Does a disrupted Internal Audit (IA) function mean a ... Event... · Does a disrupted Internal...
Transcript of Does a disrupted Internal Audit (IA) function mean a ... Event... · Does a disrupted Internal...
The better the question. The better the answer�.The better the world works.
Does a disrupted InternalAudit (IA) function meana stronger strategicpartner?
IA disrupted by design — the journeyhas started
To prepare fortomorrow, youmust disrupttoday.
Page 1
The case for change
What will the IA mandate be?
How will IA work in the future?
► Operating model► Use of technology► Talent of the future
The journey has started — emerging trends
A call to action
1
Page 2
Agenda
23
45
Organizations are managing evolving consumerexpectations, new partnerships, dynamic ecosystems,changing industry boundaries, disruptive business modelsand new competitive domains.
Every industry is changing and the cycles of changeare moving ever faster.
Industry convergence is touching every marketsegment.
From technology and climate, to geopolitics and trade,the outside landscape is changing dramatically.
Operating models are shifting – employees seekpurpose-driven organizations; full time roles are beingreplaced by gig work; nature of work is changing due totechnological advances
1
2
345
Page 3
The case for change
Page 4
So what’s happening?Innovation & disruption
Internet of ThingsRobotics 3D Printing Cloud Cybersecurity
Social Media Big Data Blockchain Artificial Intelligence Mobile
Page 5Page 5
Technological disruption is changing our lives
Page 6Page 6
Technological disruption is changing our business
Page 7Page 7
The work — and how we do it — is changing
88
Trust is more important than ever
Business today moves at a breathtaking pace:according to a recent study, in 1964 theaverage life of a company in the S&P 500 was33 years. That is predicted to drop to 12 yearsby 2027.
Trust is the new currencyto derive value and loyalty.Organizations recognize trust is criticalto sustaining consumer loyalty anddifferentiating their brand in the market.
Employees
Regulators
BoardShareholders
Markets
Customers
VendorsThird
Parties
Trusthttps://www.innosight.com/insight/creative-destruction
A good reputationmay get me to trya product – but
unless I come to trustthe company behind
the product I willsoon stop buying it,
regardless of itsreputation” 63% ofconsumers agree*
*Edelman Trust Barometer (https://www.edelman.com/trust-barometer)
Page 9
The case for changeEmerging technologies and new business models mean new risks and a bigger focus on upside and outside risks
Adopting a risk lens – upside,outside and downsideMoving from avoidance to optimization,for better business outcomes.
To be successful, organizations willneed to shift their focus from simplymitigating risk to embracing newupside opportunities.
Striking this balance requiresembedding risk and control intostrategic decision making within thefront-line businesses and multifacetedapproaches to the portfolio of risk.
Organizations will also develop digitalcapabilities that harness intelligenceand deliver insights across theenterprise.
Upsiderisks
Outsiderisks
Downsiderisks
Risks that offer benefits.Risks significant to theorganization’s ability toexecute its businessstrategy and achieve itsobjectives
Risks that offer negativeor positive benefitsbeyond the organization’scontrol
Risks that offer negativeimpacts. Risks anorganization is focused oneliminating, avoiding,mitigating or transferring ina cost-effective manner
Potential forinnovations to growconsumer bases
Increasingmarket share
Acquiring, managingand deriving valuefrom new assetsand talent
Actions of existingand emergingcompetitors
Geopoliticaland economicmegatrends
Demographic andenvironmentalmegatrends
Information securityand cybercrime(also an outside risk)
Employee fraud,and regulatorycompliance
Enterprise resiliency- technology andbusiness continuity
Page 10
The case for changeIA may not be able to keep up with the pace of change in the business leaving a risk coverage gap
Cha
nge
read
ines
s an
d co
mpe
tenc
ies
tom
anag
e ne
w w
orld
Today2000s Next 10 years
Ris
k ga
p
Internal audit Businessmanagement
Page 11
In the future, IA willbe viewed as an air trafficcontrol tower. Technology willenable real-time risk monitoringand timely reporting of high-riskfindings to instill trust, supportconfident decision making andultimately contribute toincreased business value.This operating model will alsoenable a higher degree offlexible sourcing.
