Internal Audit, Risk, Business & Technology Consulting
next-gen internal audit ARE YOU READY?
VOL. Internal Auditing XV Around the World® Internal Auditing Around the World® Vol. XV Next-Generation Internal Audit: Catch the Wave
BRIAN CHRISTENSEN ANDREW STRUTHERS-KENNEDY Protiviti Executive Vice President Protiviti Managing Director Global Internal Audit Global IT Audit Leader
Experiment. Learn. Repeat.
A critical mass of factors has led internal audit functions to a watershed moment: They must disrupt or be disrupted. At Protiviti, we refer to the innovation and transformation internal audit functions must pursue as next-generation internal audit.1 These efforts — already underway in a growing number of companies — vary. But they share an agile, holistic approach centering on new directions for governance, methodology and technology that deliver efficiency improvements, stronger assurance and more valuable business insights.
For compelling reasons, chief audit executives (CAEs) are urging their teams to embrace an entrepreneurial spirit. Boards of directors and audit committees are raising their expectations regarding internal audit’s role. Directors no longer view internal audit as a place where a simple command of controls is sufficient. They and management want internal audit to address corporate culture, sustainability strategies, and other, still-unfolding and less tangible sources of organizational value.
1 The Next Generation of Internal Auditing — Are You Ready? Catch the Innovation Wave, November 2018, Protiviti: www.protiviti.com/ auditnextgen. Internal audit’s expanding role also demands keeping pace with business partners that are implementing transformation at breakneck speed. They are overhauling traditional business models and processes to enhance the customer experience, digitizing more offerings, and fortifying data-driven decision-making to boost operational performance. The magnitude of these changes explains why half of the top 10 risks board members and executives currently identify relate to digital transformation. These leaders are concerned about their workforce’s ability to transform quickly and in a risk-savvy manner, and whether their organization can compete effectively with nimble, born-digital firms.2
Other factors are demanding that internal audit develop next-generation capabilities. From a risk perspective, more audit leaders are suffering from bouts of FOMO (“fear of missing out”), as they see their counterparts in other companies advancing next-generation auditing models. This anxiety stems from the harsh reality that audit committees may turn to other functions in the company to generate more relevant and real-time insights if internal audit does not find ways to provide them. Internal audit functions that fail to modernize and innovate also risk being unable to attract the digital-era talent they need to thrive.
Overall, though, we see these developments as positive for the profession. The swift advancement of technology tools, combined with the emergence of new auditing methodologies, makes it an extremely exciting time to be an internal auditor. Our profession has never had a better opportunity to elevate its value proposition to new heights. That is evident within internal audit functions that are implementing process mining, robotic process automation and agile auditing pilots; reaping the benefits of 10x efficiency and efficacy improvements; learning from these experiments; determin- ing how to deploy these tools and methodologies more broadly; and more.
But as powerful as innovative auditing tools and methodologies are, their value is far surpassed by the change in mindset that internal audit leaders are working to instill in their teams. They understand that new ways of thinking are necessary for the function to seize this rare opportunity to collect, comprehend and convey insights that will help the business operate optimally and with a clear view of risk — and catch the innovation wave today and ride it into the future with confidence.
2 Executive Perspectives on Top Risks for 2019 — Key Issues Being Discussed in the Boardroom and C-Suite, the annual global survey of board members and executives conducted by North Carolina State University’s ERM Initiative and Protiviti: www.protiviti.com/toprisks.
Internal Auditing Around the World® Vol. XV | ii Internal Auditing Around the World® Vol. XV Table of Contents
i Foreword
v Introduction
1 Accenture PLC
5 Anixter International Inc.
10 Brinks Home Security
15 Capital One
20 Country Road Group and David Jones
24 Delta Air Lines
29 Deutsche Telekom
33 DriveTime
37 Fidelity Investments
42 The Jardine Matheson Group
46 MUFG
50 NTT Communications
54 Occidental Petroleum Corporation
59 Synchrony
64 TD Bank Group
69 Zain Group
75 About Protiviti Internal Auditing Around the World® Vol. XV
Introduction
Jon Kabat-Zinn You can’t stop the waves, Ph.D., Scientist, Writer, Author and but you can learn to surf. Meditation Teacher
The digital era continues to bring wave after wave of disruptive change. Even companies that embrace the change can feel like they’re caught in powerful currents, unable to control their vessel properly or orient themselves in the right direction. They are under pressure not only to adapt to change, but also to invite it through transformation and drive it through innovation.
For companies that are working to become next-generation businesses, the churn of change must run deep inside their organization and into their key functions and must be more than just a digital or transformation veneer. This includes internal audit. Meeting the expectation to transform, innovate and become more future-focused is not easy for a function that has long been tasked with looking backward, confirming that controls are in place and working and, if they’re not, assessing why and outlining a plan for remediation. But our recent paper on the next-generation internal audit function makes a compelling case for the need to look forward.1
This means rethinking how internal audit teams perform their work. How can they adopt more agile practices and engage the business earlier in the audit process? How can they become more data- and technology-enabled to deliver on their objective to provide effective risk
1 The Next Generation of Internal Auditing — Are You Ready? Catch the Innovation Wave, November 2018, Protiviti: www.protiviti.com/ auditnextgen. management more efficiently, and even predictively, to the greatest extent possible? How can they shift from being a risk- and change-averse function to becoming a center for innovation in the company, helping the business itself to transform? Answering those questions requires balancing new internal audit models with the right technology, resources and methodologies, as well as governance and infrastructure, to create value.2
It also requires a new mindset — as well as cultural change within the function. Through our interviews with internal audit executives for this year’s publication, we learned that there is a sense of urgency in many organizations not only to become a next-generation internal audit function, but also to set an example for the profession.
A Long-Unfolding but Accelerating Evolution for Internal Audit
All of the change that’s reshaping the internal audit function today may seem new, but in many respects, it’s been unfolding for some time. Looking back on our past 15 years of publishing Internal Auditing Around the World®, we can see that internal audit functions, on the whole, have been steadily reinventing their role in the business, becoming more of a strategic partner while also maintaining their independence and objectivity.
When we celebrated our 10th edition of Internal Auditing Around the World®, we offered a prediction about the “future auditor,” anticipating that these professionals would engage in even greater levels of collaboration in the business, wield more powerful technology, and assume an even sharper risk focus, while also taking on a greater leadership role. All of those things are true for the profession today. And now, we see progressive functions led by future-minded leaders proactively disrupting how they think and work, rather than waiting to be disrupted.
As C-level executives and internal audit professionals read our profiles of leading internal audit groups worldwide, we hope they will be inspired by the work of their peers. For those struggling to bring change to their functions, may they take comfort in knowing that becoming a next-generation internal audit function can be a slow and often frustrating process, even for the most progressive and resource-rich organizations. For all internal audit leaders and their teams, learning how to catch and ride the wave of change requires hard and sometimes painful work, as well as a willingness to believe that what might at first seem impossible can be achieved with focus and persistence.
Protiviti July 2019
Acknowledgements
We would like to thank the organizations and internal audit leaders who contributed to Volume XV of Internal Auditing Around the World®. We appreciate learning their stories of struggle and success as they help their organizations evolve into next-generation internal audit functions.
We would also like to acknowledge The Institute of Internal Auditors (The IIA) for its commitment to advancing the internal audit profession.
2 Ibid.
Internal Auditing Around the World® Vol. XV | vi Internal Auditing Around the World® Vol. XV
Accenture PLC Assessing Internal Audit’s Competencies of the Future Today
Kathy Perrott The bots can do the testing work in two to three minutes Managing Director, and be done with it. The savings in terms of time and effort Internal Audit Services are incredible once you get it set up properly, and we think there are many other opportunities to apply RPA.
Accenture PLC Accenture takes an innovation-led approach large workforce and global footprint. While to helping clients “imagine and invent” some additions to team size have been made their future. The global professional services in the past year, including establishing company’s 477,000 employees’ intense focus a small team in Japan in response to the on inventing, developing and delivering significant growth the company has notched disruptive innovations in recent years in the country, as well as increasing the has paid off. Today, more than 60% of the number of internal auditors on the IT audit company’s revenues, which have increased team, Perrott and her senior team seek to steadily in each of the past several years, leverage new technology — including robotic come from its digital, cloud and information process automation (RPA) and analytics, in security offerings. particular — to continually streamline the function’s work. Accenture’s end-to-end business architecture is aligned around distinct and Operating efficiently represents a primary highly focused businesses — Accenture objective of the internal audit function’s Strategy, Accenture Consulting, Accenture investment in next-generation technology Digital, Accenture Technology and Accenture and approaches. “We don’t have an unlimited Operations — through which it delivers budget,” Perrott says. “As Accenture services and solutions to clients in more than continues to grow, we have to make sure 40 industries, through 13 industry groups. we’re getting optimal coverage of the highest The company’s clients include 92 of the risk areas. I also want to operate as a good Fortune Global 100® and more than three- company citizen, which means contributing quarters of the Fortune Global 500®. to the bottom line by doing everything we can to operate cost-effectively.”
The function’s commitment to innovation and transformation serves another purpose. Accenture takes an innovation-led “The people we want to attract are those who approach to helping clients “imagine want to innovate and develop new ways of and invent” their future. doing things,” Perrott explains. “They’re less attracted to old-school auditing approaches. By continuously innovating, we are better “Innovation is the name of the game for our positioned to attract the level of talent we client-facing business, as well as almost want and need on our teams.” every other function within Accenture,” says Talent management qualifies as one of Managing Director, Internal Audit Services, Perrott’s professional passions. “Competency Kathy Perrott. “The entire company is assessment and training are close to my committed to exploring new ways of doing heart,” she says, while emphasizing that things by leveraging new technologies staffing the internal audit function of the and challenging ourselves to think and act future is a multifaceted challenge — and one creatively.” that she enjoys unraveling. “It’s become clear that if you want internal auditors who Drivers of Audit Innovation can transition to these new capabilities, you can’t look for people who have proven That mindset pervades the internal audit skills — because those skill sets are not yet function, which represents a relatively small fully formed,” Perrott continues. That’s team within Accenture, given the company’s
Internal Auditing Around the World® Vol. XV | 2 why Perrott has focused significant time properly, and we think there are many other and effort on competency assessments. opportunities to apply RPA. We’re now looking The idea, she says, is to identify which at other testing procedures that we perform characteristics (e.g., being comfortable with as well as working with other parts of the ambiguity, creativity, resiliency, a knack for business that either do the testing themselves strategic thinking) correlate with the ability or have a significant role in the process.” to deploy yet-to-emerge technology and approaches, manage rapid change, pivot on a dime, and address related aptitudes likely to become increasingly valuable as digital The internal audit function’s most transformation advances. recent innovations involve RPA, “It’s tricky, and I can’t say that I have all of digitized reporting and an extremely the answers,” Perrott notes. “But it’s an area valuable data-access upgrade. that we’re working on so that we can be clear on the competencies we know we’ll need and the types of training that will help our Internal audit is also working with the IT auditors develop new skills.” function to identify opportunities for IT to reconfigure or re-engineer certain processes RPA, NLP and Data Lakes and controls to make them more suitable for RPA-enabled testing. As her team looks The internal audit function’s most recent for additional RPA opportunities, Perrott innovations involve RPA, digitized reporting says it is important to have a comprehensive and an extremely valuable data-access upgrade. understanding of the process steps that After assessing the organization’s development bots execute (so that necessary auditing and use of RPA last summer, Perrott’s function evidence can be retained) and to establish developed a proof of concept for internal ongoing RPA oversight. “You have to monitor audit’s use of RPA to test Sarbanes-Oxley- any changes in the underlying application related service organization controls and infrastructure that could potentially render general controls in Accenture’s information the bot obsolete,” she asserts. “You can’t technology (IT) and internal controls develop them and then ignore them. You 1 functions. The team developed three bots that have to monitor and maintain them because performed the testing of those controls in an the different systems and applications that automated fashion. Internal auditors chose the bots are accessing often change.” those areas for the RPA applications because Accenture’s internal auditors also developed the internal controls there had been subject bots to automate reporting out the to highly repetitive manual tests for years department’s GRC application. This reporting and also because those controls had remained provides real-time status regarding audit highly stable during that time. performance metrics, status of open and “The bots can do the testing work in two to closed issues, and various trending data. three minutes and be done with it,” Perrott They are also currently working on digitizing reports. “The savings in terms of time and reporting out of a CRM tool that is used to effort are incredible once you get it set up schedule hundreds of risk discussions with
1 “Robotic Process Automation and Internal Audit — Are You Ready?” Protiviti webinar recording available at www.protiviti.com/US-en/ events/robotic-process-automation-and-internal-audit.
Internal Auditing Around the World® Vol. XV | 3 business leaders and management across Enterprise Insights group’s assistance, the company, as well as other key contacts, designed a self-service solution in which and store the notes from those discussions. internal audit could leverage the data from The function is also exploring how natural the enterprise data lake, curate, perform language processing (NLP) capabilities can be analytics and deliver results to audit teams applied to identify and tag key risks or other while ensuring proper security controls over important points captured in the discussion the data. The solution required a new suite of notes. Additionally, internal audit is working tools to speed up processing and significantly with the legal group to apply NLP to client improve visualization of results. Internal and vendor contracts to search for variances audit submitted a proposal to the company’s from standard contract clauses or required IT steering committee, which gave the project clauses that are missing altogether. a green light — a major win considering that hundreds of business case requests are Those advancements are similar to risk submitted each year to the same committee dashboards the internal audit function and only a fraction are approved for funding. has created by digitizing risk models the The solution has taken about a year to function previously developed. Until recently, complete, according to Perrott. updating the risk models with current data required a fair amount of manual work “The long and the short of it is that we’ve — data had to be downloaded, sorted and upgraded our analytics technology architecture integrated. “We might have performed that in a major way,” Perrott continues. “And work once a quarter,” Perrott says. Now, the that’s enabled us to tap into just about automated risk dashboards provide more everything that Accenture has overall from frequent and near real-time updates. The a data perspective.” dashboards also provide a more robust drill- These experiences show why Perrott places down capability that allows the audit teams such a great emphasis on identifying talent to perform more in-depth analyses. The who have the desire and wherewithal to take combination of more timely data access, as internal audit to the next level and thrive in well as robust drill-down, Perrott continues, the future. Perrott points out that leveraging has enabled the audit team to “improve the advanced technology requires auditors who quality of our audit selection, scoping and possess a blend of technical and interpersonal testing — it’s been truly incredible.” Yet, skills, including the ability to collaborate. she also emphasizes that this powerful new “Because we got out of the gate relatively early capability is the direct result of her function’s with both analytics and RPA, our business persuasive skills and convincing the business partners and stakeholders are interested in — trust that took time to build. learning from our experience,” she adds. Internal audit previously had plenty of data “When they’re highly receptive to finding assets, Perrott explains, but accessing and out how we can help them, that helps us as downloading the data was a time-consuming well because we can show them how to more and cumbersome endeavor that needed to effectively monitor and manage areas that fall be scheduled and frequently timed-out due under their responsibility, and it allows us to to scale and complexity. As internal audit place more reliance on their results.” sought to expand its analytic capabilities, the team looked to leverage an enterprise- level solution. Internal audit, with the CIO’s
Internal Auditing Around the World® Vol. XV | 4 Internal Auditing Around the World® Vol. XV
Anixter International Inc. Wiring Up Business Transformation
Ed Rogowski If your business is going through transformation, and you Senior Vice President don’t have a forward-thinking internal audit department, Internal Audit, you run the risk of being unable to take full advantage of Chief Audit Executive the opportunities that transformation presents.
Anixter International Inc. In 1957, brothers Alan and Bill Anixter saw a and solutions to set up the electrical service, business opportunity: buying wire and cable computer networks, security, A/V, wireless by the mile and selling it by the foot.1 The and more. We can serve and support two recognized that many end users, like everything from data centers to retail stores construction firms, wanted to purchase only to manufacturing environments.” enough product to suit the needs of their Anixter also serves utilities — and expanded projects — and not invest in enormous reels that aspect of its business with the 2015 of wire and cable from manufacturers. So, acquisition of HD Supply’s Power Solutions with a $10,000 loan from their family, the group. “We now manage the inventory for brothers established a wholesale distribution many large utilities in North America,” company that would evolve over the next 60 Rogowski explains. “So, as an example, years into Anixter International Inc., a global if there’s a storm or natural disaster and Fortune 500 business with more than 8,700 utility wires are down, we have prepackaged employees in over 50 countries. kits ready to go for the linemen. They can just grab what they need and get to work on restoring electricity.”
Rogowski says that part of the reason Harmonizing and Rationalizing the company hired him was to help Control Processes the business transform and assess its Anixter has been growing through acquisitions risk landscape. for years, but Rogowski says the business found it challenging to vertically align its companies and their processes and systems. That lack of Today, Glenview, Illinois-based Anixter helps alignment presented business risk to Anixter. to build, connect, power and protect valuable Rogowski says that part of the reason the assets and critical infrastructures2 for about company hired him was to help the business 130,000 customers around the world. Its transform and assess its risk landscape. “They business segments include Network & Security wanted someone in internal audit who could be Solutions (NSS), Electrical & Electronic a partner to the business and provide the right Solutions (EES) and Utility Power Solutions solutions for addressing risks,” he says. (UPS). Anixter also provides inventory management services, such as procurement, When Rogowski joined Anixter about four quality assurance testing, advisory engineering years ago, he brought with him decades of services, and e-commerce and electronic data audit leadership experience that he earned interchange, to many of its customers. in the pharmaceutical and airline industries and at a global management consulting and “Anixter offers almost anything related to professional services firm. “I have a track cabling or electrical applications,” says Ed record of helping to mature organizations,” Rogowski, senior vice president, internal he says. “I implement a business partnering audit and chief audit executive at the company. role for internal audit, focusing on business “If you’re constructing an office building, risks versus financial risks. So, for example, for instance, we can provide the products we’ll look at operational risks, combine that
1 “Who We Are,” Anixter Investor Relations, Anixter website: http://investors.anixter.com/home/default.aspx. 2 “About Us,” Anixter website: www.anixter.com/en_us/about-us.html.
