Does a disrupted Internal Audit IA function mean

Does a disrupted Internal Audit (IA) function mean a stronger strategic partner? IA disrupted by design — the journey has started

Agenda 1 The case for change 2 What will the IA mandate be? 3 How will IA work in the future? ► ► ► 4 5 Page 2 Operating model Use of technology Talent of the future The journey has started — emerging trends A call to action

The case for change Investing for the future of your IA function 1 Organizations are managing evolving consumer expectations, new partnerships, dynamic ecosystems, changing industry boundaries, disruptive business models and new competitive domains. 2 Every industry is changing and the cycles of change are moving ever faster. 3 Industry convergence is touching every market segment. 4 5 Page 3 From technology and climate, to geopolitics and trade, the outside landscape is changing dramatically. Operating models are shifting – employees seek purpose-driven organizations; full time roles are being replaced by gig work; nature of work is changing due to technological advances

The case for change Emerging technologies and new business models mean new risks and a bigger focus on upside and outside risks Adopting a risk lens – upside, outside and downside Moving from avoidance to optimization, for better business outcomes. To be successful, organizations will need to shift their focus from simply mitigating risk to embracing new upside opportunities. Striking this balance requires embedding risk and control into strategic decision making within the front-line businesses and multifaceted approaches to the portfolio of risk. Organizations will also develop digital capabilities that harness intelligence and deliver insights across the enterprise. Page 4 Upside risks Outside risks Downside risks Risks that offer benefits. Risks significant to the organization’s ability to execute its business strategy and achieve its objectives Risks that offer negative or positive benefits beyond the organization’s control Risks that offer negative impacts. Risks an organization is focused on eliminating, avoiding, mitigating or transferring in a cost-effective manner Potential for innovations to grow consumer bases Actions of existing and emerging competitors Information security and cybercrime (also an outside risk) Increasing market share Geopolitical and economic megatrends Employee fraud, and regulatory compliance Acquiring, managing and deriving value from new assets and talent Demographic and environmental megatrends Enterprise resiliency - technology and business continuity Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

The case for change Risk gap Change readiness and competencies to manage new world IA may not be able to keep up with the pace of change in the business leaving a risk coverage gap 2000 s Internal audit Page 5 Today Next 10 years Business management Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

The case for change Vision for the future of IA to maintain trust in the transformative age In the future, IA will be viewed as an air traffic control tower. Technology will enable real-time risk monitoring and timely reporting of high-risk findings to instill trust, support confident decision making and ultimately contribute to increased business value. This operating model will also enable a higher degree of flexible sourcing. Page 6 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

What will the IA mandate be? Page 7 November 2020 Presentation title

What will the IA mandate be? The IA mandate does not need to change but it will evolve $ IA will be highly connected, proactive and forward looking in setting its priorities in response to market disruptions IA will extend beyond its traditional assurance provider-role and become a strategic and valued advisor Assurance will broaden to: challenging the entire risk framework and accounting for upside and outside in addition to downside risks Page 8 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

What will the IA mandate be? The mandate does not need to change but there will be a better balancing of focus Proactive Anticipative monitor ► Focus on future topics (e. g. , missing controls, policies and procedures) ► Future impact of recommendations ► Anticipating how the business model is changing Analytics and robotics: ► Predictive and real time Strategic view Business counselor ► Focus on strategic topics and actively engaged in strategic discussions and problem solving ► Anticipating the future/industry trends and the impact on the business ► Fostering change and best practice development and sharing Analytics and robotics: ► Prescriptive and trends Strategic and Innovative view Policing Partner Assurance factory ► Focus on non-negotiable assurance and base level of trust and current/past topics ► Current impact of recommendations ► Raising awareness on current/past topics Analytics and robotics: ► Descriptive and internal data driven Current view Change agent ► Focus on trends on why things fail systematically and audit against “unknown” rules ► Deep dive in root-cause/and internal best practices for recommendations ► Initiating change Analytics and robotics: ► Descriptive and internal/external data driven Current and change view Reactive Page 9 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

How will IA work in the future? Page 10 November 2020 Presentation title

How will IA work in the future? Have an agile and dynamic operating model enabled by technology and a flexible workforce Digitally augment its capabilities Be agile and dynamic Operating model Apply more judgment Predict control failures and risk triggers Technology Provide dynamic outputs Report results digitally Talent Deploy resources with the right skill sets Page 11 Implement a balanced workforce Build and participate in risk communities Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

