How data analytics can help with integrated audit?

The Institute of Internal Auditors of Thailand IIA Thailand - Annual Conference 2011 7 September 2011

Agenda
What is data analytics? Data analytics in the context of risk management Applying data analytics to risk management

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

Market Trends & Facts

Data Analytics: Its not something new

1960s-1970s: First attempts at automating the data analysis using mainframe computing
Mainframe computerbased tools supporting Audit sampling (Auditape/STRATA) Timesharing and minicomputer based tools built and regression tools and model libraries introduced

1990s: Analytics evolves with the development of enterprise resource planning (ERP) systems and data warehousing
Risk management and actuarial Analytics modeling tools introduced Fraud, anti-money laundering and FCP support tools

Statistical sampling introduced in audits

1960

1970
Financial modeling tools built

1980
PC-based tools built

1990
Predictive modeling work begun in insurance industry

2000

2010
Major investments in data center infrastructure in U.S., Canada, and Australia

2015

Operations research practice started

Predictive modeling introduced in pricing and supply chain work

1980s: Desktop analytics accelerates through the PC revolution

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

Data is growing exponentially and there is pressure now for companies to make faster and better decisions
Data Trends A recent report by the Economist highlights that data-assets continue to grow exponentially

External and Internal Drivers A recent Kennedy Report indicates that a variety of internal and external industry drivers are pushing our clients to embrace analytics

The Economist. Data, data everywhere. Feb 25th 2010

Top internal and external industry factors contributing to adoption: Internal External 1. External competitive 1. Data proliferation and pressure growth 2. Increased regulatory 2. Increasing sophistication pressure of users 3. Technology advancement 3. Maturation of ERP systems

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

The data already shows that analytics differentiates the top performers from average and lower performers

A recent study from MIT shows that on average the top performing companies use analytics almost three times as much as lower performing companies in everyday operations and decisioning
MIT Sloan Management Review and the IBM Institute for Business Value. Analytics: The New Path to Value How the Smartest Organizations Are Embedding Analytics to Transform Insights Into Action. 2010

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

Kennedy predicts growing competitor investments in Analytics

Industry Sector Trends Kennedy predicts that demand for Analytics particularly will be led by: 1. Financial services 2. Healthcare 3. Retail

Information Management & Analytics Consulting Marketplace 2010-2013: Kennedy Consulting Research & Advisory. 2011 6 IIA Thailand - Annual Conference 2011 2011 Deloitte Touche Tohmatsu Jaiyos

What is Data Analytics?

What is data analytics

A practical definition, however, would be that analytics is the process of obtaining an optimal or realistic decision based on existing data. (Wikipedia) Data analytics is the science of examining raw data with the purpose of drawing conclusion about that information. (Whatis.com) Analytics leverage data in a particular functional process (or application) to enable context-specific insight that is actionable. (Gartner)

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

Analytics Defined
Analytics is using data to generate predictive insights to make smarter decisions that drive strategy and improve performance
Deloitte Analytics refers to the skills, technologies, applications, and practices for continuous iterative exploration and investigation of past business performance to gain insight and drive business strategy

Business analytics is the practice of using data to manage information and performanceand make more effective decisions. It can apply to almost any sticky business issue.
9 IIA Thailand - Annual Conference 2011 2011 Deloitte Touche Tohmatsu Jaiyos

Data analytics in the context of risk management

Opportunity for using data analytics in managing risks

Explosive data growth means more raw materials Innovation in data generation and capture Data supports fact-based decision making Already used extensively in many areas of business Data analytics focusing on risks are primarily used in the areas of credit risk, anti-money laundering and fraud

Data analytics has significant potential to be exploited in the internal audit and risk management space
11 IIA Thailand - Annual Conference 2011 2011 Deloitte Touche Tohmatsu Jaiyos

What will the future hold

Will Board and Management be asking us to back up our gut feel on risk with hard data? Will the C-Suite want to understand the key risk factors and their relative importance in real numbers? Will Management have even greater responsibility to foresee future risks long before they manifest themselves? Will data analytics be a core competency for all risk professionals?

Data analytics is a business tool that will be pervasive in our organizations

12 IIA Thailand - Annual Conference 2011 2011 Deloitte Touche Tohmatsu Jaiyos

What types of questions can analytics answer

Historical Perspective
What Happened?

Current Perspective
Where is the problem? Why is this happening?

Future Perspective
What if these trends continue? What will happen next? Whats the best that can happen?

How many, how often, where?

What actions are needed?

13

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

How can data analytics be applied to risk management

Historical perspective

Error detection and quantification Targeted analytic applications to detect errors (e.g. business unit reviews or internal audits) Risk Dashboard/ Monitoring How are we currently doing? What if our current risk profile? Key Risk Indicators (KRIs) What-if How will this decision affect our risk?