Internal Auditing Around the World® Vol. XV | 6 with an enterprise risk management (ERM) While building his new department and approach, and then identify where we need evaluating existing audit processes, Rogowski to apply internal audit resources.” says he noticed patterns of audit failures in different parts of Anixter’s business. “Talking Rogowski emphasizes that internal audit can with the CFO and the audit committee, I noted be a critical partner to any business pursuing that our team needed to dig deeper to find the a major change initiative like Anixter. “If your underlying causes for these repeated failures,” business is going through transformation, he says. and you don’t have a forward-thinking internal audit department, you run the risk One area the internal auditors examined was of being unable to take full advantage of the Anixter’s South American operations. “We opportunities that transformation presents,” found they lacked good control processes, and he says. people weren’t being trained well enough on the company’s expectations for controls,” Uncovering — and Resolving — the says Rogowski. Underlying Causes for Audit Failures So, the internal audit team worked closely Rogowski says completing a thorough risk with local contacts in each country to identify assessment and understanding how and where the right processes to follow. “Then, we had the business and the board see risk are high to harmonize and rationalize those processes priorities for Anixter’s internal audit function. across the whole entity to come up with a So, too, is determining what kinds of audits the common set of processes and procedures,” team needs to conduct to track the company’s says Rogowski. “After that, we set up the progress in addressing key risks. training. Now, we’re at a point where we can go back and resume audits of these locations Building the internal audit team has been because they know what the expectations are another focus for Rogowski. When he first and how to achieve them.” joined Anixter, he inherited an organization that had experienced significant turnover, leaving only a team of two. Now, he has nine internal auditors who focus primarily on Rogowski emphasizes that internal operational audits. Anixter outsources its IT audit can be a critical partner to any audits, IT risk assessments and cybersecurity testing, as well as its Sarbanes-Oxley (SOX) business pursuing a major change compliance work, to expert resources. initiative like Anixter.
“Outsourcing frees up my team’s bandwidth so we can focus on other value-added work,” Rogowski says the auditors’ work in South says Rogowski. “It also prevents them from America is just one example of how the getting pigeonholed. If they’re too bogged internal audit team is assisting Anixter with down with compliance work to be a partner its business transformation. “Ultimately, to the business, it undermines their ability to the goal is to fully integrate processes for provide value. It also limits their credibility if all organizations across the company into they’re seen as just ‘SOX auditors’ instead of a common set of business practices and ‘business consultants.’” policies,” he says.
Internal Auditing Around the World® Vol. XV | 7 Taking a Seat at the Digital Project RPA,” he says, adding that some auditors are Design Table training on RPA so that they can both identify good RPA opportunities in the business, as Internal audit at Anixter is also helping to well as play a role in the implementations. support the company’s efforts to deliver Innovation and Business Transformation, Once Anixter completes its move to the new which includes maturing technologically, platform, the internal auditors can start to through implementation of the Oracle Cloud experiment more with technology in their Platform. “We’re heavily involved in that department, Rogowski says. “We’ll be in a journey, not only in identifying what types really good position by then because we’ll of controls the business needs, but also in have the right skill sets to do more data assuming an independent oversight role on analytics and RPA types of activities that the project,” Rogowski says. “We’re helping can help position us as an agile group,” to make sure that it’s managed and reported he explains. (The agile work methodology on appropriately.” has been embraced at Anixter after it was introduced by the business transformation team, according to Rogowski.)
The internal audit team is now preparing to In the future, Rogowski says he would master the data analytics tools available within like to see his team using data analytics Oracle Cloud. “We’re building expectations to identify trends. about the type of data we can access and use for reporting,” says Rogowski. “A lot of the tools that we’re using come out of the box, which is
A designated team member from internal very helpful.” audit monitors the overall project plan and In the future, Rogowski says he would like to attends many of the design meetings to make see his team using data analytics to identify sure the right topics are discussed, according trends. “We could then transfer ownership of to Rogowski. “We’re really embedded in the a data analytics program back to the business process of the whole design function,” he and say, ‘Here’s how we can view some of the says. “And that will continue throughout relationships between the transactions that the entire implementation, which will be you process through your organization. And completed in 2023.” here is a program to help you monitor your
Rogowski says Anixter is also creating several performance,’” he says. “If we’re doing our robotic process automation (RPA) solutions job right, we should be able to create many of in conjunction with its transition to Oracle these opportunities in our audit areas.” Cloud. “The internal audit team is embracing
Internal Auditing Around the World® Vol. XV | 8 Providing a Pipeline of Talent for the Business While Rogowski says finding and When Rogowski hires for his team, he says he tries to recruit “the best athletes” he can retaining that talent can be tough, he find. “I look for people who have not only isn’t always sorry to lose good people. an internal audit or accounting background, Turnover in internal audit can be a but also a demonstrated ability of partnering positive thing, he says — provided that with and being a valued consultant to the the professionals leaving the function business,” says Rogowski. “I want people who can roll up their sleeves to help the stay within the company. business solve problems, rather than just identify issues and walk away.” One way that Rogowski helps his team to Rogowski also looks for professionals who build their business savvy is to share insights are comfortable working with databases and that he gains from serving as chairperson know how to pull data out of systems. And he of the board at Chicago-based Alliant Credit seeks internal auditors who can think from a Union, one of the largest credit unions in the process perspective and contemplate, “What United States. Rogowski has been on Alliant’s is the most efficient way to audit?” board of directors for a decade and in the While Rogowski says finding and retaining chairperson’s seat for five years. that talent can be tough, he isn’t always sorry “I think my experience with Alliant helps to lose good people. Turnover in internal audit me to keep my team at Anixter engaged and can be a positive thing, he says — provided informed because I understand how the board that the professionals leaving the function looks at risk and what they want auditors to stay within the company. “I like to have my focus on,” he says. “I can give my team more auditors go into the business, and for internal understanding of the big picture — helping audit to be seen as a pipeline of talent for them to see where business strategy meets the company,” Rogowski says. “It enhances the internal audit mission.” the credibility of the team members, the department’s credibility and increases internal control awareness throughout the company.”
Internal Auditing Around the World® Vol. XV | 9 Internal Auditing Around the World® Vol. XV
Brinks Home Security “Just Start”: Advancing and Refining a Next-Generation Audit Approach
Lynne Howison Our company is changing rapidly and undergoing digital Senior Director of transformation, so internal audit has to obtain information Internal Audit faster than the traditional model allows. Management and the audit committee don’t want to know what happened six months ago — they want to know what’s happening right now.
Brinks Home Security A widely recognized brand, Brinks Home Lean, Mean and Always Moving Forward Security has long been known for its Howison leads a two-person internal audit dedication to security and protection. function. After her former direct report The company has bolstered this brand was promoted to a more senior role in the reputation while also becoming known for company’s finance and accounting function, rapid and creative innovation. A number Howison hired a senior auditor with a of major ongoing changes, including the decade of auditing experience, information implementation and refinement of an technology (IT) auditing expertise, and e-commerce system, have enabled the Certified Information Systems Auditor company to increase its growth rate during (CISA) credentials. Through advanced the past two years. A few years ago, technologies and auditing methodologies, Brinks Home Security launched a direct- including data analytics, robotic process to-consumer online channel, which now automation (RPA), continuous auditing and complements sales of its alarm systems agile auditing techniques, the lean internal and services through dealers that perform audit function can perform more work in the installation, as well as a do-it-yourself less time, though Howison asserts that the offering supported by more streamlined primary purpose of these tools is to provide installation assistance. more speed and information. Based in Dallas, Brinks Home Security is the “Our company is changing rapidly and sole operating subsidiary of Denver-based undergoing digital transformation, so Ascent Capital Group, Inc. (Nasdaq: ASCMA), a internal audit has to obtain information publicly listed company. Most of Brinks Home faster than the traditional model allows,” Security’s approximately 1,000 employees Howison notes. “Management and the work from the Dallas area. The company also audit committee don’t want to know what operates offices in Kansas and Illinois. happened six months ago — they want to “The customer is our business,” notes Brinks know what’s happening right now.” As a Home Security Senior Director of Internal result, the internal audit function is intensely Audit Lynne Howison. “Everything we do focused on keeping pace with the business. centers on acquiring, retaining and satisfying Keeping up, Howison says, means identifying the customer.” This aspect of business is risk factors faster and then providing useful thriving: Brinks Home Security was ranked feedback to management that strengthens highest in customer satisfaction among their decision-making process to ensure that home security brands as part of J.D. Power’s they’re meeting their strategic objectives. 2018 Home Security Satisfaction Study. ℠The “And, yes,” she adds, “we do a lot with a little company’s corporate data analytics group given our size. We have to be very creative on plays a pivotal role in tracking, analyzing and that count.” sharing information and metrics that help Not surprisingly, the internal audit function’s the rest of the business understand customer strategic objectives include the goal of keeping behaviors. This understanding helps increase up with advanced auditing techniques and customer acquisition and retention rates. tools. In addition to his IT auditing expertise,
Internal Auditing Around the World® Vol. XV | 11 Howison’s senior auditor has experience 2. Don’t reinvent the wheel: As internal using ACL’s auditing analytics software, and audit sought to increase its use of he is training to use Tableau’s visual analytics advanced analytics to examine customer- software. He and Howison are also refining and revenue-related risks, Howison the governance, risk and compliance (GRC) decided that “we’re not going to reinvent tool they use for managing the company’s the wheel.” Instead, she and her senior Sarbanes-Oxley (SOX) program. The function’s auditor tapped into the existing data goals this year include applying RPA to at least lake maintained by the company’s data one auditing process, completing work on analytics group. “I can’t hire a team of a continuous auditing capability, advancing data analytics experts,” she adds, “but I the use of agile auditing and increasing the can go downstairs to the head of our data application of data analytics throughout the analytics group, find out about the rich annual audit. data analysis that we already have within the company, learn how management’s using it, and figure out how we can leverage that.” The enterprise risk assessment that 3. Collaborate: After learning about how internal audit conducts each year also agile auditing could produce more timely serves as an important guidepost — and relevant audit results, Howison one that helps ensure that the function and her senior auditor sat down with a remains focused on the issues that are similarly lean internal audit function in another Dallas-based company to of the greatest strategic importance. discuss agile auditing strategy and practices. “We brought our teams together and whiteboarded out how we could Howison relies on the following set run an agile audit in accordance with of decidedly nontechnological guiding auditing standards,” Howison says. principles to help her function succeed in That collaboration produced a two-page its testing and implementing of advanced document laying out an agile auditing auditing techniques and technologies: methodology that Howison’s team has 1. Take “thoughtful leaps of faith”: When been using for the past few years. considering how to apply advanced auditing The enterprise risk assessment that internal technology, Howison is less concerned with audit conducts each year also serves as an identifying in advance which audits will be important guidepost — one that helps ensure conducted with the new technology or what that the function remains focused on the the outcomes of those experiments will issues that are of the greatest strategic be. Instead, she is more focused on getting importance — as Howison and her senior started, learning from the experience, auditor expand their use of next-generation applying those lessons and then expanding auditing techniques. the use of that technology to more audits. “We’re a small team,” she says, “so our mindset is, ‘Let’s just start.’ That’s the most important part — taking a thoughtful leap of faith.”
Internal Auditing Around the World® Vol. XV | 12 Data Tells a Deeper Story Move Faster, Illustrate More
To meet her function’s objective of increasing Like the analytics-supported sales audit, its use of data analytics in audits, Howison the deployment of agile auditing also began learned about existing sales and customer with collaboration. Using the two-page plan analytics from the company’s data analytics from the collaborative planning session as a group before auditing the sales function. guide, Brinks Home Security auditors applied “Before we went out into the field, we met the methodology. with the director of our data analytics group,” she says. “We got as much data analysis and information about the sales process as possible from him. That interview helped us figure out The combination of traditional internal the most meaningful questions to ask about audit interviewing and precise support- sales and customer data and who to ask.” ing data enabled internal audit to share Equipped with those insights and customer a more concise and convincing story and sales analyses, Howison and her senior with senior management regarding auditor visited with sales leaders to discuss sales function risks and opportunities. what the data revealed concerning key sales measures like customer acquisition and attrition. “When we saw something that “In our most recent audit, we followed the might drive attrition, we could drill down into agile audit methodology — we did not wait a high level of detail to identify possible root until we had fully documented everything causes,” explains Howison. “Those extremely or even finished all of our procedures,” detailed analytics led us down the path to hold Howison says. “As soon as we had a number much more directed follow-up conversations of findings and the data and illustrations to around internal controls,” Howison says. support the findings, we shared them with “At the same time, we’re always keeping the management.” enterprise risk perspective in mind because issues like sales and attrition are the most Howison and her senior auditor individually important concerns.” sat down with the company’s chief financial officer (CFO), chief operating officer (COO), The combination of traditional internal and president of sales and examined the audit interviewing and precise supporting initial findings well before the final report data enabled internal audit to share a more was completed. “They were extremely concise and convincing story with senior receptive to the new approach because they management regarding sales function could utilize the information we shared risks and opportunities. The next steps for immediately to start making changes internal audit in its use of data analytics and improvements,” says Howison. The include leveraging Tableau to report the same executives also provided feedback on how information in a more visually compelling the interim reports could be improved, and manner and to start automatically receiving internal audit incorporated that guidance into relevant sales and customer analytics without its next round of interim reports. having to submit requests to the corporate analytics function.
Internal Auditing Around the World® Vol. XV | 13 “Our CEO has been very engaged in our agile That agility is crucial if the internal audit approach,” Howison notes. “He’s validated function is to fulfill its goal of keeping pace the importance of our findings, and monitors with the business. While advanced auditing what changes are being made in response techniques and emerging technologies are to our work and when those changes are key enablers of that agility, Howison points being completed. The audit committee also to a far more traditional auditing tool — one- provided very positive feedback.” on-one interviews — as a vital initial step prior to testing out new advanced approaches.
“When we’re interested in using new tech- nology to audit a specific process, I talk to While advanced auditing techniques the people who perform the process, as well and emerging technologies are key as all of the people surrounding the process enablers of that agility, Howison points and/or affected by it,” Howison adds. “Those to a far more traditional auditing tool insights give us a comprehensive picture of — one-on-one interviews — as a vital the process that no one else in the company usually sees. And that helps us ensure that initial step prior to testing out new we’re focused on the right enterprise risks advanced approaches. as we introduce new methods and tools.”
Internal Auditing Around the World® Vol. XV | 14 Internal Auditing Around the World® Vol. XV
Capital One Transforming Digitally and Operationally to Become an “Industry Beacon”
Chris Kyriakakis As Capital One embraces the 21st-century digital revolu- Chief Technology Auditor — tion that we all experience and live every day, it’s become Managing Vice President, clear that we need to rethink how to address the risks of Technology Audit, a bank building a leading technology company that can Innovations and Analytics thrive in a world being revolutionized by software and data, and be part of the company’s journey.
Capital One Capital One, headquartered in McLean, merchant-funded rewards. Across the Virginia, is a diversified bank that offers company, Capital One is building customer a broad array of financial products and experiences that are real-time and intelligent. services to consumers, small businesses Delivering real-time, intelligent solutions and commercial clients in the United States, is just one example of how Capital One Canada and the United Kingdom. It is also is constantly working to improve how it one of the most widely recognized financial engages with and serves its consumers. brands in the United States. That’s due, in no The bank also drives innovation through its small part, to its highly successful “What’s in Capital One Labs — experimental product Your Wallet?” campaign, which it first rolled and technology incubators that work with out in 2000 with the goal of making its brand financial technology (fintech) startups a household name. and emerging technologies like artificial This year, Capital One will celebrate its intelligence (AI) and machine learning. 25th anniversary as a public company. It Through the labs, which are located in tech has reached the top 100 of the Fortune 500, hotbeds like New York City, San Francisco and built one of the nation’s largest credit card the Washington, D.C. metro area, Capital One businesses and the second-largest auto is evolving the mobile banking experience finance company, and is now the fifth-largest for consumers. It’s also designing and consumer bank in the U.S. and the eighth delivering new services and products, like its largest bank overall. AI-powered virtual assistant, Eno, for credit card customers.1
Innovation at Capital One is not just the domain of Capital One Labs, however. Teams across the enterprise — including Teams across the enterprise — including internal audit — are finding new ways to internal audit — are finding new ways to work and help deliver on the company’s work and help deliver on the company’s efforts to continually break new digital efforts to continually break new digital ground and maintain its competitive edge ground and maintain its competitive edge in an increasingly tech-driven industry. in an increasingly tech-driven industry. “Technology is core to Capital One’s business. We think about banking as an inherently digital product, and we are intently focused Each month, tens of millions of customers on the customer experience,” says Chris visit Capital One’s online and mobile customer Kyriakakis, chief technology auditor and servicing platform. The company uses credit managing vice president, Technology Audit, card transaction data and machine learning to Innovations and Analytics (Tech Audit), at deliver proactive insights to customers about Capital One. “Capital One has been on a their spending and to help detect problems journey to build a technology company that they might miss. They have features that help does banking and competes with banks that online shoppers save money by automatically use technology.” searching for the best prices across the internet, finding online coupons, and offering
1 For more about Eno, see www.capitalone.com/applications/eno/.
Internal Auditing Around the World® Vol. XV | 16 Pursuing a Data-Driven, Multifaceted •• Data products and automation — “We’re Innovation Agenda looking at how to use data products and automation to support the work that’s Chief Audit Officer (CAO) Celia Edwards done in internal audit,” Love explains. Karam leads Capital One’s 300-person “We’re stepping back and thinking more internal audit function. She reports directly broadly about how data products can give to the audit committee of the Capital One internal audit line of sight into what’s board of directors. Internal audit staff are happening in the business and support distributed across several of Capital One’s processes like continuous monitoring.” U.S. and international offices and provide She says one objective is to equip auditors assurance to the bank’s various business lines with self-serve dashboards and other tools and functions. The Tech Audit team, which that will help them plan, prioritize and Kyriakakis leads, has about 80 auditors focused prepare for engagements more effectively. on auditing all of Capital One’s technology and • data risk. Tech Audit also has a Data Analytics • Analytics to support audit delivery and Innovation unit, which serves the whole — The third component of the team’s department; Kaleen Love, vice president of agenda is generating high-quality business analysis, leads that group. analytics to support audit delivery. “That’s the bread and butter of what we While the Analytics and Innovation (A/I) do,” says Love. “We need to make sure organization within internal audit is new internal audit uses the right data for — a little less than a year old — the use of every audit and brings quantitative, data- data analytics in Capital One’s internal audit driven insights to the table as part of its function is not. “Capital One has been a data- assurance work.” The A/I team provides driven company since its inception,” says analytics support that includes full- Kyriakakis. “It’s also had an internal audit population testing, exception testing, department from the start, so the function, script reviews and more. like our company, has always been very data- • driven.” About 20 people on the core internal • Internal audit’s technology stack — audit team focus on analytics, he says. According to Love, this aspect of the team’s work involves making sure that The A/I unit, meanwhile, includes data internal audit has the right technology scientists and other specialists who work infrastructure and tools “to support closely with those internal auditors but are machine learning and data products and also focused on “deep innovation aspects quick-turn agile analytics in service of of audit,” according to Love. She says her the audit plan and audit delivery.” She group’s innovation agenda includes the says, “We are partnering closely with the following areas: technology group at Capital One to think •• Machine learning and AI — The A/I team about how we can ensure internal audit is exploring how internal audit can apply has the appropriate infrastructure to machine learning models, data science consume data from the business, combine techniques, and other advanced technology it with our own data, such as the historical products and functionality to Capital One’s issues and ratings in all of our working vast and ever-growing trove of data “to papers, and deliver data-driven insights power deep and broad risk-based insights” consistently to our auditors.” for the business, Love says.
