Internal Audit Insights 2018 - High-impact areas of focus - Deloitte
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Deloitte research1 and experience strongly indicates that stakeholders expect Internal Audit to be far more focused on the risks and issues of the future than on those of the past. This means shifting from auditing the past to advising on the future and to focusing on activities that present new and unfamiliar risks. Some of this will require new skills and talent models. Some demand new frameworks and interaction with new stakeholders. Failing to keep pace with the evolving organization and environment, however, puts at risk Internal Audit’s role as a relevant, engaged, and strategic player within the organization. For that reason, our 13 high-impact areas of focus for 2018 identify activities and risks that present opportunities for Internal Audit to make a positive impact. Whether by adopting new methods, such as automating core assurance and taking an Agile approach to internal auditing, or auditing new threats, such as digital risk, a focus on these areas as they relate to your organization will heighten Internal Audit’s impact and influence. Moreover, these areas of focus will satisfy stakeholders who desperately need Internal Audit’s objectivity, skills, and advice as they tackle new challenges. 1 Evolution or irrelevance? Internal Audit at a crossroads, Deloitte’s Global Chief Audit Executive Survey, Deloitte, 2016
Internal Audit Insights 2018 | High-impact areas of focus Table of contents Robotic process automation Third-party risk and cognitive intelligence Auditing digital risk Culture risk Cyber security Operational risk assurance Data privacy Crisis management Internal Audit analytics Auditing agile Automated core assurance Agile internal auditing Cloud migration The year ahead 3
Internal Audit Insights 2018 | High-impact areas of focus Robotic process automation and cognitive intelligence Robotic process automation (RPA) is the use with these technologies. Doing so calls for of software to perform rules-based tasks an understanding of the new risks and in a virtual environment by mimicking user the need for well-designed and properly actions to obtain the same or enhanced implemented controls. It is also necessary results. RPA also often taps multiple to govern the use of these technologies systems. In general, it makes repetitive in areas like integrity, data access, change manual activities more efficient protocols, and security. and effective. Internal Audit plans should address Cognitive intelligence (CI)—a step beyond the effects of RPA and CI on processes, RPA—includes natural language processing management, and the organization. To and generation, artificial intelligence, and provide sound assurance, Internal Audit machine learning. CI can extract concepts should become involved early. Review and relationships from data, “understand” documentation of testing procedures their meaning, and learn from data patterns and any prior testing by sampling test and prior experience. cases documented, results generated, and issues logged. Ascertain that Both RPA and CI are seeing adoption in a framework and process exist to the business and second-line functions, monitor “bots” in testing and production particularly in financial services and other environments and to triage issues. data-intensive industries. In addition to Specifics include issue identification and many benefits, RPA and CI pose operational, resolution, bot change management, third- financial, regulatory, organizational, and party risk management, and supervision technology risk. Fortunately, the associated and compliance. Opportunities also include risks can generally be addressed by advising on risk mitigation, leading practices, extending existing approaches. and automation strategies. Consider: As functions adopt RPA, CI, and Finally, Internal Audit should consider using similar technologies, Internal Audit should RPA to automate repetitive controls testing support them in identifying, assessing, and internal reporting tasks. and monitoring the risks that come along 4 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Auditing digital risk Many companies have established digital methods, whereas digital innovators employ processes, and products. Review the digital delivery teams. Promulgate fit-for-purpose transformation strategies; created siloed more agile and automated techniques. strategy and road map and decide where to digital risk frameworks, methods, and teams to develop apps, websites, and Apps and websites used in customer focus, given the risk themes. Digital poses oversight in the first and second lines. This other digital channels; and embedded acquisition and interactions can raise a the usual cyber risks, plus new strategic, includes providing the appropriate level of first- and second-line teams in these range of identity, privacy, and security reputational, and third-party risks—in a assurance over frameworks for managing efforts. Yet Internal Audit generally lags in risks. Meanwhile, many organizations lack fast-paced environment. Internal Audit external parties in digital initiatives. understanding the technologies, methods, risk frameworks and risk management should aim to understand the tools used to Integration of platforms blurs the boundary and tools of digital initiatives. These include capabilities equal to the complexities and automate processes and controls, and then between organizations and third parties, application-development methods, dev-ops challenges of those risks and those posed assess the integrity of the tools. Track digital so clarify the processes, data flows, and teams (which combine development and by external partners who provide these new project pipelines and get involved in early regulatory implications. Internal Audit operational professionals), and tools that technologies, channels, and services. stages