Current perspective

Future perspective

14

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

Applying data analytics to risk management

Deloitte Analytics: Domain Overview

Analytics create value across the enterprise through improvement of applicable business value drivers. Five Deloitte Analytics Business Domains span the areas identified in the Enterprise Value Map and lend themselves to improvements generated by Deloitte Analytics:
Deloitte Analytics Business Domains
Customer
Customer Analytics is the use of analytics to enhance the customer lifecycle, sales and pricing processes, and overall customer experience

Value Drivers = Business Domains

Supply Chain
Supply Chain Analytics is the use of analytics to provide insights across the organizational value chain

Workforce
Workforce Analytics is the use of analytics to enhance and optimize workforce processes and intelligence

Finance
Finance Analytics is the use of analytics to measure, control, and optimize financial management processes
16 IIA Thailand - Annual Conference 2011

Risk
Risk Analytics is the use of analytics to measure, monitor and mitigate enterprise risk

2011 Deloitte Touche Tohmatsu Jaiyos

Deloitte Analytics: Risk Management Domain 1. Continuous Monitoring (CM) 2. Continuous Auditing (CA)

17

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

Deloitte Analytics: Risk Management Domain Continuous Monitoring (CM) is an automated, ongoing process that enables management to: Assess the effectiveness of controls and detect associated risk issues Improve business processes and activities while adhering to ethic & compliance standards Execute more timely quantitative and qualitative risk-related decisions Increase the cost-effectiveness of controls and monitoring through IT solutions.

The value of CM is that it gives management greater visibility into, and more timely information on, business processes designed to achieve strategic and operational goals.
18 IIA Thailand - Annual Conference 2011 2011 Deloitte Touche Tohmatsu Jaiyos

Deloitte Analytics: Risk Management Domain Continuous Auditing (CA) is an automated, ongoing process that enables internal audit to: Collect from processes, transactions and accounts data that supports internal and external auditing activities Achieve more timely, less costly compliance with policies, procedures and regulations Shift from cyclical or episodic reviews with limited focus to continuous, broader, more proactive reviews Evolve from a traditional, static annual audit plan to a more dynamic plan based on CA results Reduce audit costs while increasing effectiveness through IT Solutions The value of CA is that it enables internal audit to move from sampling accounts and transactions to coverage of 100 percent of accounts and transactions.
19 IIA Thailand - Annual Conference 2011 2011 Deloitte Touche Tohmatsu Jaiyos

Barriers to CM & CA Adoption

Perceived impact on the enterprise impacts on costs, headcount, audit plans, workload, quality of audits & stakeholder satisfaction Priority of implementation factors to be considered, such as risk rankings, importance of audit evidence, return on investment and ease of implementation Internal audits readiness to develop and adopt CA depend on business cycle, audit focus & use of automation IT & software considerations Realistic expectations benefits are not achieved overnight

20

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

CM/CA Roadmap

3. Plan the design & implementation 2. Develop a strategy for adoption 1. Develop the business case

4. Build & implement the CM or CA system

5. Monitor performance & progress

21

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

CM/CA Roadmap
1. Develop the Business Case Connect the initiative to the drivers of value, and the risks, in the business Identify benefits and costs, and quantifying them when possible Place CM or CA in the context of the overall GRC effort and clarifying their roles

22

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

CM/CA Roadmap
2. Develop the Business Case Target efforts based upon risk exposure, appetite, and tolerances, enterprise-wide and locally Identify which areas are appropriate to pursue based on projected benefits, costs and ROI Identify how to set thresholds and monitor risks, as well as useful intervals and notification mechanisms Consider required resources and how current resources and priorities may help or hinder adoption

23

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

CM/CA Roadmap
3. Plan the Design & Implementation Determine the scope of the objectives Establish roles and responsibilities Design the CM or CA process & mechanisms Allocate resources and creating a timeline and project plan Set reasonable expectations for performance Align people, processes and IT resources

24

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

CM/CA Roadmap
4. Build & Implement the CM or CA System Begin with relatively straightforward, low-cost, high-return projects Involve IT, business units, and other key stake-holders early on Create a sense of shared ownership of the project and results Test the CM or CA system, particularly for its impacts on the IT system, before actual launch and adoption Follow the plan, but make course corrections as needed Establish workable practical CM or CA Procedures

25

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

CM/CA Roadmap
5. Monitor Performance & Process, and refined as needed Report the results of the effort to management and all other stakeholders Demonstrate the valued added in momentary terms when possible Verify by manual means that the early reading and results are accurate Adjust monitoring or notification mechanisms as needed, given their performance and the quality of the human interface

26

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

Closing thoughts
Data analytics requires innovative thinking about sourcing data and identify sensors Data analytics is as much about asking the right questions as it is about the mathematical contortions going on behind the scenes Data analytics can be applied to more aspects of risk management than just credit risk, AML and Fraud

27

IIA Thailand - Annual Conference 2011

2011 Deloitte Touche Tohmatsu Jaiyos

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/th/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and deep local expertise to help clients succeed wherever they operate. Deloitte's approximately 170,000 professionals are committed to becoming the standard of excellence. This publication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the Deloitte Network) is, by means of this publication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this publication

2011 Deloitte Touche Tohmatsu Jaiyos