case study: experian plc - metricstream · case study: experian plc ... the views expressed during...


Post on 21-May-2020



Case study: Experian plc

Technology Enabled Internal Audit as a Business Value Driver

Mike Taylor

Head of Global Internal Audit


The views expressed during the presentation are the personal view of the author and may not be understood or quoted as being made on behalf of, or reflecting the position of, Experian plc


Experian: A leading global information services company…

• Revenue: US$4.8 bn

• EBIT: US$1.3 bn

• Market Cap*: c. £12bn – UK FTSE Top 50

• Employees: c.17,000

• Offices in 39 countries

• Largest markets: US, Brazil, UK


…with a diverse portfolio by region, business line and customer segments

By region

• North America 51%

• Latin America 18%

• UK and Ireland 21%

• EMEA/Asia Pacific 10%

By business line

• Credit Services 49%

• Decision Analytics 12%

• Marketing Services 18%

• Consumer 21%

By customer segment

• Financial services 30%

• Direct-to-consumer 20%

• Retail 9%

• Automotive 5%

• Healthcare 5%

• Telecoms and utilities 5%

• Insurance 4%

• Media and technology 4%

• Government and public sector 2%

• Other 16%


With 17,000 employees across 39 countries…


Experian Global Internal Audit Team September 2015

GRC Support Team

Risk Management

Compliance

Global Security Office

Mike Taylor, Head of Global Internal Audit

Regional Head of Audit - UK/EMEA/APAC

9 Staff

Regional Head of Audit - North America

9 Staff

Regional Head of Audit - Latin America

8 Staff

Head of Global IT Audit

Department Administrator

9 Staff 8 Staff


Internal Audit Challenges 1

Challenge | Role of the GRC Audit Management System (AMS)

Provide clear framework to support audit process

Embed in AMS to ensure compliance / consistency

Support the widespread use of data analytics at planning and execution phases.

Single AMS supporting transparency / common view

Captured in AMS (audit approach / analytics)

Capture information once / globally accessible

Manager review trail

Support quality assurance process

Broaden skills in IA - guest auditors

Enhance audit practices

Transition from regional to global

Leverage “best practices”

Increase Audit quality and efficiency


Internal Audit Challenges 2

Role of Wider GRC System | Challenge

Improve interface / usage of risk data

Single location for all business actions

Improve action follow-up and closure

Improve interaction with other governance functions

Establish linkage between risk database and audit process

“Issue tracking” common repository for all governance issues – IA, Risk, Compliance, InfoSec, Security

Drive reporting off issue tracking database

Make “issue tracking” available to wider business – to view – action capture

Coordinated assurance project


Challenges As We Look Forward

Activity | Technology | Impact

Risk + Policies modules

Single data repository – risk & assurance

Common risk & assurance view

Issue tracking

Common database & reporting capability

Refresh risk appetite / policies

Risk owners

Co-ordinated assurance activities

Holistic Reporting


Experian GRC programme

Internal Audit Management

Issue Tracking

Compliance

Enterprise

Management

Group Policy

Risk Management

Rolling out

Operational

Operational

2016

2016

Operational


Project Timeline

2014 2015 2016 Live

Jan - July August Sep-08 Sep-22 Oct-17 Oct-20 Jan-05 Feb-09 Mar-06 Apr-01

VENDOR SELECTION

DETAILED REQUIREMENTS

Phase 1: Planning

Phase 2: Design

Phase 3: Build

Phase 4: User Acceptance Testing

Phase 5: Deploy

Phase 6: Operational Support


Audit Management System

Business requirements

Risk assessment / audit planning

Audit assignment planning

Audit execution

Work paper management / workflow

Audit status tracking

Audit closure / review

Reporting

Issues captured / tracking

Detailed requirements definition & capture


Project Guiding Principles

• Usability: The focus of development efforts will be on the usability of the tool.

• Consistency: The solution will be designed and developed according to the documented business requirements in the GIA manual.

• Change Management: Changes to scope must be formally documented and approved by the Management prior to implementation.

• Complexity: Simple solutions will be selected over complex solutions. The out of box solution will be utilised wherever possible.

• Alignment: Other GRC stakeholders will be consulted regarding proposed changes to shared components.

• Inclusion: GIA extended team (UK, Brazil, etc.) will be consulted on decisions involving usability.

• Sustainability: Solution will be engineered to require minimum maintenance and allow for Experian to extend the capabilities with in house resources.

• Documentation: All key decisions and solution architecture will be documented throughout the life of the project.


The Outcome – A Snapshot

Audit quality assessment 83%

Data analytics on 66% of Audits

Stakeholder post-audit feedback 4.2 out of 5

Hours of assurance 5% up on target per month

Report issuance <7 days v 10 days target

Employee engagement 89% (up from 81%)

Project objectives achieved

Live on time/ under budget


Role of Technology and Data in Achieving Our Goals

Audit Management

• Increased process consistency throughout regions

• Increased access to knowledge

• Increased efficiency through process automation

Issue Tracking

• Improved issue reporting and tracking

• Visibility of issues across the business

Data Analytics

• Enhanced audit planning process

• More efficient and effective testing procedures


Use of Technology and Data to Increase Business Value

Audit Management and Issue Tracking

• Build a strong relationship with governance and business functions

• More insightful audits

• Increase in assurance provided

• Facilitate better risk decision making

• Consolidated view of issues across the three lines of defence

Data Analytics

• Provide tools developed during the audit to the business


Benefits of Investing in Technology and Data Analytics

Transform culture from analysis to analytics to increase effectiveness of internal audits.

Build a strong foundation by establishing access to various data sources and partnering with governance and business partners to facilitate better risk decision making. Plan for the future by driving innovation and continue to recalibrate the strategy in response to emerging trends such as ‘Big Data’ and regulations.


Adopting Technology: Pitfalls to Avoid

• Overly complex business requirements that require significant configuration or coding changes

• Inadequate senior management sponsorship and engagement with the project

• Appointing vendors without vetting and securing the specific individuals who will work on the project

• Appointing vendors who don’t have the right mix of big picture/architectural and detailed technical experience

• Large and complex configuration changes that can cause integrity problems

• Maintaining highly configured solutions can be very costly
