IA Academy EP2 Technology Audit & Audit Innovation

Please leave your question in the chat box at the bottom of your screen. We will have Q&A at the end of the session. Now we would like to welcome our known speaker, Khun Richard. Richard?

All right. Sawasdee krub to everyone. Thank you for having me to share with your community on a Saturday afternoon. I'm only able to share what I've learned along my journey and experience with everyone, in the hopes that together as a whole IA community globally, and particularly in the region, we can continue to innovate, can continue to drive the industry standards to higher heights. So as much as I'm sharing with you guys, I also hope to hear, and for you to share back, any inputs and insights that you may have as well to drive the industry forward.

So maybe just a quick, a little deeper overview of my career. I started my career in Ernst and Young doing technology risk and audit, and actually it's a very funny way of how I ended up doing this. So I am not an accountant by training. I wanted to do consulting for Arthur Andersen when I graduated, but when I graduated Arthur Andersen didn't exist anymore. So a senior of mine referred me to Ernst and Young and said, "Hi, would you like to try technology risk and audit?" So I got into that without knowing exactly what it is, but 17 years later I am proud of this career I've stumbled into, because it has brought me to many places around the world. It has allowed me to experience so many different industries, meet with so many people around the world, including in Thailand, where I've also done various audit engagements in my earlier years, and gain new friends and experiences everywhere.

So after spending some time early on in Singapore, I decided, being young back then, to move to Australia, and I spent some time with Ernst and Young in Australia doing the same work, but it also allows me to open up my
eyes around how all that is done in a different country, within a different culture as well. And after some time I thought I wanted to experience how it feels to be in-house, right? Because as an external consultant you're always moving from engagement to engagement, you don't spend as much time internally, and I wanted to get a different experience. And that, I will say, is I guess the key pivotal shift in my career, after moving into internal audit, because it allowed me to have a very, very different perspective on trying to find issues but yet being part of that company. People always see auditors as not part of that company, right? Because we are the ones asking the tough questions, or what we term as being the contrarian in the company. But we are actually doing it for the company, on behalf of the board and the shareholders, right? And that concept is really very hard to grapple with for some people at times, even today, for some of our stakeholders, and I'm sure everyone can relate to that: what does it mean to be an internal auditor? There was once my previous head of audit in my commercial firm in Australia told me, "Richard, we're not here to be loved, we're here to be respected." I said, "My boss, I just want to feel loved sometimes." And I can empathize with everyone: sometimes you don't feel much love in doing the work we do. So I think at this juncture I want to also send a note to encourage everyone as an industry that you are playing an important role, and sometimes it's hard to get that love or recognition that we need. But I think a lot has changed since I started my career and now, and I think today the industry is in a much better position, much more appreciated, much more recognized. But we should not keep still on our current position, because the world is changing rapidly, and I'm hoping to share with
everyone, from a concept of audit innovation today, how we need to think so that we continue to stay relevant amidst the changes of where that is.

So wrapping up then and moving back to my career journey: after some time in Australia, I've learned so much about different companies, different industries. I've done from media companies to manufacturing to banks to services, and I just thought, oh wow, this job got me from Singapore to Australia, where else can I go? I wanted to go to the UK. I got my visa ready to go, and then the financial crisis happened, so that stopped me in my tracks of being a globetrotting auditor back in my earlier days. So I decided to come home. I took a bit of a break and then I went back to Ernst and Young again, and my partners welcomed me back very readily. But it also shows how small this community of auditors is, right? Where we always need to appreciate the relationships that we build in our community as well. And I spent a few years back then, but as a manager, and then focusing back on financial services, which I ultimately moved back to because, after trying different industries, that was the industry that I really enjoy as a tech risk professional. Because back in the day, besides being in a tech firm, financial services was the only other industry that invested a lot in technology and that had a lot of complexity.