Internal Auditing Around the World® Vol. XV | 17 •• Strategy, people and practices — “We can experiences for the better, according to build fantastic models and data products, Kyriakakis. Using the feedback that they but if our auditors don’t feel like those receive and other learnings they gain from things help them in their work, then what the research process, internal audit, as a have we really done?” asks Love. Empathy whole, is developing new ways to visualize research, which includes “design thinking its audit universe and understand the sessions,” plays a key role in helping her connections between audit entities. team to engage the whole internal audit “How do these entities interact? Do they department in their work and to “really share applications? Data? Third parties? understand the needs of the auditors” Do thematic issues link them, and can we so that the products her team designs present this information in a visual way to add value and are easy to use. Love says, our auditors? This kind of thinking is helping “We’re not just off in a corner trying to do us get to the point where we can provide something cool — we are tapping into the dynamic assurance back into the company, collective knowledge and wisdom of the even as things change in the business and the department in everything we do.” risk landscape,” says Kyriakakis. She adds, “We also need to make sure that Adopting agile work practices, and managing we, as a team, are well-managed in our the related change effectively, is part of the own processes and that we’re using best effort to improve how the function interacts practices for what we build and maintain with and provides value to the business. and for how we partner with and pull in Several years ago, Capital One embraced data from the first and second lines of the agile methodology for deploying new defense in the business.” products and capabilities to customers. Kyriakakis says that internal audit quickly saw the value of “agile pods,” which are small, cross-functional and multidisciplinary Empathy research has been essential teams that focus on managing a specific task for helping internal audit leadership and its related risk, and which reprioritize at Capital One to understand how their work every day. “It’s a nimble way both auditors and auditees experience to work,” says Kyriakakis, “and it got us audit processes — and to look for thinking about how we could incorporate agile into our audit delivery framework.” opportunities to change those experiences for the better. In 2017, Capital One’s internal audit function restructured its audit delivery operations into agile pods. “We empowered the pods to Increasing Productivity and Transparency prioritize how they deliver work, what they With Agile Practices should work on and when,” says Kyriakakis. “We’ve established routine cadences to Empathy research has been essential for identify any impediments that come through helping internal audit leadership at Capital the audit process and allow the pods to One to understand how both auditors and resolve those issues as quickly as possible.” auditees experience audit processes — and However, while the shift to agile is allowing to look for opportunities to change those internal audit to engage management
Internal Auditing Around the World® Vol. XV | 18 earlier in the audit process and create more All of these initiatives, from moving to an transparency in all aspects of how it delivers agile delivery model to building the right work, Kyriakakis says the transition has not tech stack to support the function, are part been without its challenges. of a much bigger vision for internal audit at Capital One — and for the profession itself. “We knew the move to agile would be a Karam has established this vision for the significant change,” he says. “So, we spent team: “To be an industry beacon that has about 18 months conducting research, redefined internal audit by providing high- developing and piloting our model, and then value, independent and proactive insights, fully deploying it in a thoughtful way. Still, innovating with technology and being a it takes time, energy and persistence from destination for top talent.” our team to embrace all the differences in an agile delivery framework versus a traditional audit delivery framework. There have been bumps along the way, but it’s been a fun All of these initiatives, from moving to journey so far.” an agile delivery model to building the Embracing a Time of Inevitable Evolution right tech stack to support the function, for Internal Audit are part of a much bigger vision for
In the months ahead, Love says that the A/I internal audit at Capital One — and for team will continue to pursue its innovation the profession itself. agenda, with support from the technology group at Capital One. Love says the tech team is staffing software engineers to support But even without the goal to become an internal audit’s agenda, and she also recently industry beacon for other functions facing recruited the department’s first product transformation challenges, Kyriakakis says manager. “This person has decades of his team would be compelled to modernize experience in banking and has led platform and innovate. He says, “As Capital One development in other lines of business at embraces the 21st-century digital revolution Capital One,” says Love. “With additions that we all experience and live every day, it’s like these to our team, we’re bringing a become clear that we need to rethink how to product mindset to our work, which helps address the risks of a bank building a leading us set up the technology support that will technology company that can thrive in a allow internal audit to consume data from world being revolutionized by software and the business in intelligent ways, ultimately data, and be part of the company’s journey.” through real-time streaming.”
Internal Auditing Around the World® Vol. XV | 19 Internal Auditing Around the World® Vol. XV
Country Road Group and David Jones Influencing Stakeholders via Commercial Insights
Mark Brogan Few companies experience as much change and transfor- Regional Head of mation as we’ve experienced in the past two years. Retail Internal Audit, Australia is an incredibly fast-paced industry, so our internal audit and New Zealand team needs to do everything possible to keep pace and remain relevant.
Country Road Group and David Jones Founded in 1838 by Welsh merchant David organized into a business audit team (led by Jones after he immigrated to Australia, Ian Pigdon) and a retail audit team (led by Peta the eponymous company is the oldest Alexander). The head of internal audit reports continuously operating department store functionally to both the chair of the Country in the world still trading under its original Road Group and David Jones’ audit committee name. David Jones currently operates 45 and the head of internal audit at parent stores in Australia and one store in New company Woolworths Holdings Limited. The Zealand. Country Road Group consists of five audit team’s purpose is to “identify commercial distinctive retail fashion brands — Country value and make a positive difference by Road, Mimco, Politix, Witchery and Trenery proactively focusing on the right outcomes.” — and operates approximately 440 stores The team strives to achieve this objective across Australia and New Zealand. through five approaches:
1. Behaving with integrity
2. Focusing on our customers
Transformation is vital for the team to 3. Communicating with influence remain relevant in the face of all the 4. Supporting each other changes that have taken place over the 5. Continually learning and growing past two years. The team is dedicated to active career management. They enthusiastically point
Since the unification of the two companies, out a number of team member promotions the pace of change has been intense, according and transition opportunities into a diverse to Regional Head of Internal Audit, Australia range of business areas, including retail state and New Zealand, Mark Brogan. “Few area management, risk and compliance, companies experience as much change and retail space planning, central planning and transformation as we’ve experienced in the merchandise, and multisite retail store past two years,” Brogan asserts. “Retail is management. When hiring new auditors, an incredibly fast-paced industry, so our the team places value on culture fit, retail internal audit team needs to do everything experience, technical auditing expertise and possible to keep pace and remain relevant.” effective interpersonal skills.
Since David Jones moved its headquarters Transformation is vital for the team to remain from Sydney to co-locate with the Country relevant in the face of all the changes that Road Group in Melbourne in 2017, David Jones have taken place over the past two years. has implemented new systems relating to The internal audit team’s fiscal constraints e-commerce, merchandising, finance and have led them to be creative when using warehouse operations. Continually improving Excel tools combined with data visualization and enhancing the customer experience techniques when reporting results. The team represents a strategic goal. continues to build data analytics coverage across a number of key business processes, Identifying Commercial Value and this will help generate commercial insights — quantified in financial terms — The internal audit team in Australia and New that drive tangible benefits for the group. Zealand consists of six members who are
Internal Auditing Around the World® Vol. XV | 21 Business Audit Manager, Australia and The internal audit function has used fraud New Zealand, Ian Pigdon, emphasizes analytics software to enhance the commercial that new ways of thinking and interacting insights it shares with Country Road Group with internal audit stakeholders mark an brands. Auditors analyzed transactions of equally important facet of the function’s interest, which include refund transactions, innovative transformation. “In this pressured staff discounts and customer loyalty environment,” Pigdon says, “it is critical that rewards. The team financially quantified internal audit communicates with influence these observations and then presented this and makes recommendations that are information to their senior stakeholders, impactful and drive sustainable changes.” which helped their stakeholders make better, more risk-informed decisions. Providing Insights and Minimizing Stakeholder Surprises
To deliver on its mission to identify value- To deliver on its mission to identify generation opportunities for the business, value-generation opportunities for the internal audit team takes a “commercial, insights-driven approach” in its audit reviews the business, the internal audit team while producing reports that incorporate takes a “commercial, insights-driven data visualization. “We’re acutely aware that approach” in its audit reviews while our senior stakeholders are incredibly time- producing reports that incorporate pressured,” Brogan comments. “Thus, we data visualization. need to communicate our key messages and insights quickly and effectively. A key way to do so is by using quantified examples and In addition to increasing its use of analytics, engaging visuals.” the internal audit team is innovating The business audit team previously sought from a process perspective by borrowing to gain a better understanding of customer certain facets from the agile methodology. pain points arising during the online For example, the audit team issues flash delivery process. The team examined reports — interim updates containing existing data — detailed customer feedback observations that are issued several times provided from a customer contact center, as during the audit review. Business process well as Net Promoter Score (NPS) feedback owners respond to the observations, and (“verbatims”) — and then recommended internal auditors adjust their subsequent improvements that were subsequently work in response to that feedback. Senior implemented to enhance the customer stakeholders understand that each flash experience. Internal audit team members also report is a working draft and that the used financial modeling (on a sample basis) to observations are in the process of being quantify how subsequent customer spending validated. The team notes that these changed following their online shopping reports have helped minimize surprises experiences (correlated to the customers’ while reducing the time needed to finalize NPS verbatims). formal audit reports because business process owners have provided their feedback throughout the course of the review.
Internal Auditing Around the World® Vol. XV | 22 People Drive Improvement Peta Alexander, National Retail Stores Manager (Australia and New Zealand), As valuable as advanced analytics and was responsible for the internal audit innovative processes are in delivering function holding weekly TED Talk Tuesday commercial insights to the business, the sessions during which internal audit team team emphasizes that the human aspects of members take turns sharing a recent TED transformation are even more important — Talk or a thought-provoking article with primarily because internal audit’s credibility, the rest of the team. The team has a strong relationships and influence determine the commitment to knowledge management, extent to which business partners translate sharing information and continuous those commercial insights into tangible improvement. The TED Talks help challenge improvements. Brogan emphasizes that how the team thinks, and they also help “nothing of significance or importance signify why diversity of thought is important is achieved without people.” when communicating with stakeholders.
The team acknowledges that not everyone wants to spend their career in internal audit The TED Talks help challenge how the and thus they are committed to finding talent team thinks, and they also help signify who can come into the team and make a positive impact before springboarding into why diversity of thought is important the business. It is incredibly beneficial to when communicating with stakeholders. have a blend of business audit knowledge (with knowledge of business processes) combined with retail store knowledge. The The majority of senior leaders in the business retail store team has over 30 years of combined have completed a personality profiling tool that retail knowledge and can speak with store helps them better understand their strengths managers about the challenges faced, having and weaknesses when communicating and “walked in their shoes.” interacting with colleagues. Insights gained In summary, the team’s creative, cost-effective from this profiling have helped improve approaches toward analytics and a strong focus how they communicate with their colleagues on communication and relationships are the throughout the organization. In addition, key differentiators when developing effective the internal audit team uses one another as and cost-efficient next-generation capabilities. sounding boards to ensure that they are sharing information, insights and recommendations that will be relevant to their stakeholders. Prior to important meetings with senior stakeholders, internal auditors will share those presentations with their auditor colleagues who challenge their narratives and help strengthen and improve them.
Internal Auditing Around the World® Vol. XV | 23 Internal Auditing Around the World® Vol. XV
Delta Air Lines Process First, Tools Second
Brandi Thomas When people discuss internal audit transformation, they tend Vice President — to focus on the application of new tools and processes to audits. Corporate Audit We also think a lot about innovative staffing. For us, that means considering how to deploy a combination of several different labor types.
Delta Air Lines Delta Air Lines has covered a lot of ground Delivering Delta’s Flight Plan since its humble launch in 1924. Founded as Delta hired Thomas in 2017 to oversee a crop dusting operation, the company has the company’s corporate audit team. The grown into one of the world’s largest global responsibilities of the function — which airlines. Today, it serves close to 200 million consists of 21 full-time auditors and a handful customers annually, ferrying them on 15,000 of co-sourced auditing professionals — daily flights to and from 304 destinations include generating and completing the annual in 52 countries on six continents. Delta’s corporate audit plan and Sarbanes-Oxley approximately 80,000 employees help the (SOX) compliance. Delta’s leadership bio for company maintain and operate more than Thomas also indicates that she is responsible 800 aircraft. As a founding member of the for “fostering world-class technical audit and SkyTeam global airlines alliance created in leadership development training within her 2000, Delta participates in joint ventures group.” Thomas reports administratively to with global partners such as Air France/KLM, Delta’s CFO and on a functional basis to her Alitalia, and Virgin Atlantic. board’s audit committee chair. Prior to joining Delta, Thomas headed, and also built from the ground up, Uber’s internal audit function. Prior Thomas says that she is “relentlessly to that role, she rose through the internal audit and corporate finance ranks at General Electric, focused on developing the leadership Nordson Corporation and Intuit. of the future — diverse teams with One of Thomas’s first moves upon joining contemporary skill sets.” Delta two years ago was to work with her team to create this functional mission statement: Delivering Delta’s Flight Plan — the company’s Like other major carriers, Delta continues to annual strategic goals — through innovative risk adjust to the industry’s overall improvement management and collaborative solutions to add following the severe turbulence the sector value and enhance Delta’s operations. experienced before and throughout the global financial crisis. Delta filed for bankruptcy in A commitment to innovation is evident in 2005 and emerged following a restructuring numerous auditing activities and initiatives, less than two years later, on the cusp of the including applying robotic process automation historic economic downturn. (RPA) to SOX testing, the function’s growing use of data manipulation and visualization “All airlines went through an extraordinarily tools (as well as their work in training other difficult period,” notes Delta Air Lines Vice groups within the company to use these same President — Corporate Audit, Brandi Thomas, tools), the use of hackathons (to identify referring to the waves of bankruptcies, new correlations from existing data), and the restructurings and consolidations that con- function’s staffing model. tinued occurring in the industry through 2013 or so. “A lot of pride and camaraderie exists Thomas says that she is “relentlessly focused throughout Delta as a result of overcoming on developing the leadership of the future such major challenges.” — diverse teams with contemporary skill sets.” To that end, the function’s internal
Internal Auditing Around the World® Vol. XV | 25 training and development activities focus on finance’s digital transformation, “we sort of traditional competencies (e.g., influencing raised our hands and said, ‘We’ve been on and negotiation skills) as well as digital-era a similar journey for a short period of time, capabilities. “We’re equipping our team and we can provide some help,’” Thomas with skills around coding, data aggregation says. “We had already aligned with Power BI, and analysis, visualization, and linking so we realized we could beef up the training audit objectives and findings to strategic material and offer that as a service to other priorities,” notes Thomas. She stresses that groups in the company.” internal audit transformation can be applied Inside the function, internal auditors broadly and that it requires a process-first have applied their data analytics skills to mindset. “I can’t emphasize enough,” sharpening the insights they share with the Thomas continues, “that the technology business and devising more effective ways follows a solid process for its integration into of presenting improvement opportunities auditing methodology.” to their partners. Delta auditors pored over all of their medium- and high-risk auditing findings from the past five years and used their analytics skills and tools to identify new Inside the function, internal auditors correlations. “We combined those insights have applied their data analytics skills and gave the business a barometer that to sharpening the insights they share shows them where they’re improving and with the business and devising more where they may be regressing,” Thomas says. effective ways of presenting improve- “It gives them more actionable insights to respond to.” ment opportunities to their partners. Last year, the auditing team also used a combination of Power BI, internal Transforming Into Analytics Teachers audit management software and a data visualization tool to develop a new dashboard The internal audit team’s recent innovation and that helps the function monitor its work transformation activities include a significant more effectively and efficiently. “Every amount of work related to data analytics. Monday, I get an update that shows the Those efforts begin with what Thomas current status of our risk-closure process,” describes as “foundational” skills develop- Thomas says. “With a quick look, I can see ment. Internal auditors learned how to use what’s open, what issues need follow-up and and/or optimize analytics-related tools and which auditors are addressing those issues.” applications that are deployed across the The function is now working on creating company, including Power BI, Hyperion, and similar dashboards that make extensive use SQL, as well as data visualization tools. This of data visualization for business partners training has helped the internal audit team responsible for operational and fraud risk “build data analytics into our methodology,” and other areas. “We’re really excited about Thomas says. taking large quantities of data and drawing The training proved so effective that it insights that help the business,” says made sense to extend it to other parts of Thomas, who stresses that those insights can the company pursuing similar innovation drive process improvements in addition to and transformation plans. As Delta’s CFO ensuring adherence to policies. began to share plans regarding corporate
Internal Auditing Around the World® Vol. XV | 26 Thomas says she is also excited about Secrets to Transformational Success developing more innovative approaches to As Thomas discusses Delta’s approach to staffing her function. “When people discuss internal audit transformation, particularly as internal audit transformation,” she notes, it relates to data analytics and staffing, she “they tend to focus on the application of stresses the value of several approaches and new tools and processes to audits. We also tactics, including: think a lot about innovative staffing. For us, that means considering how to deploy a •• Addressing a comprehensive set of combination of several different labor types.” considerations: While Thomas advocates These categories include full-time employees the value of new staffing models, she (what she refers to as “on-balance-sheet recognizes that these approaches require labor”), rotational workers (on loan from careful supporting considerations. Her other parts of the company), co-sourced team worked with Delta’s IT function to talent, gig workers, crowdsourced assistance, create a rotational program through which digital labor (e.g., RPA) and freelancers. an IT professional joins the audit team for “When I was with Uber, one of my top 24 months. The on-loan IT expert helps auditors left to raise her children, and we bolster internal audit’s technical expertise missed her tremendously,” Thomas recalls. and then promulgates audit’s risk and “She was skilled in most aspects of the controls mindset upon returning to the profession, and she was also an excellent business. “As we designed the program, storyteller and deck-builder. During our busy we had to address several important season, we would hire her on a freelance basis considerations,” Thomas explains. “For to build decks with us. She was familiar with instance, how can the person working with our process and knew our audience very well. us stay connected with the IT organization? With techniques such as these, we can keep So, we arrange for our IT resources to those in the workforce who choose to focus continue to attend their function’s monthly on family for a bit engaged in the workplace. I performance reviews and meet once a am happy to report that this talented woman month with a VP-level IT mentor. We also is now CAE of a healthcare company after a have an agreement that the person will few years focused on raising her children.” have a guaranteed placement after the two years conclude. I think some rotational programs neglect what life is like after the rotation, and we did not want to do that.” The on-loan IT expert helps bolster inter- •• Putting process before technology: “It’s nal audit’s technical expertise and then very sexy to go to the advanced technology promulgates audit’s risk and controls tools first,” Thomas says. “But we’re mindset upon returning to the business. all about process first, tools second.” Process first means focusing on the underlying methodology and the changes Given the industry’s ever-present cost- that the introduction of new technology constraint challenges, Thomas does not requires. “When you’re engaged in digital expect to ever have a glut of on-balance- transformation, some team members sheet labor on her team. “So, we need to are always down for anything new while find innovative methods of expanding and others are more reticent to change,” contracting our workforce to meet the needs Thomas notes. “You need to focus on of the business,” she adds.