and selected iterations. groups are increasingly using cosourcing, automate controls. Many Internal Audit upskilling, and dedicated teams to develop Consider: In audit planning, use key risk Focus on how related risk functions are groups retain traditional mind-sets and the focus and resources needed in this area. themes to assess risks of digital programs, involved, since they are closer to the 5 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Cyber security In recent years, cyber security Organizations involved in several and drug trials, but overlook those audits have often focused on recent high-profile cyber incidents related to a small nuclear reactor regulatory compliance - areas were likely in compliance with used in radioisotopes (an actual such as data privacy, IT security, applicable cyber regulations. situation). In Internal Audit planning, and business continuity. These Indeed, while most cyber be proactive and cast a wide net. audits have generally ascertained security activities focus on the Look beyond rotational audit compliance with regulations and IT department, corporate email, plans to seek out new initiatives, standards (such as ISO 27000). and the like, the highest risks now Compliance will continue to emanate from business teams using products, markets, contracts, and be high on most companies’ cloud-based systems, working with external parties. Then challenge radar, especially for US-listed external developers, and using management on risk identification, organizations with the Securities applications outside of IT proper. monitoring, and management in and Exchange Commission making Much of this activity escapes the those areas. cyber security a priority in its attention of the CIO, CISO, and Management should instill a culture National Exam Program, and with Internal Audit, and presents serious its recent creation of a Cyber Unit risks. The challenge now is to of awareness of how decisions and within its Enforcement Division. identify a broader range of cyber behaviors magnify or minimize Also, new regulations are being risks before they occur. cyber risk. Encourage the use of developed daily in parallel with war gaming to test the impact of the new AICPA cybersecurity Consider: Internal auditors cyber incidents on operations, risk management examination. accustomed to providing infrastructure, data, finances, Companies should continue compliance-related assurance need reputation, and recovery and to to focus on assurance while new mind-sets and methods. Start gauge responses and resilience— understanding that compliance by thinking broadly. For example, both of which should be with existing regulations hardly in a pharmaceutical company, regularly assessed. guarantees high, or even Internal Audit may audit cyber adequate, cyber risk management. risks related to privacy regulations 6 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Data privacy The EU General Data Protection by enhanced data mapping and transferred and stored, and for what Regulation (GDPR), effective management. Internal Audit can purposes. Help stakeholders to May 25, 2018, affects all EU help the organization to manage identify data repositories, data flows, organizations that collect or process the increased risk posed by the and who uses and who can alter data on individuals, and non-EU new regulations and to realize data. This data mapping positions organizations with EU operations. the potential of an enhanced the organization to respond to The GDPR greatly expands understanding of data that this work information inquires and manage individuals’ ability to determine can create. individual consent. which personal data is collected Consider: Organizations must In Internal Audit planning, take a on them and how it is treated. establish clear accountabilities risk-based approach to addressing For example, individuals will have around data. Apart from appointing requests and requirements and to opt in to allow certain uses of a DPO, this means clarifying who emphasize key systems, as defined their data. The GDPR establishes is responsible for addressing by data volume, importance, and strong penalties for noncompliance, specific requirements, such as data sensitivity. Ensure that a Data and calls for appointment of a requests, breach response, and Privacy Impact Assessment (DPIA) data protection officer (DPO) and data retention. Accountabilities is conducted for any new initiative detailed documentation of roles, and related processes must be involving individual data and pay responsibilities, and processes documented in a framework close attention to hand-offs of data related to the collection, use, and that explains the execution of to any third parties. retention of data on individuals, information requests, retention of including employees and data, and other procedures. Given independent contractors. the mandate to retain data only as While most affected organizations long as it is needed, focus on the have been working to fulfill these data life cycle and on retention and requirements, many are lagging deletion policies. in certain areas. Moreover, GDPR The organization must also presents real opportunities for the document what data is collected organization given the marketing by which systems, where data is and analytical possibilities provided 7 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Internal Audit analytics Analytics is a perennial high-impact Consider: Analytics should be seen Also, consider using RPA and CI (as noted area for several reasons. First, beyond- as integral to all of Internal Audit’s above) to automate repetitive tasks and the-basics analytics is the single most planning, execution, and reporting, accelerate reporting. Set your sights on powerful booster of Internal Audit and should be reflected in methods and “Digital IA,”1 an integrated set of analytical efficiency and effectiveness available. skills