So in the last 10 years I've been with Standard Chartered Bank, I've been with Citibank, across both third and second line roles. And from a tech risk professional I have also done business audit, business process review. I was leading the second line compliance assurance role for AML, money laundering, anti-bribery, for Citibank. I never foresaw when I started my career doing this tech risk that I could be doing AML at one
point or the other, right? But what it has shown me is that we as risk professionals, whether you are of a technical background or the business background, have the ability to move that through. And this is one of the key areas I'll talk about, which is being adaptable. We're never too old to learn, too late to learn, because the reality is that no one knew, like for example, no one knew today I will be here speaking to a group of auditors based in Thailand, right? This in the past would have required me to fly over to Thailand to perhaps give a talk, but clearly technology has enabled us to do things that we have never previously envisaged, although I would still love to be able to interact with every one of you in person sometimes.

So just maybe last August I shifted to Grab to head up technology audit and audit innovation. Now you must be wondering why someone who spent probably more than two-thirds of his career in financial services wants to move into technology. Because I'm someone who is always keen to take on a new challenge, and as someone with a technology background it opens up now for me an opportunity around thinking, wow, in a company that is going to be soon listed, and in the forefront of using technology in the business model, how can I think about doing audit differently? And that's the reason why I took up this role, being able to take the experience of my past and also rethink, reimagine and reinvent the way we think about audit in this new frontier. Very much as how I believe Grab in its own way has disrupted various traditional services economies to create new opportunities for the everyday entrepreneurs in the region, I want to do that in my way as an auditor in the support function, thinking about how can we think about disrupting audit in a positive way to add
new value, new insight, and create a new sense of awareness, respect and value that we bring to the table for our shareholders and more. So just going to pause here and pass it back to the moderator so we can get the session started. Thank you.

Thank you, Richard. So please come to visit Thailand when it's safe and sound. We love to visit Singapore too. And I find it very interesting that you like to be part of the company, and not to be loved but to be respected, and we are not too old to learn. Thank you very much. So now we have the table discussion. I would like to invite Khun Surasak.

Very impressive introduction, Richard. I have been working with the bank for over 30 years and we have been through a couple of crises. And given the current responsibility in the audit area, in the past couple of years I found that at the bank, being an auditor, we provide our services more and more on the advisory role, not only the assurance, which to me, if the BAU is a traditional, it's something that we have to do on an everyday basis, but more on the advisory role. So my question to you is that, given this role, how can we ensure the audit committee or even the board of directors that, providing such advisory services, we still can be independent? And if we can earn trust on this, meaning that apart from the assurance that we provide, we can share with the business unit more of our experience and help prevent something that may happen, which in the past would be too late.

Yeah, so great, great question. And I mean, without me telling you, I'm sure you will see it in the various literature, and if you follow the industry, the talk of auditors playing a risk advisory role has been out there for years, right? But what does it really mean from that perspective? So maybe I'll start off with an analogy to help everyone understand. I work for Grab, so I'll use the car, right? People always say
audit is a rear view, a rear mirror view. That's what it is: when we do an audit we say, hey, what's your audit period, you look back, right? And that's a very classical way of driving. You need to have that rear view in driving, whether you're riding a bike or a car. But if you think about the cars of today and the future, it's not about rear view. You have built-in navigation systems, forward sensors, you use tools like Waze or Google Maps that tell you don't take this road because of bad traffic. I'm sure you guys in Thailand know traffic very well and will definitely try to plan the most efficient way on that. But that's how auditors need to think around that. We need to stop giving rear-view-mirror type of assurance; we need to give forward-looking assurance, especially in the age of digitization and transformation, right? Looking at something, just because, okay, we enter a new product now, by the time you put it on the audit plan and get to obtain it, it may be the year after. How much time has changed and passed within that? What is the value then of telling management six months, 12 months later that, hey, we've got a huge problem here, but it's 12 months later, right? So that mindset means that we need to think and change, and that's why risk advisory is important, is here to stay, and you will see increasingly in any mature, good IA function, to take up more and more of the assurance plan.

