Making sense of disruption for Internal Audit Introducing the Internal Audit Megatrends www.pwc.com.au Re-imagining Internal Audit


Rapid urbanisation

Today, more than half the world’s population live in urban areas and almost all of the new growth will take place in lesser known medium-sized cities of developing countries.

Climate change and resource scarcity

As the world becomes more populous, urbanised and prosperous, demand for energy, food and water will rise. But the Earth has a finite amount of natural resources to satisfy this demand.

Shift in global economic power

Some emerging economies that were growing rapidly are now in recession. Commodity prices have played a considerable role in sending these economies into reverse.

Demographic and social change

By 2030 the world’s population is projected to rise by more than 1 billion. Equally significant, people are living longer and having fewer children.

Technological breakthroughs

The digital revolution has no boundaries or borders. It is changing behaviour and expectations as much as the tools used to deliver new services and experiences.

The PwC Megatrends: Five global shifts changing the way we live and do business

PwC | Making sense of disruption for Internal Audit

Introducing the ‘Internal Audit Megatrends’

Megatrends defining the various influences impacting internal audit


Making sense of disruption for Internal Audit

The Internal Audit Megatrends, or ‘IA Megas’ as we have affectionately termed them, are forces which Internal Audit leaders and practitioners need to understand and respond to. Defining them will, we believe, help to cut through the multitude of current and emerging influences impacting Internal Audit in order to create a clear path for action.

Introducing the IA Megas

Virtualisation

Virtualisation is the technological immersion of all Internal Audit activities in a real time, continuous and connected environment.

Risk convergence

Risk convergence describes the increased connectivity between internal and external risk factors, driving a need for greater breadth and depth from Internal Audit.

Trust

Trust is the new priority for Internal Audit if it wants to thrive in a socially conscious and values-driven society.

Human agility

Human agility is the key requirement for Internal Audit to adapt to co-exist with technology, be more intuitive, iterative and celebrate IA practitioners’ unique human traits.


Virtualisation

Virtualisation is the technological immersion of all Internal Audit activities in a real time, continuous and connected environment, which is driving endless possibilities for diverse teams.

What is the trend and why has it come about?

Technologies are now more commercially accessible with more functionality than ever before. This is driving endless possibilities for diverse teams, in multiple locations and different time zones who can connect in real-time, multimedia formats in an unprecedented way. Combining this with socially responsible travel means the virtual IA function is not just achievable but desirable. Internal Audit functions are now immersed in a virtual world with technology impacting all aspects of the IA lifecycle from Risk Assessment to Action tracking. This means that fieldwork can be done remotely, actions can be workflowed, risk themes can be enriched with external data and IA functions can embrace agile.

How will it impact IA?

The future IA involves virtual and globalised teams, interacting in real-time, utilising continuous and dynamic risk assessments, drawing on real time and broader sources of information (in both structured and unstructured formats), predicting risk exposures and responding with agile actionable plans, collaborating directly with stakeholders and auditees, resulting in iterative and dynamic feedback cycles with high-speed, agreed management actions.

No longer will auditees be kept at arm’s length. Technology will allow them access to and transparency around activities and facilitate self-service, as well as drive greater trust and confidence in IA. While all this is positive, there is a cautionary tale around ensuring security underpins all technological advances.

How to future-proof IA: Practical steps

Work out what technology you have available already – Not just in Internal Audit.

Assess the digital fitness of the IA team.

Develop a realistic technology and data investment strategy.

Refresh your operating model to take advantage of this trend e.g. virtual fieldwork, off-shore teams and data analytics in advance of fieldwork to provide areas of focus.

Adopt a ‘digital first’ mindset when planning the audit execution.


Trust

Trust is the new priority for Internal Audit if it wants to thrive in a socially conscious and values-driven society. The link between trust and performance is more important than ever.

What is the trend and why has it come about?

