The better the question. The better the answer�.The better the world works.

Does a disrupted InternalAudit (IA) function meana stronger strategicpartner?

IA disrupted by design — the journeyhas started

To prepare fortomorrow, youmust disrupttoday.

Page 1

The case for change

What will the IA mandate be?

How will IA work in the future?

► Operating model► Use of technology► Talent of the future

The journey has started — emerging trends

A call to action

1

Page 2

Agenda

23

45

Organizations are managing evolving consumerexpectations, new partnerships, dynamic ecosystems,changing industry boundaries, disruptive business modelsand new competitive domains.

Every industry is changing and the cycles of changeare moving ever faster.

Industry convergence is touching every marketsegment.

From technology and climate, to geopolitics and trade,the outside landscape is changing dramatically.

Operating models are shifting – employees seekpurpose-driven organizations; full time roles are beingreplaced by gig work; nature of work is changing due totechnological advances

1

2

345

Page 3

The case for change

Page 4

So what’s happening?Innovation & disruption

Internet of ThingsRobotics 3D Printing Cloud Cybersecurity

Social Media Big Data Blockchain Artificial Intelligence Mobile

Page 5Page 5

Technological disruption is changing our lives

Page 6Page 6

Technological disruption is changing our business

Page 7Page 7

The work — and how we do it — is changing

88

Trust is more important than ever

Business today moves at a breathtaking pace:according to a recent study, in 1964 theaverage life of a company in the S&P 500 was33 years. That is predicted to drop to 12 yearsby 2027.

Trust is the new currencyto derive value and loyalty.Organizations recognize trust is criticalto sustaining consumer loyalty anddifferentiating their brand in the market.

Employees

Regulators

BoardShareholders

Markets

Customers

VendorsThird

Parties

Trusthttps://www.innosight.com/insight/creative-destruction

A good reputationmay get me to trya product – but

unless I come to trustthe company behind

the product I willsoon stop buying it,

regardless of itsreputation” 63% ofconsumers agree*

*Edelman Trust Barometer (https://www.edelman.com/trust-barometer)

Page 9

The case for changeEmerging technologies and new business models mean new risks and a bigger focus on upside and outside risks

Adopting a risk lens – upside,outside and downsideMoving from avoidance to optimization,for better business outcomes.

To be successful, organizations willneed to shift their focus from simplymitigating risk to embracing newupside opportunities.

Striking this balance requiresembedding risk and control intostrategic decision making within thefront-line businesses and multifacetedapproaches to the portfolio of risk.

Organizations will also develop digitalcapabilities that harness intelligenceand deliver insights across theenterprise.

Upsiderisks

Outsiderisks

Downsiderisks

Risks that offer benefits.Risks significant to theorganization’s ability toexecute its businessstrategy and achieve itsobjectives

Risks that offer negativeor positive benefitsbeyond the organization’scontrol

Risks that offer negativeimpacts. Risks anorganization is focused oneliminating, avoiding,mitigating or transferring ina cost-effective manner

Potential forinnovations to growconsumer bases

Increasingmarket share

Acquiring, managingand deriving valuefrom new assetsand talent

Actions of existingand emergingcompetitors

Geopoliticaland economicmegatrends

Demographic andenvironmentalmegatrends

Information securityand cybercrime(also an outside risk)

Employee fraud,and regulatorycompliance

Enterprise resiliency- technology andbusiness continuity

Page 10

The case for changeIA may not be able to keep up with the pace of change in the business leaving a risk coverage gap

Cha

nge

read

ines

s an

d co

mpe

tenc

ies

tom

anag

e ne

w w

orld

Today2000s Next 10 years

Ris

k ga

p

Internal audit Businessmanagement

Page 11

In the future, IA willbe viewed as an air trafficcontrol tower. Technology willenable real-time risk monitoringand timely reporting of high-riskfindings to instill trust, supportconfident decision making andultimately contribute toincreased business value.This operating model will alsoenable a higher degree offlexible sourcing.