accordingly. capabilities geared to using and auditing Second, the continuing digitalization advanced technologies. Rather than setting uninformed and of business generates huge quantities fixed audit objectives, use data in the of data, which analytics can transform audit scoping stage to highlight unusual into valuable information and business patterns, unexpected relationships, and insights. Third, the tools for analyzing and changes in business conditions. visualizing data are now simpler, cheaper, more available, and easier to use than To prove the value of analytics, initiate ever. Finally, stakeholders’ needs for pilot projects in areas where data higher-level assurance, insights, and risk is readily available, success is fairly anticipation have never been greater. certain, and results will drive value (such as reducing fraud, waste, Yet Internal Audit’s adoption of analytics or other policy breaches). has been relatively uneven and slow. Internal Audit is, admittedly, a function Start with a hypothesis and gather that can find changing the status quo relevant data; for example, we expect and adapting to a new way of life difficult. a certain behavior or outcome here; is An often-undiagnosed barrier to progress that supported by the data? Then iterate can be methodology: traditional audit through the data to drive sampling and approaches can choke innovation, generate relevant insights (rather than restrict data gathering, and treat lists of exceptions), and communicate analytics as a bolt-on capability rather using data visualization tools. than an imperative. 1 The untapped power of “Digital IA,” Deloitte, 2017. 8 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Automated core assurance Leaders realize that risks associated with business as usual Technologies to facilitate automated assurance and real- Conversations with stakeholders can identify key risks and need to be managed even as they pursue new initiatives, time reporting include off-the-shelf tools, which hold some controls to monitor. Not everything should be automated, and they are coming to expect ongoing assurance on these benefits, and custom solutions that can deliver automated which raises scoping issues—whether to emphasize, for core activities. Internal Audit groups should be moving to assurance over most critical processes and controls. example, financial or operational risks and controls. provide this continuous comfort—ongoing assurance— Consider: Automated assurance should gear comfort levels Become familiar with the possibilities of automation tools, on those core processes, controls, and activities to to the drivers of value and risks to those drivers. Begin by and locate early and easy wins, typically found around key management and the board. assessing core processes in the first line, their criticality, financial controls and reconciliations. Automated assurance implies real-time reporting that flags and the risks, and then prioritize accordingly. Overall, automation provides ample opportunities for actionable items. Such reporting enables rapid remediation, Technology tools in existing systems provide many easily-achieved cost savings and enhanced assurance with the option of continued monitoring pending further capabilities for automating core assurance, although simultaneously. Automating core assurance also enables notification. At this point, using a sampling approach when the first and second lines rarely fully employ them. So Internal Audit to allocate resources to higher value areas entire populations could be monitored, and reporting promulgate use of these capabilities and the embedding and activities. irrelevant details, is becoming a hallmark of a backward- of them into processes and systems. First- and second-line looking Internal Audit function that cannot keep up with functions are often unaware of these capabilities, which developments or provide assurance efficiently. vendors rarely emphasize. 9 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Cloud migration Using cloud services can significantly alter Consider: Traditional audits of areas such Additional assurance can be gained by an organization’s risk profile, depending on as network configuration, asset protection, evaluating providers’ locations, business the data involved, cloud service and model access control, logging and monitoring, model, customer base, history, and financial type, and strength of user and third-party and vulnerability assessment are still soundness. Ascertain that management controls. The term cloud includes software relevant for the cloud, but can differ. understands which contractual as a service (SaaS), platform as a service Cloud standards and guidelines from the responsibilities are the cloud service (PaaS), and infrastructure as a service SANS Institute, NIST, ISO, and the Cloud provider’s, the organization’s, or shared. (IaaS). SaaS and PaaS provide cloud-based Security Alliance are useful, but each has its software and platforms, while IaaS provides own focus, so you must tailor an approach infrastructure services. Cloud service that fits your organization’s strategy, risk models include private, public, or hybrid profile, cloud use-case(s), and cloud service. models (a mix of on-premise, private cloud, Assess the cloud environment holistically, and public cloud services). and evaluate governance elements and shared responsibilities. The risks for these service types depend mainly on access and data criticality. Given Often-misunderstood areas include the varying levels of user control, security inherited controls, incident response requirements will differ for each service responsibilities, and disaster recovery and model type. The appropriate security capabilities. Consider obtaining cloud controls will also depend on the data and certification and tapping external expertise. processes involved. While cloud services are often positioned Regardless of service type, in a public cloud, as cost savings, ensuring optimum value you are entrusting data to a third party, and calls for choosing services carefully, you can audit controls design and execution monitoring and managing resources tightly, only up to a point, after which you rely on and deactivating unnecessary components that party’s assurance. Whatever assurance promptly—all items to review. is obtained from the cloud provider or through procurement, you have limited visibility into the provider’s environment. 