Internal Auditing Around the World® Vol. XV | 27 getting everyone on the same page Thomas and her team rely on other hacks to regarding what the expectations are.” ensure their odds of success, including one that she does not articulate, but certainly •• Leveraging other innovations in the demonstrates: Lead with humility. company: Thomas explains that internal audit “links to various transformation “We’ve made significant progress due to the activities that are happening across the collective effort of an amazing team that business” in an effort to make efficient has been open to change and has gotten on use of existing knowledge, technology board with transformation,” she adds. “I’m and talent. the mouthpiece, but I take no credit for it. I’m really, really impressed by what my •• Assigning full-time responsibility for team has achieved.” pivotal innovations: Getting a full- fledged data analytics capability — within internal audit and most other functions — off the ground is very difficult, Thomas Thomas and her team rely on stresses. That’s why she dedicated one of her team members to leading the other hacks to ensure their odds function’s data analytics group on a full- of success, including one that she time basis. does not articulate, but certainly demonstrates: Lead with humility.
Internal Auditing Around the World® Vol. XV | 28 Internal Auditing Around the World® Vol. XV
Deutsche Telekom Stronger Connections: Internationalizing Internal Audit
Maria Rontogianni Evolving into a next-generation internal audit function is Senior Vice President, a strategic priority for us — as it must be. We can’t hold on Group Audit to our traditional ways. We must modernize and keep pace and Group Risk with change at our company. Governance
Deutsche Telekom Deutsche Telekom AG is one of the world’s ever-higher speeds.1 It is also working to leading integrated telecommunications evolve from being a traditional telephony companies, with approximately 178 million company to becoming “an entirely new kind mobile customers, 28 million fixed-network of service company” that can seize growth lines and 20 million broadband lines. Formerly opportunities in new business areas.2 known as Deutsche Bundespost Telekom, the company is one of three business entities that Ramping Up on Agile Working Methods evolved from Deutsche Bundespost, a state- Deutsche Telekom’s focus on change, and owned postal and telephone service founded in preparing for an increasingly digitized West Germany in 1947 that privatized in 1995. future, impacts all corners of its business, Deutsche Telekom has operated under its including internal audit. “Evolving into a current name since 1995. Based in Bonn, the next-generation internal audit function is a company has grown strategically through strategic priority for us — as it must be,” says acquisitions over the past two decades, and Maria Rontogianni, senior vice president, today operates in more than 50 countries and group audit and group risk governance, at employs more than 200,000 people around Deutsche Telekom. “We can’t hold on to our the world. Deutsche Telekom is a major traditional ways. We must modernize and shareholder in several telecommunications keep pace with change at our company.” companies throughout Europe and in Transformative change at Deutsche Telekom wireless network operator T-Mobile in the includes its recent embrace of agile working United States. Its subsidiary, Frankfurt- methods, including the Scrum method, in based T-Systems, provides global IT and its Telekom IT organization and other areas.3 consulting services, primarily for business- For Rontogianni and her internal audit team, to-business customers. that shift presents challenges. “How do we preserve the control environment in an agile organization?” she asks. “How do we look at Deutsche Telekom’s focus on change, authority, responsibility and accountability as we move from a typical boxed organizational and preparing for an increasingly structure to an agile one, with tribes, chapters digitized future, impacts all corners and squads?” of its business, including internal audit. Another challenge, Rontogianni says, is that the agile method is not a “one size fits all” across different types of service and delivery In anticipation of skyrocketing demand for models. “Deutsche Telekom is a service broadband in the future and the need for organization based on a technology delivery telecom infrastructure that is intelligent model, so how agile and that model merge is enough to open up new business areas to nuanced for all of us — not only for operations entire industries, Deutsche Telekom is but also for internal audit,” she explains. building more efficient networks that can transport ever-greater volumes of data at
1 “Company: At a Glance,” Deutsche Telekom website: www.telekom.com/en/company/at-a-glance. 2 Ibid. 3 “Agile Working at Telekom IT,” Deutsche Telekom website: www.telekom.com/en/careers/our-focus-topics/telekom-it/details/agile-working- at-telekom-it-565952.
Internal Auditing Around the World® Vol. XV | 30 Rontogianni says she is eager to get her team increase the percentage of aligned individual up to speed on agile work methods. “We’re audit plans from 10% to 25%. Now, the team learning about agile right alongside the is working toward 30% to 40% alignment, business,” she says. “I’m also researching according to Rontogianni. She says individual formal training options to see what’s audit plans on the same topic are being available on this topic for internal auditors. executed by 40 mobile auditors working And I’m looking to The Institute of Internal across 14 different companies. Auditors for more insight and watching “It’s a big undertaking,” she says. “It’s what’s happening in the profession and with mind-boggling what we’ve achieved in the our peers across industries.” last 18 months with internationalizing our processes, our system and the mobility of Adopting a More Global Approach to our people across many legal entities and Internal Auditing cultures. It’s a win-win all around for the In addition to gaining a deeper understanding audit department, the stakeholders and the of agile work methods, internal audit’s short- audit committees because we’re now more term goals include solidifying the function’s comprehensive and global in our approach.” internationalization strategy. “This strategy has been a big focus for us for the past two years,” Rontogianni says. “We have so many individually operating companies, especially In addition to gaining a deeper in Europe. Our aim is to internationalize how understanding of agile work methods, internal audit works at Deutsche Telekom — internal audit’s short-term goals from our charter to our tools and to how include solidifying the function’s we operate.” internationalization strategy. Rontogianni, who has been leading Deutsche Telekom’s internal audit function since June 2016, collaborates with a team of about 150 Exploring Options to Go Deeper With internal audit staff who work in locations from Data Analytics South Africa to Seattle, which is T-Mobile’s U.S. Technology plays an important role in sup- home base. “Our internal audit department porting internal audit’s internationalization, is local yet international,” says Rontogianni, according to Rontogianni. “We’re in the adding that Deutsche Telekom’s acquisitions, process of implementing the Teammate or “NatCos” (national companies), have their Plus audit management system, which will own internal audit functions that do not report be our global audit work paper tool. We are formally to the parent company. also using various solutions, like OneNote, “Really, we are one department, even though to support our international communication our governance structures have different and collaboration. It’s quite interesting how reporting lines,” Rontogianni says. “Our things have changed.” long-term strategy is to build on the baseline Rontogianni says internal audit is also now of internationalization that we’ve developed looking at how it can expand its use of data so we can effectively serve a technology analytics. One plan is to modernize the company that is rapidly changing.” Financial Reporting Data Analytics tool, or Over the first two years of internal audit’s FReDA, which internal audit developed five internationalization effort, the goal was to years ago. “It’s a purchase-to-pay auditing
Internal Auditing Around the World® Vol. XV | 31 process,” explains Rontogianni. “We write Rontogianni says that no matter how much SQL queries into SAP and do testing from internal audit work can be automated or purchase orders to payments. Now we’re digitized, internal auditors “still need to thinking about how to develop that further, think, and apply the rules of their market, of maybe extending it to payroll or sales.” their organization, and of proper compliance and governance.” The combination of The internal audit function is also considering technology and human thinking is what will whether to offshore some of its data ultimately create value for the business and analysis as a way to get faster and more drive results. globalized results. “Using offshore data scientists is clearly a cost benefit for us,” “For internal audit, digital transformation is says Rontogianni. “These resources are about how we can utilize information more already doing this work for other parts of the effectively to make more informed decisions. organization, so why not for internal audit? It’s also about preserving the three lines of We’d need to skill up those individuals to defense and supporting a stronger control think like auditors, of course. We also would environment,” she says. “Digitizing and need to consider any potential control issues then letting go is not the endgame for us as with offshoring this work.” internal auditors.”
While internal audit teams around the world are working to transform digitally, Rontogianni notes that not all change Rontogianni says that no matter how needed to meet the challenges of today’s much internal audit work can be rapidly changing business environment automated or digitized, internal auditors is technological. She points to her team’s “still need to think, and apply the rules of internationalization efforts as an example. their market, of their organization, and “What we have accomplished is quite innovative,” she says. “We have succeeded in of proper compliance and governance.” transforming individual local mindsets to one international mindset. It is the foundation for Visualizing a More Holistic Future for how we will operate going forward. And all this Internal Audit was achieved by something very traditional, a positive and healthy ATTITUDE!” As the internal audit function at Deutsche Telekom continues to evolve its processes and practices to meet digital age demands, Rontogianni has a future vision in mind. She sees her team one day providing holistic assurance to the business based on an aligned assurance risk assessment model. She is quick to add that this more holistic process would provide greater assurance to audit committees and drive more impactful management action plans.
Internal Auditing Around the World® Vol. XV | 32 Internal Auditing Around the World® Vol. XV
DriveTime Internal Audit Takes the Wheel on RPA
Erik Rasmussen Our team doesn’t want to be a hindrance to change and Managing Director innovation, but a creative solution provider — a solutions of Internal Audit architect — and a valued business partner.
DriveTime DriveTime is one of the largest used vehicle think one of the beauties of the company is dealership enterprises in the United States, the fact that everyone here has an opportunity with a focus on serving the subprime market. to make a difference every day.” Its business model — developed over the past 25 years — integrates the acquisition, Three Pillars of Focus for DriveTime’s reconditioning and sale of quality used Internal Auditors vehicles and related products with financing Rasmussen has been with DriveTime for almost for its customers. The company uses a 14 years, initially overseeing the company’s proprietary credit-scoring model and point- inventory acquisitions and reconditioning of-sale retail system to provide its customers and warranty work. He spent over a year with vehicle and financing options based on helping to start up SilverRock, a DriveTime their income, down payment, vehicle needs sister company, which primarily sells and and overall affordability. administers ancillary products, such as gap waivers, vehicle global positioning systems (GPS) and vehicle service contracts. In 2016, DriveTime’s work environment is very he transitioned back to DriveTime to lead the internal audit department — a seven-person open and collaborative. team that includes an assistant director, manager, senior auditor and staff auditors.
DriveTime operates 138 dealerships in 27 U.S. According to Rasmussen, the internal audit states, 20 vehicle reconditioning facilities and function at DriveTime structures their work four loan servicing centers. The fast-growing primarily around three areas, or “pillars.” company opened 21 new dealerships in the past The first pillar is compliance. “We’re a large three years alone. For the year ended December participant under the Consumer Financial 31, 2018, DriveTime reported that it had sold Protection Bureau (CFPB) lending rules,” more than 129,000 vehicles and generated says Rasmussen. “So, we have a significant US$3.1 billion of total revenue. DriveTime’s compliance function, and our team provides sister company, Bridgecrest Acceptance the third line of defense.” Corporation, directs the company’s financing The other two pillars of focus are DriveTime’s and loan servicing operations. decentralized field operations — its dealerships
“DriveTime is a complex business,” says Erik and vehicle inspection centers — and its Rasmussen, managing director of internal business process management group, “which audit. “We often think of the company in includes any centralized function, high-risk different divisions: inventory, retail, ancillary area or hot topic (auditable entity) we might products and finance. But we’re highly engage in,” Rasmussen says. integrated, and we work together.” DriveTime’s team uses ACL GRC software to
DriveTime’s work environment is very open help manage audit projects and Microsoft and collaborative, according to Rasmussen. programs like Excel and Visio for performing “We are a flat organization,” he says. “No day-to-day work. They also need to work with one in the company, not even the CEO, has the SQL programming language. “We’re a very an office — just a workstation. There are no data-driven organization,” says Rasmussen. doors to open. Anyone in the organization can “We use SQL and macros to develop and write provide ideas, and work with their team and various audit procedures. We’re now doing a management group to foster those ideas. I bit of continuous monitoring, as well. We’ve
Internal Auditing Around the World® Vol. XV | 34 designed a lot of our operations so that we can Recently, Rasmussen and his team stepped use technology and leverage data from our up to help DriveTime develop and pilot previous work instead of starting from scratch robotic process automation (RPA). on every project.” “We’re spearheading RPA for the whole When the internal audit team wants to dig company,” Rasmussen says. “That may seem deeper on data, they turn to DriveTime’s a bit weird to some people, who might think, data analytics group for help with generating ‘Why is internal audit kicking off a process for reports or building data views. Rasmussen automating business operations?’ But if you says, “I’ve thought about embedding a data look at our staff and our core competencies, specialist within our team, but I haven’t done you can see we’re a natural fit. When you it because I think it benefits our work to have implement RPA, you need to look across the access to multiple data scientists and analysts organization, at business operations, workflow who can help us better understand what’s and processes. That’s exactly what internal happening throughout a complex company.” audit does. And we problem-solve. Our ability to think critically, and our natural curiosity, let Internal Audit — a “Natural Fit” to us peel back the layers on how to stand up an Spearhead RPA RPA group.”
When DriveTime is looking to do something new, whether it’s rolling out a product, launching a division or implementing When DriveTime is looking to do technology, internal audit is invited to join something new, whether it’s rolling the discussion, according to Rasmussen. “We’re at the table,” he says. “Sometimes, out a product, launching a division we have a good role to play and say, ‘We can or implementing technology, internal help you.’ Other times we say, ‘We’re not a audit is invited to join the discussion. good fit for that.’ I think knowing when to raise our hand and when to step back helps our team to earn respect in the organization.” On the Lookout for More Automation Opportunities He adds, “I think internal auditors, in general, need to be careful not to come across as ‘no’ DriveTime enlisted help from an external people — no, you can’t do this, and no, you resource for the technical development can’t do that. If we do, we won’t be invited aspects of RPA, like coding. Since late 2018, to the table. Our team doesn’t want to be when the RPA project was first launched, a hindrance to change and innovation, but the company has deployed three robots, a creative solution provider — a solutions or “bots,” which are still in production. architect — and a valued business partner.” “They’re operating, and the business has now taken ownership of them — including The emphasis on collaboration at DriveTime the responsibility for their operation and helps the company’s internal auditors design,” says Rasmussen. “Our team just to foster strong working relationships helped to get everything started.” with other business groups and earn their trust. That, in turn, creates opportunities Rasmussen says he’d like to see his team help for the internal audit department to help DriveTime develop at least another dozen bots the organization break new ground in its by the end of 2019. In the future, he expects operations, including with technology. the company will have a designated team or
Internal Auditing Around the World® Vol. XV | 35 division responsible for overseeing the creation Adaptability: An Essential Quality for of more bots and the business development and Next-Gen Internal Auditors strategy behind them. “It was never the idea to While the internal audit department have internal audit be the long-term business at DriveTime is playing a pivotal role operator of RPA,” he says. in introducing RPA into the business, Even though internal audit is deeply involved Rasmussen says they are by no means the with deploying RPA at DriveTime, Rasmussen sole innovator at the company. “We have says he’s not sure if the technology is a good more than a hundred IT staff members fit for his department — at least, not yet. “RPA innovating all sorts of new ways for how benefits highly routine, standardized functions we go to market. I think our team and what in our organization, like vehicle acquisition. we’ve been doing with RPA are just examples But the internal audit department is pretty of DriveTime’s culture of innovation.” dynamic. Maybe in the future, we might be able Rasmussen attributes the diversity of his to use RPA for routine, compliance-type work, team to the function’s ability to maintain but I don’t see it solving problems for our team an innovative mindset. He explains, “I right now.” love hiring internal auditors with diverse backgrounds because they think about things differently. For example, I hired Thinking about the skill sets that someone with a political science degree, who turned out to be a great auditor because of internal auditors will need in the future, outstanding problem-solving skills.” Rasmussen says he believes adaptability, Thinking about the skill sets that internal along with interpersonal savvy and auditors will need in the future, Rasmussen intellectual curiosity, will be more says he believes adaptability, along with valuable than many technical skills. interpersonal savvy and intellectual curiosity, will be more valuable than many technical skills. “I’m a big believer in hiring smart, Rasmussen says he sees the opportunity for dynamic people who can adapt to change,” he DriveTime’s internal audit team to automate says. “Evolving your skills for the future isn’t tasks through different uses of SQL or just about learning this or that technology sophisticated macros — and perhaps pass because, whatever the technology is today, it on new, technology-driven best practices to will be something different tomorrow.” the business. “We’re always thinking about how we can make technology work for us, and also, what we can do to help and educate other groups,” says Rasmussen. “For example, we’ve made a commitment to our general counsel that, as we work on third-line audits this year, we’ll explore how we can help the business automate the process for these recurring audits.”
