Welcome!Adapting to Change for Internal Audit

and Anti-Fraud Professions

Imran Zia, MSc, ACA, FCCA, CIA, CISA, CFEChief Internal Auditor

Gulf Drilling International

Adapt or Disappear ?

It is not the strongest of the species that survives, nor the most intelligent, but the

one most adaptable to changeCharles Darwin, 1809

Digital Universe is Huge and is Growing Exponentially

1 Zettabyte = 1 Trillion GB1 Exabyte=1 Billion GB

World’s largest taxi company owns no taxis (Uber)

Largest accommodation provider owns no real estate(Airbnb)

Largest phone companies own no telco infrastructure(Skype, WeChat)

World’s most valuable retailer has no inventory(Alibaba)

Most popular media owner creates no content (

World’s largest movie house owns no cinemas (Netflix)

Largest software vendors don’t write the apps (Apple& Google)

source: www.ibmforentrepreneurs.com

Only 11% of the Fortune 500 companies from 1955still exist today

The average time that companies stay in the top 500has fallen from 75 years to 15 years.

75% of the companies that were listed on the S&P500 Index in 2012 will be replaced in 10 years time

New York Times reported that the company'sdigital transformation is projected to make 30% ofcurrent jobs obsolete by 2020.

A recent study by Economist found that 94% of theresponsibilities of accountants and auditors will becompleted by robots in 20 years’ time.

Source: 2016 Global Chief Audit Executive Survey by Deloitte

85 % CAEs expect their organization tochange moderately to significantly

In 64 % cases the Audit Committeeneeds Internal Audit to evolve

More than half of CAEs (57 percent) arenot convinced that their teams have theskills and expertise needed to deliveron stakeholders’ current expectations

Only 28 percent of CAEs believe thattheir functions have strong impact andinfluence within the organization

Didn’t innovate fast enough

Less focus on clients

Insisted on their OS

Continued to believe that theycould make a come back

Source: http://accaiabulletin.newsweaver.co.uk/accaiabulletin/jj7m1jilyc4

Is Internal Audit Next BlackBerry ?

Today we live in a VUCA world

V – Volatile

U – Uncertain

C – Complex

A – Ambiguous

We can’t make the Uncertainty go away, but we can change the way we respond to it

Every uncertainty is also a new Potential Future, but a signal that it's time to get ready for change

The Only Sustainable Advantage is to

Learn Faster than the Change

OR

Staying Ahead of Risk

Internal Auditorsneed to beOutsighters – Abilityto ComprehendForthcomingChanges)

Predict the Weather, Don’t just report it

Risk Centric Vs Objective Centric Audit Risk Assessment

Risk Registers & Risk Heat Maps - mostly don’t depictresidual risks; and are not linked with company’s topValue Creation Objectives

Audit Risk Assessment often does not cover company’smost important Value Creation / Strategic Objectives

Small Coverage of the total Risk Universe each year

More Focus on Internal Controls of the audited area whilethe residual risks linked with key strategic areas areignored

The Way Forward

What Could Go Wrong; and What Needs to Go Right

Objective Centric Risk Assessment – Use Company’sObjectives Register not an Audit Universe

Form opinion on company’s Residual Risk Status ratherthan reporting effectiveness of internal controls only

The Value Gap Between Internal Audit and Our Stakeholders

IIA Standard 2201 – Planning Considerations – requiresinternal auditors to consider:

• The objectives of the activity being reviewed;

• The significant risks to the activity, its objectives, resources andoperations and the means by which the potential impact of risk is keptto an acceptable level

Will this approach identify the "critical risks to the enterprise"and lead to the audits that matter ?

Will this enable Internal Audit in providing assurance, insight,and advice on the management of business critical risks ?

Staff for the audits we perform, not perform audits based on the staff we have

If business risks and audits are ever-changing, then the skills &experience that we have need to change at that speed as well

Change doesn’t occur once a year - Internal Audit RiskAssessment must be Dynamic not Static

Focus on the risks that matter to organization objectives.Those are the risks that need to be addressed in the audit plan

Ask the question - will this audit engagement add value

Audit Where The Risk Is Going To Be, Not Where It Has Been

Prevent internal control or risk issues when you can,rather than identify them when they already existand represent

Auditing the risks that impact today and tomorrow,not limiting your focus to what has happened in thepast

Being involved in new initiatives, providingconsulting advice

Are we looking at the Value in all the wrong places ?