The case for changeVision for the future of IA to maintain trust in the transformative age

Page 12

The three lines of defense

* Encompasses financial and non-financial risks

Activities generaterevenue or reduce

expenses

Identify, measure,monitor, control andreport all aggregaterisks consistent with

risk appetite statement

Third lineIndependent risk

assurers

Second lineIndependent risk monitors

First lineRisk takers and enablers

Provide technologyservices

Oversee risk-takingand enabling

activities of thefront-line units

Design risk governanceframework

Provide a view beyondcontrol adequacy tobroader, subjective

matters

Accountable forassessing andmanaging risks

Oversee risk profile;review and approvepolicies and limits,including breaches

and exceptions

Riskdomains*

Provide operationalsupport or servicing

Maintaininternal audituniverse and

plan

Stakeholders

Board ofdirectors

Prudentialregulators

Shareholders

Assess the riskgovernanceframework

Report to the auditcommittee on the

audit plan and results

Page 13

Driving insights & adding value

Third lineIndependent risk

assurers

Second lineIndependent risk monitors

First lineRisk takers and enablers

Risk domains

Stakeholders

Page 14Page 14

What will the IAmandate be?

Page 15

What will the IA mandate be?The IA mandate does not need to change but it will evolve

$

IA will be highly connected, proactive and forwardlooking in setting its priorities in response tomarket disruptions

IA will extend beyond its traditional assuranceprovider-role and become a strategic andvalued advisor

Assurance will broaden to: challenging the entirerisk framework and accounting for upside andoutside in addition to downside risks

Page 16

What will the IA mandate be?The mandate does not need to change but there will be a better balancing of focus

Business counselor► Focus on strategic topics and actively engaged in strategic

discussions and problem solving► Anticipating the future/industry trends and the impact on the

business► Fostering change and best practice development

and sharingAnalytics and robotics:► Prescriptive and trendsStrategic and Innovative view

Change agent► Focus on trends on why things fail systematically and audit against

“unknown” rules► Deep dive in root-cause/and internal best practices for

recommendations► Initiating changeAnalytics and robotics:► Descriptive and internal/external data drivenCurrent and change view

Anticipative monitor► Focus on future topics (e.g., missing controls, policies and

procedures)► Future impact of recommendations► Anticipating how the business model is changingAnalytics and robotics:► Predictive and real timeStrategic view

Assurance factory► Focus on non-negotiable assurance and base level of trust and

current/past topics► Current impact of recommendations► Raising awareness on current/past topicsAnalytics and robotics:► Descriptive and internal data drivenCurrent view

Proactive

Reactive

PartnerPolicing

Page 17

How will IA work inthe future?

Page 17

Page 18

How will IA work in the future?Have an agile and dynamic operating model enabled by technology and a flexible workforce

Operatingmodel

Technology

Talent

Be agile and dynamic

Apply more judgment

Provide dynamic outputs

Predict control failures andrisk triggers

Report results digitally

Digitally augment itscapabilities

Build and participate in riskcommunitiesImplement a balanced workforceDeploy resources with the right skill sets

Page 19

How will IA work in the future?The operating model will be flexible, proactive and insightful

An agile and flexibleapproach that is in tunewith the organization’sstrategic direction andpriorities and addressesthe changing businesslandscape.

No longer focused on look-back activities; IAprofessionals will apply more judgment in their work andfocus their attention on emerging risks and outcomes,not the existence of processes and controls.

IA will employ a variety ofdynamic outputs, on amore real-time basis, andgo beyond root causeanalysis to provide bestpractices, sector trendsand relevant benchmarksto meet the needs ofstakeholders.

Flexible Insightful

Proactive

Page 20

How will IA work in the future?Technology will augment capabilities and enable continuous controls monitoring

IA functions will digitallyaugment their capabilitieswith advanced dataanalytics, bots andmachine learning tohandle the volume,speed and complexity ofdata.

The adoption ofcontinuous monitoring andvalidation by the first andsecond lines will shift thefocus from detecting topredicting control failuresand risk triggers.

IA functions will digitally report their results (e.g.,dashboards, text alerts) in real time, providingbusiness insights and strategic advice.

Report

Augment Monitoring

Page 21

How will IA work in the future?A flexible, collaborative talent model with more analytical, innovative skills

Effective IA functions willfacilitate ecosystemsharing and centralizedrisk mitigation.

The IA workforce willconsist of a balanceamong full-timeemployees, third-partyservice providers,machines and contingentresources.

Creative problem solving, innovative mindset andsocial intelligence will become more valuable thantechnical knowledge.

