Value creation versus value preservation: The only way forward
Deon van der Westhuizen
Value creation vs preservation; COSO 4 fraud risk; Planning and dashboard; Consolidation of muni’s; Sources of cash; 2nd line of defense; Legal compliance; Cut and collect; Emerging risks; Demand management; Skills audit; Preventative maintenance
3 LOD or 5 LOD
Control environment
First line of defense
Second line of defense
Third line of defense
Road forward: Shape up or ship out!
Minimum tools in the toolbox
- Lean six sigma
- Root cause expert
- 5 why’s
- Fishbone diagram
- Pareto analysis
- Data mining
- IT auditing skills
- Boardroom presence
Lean Six Sigma is the integration of two powerful business improvement approaches
Lean: Speed + Waste Elimination
- Goal – Reduce waste and increase process speed
- Focus – Implementing waste reduction tools
- Method – Improvement events, Value Stream Mapping
Six Sigma: Quality, Cost
- Goal – Improve performance on items Critical to Customer Quality (CTQs)
- Focus – Use DMAIC with (TQM) tools to eliminate variation
- Method – Management engagement, dedicated team effort
Implicit – Success is dependent upon the value of other variables in the function. Results not readily apparent.
Explicit – Very specific, clear typical quality measures.
Lean Speed Enables Six Sigma Quality (Faster Cycles of Experimentation/learning)
Six Sigma Quality Enables Lean Speed (Fewer Defects Means Less Time Spent on Rework)
Efficiency; Effectiveness
Root Cause Analysis
Sample Pareto Chart: Processing Errors
Example: Fishbone Diagram
Effect: Too many price adjustments at check-out
Diagram labels: Material; Machine; Methods; Discovery of different discount rates occurs too late in process; Computer screens; Billing process not accurate; Updates; Too many “jumps”; Product Shortages; Master customer discount table not up-to-date; Incomplete Training on common complaints; Power Failures; Management Policies; Not enough staffing during peak times; Marketing metrics counterproductive; Unfamiliarity with procedures For vacation notification; Notification of absence; Mother Nature; Measurements; Manpower
Root Cause Analysis: Ask "Why?" 5 Times
Effect: Computer Storage Costs Too High
1. Why? Users keep too many large files as email attachments
2. Why? Users don’t know that this results in an extra charge to the company
3. Why? Email policy not communicated
4. Why? Official email policy not defined
5. Etc.
Effect: ______________
1. Why?
2. Why?
3. Why?
4. Why?
5. Why?
Four legs of the table: Process effectiveness; People; Risk coverage; Value
Level of maturity
- Assurance provider – delivering objective assurance of the effectiveness of governance, risk and internal control system.
- Problem solver – analysis of root causes of findings and making recommendations to correct the findings.
- Insight generator – pro-active role in making recommendations and risk assurance.
- Trusted advisor – providing pro-active advice of strategic importance well beyond the execution of assurance activities.
Process effectiveness - Deliver quality outputs
- Budget over time
- Findings by status
- Audit ratings
- Time from fieldwork to report
- Staff utilization – direct vs. indirect time
- Completed audits per auditor
- Cost effectiveness of IA
- % of audits where tools were provided to the business (dashboard, data analytics)
- % audit findings remediated before final report
- % of audits using data analytics to drive scoping decisions – efficiency
People - Build capability and efficient capacity
- % staff – professional qualifications
- % IT versus non-IT staff
- Staff turnover
- Number of coaching sessions in a year
- Number of staff rotations in and out of the internal audit activity
- Average years of audit experience
- Alignment of talent to enterprise risks / leverage of subject matter experts
- Cost per audit hour
- Aligning scope and audit plan to management expectations
- Promoting quality improvement and innovation
- Time cycle for drafting the annual audit plan
- Number of best practices identified and communicated within an organization
Risk coverage - Align expectations to boardroom presence level
- % audits aligned to critical strategic, operational, financial and compliance risks
- % non-IT vs IT audits completed
- Assurance on risk management process and visual alignment of risks to audit plan and scope
- Level of focus on emerging risks and promotion of fraud awareness and risks
- Use of and reliance on combined assurance and the three lines of defense
- Number of control self assessment (CSA) sessions conducted
- Applying that knowledge to help solve complex client issues
- Development of deep industry knowledge
- Developing and contributing best practices, emerging issues, and industry trends
Value - Improve impact and value, boardroom presence
- % audit coverage within time and budget
- % audits completed utilizing data analytics
- Client satisfaction results
- Business process improvement by IA, including growth initiatives and bottom line
- Level of management requests to assist with issues of strategic importance, raising capital, tax strategies, continuous auditing
- Stakeholder assessment versus expectations
- Training sessions focus on governance, risk and control
- Assessment of tone at the top, ethics and culture
- Percentage of identified risks audited
- Value added audits – benefit versus cost of audit