Adroit Auditing in a Transforming World
Jenitha John
Senior Vice Chairman
IIA Global
Contents
GLOBAL LANDSCAPE
ORGANISATIONAL PARADIGMS
INTERNAL AUDIT PARADIGMS
CONSIDERATIONS FOR ADROIT AUDITING
Corporate scandals
Business model rethink against technology disruption (VUCA)
Changing global economic & political conditions
Cybersecurity threats
Competition for talent and workforce demographics
Increased regulatory burden
Consumer spending and behavior
Investor activism
Blended value proposition
Public, private partnerships and the role of government
Evolution of inclusive capitalism (profits vs. wages)
New Realities
Landscape & Trends – 2020 Audit Plan Hotspots Summary
www.visualcapitalist.com/big-data-keeps-getting-bigger/
The Rise of Data
Data - Stay attuned to the customer
• Operational units and product lines are managed and measured independently and tend to focus on their respective business units.
• Unnecessary duplication across the business.
• Accountability for interdependencies and handover points not clarified.
• Too many manual workarounds – cross pollination of ideas and efficiencies not shared.
• IT systems have been patched together from multiple builds/product lines.
• System changes are expensive and time consuming.
• Disparate IT systems make it difficult to understand and analyse data with consistency or rigor.
• How then do we serve customers if we do not leverage the data at our disposal?
• Channel administration done separately (e.g. online, mobile, middleman, instore, relationship managers) - how do we manage and understand the customer experience effectively from different channels?
• Omni channels to be exploited as sales centres – facilitate cross-selling.
• Onerous business processes fuelled by disconnected channels frustrate customers.
Detached channels, fragmented data & onerous business processes
Non-integrated duplicate legacy IT systems
Organizational silos
Organizational inefficiencies
Compliance
Regulatory Dividend - Convergence of workplace disciplines
Finance
Technology &
Information Audit
Data scandal puts Facebook's business on trial
Corporate Scandals - Global
Lessons from Corporate Scandals
Auditors – both internal and external – scope influence, fear of loss of incentive, complacency, over reliance
IFRS is subject to management discretion and interpretation – accounting standards cannot stop fraud
Over reliance on single KPIs – like EPS, focus on good news culture, ROIC/EVA to be considered
Boards become beholden to management. Weak Board Chairman, understatement test of Board packs
Culture & Ethics - Establish and demand the integrity of disclosures – Autocratic executives, rule by fear
Gap between remuneration and performance – personal enrichment & dysfunctional behaviour
Board Management
Analysts Regulators Banks
Investors
Consultants Auditors
Customers Creditors Sponsor
Employees
Cause of Failures
Economic Distress
Deliberate mismanagement
Technological Causes
Working Capital Problems
Corporate Culture - Ethics
Poorly structured board
Over-expansion & diversification
Disjointed key performance indicators
Audit Fraternity
EY: Gold, drug money and a major auditor’s ‘cover-up’ (28 October 2019)
Do governing bodies really challenge?
Has the organization correctly identified and assessed its strategic risks, including sustainability risks, in the context of its risk appetite? Is this built into key performance indicators?
What role do assurance providers (e.g., chief risk officer, risk management staff, internal audit, compliance) play in the organization’s strategic planning process?
How can assurance providers help the board understand the overall health of the internal control environment in the organization?
Are assurance providers providing the board with a comprehensive, balanced assessment of the organization’s governance processes, including assurance on performance management & risk management?
Are assurance activities aligned with the strategic objectives of the business? Is there transparency on performance against the 6 capital
Has the organization correctly identified and assessed the external risk landscape, and does it have appropriate mitigation plans in place?
How are the company’s assurance providers leveraging big data and analytics to help the organization achieve its objectives?
Do assurance providers have the skill set and trust to deal with the increased complexity presented by emerging risks and new realities?
How aligned are your organization’s performance indicators and risk management activities to its strategic objectives?
Board composition, skills, effectiveness - diversity a top concern.
Increased transparency/context around boards’ risk-oversight processes.
How are boards monitoring the company’s culture?
Are Boards exploiting assurance providers’ wisdom?
In today’s world, the smartest person in the room is no longer the person who has the answers, but the one who asks the right questions to get the desired outcomes.
Technology Paradigms
Big Data & Advanced Analytics
Robotics
Augmented Reality
Additive manufacturing e.g. 3D printing
Cloud computing
Horizontal & vertical system integration
Internet of things
Cybersecurity
DIGITAL FULFILMENT
CUSTOMER EXPERIENCE
UX counts
Multi/Omnichannel customer engagement
Digital sales & marketing – higher ROI
Focused customer insight
Cocreation to deliver according to customer
Mining unstructured data for creativity
Straight through processing, virtual interaction and fulfilment
Automated processes & controls with risk profiling – seamless risk data aggregation
Real time information aggregation (MIS) – faster decision making – transparent value chain
Automation
Connectivity
Decision Making
Innovation
Upside Objectives: Opportunity | Innovation | Value Creation | Transformation | Disruption
Oversight Objectives: Cybersecurity | Compliance | Risk Management | Optimization | Governance
Unpack Business Model Paradigms
Business Transformation Imperatives
D2C5
Data
Digital
Customer
Competition
Compliance
Conduct & Culture
Cyber
Risk & control based audits
Manual sample testing
Silo focused
Being educational
Leverage data analytics
Agile, integrated risk-based
To Delivering
Perceived as…
Reshaping Perceptions
Finance & compliance
Policemen
Business optimization & Strategic Risks
Pragmatic corporate change agents
Proactive, collaborative, trusted
Indispensable
On the job training
- Internships
IIA certifications
University Level
School Level
Who wants to be an Internal Auditor?
