IIA/ISACA Joint Audit Topics Event

Transcription

1 IIA/ISACA Joint Audit Topics Event Future of Internal Audit October 2017

2 Agenda Introduction Future of Internal Audit Risk governance framework People and controls Tools and Technologies Wrap-up Page 2

3 Introduction Page 3

4 When I think future of internal audit, I think. Page 4

5 Disruptors to the Internal Audit organization Organizations are facing an efficiency and productivity crisis, with low returns on equity (ROE), rising costs and stagnant revenues. Organizations continue to face a cultural crisis, with little reliable evidence that companies have taken all the necessary steps to process vast amount of data globally, address controls issues and change employee behaviors to prevent future loss events, control breakdowns or instances of misconduct. Although significant change has been made, organizations continue to face a crisis of trust, with claims that companies have put their profits before the needs of their customers. With this backdrop, Internal Audit functions should explore opportunities to increase their effectiveness and optimize cost efficiencies. Cost pressure Falling ROE, pressure to reduce headcount, rising offshore costs New focus areas risk culture, conduct risk, outcomes, agile auditing, real time assurance, broad and targeted opinions Regulatory focus Demand for reliance, extension of regulators, new hot topics Disruptors to the Traditional Internal Audit Organization Ever increasing threats Financial crime, cyber attacks, misconduct, 3 rd parties Proliferation of control testers Multiple testers across 1 st, 2 nd LOD, no commonality, questionable reliability Global megatrends Digital everything, demographics, entrepreneurship, global marketplace, market entrants & FinTech Page 5

6 Internal Audit is facing pressure to evolve Evolving regulatory agenda Higher governance and control expectations in prudential agenda Broadening conduct agenda, including strategy, product design, and suitability Changes to business model Regulatory requirements have driven down ROEs, necessitating business-model changes Digital and FinTech are revolutionizing financial services Continually rising governance and culture expectations Stronger first line accountability Clearer roles/responsibilities across the three lines of defense Enhanced board oversight Internal Demand on people Ever increasing expectation of specialist knowledge (product, technology, regulation, risk) centers of excellence Competition for talent (inside organization, cross industry, service providers) audit Uncertainty Loss events continue to happen process & controls have not really improved Demand for faster change, e.g. Agile Acquisitions, new entrants, obsolescence Future of control Common taxonomy Centralized testing functions and control rationalization Reliable metrics & KPIs Future of work Gen X, millennial expectations Robotics, machine learning and process automation Significant improvement in data quality and analysis Stakeholder expectations Improving cost of controls ROI Better leverage analytic techniques and automation Contribute to organizational talent profile Prospective view on governance, risk and control Page 6

7 Stakeholder expectations for the future of internal audit Are we focused on the risks, processes and controls that matter? Do we truly understand the risks that the stakeholder is taking? Are we proactive and focusing on emerging risk areas? Are we duplicating or overlapping with other risk functions? Do we have the right mix of skills at the right cost and in the right locations? Can we use alternative sourcing strategies to reduce costs? Are we getting the right business return on our internal audit investment? Have we optimized the use of technology? Is IA aligned and coordinated to support business objectives and value creation? Do we have effective risk reporting for executive management and the board? Are we measured on the value we bring and the impact to the business? Page 7

8 Meeting the challenge In the next 3-5 years, Internal Audit has to adapt in the following key areas, supported by the board and management. Integrity of risk-governance framework Adopting a more dynamic people model Using new tools and techniques Test the framework, not the controls Don t take anything as given: analyze the strategy, business models, and products and services Get involved early on, not after, key design decisions have been made Develop risk-based, not coveragebased, audit plans Adopt flatter structures Grow and develop specialisms Increase use of external talent in highrisk areas to cross-train internal talent, not simply as a mechanism to control costs Deploy new centers of excellence Adopt an additional set of building blocks, e.g., even more flexible audit plans, broader and timelier reporting protocols Emphasize a greater dependence on judgment More use of data analytics Adapting to elements related to digital, e.g., digital change programs, social media, cloud computing, and cyber and data protection Strong board and senior management support Page 8

9 Risk governance framework Page 9

10 Integrated risk governance Internal audit has a major role to play in helping firms transform their risk governance. Organizations are improving risk governance in a number of areas: Embracing fully embedded risk appetite frameworks Strengthening risk accountability frameworks Increasing control effectiveness Enhancing risk transparency Creating an integrated approach to talent and incentives Further enhancing board oversight Fully aligning business culture with risk appetite Internal audit is integral to sound risk governance and a key enabler for the board and senior management to fulfil their riskgovernance responsibilities. Page 10