The case for changeVision for the future of IA to maintain trust in the transformative age
Page 12
The three lines of defense
* Encompasses financial and non-financial risks
Activities generaterevenue or reduce
expenses
Identify, measure,monitor, control andreport all aggregaterisks consistent with
risk appetite statement
Third lineIndependent risk
assurers
Second lineIndependent risk monitors
First lineRisk takers and enablers
Provide technologyservices
Oversee risk-takingand enabling
activities of thefront-line units
Design risk governanceframework
Provide a view beyondcontrol adequacy tobroader, subjective
matters
Accountable forassessing andmanaging risks
Oversee risk profile;review and approvepolicies and limits,including breaches
and exceptions
Riskdomains*
Provide operationalsupport or servicing
Maintaininternal audituniverse and
plan
Stakeholders
Board ofdirectors
Prudentialregulators
Shareholders
Assess the riskgovernanceframework
Report to the auditcommittee on the
audit plan and results
Page 13
Driving insights & adding value
Third lineIndependent risk
assurers
Second lineIndependent risk monitors
First lineRisk takers and enablers
Risk domains
Stakeholders
Page 14Page 14
What will the IAmandate be?
Page 15
What will the IA mandate be?The IA mandate does not need to change but it will evolve
$
IA will be highly connected, proactive and forwardlooking in setting its priorities in response tomarket disruptions
IA will extend beyond its traditional assuranceprovider-role and become a strategic andvalued advisor
Assurance will broaden to: challenging the entirerisk framework and accounting for upside andoutside in addition to downside risks
Page 16
What will the IA mandate be?The mandate does not need to change but there will be a better balancing of focus
Business counselor► Focus on strategic topics and actively engaged in strategic
discussions and problem solving► Anticipating the future/industry trends and the impact on the
business► Fostering change and best practice development
and sharingAnalytics and robotics:► Prescriptive and trendsStrategic and Innovative view
Change agent► Focus on trends on why things fail systematically and audit against
“unknown” rules► Deep dive in root-cause/and internal best practices for
recommendations► Initiating changeAnalytics and robotics:► Descriptive and internal/external data drivenCurrent and change view
Anticipative monitor► Focus on future topics (e.g., missing controls, policies and
procedures)► Future impact of recommendations► Anticipating how the business model is changingAnalytics and robotics:► Predictive and real timeStrategic view
Assurance factory► Focus on non-negotiable assurance and base level of trust and
current/past topics► Current impact of recommendations► Raising awareness on current/past topicsAnalytics and robotics:► Descriptive and internal data drivenCurrent view
Proactive
Reactive
PartnerPolicing
Page 17
How will IA work inthe future?
Page 17
Page 18
How will IA work in the future?Have an agile and dynamic operating model enabled by technology and a flexible workforce
Operatingmodel
Technology
Talent
Be agile and dynamic
Apply more judgment
Provide dynamic outputs
Predict control failures andrisk triggers
Report results digitally
Digitally augment itscapabilities
Build and participate in riskcommunitiesImplement a balanced workforceDeploy resources with the right skill sets
Page 19
How will IA work in the future?The operating model will be flexible, proactive and insightful
An agile and flexibleapproach that is in tunewith the organization’sstrategic direction andpriorities and addressesthe changing businesslandscape.
No longer focused on look-back activities; IAprofessionals will apply more judgment in their work andfocus their attention on emerging risks and outcomes,not the existence of processes and controls.
IA will employ a variety ofdynamic outputs, on amore real-time basis, andgo beyond root causeanalysis to provide bestpractices, sector trendsand relevant benchmarksto meet the needs ofstakeholders.
Flexible Insightful
Proactive
Page 20
How will IA work in the future?Technology will augment capabilities and enable continuous controls monitoring
IA functions will digitallyaugment their capabilitieswith advanced dataanalytics, bots andmachine learning tohandle the volume,speed and complexity ofdata.
The adoption ofcontinuous monitoring andvalidation by the first andsecond lines will shift thefocus from detecting topredicting control failuresand risk triggers.
IA functions will digitally report their results (e.g.,dashboards, text alerts) in real time, providingbusiness insights and strategic advice.
Report
Augment Monitoring
Page 21
How will IA work in the future?A flexible, collaborative talent model with more analytical, innovative skills
Effective IA functions willfacilitate ecosystemsharing and centralizedrisk mitigation.
The IA workforce willconsist of a balanceamong full-timeemployees, third-partyservice providers,machines and contingentresources.
Creative problem solving, innovative mindset andsocial intelligence will become more valuable thantechnical knowledge.