The link between trust and performance is more important than ever. Stakeholders are holding organisations to account on the basis of trust and transparency, and the consequences of ignoring this are to be found in all the major tabloids. This has come about largely through the generational shift which demands more socially conscious activities, greater desire for mobility, and by default drives a less loyal employee/customer culture. This means that organisations have to take seriously, plan for, monitor and report their trust rating as part of their everyday activities.

How will it impact IA?

In an increasingly complex world, there needs to be more trust and transparency. Organisations need to rely on people acting and making decisions in the right way – i.e. having the right behaviours. In order to remain relevant, Internal Audit needs to align its trust objectives and values to those of the organisation. With increased surveillance, IA has unprecedented access to valuable insights around risk and behaviours; on the other hand, it has the ethical challenge of deciding what is an acceptable use case for this new source of data and a drive for discretion in its use. IA needs to have an articulated set of values which embrace being yourself at work, doing the right thing, putting yourself in others’ shoes, joint working, embracing diversity and respecting privacy.

How to future-proof IA: Practical steps

Develop an IA values and behaviours statement complementary and aligned to your organisation.

Ensure that all IA recruitment, promotion and development activities look for, have or develop attributes which are aligned to the values.

Create or enhance the IA annual report to ensure that trust and transparency measures are clearly monitored and reported on.

Champion trust and transparency throughout the business.


In the spotlight

Wage trust

What is the issue?

Employers are currently experiencing intense scrutiny and have admitted non-compliance issues, which generally arise from multiple factors including a lack of understanding about applicable terms and conditions of employment or misinterpretation of applicable industrial instruments.

Even where employers have demonstrable knowledge of the minimum terms that apply to their employees, they may still face compliance issues because of the incorrect or incomplete configuration of their payroll systems and/or processes.

Common drivers of wage underpayments

• Lack of knowledge regarding applicable industrial instruments

• Incorrect classification of instrument-covered employees

• Failure to accurately record hours of work, including breaks

• Reliance on annualised salaries

• Incorrect payroll configuration

• Personal/carer’s leave accruing incorrectly – particularly for shift workers or part-time workers

How does it impact organisations?

The issue of underpayment has received a great deal of media attention recently. Risks to companies include cost, reputational risk, loss of employee trust, regulator scrutiny and potential penalties or other ramifications.

Exposure to risk of significant public scrutiny, brand and reputation damage and loss of employee trust.

Needing to sift through high volumes of historic data and information to ascertain the potential impact of underpayments.

Time taken to manage multiple stakeholders including the Fair Work Ombudsman, the Fair Work Commission, the Australian Tax Office, unions, employees and the media.

Companies listed on the ASX also need to manage this in light of continuous disclosure requirements.

The tax and accounting implications of how to process and disclose the amounts that are identified as underpayments.

Potential ramifications imposed by the Fair Work Ombudsman including enforceable undertakings or prosecution and penalties.


Key risk factors

• Lack of internal HR resources, and absence of established relationship with industry-specific industrial advisor or reputable employment lawyers

• Large casual, or shift-based, workforce

• Workforce covered by multiple Awards or Enterprise Agreements

• Instrument-covered employees are paid annualised salaries, and are not required to log hours of work or breaks

• Operations across multiple sites; decentralised control over payroll; franchise structure with limited control over payroll

• Manual timesheets/recordkeeping

• Employer operates in an industry with low margins or that employs migrant workers

• Union or employee complaints over payroll accuracy

• Acquisitions of other businesses and legacy payroll systems

What proactive steps can companies take?


Seek legal advice to confirm knowledge of applicable industrial instruments and permissible payment and engagement methods.

Run a hire-to-retire process walkthrough with a payroll SME, assessing the payroll process, reviewing documentation and performing stakeholder interviews.

Review of payroll code configuration, to ensure the Award/EA interpretation has been coded correctly into the payroll system and to ensure SG coding is correct.

Conduct Governance controls review to assess whether controls over wage compliance are adequate, risk frameworks are in place and sufficient support is provided to payroll functions.