Ecosystem

Knowledge

Balanced

Page 22

How will IA work in the future?A dynamic approach is pivotal — operating model, use of technology and talent infuse

Digitallyconfident,dynamic

and trustedfunction

Rob

otic

sPr

oces

sAu

tom

atio

n

Dig

ital

Wor

kers

Page 23 25 October 2019 Presentation title

The journey hasstarted

Page 23

Page 24

The journey has startedWhat some IA functions are doing as they kick-start their transformation

Audit Needs Assessment

Develop IA Plan

Execute IA Plan

Communicate Results

Identify and assess risks beyond today’s scope byleveraging predictive, historical and external data1Be flexible and agile around internal audit planningand responses based on changing assurance andreporting needs

2

Use automation to deliver large volumes of transactionaland compliance internal audit areas, enhancing riskcoverage and improving efficiency5

Deliver through advanced data analytics andvisualization enabling efficient resourcing of audit/riskresources

3

Digitize IA evidence and fieldwork in an integrated,digital platform to drive more insight around themes andtrends

4Re-think ‘traditional’ reporting content and format tocommunicate messages in new ways6Automate internal audit reporting leveraging digitizedIA evidence and fieldwork7

Page 25

The journey has startedHow is ‘automation’ emerging across the current IA lifecycle?

Planning andassessment

Execution anddocumentation

Reporting and communication Follow-up

Internal Risk Assessment:► Process mining tools

► Bespoke analytics (descriptive,customized)

► Foundational analytics(descriptive, standardized)

► Advanced analyticsExternal Risk Assessment:► Geographical risk factors

(external risk map)

► External analytics (e.g., digitalmedia, other sources)

Stakeholder needs:► Virtual collaboration

► Intelligent meeting record

► Audit management

Descriptive analytics:► Risk and control review via

process mining tools► Data driven audit execution via

bespoke analytics (customized)or foundational analytics(standardized)

Predictive analytics:► Scenario modeling via advanced

analytics techniques► Risk impact predictions

Digital auditing:► Enhance methods of auditing

based on risk culture► Control and testing automation

through Robotics ProcessAutomation (RPA)

► Virtual assistant to supportInternal Audit knowledgemanagement and providestatistics (e.g., chat/voice bot)

► Process automation for recurringfollow-up activities (email-reminder, status tracking)

► Intelligent meeting record

► Continuous benchmarking andInternal Audit functioncomparison

► Continuous auditing (e.g.,weekly, monthly) via bespokemonitoring dashboards

► Predictive risk alert (safety-netintegration)

► IA dashboard reporting

► IA video reporting

► Report intelligence

► Digital boardroom

Continuous assessment Cont. audit needs assessment • White spot analysis (robotics and text mining) • Cont. monitoring (descr. Analytics)

Page 26

How does automation impact the ability to cover risk?

Financial Compliance Operational Strategic

Manual effort Automation

Financial Compliance Operational Strategic

Risk coverage today

Risk coverageof the future

Page 27

RPAThe big picture

The long-term vision is to combine RPA with powerful analytics and cognitive technologies to form IA applications that will either directly assist people in theperformance of non-routine tasks or even automate those tasks entirely.

Desktop automation

Robotic processautomation

Intelligent or cognitiveautomation (IA or CA)

► The age of macros and workarounds► Pre-existing basic technologies, such as Visual

Basic for Application (VBA), auto hot keys, screen-scrapping

► Several toolkits, no systematic platform

► Strategic platform fortactical change

► Broad application (use cases are not function-specific)

► Rule-based automation of routines (able to followinstructions)

► No intelligence(binary decisions only)

► Strategic platform forstrategic change

► Narrow application (use cases require thoughtfulconsideration)

► Non-routine tasks requiring judgment (cognitivecapabilities, dynamic rules, artificial learning)

► Used to increase value rather than to reduce cost

Implementation speed and solution maturity

Valu

e an

d ca

pabi

lity

Structured data as basis forrepeatable actions Unattended service-based process

Cognitive computing utilizing unstructured data tomake decisions

Act

Perform

ThinkChallengetoday

Challengetomorrow

Page 28

Advanced Analytics

Value

Anal

ytic

s m

atur

ity

Descriptive AnalyticsMining past data to report, visualize, and better understand WHAT has alreadyhappened; after the fact or in real-time

Predictive AnalyticsLeverages past data to understand the relationships between data inputs and outputs tounderstand WHY something happened or to predict WHAT will happen in the future

Prescriptive AnalyticsDetermines WHICH decision or action will produce the most effective result against aspecific set of objectives and constraints.

