Internal Audit of the Future Transforming Internal Audit 21 November 2019


Page 1: Internal Audit of the Future Transforming Internal Audit · ©2019 Deloitte Touche Tohmatsu India LLP Internal Audit of the Future 21 Traditional vs. Agile Internal Audit Agile IA

Internal Audit of the Future

Transforming Internal Audit

21 November 2019


The Future - Internal Audit 3.0

Assure

3 LoD enhancements

Assurance by Design

During change

Control Effectiveness

Advise

Risk Sensing Risk Learning

Anticipate

RPA Automated QA

AI Analytics

Automated core Assurance

Purple Person

SMEs

Next Generation Resourcing

Polymath

Relationship management

Agile IA

Response teams

High Impact reporting

Change catalyst

Core processes

Truly greatest risks

Decision governance

Behaviours

3 LoD

Digital technologies Dashboards

Intelligent Assurance

Digital assets

Skills & capabilities Enablers


Digital assets

Work Paper Documentation

RPA/ Bots

Analytics

Process Mining

Dashboards


Tech-enabled IA

METHODOLOGY & IA FRAMEWORK

TESTING & VALIDATION REPORTING

• Risk sensing for IA planning

• Automated work papers

• Issue tracking

Substantive fieldwork

• Advanced Analytics

• RPA / Bots

• Cognitive & AI

Continuous Monitoring

• CCM

• Content extraction (ARGUS)

ERP Based

• GRC Tools

• Process Mining

• Controls cockpit

• Report writing using NLG

• Report dashboards

• Action items tracking


Transformation to Analytics

Guiding principles for analytics

01 Define analytics goal in line with business objectives

02 Know your data

03 Actionable and measurable

04 Leverage existing insights

05 Relevant to business

06 Test, learn and improve continuously

Analytics maturity curve

Excel Excel, ACL Qlik, Alteryx, Tableau, Argus, Predictive analytics tool SPSS, R

Increased Sample Testing Quantification of Impact Behavioural Trends

Process Change/Continuously monitoring

Innovation

Outcome

Tools

Ad-hoc exploration

Non-Repeatable process

Ad-hoc exploration

Non-Repeatable process

Complex Analysis

Management defined goals & objective

Integrated insight

Next best action

• Unpredictable performance

• Success based on individual competence

• Rudimentary and loosely-woven

• Repeatable with similar application and scope, but not consistent across units

• Developed and adopted consistently

• Defines goals and objectives for standardised processes and confirms their communication

• Consistent application across organisation

• On-going monitoring with elements of predictive

• Management decision-making driven by analytical outcomes

• Well-defined and institutionalised

• Continuous improvement methodologies used to adapt to future changes

• Evolving forecasting models

Embedded in process

Stage 1: Initial Stage 2: Developing Stage 3: Defined Stage 4: Advanced Stage 5: Leading


• #1 challenge : Data

Analytics capabilities vary across the industry with few leaders

* Source Deloitte Global CAE Survey 2017

Data Management & Aggregation

Sampling & profiling

Data Quality

Advanced Modelling

Data analytics

Statistical and quantitative modelling

Data Visualisation

Model Validation

Quantitative Risk Assessment

[Chart: Analytics Capabilities by Size of Organisation. Axes: Size of Organisation (Small to Largest) and Scarcity (Least Scarce to Most Scarce)]

Challenges

• Audit plan support: Advanced firms supporting 43%, developing firms supporting 21%

• More organisations hiring Data Science and applied Mathematics and Statistics skillsets

• Master data management: Important underpinning for more advanced functions

• Core business auditors to develop analytics capability

• 4-7% of audit group comprise analytics teams (number to increase in 3-5 years)

• Audit methodology, approach, and QA evolving to better incorporate analytics at the core of the audit function