How will IA work in the future? The operating model will be flexible, proactive and insightful An agile and flexible approach that is in tune with the organization’s strategic direction and priorities and addresses the changing business landscape. Flexible Insightful Proactive IA will employ a variety of dynamic outputs, on a more real-time basis, and go beyond root cause analysis to provide best practices, sector trends and relevant benchmarks to meet the needs of stakeholders. No longer focused on look-back activities; IA professionals will apply more judgment in their work and focus their attention on emerging risks and outcomes, not the existence of processes and controls. Page 12 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

How will IA work in the future? Technology will augment capabilities and enable continuous controls monitoring IA functions will digitally augment their capabilities with advanced data analytics, bots and machine learning to handle the volume, speed and complexity of data. The adoption of continuous monitoring and validation by the first and second lines will shift the focus from detecting to predicting control failures and risk triggers. IA functions will digitally report their results (e. g. , dashboards, text alerts) in real time, providing business insights and strategic advice. Page 13 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

How will IA work in the future? A flexible, collaborative talent model with more analytical, innovative skills The IA workforce will consist of a balance among full-time employees, third-party service providers, machines and contingent resources. Effective IA functions will facilitate ecosystem sharing and centralized risk mitigation. Creative problem solving, innovative mindset and social intelligence will become more valuable than technical knowledge. Page 14 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

How will IA work in the future? A dynamic approach is pivotal — operating model, use of technology and talent infuse it d au Digital Workers Robotics Process Automation Digitally confident, dynamic and trusted function in ha Sc Data ien tist s ckc Blo Pr mi oces nin s g Page 15 Be n an chm d ins se ark igh cto ing ts r rio ena s Sc alysi an Pre d ana ictive lytic s le ib x an e pl Fl Realtime d r a o Dashb Risk g asses smen reportin t AI conn and techn ected ologi es matio Auto ubs h n t en s g in e nt urc o C eso r Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

The journey has started Page 16 November 2020 Presentation title

The journey has started What some IA functions are doing as they kick-start their transformation Audit Needs Assessment 1 2 Identify and assess risks beyond today’s scope by leveraging predictive, historical and external data Be flexible and agile around internal audit planning and responses based on changing assurance and reporting needs Develop IA Plan 3 Deliver through advanced data analytics and visualization enabling efficient resourcing of audit/risk resources Execute IA Plan 4 Digitize IA evidence and fieldwork in an integrated, digital platform to drive more insight around themes and trends 5 Use automation to deliver large volumes of transactional and compliance internal audit areas, enhancing risk coverage and improving efficiency Page 17 Communicate Results 6 7 Re-think ‘traditional’ reporting content and format to communicate messages in new ways Automate internal audit reporting leveraging digitized IA evidence and fieldwork Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

The journey has started What does it look like? • Page 18 Video Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

A call to action Page 19 November 2020 Presentation title

A call to action Arrival at the future state requires a journey that must start now. No one is out front, so do not look for early adopters. Assess the current IA operating model, resource model and technology footprint to identify opportunities to automate and innovate and better position the function for the transformative age. Start by making real investments in areas of impact and aggressively attack “low-hanging fruit. ” Build a business case and start a process of transformation — technology development and deployment, skills sourcing, branding initiatives — to move toward the future state. Change will require significant education of and communication with all stakeholders. Page 20 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

Examples of Digital Enablement Page 21 November 2020 Presentation title

The journey has started How is ‘automation’ emerging across the current IA lifecycle? Planning and assessment Execution and documentation Internal Risk Assessment: Descriptive analytics: ► Risk and control review via process mining tools ► Process mining tools ► Bespoke analytics (descriptive, customized) ► Foundational analytics (descriptive, standardized) ► Advanced analytics External Risk Assessment: ► Geographical risk factors (external risk map) ► External analytics (e. g. , digital media, other sources) Stakeholder needs: ► Virtual collaboration ► Intelligent meeting record ► Audit management Continuous assessment Page 22 ► Data driven audit execution via bespoke analytics (customized) or foundational analytics (standardized) Reporting and communication ► IA dashboard reporting ► IA video reporting ► Report intelligence ► Digital boardroom Predictive analytics: ► Scenario modeling via advanced analytics techniques ► Risk impact predictions Digital auditing: ► Enhance methods of auditing based on risk culture ► Control and testing automation through Robotics Process Automation (RPA) Cont. audit needs assessment • White spot analysis (robotics and text mining) Does a disrupted Internal Audit (IA) function mean a stronger strategic partner? Follow-up ► Virtual assistant to support Internal Audit knowledge management and provide statistics (e. g. , chat/voice bot) ► Process automation for recurring follow-up activities (emailreminder, status tracking) ► Intelligent meeting record ► Continuous benchmarking and Internal Audit function comparison ► Continuous auditing (e. g. , weekly, monthly) via bespoke monitoring dashboards ► Predictive risk alert (safety-net integration) • Cont. monitoring (descr. Analytics)

