© 2019 KPMG Advisory N.V., registered with the trade ... · Soft-controls: Back to the future IIA Conferentie Muel Kaptein - 11 December 2019. 30 Volwassenheidsmodel Internal Audit

© 2019 KPMG Advisory N.V., registered with the trade register in the Netherlands under number 33263682, is a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (‘KPMG International’), a Swiss entity. All rights reserved.

The future of Internal Audit impacted by data science

Prof. Dr. Rob Fijneman RE RA

KPMG/Tilburg University

—

Amstelveen, 11 December 2019


Profile Rob Fijneman

IM, Accountancy, IT auditing, Ph.D

Started in 1986 @ KPMG, partner since 1997

Corporate clients and IT governance focus

2014-2019 BoM, Head of Advisory, interim CEO

Professor IT auditing Tilburg University and Tias since 2004


Agenda

Dilemma’s

Internal Audit and data science

Data science

Digitizing – name of the game

Closing remarks


Digitizing – the second machine age (2014)

Sensors to be placed everywhere (Long Range

transmission protocols, LoRA). Every knowledge

domain gets digitized

Access to knowledge is democratized

Entrepeneur developers combine information freely

Industry boundaries do not matter


Digitizing – some further developments

From SMAC (Social Mobile Analytics Cloud) to ……

All types of continuous monitoring and auditing tools

available. IA can be robotized.

Disruptive technologies (IoT, Robotics, AI) develop

exponentially

From structured data to unstructured data (sensor data,

social media, customer profiles)

Platform concepts (winner takes it all, focus on US and

Asia)


Data science – some insights

Data science is a concept to unify statistics, data

analysis, machine learning and their related methods

2012 stimulated by HBR calling ‘data science the most

sexiest job of the 21th Century”

Objective is to understand and analyze actual

phenomena with structured and unstructured data

It employs technologies and theories from different

domains like mathematics, statistics, computer science

and information science

Is it new or long existing, different views

Since 2013 launch of several formal international bodies


Data science – audit of “data & analytics” and audit with “data & analytics”

Data & analytics as a tool to signal and analise business

trends and to validate controls both ITGCs and

application controls,

Fitting the solution into the IT infrastructure and running

(ERP) systems

The data & analytics solution also need to be validated

itself (is it reliable and consistent)

We could move towards 100% data validation

Supporting the concept of continuous monitoring and

auditing


Data science – it is all about the quality of the data

Extensively prepare and clean your data

Take time to get to know your data and its environment

Data transformation and analysis

The above activities do not work as a straight line, it

requires investments


Data science – some examples

D&A used during risk analysis phase: risk indicators,

patterns

D&A used to validate controls. Revenue cycle of a

wholesaler of baked goods. Audit objectives supported

by D&A: is revenu complete, are the sales booked in the

right period, any indications of irregularities (fraud

indication), which clients get higher discounts

D&A for performing substantive procedures

It supports the scenario’s of CM/CA. IA testing the

1st and 2nd line of defense CM activities and IA

performing CA.


Internal Audit and data science – flow of activities

Identify business problem, business IA

Clean/validate data, data analyst

Define analytics question, both business IA and data

analyst

Identify minimum data needed, data analyst

Request data, data analyst

Transform data, data analyst

Generate outcome, data analyst

Answer business question, business IA


Internal Audit and data science – common body of knowledge

Merging the business, audit and data science

knowledge

All auditors need to understand the basics of D&A

(therefore we have courses Digital auditing and the like)

Working together between specialists requires a

common ground of understanding (overlapping

knowledge domains)

D&A as a CoE within IA


Internal Audit and data science – many initiatives in education

Tias IT auditing running a specialist track for Data &

Analytics

VU and Erasmus focusing on Digital auditing

Jheronimus Academy of data science interacting with

Audit curricula like IT auditing and financial auditing

Jheronimus Academy delivering ‘’tailor made” data

science courses to companies

Tilburg University kicked off Data driven audit course for

Financial auditors recently

Etc. Etc.


Dilemma’s: balancing between “the audit of” and the “audit with” data & analytics

How to embed data science and data & analytics in the

auditing standards and filing requirements?

Evolving the common body of knowledge of both

(internal) auditors and data scientists: can we create

common ground?

How to ensure that data & analytics delivers audit

evidence?

Data & analytics requires a technical environment with IT

general controls operating effectively, how to get there?

Business knowledge needed to deliver meaningful

analytics


Closing remarks

Be clear on the “blind spots”’, how to mitigate these?

