the digitally disruptive internal auditor · the facilitator to electronically: assign risks to...
TRANSCRIPT
1
The Digitally
Disruptive Internal
Auditor
Future proofing your internal audit function
2
PARTICIPATE IN Q&A• Download the IIA Conferences App to
participate in Q&A during select
sessions
• Select the session through the
schedule icon
• Submit your questions for the session
or to specific presenters by selecting
the ASK icon
• Ask a member of the Conference Staff
if you need assistance
• You can also go to https://ic.cnf.io/ from
your mobile device web browser
3
Sergiu Cernautan
CPA, CISA
Senior Director, Product Strategy
Galvanize
Last First
Title
Company
Speakers
4
Personal reflections
Things I know (which isn’t much):
• Auditing is a noble profession, underpinning the integrity of our entire society.
• Every internal audit team I’ve worked with is strapped for time and
substantially under-resourced.
• Audit team mandates and responsibilities seems to be expanding while
dedicated time and resources shrinking.
• New-to-world risk factors are emerging at an exponential pace making risk
management more and more difficult.
• Recent technology advancement has completely changed the game in almost
every profession.
5
Creative destruction forces are accelerating the velocity of risk Digitization is the new norm
6
Broadly, digitalization converts currencies,
transactions, services, products, experiences,
and relationships into virtual forms. Virtual
forms are potentially more flexible, far-ranging,
and profitable—and more challenging to audit.
Source: Deloitte – Internal audit insights, High-impact areas of focus, 2017
Operational Risk
“
7
Convergence of 4 Forces
Cloud
Mobile
Data
Social
Source: Gartner
Driving forces behind digitization
8
No industry will escape digital disruption
Source: Forrester/Russel Reynolds 2015 Digital Business Online
Survey
9
Creative destruction is accelerating as
companies invest in intangible assets such as
databases, proprietary algorithms, and expert
workers, instead of physical assets such as
factories and inventory.
Source: Tuck School of Business at Dartmouth, Vijay Govindarajan and
Anup Srivastava, Strategy When Creative Destruction Accelerates
“
10
Virtual is the new business reality …
12%Or 60 original Fortune
500 left standing since
1955
460%Companies today are 460%
more likely to fail within five
years
90%
World data
created in last 2
years
… requiring new ways to manage risks
17%
S&P 500
intangible assets
in 1975
88%
S&P 500
intangible assets
in 2013
440Since 1955, the Fortune
500 has churned 440
organizations
11
Big idea: Digitization is inevitable.
Your challenge as leaders of internal audit
functions is to prepare your teams for managing
risk in the digital era and protect your
organizations against creative destruction.
Today’s presentation is about the how.
“Digitization
Technology
Methodology
Talent
12
Personal reflections
Things I wonder about:
• How can the audit profession continue to make an impact (and be sought
after)?
• Do we really have to do all the things we’ve always done (i.e. tick marks,
traditional audit reports, recommendations, etc.)?
• Have we really, truly embraced the possibilities that technology has presented
us as a profession (i.e. social, mobile, cloud, big data, automation)?
13
Technology
Are you setting the right technology vision for
delivering internal audit services in today’s digital
environment?
14
Looking into the future, what technology vision
should audit leaders cast today?
Q:
15
Technology vision should incorporate elements of
Cloud
Social
Data & Automation
Mobile
16
What are some examples you can give where
modern technology can be introduced into
internal audit practices?
Q:
17
Cloud Social Data & Automation Mobile
• Un-trap dark data
from spreadsheets,
share drives, and
• Integrate risk
management efforts
across related
functions
• Offer a better user
experience to audit
customers
• Ensure global
coverage
• Engage stakeholders
across the three lines
of defense
• Crowdsource audit
activities across the
business
• Establish internal
audit’s presence in the
organization’s digital
community
• Influence the risk
culture
• Automate your
workflows using robotic
process automation &
machine learning
• Objectively support
your assurance work
with data analytics
• Provide real time
assurance reporting
• Create a continuous
auditing environment
• Connect to cloud, social,
and data sources on the
go
• Capture audit evidence
using multimedia
capabilities of your
devices
• Increase business
productivity in real time
by complementing
traditional toolsets with
mobile capabilities
Digitizing internal audit
18
Crowdsource your enterprise risk assessments
A digital risk workshop tool can enable
the facilitator to electronically:
Assign risks to relevant
stakeholders for scoring
Record and view individual and
aggregate responses
Capture comments and
interactions in risk activity history
Collaboratively evaluate and
finalize scoring results and
rationales
Risk assessments require teamwork and are often an iterative and time consuming process. Modern technology can
speed up the process by digitizing the experience from the comfort of your laptop screen.
vs
19
Automate your process risk and control assessments
Auditors can:
• Define thresholds for the metric ranges
corresponding to the risk rating or control test
outcome.
