raised by the business?
- Issues identified by the business?
- Business initiatives to resolve
Guidance: Interviews with Executive Accountable and key business area stakeholders to agree on the "so what"; Business process narratives / flowcharts; Internal management reports; Revenue/Expenses; Costs to Operate; Geographical Distribution; Prior internal/external reports; Self reported issues of business and current initiatives

2 Project Drivers
- Why is this project important to the business?
- Why is it on the audit plan?
- Drivers from the risk assessment?
- What is going on within the business?
- What is the value-add (relevance) to the enterprise?
- What are we solving for?
- What questions will be answered at the end of the review?

3 Cross-functional Impact
- Key IT systems/reports supporting and/or monitoring the business process?
- Implications of change
- Compliance considerations?
- Financial Reporting/Impact?
Guidance: Compliance elements; Data Available/Reports Used; Exception Reports; Financial Impact; Operational Impact; Global Functional Team Involvement; Cross Business Area Impact

4 Value Proposition
- What is the value of doing an Agile audit in this area?
- How is an Agile audit going to bring value to the business?
Guidance: Understanding of the control environment; Internal/External influences; Qualitative and/or Quantitative; Alignment with business strategy, goals and/or objectives; Alignment with business area risk

5 Key Stakeholders
- Executive Accountable - Who is most concerned about the value of the project?
- Cross functional Executive(s) - What other functions will be most impacted?
- Internal Audit Market Leader
Guidance: Executive Accountable ** (Officer 1 person removed from the EC); Internal Audit Market Leader (CAE Direct Report)

6 Metrics/KPIs
- Key metrics used by the business to measure achievement of its objectives? Sales, Markdowns, Throws, Shrink, Profit, OSCA
- What are the measures of success for the audit? Audit timeline and target dates? / number of Findings? / Business Acceptance of findings?

i Additional Information
- Key call outs
- Comments from business
- Parking lot

7 Project Objectives & Scope
- What will this project accomplish?
- What is needed to achieve the project objectives?
- What are the concludeable areas for the project?
Guidance: Applicable business areas (sub-processes); Business Policies & Procedures; Laws & Regulations; Data/Transactions; Timing; Locations

8 Risk and Control Backlog
- Business Risks and Controls
- Identify and prioritize the sprint backlog.
- Define project sprint timeframe?
Guidance: Hierarchy of Sprint backlog based on risk and value/importance to the business and achieving the audit objectives; Additional Sprints resulting from audit results and sprint retrospective

9 Project Team
- Audit Product Owner
- Audit Scrum Master/Team Members
Guidance: Finance / Operations / IT / Compliance; Data Analytics; Global Functional Team; Business area Subject Matter Expertise

22 Internal audit canvas example

1. About the Business
Business area alignment with the 2020 Game Plan:
- Strengthen the Core
- Improve Title Data and Wire Disbursement Integrity
Business objectives:
- To assess wire controls that are aligned with the overall financial, strategic and security objectives of company Information Services Corporation ("company")
Possible risks to the business in achieving its objectives:
- Inefficient wire controls do not support company's overall growth and can cause reputation risk and escrow and/or claims related losses.
- Inefficient wire integrity & training increases security risks to company
- Wire fraud fallout aggregates to excess spend while company continues to target cost reduction

2. Project Drivers
- Wire Fraud is on the rise per the FBI and has overshadowed reported losses of ransomware and any other direct financial loss
- The number of wire fraud scams reported by title companies to the Internet Crime Complaint Center (IC3) spiked 480 percent in 2016, according to a warning issued to businesses by the FBI
- Increased instances of Business Email Compromise (BEC) and Email Account Compromise (EAC)
- 30 instances of wire fraud at company in last three years amounting to ~ $5 million in misappropriated funds

3. Cross-functional Impact
Relevant Business Processes:
- Centralized Escrow Accounting (CEA)
- All business functions are impacted by this process as a result of wire disbursements supporting ongoing business
Compliance considerations:
- Regulatory compliance requirements
- Adherence to Truth in Lending Act and Real Estate Settlement Procedures Act Integrated Disclosure (TRID) which require wire disbursements are made in accordance with the signed and acknowledged Closing Disclosure (CD)
- Adherence with American Land & Title Association (ALTA) Best Practices Framework requirements related to wire disbursements
- Use of a Subject Matter Resource (SMR)

4. Value Proposition
What is the value of performing an internal audit in this area?
- To identify gaps in the process around security for disbursement of wires. Discovering these gaps can address any concerns that the financial and security aspects may not be properly evaluated during the Direct Operations closing process

5. Key Stakeholders
- Project stakeholders: CFO, CRO, Corporate Controller, Treasurer, Group President Direct Operations
- Internal Audit Product Owner: Internal Audit (IA) Senior Manager

6. Metrics/KPIs
- Key metrics used by the business: Wire fraud incidents; Wire populations (volume & value)
- Measures of success for the audit: Audit timeline and target dates, management buy-in, value of recommendations, perception of value

7. Project Objectives & Scope
Audit objectives:
- Provide recommendations as appropriate to further strengthen process design and controls related to company's wire disbursements made by the Direct Operations offices via Resware and WIMS
What is needed to achieve the project objectives?
- Policy and Procedure documentation around disbursement of wires, wire instructions and training, population of wires, adherence to Agile audit methodology, and management teaming
- Understanding of WIMS and Resware systems used to manage wire transfers related to Direct Operations
Concludeable areas:
- Identifying gaps in the process around security for wire disbursements
- Identifying processes and systems that govern how wires are disbursed
- Providing reasonable assurance around the control environment and identifying risk indicators to target fraud
Audit Timeline: March 2018 April 2018

8. Risk & Control Backlog
- Sprint 1: Performing fraud profiling based on past fraud occurrences and available industry data
- Sprint 2: Assessment of training, fraud awareness material and compliance
- Sprint 3: Control environment and wire fraud indicators assessment
- SMR: SMR will be utilized to get insight on the risk indicators associated with wire fraud. The risk indicators can be used to provide a risk analysis of Direct Operations offices, targeting the riskiest offices versus those operating at an optimal level with regard to wire security

9. Project Team
- Key Business Owner: CEA, Chief Corporate Development Officer
- Responsible: Internal Audit (IA) Manager, IA Senior Consultant
- Accountable: IA Senior Manager
- Consulted: CFO, CRO, Corporate Controller, Group President Direct Operations, IA Managing Directors
- Informed: CFO

23 This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.

About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the "Deloitte" name in the United States and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see to learn more about our global network of member firms.