Technology-enabled risk assessment Example – use of ©Think. Tank Risk assessment meets digital Prepare Interview Analyze Technology-enabled activities ► ► ► Anonymity and instant vote results Simultaneous contributions for deep discussion and analysis Transparent process and outcomes Prioritize and evaluate risks on impact, likelihood, management preparedness and velocity (optional) Virtual collaborative capabilities Benefits of a technology-enabled risk assessment: ► Improved quality and efficiency of the process ► Enables real-time, collaborative sessions across multiple locations Business risk profile ► Reduces end-to-end cycle time Capture the significant risk exposures and perceived level of management preparedness. These parameters assist in determining the approach for business risk coverage. ► Reduces executive time and cost of travel ► Allows all session data to be captured via one-touch reporting Workshop Summary Improve Managed or tested Monitor Optimize Page 23 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

External risk indicators mapped into Risk Assessment Example - Growing Beyond Borders (GBB) quickly profiles markets with a deep fact base and visuals. GBB is an EY data visualization tool that consolidates and visually represents a wide variety of publicly available, EY-owned, and client data on a world map – e. g. , demographics, economics, infrastructure, risk Sample GBB outputs The Footprint view compares a client’s global presence against competing companies GBB facilitates efficient, structured country and city comparisons to help companies in all sectors develop their growth strategy Preloaded into the tool are 1, 000+ indicators across country-, state- and city-levels – allowing for customized data comparisons along highlyrelevant selection criteria Multiple data types can be presented simultaneously and weighted according to the client’s priorities GBB can also integrate client and 3 rd party data for greater customization Page 24 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner? The Heat Map offers a visual method to rank countries across multiple data metrics The Market Attractiveness tool provides a clear picture of countries’ positions across two single criteria or composite axes

Foundational analytics Example – EY Optix Enabled by EY Optix: Core and common processes that are highly conducive to the use of analytics Example core business processes Procurement Inventory ► Routine analytics that are repeatable and scalable to deploy on all IA process audits Accounts Payable Fixed Assets ► Common risk model and control framework across entities Sales HR & Compensation ► ERP independent (common data model) Accounts Receivable Travel & Expense ► Light fraud analytics incorporated into significant process modules FSCP / GL Analytics delivered visualization dashboards: Example business processes: Procure-To-Pay: 50 Inventory: 21 Order-to-Cash: 37 Payroll: 19 EY Optix can be leveraged to enhance audit execution and reporting phases: Page 25 # of analytic tests Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

Advanced Analytics Prescriptive Analytics maturity Questions driving analysis What is the best outcome? What will happen next? What if those trends continue? Optimization Predictive Modeling Forecasting/extrapolation Determines WHICH decision or action will produce the most effective result against a specific set of objectives and constraints. Predictive Analytics Leverages past data to understand the relationships between data inputs and outputs to understand WHY something happened or to predict WHAT will happen in the future Descriptive Analytics Why is this happening? What actions are needed? Where exactly is the problem? How many, how often, where? What happened? Statistical Analysis Mining past data to report, visualize, and better understand WHAT has already happened; after the fact or in real-time Alerts Traditional Reporting and Analysis Standard and ad-hoc reports report out past performance; drill-downs and alerts provide additional information to specific questions Queries/Drill Downs Ad hoc Reports Standard Reports Techniques used Value Page 26 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

Beyond analytics IA’s use of technology has expanded beyond data analytics and governance risk and compliance tools Robotics process automation (RPA): Artificial Intelligence (AI): Other: A software solution that runs unattended, working like a virtual employee with legacy applications performing repetitive tasks reliably at the UI level Software-driven intelligence that mimics human cognition, behavior, and thought processing to replicate more complex tasks that include professional judgment and historical knowledge Complementary technologies, tools and architectures that can be combined with other layers on the spectrum to automate a business process or human experience Sensors Machine learning Comparing data sets Composing and sending emails Internet of Things Deep learning Conversational Agents (chat bots) Computer vision Automation of clicks, data entry Completion of auditable activity logs Unmanned Aerial Systems (Drones) Natural Language Generation Reading, copying, aggregating data Neural Networks Entering data into a system Rules-based processing and decision making Page 27 Natural language Processing Predictive algorithms Does a disrupted Internal Audit (IA) function mean a stronger strategic partner? Macros