11 Approach to culture Industry practice is evolving, with internal audit adopting two distinct approaches to building cultural and behavioral factors into their audit approach. While some firms have chosen to wait, some firms have limited their input to managers attitudes to control in firm-wide annual performance reviews of senior and middle management while others have added a question or two on behaviors to audit questionnaires. Management controls assessment (MCA) A stand-alone commentary or rating of management s focus and support for controls is increasingly a common starting point: MCA rating given in addition to control environment rating Firms are using a range of factors Range of practice in formality, quality and use of MCAs MCAs can incentivize management to be more aware of key risks and how well existing controls address those risks. This is even more important in the context of regulatory and supervisory pressure for stronger front-line accountability for risk. Embedded in audit approach Some firms have embedded behavioral or cultural factors explicitly into their audit methodology: Overall audit planning process Built into every audit Culture deeply embedded in internal audit methodologies, tools and reports Cultural findings evaluated, documented and reported Few firms have gone this far, but others may follow as the profession s approach to culture develops. Page 11

12 Risk culture framework Incentives Providing the right motivations Rewards Risk transparency Employee life cycle Risk appetite Taking the right risks Risk framework Risk culture Leadership Communicating the right message Tone from the top Risk governance Risk behavior standards Roles and responsibilities Establishing right environment Organization Attributes Leadership Organization Risk framework Incentives Risk culture mechanisms Tone from the top clearly establishes desired risk behaviors, with middle-management approaches and behaviors in alignment. Risk behavior standards are established, assessed and embedded into performance management processes. Roles and responsibilities are clearly articulated and well-understood, and accountability for risk management is well-defined and established. Risk governance is effective and facilitates open communication and challenge. Risk appetite is clearly articulated and well-understood, and it is consistent with business strategy and embedded into decision-making throughout the organization. Risk transparency is enabled by clear and comprehensive risk reporting, including forward-looking and aggregated views of risk. Rewards, including compensation and promotions, are risk- and behavior-adjusted. Employee life cycle, including recruiting, onboarding and exiting processes, promotes desired behaviors and effective risk management. Page 12

13 Future of people and controls Page 13

14 The future of people The future of people The future of work Mind clarity Teaming ability Collective purpose Performance / rewards Physical environment Technology experience Digital leadership Page 14

15 The future of people How do you enable your people to cultivate a mental state of clarity and focus to drive innovation? How do you foster a culture of compassion and connectedness with your colleagues? What collaboration processes do you have to foster innovation? Do you have teaming capabilities with other organizations? How do you encourage innovation across levels/ ranks? How are you enhancing your employee s experience through technology? How do you use technology to better communicate with your colleagues and business partners? How are you using technology to create a more productive and cost efficient function? Technology experience Mind clarity Teaming ability IA future work now Digital leadership Do you have the right soft and technical skill-sets to lead? Is your leadership team flexible to change? Do you have an active level of engagement with your teams? How do you foster real-time performance feedback? How do you non-monetarily reward your people (e.g., health, time-off)? What processes exist increase employee retention and level of engagement? Performance and rewards considerations How is IA making a difference to the organization and industry? How do you motivate your Physical environment Collective purpose employees? How do you thank your employees for what the do? How does your workspace enable a creatable and energized environment? How do you encourage flexible working arrangements and physical/mental health? Page 15

16 The future of control The present is Eager to transform from performing testing in siloed functions to eliminate: Duplication Multiple methodologies Inefficient and ineffective Highly manual, limited automation The future is Testing functions that provide testing for end-to-end risk and control coverage Ability to thematically report control testing issues across all testing functions Boards and Senior Management are looking for efficient processes to perform control testing, identify issues, report issues, etc. There is a significant drive to be able to define roles and responsibilities for centralized testing functions Page 16

17 The future of control (continued) Evolution in 3LOD frameworks Ongoing Industry Focus Areas Challenges with defining a 3LOD operating model including appropriate roles of 1LOD and 2LOD 3LOD model is partially formalized; continued challenges with 1LOD and 2LOD roles in practice. Transition to target 3LOD operating model is nearly complete with further opportunity to drive 1LOD accountability Target State Target 3LOD model is fully operationalized with supporting tools and infrastructure Emerging Non-Financial (Post Crises) Financial Non-Financial (Operational Risk Basel) Page 17