Opportunities


Insights-driven IA methodology

Integrated Data Analytic Steps

Traditional Audit Steps

Extract, transform, and load data

Analyse data; compare, profile, visualise

Develop testing hypothesis with audit team

Identify Potential Analytics

Audit sampling, continue to support and iterate on hypothesis

Visualise and story board results

Confirm Audit Objectives / Scope

Develop Enhanced Audit Scope

Audit commences

Test key hypothesis

Communicate results

Critical new interactions in the process


Integrating IA and analytics – Example for a FMCG company

Legend: Analytics can not be performed / Analytics can be performed (* Indicative)

Areas

Wholesale: Order processing; Billing and collection; Pre-payment rebates and Discount; Sales return and quality control; Price card and scheme formulation; Monitoring of targets

Retail: Billing and cash transfer to Company; Distribution planning and logistics; Shortages at shops; Shop expenses; Physical security; Liquidation of old inventory

Procurement: RFP and vendor selection; Single vendor procurement; Material receipt and quality check; Receiving; Storage and stacking norms; Payment processing

Production: Bill of Material (BOM) management; Input Output Reconciliation; Production planning and controlling; EHS Compliance; Quality controls; Wastage and scrap

HR & payroll: Recruitment; Commission to recruitment consultants; Attendance and leave monitoring; Incentive to sales team; Separation and F&F; Wage records and Statutory Compliance

Distribution: Stock planning, inventory levels; Review of stock out situations; Logistics Planning; Loading and dispatch controls; Transporter selection and evaluation; Freight analysis


Continuous Control Monitoring (CCM)

Guiding principles to build CCM Program

1 Link Objectives with Clear Business Drivers

2 Know Your Data

3 Start Simple

4 Leverage Existing Insights

5 Make It Actionable and Measurable

6 Test and Learn

CCM Delivery Model

Understand: Establish clear understanding of expected benefits; link analytics to business plan

Acquire: Determine data tables, fields and reports required to deliver testing objectives

Analyse: Perform first pass testing on data and discuss high level insights with stakeholders.

Refine: Perform second pass testing on data.

Report: Summarise key insights and use visualisations


CCM use cases

Each use case is listed as Analytics, Objective and Risk.

Analytics: Material price outlier analysis
Objective: To identify if same material is purchased at multiple Unit Prices across vendors and plants
Risk: Fraud, Financial, Operational

Analytics: Purchase Orders without Release Strategy
Objective: To identify purchase orders without release strategies which might indicate potential lack of an approval mechanism
Risk: Financial

Analytics: PO-GRN-Invoice Analysis (3 way match analysis)
Objective: To compare PO, GRN and Invoice Quantity and identify cases where Invoice Unit Price is greater than PO unit price
Risk: Operational

Analytics: Splitting of Purchase Orders
Objective: To identify if multiple POs for the same vendor and material are created on a single date by the same user
Risk: Operational, Fraud

Analytics: One Time Vendor Activity
Objective: To identify cases where payments have been made to one time vendors more than once
Risk: Operational

Analytics: Vendor – User Correlations
Objective: To identify a possible collusion between vendor and buyer, by analysing the POs created
Risk: Operational

Analytics: Purchase Orders without Purchase Requisition
Objective: To identify and analyse POs which do not have a corresponding Purchase Requisition.
Risk: Operational


Robotic Process Automation (RPA) / BOTS

RPA is a key component in automating core assurance.

Under IA 3.0, IA functions implement RPA processes that will lessen manual testing needed and increase test coverage.

