internal audit event presentations/iia...many internal audit teams have shifted towards...
TRANSCRIPT
Internal AuditAdvanced Insights and Innovation
Noah Jellison, EY
Consulting
Senior Manager
Columbus, Ohio
614 297 3136
513 703 6935
Professional summary
Noah Jellison is a Senior Manager in the Consulting practice of EY. He has over 14 years experience and
specializes in data analytics and data science, automation and robotic process automation (RPA), IT audit, privacy,
and third party risk management and reporting. He teaches data analytics and data visualization courses at local
universities, and is a frequent presenter and trainer on innovation, data analytics, and automation. Noah serves
on the CSM Programs and Business Analytics Advisory Boards at Franklin University. He also serves on the Board
of Directors as Treasurer for both the Columbus Children’s Theater (CCT) and the Columbus Literacy Council (CLC).
He holds a dual B.S. from The Ohio State University in Accounting and Management Information Systems.
• CISA (Certified Information Systems Auditor)• CIPT (Certified Information Privacy Technologist)• ACDA (ACL Certified Data Analyst)• EY Platinum Badges Accreditation - Data Science and Data Visualization
Gaining the Edge –Internal Audit Innovation
The better the question. The better the world works.The better the answer.
Disruption is transforming our industry. New technologies, a shifting regulatory environment, changing workforce dynamics and a global pandemic are just a few that internal auditors must address to assess the risks facing their organizations.
The world changed in March 2020. Almost overnight, the COVID-19 pandemic strained health care systems to the breaking point, put much of the global economy on an indefinite hiatus and radically reshaped societal norms and interactions. For businesses everywhere, these events are undermining established assumptions while catalyzing new models and approaches.
COVID-19
How will COVID-19 reinvent social contracts and change
companies’ role in society?
How will COVID-19 reshape the global balance of power,
trade, networks and institutions?
How will COVID-19 and new technologies shape
the enterprise of the future?
How will COVID-19 change behavior
(consumer, work, family, social networks)?
The better the question. The better the world works.The better the answer.
Disruption is transforming our industry. New technologies, a shifting regulatory environment, changing workforce dynamics and a global pandemic are just a few that internal auditors must address to assess the risks facing their organizations.
Many internal audit teams have shifted towards virtualization and an automated suite of tools for help. That said, these solutions only address one part of the problem. Additionally, a holistic approach that revolutionizes internal audit is needed, fully covering the entire risk universe for the whole organization, in a way that has never been possible before.
When you can see the complete picture, why settle for a glimpse?
Page 6
Advanced insights
and
innovation
Emerging capabilities
Enable auditors to ask questions in a natural format to understand what procedures to perform or which analytics may be applicable
Virtual agents/chatbots
Robotic process automation (RPA) and artificial intelligence (AI) combined to drive smarter automation
Intelligent automation (RPA)
Process mining is a smart big-data technology that visualizes your real process flows
Process mining
System to automatically extract data fields from unstructured documents such as scanned contracts, and drive intelligent decisions based on document findings
Document intelligence
Predictive analytics uses statistics to predict an outcome and is improved by the ability of machines to learn based on experience over time
Data analytics/machine learning
Solution to leverage voice or unstructured data to identify compliance issues or monitor risk by leveraging speech-to-text transcription technology and natural language processing (NLP) modeling
Speech-to-text
This technology can cover large spaces in a short amount of time while providing different types of information such as object counts, volume metrics, thermal imaging, and video based process analysis
Drones
Framework that fosters proactive identification and early mitigation of gaps in existing governance structures and risk-and-control practices to create and maintain trust in AI systems and tools for model validation
Trusted AI
Internal Audit – Advanced insights and innovationHow can IA innovate and create advanced insights?
Risk Assessment Audit Planning Audit Execution Audit Reporting Monitoring
Ke
y a
ctiv
itie
s
Feedback Loop
► Identify risk assessment priorities
► Determine scope of audit plan activities
► Preliminary “scan” of relevant audit information to drive project scope, sampling and fieldwork procedures
► Identify anomalies, trends and potential fraud indicators
► Replace sample testing approaches with full-coverage of populations
► Provide quantifiable, fact-based information for reportable issues and exceptions
► Visualization of audit findings
► Provide an automated basis for continuous auditing & controls monitoring.
► Provide analytical input for follow-up Risk Assessment.
Risk Ranking
Value at Risk Analysis
Regional benchmarking
Key Risk Indicators
Controls Monitoring
Robotic Process Automation
Red Flags / Observations
Risk / Action MonitoringRisk Quantification
Report Visualizations
Exa
mp
les
Audit Lifecycle
Data analyticsWhat use could IA get from predicting the future?