Embrace diverse skill sets in your team and introduce

relevant career paths

Start the journey, Technology does not wait (trial and

error is allowed)

Be clear on your role as Internal Audit: CoE for data &

analytics to stimulate the business and/or CoE for audit

purposes

It will be a digital transformation of your audit function

Thank [email protected]

+31 6 53392036

+31 20 6567450

Insights derived from KPMG practices and client cases, Tilburg University Accountancy,

Tilburg University Executive Master of IT auditing and curricula of Jheronymus Data

Science Institute in Den Bosch

mailto:[email protected]

Amsterdam Business School

Prof. dr. Frank Verbeeten MBA, UvA

Finance & IA in the

Digital Age


Agenda

Developments in organizations

Finance involvement in transformative digital strategies

Impact of digital on Finance

• SSC/outsourcing

• Technologies applied in Finance

Finance professional competencies

Challenges in Finance transformation

What’s next?


Developments in organizations

‘It’s a VUCA-world’

• Volatile, uncertain, complex, ambiguous

Impact of digital on companies

• Impact on (digital) strategy and business model

• Finance as ‘economic conscience’ and ‘decision shaper’ involved?


• SSC/outsourcing

• Robotics & Data analytics




What about other departments?



Are activities outsourced or structured in SSCs?




1= Not at all (0%)

2= Hardly (<25%)

3= Somewhat (25-50%)

4= To a large extent (50-75%)

5= (Almost) complete (>75%)





https://www.youtube.com/watch?v=KmMx1g9J40U

https://www.youtube.com/watch?v=KmMx1g9J40U




Challenges in Finance transformation


What’s next?

What was required?

What is required?

Soft-controls:Back to the future

IIA Conferentie

Muel Kaptein - 11 December 2019

30

Volwassenheidsmodel Internal Audit Soft controls 1. Initial 2. Infrastructure 3. Integrated 4. Managed 5. Optimizing

A. Planning en

methodologie

B. Scope

C. Technieken

D. Rapportage

E. Kennis en

vaardigheden

SC staan in een

individueel jaarplan,

maar niet

opgenomen in audit

methodologie.

SC-model ontbreekt

SC opgenomen in

auditjaarplan en op

onderdelen beschreven

in audit methodologie.

Er is een basis

SC-model

SC onderdeel van

audit meerjarenplan

en toegesneden SC-

model is geïntegreerd

in audit methodologie

SC en toegesneden SC

model zijn onderdeel

van audit visiedocument

en vast onderdeel van

iedere audit en

werkprogramma

SC en toegesneden

SC-model zijn

geïntegreerd

organisatiebreed in

GRC en

risicomanagement.

SC-instrumenten

soms meegenomen

in entity level

controls

SC onderdeel Root

Cause Analyse

SC onderdeel hard

controls testing

SC object van audit

in kader van proces

overstijgende

thema’s

Auditen van SC self-

assessments van

business

SC

meegenomen

in bestaande

technieken

Periodiek gebruik van

gestandaardiseerde SC

auditmethodieken, zoals

interviewvragen, enquête

en observatieprotocollen

Periodiek gebruik van

op maat gemaakte SC

auditmethodieken

Continu gebruik van

SC auditmethodieken,

zoals real-time data-

analyse

Afwisselende mix aan

audittechnieken wordt

weloverwogen ingezet,

met ruimte om te innoveren

en experimenteren

Vrijwillige en

vrijblijvende

mondelinge

terugkoppeling van

gebreken

Schriftelijke, vrijwillige en

vrijblijvende rapportage

over gebreken

SC vast onderdeel in

schriftelijke rapportage

over gebreken

SC vast onderdeel

in schriftelijke

rapportage over

gebreken die

meewegen in rating

Schriftelijke (externe) vaste

rapportage over gebreken

en kwaliteiten die

meewegen in rating

(a.d.h.v. benchmark)

Eén auditor

heeft cursus

SC gevolgd

Alle auditors hebben

uniforme SC training

gevolgd

SC zijn onderdeel van

opleidingsplan en PE,

zowel kennis als

vaardigheden

SC is onderdeel van

PE, zowel kennis als

vaardigheden, waarop

wordt getoetst en

beoordeeld

Multidisciplinaire auditors

onderhouden

uiteenlopende, specifieke

SC-kennis en

vaardigheden

2000 2019 The future

Documents

© 2019 KPMG Advisory N.V., registered with the trade ... · Soft-controls: Back to the future IIA Conferentie Muel Kaptein - 11 December 2019. 30 Volwassenheidsmodel Internal Audit