10 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Third-party risk Organizational leaders have long must. Why? Because third parties have An overall EERM framework can be expected assurance around processes become critical to most organizations utilized to surface key areas of risk for vendor screening, selection, while presenting myriad risks. specifically embedded within the contracting, evaluation, payments, and third-party ecosystem. Effective audit Consider: When planning your internal termination. They have also expected programs that assess the health of the audits, start with an assessment of audits geared to identifying potential ecosystem and its components will third-party contracts on the basis cost savings and recovery. help to reduce risk over the sourcing of spend and risk. Large, complex of goods and services most critical to Developments in technology and contracts will generally present more business strategy and operations. automation have introduced more potential exposures and risks than advanced analytics capabilities and real- contracts for goods purchased within time assurance. Beyond this, however, the usual procurement process. leaders want—and need—a more For vendor spend assurance, holistic picture of third-party risks and promote adoption of automated their management. tools for analyzing spend and vendor This calls for Internal Audit to performance, if they are not in place; if understand the organization’s entire they are in place, provide assurance on approach to third-party relationships. As their integrity and effectiveness. Some noted in a 2016 Deloitte global survey2, of these tools can apply RPA to data on the third-party risk universe includes deliveries, service levels, billings, and the third-party ecosystem, third-party other metrics, making real-time third- risk management and governance, and party assurance a reality—and, soon, technology and methods for monitoring an expectation. These tools also free and managing relationships. resources to work on other third-party, or extended enterprise, risks. While cost savings and recovery remain key, excellence in extended enterprise risk management (EERM) is also a 2 The threats are real: Third party governance and risk management, Deloitte global survey, 2016 < https://www2.deloitte.com/content/dam/Deloitte/za/Documents/risk/ZA_Third_Party_ Governance_and_Risk_Management_Survey_RA_Dec16.pdf > 11 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Culture risk An organization’s culture plays a major role in business Consider: Internal Audit should engage in broader Assess how culture differs across locations and ascertain performance and marketplace reputation. Culture can also organizational-level culture risk management efforts— whether the risk management framework can identify and create risk for the organization when there is misalignment providing assurance and advice on culture as appropriate address outlier behavior. between an organization’s values and leaders’ actions that and validating risk management activities. To do this, Work to ensure that the second line of defense has visibility shape culture, employee conduct and behaviors that sustain consider aspects of culture throughout the life cycle of into culture at the first line, and ensure management and culture, or organizational systems that reinforce culture. an internal audit; for example, coordinate with culture the Board understand that culture will always remain a work stakeholders (e.g., human resources, risk, compliance, The spotlight often shines on culture risk issues only after in progress. customer experience, security, technology) to understand an organizational crisis or incident, but a growing number of potential areas of risk to optimize audit coverage, link leaders are shifting to a proactive approach turning culture into cultural and employee engagement assessments into a value enabler and driver of organizational performance. Such internal audit risk assessments, and incorporate culture an approach requires gaining greater data-driven insight into metrics and control aspects into audit programs, including the organization’s culture, better understanding of employee aspects of culture risk in audit reports. engagement and employee behaviors, and looking for external market signals to get ahead of risk issues and drive necessary Internal Audit can also perform assessments of the management actions. organization’s culture risk management activities against leading practices to provide recommendations to As the third line of defense, internal audit plays a vital management and perform additional procedures to assess role in culture risk management—providing assurance culture risk management programs’ effectiveness. A culture and advising on culture as appropriate and validating risk assessment can provide insight into intangible drivers mitigation activities. Auditing culture is not a matter of of risk, controls effectiveness, compliance failures, and reviewing risk-related policies and procedures; it is a matter potential misconduct; it can also direct audit fieldwork and of developing an understanding of people’s approach to analysis to where it most matters. Such an assessment can managing risk as they do their jobs. In a strong culture, there include a range of activities, such as confidential interviews, is clear awareness and alignment of values, organizational focus groups, and data analytics geared to discovering processes, behavioral norms, internal and external where controls are working well, causing frustration, or statements, and reward systems to promote the right failing to deliver intended results. decisions, the right risk management behaviors, the right conduct—and, thus, the right culture. 