Review of annualised salary practices to ensure that salaries are an appropriate payment mechanism, and where this is the case, are paid and are sufficient to cover the minimum wage to which each employee is entitled under the relevant instrument.


Risk convergence

Risk convergence describes the increased connectivity between internal and external risk factors, driving a need for greater breadth and depth from Internal Audit.

What is the trend and why has it come about?

Global megatrends have a much greater dominance on the risk horizon of organisations than ever before, forcing Internal Audit functions to look outside their traditional organisational boundaries. Macro risks have moved from being benign irritants to malignant forces because of the hyper-connectivity of organisations, communities and people. Setting the parameters of tolerable risk and agreeing your risk attitude has become a much more complex endeavour because of the need to consider megatrends, global and local, as well as reflect the implications of operating in a values-driven society.

How will it impact IA?

Internal Audit needs to be broad, deep and respectful of the connectivity points between internal and external risk factors. This provides an opportunity to step away from sampling and narrow deep dives, and move towards full populations, continuous auditing, trend-based auditing and external benchmarking with a focus on the outcomes of IA activities rather than the outputs. Internal Audit must be able to rapidly understand and assess the complex correlations between external and internal factors and the impact of these on risk tolerances. Internal Audit is uniquely positioned to stand back and consider whether the first and second line of defence are acting in the optimal way to respond to these risks to ensure the organisation’s sustainable success.

How to future-proof IA: Practical steps

Identify both external and internal sources of risk insight.

Refresh your risk assessment framework to consider a broader range of insights.

Utilise guest auditors or co-source insights into risk from providers, secondees and subject matter experts and work with other risk functions in your organisation.

Maximise technology to help gather and aggregate risk, for example, using Dynamic Risk Assessment principles which predict areas of risk based on historical trends.

Build and use audit approaches that focus on outcomes not outputs; for example, applying our Total Impact of Internal Audit mindset.


In the spotlight

Financial crime

What is the trend and why has it come about?

Recent actions and advice by AUSTRAC have provided some additional insights into their expectations of reporting entities (REs). In reviewing and assessing this new information, REs are grappling with how best to respond to the evolving regulatory environment. Recent actions continue the pattern of the past five years of AUSTRAC proving itself to be an increasingly active and formidable regulator. With the heightened stakes, Australian entities will likely place greater emphasis on AML/CTF compliance, including in terms of time and money, to both meet their requirements and avoid enforcement action. AUSTRAC’s actions also signal an increase in the velocity of regulatory actions. REs should endeavour to accelerate the pace of any existing or proposed AML/CTF uplifts to ensure they meet, or exceed, regulatory expectations.

What has AUSTRAC done?

• Levied costly enforcement actions on non-compliant banks

• Issued requests for companies to appoint external auditors to assess AML/CTF programs

• Provided industry-specific guidance (e.g. mutual banks, superannuation sector)

AML/CTF is a significant topic in the Financial Services sector at the current time. Risks to companies include reputational risk, loss of societal trust, regulator scrutiny and potential penalties or other ramifications.

Who can be affected by these actions?

If your company is considered a ‘Reporting Entity’ under the Anti-Money Laundering and Counter-Terrorist Financing Act (AML/CTF Act), it will likely be impacted, directly or indirectly, by these developments. Recent actions continue the pattern of the past five years of AUSTRAC proving itself to be an increasingly active and formidable regulator.


In the spotlight

Financial crime (cont’d)


What might a Board member be asking management and/or Internal Audit?

Do you have a documented AML/TF risk assessment which covers all of your designated services? Has the Board seen the results of the risk assessment? e.g. have you conducted an enterprise wide risk assessment, and have the results been communicated to the Board?

Do you receive robust management information (MI) containing key metrics used to monitor performance of the AML/CTF Program? e.g. do you know how many SMRs your organisation has lodged in the last year, or how many high risk customers you have?