Ecosystem
Knowledge
Balanced
Page 22
How will IA work in the future?A dynamic approach is pivotal — operating model, use of technology and talent infuse
Digitallyconfident,dynamic
and trustedfunction
Rob
otic
sPr
oces
sAu
tom
atio
n
Dig
ital
Wor
kers
Page 23 25 October 2019 Presentation title
The journey hasstarted
Page 23
Page 24
The journey has startedWhat some IA functions are doing as they kick-start their transformation
Audit Needs Assessment
Develop IA Plan
Execute IA Plan
Communicate Results
Identify and assess risks beyond today’s scope byleveraging predictive, historical and external data1Be flexible and agile around internal audit planningand responses based on changing assurance andreporting needs
2
Use automation to deliver large volumes of transactionaland compliance internal audit areas, enhancing riskcoverage and improving efficiency5
Deliver through advanced data analytics andvisualization enabling efficient resourcing of audit/riskresources
3
Digitize IA evidence and fieldwork in an integrated,digital platform to drive more insight around themes andtrends
4Re-think ‘traditional’ reporting content and format tocommunicate messages in new ways6Automate internal audit reporting leveraging digitizedIA evidence and fieldwork7
Page 25
The journey has startedHow is ‘automation’ emerging across the current IA lifecycle?
Planning andassessment
Execution anddocumentation
Reporting and communication Follow-up
Internal Risk Assessment:► Process mining tools
► Bespoke analytics (descriptive,customized)
► Foundational analytics(descriptive, standardized)
► Advanced analyticsExternal Risk Assessment:► Geographical risk factors
(external risk map)
► External analytics (e.g., digitalmedia, other sources)
Stakeholder needs:► Virtual collaboration
► Intelligent meeting record
► Audit management
Descriptive analytics:► Risk and control review via
process mining tools► Data driven audit execution via
bespoke analytics (customized)or foundational analytics(standardized)
Predictive analytics:► Scenario modeling via advanced
analytics techniques► Risk impact predictions
Digital auditing:► Enhance methods of auditing
based on risk culture► Control and testing automation
through Robotics ProcessAutomation (RPA)
► Virtual assistant to supportInternal Audit knowledgemanagement and providestatistics (e.g., chat/voice bot)
► Process automation for recurringfollow-up activities (email-reminder, status tracking)
► Intelligent meeting record
► Continuous benchmarking andInternal Audit functioncomparison
► Continuous auditing (e.g.,weekly, monthly) via bespokemonitoring dashboards
► Predictive risk alert (safety-netintegration)
► IA dashboard reporting
► IA video reporting
► Report intelligence
► Digital boardroom
Continuous assessment Cont. audit needs assessment • White spot analysis (robotics and text mining) • Cont. monitoring (descr. Analytics)
Page 26
How does automation impact the ability to cover risk?
Financial Compliance Operational Strategic
Manual effort Automation
Financial Compliance Operational Strategic
Risk coverage today
Risk coverageof the future
Page 27
RPAThe big picture
The long-term vision is to combine RPA with powerful analytics and cognitive technologies to form IA applications that will either directly assist people in theperformance of non-routine tasks or even automate those tasks entirely.
Desktop automation
Robotic processautomation
Intelligent or cognitiveautomation (IA or CA)
► The age of macros and workarounds► Pre-existing basic technologies, such as Visual
Basic for Application (VBA), auto hot keys, screen-scrapping
► Several toolkits, no systematic platform
► Strategic platform fortactical change
► Broad application (use cases are not function-specific)
► Rule-based automation of routines (able to followinstructions)
► No intelligence(binary decisions only)
► Strategic platform forstrategic change
► Narrow application (use cases require thoughtfulconsideration)
► Non-routine tasks requiring judgment (cognitivecapabilities, dynamic rules, artificial learning)
► Used to increase value rather than to reduce cost
Implementation speed and solution maturity
Valu
e an
d ca
pabi
lity
Structured data as basis forrepeatable actions Unattended service-based process
Cognitive computing utilizing unstructured data tomake decisions
Act
Perform
ThinkChallengetoday
Challengetomorrow
Page 28
Advanced Analytics
Value
Anal
ytic
s m
atur
ity
Descriptive AnalyticsMining past data to report, visualize, and better understand WHAT has alreadyhappened; after the fact or in real-time
Predictive AnalyticsLeverages past data to understand the relationships between data inputs and outputs tounderstand WHY something happened or to predict WHAT will happen in the future
Prescriptive AnalyticsDetermines WHICH decision or action will produce the most effective result against aspecific set of objectives and constraints.