12 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Operational risk assurance While functions such as cybersecurity and employee health capital, and sustainability. However, field-level audits—of When developing the Internal Audit plan, tie operational audit and safety already provide assurance around operations, productivity, asset performance management, maintenance activities to organizational goals and strategies and to key Internal Audit should conduct deeper assessments of activities, operations technology and systems, regulatory operational risks posed to them. Using an operational risk lens, operational efficiency, effectiveness, and risk management. compliance and safety, and asset integrity—may present identify upcoming capital projects, significant maintenance, more opportunity to add value. and similar initiatives. Look to the organization’s risk Operational audits focus mainly on nonfinancial assets assessment and the Enterprise Risk Management and processes. They aim to determine how performance Consider: Excellence in company-level operational internal system, but also conduct robust conversations with key aligns with management’s expectations, identify areas to be audits should be table stakes. A clear focus on core operations operating executives. investigated, and propose enhancements. Meanwhile, many demands an understanding of field-level operations as well as internal auditors are oriented more toward financial processes company-level operational risks. Start by ascertaining Apply analytics to process data to isolate trends, patterns, and performance. that second-line activities are providing proper assurance anomalies, and root causes, and enhance reports through and, if they are not, help them to do so or provide the needed visualization tools, added insights, and risk anticipation. Even in capital-intensive industries like manufacturing and additional assurance. oil and gas, traditional audits may overlook basic operations. Consider whether external subject matter specialist Internal Audit groups in such industries typically conduct resources may be needed, or whether knowledge can be useful company-level audits around the supply chain, accessed internally through guest auditor or cybersecurity, contract compliance, capital projects, human rotation programs. Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Crisis management Crisis management provides the structure, Consider: An organization needs a crisis leadership, decision-making, and communications management program encompassing governance, to support the organization in managing a crisis processes, and risks. Governance organizes program situation. It encompasses business continuity, ownership and the roles and responsibilities of disaster recovery, cyber incident response, and security, legal, IT, Internal Audit, and other functions. financial market crisis response planning and Processes are needed to address crisis response, execution. Most major organizations have basic decision-making, recovery, communications, and business continuity plans and disaster recovery contingency plans. Risks must be identified to plans in place, particularly for IT, supply chains, enable scenario planning and response capability and facilities. development through training and simulations. Aim to provide assurance and advice in each of Usually Internal Audit will, on a rotational basis, those areas, and to anticipate events and review those plans, provide assurance on related promulgate best practices. compliance, and conduct post-event reviews. However, the focus on continuity management has Consider whether leaders can answer the questions: widened to include any event that could irreparably What are you prepared for? How prepared are you? damage finances, operations, cyber capabilities, Ensure that simulations are regularly conducted reputation, or other essential assets. and used to develop and test overall plans as well as playbooks for specific events. A crisis management plan provides a framework and contingency plans for senior executives should the Go beyond regulatory guidance and checklists need arise. Responsibility for crisis management and audit not just the existence of plans, but their sits with senior leaders, which means that Internal likely effectiveness. Audit is the logical—and perhaps only—source of Also, consider industry-specific issues and evolving assurance and advice. regulations, such as the EU’s GDPR reporting requirements for breaches. Internal Audit may need to upskill or tap external sources to add value in this area, but doing so can save the entire enterprise. 14 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Auditing agile Organizations are increasingly adopting Internal Audit must be aware of Agile Proactive engagement by Internal Audit Agile methods of managing projects and processes and projects in the organization, is key to establishing how Agile can be processes. Companies and functions in and of their potential issues and impacts. managed while maintaining balanced and technology and financial services lead the sustainable levels of control. Consider: Internal auditors should way, but others seeking increased speed, understand Agile methods and clarify efficiency, and innovation are also coming responsibilities, schedules, resources, on board. (These include Internal Audit deliverables, and risks and controls—in functions—see below.) Desired outcomes discussion with Agile team leaders. include faster results, greater focus on A flatter structure may mean greater user needs, more nimble decision-making, variability