Continuous Assurance. December 2017


1 Continuous Assurance December 2017

2 Information is becoming new CURRENCY

3 A new strategy and vision for Risk teams: Why now?

Current State
- The business landscape is changing and there is demand for even more Risk-related services
- Risk teams face a constant challenge: making the business better vs. keeping the business out of trouble
- Greater desire to leverage automated tools and analytics

Issues
- While there is a strong desire to better leverage technology, making the best use of the tools available might not be a core skill of risk managers / auditors
- There is limited realisation on Technology investment
- Packaged solutions do not address the needs of Risk teams

Implications
- Existing IT and reporting infrastructure (Business warehouses) are unable to effectively support the requests
- Risk teams still have potential to integrate technology into the assurance approach
- The full benefits that technology could deliver might not be realized

The effective application of data analytics within Risk teams is a key enabler for the move from compliance officer to strategic business advisor.

Diagram labels: Audit Committee and management expectations; Strategic business advisor; Business insights; Risk teams; Core competency; Reinforce and monitor control environment and compliance; Business issues, risks, initiatives and key objectives

4 Economist: "The future of jobs: the onrushing wave" (2014). Is this really the case?

5 Buzzwords

Continuous Assurance; Stagnant reports; Cost Cutting; Value; ERP Upgrade; Audit tools; Substantive testing; Teaming; Delivery; Process Efficiency; Tools and Technology; Cost of control; KRI / KPI; Continuous Audit; Dashboards; Data Visualization; Audit Efficiency; Risk Analytics; Continuous Monitoring; GRC on a budget; Audit Effectiveness; Big Data; Helicopter view; Residual risk; Compensating controls; CAATs; Change; Data Quality; and many more.

What words have you come across?

6 Can analytics transform the way we see Risk? Risk Analytics: a closer look

The better the question. The better the answer. The better the world works.

7 Risk analytics in context: Three lines of defence

Process level (1st line of defence)
- Why? Process optimization and Risk reduction
- What? End to end process performance (KPIs)

Risk Advisory & Compliance (2nd line of defence)
- Why? Efficiency in Internal Control and Risk Management
- What? Confirming controls effectiveness (KCIs)

Internal Audit and Investigations (3rd line of defence)
- Why? Optimization of audits to enhance audit efficiency and effectiveness and deliver value
- What? Identification of control failures by testing entire populations (KCIs and KRIs)

Capability labels on the slide: Continuous Performance Monitoring; Continuous Controls Monitoring; *Analytics and Continuous Auditing; Continuous Monitoring; Continuous Assurance

Analytics is the first step in the development of a continuous assurance capability and true risk enabled performance management.

8 Clear tangible benefits through using analytics: Efficiency, effectiveness and value add

The following are some of the benefits that Risk teams could expect to achieve once an analytical approach has been fully embedded within the methodology, and the analytics capability is fully operational.

Benefit areas: Increase efficiency; Deliver more effective projects; Business value delivered

- Ability to deliver analytics centrally will eliminate some travel and third party support, e.g. support to perform fieldwork in remote locations
- High ratio of implementable value: Implementable value vs. Cost to acquire insight
- Issues based reporting takes you down to user level, making the implementation of changes very specific to individuals or groups in the business
- Full population testing ensures that the full extent of control failures can be quantified and the impact understood, without having to resort to inefficient substantive testing
- All data points (Master data, Transactional data and configuration data) can be analysed to enable identification of the root cause behind control failures
- Absolute insight into what individuals are doing, how processes are really being performed across the business
- Leverages your existing data to deliver insight and value, delivering a cross business view that others cannot provide; IT typically do not have the necessary technology to deliver this insight
- Can deliver opportunities to directly recover cash (incorrect payments, Expense recovery, VAT recovery)
- Can deliver value from improved effectiveness (Working capital, better negotiated deals with suppliers)
- Can identify potential savings through eliminating inefficiencies (reduction in transaction processing volumes)

Efficiency may be gained in subsequent financial audits, specifically in mature markets with high transaction volumes. This is because analytics would already have been developed and tested in Finance audits.