• Compute relevant metrics using data
analytics tools and link them to relevant risks
and controls.
• The system will automatically return the risk
rating or conclusion of the control’s design or
effectiveness.
• Stakeholders are automatically notified so
they can take corrective action.
• Cover 100% of the data while reducing co- or
out-sourcing costs.
Organizations spend millions in co-sourcing or outsourcing risk and control assessments which consists of “sampling”
key controls. This process is mundane, error prone and often low-value — not to mention very costly.
vs
20
How would you rate the ‘digital readiness’ of
today’s audit shops?
Q:
21
Increased computing
power
Digitization
Advanced analytics
Mobile
Visualization techniques
Risk management for most companies has not fully leveraged the powerful tools that have emerged in the 21st century – increased computing power, digitization, advanced analytics, mobile and visualization techniques, among others – and the capabilities they make possible. Until it does, management can’t get serious about tying ERM into strategy, performance and decision-making – key themes emphasized in COSO’s updated ERM Framework.
Protiviti, Transitioning Risk Management to the Digital Age, Jim DeLoach, Managing Director, October 3, 2017
Risk functions have not fully leveraged technology
22
Forward-thinking Internal Audit functions seek
not only to provide assurance and advice, and
to apply digital technologies to their own work,
but also to anticipate issues and risks
associated with those technologies.
Source: Deloitte - Internal Audit Insights 2018, High-impact areas of
focus
“
23
Process
Are your internal audit processes sufficiently agile
to address the present and the future of your
organizations?
24
Refining the process
25
To be truly Agile … Internal Auditors will need to
deliver value to stakeholders early and often
via incremental delivery of audit products and
services.
Source: Forbes | Can Internal Auditing Become Agile? Seven Keys To
Thinking The Unthinkable | Mar 21, 2017
“
26
Practically speaking, what does agile auditing look
like?
Q:
27
Key ‘agility’ expectations:
• Auditing risks that matter to management
• Communicating what matters when it matters
• Changing audit plans as risks change
• Knowing when to stop auditing
• Auditing forward (or preventatively)
• Collaborate across the lines of defense
Management demands agile auditing
28
Auditing risks that matter to management
Automate this
Focus
on
this
29
Communicating what matters when it matters …
Using interactive, real-time storyboarding
technology auditors can:
• Communicate what matters when it
matters to upper management in a way
that is valuable, data-driven, and
directly actionable.
• Bring the message and data to life by
combining the power of interactive data
visualization, narration, and annotation.
• Provide stakeholders with a feature for
easily taking corrective actions by
triggering remediation workflows directly
from the storyboards.
Traditional point-in-time audit assurance reports no longer provide value to boards and senior management. Instead,
management is increasingly asking for real-time assurance and forward looking assurance projections.
vs
30
Changing audit plans as risks change
Identify
metrics for
continuous
monitoring
Automate the
related enterprise
risk assessment to
reflect real-time
data
Establish the risk appetite (e.g.
risk tolerance thresholds)
Change
direction as
risks change
31
Traditional full cycle audits no longer provide value to boards and senior
management. Instead, stakeholders are increasingly asking for real-time
assurance and forward looking projections on attaining the desired assurance
objectives. vs
Management expects internal
audit teams to:
Present a simple, visual, fully
quantified indicators for audit
assurance
Aggregate scores to measure
assurance by Process, Audit,
Entity, Enterprise Risk
Deliver assurance metrics in
real-time in the way top leaders
consume
Stop when the desired level of
assurance or a sufficient
conclusion are reached
Knowing when to stop auditing
32
Advancements in cognitive technologies, artificial intelligence, and data analytics are helping organizations go beyond traditional ways of managing risks by using smart machines to detect, predict, and prevent risks in high- risk situations. Autonomic computing combines automation and cognitive technologies to make systems self-managing—and potentially self-defending and self-healing against risks.
Deloitte – The future of risk: New game, new rules
Auditing forward (or preventatively)
Only 9% have access to real time data for FP&A
Only 18% use predictive modeling to analyze Big Data
33
Auditing forward: Extracting ‘foresight’ from data
“Data is the new oil.” The quote goes back to 2006, and is credited to Mathematician Clive Humby, but has recently picked up more steam after the Economist published a 2017 report titled “The world's most valuable resource is no longer oil, but data”.
34
Auditing forward: Leveraging the power of analytics and machine learning
Machine learning involves training computers to recognize and look for different patterns in enterprise data. As a result,
machine learning can generate even deeper insights (when compared with traditional rule-based analytics) allowing users
to not only see new patterns but to predict potential outcomes.