Audit Learning Paradigms
FINDING THE WAY
Audit Practices
OLD SCHOOL AUDITOR
Audit Talent
- Typical audit mind
- Old school – checklists
- Narrow focus
- Inability to connect dots
- Policeman
Audit Tools
- Electronic Working Papers
- Timesheets
- No data analytics
- Disaggregated Platforms
- CAATs – manual sampling
- Reactive
Audit Stakeholders
- Who?
- Expectations
- Methods of communication
- Balanced Reporting
- Holistic View - GRC
Audit Value
- Methodology
- Value Proposition
- Quality
- Service Delivery
- Performance Management
- Innovation
4321
Foundation – Robust, effective, adroit audit approach
Value Driven KPIs
Defining a value charter and a value scorecard is vital for measuring internal audit’s success
Leadership, Talent, Tools Acumen
Value creation & business optimization
Collaborative relationships, insights and advisory focus
High Risk Coverage. Audit integrated report
Advisory role on corporate activities
Educate governing bodies and audit staff
Forefront of existing and emerging risks
Optimization opportunities & efficiencies
Beacon for change – trusted advisor
Assurance
Objectivity
Insight & Foresight
Internal audit is well positioned to support good governance
Broad view of the organization - familiar with systems and processes
Insight on potential risks facing industry and wider economy
Competent workforce – skills and qualifications
Adherence to IIA IPPF – conformance to robust standards, independence, objectivity
Value of Internal Audit
Driven to help organization succeed, create and enhance value
Use in-depth understanding to debate root causes, exposure and remediation – be resolute with follow ups
Assurance – informed and unbiased critique of governance processes, risk management and internal control
Role of Internal Audit
Prognosticator – use foresight to identify trends and bring attention to emerging challenges
Enabler – enable informed decision making towards organizational success & value creation
Resources - Effective utilization of resources
Provide insight on effectiveness and efficiency of key internal controls to management and Board
Stakeholder Expectations of Internal Audit
Tools and Techniques
World class Audit Planning
Data Analytics driven scoping and sampling
Smart Audit Techniques – Fieldwork – harnessing the value of data and effective tools
Impactful, insightful reports (Optics)
Leverage combined assurance and GRC
Skills and Competency Mix
Collaboration
3 LOD - History
1996: Origin of 3LOD – UK, financial services
1996-2009: Steady growth in 3LOD adoption
2010: ECIIA/FERMA Guidance on EU Company Law Directive
2013: IIA Position Paper – 3LOD in Effective Risk Management and Control
Increased growth in 3LOD adoption
2018: Refresh of Model – Working Group established
Current model
Objectives of Refresh Project
Identify how the model has been adopted in laws, regulations, etc.
Analyze strengths and weaknesses of the model
Engage with key stakeholders
Consider how the model may be improved
Share analysis and thinking for public consultation
Prepare recommendations for revisions to the IIA Position Paper
Release and promote new IIA Position Paper and other resources
Pros and cons
GOVERNING BODY: Leadership & Oversight
MANAGEMENT FUNCTIONS: Strategy Execution
RISK, COMPLIANCE & SUPPORT: Guidance, Challenge, Support
INTERNAL AUDIT: Objective assurance & related advisory
• Ethical culture, and setting the “tone at the top”
• Stakeholder Engagement
• Setting strategic direction
• Delegation to governance committees and authority to 3 lines
• Setting KPIs and KRIs and monitoring performance.
• Approving governance frameworks designed by 3 lines
• Opining and challenging reports and assurance from all functions.
• Reporting decisions, actions & outcomes to stakeholders/authorities.
• Performance evaluation
• Providing independent assurance, opinions, insight, and advice
  - On the adequacy and effectiveness of governance, risk management, and internal control.
  - On the efficiency and effectiveness of operations, including the safeguarding of assets, and on the reliability and integrity of reporting processes.
• Assessing the influence of organizational culture and behaviour.
• Contributing to the adequacy and effectiveness of policies.
• Unbiased reporting to the audit committee, governing body and management.
• Analyzing known and identifying emerging issues that may impact decisions & outcomes.
• Identifying changes in the organization’s variances and tolerances in performance.
• Assisting management in developing risk frameworks, processes, and controls to align performance with strategic goals.