Internal Auditing Around the World® Vol. XV | 36 Internal Auditing Around the World® Vol. XV
Fidelity Investments From Goodness to Greatness: Going All-In on Agile Auditing
Jeffrey Jarczyk Applying agile methodology to internal audit may be novel, Executive Vice but technology and business functions have been using agile President and successfully for more than 20 years. ... We became intrigued Chief Auditor by that long-term success and thought, ‘Why can’t we do that?’
Fidelity Investments Fidelity describes its mission as inspiring his team continually scan the horizon for new “better futures” and delivering “better opportunities to innovate. “Our thinking,” he outcomes for the customers and businesses” says, “is that if we’re going to continue to be it serves. With assets under administration of relevant to the business while maintaining a US$7.4 trillion, including managed assets of leading position as an internal audit function, US$2.7 trillion (as of March 31, 2019), Fidelity we need to have some people whose job helps an estimated 30 million people invest it is to scan the marketplace and look for their savings and 22,000 businesses manage emerging technologies that we can bring to employee benefit programs. The company bear on our work.” also provides more than 13,500 financial As is the case in most other companies, keeping advisory firms with investment and technology internal audit relevant can be challenging solutions they rely on to invest their clients’ given the rest of the organization’s ongoing money. Privately held for more than 70 years, innovation and transformation activities. Fidelity employs more than 40,000 associates. Fidelity has been a leader in the financial services business and is constantly seeking to innovate in terms of products and services and its internal operations and technologies. The internal audit function’s interest Several years ago, the company started in pursuing agile auditing resulted in expanding its adoption of agile methodology, the formation of an Agile Auditing and now agile practices are being rolled out and Center of Excellence (COE) within the refined across a growing number of business group’s structure, which is purposefully units throughout the organization. While the internal audit function deploys a wide range designed to support the transformation. of next-generation auditing technologies and approaches, Jarczyk and his senior auditors spotted a prime opportunity to “draft behind” Fidelity Executive Vice President and Chief its business partners’ adoption of agile. Auditor Jeffrey Jarczyk leads a 155-employee- strong internal audit function that has Scanning the Horizon developed an innovative blend of structural, procedural and technological mechanisms The internal audit function’s interest in designed to continually improve future auditing pursuing agile auditing resulted in the activities while assisting the business in formation of an Agile Auditing Center making good on its mission of bettering the of Excellence (COE) within the group’s futures of its many customers. He points to the structure, which is purposefully designed company’s heritage, privately held status and to support the transformation and is long-term focus as valuable differentiators. staffed with a combination of tenured agile coaches and veteran auditors with deep “The notion of doing right by the customer organizational knowledge. through our long-term orientation permeates the entire organization,” Jarczyk says. The Jarczyk reports functionally to the chair of mindset certainly flourishes in the internal Fidelity’s audit committee; administratively, audit function. Despite earning a leading- he reports to the head of Fidelity Enterprise edge reputation thanks to their early Risk Management, a group that oversees adoption of data analytics and other next- security, risk and compliance-related functions generation auditing techniques, Jarczyk and throughout the company. The internal audit
Internal Auditing Around the World® Vol. XV | 38 function is organized into four business-audit at Spotify. The internal audit function’s groups that align with the company’s primary Innovation Team had been considering business lines and its information technology applying agile, and the business adoption of (IT) function’s activities. the methodology clinched it.
A fifth audit group, the Innovation and “Applying agile methodology to internal audit Enablement team, is responsible for the may be novel,” Jarczyk notes, “but technology agile audit COE, audit operations, centralized and business functions have been using agile planning, management reporting, and the successfully for more than 20 years. ... We function’s recruiting and development became intrigued by that long-term success activities. This group, led by Audit Vice and thought, ‘Why can’t we do that?’” President, Innovation and Enablement, Christine Meuse, also drives audit innovation. An innovation team within the group is charged with “looking at the horizon, anticipating how The team has had an internship and we can stay on the leading edge and helping co-op program for 15 years and has to decide where we want to go next,” Meuse established strong partnerships with explains. “Right now, we’re looking at some colleges and universities. design-thinking principles that dovetail nicely with our agile auditing approach. We’re also partnering with internal and external parties in The function’s agile auditing pitch to the AI and machine learning space.” business partners was straightforward: We The innovation team also helped identify can conduct the same auditing work in less time. opportunities to automate more of the testing In exchange for reducing time and related of the organization’s information security disruptions, internal audit made several perimeter as the company shifts more asks of business partners who participated applications and systems to the public cloud. in the initial round of agile audits. “We While advanced technology and methodologies let them know the process would be more are manifestations of the innovation Jarczyk intense on their side,” recalls Jarczyk, who and Meuse want to foster in their function, also explained that agile auditors would the two executives also point to their long- need information and data requests to be running college program as a crucial enabler fulfilled in a more timely manner than they of innovation. The team has had an internship had in the past and that the team would want and co-op program for 15 years and has senior leaders from each business area to be established strong partnerships with colleges available every two weeks to discuss a status and universities. Meuse says that the digitally report. “In exchange for that commitment,” native interns and college hires help “instill an Jarczyk continues, “we said: ‘We’ll get out of innovative mindset across our department.” your hair sooner; it’ll be a completely transparent process, and there won’t be any surprises by the A Straightforward Sales Pitch time we get to the reporting because you’ll have been along for the journey.’” The team piloted In 2017, several thousand employees across the approach with five teams to test the many different business groups in Fidelity’s methodology and gather customer feedback. Personal Investing business line began using agile based on the model originally deployed
Internal Auditing Around the World® Vol. XV | 39 In accordance with one of the foundational Keep Calm and Stay Agile elements of agile methodology, Fidelity’s Through four successive waves beginning auditors work together on a team of five to in the third quarter of 2018, the audit team six associates over a designated period (in extended the agile methodology across this case, for nine months) to improve their the entire function by the end of the first work and collaboration continually. The work quarter of 2019. “We now have the entire consists of a succession of two-week sprints, department working in an agile way,” each of which is immediately followed by an Jarczyk says. information-sharing session with leaders of the business group being audited. The insights The benefits sound impressive, but the generated during those give-and-take sessions learnings gained from the agile audits are applied to improve the direction and quality conducted are equally valuable, Jarczyk and of each subsequent two-week sprint. While Meuse emphasize, because they point the way internal audit remains accountable for the to many more improvements and additional opinions and perspectives expressed in the benefits. “We continue to learn and adapt final reports it issues, those findings contain our approach based on feedback from our no surprises for the business partners being associates, coaches and stakeholders, which subjected to the audit because they’ve been is consistent with the principles of agile, and involved all along. “It’s just a much more expect to continue to evolve the process for the collaborative way of getting there,” says foreseeable future,” Meuse says. They note Jarczyk, “and that’s been a huge plus.” that key tenets of the transformation, such as servant leadership and success as a team versus the individual, are mindset shifts that take time to fully take hold and maximize the The benefits sound impressive, but the benefits of this way of working.
learnings gained from the agile audits Under the agile approach, the duration of conducted are equally valuable, Jarczyk individual audits has decreased substantially, and Meuse emphasize, because they according to Jarczyk. He and Meuse also point the way to many more improve- report that the more collaborative and client- centric nature of more frequent agile auditing ments and additional benefits. interactions have elevated trust between the business and internal audit to a new level. The acquisition of agile auditing skills has After completing the pilots, internal audit also delivered career development benefits leaders assessed the work, discussed what throughout the function. “It’s an opportunity was learned and then asked, “Do we feel like to re-energize our auditors, who can now this is something that we really want to lean practice the craft in a completely different into and scale across the department?” The way,” Jarczyk notes, while adding that the resounding answer was yes, Meuse reports. experience has had its share of bumps, as “And we certainly found things that we needed most major change efforts do. “I’m not to improve on and iterate, which is what agile is saying that this has been easy and that we all about — learning and iteration.” don’t still have a lot of work to do, but the net result has been positive, both for our clients and associates.”
Internal Auditing Around the World® Vol. XV | 40 Some of that work includes identifying new As new KPIs are developed, performance key performance indicators (KPIs) because management parameters and links to rewards metrics associated with traditional auditing will need to be changed in kind. Jarczyk has approaches, such as productivity and report recalibrated how he values the contributions volumes, are less relevant to agile auditing of the agile coaches he brought on board. “In success. “In addition to adjusting how we hindsight,” he notes, “we probably should measure overall department output and have doubled the number of coaches we productivity, we know that we need a new hired because they play such a pivotal role in set of metrics that reflect the fact that agile helping people transition to this new way of is highly team-specific in nature,” Meuse working.” During the heat of that transition, says. “Each team will be measuring its own the function distributed “Keep Calm and goodness, so to speak, in terms of how it Stay Agile” buttons to internal auditors improves the way members work together. to acknowledge the discomfort involved Each team wants to evaluate how it is in the major change while conveying that increasing the velocity of that improvement this temporary discomfort is a sign that the over time.” transition to agile auditing is working.
That turned out to be the case, and then some. Fidelity and its internal audit team remain absolutely committed to staying agile As new KPIs are developed, perfor- and reaping the growing benefits of doing so. mance management parameters and links to rewards will need to be changed in kind. Jarczyk has recalibrated how he values the contributions of the agile coaches he brought on board.
Internal Auditing Around the World® Vol. XV | 41 Internal Auditing Around the World® Vol. XV
The Jardine Matheson Group Creating Future Value Through Innovation
Linda Chan It’s good for internal audit to understand what’s in Jardines’ Head of Group Audit IT portfolio, including shadow IT. So, if something does and Risk Management go wrong, like a data breach, we can quickly get relevant, precise advice to safeguard the Group’s economic value — or help build it back up again.
The Jardine Matheson Group The Jardine Matheson Group (Jardines) Reducing Manual Processes and began as a trading business in the Chinese Developing New Ideas port city of Canton — now Guangzhou. The GARM team’s primary objective is “to The company, which was founded by Scots protect the economic value” of the Group, William Jardine and James Matheson in 1832, according to Chan. “That’s the main reason later became one of the first foreign-owned why the internal audit team is here — to trading houses, or “Hongs,” in the former safeguard the future value of the business,” British colony of Hong Kong. In the 1980s, she says. “We work with the business to do Jardines incorporated in Bermuda and kept that, and we are making a difference.” its headquarters in the Jardine House office tower in Hong Kong. The Keswick family, Safeguarding the future value of Jardines descendants of Jardines’ founders, manages includes supporting the business in its efforts the company today. to modernize and innovate operationally. Chan says when she first came to Hong Kong Jardines generated more than US$92 three years ago to work at Jardines, she was billion in gross revenue and US$1.7 billion surprised to find the company was still using in underlying profit in 2018. The Group some “old-fashioned” technology like fax has interests in diverse businesses that machines. “I hadn’t seen a fax machine for at operate primarily in Greater China and least five years before that,” she says. “There Southeast Asia in industries ranging from wasn’t a lot of automation here, either. For financial services and agribusiness to example, expense reporting was still very home furnishings and heavy equipment. much a paper-based process.” International hotel and investment management group, Mandarin Oriental That process, along with many others, has Hotel Group, and Astra, Southeast Asia’s since been modernized, according to Chan. largest independent automotive group and a She says, “Fortunately, our Chairman and diversified conglomerate based in Indonesia, Managing Director saw that the business are among the Group’s many subsidiaries. needed to update its technology and move away from some of its manual processes. Linda Chan is the head of Group Audit and So, he introduced a big initiative for Risk Management (GARM) at Jardines, where innovation — ‘Innovate Jardines.’ People are she oversees a team of 30 auditors. Chan has encouraged to submit their ideas that create an extensive background in internal audit and opportunities for business development — risk management, and her previous positions developing them first by working in sprints1 include director of audit and risk for Dentsu and then presenting them for approval. There Aegis Network, the largest advertising agency are over 40 ideas that either have gone live or in Asia. Chan says, “They have traditionally are in production right now.” rotated people from within the Group into this role at Jardines. But management wanted Chan says the program is having a positive to try something different and bring in impact at the Group because “it’s made people someone from outside the Group. So, they realize that innovation is a good thing.” One hired a recruiter and found me.” downside of the widening embrace of new technology, however, has been the rise of “shadow IT” at the company — cloud-based
1 Sprint planning is an event in the Scrum framework where the team determines the product backlog items they will work on during that sprint and discusses their initial plan for completing those product backlog items. Agile Alliance: www.agilealliance.org/glossary/sprint-planning.
Internal Auditing Around the World® Vol. XV | 43 technology applications and tools that anymore,” says Chan. “So, we always need to individual employees and teams adopt without think about how we might have to reconsider needing to consult IT. Employees proactively our audit approach so that it stays relevant.” embracing new technologies that enhance their collaboration and productivity can help Moving to a New Audit Management to make the company more agile and drive System technological change in the organization. But Innovation and new technology adoption these projects can also create security risks, are happening within the internal audit posing additional challenges to internal audit. function at Jardines as well. For example, “It’s good for internal audit to understand the department recently implemented an what’s in Jardines’ IT portfolio, including advanced audit management system. Chan shadow IT,” says Chan. “So, if something says her group is among the first in Asia to does go wrong, like a data breach, we can implement the latest version of this solution. quickly get relevant, precise advice to “I wanted to implement a system that would safeguard the Group’s economic value — drive people to think about risks first when or help build it back up again.” they do their audit planning. If they know the risks, then they know they will be looking at the right things,” she says. “We were using electronic audit files before, but we often got Employees proactively embracing feedback from the business, like, ‘This is the new technologies ... can help to same thing you did last year.’” make the company more agile and Chan says she would like the GARM team drive technological change in the to employ more data analytics in their work organization. But these projects can in the future — and they are eager to do it. also create security risks, posing “My team is already thinking about how to additional challenges to internal audit. incorporate data analytics into their audit planning,” she says. “Some of the audit projects we did last year for the business involved data analytics, and that whet Chan closely monitors the shadow IT issue everyone’s appetite because they saw the through both internal audit and IT lenses. benefits. I had auditors telling me afterward, Jardines does not have a Group IT director, ‘We should use data analytics more.’” so a lot of responsibility for overseeing IT initiatives — and assessing the risks of those Chan is making sure her team receives the projects — falls to Chan. The GARM team also appropriate training in data analytics. “They includes seven IT auditors. That may seem are all CPAs from large auditing firms with like a high number, but Chan says she likes a numbers background, so learning more to snap up these in-demand professionals about data analytics appeals to them. What’s whenever she can. “I tell my team, ‘If you even better is that the technology is more know of a good IT auditor, send them to me. sophisticated today, so it’s easier for people I’ll probably hire them.’” to use. I don’t hear my team saying, ‘Well, I think this is going to be too difficult.’” Another question for the GARM team at Jardines is how to audit new technologies One logistical challenge that stands in the appropriately. “When something changes, way of the GARM team taking their data the way that we audit might not be relevant analytics use to the next level is the Group’s
Internal Auditing Around the World® Vol. XV | 44 disparate systems. “To do data analytics well, a difference, and who question what we do you need to have some standardization of — in a nice way, of course,” she says. “And I systems,” says Chan. “We don’t have that look for people who have the drive and ability yet, though it is gradually evolving.” to innovate and grow.”
After Chan settled into her role at Jardines, Witnessing an Evolution in Internal Audit she started thinking more about the skills For the past 25 years that Chan has worked in that the GARM team would need to succeed internal audit, she’s seen a lot of changes in in the future. “The Group had a competency the profession. “I think the role of the internal model, but it was outdated,” she says. “So, auditor is much more highly valued today than on a flight from Hong Kong to Jakarta, I it was in the mid-1990s,” she explains. “I got brainstormed all the key attributes that I into the profession at a time when internal thought a good auditor should have, including audit was really starting to take off, and things technical skills and interpersonal skills.” started to change for the better.”
