Internal Audit of the FutureTransforming Internal Audit21 November 2019
2Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
The Future - Internal Audit 3.0
Assure
3 LoD enhancements
Assurance by Design
During change
Control Effectiveness
Advise
Risk Sensing Risk Learning
Anticipate
RPA Automated QA
AIAnalytics
Automated core Assurance
Purple Person
SMEs
Next Generation Resourcing
Polymath
Relationship management
Agile IA
Response teams
High Impact reporting
Change catalyst
Core processes
Truly greatest risks
Decision governance
Behaviours
3 LoD
Digital technologies Dashboards
Intelligent Assurance
Digital assets
Skills & capabilities Enablers
3Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Digital assets
Work PaperDocumentation
RPA/ Bots
AnalyticsProcess Mining
Dashboards
4Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Tech-enabled IA
METHODOLOGY & IA FRAMEWORK
TESTING & VALIDATION REPORTING
• Risk sensing for IA planning
• Automated work papers
• Issue tracking
Substantive fieldwork• Advanced Analytics• RPA / Bots• Cognitive & AI
Continuous Monitoring• CCM• Content extraction (ARGUS)
ERP Based• GRC Tools• Process Mining
• Controls cockpit
• Report writing using NLG
• Report dashboards
• Action items tracking
5Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Transformation to Analytics
Guiding principles for analytics
Define analytics goal in line with business objectives 01
Know your data02
Actionable and measurable03
Leverage existing insights 04
Relevant to business05
Test, learn and improve continuously06
Analytics maturity curve
Excel Excel, ACL Qlik, Alteryx, Tableau, Argus, Predictive analytics tool SPSS, R
Increased Sample Testing Quantification of Impact Behavioural Trends
Process Change/Continuously
monitoringInnovation
Outcome
Tools
Ad-hocexploration
Non-Repeatable
process
Ad-hocexploration
Non-Repeatable
process
Complex Analysis
Management defined goals &
objective
Integratedinsight
Next best action
• Unpredictable performance
• Success based on individual competence
• Rudimentary and loosely-woven
• Repeatable with similar application and scope, but not consistent across units
• Developed and adopted consistently
• Defines goals and objectives for standardised processes and confirms their communication
• Consistent application across organisation
• On-going monitoring with elements of predictive
• Management decision-making driven by analytical outcomes
• Well-defined and institutionalised
• Continuous improvement methodologies used to adapt to future changes
• Evolving forecasting models
Embedded in process
Stage 1: Initial Stage 2: Developing Stage 3: Defined Stage 4: Advanced Stage 5: Leading
6Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
• #1 challenge : Data
Analytics capabilities vary across the industry with few leaders
* Source Deloitte Global CAE Survey 2017
Data Management & Aggregation
Sampling & profiling
Data Quality
Advanced Modelling
Data analytics
Statistical and quantitative modelling
Data Visualisation
Model Validation
Quantitative Risk Assessment
Small Size of Organisation Largest
Leas
t Sca
re
Sca
rcity
M
ost
Sca
re Analytics Capabilities by Size of Organisation
Challenges
• Audit plan support: Advanced firms supporting 43%, developing firms supporting 21%
• More organisations hiring Data Science and applied Mathematics and Statistics skillsets
• Master data management: Important underpinning for more advanced functions
• Core business auditors to develop analytics capability• 4-7% of audit group comprise analytics teams
(number to increase in 3-5 years)• Audit methodology, approach, and QA to evolving to
better incorporate analytics at the core of the audit function
Opportunities
7Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Insights-driven IA methodology
Integrated Data Analytic Steps
Traditional Audit Steps
Extract, transform, and load
data
Analyse data; compare, profile,
visualise
Develop testing hypothesis with
audit team
Identify Potential Analytics
Audit sampling, continue to support
and iterate on hypothesis
Visualise and story board
results
Confirm Audit
Objectives / Scope
Develop Enhanced
Audit Scope
Audit commences
Test key hypothesis
Communicate results
Critical new interactions in the process
8Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Integrating IA and analytics – Example for a FMCG company
Analytics can not be performed Analytics can be performed * Indicative
Order processing Billing and collection
Pre-payment rebates and
DiscountSales return and quality control
Price card and scheme
formulationMonitoring of
targets
Billing and cash transfer to Company
Distribution planning and
logisticsShortages at
shops Shop expenses Physical security Liquidation of old inventory
RFP and vendor selection
Single vendor procurement