Does your accountability framework align with the 3 Lines of Defence (3LoD) model (e.g. independence of 3LoD internal audit)? How do you ensure implementation of a compliant 3LoD framework? e.g. is there a documented delineation of roles with clearly articulated responsibilities?

Does the organisational structure promote accountability for financial crime matters with clear reporting and escalation routes? Are resources subject to consequence management? e.g. is there an effective consequence management policy for internal breaches?

Do you have mechanisms in place to monitor compliance with applicable record-keeping regulations? If so, how do you measure their effectiveness? e.g. are the record retention policies tested to ensure ongoing compliance?

Does senior management take steps to ensure that the AML/CTF function has, and continues to have, sufficient skilled resources to execute its role? e.g. has a review of resource requirements, which considers the complexity, size and technological capabilities of the organisation, been performed?

Do you have a process whereby compliance initiatives, identified compliance deficiencies, and remedial actions are escalated to the Board and senior management in a timely manner? e.g. do you have an end-to-end event management/remediation framework?

Do you have mechanisms in place to validate the effectiveness of transaction monitoring detection scenarios? e.g. have these been adequately reviewed for appropriateness related to known typologies (e.g. human trafficking, terrorist financing, child exploitation)?

As a Board member, what should you be asking management?


How to future-proof IA: Practical steps

Develop a risk-based approach for testing based on collaboration with 1st line and 2nd line.

Perform assurance activities over regulatory responses proactively rather than after the fact. Advocate for evidence-based validation. Ensure appropriate retention of documentation given ongoing organisational restructuring/transformation.

Forms of assurance activities over management’s closure of issues across all 3LoD.

Challenge design and operational effectiveness of controls.

In the spotlight

Financial crime (cont’d)

Key risk factors

• Lack of technical knowledge and understanding of Australia’s AML legislation regime leading to incorrect implementation of processes and controls to support compliance with organisation’s AML/CTF Program.

• Complexity of processes not documented to enable end-to-end understanding of processes.

• Accountabilities, roles and responsibilities not appropriately defined across the 3LoD.

• As accountabilities, roles and responsibilities are not defined, there is limited MI reporting to support appropriate risk monitoring, oversight and reporting.

• Filtering of ML/TF issues to Board level. Lack of regular and comprehensive reporting to Board on ML/TF issues.

• Lack of appropriate assurance and monitoring processes in place.

• Lack of assurance activities to support regulatory responses. Smell test over responses rather than evidence based.

• Root causes of issues are not appropriately understood to ensure appropriate end-to-end solutions or fixes.

• Legacy systems, complex system architecture and multiple data transformations inhibit the appropriate capture of key data points and the data analytics needed to provide insights and trends.

• Financial Crime risk is not front of mind for front line when introducing new channels and products.

• Market share and commercial considerations outweigh risk factors, with fast entry to market by the front line without proper risk considerations. No consideration is given as to whether we have adequate systems, procedures and processes to support the monitoring activities prior to implementation.

• Risk appetite not well defined to enable appropriate decision making.

• Risk assessment model not consistent across the organisation or not appropriately implemented.

What proactive steps can companies take?

• Hold people accountable and implement strict consequence management.

• Develop a fit for purpose AML/CTF Program.

• Ensure you have appropriate systems, processes and controls to support compliance with the AML/CTF Program.


Human agility

Human agility is the key requirement for IA to adapt to the co-existence with technology, be more intuitive, iterative and celebrate their unique human traits.

What is the trend and why has it come about?

With technology reshaping the world, the ability to combine leading technology with human insight will be a key differentiator. The balance of what humans do will change. People will need to do more thinking, creating, challenging, opining, influencing, acting or deciding not to act, and connecting.

How will it impact IA?

