
Audit 3.0

The document discusses the need for internal audit functions to innovate and adopt an "Internal Audit 3.0" approach. It notes that organizations face increasing uncertainties due to factors like rapid change, new technologies, and expanding risks. Stakeholders now want more from internal audit, including assurance over core processes and greatest risks as well as emerging issues like digital technologies. The document outlines an Internal Audit 3.0 approach that focuses on assuring, advising, and anticipating to address these evolving needs through practices like risk sensing, agile auditing, leveraging digital assets, and intelligent automation.

Uploaded by

Biljana
Copyright © All Rights Reserved

Internal Audit 3.0
The next quantum leap in Internal Audit
The profession has not been forced to innovate for decades

Organisations face increasing uncertainties
• The speed of change is unprecedented
• Organisations are adopting new technologies
• The breadth of risk continues to expand
• Failure to act will see risk and change outpace Internal Audit

The need for change

WHAT DO ORGANISATIONS WANT & NEED FROM INTERNAL AUDIT?
• Assurance over both the core processes and greatest risks
• Assurance over digital technologies
• A point of view on organization's Risk culture
• More timely assurance
• Advice during times of change and generally
• Insights on emerging risks

Only 28% of CAEs indicated that their Internal Audit function has formally evaluated the broader organisation’s culture in the past 3-5 years.

59% of CAEs indicated that the proportion of advisory services undertaken by their Internal Audit function will increase over the coming 3-5 years.

Only 52% of CAEs indicated that their Internal Audit function has conducted a cyber-focused risk assessment to assess the organisation’s potential cyber exposures.

The Future – Internal Audit 3.0

Stakeholders want and need more from Internal Audit

Assure Advise Anticipate

Assurance needs are broad…

Assure:
• Core processes
• Truly greatest risks
• Decision governance
• Behaviours
• 3 LoD
• Digital technologies

… but Internal Audit’s role as an advisor is key to maximising the function’s value

Advise:
• 3 lines of defence
• Control effectiveness enhancements
• During change
• Assurance by design

Internal Audit can also help the business anticipate risk

Anticipate:
• Risk Sensing
• Risk Learning

Innovate to transform

Internal Audit functions anticipate a focus on “digital” innovation

Risk sensing

Risk Sensing
Risk sensing can be plugged in to multiple areas within the Internal Audit process, helping IA accelerate discovery, strengthen resiliency, and capitalise on opportunities.

01 Risk Assessments
02 Fraud Detection
03 Holistic Risk Landscaping
04 Regulatory Risk
05 Vendor/3rd Party Risk
06 Social Media Audits

Do you have a risk blindspot?

• High Impact Events
• Products & Services
• Workplace
• Financial
• Extended Enterprise
• Innovation & Competitiveness
• Digital Assets
• Socio-economic
• Geopolitical

Why is Risk Sensing important to IA?
Stakeholders want and need more from IA, and Risk Sensing can be the enabler

Areas enabled by Risk Sensing solutions

Risk Sensing inputs
A 360-degree view of your surrounding risks

• Geopolitical data
• Reputational & Communications data
• Financial data
• Technology & cyber data
• Regulatory & legal data
• Trend analysis
• Internal data: Company assets, Risk universe, Stakeholders, Supply chain, Financials, Others…

Roadmap to start Risk Sensing today
A call to action & next steps

1 Identify Risk Sensing candidates based on strategic priorities
2 Understand what Sensing activities are being done at other lines of defense
3 Deploy Risk Sensing in the most impactful way

Agile Internal Audit

What is Agile?

A MIND-SET
• Go Small
• Limit Work in Progress
• Listen to feedback

Family of Methodologies
• Kanban
• Scrum
• Dynamic Systems Development Method (DSDM)
• Feature Driven Development (FDD)
• Lean
• XP
• Adaptive Software Development

Traditional internal audit approach

PLANNING, FIELDWORK, REVIEW, REPORTING

Agile internal audit approach

[Figure: the audit runs as a series of sprints (Sprint 0, Sprint 1, Sprint 2, … Sprint X), each containing PLAN, FIELDWORK, REVIEW and REPORT; the outputs shown along the sprints are POV, POV and REPORT]

How is Agile IA different?