Continuous RPA

• Automated Controls

• IT General and access controls

• Configuration controls

• Voice analytics BOTs for suspicious negotiations

• Voice analytics BOTs on customer service interactions

• Intelligent detection of suspicious logs associated with IT systems through GRC

• Identifying potential FCPA issues through transaction analysis

Event Based RPA

• Removal of IDs on an employee’s exit from firm

• Manual JV analysis

• Regulatory reporting validation

• Performing financial and MIS reconciliations

• Automated review of text-heavy documents


Artificial Intelligence (AI)

Elements where AI can be implemented

• Data extraction from documents

• Fraud detection, patent and spends analysis

• Follow-up questions, querying knowledge sources, sensing user emotion, and escalating user queries

• Anti-money laundering Suspicious Activity Reports

• Investment narratives

• Portfolio commentary

• Regulatory disclosures

• Personalised client communication

Cognitive Insights: Finding complex patterns in data to make better decisions and more accurate predictions

Cognitive Engagement: Providing language- or image-based personalised information through text/voice


Process Mining

Process X-ray shows what really happened during process execution

Sample analyses

Throughput time

End-to-end view

Waste finding Handovers

User activities Policy check

Exception handling by employees

Work flow between individuals

Root cause identification

Aggregated behavioral patterns

Benchmarking


Dashboards and Visualisation

Examples

• Real-time modelling of supply and demand

• Real-time quality assurance results

• Automated assurance dashboards

• Risk-sensing dashboards

• Portfolio management dashboards

• Management & audit committee reporting dashboards

In line with Agile principles of demonstrating control and encouraging collaboration, IA 3.0 promotes use of visualisation and transparency to manage the function.

Through dashboards, functions can build new, collaborative ways of working.

Automated Reporting Dashboards


Skills and Capabilities


Developing the internal audit team

Skills and capabilities

Polymath Purple Person SMEs Next Generation Resourcing

Relationship management


Agile IA


Agile IA – Driving Efficiency

Identify high-priority business problem

What agile is and is not

Agile is

Group of methods based on iterative development, where requirements and solutions evolve through collaboration between self-organising, cross-functional teams.

Agile is not

• A single methodology

• A set of tools

• Easy to implement

Hypothesis for solution

Build & test rapidly with real users

Learn

Deploy


Agile IA – Driving Efficiency

IA should transform to deliver on a broader set of expectations, providing assurance but also advising on and anticipating risks…

Why Bring Agile to Internal Audit?

Objective: To deliver meaningful, timely and real time insights.

To assure, advise and anticipate risk effectively, we need Agile IA processes!

Speed & Agility

The velocity of business is faster than before, and traditional IA is not an effective third-line of defense in this fast-paced world.

Business Value

Agile is iterative, and allows us to continually revisit current risks and reprioritise as a continual process for the audit

Allows IA to respond quickly to changing business needs

Reduces time between requirement and delivery

Builds risk-specific insights for customers

Enhances ability to drive meaningful, high-quality insights

Meets business commitments by reprioritising scope


Agile IA end to end

4 Roles ● 4 Ceremonies (Meetings) ● 5 Artifacts (Documents)

Scrum Team Product Owner Scrum Master Stakeholders

Sprint 0

Execution (Sprints 1, 2, N)

Document Meeting

Why are we doing this audit?

How do we scope this?

Initial Audit Backlog

How do we prioritise the backlog?

Sprint Planning

Sprint Backlog

Tasks

1–2 Weeks

Daily Scrum

Sprint Review

Work papers

Sprint POV

Retrospective

Audit Canvas

Final Report


Traditional vs. Agile Internal Audit

Agile IA puts a heavy focus on internal auditors to drive collaboration and be seen as partners to their stakeholders rather than as “the police.”

Traditional

• Begins with ‘big up front’ design and discovery through audit report with limited or no overlap

• Audit report is released as a ‘big bang’ delivery with benefits realised at the end of the audit

• The client/customer/stakeholder has limited communication and collaboration with audit team

Agile

• Cross-functional internal audit teams work simultaneously on a single audit to accelerate delivery of Summary Observations, Impact, and Management Action Plans (MAPs) each sprint

• Product released in increments to ensure audit of right thing at right time

• Uninterrupted communication and feedback between stakeholders, clients and audit team


Thank you!

#IA 3.0. Let us take you from your now to your next!


Key Contacts

Anthony Crasto, Partner, Deloitte


Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.

This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.

No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.

©2019 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited