analytics and automation in internal audit...pwc analytics and automation in internal audit...
TRANSCRIPT
Analytics and Automationin Internal Audit
CAE ConferenceNovember 2019
PwC Analytics and Automation in Internal Audit
Introduction
PwC Analytics and Automation in Internal Audit
1 2
35
4
External pressures on Internal Audit.
The game has changed: Internal Audit now faces different external pressures than before
2
Digitization creates opportunitiesThe amount of data in volume and variety is exponentially higher as a result of digitalisation. Analytics is one of the key enablers to identify, predict and provide recommendations to business leaders.
1
Business patterns have become more complexBusinesses need to make quick and informed decisions based on the patterns and trends obtained from the data in order to success and leadthe market.
2
The need to move at paceTraditional reactive or backward looking audit is obsolete in today’s fast paced world. It adds little value and IA risks being stood down.
3
Regulations and compliance expect moreRegulatory expectations to monitor business activities are increasing. Deeper business understanding & focus on risk are critical.
4
5 Do more with less is continuousThe bottom line is under threat and organizations are being forced to work harder and smarter.
PwC
Internal audit has to have a seat at the table with management. As you build these out, you don’t want internal audit to come in afterwards and identify gaps in controls. They really need to be there right at the beginning. However, it’s one thing physically having a seat at the table but another having the credibilityto be listened to.
Vanessa C. L. Chang Member, Audit Committee, Edison International and Sykes Enterprises
3Analytics and Automation in Internal Audit
PwC
Analytics in Internal Audit
4Analytics and Automation in Internal Audit
PwC Analytics and Automation in Internal Audit
Internal Audit: Transform or risk becoming obsolete
5
PwC Internal audit maturity modelWe believe the maturity is defined by 4 different aspects of an internal audit function.
Assurance provider Assurance provider Assurance provider Assurance provider
Problem solver Problem solver Problem solver
Insight generator Insight generator
Trusted advisor
Delivering objective assuranceof the effectiveness of an organisations’ internal controls
Bringing analysis and perspectiveon root causes of issue identifiedin audit findings to help businessunit take corrective action
Take a more proactive role in suggesting meaningfulimprovements and risk assurance
Providing value-added servicesand proactive strategic advice to the business well beyond the effective and efficient execution of the audit plan
• Align expectations
• Build capabilities• Deliver quality• Increase value
Unrealised value
PwC Analytics and Automation in Internal Audit
Achieving your goals
6
Transforming the Internal Audit function requires focus across multiple domains
• How should we manage and execute our audits?• What is the impact of leveraging analytics?• How do we align to key stakeholders in AC and Management
• What people, skills and training do we have or need?• Do we develop or acquire skills and talents?• Can we arrange job swaps with the business functions?
Continuous improvement
Performance monitoring
Technology, tools and data
Methodology, policies,standards and processes
People, capability management and training
Operating model
Strategy &vision
• What role do we want to take within the organisation?• What do we want to achieve and how do we measure success?• Where can we add most value?
• How should we structure ourselves?• How do we incubate and establish an analytics capability?• How do we access external expertise to accelerate development?
• What data (asset) do we have?• What tools do we have or need need for analytics and reporting?• Do we know how and where we should be using the tools?
PwC Analytics and Automation in Internal Audit
Growing analytics and automation capabilities
7
The IA analytics maturity stagesAdvanced Analytics capabilitiesBasic Analytics capabilities
Reactive
IA D
eliv
ery
effic
ienc
yB
usin
ess
enab
ler
PredictiveEffectiveness in monitoring of key risks
Valu
e to
or
gani
satio
n
• Automated controls are monitored on a real time basis once and potential exceptions are flaggedto risk and/or controls owners on a realtime basis
• Responsibility to operate the program rests with the business. IA are a user and potentially custodian of the program
Continuous transaction monitoring • The extensive data
structures are dissected and normalised within the tool to facilitate understand of activities
• Normality is learned and relearned on demand using stylised scenarios including introduction of false positives and incorporating new scenarios and variables
• Exceptions to patternand subtle risk concentration exposed
• Proactive and predictive actions taken
Predictive analytics
Manual IA function
• Auditing is performed using hard copy documents
• Audit sampling is statistical and/or judgmental
Piloting and ad hoc
• IA function own analytical tools such as IDEA and ACL available
• Bespoke analytics arerun on a one off basis to address specificaudit requirement
Sustainable and periodic analytics
• Analytical scriptsare automated and standardised forspecific reviews
• Opportunity to utilise analytics is considered as part of scoping for every IA review
• Specialist staff support extract and analysisof data
Continuous auditing
• A physical and logical data repository linked to key systems and residing onsite and accessible by Internal Audit
• Overlay with dashboards and alerts to enable IA to monitor exceptions and hot spot areas on a continuous basis
• Key input in defining and updating the IA plan
Automated: Analytical tests which replace activities typically performed
Assisted: Analytical tests that provide information upon which IA judgements can be made
[acl] [IDEA]
[Ui Path]
[Oracle]
[Power BI]
[Wolters Kluwer]
[SS] [R]
PwC Analytics and Automation in Internal Audit
Selecting analytics-enabled audits
8
Knowing where to start so you can get there quickerNot every test, review or audit is suitable for analytics. PwC’s framework is an effective way to facilitate a shortlisting of audit activities
Data availability and complexity
Process and data knowledge
Ability to leverage in future
Impact and risk mitigation
Start
Availability: Is relevant data available for the process in a format that is easy to access?