More effective audits could be delivered on a number of processes where full population testing would provide greater depth of coverage than a sample based approach. For example:
- Purchase to pay audits
- T&E audits

Value, through recoverable cash, and more significantly process and business insight, could be delivered in a number of areas.

9 Risk analytics: Capability framework

The successful application of Analytics is dependent on integrating the Analytics elements of Define, Produce, Consume and Govern fully within the IA framework and Methodology.

DEFINE
Define objectives, requirements, and clear action plans to be followed by Auditors and Investigators through Risk assessment, audit execution, and investigations.
Ownership: Chief Internal Auditor

PRODUCE
Delivery and management of Analytics platform, for the production and delivery of analytics outputs as per the defined requirements, to the Audit team for consumption.
Ownership: Explore options (Insource, outsource, build) to meet requirements at lowest cost of ownership, and should remain aligned with corporate IT and BI strategy

CONSUME
Convert Data to Insight and report to the Business to enhance the control environment and act as strategic business advisor.
Ownership: Chief Internal Auditor

GOVERN
Oversight of the entire process including ensuring independence and objectivity.

10 What does a successful capability build look like? A proven approach at a glance

11 Analytics roles & responsibilities: Key resources

The table highlights the different types of resourcing considerations that should be taken into account for a successful analytics implementation.

Roles and description of function / responsibility:
- IA / Risk teams: Internal Audit, includes client-assigned program liaison and IA SMEs responsible for Risk and Control Matrix reviews
- Investigations: Investigators and Forensic staff within the business
- Analytics SMR: Specialist Analytics subject matter resource
- Architect: Identification of required information sources based on business input, development of data models
- Analytics modeler: Definition of analytics logic and script development, based on input from Data Architect and analytics SMR
- Visualisation Designer: Visualization design to enable Reporting
- IT: Environmental setup / associated tools and technologies
- PMO: Project Management Office tracking progress, measuring benefit

12 Building an analytics capability: In-source vs Co-source

Increasingly, organisations are exploring different options to find the right approach to working with a service provider to embed analytics capability. Selecting a service provider means you can leverage tools and methods immediately to support quick wins while the future capability model is identified.

In House Capability
- Clear ownership & data custody
- Ease of access
- IT services support
- Licensing, technology TCO
- Skill requirements
- Limited flexibility in tools and techniques

Hybrid approach
- Quicker time to value
- Fit-for-purpose production, flexible platform
- Ease of access
- Data custody for sensitive data sets
- Licensing and technology TCO
- Variety of skills required

Co-sourced Analytics Capability
- Fit-for-purpose production, flexible platform
- Subscription based, pay for usage not for license
- Ease of access
- No in house production skills
- Data custody
- Dependent on service-provider
- Limited integration with IT services

13 What must go right? Based on our extensive experience

A focus on the following key points will deliver an initial immediate uplift, while ensuring that in the long term the full benefits of using analytics will be realized and sustained.

An effectively run program will:
+ Have the right program sponsorship and stakeholder involvement
+ Complete a technical sizing exercise, understand the limits of the technology and select the right tool for the right outcome
+ Consider change and journey management
+ Define a data lifecycle and manage data effectively
+ Deliver training on how to interpret and action the results of the analytics
+ Build momentum and deliver early success
+ Build in continuous feedback driving refinement of analytics and education for users
+ Focus on what Risk teams should stop doing
= A function that is Better, Faster, Different

Chart labels: Effectiveness; Greater realised benefits; Immediate uplift; Investment over time; Current level

The risks

If the program is not run effectively there is the risk that the effectiveness of the function will be adversely impacted in the short term as Auditors either try to deliver analytics in addition to the existing audit plan in full.