Questions drivinganalysis

Techniques used

What is the bestoutcome?

What will happennext?

What if those trendscontinue?

Why is this happening?

What actions are needed?

Where exactly is the problem?

How many, how often,where?

What happened? Standard Reports

Ad hoc Reports

Queries/Drill Downs

Alerts

Statistical Analysis

Forecasting/extrapolation

Predictive Modeling

Optimization

Traditional Reporting and AnalysisStandard and ad-hoc reports report out past performance; drill-downs and alerts provideadditional information to specific questions

Page 29

How will IA deliver through analytics in the future?

Mobilize analyticsteam to develop

DA charterRisk Assessment Audit Planning Audit Execution Audit Reporting Monitoring

Key

activ

ity

Feedback Loop

► Identify risk assessmentpriorities

► Determine scope of audit planactivities

► Preliminary “scan” of relevantaudit information to drive projectscope, sampling and fieldworkprocedures

► Identify anomalies, trends andpotential fraud indicators

► Replace sample testingapproaches with full-coveragedata analytics

► Provide quantifiable, fact-based information for reportableissues and exceptions

► Visualization of audit findings

► Provide an automated basis forcontinuous auditing & controlsmonitoring.

► Provide analytical input for follow-up Risk Assessment.

Risk Ranking

Value at Risk Analysis

Regional benchmarking

Key Risk Indicators

Controls MonitoringRed Flags / Observations

Risk / Action MonitoringRisk Quantification

Report Visualizations

Exam

ple

anal

ytic

s

Page 30

The current environment of rising risks, regulatory activity and compliance costs makes this the ideal time to consider the potentialrole of Continuous Control Monitoring (CCM) or Continuous Audit (CA).

CCM / CA provides the business with insights into the effectiveness of controls and integrity of transactions. It also enablesinternal auditors to determine more quickly and accurately where to focus attention and resources.

Proactive Mitigation

Automate manual tasks

Actionable control framework

Effective auditing process

Expand risk coverage

Reduce Costs

Shorten audit cycles

B

E

N

E

F

I

T

S

Why

CCM/CA

Continuous Control Monitoring

T&E spend

P-card spend

Accounts Payable

Accounts Receivable

Journal Entry

Inventory

Fixed Assets

Potential CCM areas

Continuous Control Monitoring/Continuous Audit

Page 31

What is blockchain?

Distributed ledger► Every participant in the network keeps a copy of all the

transactions.► Transactions are secured by encryption to prevent tampering.

Consensus algorithm► No one node or server is responsible for approving transactions

leading to genuinely distributed transaction processing.► Each entry is validated and recorded on all ledgers across the

network.

Smart contracts/programmable ledger► Transactions can be sent with rules attached – small programs

that govern when and how transactions are processed.

Blockchain is adistributedinfrastructuretechnology. It is adecentralized ledger thatkeeps a record of eachtransaction that occursacross a network, whichenables a decentralizedexchange of trusted data– a “shared recordbook.”

Blockchain is software: it is both a database and a network

Page 32

A call to action

Page 32

Page 33

A call to action

Assess the current IA operating model, resource modeland technology footprint to identify opportunities toautomate and innovate and better position the function forthe transformative age.

Start by making real investments in areas of impact andaggressively attack “low-hanging fruit.”

Build a business case and start a process of transformation— technology development and deployment, skillssourcing, branding initiatives — to move toward the futurestate.

Arrival at the future state requires a journey that must start now. No one is out front, so do not look forearly adopters.

Change will require significant education of and communication with all stakeholders.

EY | Assurance | Tax | Transactions | Advisory

About EYEY is a global leader in assurance, tax, transaction andadvisory services. The insights and quality services we deliverhelp build trust and confidence in the capital markets and ineconomies the world over. We develop outstanding leaderswho team to deliver on our promises to all of our stakeholders.In so doing, we play a critical role in building a better workingworld for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one ormore, of the member firms of Ernst & Young Global Limited,each of which is a separate legal entity. Ernst & Young GlobalLimited, a UK company limited by guarantee, does not provideservices to clients. For more information about ourorganization, please visit ey.com.

© 2018 EYGM Limited.All Rights Reserved.

EYG no. 012126-18Gbl

BMC AgencyGA 1008961

ED None.

This material has been prepared for general informational purposes only and is notintended to be relied upon as accounting, tax or other professional advice. Pleaserefer to your advisors for specific advice.

ey.com