Material receipt and quality check Receiving Storage and
stacking normsPayment
processing
Bill of Material (BOM)
managementInput Output Reconciliation
Production planning and controlling
EHS Compliance Quality controls Wastage and scrap
RecruitmentCommission to
recruitment consultants
Attendance and leave monitoring
Incentive to sales team
Separation and F&F
Wage records and Statutory Compliance
Stock planning, inventory levels
Review of stock out situations Logistics Planning Loading and
dispatch controlsTransporter
selection and evaluation
Freight analysis
AreasAreas
Wholesale
Retail
Procurement
Production
HR & payroll
Distribution
9Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Continuous Control Monitoring (CCM)
Guiding principals to build CCM Program
1 Link Objectives with Clear Business Drivers
2Know Your Data
3Start Simple
4Leverage Existing Insights
5 Make It Actionable and Measurable
6Test and Learn
CCM Delivery Model
Establish clear understanding of expected benefits; link analytics to business plan
Determine data tables, fields and reports required to deliver testing objectives
Perform first pass testing on data and discuss high level insights with stakeholders.
Perform second pass testing on data.
Summarise key insights and use visualisations
Understand
Acquire
Analyse
Refine
Report
10Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
CCM used cases
Analytics Objective Risk Material price outlier analysis
To identify if same material is purchased at multiple Unit Prices across vendors and plants
FraudFinancial Operational
Purchase Orders without Release Strategy
To identify purchase orders without release strategies which might indicate potential lack of an approval mechanism
Financial
PO-GRN-Invoice Analysis (3 way match analysis)
To compare PO, GRN and Invoice Quantity and identify cases where Invoice Unit Price is greater than PO unit price
Operational
Splitting of Purchase Orders
To identify if multiple POs for the same vendor and material are created on a single date by the same user
Operational Fraud
One Time Vendor Activity
To identify cases where payments have been made to one time vendors more than once
Operational
Vendor – User Correlations
To identify a possible collusion between vendor and buyer, by analysing the POs created
Operational
Purchase Orders without Purchase Requisition
To identify and analyse POs which do not have a corresponding Purchase Requisition.
Operational
11Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Robotic Process Automation (RPA) / BOTS
RPA is a key component in automating core assurance.
Under IA 3.0, IA functions implement RPA processes that will lessen manual testing needed and increase test coverage.
Continuous RPA
• Automated Controls• IT General and access controls• Configuration controls• Voice analytics BOTs for suspicious negotiations• Voice analytics BOTs on customer service interactions• Intelligent detection of suspicious logs associated with IT systems through GRC• Identifying potential FCPA issues through transaction analysis
Event Based RPA
• Removal of IDs on an employee’s exit from firm• Manual JV analysis• Regulatory reporting validation• Performing financial and MIS reconciliations• Automated review of text-heavy documents
12Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Artificial Intelligence (AI)
Elements where AI can be implemented
• Data extraction from documents
• Fraud detection, patent and spends analysis
• Follow-up questions, querying knowledge sources, sensing user emotion, and escalating user queries
• Anti-money laundering Suspicious Activity Reports
• Investment narratives
• Portfolio commentary
• Regulatory disclosures
• Personalised client communication
Cognitive Engagement
Cognitive Insights
Finding complex patterns in data to make better decisions and more accurate predictions
Providing language- or image-based personalised information through text/voice
13Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Process Mining
Sample analysesProcess X-ray shows what really happened during process execution
Throughput timeEnd-to-end view
Waste finding Handovers
User activities Policy check
Exception handling by employees
Work flow between individuals
Root cause identification
Aggregated behavioral patterns
Benchmarking
14Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Dashboards and Visualisation
Examples
• Real-time modelling of supply and demand • Real-time quality assurance results• Automated assurance dashboards • Risk-sensing dashboards• Portfolio management dashboards• Management & audit committee reporting dashboards
In line with Agile principles of demonstrating control and encouraging collaboration, IA 3.0 promotes use of visualisation and transparency to manage the function.