Questions drivinganalysis
Techniques used
What is the bestoutcome?
What will happennext?
What if those trendscontinue?
Why is this happening?
What actions are needed?
Where exactly is the problem?
How many, how often,where?
What happened? Standard Reports
Ad hoc Reports
Queries/Drill Downs
Alerts
Statistical Analysis
Forecasting/extrapolation
Predictive Modeling
Optimization
Traditional Reporting and AnalysisStandard and ad-hoc reports report out past performance; drill-downs and alerts provideadditional information to specific questions
Page 29
How will IA deliver through analytics in the future?
Mobilize analyticsteam to develop
DA charterRisk Assessment Audit Planning Audit Execution Audit Reporting Monitoring
Key
activ
ity
Feedback Loop
► Identify risk assessmentpriorities
► Determine scope of audit planactivities
► Preliminary “scan” of relevantaudit information to drive projectscope, sampling and fieldworkprocedures
► Identify anomalies, trends andpotential fraud indicators
► Replace sample testingapproaches with full-coveragedata analytics
► Provide quantifiable, fact-based information for reportableissues and exceptions
► Visualization of audit findings
► Provide an automated basis forcontinuous auditing & controlsmonitoring.
► Provide analytical input for follow-up Risk Assessment.
Risk Ranking
Value at Risk Analysis
Regional benchmarking
Key Risk Indicators
Controls MonitoringRed Flags / Observations
Risk / Action MonitoringRisk Quantification
Report Visualizations
Exam
ple
anal
ytic
s
Page 30
The current environment of rising risks, regulatory activity and compliance costs makes this the ideal time to consider the potentialrole of Continuous Control Monitoring (CCM) or Continuous Audit (CA).
CCM / CA provides the business with insights into the effectiveness of controls and integrity of transactions. It also enablesinternal auditors to determine more quickly and accurately where to focus attention and resources.
Proactive Mitigation
Automate manual tasks
Actionable control framework
Effective auditing process
Expand risk coverage
Reduce Costs
Shorten audit cycles
B
E
N
E
F
I
T
S
Why
CCM/CA
Continuous Control Monitoring
T&E spend
P-card spend
Accounts Payable
Accounts Receivable
Journal Entry
Inventory
Fixed Assets
Potential CCM areas
Continuous Control Monitoring/Continuous Audit
Page 31
What is blockchain?
Distributed ledger► Every participant in the network keeps a copy of all the
transactions.► Transactions are secured by encryption to prevent tampering.
Consensus algorithm► No one node or server is responsible for approving transactions
leading to genuinely distributed transaction processing.► Each entry is validated and recorded on all ledgers across the
network.
Smart contracts/programmable ledger► Transactions can be sent with rules attached – small programs
that govern when and how transactions are processed.
Blockchain is adistributedinfrastructuretechnology. It is adecentralized ledger thatkeeps a record of eachtransaction that occursacross a network, whichenables a decentralizedexchange of trusted data– a “shared recordbook.”
Blockchain is software: it is both a database and a network
Page 32
A call to action
Page 32
Page 33
A call to action
Assess the current IA operating model, resource modeland technology footprint to identify opportunities toautomate and innovate and better position the function forthe transformative age.
Start by making real investments in areas of impact andaggressively attack “low-hanging fruit.”
Build a business case and start a process of transformation— technology development and deployment, skillssourcing, branding initiatives — to move toward the futurestate.
Arrival at the future state requires a journey that must start now. No one is out front, so do not look forearly adopters.
Change will require significant education of and communication with all stakeholders.
EY | Assurance | Tax | Transactions | Advisory
About EYEY is a global leader in assurance, tax, transaction andadvisory services. The insights and quality services we deliverhelp build trust and confidence in the capital markets and ineconomies the world over. We develop outstanding leaderswho team to deliver on our promises to all of our stakeholders.In so doing, we play a critical role in building a better workingworld for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one ormore, of the member firms of Ernst & Young Global Limited,each of which is a separate legal entity. Ernst & Young GlobalLimited, a UK company limited by guarantee, does not provideservices to clients. For more information about ourorganization, please visit ey.com.
© 2018 EYGM Limited.All Rights Reserved.
EYG no. 012126-18Gbl
BMC AgencyGA 1008961
ED None.
This material has been prepared for general informational purposes only and is notintended to be relied upon as accounting, tax or other professional advice. Pleaserefer to your advisors for specific advice.
ey.com