Now on the issue of independence, that is something, of course, always faced by IA functions, particularly smaller IA functions where you don't have size and skill, and some of this may be difficult. But I think it can be done, because people always have this association that risk advisory equals not audit, equals not assurance, right? So some good practice I can suggest is to be clear on what is the risk advisory role, make sure that is in your IA mandate and charter that's agreed with
the audit committee, make sure your chairman is on board and then members are on board as well. What we also found helpful is to actually define and articulate the service offering. When you say that you're doing risk advisory, risk advisory can take many shapes and forms, and when you look at it, a lot of auditors are involved in advisory work, not to the point of taking management responsibilities, but giving management an independent view, helping them call issues, problems or potential risk-reward trade-offs they have to think about in making certain decisions, right? So as long as the OB, or out-of-bound, markers are clear in what you will or will not do, and you define those service offerings with management and the AC, I think that's fine. And I would like to see also ACs challenging auditors: if they're not doing risk advisory, why are they not? Are they not in the position to do so? Are they not well resourced to do so? Or what are the challenges to think about? Because, and always remember, no one wants to buy a car today that only has a rear view mirror. You want to buy a new car today with all the sophistication of predictive traffic analysis, sensors, a smart car, right?

Thank you.

Yes, I'm here. Okay, I think the first question is good and has had a good answer from Khun Richard. Anyway, I have a couple more. Now I'll probably throw them to you one by one. Okay, first of all, before I give you the question, I'd like to introduce myself a little bit. I'm a chairman of the audit committee of TTCL Public Company Limited, and I have quite some experience regarding the traveling, regarding the different kinds of auditing, and I mostly understand what the challenges and the opportunities are for the internal auditor. Okay, but anyway, there are some new things and some new developments, and there are some changes today that, you
know, we might need some kind of people to explain to us, like artificial intelligence, machine learning. Another one, mainly for the young people, is cryptocurrency investment, and in the financial field it's decentralized finance. How do you convince the auditors, your team, how do you convince them to change their mindset? Now usually the computer, the internal auditors, most of them, they have the traditional auditing, but now they are moving on into the technology. So I'd like you to share the experience with us.

Sure, thanks. Happy to share. I can't say that I've mastered all these new areas. I'm also learning very much on this, because there's just so much going on in that sense, right? Even when we talk about crypto, understanding Bitcoin, that's very basic. Today people are talking about NFTs, non-fungible tokens, right? So that space keeps on changing and evolving. But what I will say to think about from an auditor's perspective is this: the rapid digitization and the use of technology has disrupted many industries, many companies, right? We as auditors supporting companies are not immune to that. We as an industry ourselves are not immune to that as well. I think it is here to stay. Every industry, every company is facing some sort of disruption, and in the same way we as auditors need to change on that. I actually say that this is now a welcome disruption, because sometimes you need such a pressure to help people do that, right? The way I think about it is that audit has always been behind the curve in using the technology or the new way of doing things in the way that we audit. We always wait for business to implement something, then we say, oh, we need to figure out how to audit that, right? And that mindset has to change. Today you need to learn about how can I use a new approach, new tool
to audit something. Don't wait for the business to do that. In fact, maybe in the same case, go along with the business, your counterparts, in that journey. If your company is saying that we're going to adopt maybe machine learning, get on that journey together with them in doing that, because we should not be reacting, because we are always reacting to that. So that to me is one key way of thinking about that. The other way is really very much that you cannot use an analog tool to audit in the digital world. That is the reality. You need to use a digital tool to do audit in a digital world. It is like, not promoting violence, but just saying that you don't bring a knife to a gunfight, because you definitely lose unless it's a close-quarter battle, right? But that's one analogy that we think about, and that's where I think digitally upskilling is very important. And this is where I will try to, I guess, answer the second part of your question, right? What does it mean where all of us have different training, training in a traditional mindset? And even tech auditors, I'm not immune to that. Tech auditors of the past, I have also been trained to look at IT general controls. They do not know various domains today. When we audit tech, that is cloud technology; someone will say, hey, as a technology, can you look at this AI algorithm, this machine learning, this RPA, robotic process automation, tool, right? So it impacts everyone, whether or not you have a technical or non-technical background. The challenge ahead is clear. What I think may not be clear to everyone is that the opportunities are also very clear, where it aligns for everyone in the sense, and we have seen that both in the tech audit community and the main audit community, the fact that today data analytics can be done by any auditor because of the tools and the language that's
available here, right? That to me is a digital language. There also needs to be a change of mindset when saying that, right? In the past you may have specialist technology auditors in your team and say, oh, that goes through the system, let me ask the technology auditor. But can you imagine in a tech firm like mine if they do that? Then every auditor must be a technology auditor, because we run a whole pure digital business, right? I have no manual forms in the way we call a ride-hailing ride or the food, right? Where's the manual processing on that, besides our partners on the road that are actually doing that delivery? But the whole process, from initiation to being recorded on the general ledger, this is all digitalized. So what that means then, the future of auditors, I think the makeup of an internal audit function will change. What we call business and general auditors, I term them as digital auditors of the future. What that means: they all know basic analytics, they understand basic applications, thinking about workflow, application controls and stuff. And then the specialists in audit functions will be different. You may have specialists that look into very, very technical cloud; we have data scientists. In fact, maybe then the skill sets to understand financial reporting or treasury stuff, which may be a typical accountant's expertise, may become a specialist function in the future, because the skill set to audit the business process of the future, which is technology, data treatment, will also change. Yeah, that's probably how I think about that.