RPA Example areas to assess for leveraging RPA Bots provide flexibility and connectivity between applications, increase the effectiveness of applications, and complete routine activities that previously required manual effort, but they do not replace existing computing capabilities, and they do not generally replace entire roles. Start to identify: where are resources…. Preliminary ideas for consideration: ► manually accessing and gathering data from several different applications to complete their activities? ► manually moving data from one system to another? ► manually checking the consistency of data between multiple systems? ► manually updating the same information in multiple systems? ► waiting for alerts/events to initiate their activities? ► manually remediating data across several accounts? Control execution Controls testing Identity/Access management Compliance monitoring Risk data aggregation Page 28 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

Process Mining Science to exploit the value of real data What people think: Slight deviations from the standard process Textbook” process: How the process should be according to the process description. 20% data coverage See less common paths and activities. Ideally suited to detect anomalies and inefficient process variants. Advantages ► ► Page 29 No need to rely on outdated process description No need for biased descriptions and interviews Reduced extent of documentation Identification of previously unknown process weaknesses No activity escapes the eye! You can zoom in detecting long-term or unusual process paths or defects that would otherwise remain hidden. + + ► 100% data coverage 40% data coverage The most common and simplified process variant is visualized first ► The reality: Actual complexity that would be unknown and manageable without process mining. ► ► Increased speed and flexibility across services Optimization, harmonization and standardization of processes Improved process quality and reliability 100% transparency be visualizing all actual processes Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

Technology Enabled Contract Review (TECR) Overview ► TECR uses OCR (optical character recognition) to ingest and analyse contracts ► Searches for patterns and shared components and includes key word classification ► TECR could be used to digitise and search audit evidence such as contract documentation or procedural documentation ► This would enable the automation of documentation review for key terms/words rather than manual review. Benefits ► Centralises contacts into single environment, extracts key info, analyses contracts ► Enables enhanced review and reporting capabilities ► Significantly reduces time taken for document/contract review Page 30 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

Optic reader Automatic extraction and translation of unstructured documents Extracting value from scanned documents Input document (image) Required Data Fields ► Master Agreement version ► Type of transaction ► Effective date Processed document Functionalities and features Core engines 1 2 3 4 ► ► ► Extracted Data Points ► 29 December 2009 ► Rate Swap Transaction ► 11 April 2011 Page 31 ► ► ► Core functionalities Image cleansing Document quality enhancement Optical character recognition Document search Document structure identification Repapering Natural language processing Information retrieval Packaged solution usable through a web-based interface Modular sub-solutions available through APIs leveraging our 4 core engines Image Cleansing Optical Character Recognition Document structure identification Natural language processing Hosted on EY secured environment Allowing for a complete audit trail Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

Digital reporting Digital real time reporting providing business insights and strategic advice Re-think ‘traditional’ reporting content and format to deliver: Automated report delivery based on: ► ‘Communication of results’ based on videos, interactive dashboards, click-through examples etc. ► Digitized audit documentation and internal audit delivery tools, resulting in One Click reporting ► Dashboard reporting which draws upon digitized audit results and evidence to provide a real time view of internal audit findings and results ► Robotics based transcription of content (e. g. , utilizing RPA to transcribe content from work papers or voice enabled technology ► ‘Lasting actions’ based on interactive data base for auditee, allowing easier follow up of management actions by IA Page 32 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

Talent Potential future workforce model Delivery Team & SMRs Innovation & New Technology Team Automation Hub Remote Testing Center Delivery Team & SMRs Risk Monitoring Center Delivery Team & SMRs Data Analytics Hub Delivery Team & SMRs Page 33 Does a disrupted Internal Audit (IA) function mean a stronger strategic partner?

EY | Assurance | Tax | Transactions | Advisory About EY EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities. EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey. com. © 2018 EYGM Limited. All Rights Reserved. EYG no. 012126 -18 Gbl BMC Agency GA 1008961 ED None. This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice. ey. com