Potential use cases for IA are using predictive analytics for risk assessments and scoping (prioritization of audit areas) e.g.:
► How significant is the volume/number of credit notes now and in the future to determine how much focus to put on the credit notes process
► Which expense accounts are material now and which ones in the future to determine which ones to select for Trial Balance reviews
Visualization & dashboarding
Insights – Audit planning, risk assessment, monitoring - > control mix, type, frequency & transaction type
Update pivots for each SL and GL data by plant
Map totals into disaggregated variance
table
Filter to only units with a variance between SL
& GL data
Data validation
Note the cause for each variance identified in
variance table
Compare order details to locate possible cause
of variance
Communicate with stakeholders for further
research
Sign in to source system
Enter extraction parameters and run GL
and SL files
Save GL and SL extraction files in local
folder
Data conditioning
Open previous month’s inventory recon file
Delete previous month’s SL and GL data
Copy and paste GL and SL data to respective
tabs
Data research
~ 19 Hours (Before) ~ 1 Hour (Before)
Sign into reconciliation system
Locate the reconciliations upload
folder
Input recon data and attach current month’s
recon file
Data upload
Automated Non-automated
~ 2 Hours (After) ~ 0.4 Hours (After) ~ 0.1 Hours (After) ~ 12 Hours (Before) ~ 0.1 Hour (After)
Data extraction
► Processing time brought down from 20 hours to ~3 hours
► Certain activities within “data research” can be automated further after changes are made to current process
Automation (RPA)– Account reconciliation processSignificantly reduce reconciliation processing and control testing time.
Process Mining
…is a smart big data technology that visualizes your real process flows – in real time. It shows where your bottlenecks and inefficiencies are based on data generated in the organization.
Process Mining…
How is your real process flow within your organization?
Process Mining helps to gain an understanding of your real process based on data generated in your organization.
Question
IA use case example: Scoping + Audit Execution
Text analysis
Identify redundant/duplicate control wording phrases
Computer vision (video analytics)
Face Mask Detection Social Distancing Compliance Heath Maps for Sanitize Prioritization
Occupancy Monitoring People Count
No-Go/Restricted Zone Monitoring
Drones
Inventory counts
Object recognition
Digital twins
Digital Twin
Beyond reality
The IA mandateThe IA mandate is not changing – it is evolving
$
Be highly connected, proactive and forward
looking in setting priorities in response to market
disruptions and risks
Extend beyond the traditional assurance provider-
role and be a strategic and valued advisor
Broadened assurance: challenging the entire risk
framework and accounting for upside and outside
in addition to downside risks
How do advanced insights and innovation add value to IA?
Focus audit scope on risks that really matter
Time savings through in-depth upfront knowledgeand repeatable capabilities
Improved audit value through high impact findings and meaningful recommendations
Sustainable reporting
People motivation and auditor enhancement
IA contribution towards realizing digital strategy and capabilities of the organization
EFFICIENCY
EFFECTIVENESS
RELEVANCE
RELIABILITY
How do advanced insights and innovation add value to IA?
RISK VALUEINSIGHTS
Internal audit risk assessment and audit planning
Audit universe
Requiredaudits
Coverage parameters
Risk parameters
Audit plan approval
Selection and sizing
Risk assessment
The macro internal audit planning processhas been largely unchanged for many years …
... with refinements to meet specific needsand improve sustainability and flexibility.
Prioritization2-4 Weeks 2-4 Weeks
**4-8 Weeks**
ANNUALLY
Audit execution
Report issuance
TestingAudit
planning & scoping
As well as the execution of audits …
Announcement
letterWalkthroughs
Fieldwork
2-3 Weeks 4-8 Weeks
**6-11 Weeks**
► Identify appropriate contacts/stakeholders
► Identify audit team and develop expectations
► Schedule and conduct opening meeting/conference
► Identify key risks and objectives
► Identify key in-scope systems
► Identify controls and develop RCMs
► Develop and send out initial request listings
► Schedule and conduct walkthrough meetings
► Obtain initial request items/populations and select samples for testing
► Develop and send out follow up request listings for testing
► Obtain follow up request items and conduct testing
► Identify, discuss and confirm observations and findings
► Draft audit report
► Schedule and conduct closing meeting/conference
► Issue audit report
Internal audit risk assessment and audit planning
Audit universe
Requiredaudits
Coverage parameters
Risk parameters
Audit plan approval
Selection and sizing
Risk assessment
Prioritization**4-8 Weeks**< 1 WEEK & REPEATABLEDYNAMIC | CONTINUOUS
Audit execution
Report issuance
TestingAudit
planning & scoping
Announcement
letterWalkthroughs
Fieldwork
**6-11 Weeks****3-6 Weeks**
Audit execution
Report issuance
TestingAudit
planning & scoping
Announcement
letterWalkthroughs
Fieldwork
Audit execution
On-Demand Audit
Reports
Testing & Monitoring
Audit planning &
scoping
Real-time | Continuous Auditing
Page 29
Advanced insights
and
innovation
Advanced insights – Audit planning, risk assessment, monitoring
Common risk & control matrix spreadsheet
Advanced insights – Audit planning, risk assessment & monitoring
Overall dashboard – control mix, type, frequency & transaction type
Control text analytics
Drive standardization and quality in descriptions of processes, controls, risks, issues, and other text fields.