“Value” is what the customer places a value on, notwhat internal audit would like to consider valuable

There is a huge risk when internal auditdepartments are so consumed with the idea ofadding value (which they measure through dollarsavings, process improvements, and such) that theyfail to provide the assurance that our customersneed

Who is Responsible to Assess & Manage Risk ?

Risk Management is not a Department, it isAttitude

The people who should own risk are the peoplewho own performance and the achievement ofobjectives

If you are to be an effective manager and achieveyour objectives, you need to be able to manage therisks to the achievement of your objectives

The Corporate Frog Story

Forbes magazine recently called culture the most overlooked element of audits

Organization Culture

Here and Now

The Risk Culture

How organization dealswith Multiple tomorrows

Problem – Imbalance between the Two

A poor mismatch between the culture and the riskculture in an organization can lead to catastrophes

A Hard Look at the Soft Stuff

There is a need to move away from a focus on today’s issues to a balanced look at today’s and tomorrow’s concerns

Significant Deviations from the Board’s Espoused Values

Silo-based Functioning

Layered Management Reporting

Excessive Short-termism

Control Management instead of Risk Management

Black Holes

The most significantnon-financial cost maybe the negativereputation of theinternal audit rolethroughout theorganization.

Likeable Auditors

A study shows that if an auditor is likable and gives a well-organized argument, managers tend to comply with hissuggestions, even if they disagree and the auditor lacks supportingevidence.

Identify & expand areas of commonality wheninteracting with others

Understand and adapt to communication styles

Don’t pass judgement

Pull more and push less

Board / Top Management with No/little Idea of InternalAudit Capabilities

ByAligning with the Expectations of Ignorant Boards, Weare Doomed to Repeat the Failures of the Past

Way-out

Educate the Board / Top Management of our Capabilities &Responsibilities

Expand our capabilities to address key risk areas

How likely is it that the Business Strategy has been accurately established ?

The most recent Global Risksreport by the World EconomicForum ranks cyber attacks asone of the top 10 risks mostlikely to cause a global crisis

Attackers had access to theorganizations’ environments foran average of 205 days beforethey were discovered.

Worldwide spending oncybersecurity is predicted to top$1 trillion for the five-yearperiod from 2017 to 2021,

Why Hackers Could Cause the Next Global Crises

Internal Audit Needs to Up Its Cyber Security Game

Source: Global Perspectives and Insights: Emerging Trends, The Institute of Internal Auditors

Top 4 Cyber Security Mistakes

Assuming We’re Not a Target

Approaching IT as Just an IT Issue

Neglecting to Understand and Update our Network

Relying Solely on Anti-Virus Technologies

Focus Points

Cyber Security threat never sleeps, and companies can’tafford to be asleep

Cyber-defense Tactics & Tools Cannot Remain Static

Way-Out - Job on Hand

Treat Cyber Risk as enterprise-wide Risk, not just an ITissue

Measure the impact of security breaches with achievementof corporate objectives

Apply advance solutions to detect attacks even if there areno known signatures

I

M

P

A

C

T

High 3 6 9

Medium 2 4 6

Low 1 2 3

Remote Likely Probable

L I K E L I H O O D

Meeting Internal Audit Objectives without Auditing

Internal Audit Reports do the Function a Great Disservice

Typical Audit Report conveys what we want to say rather thanwhat leaders of the organization need to know

Reporting opinion on sufficiency of Internal Controls ratherthan full range of risk responses / treatments in place

Way Forward

It is critical to communicate “What Matters” to stakeholders

Provide stakeholders with the information they need, whenthey need it; and in a form that is actionable

Change is our final product – A recommendation has no valueunless it leads to a necessary change by management

Stop When It Is Obvious – You are not in a court of law

Quality Assurancebased on quantityand not on quality

Working Papers forworking papers sake

Evidence Collection

What else ?

Distractions

Generation gap between the people setting thepolicies and the people facing the results of thosepolicies

Insanity – Doing the same thing over and over again and expecting different Results - Albert Einstein

Embrace Change – Think Outside the Box

Quantum Transformation in Internal Audit Paradigm - TheElectric Light did not come from the continuous improvementof candles

Future Focussed Auditing - My Interest is in the FUTUREbecause I am going to spend rest of my life there

Audit That Matters - Focus on success (value creation) morethan avoiding failure (value preservation)

More Value Addition - You can’t do a good job, if your job isall you do

Welcome!Adapting to Change for Internal Audit

and Anti-Fraud Professions

Imran Zia, MSc, ACA, FCCA, CIA, CISA, CFEChief Internal Auditor

Gulf Drilling International