PWC - Internal Audit Transformation

Delivering Confidence through Internal Audit Function: a transformational view

By Budi Santoso SE, Ak, MForAccy, PGCS, CA, CFE, CPA (Aust.)
Director Risk Consulting & Financial Crime Territory Leader

BACKGROUND
Budi Santoso is a Director in PwC's Forensic Services and Financial Crime Unit Leader, based in the Jakarta office. Budi has more than 16 years of experience in Indonesia and other South East Asian countries conducting corruption/fraud and money laundering investigations, asset tracing, litigation support, designing, implementing and evaluating anti-fraud programs (both prevention and detection), fraud risk assessment, internal control assessment and improvement, compliance due diligence, US FCPA and UK ABAC reviews, business process reviews, good corporate governance reviews and business intelligence. An experienced trainer, he is also capable of leading internal audit, compliance, and anti-fraud and investigation unit transformation.

RELEVANT EXPERIENCE
• 10 years: worked for the Indonesian Corruption Eradication Commission (KPK), serving as Head of the Commissioner's Office, Head of the Prevention Secretariat, and also as an investigator/examiner.
• 2 years: Senior Manager in the Fraud Investigation and Disputes team at Ernst & Young (EY) Indonesia.
• 2.5 years: Senior Director for Kroll in the Singapore office.
• 3.5 years: Director of Training for the Association of Certified Fraud Examiners (ACFE) Indonesia Chapter.
• 2 years: Board Member, ACFE Singapore Chapter.

EDUCATION AND PROFESSIONAL CERTIFICATION


• Bachelor of Economics in Accounting from Sebelas Maret University (Solo)
• Master of Forensic Accounting from University of Wollongong (Australia)
• Postgraduate Certificate in Corruption Studies, University of Hong Kong (China)
• Governance & anticorruption short course from International Law Institute, Georgetown University (USA)
• Integrity system short course, Malaysia Anti-Corruption Academy (Malaysia)
• Official education at Indonesia Police Academy (Akpol-Semarang)
• Certified Fraud Examiner (CFE)
• Chartered Accountant (CA)
• Certified Practicing Accountant (CPA Aust.)

PwC | Strictly private and confidential

Agenda

1 The Challenges

2 GRC Overview

3 Roles of Internal Audit

4 Digitally fit function; impact of technology innovation

5 Why do we need Internal Audit Transformation?

6 Transforming the Value Proposition of Internal Audit

7 Expected outcome of Internal Audit Transformation

8 Establishing Risk Culture

9 Anti-fraud Management



1 The Challenges


Our 2020 PwC Global CEO Survey revealed a record level of pessimism
More than half of the CEOs we surveyed believe the rate of global GDP growth will decline. This caution has translated into CEOs' low confidence in their own organisation's outlook.

Four key themes emerged from our survey

1. Growth
Uncertainty undermines outlook
2. Technology regulation
Setting up guard rails in cyberspace

3. Upskilling
To upskill or not to upskill is no longer the question

4. Climate change
An opportunity cloaked in crisis



Uncertain economic growth is a top ten threat around the world
Question: How concerned are you, if at all, about each of these potential economic, policy, social, environmental and business threats to your organisation's growth prospects? (showing only 'extremely concerned')

Global: Over-regulation 36%; Trade conflicts 35%; Uncertain economic growth 34%; Cyber threats 33%; Policy uncertainty 33%; Availability of key skills 32%; Geopolitical uncertainty 30%; Speed of technological change 29%; Protectionism 28%; Populism 27%

North America: Cyber threats 50%; Policy uncertainty 42%; Trade conflicts 42%; Over-regulation 38%; Geopolitical uncertainty 33%; Availability of key skills 33%; Uncertain economic growth 32%; Speed of technological change 30%; Protectionism 30%; Changing consumer behaviour 22%

Western Europe: Over-regulation 36%; Trade conflicts 36%; Cyber threats 35%; Geopolitical uncertainty 31%; Availability of key skills 30%; Populism 29%; Policy uncertainty 27%; Protectionism 26%; Uncertain economic growth 26%; Climate change and environmental damage 25%

Asia-Pacific: Trade conflicts 38%; Uncertain economic growth 35%; Availability of key skills 33%; Speed of technological change 31%; Over-regulation 30%; Protectionism 29%; Policy uncertainty 28%; Cyber threats 27%; Geopolitical uncertainty 27%; Climate change and environmental damage 26%

CEE: Over-regulation 38%; Availability of key skills 36%; Policy uncertainty 32%; Uncertain economic growth 30%; Trade conflicts 30%; Speed of technological change 29%; Tax uncertainty (2) 26%; Geopolitical uncertainty 26%; Populism 25%; Increasing tax obligation (1) 25%

Latin America: Populism 59%; Uncertain economic growth 53%; Policy uncertainty 51%; Over-regulation 50%; Exchange rate volatility 45%; Increasing tax obligation (1) 44%; Tax uncertainty (2) 40%; Inadequate basic infrastructure 38%; Social instability 37%; Speed of technological change 37%

Africa: Policy uncertainty 53%; Uncertain economic growth 50%; Geopolitical uncertainty 48%; Social instability 45%; Over-regulation 40%; Exchange rate volatility 40%; Inadequate basic infrastructure 40%; Cyber threats 38%; Tax uncertainty (2) 38%; Protectionism 33%

Middle East: Geopolitical uncertainty 57%; Uncertain economic growth 51%; Speed of technological change 34%; Cyber threats 34%; Policy uncertainty 32%; Over-regulation 30%; Exchange rate volatility 30%; Increasing tax obligation (1) 30%; Changing consumer behaviour 28%; Tax uncertainty (2) 26%

Source: PwC, 23rd Annual Global CEO Survey
(1) 'Increasing tax obligation' was worded as 'increasing tax burden' prior to 2020
(2) 2020 was the first year CEOs were asked about 'tax uncertainty'
Base: Global respondents (2020=1,581)


Four key forces are driving the upskilling imperative

1. Increasing job automation. Chart: percentage of existing jobs at potential risk of automation, by education level (low, medium, high), across three waves (Wave 1, to early 2020s; Wave 2, to late 2020s; Wave 3, to mid-2030s). Source: PwC, Will robots really steal our jobs? An international analysis of the potential long-term impact of automation.

2. Decreasing talent availability. Chart: OECD unemployment rate (% of total labour force), 2005 to 2020. Source: OECD.

3. Decreasing mobility of skilled labour. Question: Is cooperation among governments and businesses leading to greater movement of skilled labour between markets? (showing only 'no'), 2015 vs 2020, for Global, North America, Latin America, Western Europe, Middle East, Africa, Asia-Pacific and CEE. Source: PwC, 23rd Annual Global CEO Survey. Base: Global respondents (2020=1,581; 2015=1,322).

4. Ageing talent. Chart: OECD population ages 65 and above (% of total population), 1960 to 2020. Source: World Bank Group.


Compared to ten years ago, CEOs are more likely to recognise the benefits of investing in climate change initiatives
Question: How strongly do you agree or disagree with the following statements regarding climate change? (showing only 'strongly agree')

Chart: 2010 vs 2020 'strongly agree' shares for three statements, with the 2020 bar higher in each case:
• Our response to climate change initiatives will provide a reputational advantage for my organisation among key stakeholders, including employees
• Climate change initiatives will lead to significant new product and service opportunities for my organisation
• My organisation will benefit from government funds or financial incentives for 'green' investments

Source: PwC, 23rd Annual Global CEO Survey
Base: Global respondents (2020=1,581; 2010=1,198)


The Convergence of Financial Crimes
Fraud, cyber, anti-money laundering (AML) and anti-bribery & corruption (ABAC) are the major components of financial crime, and present organisations with a number of intersecting and overlapping risks that must be mitigated.

• Fraud, money laundering, cybercrime, and bribery & corruption exist on a single continuum of financial crime: one leads to the other, and criminals are increasingly exploiting opportunities across these pillars.
• Accordingly, regulators are increasingly looking at the continuum of financial crimes, and the regulatory expectation is that institutions connect the dots among these areas.
• In many cases, fraud, cyber, AML and ABAC programs have common elements and controls, such as risk assessment, threat intelligence, due diligence, prevention, detection, and response.
• As a result, there are opportunities to reduce risk, improve compliance and reduce cost by converging these programs.
• Institutions' approaches to financial crimes convergence may vary based on culture, risk appetite and the current maturity of existing programs. Although challenging, legacy barriers to convergence can be overcome.

Cybersecurity, anti-fraud and AML programs often have common elements and controls, as well as synergies across people, processes and technology

In February 2016, the Federal Reserve Bank of New York cleared five transactions by Bangladesh Bank in a single day that totalled more than US$100m. The money was moved to accounts in Sri Lanka and the Philippines. But it turned out Bangladesh Bank hadn't initiated those transfers. Cyber criminals had tricked the system with fraudulent payment requests, and authorities didn't respond in time to stop the criminals from cashing out the accounts. The money sent to Sri Lanka was recovered, but most of the US$81m that was sent to the Philippines disappeared into the country's casino industry.

The Bangladesh Bank heist illustrates how attackers exploit weaknesses across the cybersecurity, fraud and anti-money-laundering (AML) operations within financial institutions. These functions are typically organised into distinct silos, which means they have incomplete data, don't communicate well with one another, and repeat tasks and processes.


Top 3 frauds in Financial Services compared with other industries
Source: PwC 2020 Global Economic Crime and Fraud Survey

Fraud hits companies from all angles: the perpetrator could be internal, external, or in many instances there will have been collusion
Source: PwC 2020 Global Economic Crime and Fraud Survey

Understanding the crime risk of the business
Diagram: Eliminate threat; Protect reputation; Manage crisis; Secure value; Remediate.


2 GRC Overview

The three lines


Principles of the three lines model
The six main principles underlying the Three Lines Model:

Principle 1: Governance. Organisational governance requires adequate structures and processes that enable accountability by the governing body to stakeholders, actions by management, and independent assurance.

Principle 2: Governing body roles. The role of the group of people with the authority to govern an organisation (the governing body) is to ensure that adequate structures and processes are in place for effective governance.

Principle 3: Management and first and second line roles. Management's responsibility for achieving organisational objectives comprises first and second line roles. First line roles are directly aligned with delivering products and services to the organisation's customers (clients), including support functions. Second line roles provide assistance with managing risk.

Principle 4: Third line roles. Internal audit provides independent and objective assurance on the adequacy and effectiveness of governance and risk management. This is achieved through the competent application of systematic and structured processes, expertise and insight.

Principle 5: Third line independence. Internal audit's independence from management responsibilities is crucial to its objectivity, authority and credibility.

Principle 6: Creating and protecting value. All roles working together collectively contribute to creating and protecting value when they are aligned with each other and with the prioritised interests of stakeholders.


IRM integrates risk management across the three lines of defence
Each line has its own roles and responsibilities relating to risk management and control. Using technology for IRM helps eliminate duplicated effort and improves efficiency in testing, monitoring and oversight.

1st line accountability (management, internal control):
• Facilitates the 1st line in obtaining information from, and providing information to, the 2nd and 3rd line accountabilities
• Executes "embedded" controls
• Automates controls / continuous improvement

2nd line accountability (ERM, information security, compliance):
• Manages risks and controls
• Manages and tests controls
• Manages policies
• Performs risk assessments
• Automates compliance management, policy management and other processes
• Drives risk maturity across the enterprise

3rd line accountability (external audit, internal audit, regulators):
• Improves the results of testing/assessment of audit coverage over the 1st and 2nd lines
• Performs end-to-end audits, including planning, budgets/timesheets, scoping, testing, fieldwork and audit reporting

All three lines are underpinned by GRC technology.


An integrated, structured risk management perspective: what good looks like
Diagram: current state vs future state.
Source: Excerpt from OCEG's Making the Business Case for GRC illustration, sponsored by SAP


PwC's Framework on ERM has adopted the best frameworks of risk management (ISO 31000 and COSO ERM)...
PwC's Enterprise Risk Management spans three layers: Business Strategy, Business Management and Business Platform.


…that could be adopted to implement an anti-fraud strategy and program
Fraud Risk Management Principles

1. The organisation establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

2. The organisation performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

3. The organisation selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

4. The organisation establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

5. The organisation selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning, and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.


The Framework can help in exploring and managing risk at all altitudes of the organisation

The Framework highlights that risks emanate and must be managed at all levels of the organisation. It explores how risks can manifest at multiple levels within an organisation, with some risks directly impacting the entity strategy while others impact business objectives.

The Framework also addresses how risks can change in severity and prioritisation at different levels of the organisation, and how the impacts of correlation and diversification are considered when analysing the risk profile or portfolio view of risk.

Diagram: Entity strategy, broken down into entity-level business objectives (1, 2), then business objectives (1, 2, 3), then individual risks (1 to 4).


Integrated risk management can help the company formulate an optimal strategy
Potential benefits of strategically focused integrated risk management include:

1. A standardised risk assessment methodology and criteria produce consistent application across the whole organisation to support strategy discussions.
2. A better understanding of the risk management capabilities, resources and processes currently in place to support achievement of the company's strategic objectives.
3. A forward-looking risk profile aligned with the company's strategic goals and objectives.
4. Better understanding and articulation of uncertainty and business strategy, to reduce "surprises" and increase confidence in achieving the company's objectives.
5. Giving the management team an understanding of the opportunities available to the company in business decisions.

Diagram: strategy execution improves as a result of integrated risk management capability. Integrated risk management plays an important role in strategy execution; objectives and initiatives are developed to support strategy and corporate accountability; risks are identified, measured and managed in order to achieve those objectives and initiatives.
IRM that supports business process transformation
"...This is a transformation, not a system implementation..."

Current state: each function (Risk, Audit, Compliance, CSA, BCM, Third Party) runs its own cycle of identification, assessment, evaluation/analysis, action, monitoring and reporting. Perform many - use once.

Future state: one shared cycle (identification, assessment, evaluation/analysis, action, monitoring, reporting) used by Risk, Audit, Compliance, CSA, BCM and Third Party alike. Perform once - use many.


Key risk indicators (KRI): identify, inventory and classify existing data

Value metrics: financial and non-financial measures that demonstrate value creation for the investment community.

Corporate scorecard: gives management insight into progress against objectives and the actions that need to be taken to execute the strategy.

KRI types:
• Leading indicators (proactive): key risk indicators that identify systemic problems or causal factors linked to the strategy; they are tactical and predictive and can be collected at any time. Measures: causal measure, occurrence measure.
• Escalation triggers (reactive): facilitate intervention before a risk emerges beyond acceptable tolerance; they are reported after a predefined trigger is breached. Measures: control effectiveness measure, volume measure.
• Lagging indicators: past performance used as the benchmark for performance outcomes (fact-based).

All of these are built on the underlying transactions and data.


A risk map focuses the organisation on the risk management agenda

Inherent risk - Control health = Residual risk

The map is built per risk across the columns Risk, Threat scenario, Threat vector, Attack surface and Controls, with controls mapped to the Identify, Protect, Detect, Respond and Recover functions. Example row: risk = theft of employee credentials and personal data; threat scenario = phishing; threat vector = email; controls = education and awareness (primary), secure email gateway (secondary).

Inherent risk (impact x likelihood) - Control strength = Residual risk

• Impact for a risk is determined along the following dimensions: financial, reputational, legal, operational.
• Likelihood of a risk is the weighted average likelihood of the several threat scenarios mapped to the risk.
• Control strength can be obtained through various mechanisms, such as control testing, metrics, open issues, capability maturity, and others.

By identifying the impact and likelihood of the risks it faces, the organisation can more easily determine the controls it needs. The resulting control strategy then yields a better and more measurable risk map than before (residual risk). Example risks on the map: data breach, data manipulation, unplanned outage.
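The residual-risk calculation above, worked through in code. This is an added example, not part of the PwC deck: the 1..5 impact and likelihood scales, the "worst dimension drives impact" rule, the per-open-issue discount on a control, the combination of layered controls as independent mitigations, the reading of "minus control strength" as a proportional reduction of inherent risk, and the low/medium/high band thresholds are all assumptions chosen for illustration. The sample risk is the slide's phishing example with constructed scores.

```python
"""Residual-risk scoring for a risk map (added example; all scales are assumptions)."""
from dataclasses import dataclass
from math import prod

IMPACT_DIMENSIONS = ("financial", "reputational", "legal", "operational")
SCALE_MAX = 5.0  # impact and likelihood are scored 1..5 (assumed scale)


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    likelihood: float  # 1..5
    weight: float      # relative weight of this scenario within the risk


@dataclass(frozen=True)
class Control:
    name: str
    tier: str             # "primary" or "secondary"
    effectiveness: float  # 0..1, e.g. from control testing or capability maturity
    open_issues: int = 0  # unresolved findings recorded against the control


@dataclass(frozen=True)
class Risk:
    name: str
    impact: dict    # dimension -> 1..5
    scenarios: tuple
    controls: tuple


def impact_score(risk: Risk) -> float:
    """Impact is driven by the worst-scoring dimension (assumed aggregation rule)."""
    missing = set(IMPACT_DIMENSIONS) - set(risk.impact)
    if missing:
        raise ValueError(f"impact not scored for {sorted(missing)}")
    return max(risk.impact[d] for d in IMPACT_DIMENSIONS)


def likelihood_score(risk: Risk) -> float:
    """Weighted average likelihood across the threat scenarios mapped to the risk."""
    total_weight = sum(s.weight for s in risk.scenarios)
    if total_weight <= 0:
        raise ValueError("risk needs at least one weighted threat scenario")
    return sum(s.likelihood * s.weight for s in risk.scenarios) / total_weight


def inherent_risk(risk: Risk) -> float:
    """Inherent risk = impact x likelihood, on a 1..25 scale."""
    return impact_score(risk) * likelihood_score(risk)


def control_strength(risk: Risk, issue_penalty: float = 0.1) -> float:
    """Combined strength (0..1) of the layered controls.

    Each control's effectiveness is discounted per open issue; the layers are then
    combined as independent mitigations: 1 - product of the remaining gaps (assumed model).
    """
    gaps = []
    for c in risk.controls:
        eff = max(0.0, c.effectiveness - issue_penalty * c.open_issues)
        gaps.append(1.0 - min(1.0, eff))
    return 1.0 - prod(gaps) if gaps else 0.0


def residual_risk(risk: Risk) -> float:
    """Inherent risk less control strength, read as a proportional reduction."""
    return inherent_risk(risk) * (1.0 - control_strength(risk))


def risk_band(score: float) -> str:
    """Place a score on the map (assumed thresholds on the 1..25 scale)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


# Constructed sample: the slide's phishing scenario against employee credentials.
CREDENTIAL_THEFT = Risk(
    name="Theft of employee credentials and personal data",
    impact={"financial": 3, "reputational": 4, "legal": 4, "operational": 2},
    scenarios=(
        ThreatScenario("phishing email", likelihood=4, weight=3),
        ThreatScenario("credential stuffing", likelihood=3, weight=1),
    ),
    controls=(
        Control("security education & awareness", "primary", 0.4),
        Control("secure email gateway", "secondary", 0.6, open_issues=1),
    ),
)

if __name__ == "__main__":
    r = CREDENTIAL_THEFT
    print(f"{r.name}: inherent={inherent_risk(r):.2f} ({risk_band(inherent_risk(r))}), "
          f"control strength={control_strength(r):.2f}, "
          f"residual={residual_risk(r):.2f} ({risk_band(residual_risk(r))})")
```

For the sample, the worst impact dimension is 4 and the weighted likelihood is 3.75, so inherent risk is 15.0 (high). The awareness control contributes 0.4, the gateway 0.6 less 0.1 for its open issue, and combining the two gaps (0.6 x 0.5) leaves 30% of the inherent risk, so the residual is 4.5 (low). The open-issue penalty is what makes "control health" from the slide visible in the number: re-run with the gateway finding closed and the residual drops further.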


Value and benefits of integrated risk management

Cost control
• Value proposition: less time spent on data aggregation and IRM process reporting; reduced duplication of control testing activity; better automation.
• Example: establishing a standard business unit (BU) risk assessment methodology that integrates several assessments (SOX, business continuity, vendor management, new products), creating enterprise-wide risk reporting with a practical view for meeting regulatory requirements.

Process improvement / efficiency
• Value proposition: fewer manual processes thanks to data aggregation, assessment capability, automatically generated findings, remediation efforts and automated workflow; greater flexibility that lets staff focus on issues and on answering business questions rather than on administrative tasks and burden.
• Example: the business would otherwise be assessed several times by the groups handling internal risk, compliance and control. The result is higher-quality input and more time spent on revenue-generating activities.

Better coordination, focus and coverage
• Value proposition: increased coordination and real-time exchange of data and information between the Compliance, Internal Audit and Risk Management functions and business operations; ability to target/focus effort on the areas of most critical risk.
• Example: health metrics from individual businesses become the output of a coordinated effort that provides a single agreed view and an improved ability to focus resources where risk and control issues exist.

Better regulatory response
• Value proposition: better response to regulatory expectations from the broader analytics underlying risk assessment, regulatory change management, monitoring, audit and reporting activities; less difficulty in preparing for regulatory requests.
• Example: the risk impact of a new regulation (for example, identity theft rules) is evaluated better by reviewing the output of existing BU assessments and feeding it into the next risk review.

Improved visibility into risk/control effectiveness
• Value proposition: senior management gains visibility into real-time information on emerging critical risks and compliance issues/concerns in order to make the right decisions.
• Example: implementing risk reporting that integrates data across all key control groups associated with critical risks gives management a consolidated view of risk.


The growing need for digital risk management during the pandemic
More than 85% of CISOs indicated that data-driven risk management is one of their top 3 investments during the COVID-19 pandemic (1)

More than 50% of organisations are currently not confident that their cyber spending is:
• allocated to the organisation's most significant risks (1)
• connected to the overall company or business unit budget strategically, aligned with risk, and data-driven (1)
• focused on remediation, risk mitigation and/or response techniques that yield a return on cyber spend (1)
• inclusive of oversight of the effectiveness of the cyber programme (1)
• integrated with decisions on capital needs when a severe cyber event occurs (1)
• equipped with up-to-date controls for emerging technologies (such as AI, IoT, blockchain, robotic process automation, virtual/augmented reality) (1)

Benefits of digital risk management:
• Efficiency through increased focus on cyber and IT risk within the enterprise risk profile
• Preservation of profit and market value
• Increased awareness among those accountable, up to the board and regulators
• Increased confidence and reputation with stakeholders
• Clear accountability and roles across risk ownership and risk oversight
• Added value: cyber risk knowledge that supports decision-making
• Operational challenges can be handled credibly by leaders other than the CIO

(1) PwC, Global Digital Trust Insights 2021, Cybersecurity comes of age


How is technology used in integrated risk management (IRM)?
IRM is a coordinated effort to ensure communication and collaboration among stakeholders in the organisation's risk management and control.

Compliance: the ability to manage compliance at lower cost through efficient processes that can be run repeatedly and sustainably. Functions: process and control documentation, control management, control effectiveness assessment, disclosure and certification, loss & incident management.

Risk Management: the ability to proactively identify, measure, prioritise and manage the risks to corporate strategy and business objectives. Functions: process and risk documentation, risk assessment, risk analysis, risk monitoring, aggregation, ERM dashboard.

Corporate Governance: the ability to define and communicate corporate strategy and policy targets/objectives, and to evaluate business performance through real-time reporting, scorecards and dashboards. Functions: policy and procedure management, internal audit, board and entity management, reporting.

Governance, Risk & Compliance (GRC) technology enablement consists of a set of integrated risk and compliance solutions that assimilate meaningful information on risks and controls. This helps the company manage risk more proactively and run its compliance efforts and programmes more effectively and efficiently.


Purpose of GRC technology
GRC technology supports and automates risk/compliance processes in a single repository, giving better visibility and consistency across the 1st, 2nd and 3rd lines of defence. GRC has the potential to deliver real added value when it is digitised and implemented across functions.

Our view
• GRC is moving towards a central capability that works closely with the risk management, internal audit, internal control, compliance and quality assurance functions and with the business. GRC must therefore understand the risks of the business and the business environment on the way to a digital future.
• Without a global approach supported by all stakeholders, GRC cannot fulfil its potential. We can help management define a global, targeted, valuable and measurable GRC approach. With our business experience we can advise on change communication and provide support during implementation.
• Over the last few years, implementing ERM based on the COSO framework has been a 'hot topic'. Competitive advantage comes from an integrated approach covering GRC, internal control, internal audit and quality, with the aim of setting up efficient process improvements and synergies.
• New digital tools applied in day-to-day business operations and technological change mean that risk managers must be trained to identify and mitigate new risks. GRC must become more dynamic in spanning multiple areas/functions and connecting them.

Main challenges
01 Improving GRC capability with dynamic risk data and compliance management: consolidation, integration and migration of risk registers.
02 Board and management must understand the relationship between GRC and performance: a holistic understanding of GRC risk, and monitoring of findings and emerging issues from third parties.
03 Clarity on the implementation of standard GRC processes to obtain real added value: a control self-assessment (CSA) process based on test results of business continuity obligations.
04 Developing digitally ready GRC capabilities and platform.

GRC domains on the diagram: risk management and risk register; digital risk (technology, threats and weaknesses); third parties; audit; automation; business continuity; compliance; control self-assessment process.


Benefits of a GRC technology solution

• Data consolidation: upload data from a number of different sources and systems; upload supporting documentation in a structured way.
• Standardisation: replace multiple templates with a single source of truth; align templates and taxonomy across the whole organisation.
• Collaboration: share information and work efficiently across the three lines of defence.
• Automation: drive behaviour and action through automatic notifications and workflows.
• Data analysis: advanced data analysis and visualisation produce meaningful insights, trends and benchmarking; real-time progress dashboards simplify project management.
• Secure access: access management to protect the organisation and ensure information is protected.


Gartner Magic Quadrant (June 2019) for GRC technology

1 Tier 1: the five products most in demand in the market
• ServiceNow
• MetricStream
• Archer
• Open Pages (Financial Services)
• SAI Global / BWise

2 Tier 2: 'transactional' GRC / CCM
• SAP/Oracle/Microsoft
• Satori ACL
• Workday/Salesforce/…

3 Tier 3: risk technology / local
• Protecht
• Riskman
• CGR
• Readinow


3 Roles of Internal Audit

Internal Audit Historical Trends

1990
▪ Driven by policies and procedures adherence
▪ Focus on operational and financial controls
▪ Viewed as the "Corporate Police"

2004
▪ Heavily focused on financial and compliance controls
▪ Overextended budgets to meet increasing internal control needs
▪ Viewed as a necessary evil of doing business in the post Sarbanes-Oxley era

2008
▪ New emphasis on IA skills and experience
▪ Broader risk focus outside of financial, compliance, and operational
▪ Focus on how to accomplish more with less resources, training, and leadership opportunities within the business

2009
▪ Increased support and assistance from the board, C-suite, and executive directors
▪ Laser-like focus on business risks that matter most in context of board-approved risk appetite and tolerances; heightened emphasis on providing independent and objective assurance
▪ Increased opportunity and need to work with other risk management functions

Focus areas along this timeline: Strategic, Operational, Compliance, Financial


Internal Audit Mandate

Strategic Advisor: Audit skills + business knowledge + critical and strategic thinking
Business Insight: Audit skills + business knowledge + critical and strategic thinking
Non-negotiable compliance: Basic audit skills, IT, baseline critical thinking


Internal Auditor vs RCO
Comparison of the IA role with the RCO role

Investigative
• Interviewing
• Post-event checking
• Finding accountabilities
• Suspicious

Consultative
• Discussing
• Pre-event mitigating
• Finding solutions
• Curious
• Anticipative

Source: The Institute of Internal Auditors
Mindset transformation


Staying relevant with business goals and challenges (1/3)
The internal audit function needs to understand the future risks and issues facing the business

Several strategic objectives and risk agenda items are illustrated below:

Areas in the diagram: Strategic growth plans, Products, Competition, Current industry issues, Technology and data, Talent management.

• Effectively managing and delivering the quantum of strategic, business and operational change across the organisation.
• Enhancing systems and IT to eliminate reliance on manual processes, facilitate effective integration and provide a scalable platform for future growth.
• Developing digital capability and presence.
• Managing the regulatory landscape and compliance.
• Improving customer experience and refreshing distribution channels, including branches and stores.

It is important these are appropriately reflected and prioritised as part of the planned Internal Audit activity.


Staying relevant with business goals and challenges (2/3)
This is Internal Audit's moment

The business environment has changed and continues to change, affecting every organisation, in every market, to one degree or another. As the risk landscape expands, and with it the complexity of doing business, challenges and opportunities are being created. It is essential for organisations to be ready to respond, but it's by no means easy. Boards and senior management are being placed under unprecedented pressure to stay on top of current and emerging risks, for which they require increasingly specialised assurance. Internal Audit has emerged as a key means of giving boards the confidence to deal with the demands of a dynamic market place.

Stakeholders expect Internal Audit to 'look deeper and see further', acting as a lever for change supporting an organisation's strategic agenda. The time has come for Internal Audit to be bold, courageous and innovative in order to capitalise on a growing need to provide strategic insight. Understanding this may be a daunting prospect, especially if new skills are required, but it's a challenge worth taking on. The increased comfort gained by the organisation and its wider stakeholder group will likely mean more freedom for Internal Audit to operate in the way it should, and will result in greater value for money.

Relevance
We relish the challenge of supporting businesses facing the biggest change and the greatest complexity. We help identify, prioritise and give assurance over the risks that matter. We help you navigate the opportunities presented by an expanding risk landscape.

Alignment
We tailor our solutions to match our stakeholder needs. We make sure our IA function has the agility and capability to stay in tune with our business strategy.

Confidence
Our stakeholders look to us to act as a trusted partner. Our distinctive skills and experience are strengthened by specialists from the wider firm. We bring technical excellence, industry insight and an objective perspective.

Innovation
Our approach is leading edge and constantly evolving. We have a forward looking approach enabling our organisation to act decisively, move faster and grow sustainably.

Championing the function
The internal audit function should recognise the responsibility to support the value of internal audit as it evolves and transitions to meet the demands of modern business. Internal audit should aim to play a key role in strengthening the profile, credentials and value of Internal Auditors everywhere and, in doing so, help organisations meet the demands of their dynamic marketplace and an expanding risk landscape.

Boards should expect more support and value from Internal Audit. This may include a greater role in supporting the strategic agenda.
Management should expect more agility and insight from Internal Audit. This might include assisting the business in establishing root cause and driving positive change, leveraging its unique insight across the whole organisation.
Heads of Internal Audit should expect greater support and investment in their Internal Audit functions. Heads of Internal Audit should also expect to be consulted on the design and implementation of new initiatives, drawing on business acumen and networks beyond the organisation.
Staying relevant with business goals and challenges (3/3)
One of the roles of Internal Audit is providing assurance.

An effective Assurance Framework (refer to the diagram on the right) will ensure that all assurance activity is aligned to the key risk and control areas, ensuring no duplication of assurance activity and, as importantly, no gaps in assurance. The key is to keep this simple but effective. The diagram links five elements: Governance framework, Risk framework, Controls, Existing assurance providers and Internal audit.

Governance framework
• A good governance framework will ensure that all of these elements fit together: how each is reported, how committees are structured, how information flows and how key decisions are made.
• Setting good governance around your Assurance Framework will be important, for both Management and the Audit Committee.

Risk framework
• An effective risk framework ensures that there is clear understanding, ownership and monitoring of key risks.
• With the demerger, you have recognised there is an opportunity to further enhance your risk processes, to move from risk reporting to a more embedded risk management process that works for The Client.
• We will work with you to review your existing risk processes, advising on ideas for enhancement and simplification, and how these will feed into the Internal Audit plan development.

Controls
• There will be an opportunity to review your existing Internal Control framework (ICF); most importantly to ensure the controls are the right ones, but also to start to consider whether further automation and efficiency is possible.
• Over time, a review of the use of Oracle to further automate control activity will further support this.
• Similarly, a review of the use of data techniques could drive efficiency in the monitoring and testing of the ICF.

Existing assurance providers
• A review of the existing sources of assurance, for example branch audits, will ensure they are focussed on the right area and performed in an effective way.
• Assessing the effectiveness of other assurance providers will consider if other methodologies / approaches could be adopted to develop their delivery.

Internal audit
• Using the outputs of the review of the assurance providers, an Internal Audit plan will be developed which focuses on the areas that need further independent assurance.
• This considers what is the right balance of assurance across all of the 'lines of defence', proportionate to the level of risk.
• It is an opportunity to consider the type of assurance you want through the Internal Audit route, balancing a more traditional 'policeman' approach with more 'consultative' or agile approaches, which we consider in more detail in the following pages.


What does good Internal Audit look like?

The diagram sets out the key features of what we know 'good' Internal Audit looks like, linking the 'Eight Attributes of an Effective Internal Audit function' (inner circle) with the value that Internal Audit brings to an organisation, articulated around the outside:

Red flagging: telling the business something that they should be worried about and should act upon.
Horizon scanning: predicting future areas of risk, concern and non-compliance.
Business focus: ensuring Internal Audit's activities are focussed on areas that are most important to the business.
Insights and benchmarking: telling the business something that they did not already know, and could not find out without Internal Audit involvement.
Business improvement: ensuring that recommendations are practical, deliver value to the business and challenge the status quo.

We have a proven track record of delivering Internal Audit within this Eight Attributes model and strongly believe that this will raise the profile and create a brand for Internal Audit at The Client. For example:
• 'Business Focus' means we will align the Internal Audit effort on what matters to the business and its strategy. This means that as well as addressing risk, our recommendations will be tailored and practical, focussing on supporting the appropriate change in the business.
• 'Cost effectiveness' means that for every audit we will start by challenging the approach to find the most efficient and agile way of delivering work, getting the most out of our specialists, and bringing measurable value to the business.

Key (inner circle):
1 Service culture  2 Technology  3 Business focus  4 Quality and innovation  5 Risk focus  6 Talent model  7 Stakeholder Management  8 Cost effectiveness


What we have learned - Eight key attributes across the five elements

Diagram: the eight attributes (Business alignment, Risk focus, Stakeholder management, Technology, Cost effectiveness, Quality and innovation, Service culture, Talent model) are arranged around Internal Audit, spanning value protection and value creation, and are applied across five elements:
• Strategy
• Structure
• People
• Process
• Technology


Articulating the mission of internal audit is important
A formal mission statement or charter lays out the function’s goals and provides the basis to evaluate internal audit
performance.
An effective mission statement delineates the function’s authority and responsibilities and reflects the priorities of senior management and the audit
committee. Although they vary in length and specificity, mission statements ought to address the degree to which the internal audit function will allocate
resources toward traditional assurance-focused internal control activities vs. consulting activities perceived to add value to lines of business.
A mission statement that does not align clearly and directly with stakeholder expectations is of little value and can be a detriment to achieving strategic
performance.
An illustration of The Internal Audit Continuum™ below depicts how internal audit’s focus and skill sets
may evolve as stakeholder expectations change.



The "to-be" intents should be clarified to shift the mind-set (1/2)
"We need to shift how people value the role of internal audit"

An illustration (from → to):
• Target Heads of Internal Audit → Up-sell to C-Suite and NEDs
• Advise, co-source, outsource → Prioritise outsourcing initiatives
• Focus on compliance → Focus on creating value (across the organisation)
• Act as adversarial policeman → Act as collaborative connector
• Look for individual risks → Help the whole business grow
• Reduce costs → Identify opportunities and risks
• Focus on the past and present → Be future facing

And focus on three objectives:
1. Elevate the status of Internal Audit internally and externally.
2. Increase understanding of the value of our offer internally and externally.
3. Make our offer clear, comprehensive and consistent.


The "to-be" intents should be clarified to shift the mind-set (2/2)
Common principles among Internal Audit functions that serve as 'trusted advisors'. These principles enable an Internal Audit function to be agile, yet deliver with consistent quality and innovation while optimizing cost.

Enhance value through business alignment and risk focus
Our team will understand your organization's fitness goals and develop a program aligned to achieving Internal Audit's optimal level of performance.

Bring the right talent and provide insights
We'll bring technical and practical "coaching" support and insights in the form of both core audit skills and a wide range of specialists, to make sure you can tackle whatever challenges come your way in a dynamic and constantly changing risk environment.

Embrace technology, leveraging data analytics and visualization
We recognize the important role technology now plays in monitoring performance, encouraging us to push boundaries and supporting us to achieve our targets. We bring you the latest thinking and tech innovation to enable you to reach your strategic goals.

Deliver with quality and innovation at an optimized cost
Our methodology is flexible to reach your optimal stride, whether your function performs with high intensity intervals or at a marathon steady pace.

Cultivate a client service culture and stakeholder management
We are continually innovating and pushing our own boundaries. We also focus on knowledge sharing with our clients and use our recovery time to evaluate progress and make necessary adjustments to ensure you achieve optimal results.

Flexible and Future-Fit


Overview of the Roles

As a trusted advisor, it is important to understand your needs and expectations of internal audit.

While internal audit's traditional role includes providing an objective point of view on governance, risk management and control processes (value protection), we also believe it should include consulting and other activities (value enhancement).

To ensure we achieve the right balance we will conduct further interviews with members of your Audit Committee, Board and management to confirm the priorities for the organisation and the areas of focus for internal audit.

Once we have a full understanding of the role you would like internal audit to play, we will formalise this and our responsibilities in the Internal Audit Charter.

Roles, from value enhancement to value protection:
1. Strategic advice
2. Providing insight
3. Improving business performance and identifying areas for simplification
4. Assessing regulation and compliance within the current business processes, systems and controls


Fresh insights through data analytics

Internal Audit functions are increasingly leveraging the efficiencies and insight that data analytics can bring in delivering reviews. Indeed at PwC, all of our Internal Audit staff have been through Tableau and Alteryx training, to deliver data mining and visualisation. We have extensive experience in delivering complex data analytics and embedding them into Internal Audit functions, using all major platforms including Alteryx, Tableau, Power BI, Celonis etc. Whilst we appreciate The Client are relatively early in this journey, we will work with you to ensure we share our experience and insight as well as challenging you as to where data analytics can be applied.

Data readiness
Our first step will be to use our data readiness assessment tool. As not all controls are ready or relevant for a data-enabled approach, each should be assessed against key criteria to determine its readiness for testing. We will help you prioritise where in the Internal Audit plan to focus data techniques using our tool. We will also challenge whether these techniques can be pointed both at traditional areas for data analytics and into broader operational areas.

We can leverage our experience in:
• Continuous auditing and monitoring: long thought of as the nirvana of the data-enabled audit, our tools enable the automation of controls testing and the flagging of exceptions for follow-up by Internal Audit.
• Reporting and insights: using data visualisation tools such as Tableau and Power BI, we are able to provide interactive outputs to enhance the value of our audits and provide real insight through visualisation into the areas of review, using data as the backbone of evidence.
• Working together: ensuring that our Internal Audit data analytics team will work with you to share their expertise and experience to help you embed data assurance activities in relevant audit phases.

Embedding data into your plan
Data enabled auditing can bring great benefits not just to the credibility of your function but it also allows you to do audits faster and smarter. Our team of over 700 data professionals in the UK have experience in embedding analytics into Internal Audit functions. A key differentiator between PwC and other professional service firms is the depth of our team in this space, and our belief that data analytics is applicable across the Internal Audit lifecycle. Whilst we have developed market leading applications that enable effective data acquisition and analysis, we have also developed many techniques and applications to support other areas of the audit lifecycle, including risk assessments, planning and scoping.

Case study
Our client wanted to understand the extent to which their procurement and accounts payable processes were controlled. They wanted us to place particular focus on fraud risk and buying patterns in the procurement team.

We supported our review of the processes and controls with data analytics testing through our 'Halo' tool to identify potential anomalies from a fraud and unusual buying perspective, but also to increase the coverage of our work. For example, we were able to perform 100% sample sizes in relation to PO matching on the basis of our data routines. Any anomalies that were identified were further investigated by the Internal Audit team.

Benefit to the client
Potential fraud patterns and flags were established for ongoing future monitoring. Also, by analysing buying trends in comparison with supplier contracts we were able to make simple recommendations which saved the organisation money. For example, we found that by placing multiple orders over a short period of time with the same supplier, volume based discounts were not being achieved.
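The case study above describes two data routines: matching every purchase order against its invoices rather than a sample, and spotting several orders placed with the same supplier over a short period so that volume discounts were missed (the same full-population idea is cited again in the AI bullet later on this page). The Python below is an added example written for this page, not PwC's 'Halo' tool or any client code. It runs both tests over a small procurement dataset constructed for the example; the 14-day window and the 2,500 discount tier are assumptions standing in for the terms a real review would take from the supplier contract.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# All records below are constructed for this example; they are not the case-study client's data.


@dataclass(frozen=True)
class PurchaseOrder:
    po_id: str
    supplier: str
    ordered: date
    qty: int
    unit_price: float

    @property
    def value(self) -> float:
        return self.qty * self.unit_price


@dataclass(frozen=True)
class Invoice:
    inv_id: str
    supplier: str
    po_id: Optional[str]   # None when the invoice carries no PO reference at all
    qty: int
    unit_price: float


PURCHASE_ORDERS = [
    PurchaseOrder("PO-1", "ACME", date(2024, 3, 1), 40, 25.0),
    PurchaseOrder("PO-2", "ACME", date(2024, 3, 4), 40, 25.0),
    PurchaseOrder("PO-3", "ACME", date(2024, 3, 9), 40, 25.0),
    PurchaseOrder("PO-4", "Beta", date(2024, 3, 2), 10, 80.0),
    PurchaseOrder("PO-5", "Gamma", date(2024, 1, 10), 5, 300.0),
    PurchaseOrder("PO-6", "Gamma", date(2024, 4, 20), 5, 300.0),
]

INVOICES = [
    Invoice("INV-1", "ACME", "PO-1", 40, 25.0),    # clean match
    Invoice("INV-2", "ACME", "PO-1", 40, 25.0),    # the same invoice submitted twice
    Invoice("INV-3", "Beta", "PO-999", 10, 80.0),  # references a PO that does not exist
    Invoice("INV-4", "ACME", "PO-2", 45, 25.0),    # more units billed than were ordered
    Invoice("INV-5", "ACME", "PO-3", 40, 26.0),    # billed above the PO unit price
    Invoice("INV-6", "Beta", "PO-4", 10, 80.0),    # clean match
]


def match_invoices(orders, invoices):
    """Full-population PO matching: test every invoice, return (invoice id, reason) exceptions."""
    by_po = {po.po_id: po for po in orders}
    seen = set()
    exceptions = []
    for inv in invoices:
        # A repeated supplier/PO/quantity/price combination is a duplicate submission.
        fingerprint = (inv.supplier, inv.po_id, inv.qty, inv.unit_price)
        if fingerprint in seen:
            exceptions.append((inv.inv_id, "duplicate invoice"))
            continue
        seen.add(fingerprint)
        po = by_po.get(inv.po_id) if inv.po_id else None
        if po is None:
            exceptions.append((inv.inv_id, "no matching PO"))
        elif po.supplier != inv.supplier:
            exceptions.append((inv.inv_id, "supplier differs from PO"))
        elif inv.qty > po.qty:
            exceptions.append((inv.inv_id, "invoiced quantity exceeds PO"))
        elif inv.unit_price > po.unit_price:
            exceptions.append((inv.inv_id, "unit price exceeds PO price"))
    return exceptions


def clustered_orders(orders, window_days, discount_tier):
    """Group each supplier's POs into runs that start within window_days of the run's first
    order; flag runs of two or more orders whose combined value reaches discount_tier, i.e.
    volume that could have been placed as one discounted order."""
    by_supplier = defaultdict(list)
    for po in orders:
        by_supplier[po.supplier].append(po)
    window = timedelta(days=window_days)
    findings = []
    for supplier, pos in sorted(by_supplier.items()):
        pos.sort(key=lambda p: p.ordered)
        run = [pos[0]]
        for po in pos[1:] + [None]:            # None is a sentinel that closes the last run
            if po is not None and po.ordered - run[0].ordered <= window:
                run.append(po)
                continue
            total = round(sum(p.value for p in run), 2)
            if len(run) > 1 and total >= discount_tier:
                findings.append((supplier, tuple(p.po_id for p in run), total))
            if po is not None:
                run = [po]
    return findings


if __name__ == "__main__":
    for inv_id, reason in match_invoices(PURCHASE_ORDERS, INVOICES):
        print(f"{inv_id}: {reason}")
    for supplier, po_ids, total in clustered_orders(PURCHASE_ORDERS, 14, 2500.0):
        print(f"{supplier}: {len(po_ids)} orders within 14 days worth {total:.2f}: {', '.join(po_ids)}")
```

Both routines are deliberately exhaustive rather than sampled: every invoice and every order is tested, and only the exceptions are handed to the auditor for follow-up, which is the "flag exceptions for follow-up" pattern the continuous-monitoring bullet describes. On real AP data the price comparison would carry a contractual tolerance and the duplicate check would normalise invoice numbers and amounts, but the structure stays the same.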


A pulse check – where are you now?
Let's rate the strategic importance of these attributes and how you're performing against them today.

Attributes of excellence, with the questions to ask about each:

A. Stakeholder Alignment
• What are the expectations of IA's key stakeholders?
• How confident are you that IA is meeting them?

B. Critical Risk Focus
• How well aligned are audits to the organization's most critical risks?
• How appropriate is the mix of audits?

C. Talent Model Alignment
• How adequate are IA's skills for both today and tomorrow?
• How effective is IA as a source of talent for your organization?

D. Quality and Innovation
• How is IA quality measured and assessed?
• What innovation initiatives are underway?

E. Use of Technology
• How extensively is technology leveraged?
• What are the most significant IA challenges related to technology?

F. Relationship Management
• What is IA's approach to managing key stakeholder relationships?

G. Cost-effective Services
• What are IA's primary productivity metrics?
• In what ways have audit processes been analyzed for efficiencies?

H. Client Service Culture
• How are business and 'soft' skills emphasized?
• How consistently are tough issues handled well?

Assessment: for each attribute A to H, mark one of I (Improve), U (Urgent Action), E (Excess) or A (Appropriate).

The assessment plots each attribute by importance (lower to higher) against performance (lower to higher). The relative importance of these attributes and internal audit's performance against them can signify opportunities to improve performance and enhance value and impact.

How do you see your organization addressing your priority areas going forward? Let's probe a little further:

Improve
• Why less important?
• Key stakeholder views?
• Changes needed to bring highest value?
• Opportunities to refocus resources?
• Cost of not taking action?

Excess
• Why less important?
• How is high performance currently being achieved?
• Key stakeholder views?
• Changes needed to bring highest value?
• Opportunities to refocus resources?

Urgent Action
• What's the key issue driving performance concerns?
• Current response?
• Stakeholder expectations?
• Barriers to high performance?
• Cost of not taking action?

Appropriate
• How is high performance currently being achieved?
• Key stakeholder views?
• What could cause current satisfaction levels to drop?
• What percentage of IA resources are focused on this area?
• Benefits of further progress?
Attributes of a "high-performing" Internal Audit function (an illustration)

Align value proposition with stakeholders' expectations
• Mission and vision are clearly articulated and communicated
• Scope of services are well-defined and communicated
• A strategic plan captures future vision and milestones towards the desired future state
• The balanced scorecard includes metrics to measure progress toward the stated mission and vision

Focus on critical risks and issues
• The audit planning risk assessment and resource allocation is based on a top-down, strategic view of business risk
• The audit plan contains sufficient flexibility to respond to emerging risks and business issues
• Enterprise, emerging and fraud risks are captured in the risk assessment
• Internal audit has a clearly-defined role in governance, risk and compliance assurance

Leverage technology effectively
• Audit management systems are used to improve audit effectiveness and efficiency
• Technology is utilized to improve audit process efficiency through data retrieval and testing, data mining and analytics
• Continuous audit techniques are leveraged to increase audit coverage and provide early warning of risk indicators
• Specific steps are taken to capture and share knowledge throughout the internal audit and the business
• GRC tools are leveraged to ensure related activities are efficient and coordinated

Engage and manage stakeholder relationships
• Stakeholders perceive internal audit as operationally excellent, a key business partner and, where appropriate, a provider of strategic support
• Capture expectations, communications strategies and timelines
• Seek feedback regularly and capture on both a one-on-one and survey basis
• Communicate value delivered to stakeholders on a periodic basis

Deliver cost effective services
• The staffing model effectively leverages management, staff, geographic and external resources to efficiently complete audit activities
• Productivity is actively measured and managed to ensure the most cost-effective delivery of services
• Audit processes are standardized and simplified to be cost effective
• Investments in audit infrastructure are based on a disciplined ROI approach

Promote quality improvement and innovation
• Applicable quality standards have been defined and communicated
• Formal quality reviews are regularly completed to ensure improvement opportunities are identified
• Innovation is embedded in the culture of internal audit and is consistently fostered and rewarded

Enable client service culture
• Training plans include elements to improve business acumen, judgment and perspective
• All services provided balance independence, objectivity and value
• Cultural bias toward customer service
• Metrics measure key customer satisfaction based on stakeholder expectations

Match talent model to value proposition
• An appropriate mix of core internal audit and specialist staff exists to complete required activities in the internal audit mission and vision
• A formal career path for internal audit staff has been defined and has the support of senior leadership in the organization
• A continuous learning and development model exists to improve internal audit's knowledge of the business, experience and credentials
• Staff performance is measured against the mission/vision of internal audit
4 Internal Audit digitally fit function: impact of technology innovation

Elevating internal audit's role: The digitally fit function

• Artificial Intelligence for such tasks as full population testing, controls or risk modelling
• Robotic process automation for monitoring or routine tasks such as data retrieval and audit testing


Four considerations to help facilitate your journey toward
emerging technology internal assurance



Robotic Process Automation (RPA): A primer for internal audit professionals
Automating control performance, controls testing and other internal tasks


Being a Smarter Risk Taker through Digital Transformation


5 Why do we need Internal Audit transformation?

Avoiding change is not an option. Why the time to transform internal audit is now


Impact of Technology Innovation on Internal Audit

The current condition of an increasing number of transactions and complex technological interactions is forcing us to rethink how we approach internal assurance, including internal audit, risk management, and compliance.

In order to face these changes, the internal audit function has to become more strategic. By integrating emerging technologies with everyday operations, internal audit functions can be reimagined. However, most internal audit and control functions are not ready for this new reality. The disconnect between the way our world now runs and the ability of internal assurance functions to conduct meaningful internal audits is reaching a crisis point.

Changes occurring due to technology innovation:
1 Regulations
2 Increased transaction volumes
3 Groundbreaking emerging technologies
4 Business Transformation
5 Cybersecurity and privacy


Impact of COVID-19 on Internal Audit

The impact caused by COVID-19 on business is massive as we are forced into adopting a 'new normal'. Due to this 'new normal', expectations on our internal functions have changed as well. The 'new normal' demands adjustments to business processes with technology and data at the centre of it; the data is waiting to be tapped. As a consequence, Internal Audit is uniquely positioned to provide insights across corporate functions because of its access to data.

To accommodate this new condition, transformation of the Internal Audit value proposition is needed. Internal Audit is expected to provide greater risk coverage and enhance its value to stakeholders through a higher ROI.

How to achieve the new IA value proposition:
• Identify soft and hard dollar savings which the business finds valuable
• Develop and deliver assets to the business which drive process efficiencies
• Automate lower value work as much as possible
• Focus on Risk, Compliance, and Controls


Areas of Internal Audit Transformation

The IA Transformation framework is applied to each of the internal audit functional areas based on the current vision and baseline of the organization, and performance excellence is considered throughout.


6 Transforming the value
proposition of internal audit


Identifying the drivers to transform the Internal Audit Function (1/2)

An illustration


Identifying the drivers to transform the Internal Audit Function (2/2)

Common needs and “pain-points”:
✓ Stakeholder demand to improve the value and efficiency delivered by the Internal Audit function
✓ Desire to align with business strategy and raise the profile of Internal Audit with the Board
✓ Struggle to articulate and demonstrate value of Internal Audit spend
✓ Heads of Internal Audit are not always highly regarded and lack ability to perform at Board level
✓ Most IA functions are too focused on financial controls (as opposed to operational controls)
✓ Lack of technical specialists with in-depth subject matter expertise
✓ Lack of commercial awareness
✓ Poor softer skills/inability to communicate with the Board
✓ Resource gaps - vulnerability to turnover and time-lag in filling positions
✓ Inability to innovate and keep up with a rapidly changing environment
✓ Lack of flexibility and agility of in-house functions

Areas where PwC has assisted organisations:
❑ Advising Boards on the most appropriate resourcing model for the client
❑ Providing co-sourcing and outsourcing services to improve flexibility/value for money/access to specialist skills
❑ Improving the quality, productivity, relevance and value of in-house services and deliverables
❑ Benchmarking Internal Audit performance to evaluate the current state of the Internal Audit function against demonstrated best practices
❑ Developing strategic plans and supporting initiatives to transform Internal Audit functions
❑ Conducting stakeholder analyses and establishing communications plans to enhance stakeholder engagement, relationships, and satisfaction
❑ Performing risk assessments and developing audit plans to raise the level of Internal Audit performance
❑ Enhancing Internal Audit methodologies and manuals to improve consistency of audit execution and use of best practices
❑ Advising on and supporting audit technology implementations to enhance the overall efficiency of the Internal Audit function and processes
❑ Developing and delivering training plans to enhance the skills of the audit staff
‘Building confidence in a future-fit business’

Deliver that experience comprehensively to the stakeholder; it cannot live in communications alone. The internal audit team must be able to bring it to life across the organization: how they talk about themselves, the service experience they deliver to the stakeholder, the skills-base and internal culture and approach to work.

Identity: Messaging focused on the changes in Internal Audit: more future facing, more result driven.
Experience: Focused on building a deep understanding of the client: identifying the value they are looking for: continuous insights delivered informally.
Capabilities: Comprehensive range of specialists; team built around business imperatives; focused on delivering insight and foresight; creating a holistic system of risk management; implementing solutions (not just reporting them).
Culture: Collaborative; flexible and imaginative; immersed in the business.


Resourcing model is an alternative to scale the capability

Options and alternatives, from full internal staffing to limited internal staffing:
• Full in-house: Implementation of Internal Audit function using only internal resources
• Limited co-sourcing: In-house resources perform the majority of functions; specialised skills are outsourced
• Significant co-sourcing: CAE is supported fully by outsourced resources; specialised skill & geographic coverage are readily available
• Full outsourcing: Implementation of internal audit function by external provider

How PwC can help: Advisory services; Co-sourcing; Outsourcing


Balancing transformed vs. traditional risk assessment approach

Stakeholder Value Based Approach: “Top-down” approach where coverage is driven by issues that directly impact shareholder value, with clear and explicit linkage to strategic issues of the organisation.
Identify Stakeholder Value Creating Activities → Understanding Enterprise Risks (Strategic, Financial, Operations, Compliance) → Evaluate Impact to Shareholder Value → Audit plan

Traditional Approach: Traditional “bottom-up” approach based on stakeholder interviews and analysis. Focus is on coverage of identified risk areas, geography and business operations.
Define Audit Universe (eg geography, business unit, etc.) → Identify Risks (Financial, Operations, Compliance) → Evaluate Impact of Risks within Audit Universe → Audit plan


Illustration of several inspirations within Internal Audit

Personal and focused:
• Leads with ‘I am’ in the headline and ends with ‘I make a difference’ (attributed to a named Internal Audit manager/partner).
• Tagline ‘Internal audit matters’ used alongside sub-headline ‘Critical to successful businesses.’
• Image is the Internal Audit manager that’s quoted in the headline.


General approach in transforming internal audit function (1/4)

Strategy & Risk
• Strategic Objectives: Understand what the strategic objectives of the organisation are
• Stakeholder Value: Understand what drives/devalues stakeholder value within the organisation
• Strategic Risks: Understand what the strategic risks of the organisation are

People
• Capabilities Assessment: Inventory of existing skills; conduct gap analysis; determine adequacy of resources to respond to all key risks
• Talent Management: Use of internal and external resources; consider implementing a rotational staffing model to attract and retain talent

Process
• Audit Cycle Improvements: Align Internal Audit with organisation’s strategic objectives; reduce audit cycle time by conducting more targeted audits; increase value derived from focus on higher-risk areas; improve communication to stakeholders through concise, impactful reports

Technology
• Optimisation of Technology: Reduce the labor content of audits by increasing the effectiveness of lower-risk audits; provide real time monitoring of significant risks; explore areas where technology can streamline or standardise a process; test entire data populations electronically


General approach in transforming internal audit function (2/4)

A comprehensive approach to enhancing Internal Audit’s value proposition by addressing two strategic dimensions.

1. Realigning audit coverage (Significantly More Value). How?
• By incorporating an accepted model of value creation & performance as a reference point for identifying risk.
• By evaluating risk based on its impact to promote or reduce shareholder value.
• By identifying emerging risk through an industry sector lens & the associated risk & audit impact.
• By creating an audit plan prioritized based on results of a value-oriented risk assessment.

2. Improving processes and leveraging technology (Materially Less Cost). How?
• By focusing audit services on significant risks & controls, & leveraging self-assessment.
• By reassessing the HR model to align skill sets with future audit focus & leveraging offshoring & outsourcing to gain needed skills.
• By streamlining reporting processes; automating reporting & tracking; & using a range of technologies in the audit process for (1) data analysis & storage, (2) risk assessments & monitoring & (3) collaboration.

Reducing inefficiencies & managing costs


General approach in transforming internal audit function (3/4)

Balancing between value maintenance and value enhancement

Figure: Company Strategy / Shareholder Value Drivers / Strategic Risks feed the Internal Audit Strategy (Value Enhancement Focus), which drives the Operating Strategy across Organisation, People, Process and Technology (Improving Inefficiencies & Managing Costs).


General approach in transforming internal audit function (4/4)
Balancing between value maintenance and value enhancement

An illustration

Figure: Internal Audit Value Proposition (Control Assurance → Compliance → Risk Management Assurance) plotted against Risk Management Maturity (Internal Control Processes → Sox Compliant → Informal Risk Management → Functional ERM), showing the Current State of Internal Audit and the Future State of Internal Audit.
• Eg review of month end reports to ensure all key controls are reconciled (control assurance).
• Eg review of large commercial contract for compliance but also to establish if services can be delivered at reduced cost (risk management assurance).

Designing the roadmap in maturity level (Risk Management Maturity vs Internal Audit Maturity)

An illustration


Method of Internal Audit Transformation

Implementation of Data Analytics

By capitalising on the new data-driven information available from business activities and external sources, Internal Audit can apply new techniques by embedding data analytics in the audit process. Internal Audit can therefore provide management with new insights that cannot be captured with traditional methods. The benefits of implementing Data Analytics during the audit process are:

• Increase audit scope: the audit process can now capture 100% of populations, rather than selected samples
• Increased efficiency: manual audit procedures can be reduced
• New analysis method: use of data visualization to analyse trends in the data
• Continuous Monitoring: the monitoring process can be done continuously through data
• Reduce Cost: lower operational cost by maximizing data driven procedures


PwC Transform* Methodology
Transform* is PwC’s methodology to approach and deliver all aspects of transformation and improvement, from strategy to implementation.

Scope and stages of transformation

Stages: Strategy & Strategy Review → Assess → Design → Construct → Implement → Operate & Delivering Change, across the dimensions Strategy, Structure, Process, People and Technology, supported by Programme Delivery and Change Management (Driving Change).

Activities by stage:
• Create “Case for Change”, Initial Target Operating Model and Scope
• Create Transformation Blueprint, Detailed Design and Initiatives
• Build New Ways of Working and Plan Rollout; Quick Wins
• Rollout New Ways of Working and Ensure Benefits are Realised
• Operate New Organisation and Implement Continuous Improvement

About this methodology:
• Helps in creating an integrated road map for the improvement program
• Covers all components of change: strategic/framework, structure, people, processes and technology
• Gives flexibility in performing the assessment and evaluation, design, implementation and continuous improvement


7 Expected outcome of Internal Audit Transformation
What is the outcome of Internal Audit Transformation?

• Flexible operating model: More dynamic teams with leverage models across the 3 lines of defence.
• Higher precision audit: Analyse 100% of populations using neural networks and AI to scope highly focused audits.
• Proactive risk focus audit plan: Embed a continuous Risk Sensing process that uses external and internal sources of data for identification of risk areas.
• Audit spectrum, not audit activities: Diversify the scope and nature of audit activities. Issues based reviews, audit insight workshops and more.
• Behavioral science: Leverage data to identify behavioral trends and root cause.


Expectations of transformed internal audit function

With powerful data and technology in hand, internal audit can understand a greater array of business risks and provide assurance that those risks are managed and mastered. A transformed internal audit function is expected to:

• Identify blind spots, previously humanly impossible
• Provide greater coverage across the organization without increasing audit resources
• Scope and execute audits virtually, with data driven and risk based targeted precision
• Uncover human behavioural patterns through machine learning and regression
• Influence the strengthening of first and second line defences through digital collaboration and continuous monitoring

Internal audit’s stakeholder group has expanded and expectations are heightened. Change is fast and risks are complex and interconnected. As it transforms, Internal Audit can collaborate with first and second line functions in data-driven ways not previously possible. By doing so, it reduces the likelihood of blind spots or significant issues materializing.
The three lines of defence can identify common sources of data and synergize data retrieval and analysis, so that each group is working efficiently and developing insights from a common foundation. Internal audit teams can share tools that can become real-time monitoring capabilities for the first and second line of defence. There are many opportunities. With an eye toward the broader risk capabilities of the organization, internal audit can be a catalyst for bringing a greater level of insight and more effective assurance to the management team.


Internal Audit of the Future


Internal Audit future analytics

Risk Assessment
• Key Activity: Identify risk assessment priorities; determine scope of audit plan activities
• Analytics Area: Risk Ranking; Value at Risk Analysis

Audit Planning
• Key Activity: Preliminary “scan” of relevant audit information to drive project scope, sampling, and fieldwork procedures
• Analytics Area: Regional benchmarking; Key Risk Indicators

Audit Execution
• Key Activity: Identify anomalies, trends, and potential fraud indicators; replace sample testing approaches with full coverage data analytics
• Analytics Area: Red Flags/observations; Robotic Process Automation

Audit Reporting
• Key Activity: Provide quantifiable fact-based information for reportable issues and exceptions; visualizations of audit findings
• Analytics Area: Report Visualizations; Risk Quantification

Monitoring
• Key Activity: Provide an automated basis for continuous auditing & control monitoring; provide analytical input for follow-up Risk Assessment
• Analytics Area: Control Monitoring; Risk/Action Monitoring


8 Establishing risk culture: defining the right leadership and employee behaviors, incentives and rewards
Why is risk culture a hot topic?

Drivers: Scandals/Fines; Financial crisis; Increased Regulatory Scrutiny; Public sentiment

"The repeated nature of these fines demonstrates that financial penalties alone are not sufficient to address the issues raised. Fundamental change is needed to institutional culture, to compensation arrangements and to markets.”
Mark Carney, Governor of the Bank of England, November 2014
Source: BBC Business News (17 November 2014)


Companies are making changes to their risk culture
Company leaders are publicly declaring commitment, implementing changes and communicating progress to stakeholders…

• “We introduced the process of deep, longer-term cultural change and established our new corporate values”
• “I am shredding the bank’s self serving culture by improving ethics…”
• “Adhere to highest standards of honest and ethical conduct…”
• “We are ensuring that our systems, practices, controls, technology and, above all, culture meet the highest standards”
• “We value a culture of dependability, doing the right thing…”
• “We have fostered an inclusive and engaged culture that is open and transparent”

Sources: Publicly available information, including company websites, codes of conduct and annual reports


A sustainable risk culture is one of the vital aspects in realising optimal risk management
We regard the development of a sustainable risk culture as one of the vital aspects of developing optimal digital risk management. In reviewing the risk management framework, we explicitly consider the cultural factor as one of the important aspects of implementing digital risk management at Bank BRI.

• ‘Walk-the-Talk’ at every level
• Messages from the leadership
• Role models
• Technology infrastructure displaying the company’s risk portfolio
• Programmes and steps for developing the Risk Culture
• Clarifying roles and accountabilities across Business and Risk
• The risk function is seen as a strategic business partner
• Consistent practices across all layers/lines of the organisation
• A shared way of thinking about risk ownership
• Awareness, training and capability building related to risk shared evenly
• Early warning signals communicated proactively
• Risks emerging from one area are analysed for their possible impact on the entire risk portfolio
• Embedded in career development, from recruitment to retirement
• Incentives, rewards & compensation aligned with the organisation’s risk profile
Risk and compliance culture is an important element in driving the behaviours of the organisations supporting the effectiveness of GRC (including anti-fraud) programs



How are companies addressing risk culture?
Companies are implementing (risk) culture change using a mix of approaches, each with its own issues.

1. The ‘Top-Down’ Approach
Focuses on driving culture and behavior change:
• Align Vision & Values; confirm assumptions and beliefs
• Diagnose/Baseline current culture
• Define behaviors and embed them through incentives and rewards
• Measure and report progress
Issue: Current Culture + “New Behaviors” = same old culture

2. Focus on Risk Culture
Focuses on driving change from front-to-back:
• Clarify risk appetite and establish risk framework
• Define roles, skills and accountabilities across “lines of defense”
• Communicate risk culture expectations
• Embed into Talent and Performance Management practices
Issue: Alignment, ownership & sustainability

Need for an integrated approach
While “tone at the top” has improved, our recent risk culture survey¹ confirms gaps still exist

¹ PwC risk culture survey completed by over 500 Global Banking leaders. Results published in “Cure for the common culture: how to build a healthy risk culture”, 2014



These gaps were analyzed and grouped into implementation themes

Risk Culture Framework



Establishing effective risk culture requires a global and multidisciplinary approach

Risk Culture:
• Leadership: ‘Walk-the-Talk’ at all levels
• Technology and infrastructure: Portfolio view of enterprise risk; Program and BAU measures
• Governance & Organization: Clarify roles and accountabilities across Business & Risk
• Consistent global operating norms: Consistent practices across all geographies; Common global mindset
• Communications: Risk awareness, education, and escalation
• Talent Management: Embed into hiring, development and incentives

Source: Cure for the common culture: how to build a healthy risk culture, PwC 2014
Call to Action: Inspire the risk culture you desire
To deliver and sustain changes in risk culture, consider some of the following risk culture “leading practices”:

• Visible Consequences: Analyze star performers and take corrective actions where the right business results are delivered with the wrong behaviors. Align/rationalize ethics/culture/behavioral change programs as required.
• Creative Tension: “Business” leaders own risk culture; however, risk management is empowered to override decisions. Rigorous background checks & attitudinal screening.
• Redeploy Talent: Catalyze behavior change through redeployment across “Business” and control functions.
• Rebuild Trust: Openly and honestly communicate risk culture success and failures to internal and external stakeholders.
• Balanced Metrics: Establish repeatable process/tools to diagnose and measure risk culture. Define and track progress against qualitative and quantitative success.
• Self-Regulate: Incent managers to encourage “constructive conflict” and “demand debate” across functions, regions and hierarchies, for key “moments that matter”.


9 Anti-fraud Management
PwC Anti-Fraud Program Framework
Companies seek to minimise their risk of fraud through implementation of anti-fraud programs. The diagram below illustrates components which may form part of such a program.

Anti-Fraud Program Framework (components shown in the diagram, with Governance spanning every layer):
• 1st line of defense
  People: Organizational Design; Staffing Model; Fraud Awareness; Training
  Process: Internal Fraud; External Fraud; Event Response; Trend Analysis; Loss Recovery; Regulatory Reporting; Alert Vetting; Internal/Ext Referrals; Quality Control; Investigation Referrals; Metrics/KPIs
  Technology: Surveillance/Monitoring; Analytics; Rule Definition & Optimisation; Case Management; Authentication; Forensics
• 2nd and 3rd lines of defense: Fraud Risk Assessment; Fraud Policies and Procedures; Fraud Compliance; Fraud Strategy; Independent Audit
• 4th line of defense: External auditor, reviewer and supervisor (including regulatory supervisor(s)/reviewer/auditor)
• Internal and External Data Sources: Employee data, Entitlements, Accessed Data, physical access, email, voice, trading activity, compensation, vendors, procurement; Customer, Account and Transaction Data (Wire, ACH, Check, Card, Trades, Bill Pay), Logics, historical Fraud data, email, voice, online activity, fraud data feeds (NCFTA, black lists)


PwC Anti-Fraud Management Cycle

Prevention:
• Fraud risk governance
• Fraud risk assessment
• Fraud risk framework
• Anti-fraud policy & procedure
• Fraud risk register
• Fraud risk control activities
• Fraud risk awareness training and capacity building
• Fraud risk indicators
• Enforcement measures

Detection:
• Whistle Blowing System
• Independent review
• Internal Audit
• Compliance review
• Reporting system

Investigation:
• Initial investigation
• Fact-finding investigation and analysis
• External investigation

Recovery:
• Loss recovery plan
• Suspension of transactions
• Asset tracing and recovery
• Public disclosure
• Imposition of penalties/disciplinary actions

Remediation & Improvement:
• Monitoring action plan
• Scaling up the learning to organisational level
• Update necessary anti-fraud process and control
• Knowledge management

Performance metrics apply across all stages.


Incorporating the Fraud Diamond in the assessment

Fraud triangle: Opportunity, Pressure, Rationalisation. Fraud diamond: Opportunity, Pressure, Rationalisation, Capability.

When we identify processes, all relevant points of focus (opportunities, incentives/pressures and attitudes/rationalization) will be considered… and expanded by adding the element of capability into the “fraud diamond”.

Typical traits of Capability: Positioning; Intelligence & Creativity; Ego; Stress; Deceit; Coercion.


Fraud Risk Management Program: Why does it “fail”?

1 Failure to capture emerging risks

2 Tick-the-box exercise focus

3 Unclear and inconsistent risk appetite (cost vs benefits)

4 Inadequate information system

5 Ineffective monitoring

6 Silos

7 Unclear consequences if it fails

8 Crisis management

9 Low understanding of fraud risk



Developing an integrated financial crime management is becoming crucial

Stages: Eliminate Threat → Protect Reputation → Manage Crisis → Secure Value → Remediate Threat

Risk areas: Internal; Third Party; Regulatory; Anti-bribery; Asset trading; Cybercrime; Social and political risk mapping and assessments; Anti-trust; Employee misconduct; Sexual harassment; Anti-bribery and corruption; Anti-money laundering; Sanctions

Due diligence: Background checks; Vendor/customer/third-party due diligence; Integrity due diligence; Incident response retainers

Security programmes: Current state assessment and system design; Integrated security programme management; Incident management and emergency response; Strategic security leadership; Security audits; Training and awareness programs

Cyber: Cyber analytics; Cyber fraud risk assessment; Cyber due diligence; Threat intelligence; Cyber incident response; Incident response preparedness; Evidence preservation and retention; Cybercrime investigations

Disputes and forensics: Expert testimony; Quantification of damages and claim preparation; Rebuttal and defense of claims; Privileged consulting; Document management (e-discovery); Risk and investigative analysis; Computer and mobile forensics; E-discovery services

Compliance programmes: Code of conduct development; Whistle-blower policy management; Entity and process-level fraud risk reviews; Fraud awareness training


PwC Fraud Risk – the general taxonomy
Fraud is an intentional misrepresentation of the truth; wrongful or criminal deception intended to result in financial or personal gain.

The following is our general Fraud Taxonomy which is used to classify different types of fraud by perpetrator and vector.

Internal fraud categories: Financial Statement Fraud; Bribery and Corruption; Asset Misappropriation; Market Abuse

External fraud categories: Fraud Committed by Customers; Fraud Committed by Resellers & Agents; Fraud Committed by Vendors & 3rd Parties; Fraud Ring Attacks Against Customer or Company Accounts

Fraud sub-types shown in the taxonomy (in slide order):
• Asset/Revenue Overstatement; Asset/Revenue Understatement
• Illegal Gratuities; Conflicts of Interest – Sales Practices - Internal; Conflicts of Interest - Purchases; Economic Extortion; Bribery
• Cash & Payments; Credit & Margin Transactions; Inventory & Other Assets; Data & Information
• Insider Trading; Unauthorized Trading; Market Manipulation; Anti-Competitive Behavior
• New Account/Digital Identity; Account Takeover & Payment Fraud; Transaction Fraud without Account Takeover; Victim Initiated Transactions; Abuses of Terms & Conditions of Sale; Loyalty & Incentive Program Abuses
• Fraudulent Reseller/Agent; Conflicts of Interest – Sales Practices - External; Revenue Share & Royalty; Bribery & Corruption - Agents; Product & Service Misrepresentation
• Fraudulent Vendors/3rd Parties; Vendor Collusion & Corruption; Vendor Service/Product; Vendor Invoice & Discount; Upstream Supply Chain; Counterfeit Product/Intellectual Property Theft
• Credit/Bust Out; Fraudulent Claims; Returns & Refund
The maturity scale framework in assessing the anti-fraud strategy

For Illustration only

Assessment of the appetite in using analytics in the prevention and detection program of the anti-fraud strategy
The evolution journey of fraud analytics could change how the company will harness new information sources to make more effective and efficient decisions in fraud prevention.
For Illustration only

Increasing business value and increasing sophistication of data & analytics, moving from structured data and operational decisions to unstructured data and strategic decisions:
• Descriptive analytics – What happened? Descriptive analytics are useful for understanding an event in hindsight.
• Diagnostic analytics – Why did it happen? Diagnostic analytics are useful for deriving actionable insights for addressing a specific business issue or historical event.
• Predictive analytics – What will happen? Predictive analytics enable analysts to make predictions about future events based upon analysis of recent and historical patterns.
• Prescriptive analytics – What if something else happened? Prescriptive analytics leverage predictive analytics with actionable data and a feedback system to track the outcomes of business decisions.


Traditional fraud program and risk assessments
• Collection of information is manual in nature
• Relies on few subject matter experts’ knowledge of leading practices for analysis, leading to inefficiencies and inconsistencies
• Difficult to compare across business units and over different time periods
• Lacks peer comparison data that provides insights for fraud program optimization across business enablement, losses, costs and customer experience

Digitally enabled fraud program and risk assessment
• Automate the process with PwC’s Digital Assessment Tool
• Increase efficiency of information collection through standardized questionnaires
• Increase consistency in the assessment of program and controls by leveraging built-in fraud program and control leading practices
• Gain powerful insights by comparing your program maturity and control ratings across business units, over time and with your peers
• Leverage peer comparison data to optimize your program and controls across business enablement, losses, costs and customer experience business drivers


Fraud Strategy Examples
• Irregularities with One-Time Vendors
• Vendors in High Risk Countries
• Invoice does not match goods receipt
• Invoice/claim does not match purchase order
• Insurance Use Cases:
✓ Suspicious claims (claim fraud)
✓ Bogus businesses (sales fraud)
✓ Excessive claims in a geography (provider fraud)
• Banking Use Cases:
✓ Transactions from or to high risk countries
✓ Large outgoing cash shortly after incoming foreign transactions
✓ Suspicious text fields
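As an added illustration (not PwC's tooling and not part of the original deck), the following rule-based checks implement several of the use cases listed above over a full population rather than a sample: one-time vendor reuse, vendors and counterparties in high-risk countries, invoice vs goods receipt and invoice vs purchase order matching, and large cash outflows shortly after an inbound foreign transfer. The record layouts, thresholds, country codes and sample data are constructed assumptions.

```python
"""Rule-based fraud indicators for the procure-to-pay and banking use cases.

Added illustration only: thresholds, the high-risk country list, the record
layouts and the sample data are constructed assumptions so the block runs offline.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

HOME_COUNTRY = "ID"                  # assumed home country of the booking entity
HIGH_RISK_COUNTRIES = {"XX", "YY"}   # placeholder codes, not a real risk rating
MATCH_TOLERANCE = 0.02               # assumed 2% tolerance for matching
CASH_OUT_THRESHOLD = 10_000.0        # assumed materiality threshold for cash out
CASH_OUT_WINDOW_DAYS = 3             # assumed look-back window after a foreign inflow


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    vendor_country: str
    one_time_vendor: bool      # booked against a "one-time vendor" account
    po_amount: float           # value on the purchase order
    gr_amount: float           # value of the goods receipt
    invoice_amount: float


@dataclass(frozen=True)
class BankTxn:
    txn_id: str
    account: str
    when: date
    amount: float              # positive = inbound, negative = outbound
    counterparty_country: str
    is_cash: bool


def _mismatch(actual: float, reference: float) -> bool:
    """True when actual deviates from reference by more than the tolerance."""
    return abs(actual - reference) > MATCH_TOLERANCE * abs(reference)


def invoice_flags(invoices):
    """Procure-to-pay rules, returned as (invoice_id, rule) pairs."""
    flags = []
    one_time_uses = Counter(i.vendor_id for i in invoices if i.one_time_vendor)
    for inv in invoices:
        # A one-time vendor account that is paid repeatedly is an irregularity.
        if inv.one_time_vendor and one_time_uses[inv.vendor_id] > 1:
            flags.append((inv.invoice_id, "one_time_vendor_reused"))
        if inv.vendor_country in HIGH_RISK_COUNTRIES:
            flags.append((inv.invoice_id, "high_risk_country_vendor"))
        if _mismatch(inv.invoice_amount, inv.gr_amount):
            flags.append((inv.invoice_id, "invoice_vs_goods_receipt_mismatch"))
        if _mismatch(inv.invoice_amount, inv.po_amount):
            flags.append((inv.invoice_id, "invoice_vs_po_mismatch"))
    return flags


def banking_flags(txns):
    """Banking rules: high-risk country transfers, and large cash outflows
    within the window after an inbound foreign transfer on the same account."""
    flags = []
    by_account = defaultdict(list)
    for t in txns:
        by_account[t.account].append(t)
    for items in by_account.values():
        items.sort(key=lambda t: t.when)
        for t in items:
            if t.counterparty_country in HIGH_RISK_COUNTRIES:
                flags.append((t.txn_id, "high_risk_country_transfer"))
            if t.is_cash and t.amount <= -CASH_OUT_THRESHOLD:
                recent_foreign_in = any(
                    u.amount > 0
                    and u.counterparty_country != HOME_COUNTRY
                    and 0 <= (t.when - u.when).days <= CASH_OUT_WINDOW_DAYS
                    for u in items
                )
                if recent_foreign_in:
                    flags.append((t.txn_id, "cash_out_after_foreign_inflow"))
    return flags


# Constructed sample data, not real records.
SAMPLE_INVOICES = [
    Invoice("INV-1", "V001", "ID", False, 1000.0, 1000.0, 1000.0),
    Invoice("INV-2", "V900", "XX", True, 500.0, 500.0, 500.0),
    Invoice("INV-3", "V900", "XX", True, 700.0, 650.0, 700.0),
    Invoice("INV-4", "V002", "ID", False, 200.0, 240.0, 240.0),
]
SAMPLE_TXNS = [
    BankTxn("T1", "A1", date(2020, 9, 1), 50000.0, "DE", False),
    BankTxn("T2", "A1", date(2020, 9, 3), -45000.0, "ID", True),
    BankTxn("T3", "A1", date(2020, 9, 20), -12000.0, "ID", True),
    BankTxn("T4", "A1", date(2020, 9, 21), -3000.0, "XX", False),
    BankTxn("T5", "A2", date(2020, 9, 2), 20000.0, "ID", False),
    BankTxn("T6", "A2", date(2020, 9, 3), -15000.0, "ID", True),
]

if __name__ == "__main__":
    for flag in invoice_flags(SAMPLE_INVOICES) + banking_flags(SAMPLE_TXNS):
        print(*flag)
```

Each flag is an indicator for an auditor to follow up, not a finding: the thresholds are tuned per organisation, and a matched invoice can still be fraudulent.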

Effect of Fraud on Companies

Fraud Management Capabilities

• Data Provisioning and Integration:
✓ Feed & Upload operational business events/content for analysis
✓ Flexible modelling of detection objects
• Detection and Alerting:
✓ Rule-based Algorithms
✓ Predictive Methods
✓ Interactive Calibration
• Investigation and Decision:
✓ Intuitive
✓ Comprehensive
✓ Collaborative
✓ Integrated with SAP HANA
GRC System Landscape


“Internal Audit’s value will be measured by its ability to drive positive change and improvement”

“Intellectuals solve problems, geniuses prevent them” (Albert Einstein)

“However, it is not enough to prevent & detect problems, but also to predict them”



Thank you

Budi Santoso SE, Ak, MForAccy, PGCS, CA, CFE, CPA (Aust.)
Director Risk Consulting & Financial Crime Territory Leader
Email: [email protected]
Tel: +62 21 50992901
Mobile: +62 813 9915 4114
WhatsApp: +6590603089
pwc.com

This document has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in the document without
obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this document, and, to the extent permitted by
law, PwC Indonesia, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information
contained in this document or for any decision based on it.
The documents, or information obtained from PwC, must not be made available or copied, in whole or in part, to any other persons/parties without our prior written permission which we may, at our discretion,
grant, withhold or grant subject to conditions (including conditions as to legal responsibility or absence thereof).

©2020 PT PricewaterhouseCoopers Consulting Indonesia. All rights reserved. PwC refers to the Indonesia member firm, and may sometimes refer to the PwC network. Each member firm is a separate legal
entity. Please see www.pwc.com/structure for further details.