[Figure: Traditional Internal Audit compared with Agile Internal Audit on STAKEHOLDER INVOLVEMENT, DELIVERY OF VALUE, ADAPTABILITY and RISK OF LOW VALUE]

Why bring it to Internal Audit?

Better: Impact, Quality, Performance, Decision making
Faster: Less time to value, Increased productivity, Quicker adaptation, Reduced waste
Happier: Stakeholders, Teams, Individuals, Sustainable working

Leveraging digital assets

What is Intelligent Automation?
As the complexity of automated tasks increases, the complexity of the risks evolves.

Machine Intelligence Spectrum
[Figure axis labels: TASK COMPLEXITY (Single / Simple to Multivariate / Complex), Mature to Emerging, HUMAN TOUCH (High to Minimum)]

Each AI opportunity builds upon the prior step to move up the AI market spectrum.

• General AI (Automates Human Intelligence): Machine that fully replicates human intelligence including independent learning and decision making
• Narrow AI (Augments Human Intelligence): Applies deep statistical learning to train models to become more precise and efficient over time in predictions and judgment
• Cognitive Analytics (Mimics Human Judgment): Transforms extensive, unstructured data into meaningful, focused, human-like insights and recommendations upon which a human can act; can scale complexity and judgment through application of Machine Learning
• Intelligent Automation (Automates Human Workflow): Use of Natural Language Processing and Machine Learning to enable processing of unstructured data, predictive and prescriptive analytics and automation of tasks that involve judgment
• Robotic Process Automation (Automates Tasks): Mimics humans performing rules-based tasks to improve efficiency, quality, and accuracy of process outcomes, as well as increase flexibility and opportunity to scale

Technologies shown on the spectrum:
• Knowledge Representation & Reasoning
• Singularity
• Generative Adversarial Networks
• Natural Language Generation
• Evidence Based Diagnostics
• Quantum Computing Enabled Analytics
• Natural Language Understanding
• Computer Vision
• Deep Learning Enabled Analytics
• Intelligent Advisors
• Sentiment Analysis
• Speech & Image Recognition
• Natural Language Processing
• Interactive Assistants
• Optical Character Recognition
• Machine Learning Enabled Analytics
• Text Analytics
• Scripted Task Bots
• Prescriptive Analytics
• Predictive Analytics
• Rules-based Automation
• Descriptive Analytics

Source: Deloitte Consulting 2018
Notes: Machine Intelligence Spectrum is not a temporal progression

Benefits of Intelligent Automation

Automation opportunities…
• Automation of processes / controls
• Transforming metrics and reporting
• Automating controls testing

…key benefits (general and for IA)

Enhancing quality
Removing error-prone manually intensive activities to improve quality. Increased traceability and auditability, and rapid identification of errors.

Standardisation
Standardise performance through codifying activities to reduce inconsistent performance.

More timely and frequent insights
Rapidly integrate data from multiple source systems to provide a more real-time view of control effectiveness and risk exposure and increase frequency of activities.

Increasing time for value-added activities
Increase the time spent on high-value activities that increase the development and skills of the team, and improve stakeholder / interpersonal interactions.

Reducing costs
Significantly reduce manual effort and reduce the cost of operating, testing, monitoring and reporting. By reducing time-consuming manual activities, automation can lead to significant cost savings.

Risks of Intelligent Automation
RPA and Cognitive Automation introduces net new risks to an organization

Operational risks
• High paced bots & algorithms → errors grow quickly
• A single bot equates to multiple FTEs → concentration of operational risk
• Challenge of disaster recovery due to complex automation
• Accumulated privileges for bot → more damage when hacked
• Incident management gets harder
• Unforeseen s with lost ability for human intervention
• Automation as quick-fix vs. re-engineer bad process → risky
• Unauthorized use of automation – Shadow RPA → exposures

Financial risks
• Poor automation use case choice – lost investment
• Bot related errors → loss of integrity of financial reports

Organizational risks
• Poor change enablement and management → Lower morale
• Loss of organizational knowledge by employees replaced
• Stakeholder education

Technical risks
• Changes to configuration items like folders complicate detection and management
• Testing may require production access
• Bots may overload existing source applications
• Asset management - New type of assets (bots)