Leveraging ML auditors can:
• Explore and understand patterns in data
without having to tell the analytic what to do
• Find and analyze groups that have formed
organically
• Identify anomalies in a specified numeric field
or across transaction attributes
• Spend more time analyzing the exceptions,
anomalies, and patterns instead of finding
them
• Feed the insights gathered back into the ML
algorithms (i.e. train the computer) to perform
predictive risk modeling
35
Collaborating across the lines of defense
• Engage the frontlines to ensure controls are performed adequately and timely
• Equip Frontline business process managers with a centralized control portfolio view allowing them to oversee control execution
• Enable Frontline operators to view, perform and capture evidence for controls they are responsible for
• Internal audit and compliance teams can immediately identify control breakdowns and remediate preventatively
• Autonomy and accountability to Frontlines
• Automated reminders to perform controls and tasks
• Time bound execution of controls
36
Talent
Are you hiring and training for the internal audit
skillsets of the future?
37
Main objectives:
• Attracting and retaining top audit talent
• Securing expertise to address the risks that matter
Future proofing audit team skills and expertise
38
39
75%
of workers will have access to
intelligent personal assistants
by 2019
- IDC Research -
Average person
will have more conversations
with bots than spouse by 2020
- Gartner -
75%
of workers will have access to
intelligent personal assistants
by 2019
- IDC Research -
Average person
will have more conversations
with bots than spouse by 2020
- Gartner -
65%
of children entering primary
school today will work in jobs
that do not yet exist
- World Economic Forum -
Impact on business world …
40
41
What key technology skills should internal audit
professionals invest in to make an impact at
their organization?
Q:
42
Digital economy realities
•Data explosion
•Digital infrastructure
•Robotic process automation
•Artificial intelligence
•Digital risk
•Cyber security
•Data privacy
•Blockchain
•Advanced analytics and decision automation
•Real-time, automated core assurance
•Cloud migration
•Risk velocity
•Agile risk management
•Real time assurance
Skillsets in demand
•Data science: Data analytics to detect, predict, prevent, and even take risks
•Behavioral science: Growing popularity of behavioral economics to inform decision-making or assess risk
•Digital literacy: Systems, networks, smart devices to manage risks and controls
Emerging skillset needs
Source: Deloitte - The future of
risk: New game, new rules
43
Robotic automation is coming.
Do you see it as an opportunity or threat?
Q:
44
“The data robots are coming to
replace the auditors.”
-Handelsblatt
45
When are people better than technology?
Q:
46
Automation is not about decreasing headcount, it is about
moving up the value chain. By freeing up resources,
auditors can shift time to proactive activities like business
transformations and emerging risks becoming problem
solvers rather than problem finders.
Source: Christine Katziff, Corporate General Auditor, Bank of America
“
47
RPA takes the robot out of the human. The average
knowledge worker employed on a back-office process has a
lot of repetitive, routine tasks that are dreary and
uninteresting. RPA is a type of software that mimics the
activity of a human being in carrying out a task within a
process. It can do repetitive stuff more quickly, accurately,
and tirelessly than humans, freeing them to do other
tasks requiring human strengths such as emotional
intelligence, reasoning, judgment, and interaction with the
customer.
Source: McKinsey & Company
“
48
Incorporate robotic process automation
The one thing audit doesn’t have is elastic human capital to cover an increasingly expanding and complex digital risk
landscape. Using the endless power of RPA and machine learning, auditors can buy back time by offloading repetitive
processes where the rules are known to focus on tasks that require professional judgment and critical thinking.
Leveraging RPA auditors can:
• Create virtual robotic assistants to automate
repetitive tasks and risk management
routines such as:
• Analytics
• Risk assessments
• Control testing
• Remediation workflows
• Real-time visualizations and
dashboards
• Leverage machine learning to increase the
value of automated routines over time as
well as predict and model risk outcomes
49
The executive summary
Moving internal audit up the value chain
50
Key takeaways
• Digitization is inevitable.
• Leadership challenge: Future proof your internal audit functions.
• Invest in modern technology (i.e. cloud, social, mobile, data, robotic
automation).
• Import agile principles into audit methodology.
• Invest in developing new skillsets (data science, digital literacy, etc.)
• Move up the value chain (automate routine risks, focus on strategic
ones).
51
Further reading
https://www.acl.com/audit/agile-auditing
Becoming agile: Elevate internal audit
performance and value
Innovating in internal audit to enhance
collaboration and deliver timely insights
Deloitte
Forbes Can Internal Auditing Become Agile? Seven
Keys To Thinking The Unthinkable
Galvanize
2017 State of the Internal Audit
Profession Study
PWC
52
Thank you!
53
TELL US WHAT YOU THINK!
Evaluate this session right in the
IIA Conference App!
Not using the conference app?
Visit: ic.cnf.io to complete
your session evaluations.