The higher visibility of the internal audit function at Jardines, its increasing role as The higher visibility of the internal a strategic partner to the business, and audit function at Jardines, its its involvement in technology and other innovative projects for the Group, help to increasing role as a strategic partner make GARM a talent magnet, according to to the business, and its involvement Chan. “I’m very lucky because Jardines is a in technology and other innovative very big organization in Hong Kong, and most projects for the Group, help to make people here have heard of us,” she says. “And GARM a talent magnet. worldwide, the Group has more than 450,000 employees. So, we have no problem attracting good people to our team from inside and Communication skills and independent outside of the business.” thinking topped the list of interpersonal The dilemma for Chan is that she can’t keep abilities Chan outlined, and she says she talent for long because of Jardines’ mandatory is focused on helping her team members rollout model. “As one of my colleagues said improve in those areas. to me, ‘No one ever retires from internal “In Hong Kong and Asia, people are very audit,’” she says. “People spend about three respectful of hierarchy and therefore tend years with us, and then they rotate out to to do what they are told to do — even if it’s other roles in the business. That’s a good not the right thing,” she explains. “So, I thing for the Group. But it’s quite challenging encourage my team to speak up more often to keep my team’s skills up to date because and think for themselves. Our chief financial we’re constantly bringing in new people who officer has also advised that I tell them to aren’t experienced in internal audit.” do these things. I know it is challenging Regardless of the rollout model, Chan says for them, but it will help them not only to she always recruits new people for her team be more effective auditors but also more with an eye toward the next generation of successful in the business when they rotate internal audit at Jardines. “I want auditors into roles in our group companies.” who are quite ambitious, who want to make
Internal Auditing Around the World® Vol. XV | 45 Internal Auditing Around the World® Vol. XV
Mitsubishi UFJ Financial Group (MUFG) Global Audit Transformation Unlocks Value
Katsunori Yokomaku We have very strong audit functions around the world. Executive Officer, Through transformation, we’re establishing the vertical Managing Director, alignment we need to unlock all of that value. Head of Internal Audit
Mitsubishi UFJ Financial Group (MUFG) Tokyo-based Mitsubishi UFJ Financial Dozens of other major changes to processes, Group, Inc. (MUFG) ranks among the technology and teams are also occurring as world’s largest global financial services part of the MTBP and MUFG Re-Imagining organizations with over 180,000 employees Strategy, which is scheduled to take place in more than 50 countries. The company’s through 2023. Digital transformation features numerous subsidiaries and operating prominently among these improvements. entities serve customers in Japan (home Most, if not all, of the changes occurring office); the Asia-Pacific region; the Europe, under MUFG’s transformation are designed Middle East and Africa (EMEA) region; and to foster greater collaboration, information- the Americas region. Historically, each of sharing and consistency (captured in the those four regions (including the home company’s “ONE MUFG” slogan) throughout office) has been supported by its regional the global enterprise. “We’re confident that internal audit function. we will be able to execute this strategy despite a rapidly changing external environment Under a three-year, medium-term business in many of our regions,” notes Katsunori plan (MTBP), MUFG is adopting a more Yokomaku, Executive Officer, Managing integrated and unified management approach Director, and Head of Internal Audit for MUFG across all regions while transforming all of and MUFG Bank. its business operations according to its core principles: (a) customers define the business segments; (b) customers come first when MUFG determines how to allocate resources; Most, if not all, of the changes occur- and (c) strategic priorities remain focused on high-potential sectors by integrating related ring under MUFG’s transformation are and relevant operations. designed to foster greater collaboration,
Structural changes play a central role in information-sharing and consistency enabling this enterprisewide transformation. (captured in the company’s “ONE MUFG” MUFG was traditionally organized into three slogan) throughout the global enterprise. primary businesses: MUFG Bank, Mitsubishi UFJ Securities, and Mitsubishi UFJ Trust Bank. As part of the MTBP’s emphasis on From Problem Finder to Trusted Adviser integration, several new business groups are Yokomaku leads global auditing and ongoing being created. These business groups, whose monitoring activities for reporting to the activities will cut across the three primary MUFG Audit Committee and the Audit and businesses and across geographies include: Supervisory Committee of MUFG Bank. •• Retail and commercial banking He also leads global audit initiatives with his global leadership team, which includes •• Japanese corporate and investment Denise DeMaio, Chief Audit Executive for the banking Americas; James O’Shea, Head of the EMEA • • Global corporate and investment banking Internal Audit Office; and Andre Painchaud, •• Global commercial banking Head of the Asia Internal Audit Office. The MUFG Group has around 1,200 internal •• Asset management and investor services auditors working for the Group globally. •• Global markets
Internal Auditing Around the World® Vol. XV | 47 “The most notable challenge our internal A “Complex” Transformation audit functions face is to continue to provide The “global audit transformation (GAT)” that effective assurance services and coverage MUFG has begun qualifies as “complex,” across legal entities, business groups and according to Yokomaku. The size and global countries while the organization continues reach of MUFG marks one source of that to integrate and globalize,” Yokomaku says. complexity. Consistent approaches must He explains that internal audit must keep be established across numerous cultures, pace with the transformation of the business languages and business practices. while conducting its own transformation to maintain an effective coverage model. “This is a significant challenge,” he adds, “and one that requires a change management effort on As is the case with MUFG’s business a massive scale.” transformation, the purpose of internal Yokomaku also notes that one of the audit’s transformation is to operate in a overarching objectives of internal audit’s longer-term transformation within MUFG more collaborative and unified manner is to transition from operating as a problem across all global regions. finder (as it did in the past), to behaving as an assurance provider and problem solver (as it has accomplished more recently), to becoming The GAT plan calls for changes to harmonize an insight-generator and trusted adviser. and converge business policies, processes, “We have very strong audit functions around talent management practices, organizational the world. Through transformation, we’re alignment, management and stakeholder establishing the vertical alignment we need to reporting, audit methodologies, and support- unlock all of that value,” Yokomaku says. ing systems and data. The GAT timeline is aligned with the company’s overall business As is the case with MUFG’s business transformation timeline. The plan’s multi- transformation, the purpose of internal phased approach is designed to initially lay audit’s transformation is to operate in a a foundation for the move to a fully global more collaborative and unified manner function before implementing the unified set across all global regions. This will foster of methodologies, reporting mechanisms and a more effective and efficient sharing of supporting technologies. This year, for exam- leading-edge internal auditing practices and ple, some types of audits will be conducted technologies, according to Yokomaku. This is in a unified manner around the world. These easier said than done, of course. Since MUFG global audit areas include financial crimes, took its current structural form in 2005, the global systems, Sarbanes-Oxley, market operation of (and governance over) individual conduct, etc. Next year, the plan is for all business entities has been emphasized audits conducted in all regions to follow the over a more centralized operational and same methodology with limited exceptions. governance model. This has been the case for how internal audit operates as well. Moving toward a more centralized model, Yokomaku continues, requires “a change in mindset.”
Internal Auditing Around the World® Vol. XV | 48 It is important to note that the leading prac- so that they can simultaneously gain tices concerning auditing methodologies auditing experience and amass industry and and supporting technology already exist organizational knowledge. To that end, MUFG within MUFG’s globally dispersed internal is also considering the use of internal audit audit organization. For example, internal exchange programs through which internal auditors in select regions are using data auditors in one of the company’s regions join a analytics techniques, and the home office is different region’s internal audit function on a using artificial intelligence (AI) technology temporary basis to facilitate practices sharing to embed efficiency and effectiveness in the and support the “ONE MUFG” objective. document review process. The purpose of GAT is to ensure that these types of leading practices become standard operating proce- dure throughout all global auditing divisions. The internal audit function is currently
These practices extend well beyond assessing ways to improve its talent technology. The internal audit function management processes so it can is currently assessing ways to improve its expand its future supply of senior- talent management processes so it can level internal auditors. expand its future supply of senior-level internal auditors. Yokomaku and his team are discussing with MUFG’s human resources The MUFG GAT program is designed to (HR) function new ways to expose early- achieve standardization, consistency and career professionals to internal auditing efficiency. “Being able to provide a common expertise, methodologies and technologies audit perspective, assessment and opinion through rotational assignments. Moreover, on a global basis is an innovation — one that the internal audit function plans to increase requires a major transformation at a company its hiring of external talent, especially of our size and global reach,” says Yokomaku. those in the early stages of their careers,
Internal Auditing Around the World® Vol. XV | 49 Internal Auditing Around the World® Vol. XV
NTT Communications Enablers of Digital Transformation
Masakazu Inori There has been a significant increase in consulting requests from Communications other internal departments. They are asking internal auditing to Team Leader of identify and provide guidance on risk management improvements Legal Affairs and and also to access our knowledge and experiences related to digital Internal Auditing transformation.
NTT Communications Established in 1999, NTT Communications “Our goal is to help our customers achieve is a wholly owned subsidiary of Tokyo- new business creation and business process based Nippon Telegraph and Telephone innovation by equipping them with new Corporation (NTT), one of the largest findings and forecasts derived from their telecommunications companies in the collections of big data,” explains NTT world. Also headquartered in Tokyo, NTT Communications Team Leader of Legal Communications provides consultancy, Affairs and Internal Auditing Masakazu Inori. architecture, security and cloud services to In support of NTT Communications’ internal help enterprises worldwide optimize their DX endeavor, the internal audit function also information and communications technology operates as a “DX EnablerTM” for the rest of environments. The company, which has the business. more than 20,000 employees worldwide, operates subsidiaries and offices in more than 110 cities throughout 40-plus countries and regions. As of the end of March 2019, The company’s new trademarked NTT Communications’ operating revenue tagline, “DX EnablerTM,” refers to its goal was approximately JP¥1.4 trillion (roughly of changing the world through digital US$12.7 billion). technology. As NTT Communications approaches its 20th anniversary in July, it is celebrating its lengthy track record of innovation. While the company A Two-Pronged Approach to has clearly made good on its original mandate Transformation to “Change Communications” — the tagline The internal audit function’s 17 full-time under which the company launched in 1999 — employees operate on three teams: internal it continues to embrace transformation and audit, Sarbanes-Oxley (SOX) compliance (NTT innovation. The company’s new trademarked Communications’ holding company, NTT, is tagline, “DX EnablerTM,” refers to its goal listed on the Tokyo Stock Exchange) and audit of changing the world through digital planning. Inori currently serves as the leader technology (“DX” is shorthand for “digital of both the SOX audit team and the audit transformation”). planning team, although that structure will In a message posted on his company’s soon change. “To further improve the skills website, NTT Communications President of the auditors, we are working to integrate and CEO Tetsuya Shoji explains that the the internal audit team and the SOX audit organization is helping clients achieve team,” Inori explains. “Each team manager their digital transformation goals as it will be responsible for the work of the other simultaneously pursues its own internal DX team as well.” objectives. To assist customers with their Internal audit’s mission, Inori notes, is to DX goals and efforts, NTT Communications minimize companywide risks and to increase provides services supported by advanced corporate value through the compliance technologies, such as artificial intelligence and efficiency of business activities. The (AI), the Internet of Things (IoT) and more, as function’s short-term goal is to deliver well as infrastructure services (e.g., networks objective assurance on the effectiveness and data centers) that enable and promote of internal controls, identify issues based data utilization.
Internal Auditing Around the World® Vol. XV | 51 on root-cause analysis, and support the increased. Internal auditors have used robotic resolution of any controls-related problems process automation (RPA) to collect and throughout the organization. The function’s cleanse expense data from spreadsheets long-term goal, Inori notes, is to operate as “a and then load the data into a database trusted adviser that provides strategic advice where it can be analyzed via ACL Analytics that has high value for business activities.” software. Part of the reason his team has undergone AI training, Inori notes, is so that Mirroring the company’s two-pronged the function can evaluate how and where to approach to digital transformation, the deploy AI tools to strengthen its assurance internal audit function strives to operate work. The function also uses Tableau’s data as a “DX EnablerTM” by supporting digital visualization tool and R, a programming transformation efforts performed by its language designed for data mining. internal customers throughout the enterprise while simultaneously pursuing internal Inori notes that the data visualization tools audit transformation. Auditing analytics “are particularly important” because they and a move to a more risk-based auditing equip management and employees with a methodology represent two of the function’s more precise and lucid understanding of risks primary transformation focal points. in their areas, which in turn strengthens their ability to manage and mitigate those risks Continuous learning represents a related on their own. All of these tools are used to functional priority. “In addition to acquiring strengthen auditing activities. various audit know-how through operations, we are actively encouraging our internal When examining labor compliance, the auditors to participate in various internal internal audit team analyzes working time and external training, obtain professional data, as well as entry and exit history data, to certifications, and exchange opinions assess risks related to compliance with Japan’s with people from other companies’ audit Labor Standards Act. Internal audit applies departments,” says Inori. His team is also similar analyses to other (complete) data sets learning about AI and its applications. to assess expense spending for any anomalies. Inori reports that these techniques deliver The “Awareness Effect” and numerous benefits, such as: Other CAAT Benefits •• Exhaustiveness: By scrutinizing all of the The internal audit function deploys a range data, unaudited risks are eliminated. of advanced technology to serve as a “DX •• Fairness: There is no room for arbitrary TM Enabler ” to the business and to advance the judgment or sampling errors because the function’s own digital transformation. Most of data is obtained directly from the system. these tools enable internal auditors to derive, •• Objectivity: Any human bias related to and more effectively communicate, new data extraction and comparison decisions insights by analyzing larger collections of data. is eliminated. The function began applying computer- •• An “awareness effect”: As the entire assisted auditing techniques (CAATs) and company becomes more familiar with tools to audits in the labor compliance areas internal audit’s ability to analyze complete in June 2017. Since then, the function’s data populations, that knowledge produces use of advanced technologies, especially a deterrent effect against fraud. those related to data analytics, has steadily
Internal Auditing Around the World® Vol. XV | 52 The success of these analytics-enhanced •• Concerns regarding the domestic audits has stimulated demand for internal subsidiaries, according to audit and audit’s consulting offerings. “There has been supervisory members a significant increase in consulting requests •• A wide range of compliance-related from other internal departments,” Inori information notes. “They are asking internal auditing • to identify and provide guidance on risk • Risk that has been identified in data management improvements and also to analysis access our knowledge and experiences related •• Risk categories identified by the business to digital transformation.” risk management (BRM) committee,
Inori and his team strike a careful balance which is responsible for enterprise risk when providing consulting services. “When management we receive a request for internal consulting, Using that information, the internal audit we are particularly conscious of standing function created a risk map that identifies the in the other party’s position and thinking size of impact and likelihood of occurrence together in a collaborative fashion,” Inori for each risk. Inori and his team now use the explains. “We never look at them from above, risk map to strengthen their discussions with and we are always clear as to what the second executives. line of defense should do and what the third line of defense should do.”
Future-Ready via a Risk-Based Approach The success of these analytics-
NTT Communications’ internal audit function enhanced audits has stimulated is also re-engineering processes as part demand for internal audit’s of its internal transformation. A shift to consulting offerings. increasingly risk-based audits represents one such process overhaul.
To move to a more risk-based auditing The move to a risk-based auditing approach, approach, Inori’s team gathered a large combined with the ongoing adoption of volume of risk information that exists advanced technologies, has helped the throughout the company. Examples of this internal audit function pivot in another way. risk information include: Inori notes that his team’s audits previously focused on detecting past deficiencies and •• Findings by the National Board of fraud indicators. Now, he adds, “We are using Accounting the latest data analysis technology to predict •• Concerns of internal auditors future behavior patterns and prevent and mitigate related risks.”
Internal Auditing Around the World® Vol. XV | 53 Internal Auditing Around the World® Vol. XV
Occidental Petroleum Corporation Drilling Down on Data
Gary Daugherty We need people in internal audit who have a technological Vice President, viewpoint because that’s the future. We also need critical Internal Audit thinkers and good communicators. That won’t change, because internal auditors need to gain people’s trust very quickly and establish an air of collaboration and honesty.
Occidental Petroleum Corporation Occidental Petroleum Corporation is an Houston — two directors, one manager and international oil and gas exploration and one senior auditor. However, the function production company with operations in the receives ample support for projects through United States, the Middle East and South its co-sourcing partners. “I would say our America. It is one of the largest U.S. oil and co-sourcing model for internal audit is gas companies, based on equity market unique among our peers in the oil and gas capitalization, and the biggest operator sector,” says Daugherty. “My team manages and oil producer in the Permian Basin in and scopes all the projects, but we co-source the southwestern United States. At the end most of our work with others. So, rather than of 2018, Occidental had more than 38,000 bringing in subject-matter specialists on a employees and contractors supporting its project-by-project basis, we partner with our operations worldwide. service providers.”
The company’s Midstream and Marketing Establishing ERM and Overseeing ERP segment is composed of several businesses Controls Design that purchase, market, gather, process, transport or store hydrocarbons and other The co-sourcing model for internal audit commodities. Occidental also has a wholly has been in place at Occidental since 1998; owned subsidiary, OxyChem, which is a major previously, the company outsourced all of North American chemical manufacturer. its audit work. The team performs between Dallas-based OxyChem manufactures PVC 70 and 80 internal audits per year, including resins, chlorine and caustic soda, which assurance and advisory projects, cybersecurity are essential to developing products such reviews, Sarbanes-Oxley (SOX) compliance, as plastics, pharmaceuticals and water and contract compliance audits. It still relies treatment chemicals. on a third-party provider to handle contractor audits, however, which represent about 40% of the audit work in terms of volume, according to Daugherty. “Outsourcing contractor audits Outsourcing that heavy workload provides a lot of cost recoveries to the business also helps Occidental’s internal audit and helps us tighten our contract terms and team and their co-source partners conditions,” he says. focus on other projects that create Outsourcing that heavy workload also value for the business. helps Occidental’s internal audit team and their co-source partners focus on other projects that create value for the business. Occidental, which is organized in Delaware, For example, the auditors are collaborating was founded in California in 1920. Occidental with one of their longtime co-source maintained corporate headquarters in Los partners to drive Occidental’s enterprise risk Angeles until about five years ago, when management (ERM) initiative. “We wanted the company decided to move its corporate risk ownership to reside within the business,” functions to Houston — the headquarters city says Daugherty. “So, in the first phase of the of its oil and gas business. project, we set up an ERM council, which is made up of five key executives who report Gary Daugherty, Occidental’s vice president directly to the CEO, and an ERM team with of internal audit, oversees a lean team in about 20 high-level business owners.”