18 The future of control (continued) Benefits of integrated testing 4. Harmonized testing requirements, methodologies, rating scales, and standards for issue / action plan documentation. Central approach prioritizes risks, reduces overlaps and identifies gaps in coverage. 1. Coordinated Testing 4. Reduction of Risk Assessment Fatigue Relieve fatigue experienced by business and risk managers from uncoordinated interactions with and requests from several risk and control functions. Streamlined risk and control assessments and testing, improves efficiency resulting in reduced spend around control and testing activities. Relieve fatigue experienced by business and risk managers from uncoordinated interactions with and requests from several risk and control functions. 2. Efficiency Aligned Reporting Step 1: Inventory Step 2: Evaluate Step 3: Prioritize Reinforce Risk Culture 5. Clarified Roles & Responsibilities Clear approach to control testing across lines of defense to promote consistent implementation of the three lines of defense model. From a consistent approach to measuring control performance, supported by LOB scorecards to strengthen accountability, incentivizes a culture of control and compliance. Page 18

19 Using new tools and techniques Page 19

20 Emerging trends changing the industry Business Integration Advanced Technologies Continuous Auditing Analytics programs are further integrating themselves within the Internal Audit department by developing self service tools. Organizations are evaluating ways to incorporate advanced analytic technologies within their analytics programs. Organizations are making considerable efforts into developing continuous auditing programs. Creation of self service tools allows the business auditors to further incorporate data analytics within their programs by analyzing data in real-time To provide accurate and effective self service tools, analytics programs stress the importance of following clearly defined documentation standards and developing a strong review process Firms are evaluating how to incorporate robotics within Internal Audit in order to increase efficiencies and focus efforts on more complicated processes Firms are utilizing text analytics to analyze customer complaints for risk identification and to enhance the risk evaluation process Uses include: mapping risk areas to regulatory rules and requirements or validating risk evaluation in RCMs Continuous auditing is innovating the audit process by helping to analyze how risk is imbedded across the firm Key focus is not on responding to every exception but developing a robust program that provides confidence in the audit process Page 20

21 Business integration: Data analytics Analytics advancements In the past few years the industry had made significant advancements in the use of analytics for Internal Audit. Although the analytics teams at different organizations may be at different stages of maturity, it is clear that significant progress has been made across the industry. Analytics 1.0 Analytics 2.0 Analytics 3.0 Incorporating analytics within the audit framework to increase efficiency of the audit process. Developing Documentation Standards Utilizing analytics to identify trends, develop thresholds, and drive insights. Data Visualization Transforming the business of auditing by using analytics to drive the audit process and risk identification. Embedding Analytics within the Business Descriptive Data Analytics Shared Cloud and Big Data Services Prescriptive Analytics / Risk Identification Unstructured Data Continuous Auditing Page 21

22 Business integration: Data analytics The analytics field of play for IA Analytics offerings help address audit, functional and sector specific challenges through the application of advanced analytics methods Analytics Management, Governance & Validation Analytics Strategy, Architecture & Enablement Descriptive Analytics What has happened? Visualization & Enhanced Reporting Unstructured Data Processing Diagnostic Analytics Why did it happen? Outcome Attribution & Insight Extraction Testing, Inference & Estimation Anomaly Identification Predictive Analytics What is likely to happen? Analytics Data Technology Network & Link Analysis Prescriptive Analytics What should be done next? Forecasting & Projection Simulation & Optimization Prediction & Scoring Machine Learning Page 22

23 Business integration: Data analytics Analytics strategy The assessment of these areas should be conducted through interviews with key stakeholders, review of available standards and methodology documentation and an analysis of how leading analytics practices could be implemented in the organization. The following depicts the framework we use to define the needs and develop an analytics strategy. Framework: Area Activities Purpose and Mandate Governance Defines Scope & Expectations Organizational Approach Define analytics scope, support from management for its use, and appropriate organizational approach Define process to plan, design, execute, document and review analytics and standards Resourcing Competency Development Sustaining People Excellence People Facilitates Alignment Execution Stakeholder Satisfaction Define required skills sets and competencies, including updating or augmenting employee incentives Identify paths for filling in skill set gaps via training, strategic hiring or consultant support Methodology Tools and Technology Knowledge Management Operations Quality Infrastructure & Operations Provides Efficient Delivery Effective Delivery High Quality Define required tool(s) for developing analytics within internal audit Define key data repositories and data sets, and data hosting and storage repositories Define knowledge management enablers Define methodology impact considerations Page 23