in the way outcomes are and reduced documentation. achieved, while less documentation may Agile empowers people to make decisions reduce visibility into risks. Controls may and take calculated risks based on more be given short shrift as the pace of work targeted objectives delivered in shorter picks up. Therefore, assurance functions, time frames, but these attributes can including Internal Audit, should assess stress some control environments. A risks and controls during all phases, from fast pace can introduce more frequent ideation to pre-implementation. impacts or errors, but that can be offset by Traditional audit plans may be less useful increased direct business ownership. than early involvement and parallel visibility An intense focus on user needs can into the work. Internal Audit may best overlook other considerations, such as approach Agile by understanding what is security or regulatory concerns, which can to be delivered—what the Agile project or be mitigated by ensuring that standards process aims to achieve, delivery risks, and are known and applied across Agile teams. proposed controls—and by understanding Reduced documentation can make it how it is being delivered, including hard to know what was done, by whom, management of risks and use of controls. when, and why, which calls for changes to governance and controls. 15 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus Agile internal auditing Principles and practices of Agile development are being Learn about Agile from internal practitioners in software applied to audits and projects by forward-thinking or systems development, or enlist external support. Internal Audit groups. Agile methods foster rapid Understand that adopting Agile demands a change of response to emerging issues, closer collaboration with mind-set as well as methods, and not every internal stakeholders, faster delivery cycles, and streamlined auditor can adapt. However, those who do usually find reporting3. Agile also changes the approach that internal that they relish the pace of work, engagement with auditors take to their work. For example, instead of stakeholders, and enhanced effectiveness that result auditing to a periodic schedule, internal audits are from Agile Internal Auditing. conducted when needed, particularly when the need is urgent. Rather than waiting until an internal audit is complete, auditors deliver weekly or even daily updates as findings or issues emerge. Rather than presenting unnecessary details, reports deliver insights on what matters most. Agile has the power to revolutionize Internal Audit by making audits and reviews more relevant, risk-based, and real time. Consider: First, be clear about what Agile is and what it is not. While it is a flexible methodology, simply calling a process Agile (or using terms such as Sprint, Scrum, and Backlog) does not make it so. Agile Internal Audit adapts Agile to Internal Audit needs. It is up to you to decide whether and where Agile might work in your function. Good candidates are areas with a need for more responsive and relevant reporting, high-stakes projects like IT installations or merger integrations, and where Internal Audit groups need to do more with less. 3 Becoming agile: A guide to elevating internal audit’s performance and value, Deloitte, 2017 < https://www2.deloitte.com/content/ dam/Deloitte/us/Documents/finance/us-advisory-agile-internal-audit-part1-introduction-to-elevating-performance.pdf > 16 Back to contents
Internal Audit Insights 2018 | High-impact areas of focus The year ahead Clearly, the year ahead calls for a strong Forward-thinking Internal Audit functions focus on all things digital. Of our 13 seek not only to provide assurance and hot topics, more than half are aligned advice, and to apply digital technologies directly or closely with information to their own work, but also to anticipate technology and capabilities. Most issues and risks associated with Internal Audit groups should prioritize those technologies. They anticipate assurance and advisory work around stakeholders’ potential moves to new uses of these technologies in the technologies, strategies, and business organization and ways of using them models so they can ready themselves to enhance their own work. Just as and the organization for those moves. customers are tending to outpace In this way, they assist stakeholders in organizations in their uses of digital some of the most challenging areas technologies, many stakeholders now they face—new areas where risks are outpace Internal Audit in similar ways. emerging and where new value can be created—thus increasing their impact and influence in visible and valuable ways. 17 Back to contents
Global Internal Audit Leadership Terry Hatherell Kristopher Wentzel Porus Doctor Global Internal Audit Leader Internal Audit Leader, Americas Internal Audit Leader, thatherell@deloitte.ca kwentzel@deloitte.ca APAC +1 416 643 8434 +1 416 643 8796 podoctor@deloitte.com +91 22 6185 5030 Peter Astley Sandy Pundmann Sarah Adams Internal Audit Leader, EMEA US Internal Audit Leader IT Internal Audit pastley@deloitte.co.uk spundmann@deloitte.com Global Leader +44 20 7303 5264 +1 312 486 3790 saradams@deloitte.com +1 713 982 3416 Neil White Internal Audit Analytics Global Leader nwhite@deloitte.com +1 646 436 5822 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about to learn more about our global network of member firms. Deloitte provides audit & assurance, consulting, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500® companies through a globally connected network of member firms in more than 150 countries and territories bringing world-class capabilities, insights, and high-quality service to address clients’ most complex business challenges. To learn more about how Deloitte’s approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. © 2018. For information, contact Deloitte Touche Tohmatsu Limited
You can also read