Page 33
Risk assessments
Page 34
Risk assessmentsAudit reporting analysis
Process MiningScience to exploit the value of real data
20% data coverage
The most common and simplified process variant is visualized first
40% data coverage
See less common paths and activities. Ideally suited to detect anomalies and inefficient process variants.
No activity escapes the eye! You can zoom in
detecting long-term or unusual process paths or
defects that would otherwise remain hidden.
+
Textbook” process: How the process should be according to the process description.
The reality: Actual complexity that would be unknown and manageable without process mining.
What people think: Slight deviations from the standard process
+
100% data coverage
► ‘Communication of results’ based on videos, interactive dashboards, click-through examples etc.
► Dashboard reporting which draws upon digitized audit results and evidence to provide a real time view of internal audit findings and results
► ‘Lasting actions’ based on interactive data base for auditee, allowing easier follow up of management actions by IA
► Digitized audit documentation and internal audit delivery tools, resulting in One Click reporting
► Robotics based transcription of content (e.g., utilizing RPA to transcribe content from work papers or voice enabled technology
Automated report deliverybased on:
Re-think ‘traditional’ reporting content and format to deliver:
Digital reportingDigital real time reporting providing business insights and strategic advice
Control automation example – Change management controls (before)
Log into Change Ticket System using credentials
Select appropriate dates for change tickets
Extract sample ticket details from ticketing system
Navigate to change ticket search criteria
Bu
sin
ess
Te
am
System SMR
PMO Helpdesk
Input appropriate dates to select change population
Log into system using appropriate credentials
Select appropriate reports/queries to generate system change log
Au
dit
or
Initiate and
facilitate whole
process
Select random sampling from log for testing per sampling methodology
Initiate discussions and request system change log
Create system change management test sheet
Coordinate and communicate gathering change ticket details
Populate and actually test samples per ticket details
**Manual effort**
Multiple IT systems Detailed processManual, error-prone
activityBack and forth communicationP
itfa
lls
Extract system change population into spreadsheet
Using RPA, you can automate a largely manual change management control process, reducing total processing time to five minutes per sample. Here is a process prior to automation:
** Days to weeks to complete**
Control automation example – Change management controls (after)B
usi
ne
ss T
ea
mA
ud
ito
r
Collaborate to verify that the robot’s process is complete and accurate
BOT can automate system change log extraction
BOT can automate ticket details extraction
BOT can automate everything and reach the procedure on the right and have the testing template ready for
general review
Reduce processing time, resources,
costsLess risk of error
Faster processing
Minimize communication
with parties involvedB
en
efi
ts
Bot prepares testing template that is ready for general review
Time to process: 5 minutes per instance (after BOT has been set up)
Using RPA, you can automate a largely manual change management control process, reducing total processing time to five minutes per sample. Here is a process prior to automation:
Advanced insights example – Purchase to pay (PTP) process
Quickly detect, monitor and remediate inefficiencies and processing errors as part of the PTP control process.
Scenario #1 – Business Insights: The high spikes in price changes on a PO were identified for further follow up.
It was identified that contracts were being entered into the system before the price was finalized and then updated after price was finalized.
This caused significant rework, but the process had not historically been changed because “it was the way things were always done”. The audit finding resulted in streamlining of the process.
Scenario #2 – Reduced Risk: When analyzing all users who were making PO changes, it was identified that firefighter IDs were making a large number of changes even two years after a system implementation.
The proper access was never set up and increased the potential for fraud. Proper access and compliance with SOD was enforced as a result of the audit finding.
Advanced insights example - Time & Expense (T&E) process
Quickly detect, monitor and remediate inefficiencies and processing errors as part of the T&E control process.
Scenario #1 – Cost reduction: Identified that employees used their personal credit card for 33% of the total company’s T&E spend.
Had this spend been on the company issued credit card, this would have put the company at a high tier of rebates which would have yielded a payment of an additional $400K.
Scenario #2 – Cost reduction: It was identified that Hotel Partnerships (20% discount of rate card) existed with Hilton and Marriot family brands.
However, employees were staying at Crowne Plaza and Holiday Inn hotels where the organization had no existing partnerships. The total spend identified at these hotels was $1.1M.
At a 20% discount, this would have yielded savings of ~$200K if Hilton and Marriott family brands were used.
Advanced insights example - User access process and controls
Solution
Users are able to identify, track and trend real-time user access and termination exceptions with drill-down capabilities by technology and system.
Value
Added layer of capability to project and predict potential control failures.
Interactive visualizations of terminated users for user access controls with drill down functionality to allow management to further investigate control exceptions and issues within the terminated user process.
Terminated User Exceptions
We must be bold.
Being bold is not easy.
The world is borderless and rapidly changing and we must do things differently. Even without all of the answers – starting the dialogue is critical.
Innovation is the art of making hard things easy and creating something new and surprising.
Questions?