Internal Auditing Around the World® Vol. XV | 55 The second phase of the ERM initiative, to be the top critical enterprise risks and emerging completed by the end of 2019, centers largely risks we identified in the first phase of our on data. “We’re developing dashboards with ERM project,” Daugherty says. “That effort key risk indicators and key performance defined what we call our ‘mission-critical’ indicators for monitoring any changes in projects for 2019 — the projects that are risk,” says Daugherty. “It’s been a really fun locked in for the year. Other projects may be and eye-opening experience for us.” added or deferred depending on changes in our business and risk profile.” Another major project internal audit is helping to support is the oil and gas group’s Developing Dashboards, Automating implementation of SAP S/4HANA. The Work and Tracking Issues enterprise resource planning (ERP) suite went live in Occidental’s South American As Occidental implements new processes operations at the start of 2019 and will be and systems to improve how it operates, rolled out in the United States in 2020. internal audit is working to modernize, too. “We’re doing a lot of pre-implementation Daugherty says his team’s commitment to work,” says Daugherty. “We’ve performed innovation and transformation is “about several comparative process reviews, looking driving efficiency and doing more with fewer at some major processes for oil and gas, resources — better, faster and more cost- like materials management, maintenance, effectively.” It’s also about making sure that production and measurement, and supply internal audit “doesn’t get left behind.” chain management. We’re trying to ensure Embracing more sophisticated tools for that process and application controls are data analysis and reporting was one of the designed properly. In addition, we’re involved team’s first steps toward becoming a next- in the SAP pre-implementation controls generation internal audit function. “We had review of IT general controls, configuration plenty of historical data, but we had to collect settings, and user access roles and it, put it in Excel or Access, run graphics, and responsibilities.” then make a PowerPoint presentation so that we could share it,” says Daugherty. “Now, it’s all automated.”
Embracing more sophisticated tools for The internal auditors use TIBCO Spotfire Data data analysis and reporting was one of Visualization and Analytics software to create the team’s first steps toward becoming a dashboards that supplement their reporting to the audit committee. “The dashboards next-generation internal audit function. provide an automatic snapshot of where we are in terms of our overall plan status, project tracking, aging of open internal audit These projects alone would be enough issues, open SOX compliance deficiencies and to keep any internal audit function very contractor audit results,” says Daugherty. busy — even a team that co-sources. But Occidental’s internal auditors also have a list Occidental’s internal auditors attend five of projects to tackle in 2019 that was shaped audit committee meetings annually, and by their annual risk assessment in 2018. “We their time to prepare for those meetings has looked at major initiatives for Occidental, been significantly reduced thanks to their use from the SAP S/4HANA implementation to of data analytics. “The tool basically tracks cybersecurity, and married those things with everything for us, and it’s very interactive,”
Internal Auditing Around the World® Vol. XV | 56 says Daugherty. “We can drill down into the or work directly with the business and IT to data to get details on demand and answer any develop something that we all can use.” questions that the audit committee may have. Real-time assurance tools are one example And the issue tracker lets us gauge where we that Daugherty has in mind. “We could set are on all outstanding issues. We’ve loaded up monitors to track any fluctuations or every issue for every audit that we’ve done anomalies or deviations in data, starting with over the last seven years into the tracker.” simple things like travel and entertainment expense reporting, delinquent payments, Establishing an “Opt-Out Methodology” AR gaining, or slow-moving inventory,” he for Data Analytics explains. “Then, we could do comparative As part of their efforts to increase their process reviews of activities among all the overall efficiency, the internal audit team business units. From there, we could drive at Occidental updated their methodology in more targeted audits, like spot audits, of 2018. “We incorporated automated process those anomalies.” maps for internal audit project execution, follow-up and SOX testing,” says Daugherty. “Now, you can click on a process icon to get to our templates and report formats — it’s Daugherty says access to specialized our entire methodology, from planning to skills is a key reason that Occidental fieldwork to reporting. It’s a good training relies heavily on co-sourcing for internal tool for our co-sourcing partners.” audit work. Daugherty also introduced the concept of “opt-out methodology” to the internal Raising the Visibility of the Function — audit team. Daugherty explains: “We tell and Thinking About Bots our auditors that we will use data analytics on every project that we initiate unless they Daugherty says access to specialized skills opt out. But to opt out, they must get my is a key reason that Occidental relies heavily approval. We’ve found that this methodology on co-sourcing for internal audit work. really drives the use of data analytics, When Daugherty does need to hire staff for whether it’s visualization of data or using his core team, he says it can take time to data analytics within a project to test entire find someone with the right mix of abilities data sets rather than sampling. In some who can help the internal audit function cases, we’ve even taken the data analytics keep making strides with its innovation tools that we’ve developed and turned them and transformation efforts. Through the over to the business.” co-sourcing model, the team has scalability Daugherty also says he’s eager for his and can bring the right resources at the right team to increase collaboration with the IT time to meet its needs. organization and the business to get the full Daugherty says, “We need people in internal benefit of Occidental’s data power. “There are audit who have a technological viewpoint silos of data scientists, quants [quantitative because that’s the future. We also need critical analysts] and other folks in the business thinkers and good communicators. That won’t doing their own thing with data,” says change, because internal auditors need to gain Daugherty. “Now, it’s time for our team to people’s trust very quickly and establish an air either leverage what’s already been developed of collaboration and honesty.”
Internal Auditing Around the World® Vol. XV | 57 The work that Daugherty and his team are Another area that the internal audit team doing to drive innovation and transformation at Occidental is just starting to explore — in the function has not gone unnoticed at which will likely grab the attention of the Occidental — in fact, it’s helped to raise business — is robotic process automation their visibility. “What we’ve been able to (RPA). “We’re wondering what we can do achieve is coming through in our audits and with RPA,” says Daugherty. “Can we develop deliverables, and that’s resonating throughout bots to do our SOX testing, for example? We the organization,” says Daugherty. “We have probably spend about 35% of our time on people coming to us asking, ‘Hey, we know internal controls over financial reporting you have unique skills and tools — can you and IT general controls — and that’s out of assist us with this project?’ or ‘Can you give us roughly 30,000 hours a year. Developing bots that technology?’” that can help us and our co-sourcing partners be more efficient with SOX testing is the next generation of internal audit, too.”
The work that Daugherty and his team are doing to drive innovation and trans- formation in the function has not gone unnoticed at Occidental — in fact, it’s helped to raise their visibility.
Internal Auditing Around the World® Vol. XV | 58 Internal Auditing Around the World® Vol. XV
Synchrony Investing in a Data-Driven, Digital Future for Internal Audit
Mark Martinelli In the future, I think internal auditors, in general, will use Executive Vice more data analytics and digital dashboards to get a better President and sense of whether a risk is going up or down. So, there will be a Chief Audit Executive little bit more science and a little bit less art in our reporting.
Synchrony Synchrony is a consumer financial services company that delivers customized financing programs across a range of major industries, To help them learn, Martinelli collab- from retail to automotive to travel. It is the orated with the data scientists and largest provider of private-label credit cards professional practices group within in the United States and has established partnerships with national and regional the function to set up a data analytics retailers, healthcare providers, and other “university” for internal audit. businesses in the United States and Canada. Synchrony also provides an array of consumer Spending Two Weeks in the “Data savings products through Synchrony Bank, its Intelligence Academy” wholly owned online bank subsidiary.
Synchrony, headquartered in Stamford, Martinelli oversees an internal audit depart- Connecticut, split off from GE Capital, General ment that is divided into five teams, as well Electric’s financial services unit. So, while as a professional practices group. He has Synchrony is technically a new company, its expanded the staff size from 10 to 60 since roots extend back to 1932, when GE Capital joining the firm in May 2014, a month before Retail Bank began providing customers a line Synchrony’s IPO. About 20 team members of credit to purchase GE appliances. In 2014, work with Martinelli at Synchrony’s Stamford Synchrony went public, raising more than headquarters. The other 40 individuals are US$2.8 billion in its initial public offering (IPO). spread across offices in Georgia, Illinois, Utah and India. Synchrony is a digitally forward company that invests in technology across multiple “I had an opportunity to build a new internal platforms — in-store, online and mobile. audit department at Synchrony,” Martinelli It has as a goal to shape the future of says. That work included creating a data financing and customer engagement by analytics function within internal audit, which combining technology and analytics to stay was something Martinelli says he wanted to ahead of emerging trends, and then pilot do right from the start. Today, data scientists new programs and partnerships to deliver make up about 10% of Synchrony’s internal innovative solutions fast.1 And as Synchrony audit team. “We’re now trying to retool and pursues those investments, its internal audit rescale the department so that everyone on team is on hand to assess potential risks. the team has real working knowledge of data analytics by the end of 2020,” says Martinelli. “Synchrony is essentially a technology company that does consumer finance,” To help them learn, Martinelli collaborated according to Synchrony Executive Vice with the data scientists and professional President and Chief Audit Executive Mark practices group within the function to set Martinelli. “So, a big portion of the internal up a data analytics “university” for internal audit team’s work, in addition to providing audit. The Data Intelligence Academy (DIA), assurance services to the company, is to audit which is self-funded by the department, technology. That includes cloud and mobile launched in 2018. “We’re training individuals technology, as well as other innovations on data analytics and related techniques in designed to make Synchrony’s interactions a two-week immersive course,” Martinelli with our customers more frictionless.”
1 “About Us — Innovation,” Synchrony website: www.synchrony.com/about-us.html.
Internal Auditing Around the World® Vol. XV | 60 says, adding that about 25% of the auditors The internal auditors who completed the had completed the training as of early 2019. Data Intelligence Academy’s curriculum have already developed several case studies “My view is that the next generation of that they’re using in their work, according internal auditors will need to know data to Martinelli. “We’re starting to see the analytics,” he says. “I’m already thinking benefits of those case studies, too,” he says. about what we’ll be able to do in our “We have individuals and teams coming up organization by the end of next year when with findings that they wouldn’t have been everyone in the department has deeper able to uncover without data analytics. I also knowledge of data analytics and techniques. think that our use of data analytics is helping We’ll then be able to use our true data us to deliver audit work to Synchrony that’s scientists in a much more specialized way.” timelier, as well as more aligned with the needs of the business.”
Measuring Internal Audit Efficiency While Martinelli is intent on helping his Through “The 2020 Initiative” team become proficient in using data analytics, his “digital vision” for the As Synchrony’s internal auditors expand department extends well beyond that their use of data analytics in their work, the business’s appetite for data-driven effort. His goal is to use technology to insights and tools from the function grows, help evolve a more real-time assurance says Martinelli. “I’ll tell you why that’s model for Synchrony. the case: We’re now able to give them deeper assurance,” he explains. “We can also identify and share opportunities for Martinelli says there was no trouble finding automation or efficiencies within a process, volunteers for the inaugural class of the including sharing best practices for data Data Intelligence Academy. “We had many analytics used in those processes.” team members raise their hands to say, While Martinelli is intent on helping his team ‘Yes, I want to be a part of that.’” That level become proficient in using data analytics, his of enthusiasm, along with the success of “digital vision” for the department extends the program to date, is motivating other well beyond that effort. His goal is to use internal auditors at Synchrony to embrace technology to help evolve a more real-time the opportunity to learn this new skill set. assurance model for Synchrony. “Auditing, “People are sometimes wary of new tech- both internal and external, is a bit historical nologies — and the impact they could have in nature,” Martinelli says. “We, as auditors, on their jobs,” Martinelli says. “The Data show up, perform the audit, and then issue Intelligence Academy is a way to introduce a report three months later telling you what data analytics to our team in a comfortable we found. What we want to do is shorten our way, and it’s working really well for us. The auditing spans, deliver faster reporting and combination of an auditor’s knowledge of conduct better risk assessments.” the process, coupled with their new DIA data Eliminating manual work is one key to realizing analytics skills, is really providing measurable that vision. Employing data analytics and early wins for our DIA graduates.” dashboards is another. “We could look at
Internal Auditing Around the World® Vol. XV | 61 certain key performance indicators, changes in within a certain amount of time,” he says. “So, balances, the number and type of complaints how fast do they get signed off? And are we coming in from consumers, and many other falling behind on the work?” things,” says Martinelli. “And maybe we He adds, “I’m trying to find better ways to combine that information with internal and make us more aware of where we’re efficient external data to come up with risk indicators — and where we’re not. I think it’s important that can tell us if a risk in a certain area of the to shine a spotlight on our department to make business might be increasing or decreasing.” sure we’re as effective as we can be using digital He continues, “What I’m describing is not and data to create dashboards to show my exactly predictive modeling. But the idea leaders and to see for myself how well we’re we’re working toward is to create dashboards running the internal audit department.” that could tell us whether we should look at an area of the business sooner rather than later because something has changed and is potentially creating risk.” As the internal audit team at Synchrony
Martinelli says, “In the future, I think internal uses technology and data insights to auditors, in general, will use more data work more efficiently, Martinelli says analytics and digital dashboards to get a better they are finding more time to focus on sense of whether a risk is going up or down. So, value-adding projects for the business. there will be a little bit more science and a little bit less art in our reporting.” Martinelli also envisions internal auditors at Synchrony using Getting Comfortable With the Speed dashboards to show business owners broad of Change trends over time, instead of offering a point- As the internal audit team at Synchrony uses in-time assessment. technology and data insights to work more Soon, the internal audit department at efficiently, Martinelli says they are finding Synchrony will be using dashboards to gauge more time to focus on value-adding projects the performance of the function itself. That for the business. “We need to do more work digital project, now in development, is called around data privacy and cybersecurity, for “The 2020 Initiative.” Martinelli offers this example,” he says. “And, as we automate background on it: “One of the goals I set for more of our work, we are reinvesting our time the department this year is to run internal in these and other areas.” audit like a business. We’re becoming more Pivoting to new assignments isn’t always easy, efficient in our work by using tools like though — nor is adapting to new technology. data analytics, but how efficient are we as a But Martinelli says next-generation internal department? So, I want us to have a series of auditors will need to do both to succeed in simple dashboards that can tell us, every day, the profession. And that’s not all: “Internal how efficient and effective we are in terms of auditors need to get more comfortable with using our team, in getting audit reports out, the speed of change,” he says. “There is how fast we’re validating issues, how well we always change, and there always will be are utilizing our resources, and more.” change. But the pace of change today is rapid, One dashboard being designed now will provide and that’s driven largely by technology.” visibility into audit work papers, according to Martinelli. “Work papers have to be signed off
Internal Auditing Around the World® Vol. XV | 62 So, for internal auditors, getting comfortable with the speed of change will include learning how to audit emerging technology — and So, for internal auditors, getting com- perhaps in real time, Martinelli says. “We fortable with the speed of change will have to figure out how best to audit new include learning how to audit emerging technologies, which present new risks,” he explains. Martinelli points to systems technology — and perhaps in real time. that use machine learning and artificial intelligence, which could “make changes in coding on their own.” He says, “I think, in the future, internal auditors will need to audit while operational systems and controls are being built, as opposed to after the fact.”
Internal Auditing Around the World® Vol. XV | 63 Internal Auditing Around the World® Vol. XV
TD Bank Group Assigning a Human Face to Internal Audit Transformation
Michael Pagan In a nutshell, our strategy is: Go Digital, Be Agile, Vice President, Get Fresh Perspectives, and Live One TD. Global Head of Audit Strategy and Transformation
TD Bank Group Headquartered in Toronto, TD Bank Group’s customers to keep the bank’s pen after they’ve more than 80,000 employees serve 25 completed a transaction. So, it’s no surprise million-plus customers worldwide. Those that TD Bank Group recently put a human face customers are primarily located in North on internal audit innovation. The strategic America, as well as in Europe and the Asia- blueprint for internal audit transformation that Pacific region. TD Bank Group operates resulted from this decision is comprehensive several subsidiaries in three business lines: and instructive.
1. Canadian Retail: TD Canada Trust, An Innovative Personality Business Banking, TD Auto Finance (Canada), TD Wealth (Canada), TD Direct In April 2018, TD Bank Group’s internal audit Investing and TD Insurance function, which has more than 400 full-time 2. U.S. Retail: TD Bank, America’s Most employees globally, named Vice President Convenient Bank, TD Auto Finance (U.S.), Michael Pagan as the global head of audit TD Wealth (U.S.) and TD’s investment in strategy and transformation. The U.S.-based TD Ameritrade Pagan reports to TD Bank Group’s Global Chief Auditor Xihao Hu, who took on the 3. Wholesale Banking, including TD Securities role in early 2019, and Anita O’Dell, the chief auditor of the U.S. bank.
“The audit strategy position was created to TD Bank Group companies promote ensure that we are properly focusing on the their ability to maintain highly personal future. Our chief auditor at the time, Kelvin Tran, decided that we need somebody senior connections with customers and stake- to focus on strategy full-time,” Pagan recalls. holders in the digital age. Pagan’s extensive auditing experience in the financial services industry and his nine years auditing various areas of TD Bank Group, Despite the variety of services delivered by including wholesale banking and U.S. retail those subsidiary companies, TD Bank Group banking, made him a befitting candidate, strives to collaborate and serve customers in as did his personality. Pagan has a healthy a unified manner across all of its businesses appetite for innovation and creativity. and units in accordance with “One TD,” an enterprisewide strategic priority. The three In this new role, Pagan worked to ensure pillars of this approach include fostering the strategy was developed collaboratively. strong partnerships across internal teams, “We don’t want strategy developed in seamlessly delivering the bank’s entire an ivory tower,” Pagan notes. “It can be offerings to customers and deepening easy for theory and the practice to become customer relationships. disjointed, so I really need to work through my colleagues.” TD Bank Group companies promote their ability to maintain highly personal connections with Transformation Phase #1: Origination customers and stakeholders in the digital age. TD Bank’s “unexpectedly human” credentials The first order of business involved (which it has trademarked) are evident in its articulating the function’s approach to branch offices’ long hours, pet-friendly policies transformation and innovation. This was a and abundant lollipops. Tellers also encourage broad mandate to further define the role and
Internal Auditing Around the World® Vol. XV | 65 determine success measures, and it actually document. “In a nutshell,” Pagan emphasizes, began with a blank canvas, which was very “our strategy is: Go Digital, Be Agile, Get Fresh exciting but also scary, according to Pagan. Perspectives, and Live One TD.”