Regulatory risks
• Bot related errors → regulatory breaches (hard to detect)

Risk Intelligent Automation Framework
Important: consider a comprehensive risk framework for Intelligent automation

Intelligent Automation Program environment
Program environment: Represents the context in which the project is operating and consists of both the internal and external business environments
• Strategic alignment
• Corporate culture/Readiness
• Stakeholder Buy-in
• Business environment risk
• Process alignment
• Portfolio management

Intelligent Automation Journey/Program Level Risks
Journey management: Processes performed by the program management team
• Use case choices
• Business casing
• Choice of Tool
• Too much too soon
• Process maturity
• Risk mgmt. planning
• Communication
• Vendor mgmt.
• Intake discipline
• Risk monitoring
• Reporting/Gov.
• Talent/Resources

Intelligent Automation Project support
Project support: Required to support the project, such as the setting up of an effective project support office and integration with business functions
• Program office
• Integration with common business functions

Use case specific risks
Use case life cycle: Associated with the various phases of the life cycle required to deliver the result of the project
• Planning & initiation
• Requirements analysis
• Design
• Development
• Testing
• Implementation & rollout
• Post implementation

Applying RPA and automation in Internal Audit

Basic RPA
Examples include:
• Data extraction and organizing for analytics
• Audit evidence gathering
• Building regulatory library
• Audit testing of controls
• Audit work paper management
• Audit issues and findings management and alert mechanism
• Reporting - consolidating audit findings and observations

Advanced RPA and intelligent automation
Examples include:
• Monitor voice interactions based on speech, behavioral and human emotional tendencies
• Detection of risky subsets of trades using advanced clustering techniques
• Detection of outliers using advanced clustering techniques
• Detection of risky subsets of P&L movements using advanced clustering techniques
• Misclassifications in unstructured data

Client Case Study | Automation of controls testing
Compliance testing is performed on a daily basis. The use of automation codifies the testing procedures and standardises the evidence of the testing performed.

Client Case Study | Audit Committee Reporting
• Audit committee reporting requires the production of multiple reporting packs on a quarterly basis and across different jurisdictions / countries
• The current process is manual, requiring two dedicated FTEs in an offshore location to pull together these reports
• Content is derived from disparate sources comprising structured and unstructured data such as audit reports issued, MetricStream data, other committee reporting
• The manual and repetitive nature of the process means that it is prone to error and expensive to operate, while the end-to-end compiling and reviewing process can be time intensive

Audit committee reporting requirements (indicative)
• Key themes
• Open issues | New major issues
• Audit reports issued
• Audit report pipeline and changes to audit plan
• Operational updates / headcount / budget
• KIs: Open / closed issues; Time to complete reports / draft to final etc.; Other scorecard metrics

Data sources
• Unstructured data, based in pdf, MS Word, email format which are copied to the audit committee report
• Structured data (MetricStream extracts, excel, spreadsheet tables, other structured data files) / Unstructured data (mainly text based)

Challenges addressed
• Errors and inaccuracies in content
• Cost of dedicated resource
• Increased need for detailed management review / QA
• Lead time for report preparation
• Costly to increase volumes and scale up – if/as needed (e.g. new content, calculation of new KIs / scorecards etc.)
• Manual process to monitor progress of completion

What Internal Audit functions need to consider

1. Vision and strategy for automation

2. Foundational infrastructure to support deployment of capabilities
• Governance
• Change management
• Testing and monitoring
• Skills and resource training

3. Target-state operating model

People
• Ownership model and roles & responsibilities
• Role based training
• SME / generalist balance
• Skills enhancement programmes

Process
• Integration with broader organisational CoE
• Decision governance process to evaluate automation opportunities
• Enhanced audit methodology and QA processes
• Centralisation of reporting
• Risk control framework

Technology
• Gather and cleanse / normalise data
• Integrate systems (e.g. GRC platforms)
• Establish data feeds / APIs
• Deploy and maintain technologies
• Manage licences

Key takeaways

Bringing IA 3.0 to life
• Automate core assurance
• Accelerate adoption of advanced analytics and automation
• Apply Agile principles
• Innovate to “future proof” the function
• Consider Next Gen resourcing models to secure talent and skills required
• Advise and anticipate – don’t just assure!