Through dashboards, functions can build new, collaborative ways of working.
Automated Reporting Dashboards
15Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Skills and Capabilities
16Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Developing the internal audit teamSkills and capabilities
Polymath Purple Person SMEs Next Generation Resourcing
Relationship management
17Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Agile IA
18Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Agile IA – Driving Efficiency
Identify high-priority business problem
What agile is and is not
Agile is
Group of methods based on iterative development, where requirements and solutions evolve through collaboration between self-organising, cross-functional teams.
Agile is not
• A single methodology• A set of tools• Easy to implement
Hypothesis for solution
Build & test rapidly with real users
Learn
Deploy
19Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
1
2
3
4
5
Agile IA – Driving Efficiency
IA should transform to deliver on a broader set of expectations, providing assurance but also advising on and anticipating risks…
Why Bring Agile to Internal Audit?
Objective: To deliver meaningful, timely and real time insights.
To assure, advise and anticipate risk effectively, we need Agile IA processes!
Speed & AgilityThe velocity of
business is faster than before, and
traditional IA is not an effective third-line of
defense in thisfast- paced world.
Business ValueAgile is iterative, and allows us to
continually revisit current risks and reprioritise as a
continual process for the audit
Allows IA to respond quickly to changing business needs
Reduces time between requirement and delivery
Builds risk-specific insights for customers
Enhances ability to drive meaningful, high-quality insights
Meets business commitments by reprioritising scope
20Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
4 Roles ● 4 Ceremonies (Meetings) ● 5 Artifacts (Documents)Agile IA end to end
Scrum Team Product Owner Scrum Master Stakeholders
Sprint 0 Execution (Sprints 1, 2, N)Document Meeting
Why are we doing this
audit?
How do we scope this?
Initial Audit
Backlog
How do we prioritise
the backlog?
Sprint Planning
Sprint Backlog
Tasks
1–2Weeks
Daily Scrum
Sprint Review
Work papers
Sprint POV
Retrospective
Audit Canvas
Final Report
21Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Traditional vs. Agile Internal Audit
Agile IA puts a heavy focus on internal auditors to drive collaboration and be seen as partners to their stakeholders rather than as “the police.”
Traditional
• Begins with ‘big up front’ design and discovery through audit report with limited or no overlap
• Audit report is released as a ‘big bang’ delivery with benefits realised at the end of the audit
• The client/customer/stakeholder has limited communication and collaboration with audit team
Agile
• Cross-functional internal audit teams work simultaneously on a single audit to accelerate delivery of Summary Observations, Impact, and Management Action Plans (MAPs) each sprint
• Product released in increments to ensure audit of right thing at right time
• Uninterrupted communication and feedback between stakeholders, clients and audit team
22Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Thank you!#IA 3.0. Let us take you from your now to your next!
23Internal Audit of the Future©2019 Deloitte Touche Tohmatsu India LLP
Key Contacts
Anthony CrastoPartnerDeloitte [email protected]
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms.
This material is prepared by Deloitte Touche Tohmatsu India LLP (DTTILLP). This material (including any information contained in it) is intended to provide general information on a particular subject(s) and is not an exhaustive treatment of such subject(s) or a substitute to obtaining professional services or advice. This material may contain information sourced from publicly available information or other third party sources. DTTILLP does not independently verify any such sources and is not responsible for any loss whatsoever caused due to reliance placed on information sourced from such sources. None of DTTILLP, Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this material, rendering any kind of investment, legal or other professional advice or services. You should seek specific advice of the relevant professional(s) for these kind of services. This material or information is not intended to be relied upon as the sole basis for any decision which may affect you or your business. Before making any decision or taking any action that might affect your personal finances or business, you should consult a qualified professional adviser.
No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person or entity by reason of access to, use of or reliance on, this material. By using this material or any information contained in it, the user accepts this entire notice and terms of use.
©2019 Deloitte Touche Tohmatsu India LLP. Member of Deloitte Touche Tohmatsu Limited