A key part of filling in this blank canvas was extensive research; books, white papers and articles; conferences featuring leading One TD brings a strategic and customer futurists and technology thinkers; and the study of trends shaping the financial services focus, holistic perspective, and three industry. Audit and bank executives were lines of defense coordination without approached to find out how they saw their compromising independence. work evolving. “There’s definitely a trend in the industry and within TD whereby more individual leaders are taking responsibility The Live One TD component of the strategy for innovation and transformation,” Pagan reflects the audit function’s commitment to, notes. “Whenever I saw an announcement and alignment with, TD’s corporate strategy. concerning colleagues taking on a new The pillars of internal audit’s transformation role with ‘strategy,’ ‘innovation’ or strategy are: ‘transformation’ in their title, I would •• Go Digital: This pillar calls for internal immediately ping them, so we could start audit to embrace advanced technology sharing ideas.” and data analytics — to weave digital and The blank canvas evolved to multiple drafts of advanced technology skills into the DNA of the strategy with input from the chief auditor. all auditors — not just specialists. Those exchanges, along with discussions with •• Be Agile: This means modifying “capital- other members of the internal audit senior A-agile” methodologies so that the management team and assistance from function can operate with a flexible, external consultants, were very helpful as the nimble approach while providing transformation strategy needed to align with (1) independent assurance. the company’s strategic objectives; (2) internal audit’s latest vision (“great people providing •• Get Fresh Perspectives: This strategic insights on key risks around the corner”) and pillar centers on the function’s talent (3) internal audit’s value proposition, which is management and benchmarking activities. “providing valued, independent, holistic and Fresh perspectives relate to diversity in proactive assurance.” every sense of the word — to gender, race and ethnicity, as well as diversity After finalizing the strategy, communication of thought, background, experience, was key. “A key objective was to have education and skills, with a goal to make everyone from entry-level auditors to our the group better suited to solve new and chief auditor know what our strategy is and unique challenges. how it’s relevant to them. That’s crucial because our strategy is not implemented by •• Live One TD: One TD brings a strategic me — it needs to be understood, bought in, and customer focus, holistic perspective, and implemented by every single person in and three lines of defense coordination our function,” Pagan says. without compromising independence.
The entire leadership team and the audit committee supported the final strategy
Internal Auditing Around the World® Vol. XV | 66 Transformation Phase #2: Communication Transformation Phase #3: Execution
The next phase of this transformation Once TD Bank Group’s internal audit strategy work remains ongoing, and the transformation strategy was finalized, communication never ends. auditors across all levels of the division volunteered to take ownership of and drive This phase began in earnest with a two-day activities within each of the pillars. Pagan conference attended by the entire global clarifies that this governance structure is division. “During the conference, I introduced separate from the formal organizational the strategy after a little dramatic buildup,” structure and helps to foster innovation Pagan recalls. The event featured numerous within business-as-usual activities while workshops devoted to each pillar of the sharing responsibilities across teams. strategy, as well as guest speakers from the business, including the company’s head of The assistance of TD Bank Group’s central innovation and several technology experts. project management function was utilized to formally monitor those initiatives — The entire event really launched the com- a move that demonstrated the unified munication of the strategy. “The excitement approach espoused by the company’s One TD generated during events like that subsides priority and helped add more structure and because you don’t get to present in front accountability to projects. of the entire function every month. So, we’re working on other ways to sustain the One initiative within the Go Digital pillar momentum,” Pagan says. consists of an objective that 50% of audits conducted in the current fiscal year will use some form of data analytics. A related Go Digital objective involves training Pagan gains new perspectives from internal auditors to use a data analytics tool different groups within internal audit, from Alteryx. While the tool is intuitive, a and they return to their teams with a function-wide rollout and accompanying training effort might be inefficient. Instead, better understanding of the transfor- champions were selected within each audit mation — and more excitement. team who would be best suited to learn the tool quickly based on their experience with similar tools and advanced analytics, as In addition to small group discussion sessions well as their managers’ recommendations. with audit teams and distributing newsletters “We developed a more targeted training containing updates on transformation approach to get them comfortable using progress to his auditing colleagues, an this tool,” Pagan explains. “The training innovation rotation program was created is not just about how you use the tool and through which auditors joined Pagan to work the data it produces, but also about how you full-time on innovation and transformation select the best opportunities to apply the for three-month stints. Pagan gains new tool. We then expect the champions will perspectives from different groups within pass on their knowledge to the rest of their internal audit, and they return to their respective teams.” teams with a better understanding of the transformation — and more excitement.
Internal Auditing Around the World® Vol. XV | 67 Plans for modified agile auditing pilots ourselves if we need to continue to hire full- and enhancements of the internal audit time specialists. Or, is there a more fluid model function’s talent management strategy where we work with outside partners who can and processes are now being finalized. The help us address new skills needs much faster as talent enhancements will be based on a the business changes?” function-wide skills assessment that will Pagan concludes by emphasizing that be compared to a model of what skills the internal audit transformation is a work in function will need five and 10 years from progress, and there is a lot more work to be now. Recruiting and training approaches done, but the future looks incredibly bright. will then be reviewed to determine the best “The division is excited, and I am excited,” approach for moving forward. he adds, “by all the things we have to figure “We’ve traditionally hired from large auditing out and build for the future.” firms and from other banks,” Pagan explains. “Our interns and entry-level auditors tend to be accounting majors. We expect that our quest for fresh perspectives may significantly alter Plans for modified agile auditing pilots that approach. We may look at engineering and enhancements of the internal audit majors and increase hiring from a broader array function’s talent management strategy of technology companies. We’re also going to and processes are now being finalized. re-examine our labor model. We are asking
Internal Auditing Around the World® Vol. XV | 68 Internal Auditing Around the World® Vol. XV
Zain Group The Front Lines of Internal Audit Innovation
Venkatesh Jandhyala Now, you might say, ‘That sounds like an operational Chief Internal Auditor activity and not something internal audit should do.’ But we view CapEx [capital expenditures], and whether they are generating the returns that were originally projected, as a strategic risk if projections are not met … and we know that we can deliver immediate value to the organization once we complete our advanced integrated analytics initiative.
Zain Group Established in Kuwait in 1983, Zain Group offering a broad array of appealing individual was the first mobile telecommunications customer digital services and applications operator in the Middle East. Today, on the (many through key partnerships), as well as heels of a successful expansion strategy a range of enterprise (business-to-business initiated in the early 2000s, Zain Group is or “B2B”) services, offering government a leading mobile voice and data services bodies and companies of all sizes business- operator with a commercial footprint in eight enhancing communications services. Most markets across the Middle East and Africa, recently, in Kuwait, the operator launched with 6,000 employees, over US$4.4 billion in Zain Drone-as-a-Service, which helps annual revenues, and 50 million individual utilities remotely oversee and manage their and business customers. Zain Group operates vast infrastructures in an efficient and safe in Kuwait, Bahrain, Iraq, Jordan, Saudi Arabia, manner. Zain Group’s transformation in Sudan, South Sudan and Lebanon (where it recent years has consisted of major initiatives manages the local operation “touch” under a in six focus areas: customer experience, management contract). The Zain brand is one operational effectiveness, value management, of the most recognized and loved brands in B2B, digital frontier and innovation, and the region, having won numerous prestigious talent development. marketing and advertising awards across the “Technology evolves rapidly in the globe, with the brand being valued in the telecommunications industry and having vicinity of US$2.3 billion. the foresight to plan and adapt is critical,” notes Zain Group’s Chief Internal Auditor Venkatesh Jandhyala. The swift pace of technology-driven change combined with To counteract the shrinking margins Zain Group’s strategic transformation that all voice and data services efforts, as well as the company’s large and infrastructure providers confront, highly varied geographic footprint, keeps Zain Group is remaking itself as a Jandhyala’s internal audit team on its digital lifestyle services provider. toes. “Given the ongoing adoption of new technologies throughout the business, some of the processes that our auditors document are no longer relevant just a few months after In 2016, the company embarked on an we complete an audit,” says Jandhyala. ambitious transformation under the current Group CEO and Vice Chairman, Bader Al This dynamic also spurred Zain Group’s Kharafi. To counteract the shrinking margins internal audit function to deploy an that all voice and data services infrastructure impressive, steadily expanding collection providers confront, Zain Group is remaking of advanced technology, including process itself as a digital lifestyle services provider. mining tools, robotic process automation Across its operations, the company is (RPA), continuous monitoring activities (CMA) and advanced integrated analytics.
Internal Auditing Around the World® Vol. XV | 70 Monitoring Fuel Cost Swings During Sudan, and the outsourcers maintained a Civil War contracts with a number of different fuel providers that delivered diesel to numerous The majority of Zain Group’s largely cell sites — both inside and outside war- centralized internal audit group is based in torn regions. That arrangement meant that the company’s Kuwait City headquarters. A internal audit’s sampling of fuel-cost data small internal audit division also operates would be ineffective, if not useless. from the company’s Saudi Arabia office, primarily to address auditing work related to unique Saudi regulatory requirements.
Jandhyala leads a team of 25, which includes Back in 2015, Jandhyala’s team eight full-time employees and 17 co-sourced developed a homegrown continuous internal auditors. He describes the co-source monitoring capability in response to arrangement as crucial to his function’s price spikes in diesel fuel that hammered operation because it gives him access to specific skills and technical expertise (e.g., Zain Group’s South Sudan operations process mining) while also letting him scale during that country’s civil war. up and down in accordance with fluctuating workloads. His team audits processes performed by 6,000 employees across eight Instead, internal auditors went to Zain South countries on two continents. “We are very, Sudan, which did not have an enterprise very lean,” Jandhyala points out. “As a result, resource planning (ERP) system at that time, we’ve needed to be a much earlier adopter of and scanned and loaded fuel procurement new internal auditing technology. We are also and cell site operations management data highly influenced by our company’s overall into a database. The auditors ran SQL digital strategy. That means we continually queries and integrated that information look for innovative ways to maximize the with a geographic information system (GIS). value we provide despite our lean size.” The application they developed enabled local management to get the previous six A prime example: Back in 2015, Jandhyala’s months’ fuel-cost information on nearly team developed a homegrown continuous 200 cell sites, individually or by region, at monitoring capability in response to price the click of a button. Those views helped spikes in diesel fuel that hammered Zain management determine which suppliers Group’s South Sudan operations during were gouging and which ones were raising that country’s civil war. In most parts of costs in response to legitimate supply chain South Sudan, as well as in many other disruptions. Based on this information, regions of countries in which Zain Group internal audit also suggested the use of a new operates, cell phone towers run on diesel outsourcing approach, the selection of a new generators (making diesel fuel the company’s fuel vendor, and the implementation of new second-highest cost contributor to network key performance indicators to monitor and management expense). Cell site operations manage fuel costs moving forward. management was largely outsourced in South
Internal Auditing Around the World® Vol. XV | 71 Utilizing Process Mining and explains. “We’re seeing a lot of value for this, Social Media Monitoring and we’re trying to figure out how we can use the tool to give our auditees a real-time The internal audit function has refined its understanding of what’s occurring in their use of advanced technologies since equipping areas on an ongoing basis.” Jandhyala and the South Sudan operations with that his team are also evaluating how to apply continuous monitoring application four years process mining to accounts payable (AP) — ago. Jandhyala emphasizes that all of his while zeroing in on fuel costs — more broadly function’s innovation-related activities are throughout the company. squarely centered on managing risk. “We look at everything we do from a risk management Internal audit’s recent use of RPA in the perspective,” he says, while describing recent company’s Saudi Arabia operations involved a process mining and RPA initiatives. more targeted effort. Internal auditors wanted to address the lack of integration between the internal audit management software (IAMS), including open issues and follow-up actions Based on the success of its RPA pilot by business partners, and the operation’s in Saudi Arabia, internal audit is now email system. The IAMS is managed by an external services provider, so, due to internal planning how to implement similar bots information security requirements, direct in other regions. integration between those two systems was not an option. As a result, prior to the RPA implementation, internal auditors manually Zain Group’s internal auditors recently uploaded relevant reports and status updates applied process mining, with the help from the IAMS into SharePoint, which is of technology from Celonis, to audit the integrated with the email servers. That procure-to-pay life cycle in the company’s manual work consumed significant amounts Jordan operations. Those operations were of time on an ongoing basis. attractive for process mining thanks to The RPA application automated the transfer the existence of mature processes, a well- of information from the IAMS to SharePoint. structured ERP system and a relatively “Rather than sending out manual emails as smaller number of transactions (compared we used to do,” Jandhyala says, “automated to Zain Group operations in other countries). emails are now sent to the auditee six weeks The initial audit with the process-mining before the due date of a specific action. If tool is currently wrapping up, and Jandhyala we do not receive updates from the auditee reports that the new approach reduced the on the status of a particular issue within time auditees needed to devote to the process one week following the due date, an email definition stage of the audit by 25% to 30%. is automatically sent to the auditee’s “Now we’re able to give auditees real-time supervisor.” Based on the success of its RPA examples of any anomalies that require their pilot in Saudi Arabia, internal audit is now quick review to determine whether what we planning how to implement similar bots in discovered makes sense and, if so, what type other regions. of follow-up the issue requires,” Jandhyala
Internal Auditing Around the World® Vol. XV | 72 Other forms of internal audit innovation at “Now,” Jandhyala adds, “you might say, ‘That Zain Group have served to address strategic sounds like an operational activity and not risks rather than internal auditing efficiency something internal audit should do.’ But we and efficacy. Internal auditors just completed view CapEx, and whether they are generating the function’s first social media sentiment the returns that were originally projected, as a analysis for the company’s Saudi operations. strategic risk if projections are not met … and The review gauged what customers and we know that we can deliver immediate value employees are expressing on social media to the organization once we complete our platforms about their experience with the advanced integrated analytics initiative.” company. “From a risk perspective, social media can affect the value of our brand, so we conducted the sentiment analysis from that perspective,” notes Jandhyala. By 2020, Jandhyala plans to complete a new, advanced integrated analytics Delivering Immediate Value With initiative that his function will begin in Advanced Integrated Analytics the coming months. By 2020, Jandhyala plans to complete a new, advanced integrated analytics initiative that his function will begin in the “While there is pressure on us to manage our coming months. This multilayered analysis resources judiciously and still keep pace with will evaluate the extent to which capital rapid technological changes, we are able to do expenditures (CapEx) in a given region are our jobs effectively and experiment with new generating the returns they were expected methods and technologies in our work thanks to yield. The analysis will pull in a large to our forward-thinking audit committee, collection of varied internal and external and our progressive board and executive data, including budgets, revenue forecasts, management,” Jandhyala says. “Without spending and actual revenues, as well as their combined support, any change would population and demographics information, have been very time-consuming and delayed GIS data, local economic trends, information internal audit’s transformation.” on transportation networks, and more. The idea is to help business partners understand which factors have the greatest influence in ultimately determining the efficacy of their investment planning and decisions.
Internal Auditing Around the World® Vol. XV | 73 “Transformation is not the end but rather the end of the beginning, as internal audit starts on a path of innovation and ongoing advancement.” — Andrew Struthers-Kennedy Protiviti Global IT Audit Leader ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 75 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
PROTIVITI INTERNAL AUDIT AND FINANCIAL ADVISORY PRACTICE — CONTACT INFORMATION
Brian Christensen Andrew Struthers-Kennedy Executive Vice President, Managing Director Global Internal Audit Global IT Audit Leader +1.602.273.8020 +1.410.454.6879 [email protected] [email protected]
AUSTRALIA GERMANY THE NETHERLANDS Adam Christou Peter Grasegger Jaap Gerkes +61.03.9948.1200 +49.89.552.139.347 +31.6.1131.0156 [email protected] [email protected] [email protected]
BELGIUM INDIA SINGAPORE Jaap Gerkes Sachin Tayal Nigel Robinson +31.6.1131.0156 +91.124.661.8640 +65.6220.6066 [email protected] [email protected] [email protected]
BRAZIL ITALY UNITED KINGDOM Raul Silva Alberto Carnevale Mark Peters +55.11.2198.4200 +39.02.6550.6301 +44.207.389.0413 [email protected] [email protected] [email protected]
CANADA JAPAN UNITED STATES Ram Balakrishnan Yasumi Taniguchi Brian Christensen +1.647.288.8525 +81.3.5219.6600 +1.602.273.8020 [email protected] [email protected] [email protected]
CHINA (HONG KONG AND MEXICO MAINLAND CHINA) Roberto Abad Albert Lee +52.55.6729.8070 +852.2238.0499 [email protected] [email protected] MIDDLE EAST FRANCE Sanjay Rajagopalan Bernard Drui +965.2295.7772 +33.1.42.96.22.77 [email protected] [email protected]
Internal Auditing Around the World® Vol. XV | 75 � ���� �roti�iti In�. An ��ual ���ortunit� ���lo�er �����i�a�ilit��Veteran�. �������� �����i�a�ilit��Veteran�. � ���� �roti�iti In�. An ��ual ���ortunit� ���lo�er
THE AMERICAS UNITED STATES Houston Sacramento ARGENTINA* COLOMBIA* Alexandria Kansas City Salt Lake City Buenos Aires Bogota Atlanta Los Angeles San Francisco Baltimore Milwaukee San Jose BR AZIL* MEXICO* Boston Minneapolis Seattle Rio de Janeiro Mexico City Sao Paulo Charlotte New York Stamford PERU* Chicago Orlando St. Louis CANADA Lima Cincinnati Philadelphia Tampa Kitchener-Waterloo Cleveland Phoenix Washington, D.C. Toronto VENEZUELA* Dallas Pittsburgh Winchester Caracas Denver Portland Woodbridge CHILE* Fort Lauderdale Richmond Santiago
EUROPE, FRANCE NETHERLANDS BAHRAIN* SAUDI ARABIA* SOUTH AFRICA * MIDDLE EAST & Paris Amsterdam Manama Riyadh Durban AFRICA Johannesburg GERMANY SWITZERLAND KUWAIT* UNITED ARAB Frankfurt Zurich Kuwait City EMIRATES* Munich Abu Dhabi UNITED KINGDOM OMAN* Dubai ITALY Birmingham Muscat Milan Bristol EGYPT* Rome Leeds QATAR* Cairo Turin London Doha Manchester Milton Keynes Swindon
ASIA-PACIFIC AUSTRALIA CHINA INDIA* JAPAN Brisbane Beijing Bengaluru Osaka Canberra Hong Kong Hyderabad Tokyo Melbourne Shanghai Kolkata Sydney Shenzhen Mumbai SINGAPORE *MEMBER FIRM New Delhi Singapore #ProtivitiNextGen
© 2019 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0719-101115