By default, this will drive new stakeholders, new operating models and a different relationship with technology. In addition, auditors will need to audit new areas which have not previously been reviewed and this, in turn, will require new skills and capabilities. Greenfield auditing and one-off audits will be common practice, further requiring both resilience and agility. With the greenfield nature of future audits, there is an opportunity to rethink the audit approach and move to intuitive auditing where there are no work programmes or prescriptive practices but rather agile scrums, iterative findings development and collaborative reporting underpinned by a rigorous but flexible framework. Relationships with the business built on trust and empathy will be essential for internal auditors to effectively influence and effect change.

How to future-proof IA: Practical steps

Develop a clear vision of human-led IA activities as distinct from technology-led auditing e.g. Intelligent Controls methodology.

Invest in developing training and a culture of celebrating and strengthening human traits e.g. creativity, influencing etc.

Identify, log and baseline the mundane activities which have been automated to keep the focus on how technology can help.

Put away existing audit programs and build your audit plans and scopes iteratively as you progress through the audit.


Internal audit effectiveness

Expectations have evolved; merely going beyond providing assurance is no longer going to be enough.


Delivering the IA mandate

Eight attributes of internal audit effectiveness

• Expectations are clearly articulated and communicated

• Internal audit defines and articulates its mission and value

• Metrics are developed to measure progress towards the stated mission and vision

• Data analytics/continuous auditing are deployed, allowing for alignment with business areas, providing efficiency/increased coverage in testing and early warning of risk indicators

• Data is utilised to provide deep and persuasive intelligence on business issues and observations/recommendations

• Stakeholders perceive IA as operationally excellent and, where appropriate, as a provider of strategic support

• An IA strategic plan exists that captures expectations, communication strategy, and timelines

• IA coordinates with business units to define expectations and share audit scopes and seeks function-specific feedback regularly

• An appropriate mix of core internal audit and subject matter specialists (including those with business acumen)

• A continual learning and development model exists

• Quality standards have been defined

• Formal quality reviews are regularly completed to identify improvement opportunities

• Innovation is embedded in the culture of internal audit and is consistently fostered and rewarded

• The audit plan is based on both a top-down, strategic, approach and bottom-up approach to business risks

• The audit plan is continuously updated to respond to changes in the company and the external environment

• Appropriate time and effort are spent on assessing the key risks of the enterprise

• Metrics measure customer satisfaction based on stakeholder expectation

• All services provide balance of objectivity and value

• Use of internal and external resources, varying staff levels and geographical locations to increase efficiency

• Productivity is actively measured and managed

• Audit methodology and processes are standardised and simplified to be cost effective

Business alignment

Technology

Stakeholder management

Talent model

Risk focus

Service culture

Cost effectiveness

Quality and innovation

Confidence and assurance

Total value of internal audit


Total value of internal audit (cont’d)

Total impact of internal audit (TIIA)

• Business improvement: Ensuring that recommendations are practical and deliver business improvement

• Insights and benchmarking: Telling the business something that they did not already know and could not find out without internal audit involvement

• Red flagging: Telling the business something that they should be worried about and should act upon

• Horizon scanning: Predicting future areas of risk, concern and non compliance

• Business focus: Ensuring internal audit’s activities are focused on areas that are most important to the organisational strategy

[Diagram labels: audit committee; leadership team (CEO, CFO, CIO); regulator; customers, suppliers, communities; investors; external audit; IT auditees; operational management; second line functions; risk management]

Confidence and assurance

Effectiveness

Total impact = effectiveness + contribution


Who can help?

Sophie Langshaw, Partner, Internal Audit, Sydney

Sean Rooney, Partner, Internal Audit, Brisbane

Justin Eve, Partner, Internal Audit, Perth

Adrian King, Partner, Internal Audit, Canberra

Jason Agnoletto, Partner, National Leader Internal Audit, Melbourne

Kim Cheater, Partner, Internal Audit, Adelaide


www.pwc.com.au

© 2020 All rights reserved. PwC refers to the Australia member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. Liability limited by a scheme approved under Professional Standards Legislation. At PwC Australia our purpose is to build trust in society and solve important problems. We’re a network of firms in 158 countries with more than 250,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.au.