Complexity: • Are there three
or less data sources for the internal audit?
• Is the data able to be validated for consistency and completeness?
Impact/Risk:Does the process represent a high risk area to the company, and is there a high perceived impact of the internal audit?
Repeatability: Is the internal audit activity performed with regular frequency, or does it represent a common audit focus area?
Familiarity: Does Internal Audit have sufficient knowledge of the business process to understand and interpret the data?
Applicability: Is the dataset or risk area applicable to other potential internal audits or business units?
Yes Yes Yes Yes Yes Yes
No No No No No No
Not a likely analytics candidate Potential analytics candidate Strong analytics candidate
PwC
Automation in Internal Audit
Analytics and Automation in Internal Audit 9
PwC Analytics and Automation in Internal Audit
“RPA and AI are the next big technologies. It will be important for Internal Audit to understand these technologies and be able to push the business in how they implement new solutions in the future. With new technology comes new security risk, and this should be a concern of boards going forward.”
Alvin BledsoeAudit Committee Chair
SunCoke Energy
10PwC Analytics and Automation in Internal Audit
Software macros
Data prep and analysis tools
Robotic desktop automation
Workflow automation software
Rule engines
Automation-enabled enterprise platforms
Robotic process automation
Computer vision
Natural language processing
Machine learning
Intelligent business process
management systems
Intelligent processautomation platforms
The new automation
toolbox
Level of business-IT collaborationHighLow
Pwc.com/automation
PwC Analytics and Automation in Internal Audit
What is RPA?
Configurations that automate manual, repeatable tasks
Algorithms that solve specific problems
Software that plugs into, and accesses, existing business software
Workflow enabled interaction
RPA is…
11
A humanoid robot Something that can entirely replace humans
Something that replicates human cognitive functions
Purely just another cost play
RPA is not…
PwC Analytics and Automation in Internal Audit
Example opportunities for RPA in internal audit
Internal Audit offers a broad range of opportunities for automation using both RPA and potentially IPA technology. Below are example areas for potential automation across the foundational, risk assessment and execution phases.
12
Foundational Risk assessment and audit plan development Execution
Identifying and understanding stakeholders’ expectations
Building or internal audit’s strategy
Driving internal audit quality
Understanding the business
Gather information to identify risks
Evaluate and prioritise risk universe
Develop and communicate the risk based audit plan
Preparingthe audit
Planning the audit
Conducting fieldwork
Audit reporting
Issue management
Comm. w/ stakeholder
Setting Internal Audit’s mission
Managing talent
Understand organisation structure
Conduct interviews
Develop the risk universe
Draft the audit plan
Audit project staffing
Establishing engagement objectives
Identifying controls based on risk
Preparing the final audit report
Monitoring management actions
Maintain business relationship
Developing Internal Audit Charter
Managing delivery
Understand stakeholder expectations
Risk rating Audit plan comm.
Coordinating logistic and project milestones
Performing fact finding
Evaluating the control design
Distributing the report
Validation of management actions
Coordinate Assurance across org.
Developing a strategic plan
Managing performance
Prioritizing risks
Ongoing risk assessment
Confirming scope
Creating risk and control matrix
Operational effectiveness testing overview
Report quality review
Archiving documentation
Audit plan updates
Preparing the document request list
Creating the audit program
Conductinga closure Meeting
Gathering and sharing feedback
Planning memo
Finalizing scope
Preparing management action plans
Automation opportunities with RPA Potential automation opportunity with IPA
PwC
Lessons learned
Analytics and Automation in Internal Audit 13
PwC Analytics and Automation in Internal Audit 14
Many have failed, many more will do thesame unless we adjust
Global lessons learnedWe share our global experience with you to help you avoidmaking the same mistakes as others.
Common pitfalls
No. 1Embarking on
the journeywithout a defined
strategyNo. 2
Going it alone
No. 3Underestimating
thepower of
organisationalcultureNo. 4
Falling into theautomation trap
No. 5Seeing analytics as
just a bolt-on to existing auditprocedures
No. 6Isolating the
analytics team
PwC Analytics and Automation in Internal Audit
pwc.com
Questions?
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.
© 2019 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
191117-163322-SA-OS
Clement ChanDirector – Digital TrustT: +971 501 5236 19E: [email protected]
Contact