Things to avoid:
- Analytics that are additive
- Data implications are not fully understood
- Auditors and Investigators are not included in the scoping of the analytics
- Training that is not practical

Chart labels: Effectiveness; Short term decrease in effectiveness; Current level

14 Risk analytics: Maturity model

Chart axis: BENEFITS

5 Optimized
- Practices evolved in level 1 through 4 are used to continually improve analytics processes, procedures and results
- Continuous control monitoring tools

4 Managed
- Forensically sound methodology is institutionalized
- Management involved in the ongoing analytics efforts and understanding of business issues and root cause
- Re-performance of analytics procedures and use of advanced tools

3 Defined
- Enforced analytics policy and established analytics methodology
- Use of analytics championed by IA / Risk management
- Understanding of the business meaning of analytics procedures and results. Quality of analytics results is evaluated.
- Enforced analytics policy and established forensically sound methodology for data analytics

2 Repeatable
- Recognized as a value-add to the audit
- Not yet institutionalized. Relies on a central group or single person
- Tools are at disposal. Not applied consistently or correctly
- Awareness for importance of forensic readiness raised

1 Initial
- No formal analytics approach, procedures or methodology
- Performed occasionally at best
- Tools are not readily available
- Dependent on skills of limited number of SMRs
- No forensic readiness given

15 Can visualization help me see the big picture? Correlation vs. Causation examples

16 Correlation vs. causation: Spurious correlations

17 RTR process: JE stratification

18 P2P process: Material purchase price benchmarking

19 OTC process: Credit note assessment

20 Applicability of CA for Risk teams: Qualification, scoping and effort

21 Qualification, scoping and effort: Can it technically be performed?

General considerations:
- Have the risk teams deemed that data quality is a potential issue?
- What is the IT general controls posture of the systems of interest?
- Are there any interfaces or front-end / back-end integration that need to be considered?
- Has another part of the organization attempted to perform analytics in the past? How was this coordinated and can this be leveraged?
- Does the data need to reside within the organization's premises? What are the data handling protocols?

ERP systems:
- Are there any major customisation activities to the systems of interest?
- What is the system version?
- What is the process for downloading / obtaining the required data tables?

Non-standard systems:
- Is documentation available?
- Can the underlying data tables be downloaded?
- Does IT have the skill / capability to download the underlying data tables, or is there an external consultant required for legacy systems?
- Can the system support a data download?

The above is intended as general guidance; a detailed discussion with an Analytics SMR is still recommended.

22 Qualification, scoping and effort: What do I need to consider effort-wise?

General considerations:
- Is this performed independently or as part of risk management / audit activities?
- How much time is needed from the core Risk teams for analytics definition and consumption?
- What manual procedures can be dropped for automated testing?
- Who are the end-customers? Is it just IA, or compliance, or more?

Cost factors:
- Base effort (deployment, process documentation, IT protocols)
- Number of systems
- Number of processes
- Number of tests
- Number of visualisations

Time factors:
- When are the results needed?
- How long does IT need to provide access to the files?
- Are there any pre-approvals?

The above is intended as general guidance; a detailed discussion with an Analytics SMR is still recommended.

23 How much have we really done? LinkedIn view on structured vs unstructured data. Typical remit: structured data (today)

24 Contact

Benjamin Lee
Senior Manager, Risk Analytics Lead for EY MENA
Ernst & Young Abu Dhabi
25th Floor, Nation Towers 2, Corniche Road, P.O. Box 136, Abu Dhabi, United Arab Emirates
Mobile
benjamin.lee@ae.ey.com

Fadi Seif, CIA
Manager, Internal Audit and Risk Advisory Abu Dhabi
Ernst & Young Abu Dhabi
25th Floor, Nation Towers 2, Corniche Road, P.O. Box 136, Abu Dhabi, United Arab Emirates
Mobile
fadi.seif@ae.ey.com

25 EY: Assurance, Tax, Transactions, Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

EYGM Limited. All Rights Reserved.