Audit Committee’s Expectations of the Chief Audit Executive in an Uncertain World. (Singapore Institute of Directors) We live in an uncertain world with plenty of technological advancements and digitalization. The world can be termed VUCA (volatile, uncertain, complex and ambiguous). The advent of tech companies like Uber and Airbnb has caused the downfall of many traditional businesses. One thing is for sure: technology is here to stay and it will continue to disrupt economies. The Financial Reporting Surveillance Programme by ACRA revealed that there is still work to be done in terms of complying with FRS for listed companies. The surveillance programme now also reaches out not just to companies with qualified audit opinions, but also to those with unqualified audit opinions. ACRA has stated 8 audit quality indicators which will be important for IAs to follow. The recent enhanced auditor report format requires the key audit matters and other information to be disclosed (notes to FS). In Jan 18, companies will need to comply with IFRS 9 on Financial Instruments and IFRS 15 on Revenue. Also, in general, there is a move from SFRS to IFRS convergence in Singapore. In addition, it is mandatory for listed companies to produce sustainability reports. This is an area where auditors need to equip themselves with more knowledge. From the above, it is imperative that one unlearns, relearns etc. In addition, to provide better assurance, IA can leverage other assurance providers and work closely with ISD or consider co-sourcing etc.
The 5 Ls that Internal Auditors need to possess are Learn (lifelong learning on data analytics, how to audit IT etc.); Leverage (other assurance providers for AML, cybersecurity etc.); Lead (lead the risk management, lead the combined assurance framework/Governance Risk Control framework etc.); Live (treat Internal Audit as a form of meaningful work and be passionate about their work); Love (treat IA as a vocation, contribute back to the IIA).
The Cyber Resilience Challenge. (RSM, DHL, Datalogic, CSA) To tackle cyber threats, there needs to be a good governance system in place. RSA has a GRC framework and business-driven frameworks to address such risks. In addition to cyber risks, an organization must never forget the operational/financial risks and how cyber risks are linked to such risks. Due to the skill of hackers, it is likely everyone will be hacked and it is just a matter of time before it happens. There is a need to weigh the pros and cons of anti-cyber threat measures. In the audit space, IT auditors have a lot of potential to upskill and relearn. For complex environments, it might even be necessary to develop a hacker mindset in order to perform vulnerability and threat testing. It is important for an organization to have a good risk culture. It is never wise to be naïve when it comes to cybersecurity. There is a need to consider single points of failure, as these might break the organization (for example, a lack of business continuity planning or failure to draw up a DRP). In such cases, it might be better to build in some form of redundancy. Ask yourself: if you were the CEO, what is the thing that keeps you awake at night? Do not ignore the threat of cybersecurity breaches in your organization.
Auditing at the Speed of Risk in the Digital Age. (DHL) Due to digitalization, IA needs to keep up to date with the latest market developments and update its risk assessments more frequently. Technology is the biggest game changer. Threats that surface during a threat assessment include malicious software, hacking attempts, unencrypted information, hacking and data theft. It is important to test the disaster recovery plans (DRPs) and BCPs. Ask yourself: what do you fear? One should believe in lifelong learning.
Do one thing every day that scares you. – Eleanor Roosevelt
Maximising Value from the Three Lines of Defence. (DSTA) The first line is the management/internal controls. The second line is risk management/safety/compliance functions. The third line is internal audit. IA has to move away from traditional assurance to advisory and advocacy work. However, do remember that the core IA work is still in assurance. Although advisory work is important, the CAE should not take on roles that lead to a conflict of interest. CAEs must remember that they do not endorse business decisions. The 3 lines of defence can be linked to the COBIT framework (IT governance). The COSO framework also supports the 3 lines of defence model in an organization. Some of the attributes required for a successful 3LoDs are strategy, shared values, system, structure, staff and skills. IA could use dashboards and DA to make its work more efficient. Some are proposing a fourth line of defence for the financial industry (external auditor + MAS banking supervision). Internal Auditors must always fall back on the IPPF. KPIs like competency of procurement staff could be introduced.
The Customer Centric Audit: Learn How to Audit What Customers (and Your CEO) Actually Care About. (Proximity Risk and Assurance) How does one go about auditing the customer experience? It is important to do so as it concerns the revenue area of the business. One can start by mapping out the customer journey. Identify the brand touchpoints with the customer and also assess the environment. Poor customer experience could have a negative impact on the business, as with the United Airlines passenger who was thrown off the plane. IA needs to audit the risk of poor delivery. IA can, and indeed should, audit the customer experience. Avoid excessive controls, as they might stifle the customer experience and affect the quality. Customer experience is something that will keep the CEO awake. IA can sometimes even pretend to be a mystery guest/customer to examine the quality of service. As part of documentation, IA can build up a customer journey matrix and add in the relevant departments responsible for the various sub-processes. Next, IA can test the expected journey against the actual feedback received from customers. If it’s the first audit report on this area, it would be advisable not to grade it. Always remember the importance of good customer experience as it is essential for customer retention.
Panel Discussion: Leading to Make a Difference. (Deloitte, Citi, MOHH, Olam) MOHH IA managed to evolve from a mainly compliance function to one that now fully incorporates DA. It has been a painful process but it has really helped to boost efficiency. IA is now moving beyond compliance. IA needs to adopt a pragmatic approach and look through the lens of the business. It is necessary to get the right strategy. The CAE must be able to engage the senior management well and also explain to them what IA is all about and how it can meet their expectations. In order to be able to influence management’s behavior, IA must have in-depth knowledge of the business. IA should be seen as being impartial, but not neutral. As the CAE, it is crucial to state one’s opinion and not sit on the fence. Although it may not be the right opinion, an opinion must be based on facts. To be seen as successful, IA needs to be seen as a growth enabler, and not as slowing down the various processes. One way to achieve this is for IA to get involved in the process design stage and give inputs and recommendations on controls. Olam has many e-learning modules to help the IA team improve their competencies. Citi has a Chief Auditor for Innovation and they use many tools for analytics in their work. It is now very common for IAs to use data analytics to audit, and 100% sampling is now possible. Due to the rigour of MAS’ inspections, banks like Citi need to step up and comply. This forces the IA team to improve their quality. Instead of simply adding controls, auditors can remove controls to get rid of legacy issues which slow down processes. In order to stay relevant, Internal Auditors need to be passionate about their work and always remember their core job is still assurance.