• Providing guidance and training on governance, risk management, and control processes.
• Facilitating and monitoring the implementation of effective risk management practices by management.
• Monitoring the adequacy and effectiveness of internal control and timely remediation of deficiencies.
• Delivering outcomes aligned with stakeholders’ expectations
• Assessing internal and external factors that may impact decisions and outcomes.
• Establishing systems/procedures that deliver on performance
• Effecting remediation when decisions, actions, behaviors, and outcomes are seen to be wanting
• Own, develop, implement and monitor policies
• Delegating responsibilities in terms of DOA
• Setting tactics, performance and risk indicators.
• Monitoring and analyzing activity.
• Reporting performance, forecasts and outlook to the governing body.
Roles and responsibilities - 3 Lines
3 LOD NEXT STEPS
2018: Working Group established (objectives, project plan, Advisory Group, Consultant)
2019: Global Assembly – Roundtable discussion; June – Sep 2019: Public consultation, exposure of analysis and proposals
2019: October 2019 - Evaluation of exposure feedback; December 2019 - Working Group reports to Global Board with draft recommendations
2020: July 2020 - Revised Position Paper and other resources/supplementary papers
Combined Assurance
• Management Assurance - Ultimate responsibility for managing risks & controls
• Internal & External Assurance - Objective and independent (dependent on organisational positioning & stature) assurance provided by Internal, External audit and professional experts
• Combined Assurance - Leads to continuous improvement, operational excellence, minimises duplication of effort between assurance providers
Internal Assurance
• Risk management
• Regulatory Compliance
• Internal Audit (independent)
• Legal, Company secretary
• Health and Safety
• Fraud Teams etc.
Management Assurance
• Strategy, Operations
• Finance & Treasury
• IT, HR, Product development, Sales
• Supply chain / Distribution/Production
• Oversight etc.
External Independent Assurance
• External auditor
• Sustainability, Actuarial
• Project management
• Process improvement
• External forensic fraud examiners /Auditors
• Regulatory inspectors, etc.
Underpinned by a robust
Risk Management Framework
Foundational aspects for combined assurance
Effective corporate governance structures – “rhythm on the dance floor”
Benefits of Combined Assurance
Collaboration
• Leverage common risk assessments
• Deliver unified, consistent message
Efficiencies
• Eradication of Assurance Fatigue
• Cost savings and greater coverage
• Sharing of lessons learned
Effective control environment
• Reporting is more precise and insightful
• Valuable, relevant data based on collaboration and not silos - facilitates better decision making
• Facilitates the annual assurance statements
• Fewer surprises
Underpinned by a mature Risk Management framework and function
Challenges to Combined Assurance
Company Dynamics
• Culture
• Operating model
• Fragmented platforms
• Local vs Global footprint
Reliance on Assurance Providers
• Perceived objectivity
• Qualifications, Competencies and Experience
• Conflicts & Profile
• Methodology - Standards
• Affiliation to professional body
Governance Frameworks
• No distinction between lines of assurance
• Misaligned definition of risk, controls & assurance
• Size of company
Technology : A Case For GRC
Audit Leaders Competency Facelift
The Catalyst CAE
Asks and listens
Fosters innovation
Provides balanced feedback
Builds trust
Focuses on potential
Collaborates and networks
Empowers others
Encourages development
Energizes and mobilizes
Aligns actions with strategy
Aligning Internal Audit Objectives with Business Objectives
Demonstrating and Adding More Value
Leverage combined assurance
Educating Governing bodies
Increasing use of Technology
Increasing the use of Knowledge
Using “Non-Traditional” Internal Auditors
Invest in Lifelong Learning
Audit Competency Facelift
Financial/Operational literacy
Independence
Ability to connect the dots
Knowledge of risk management (including non financial risks), internal control, governance
Future Internal Auditor
1. IQ
2. EQ
3. CQ
4. AQ
Functional, Technical, Business Acumen
MIND OF THE FUTURE AUDITOR
Drone mentality
VUCA World
Risks, instability, flux
Data overload, direction, indecisiveness
Productivity, contradictions
Distrust, Lag in innovation
Use hindsight, probe changes
Challenge perspectives, learn
Focus, cultivate opportunities
Nimble, harness innovation
What does this mean?
How to respond?
Volatility
Visionary
Uncertainty
Understanding
Complexity
Clarity
Ambiguity
Agility
Speed, magnitude, turbulence and dynamics of change
Unfamiliar territory and unpredictable outcomes
Multiple dependencies amidst global interconnectivity
Multiple perspectives and interpretations of scenarios
Continuous calibration of stakeholder expectations
02 Embrace smarter tools – leverage automation
03 Agile, integrated risk-based assurance
04 Pragmatism on risk exposure & remediation
05 Optimization Opportunities, Sharing insights
06 Lifelong learning/reskilling/constant reboot
07 Measure value add and Ongoing refinement
Adroit Auditing
Courage
Insight
Collaboration
Attitude
Agile
Innovative
Change is the only constant.
Heraclitus