24 Advanced technologies When I think robots, I think. Page 24

25 Advanced technologies: Robotics Robotics introduction Robots link capabilities together to simplify, accelerate efficiency and provide flexibility. They allow for the creation of sustainable operations in a heightened quality and customer-centric environment. Unwind legacy of people-based quick fixes Perform laborious and repetitive tasks reliably Scale up and down to match peak loads Emulate the best business user behavior Shift control toward the business and reduce reliance on IT to get things done Deliver ROI in weeks through a rapid, agile approach Robotics enables organizations to automate existing high volume and/or complex data handling actions as if the business users were doing the work. Page 25

26 Advanced technologies: Robotics Identifying potential RPA opportunities Robotics process automation (RPA) can play a critical role in allowing IA to meet its capacity, audit coverage and efficiency objectives. Internal Audit Process Enhancement Opportunities As expectations for internal audit functions increase, the ability to manage workload, increase efficiency and effectiveness, while meeting a changing regulatory landscape will be a differentiator Firms may look to technology to address IA testing needs and increase efficiency. A number of technical approaches such as RPA can help achieve targeted automation of the audit process. Key Benefits of Testing Automation Deploying automation solutions allows the audit function to maintain a core team dedicated to interpret and review of audit testing results and minimize the highly transactional work of data collection, execution of test steps, tracking, and reporting. Utilizing process automation allows IA to focus on increase in coverage and population testing in historical areas that were challenged due to the manual nature of the control and related efforts Where Automation Can Make a Difference Reduce cycle time for heavily manual data collection and preparation for testing Reduce cost associated with non-decision making manual process Increase traceability test steps performed Increase consistency of test supporting documentation and execution Ability to execute a variety of tests by using/modifying previously built test steps Easily scalable and time to market is small Page 26

27 Advanced technologies: Robotics Identifying potential RPA opportunities Manual, repetitive activities that are common to all internal audit engagements can place undue burden on engagement teams. RPA can help alleviate this burden and enhance documentation consistency, while freeing up resources to more valuable activities: Internal audit activities Example of key workstep Planning Collect data and metrics to define audit scope Send initial document request list based on the audit scope Opportunities for RPA Automate the gathering of background information and metrics from multiple systems or sources to better define audit scope Pre-populate audit planning documentation Pre-populate documentation requests based on audit scope and planning documentation Create test of control lead sheets based on the RCM or inventory of controls Pre-populate testing templates with background information and test attributes Provides for standardized testing documentation Fieldwork Perform control testing Conduct entire population based control testing based on established parameters (e.g., repetitive rule-based tests) Enables consistent application of rules based control testing for defined attributes Issue Follow-up and validation Create test of control lead sheets for issue validation Perform issue validation Pre-populate documentation requests based on issues and action plans noted in audit reports Pre-populate testing templates with background information and validation testing attributes Selects sample based on established parameters and executes testing (e.g., repetitive rule-based tests) Enables for the testing of complete populations in a short amount of time Quality assurance Perform review of data drive quality checklist items (e.g., timeliness of report issuance, budget vs actual, etc.) Enables automation of quality assurance for review rules based or calculated compliance requirements Page 27

28 Wrap-up Page 28

29 Future Rise of the technology and data enabled internal audit function Evolution Internal Audit: past, present and the future Evolving from a control testing and independent assurance function to providing broad opinions, ongoing assurance, targeted responses and ultimately assisting the Board and Management to protect the assets, reputation and sustainability of the organization Boards and regulators place greater reliance on Internal Audit to identify and escalate issues and challenge the business to prevent and resolve problems Significant drive to improve effectiveness of 1 st and 2 nd lines of defense, specifically the first line s primary ownership for controlling various risks and 2nd line s effective oversight, providing significant synergistic opportunities Alignment on taxonomy, risk and control definitions, testing standards & issues Audit approach Process, systems and controls activity supported by focus on conduct, culture and outcomes Greater flexibility, dynamic audit responses developed, broad and targeted opinions Internal Audit Transformation Revolutionary opportunity to align the organization and apply innovative technologies to the audit process to dramatically increase reliability and efficiency of controls Data and metrics Data analytics and robotics employed to provide reliable continuous auditing Audit deliverables Reliable, relevant, targeted and broad opinions Increase in reliance Verify and rely on the work of others Internal audit remains current with business and technological change and is agile to respond Page 29

30 Questions? Page 30

31 EY Assurance Tax Transactions Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com. Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US Ernst & Young LLP. All Rights Reserved ED None This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey.com