I think the key is, what I try to analyze, it is by observation, not analyzing. Now most of the internal auditors, they usually are conservative people, because most of them, they come from a career like, not the engineering guy. So they kind of
wait until they are sure that they want to move on. But the thing is, I think it also depends, what you're saying is, it depends on the company. If the company is changing from analog to digital, it's like forcing the internal auditor into the area of technology by itself. So instead of waiting until the company changes from analog to digital, which is saying it will be in the future, the internal auditor should prepare himself now instead of waiting.

That's right.

Okay, thank you very

Okay, let me introduce myself for a short period of time. My name is Kridchapond. I'm not new to internal audit but I'm still very young, and I heard your introduction and your journey, which is very impressive because it emphasizes the commitment to continuous learning, and you have to adapt all the time and learn everything new all the time. So that's very good, and that is what I believe about being an internal auditor. So today I would like to ask you questions about the Covid pandemic, about the Covid situation, that maybe every internal auditor keeps asking about. In the Covid situation, most businesses have to work from anywhere, from a foreign country, which includes the internal audit activities, and in some organizations or sometimes we have to commit 100% online. So in your opinion, what are the top three risks about the business, about the internal audit function, and how does the internal auditor handle the risks and situations, especially from your experience, where maybe you are using technology or using different concepts to deal with the risks, which may be different from the other organizations or maybe better than the other organizations? Please tell your experience.

Okay, yeah. So clearly I think the pandemic, as you
rightly put, has forced not just IA but various parts of business, if they can, to work remotely where possible, right? And that of course also throws the auditor off in a certain way when we've moved down this route, because the ability to sit down with our stakeholders, to interact, to build those relationships, to look people in the eye, walk the ground, is very important and nothing can compensate for that. And it depends on your state of company, and I can empathize with certain audit functions that will have more difficulty depending, right? If you are in a very traditional business good space, where you have warehouses or whatnot, clearly some of this may be difficult in that sense. But that being said, there are also new opportunities, right? Because today we can have a different approach, a different conversation on that. So let me talk about the risks that I think face organizations from a pandemic perspective and what IA should be looking out for.

So when the pandemic happened, people had to change, react, to make sure that we adhere to whatever regulations are in place to keep people safe, minimize social contact and energy and form that, which also says that sometimes in our internal process, be it from a B2B or B2C perspective, you have to change those processes, right? One thing that may not have perhaps attracted enough attention from all this is that we have done it to accommodate during the pandemic, but are they sustainable, and the adequacy of the new processes that have been redesigned, right? And understanding whether those are temporary measures or those changes are here to stay. Because I've also realized that organizations have said that we have changed a certain way of doing things and they realized, actually, you know what, let's go with this new way, because our customers are happy with it, we can go on with it, and then it's more efficient, we
reduce physical touch points, bring down cost from operational efficiency. But I think no one has perhaps done a holistic look back and said, hey, now that this process or these controls are redesigned, are they fit for purpose? Are there any challenges on that, right? So leading on to this, the other risk is around control breaks: things around exceptional approvals and deviations that have been given back then to accommodate in reacting to the pandemic. Are they still in place? Have people forgotten about the deviations or exceptional approvals that happened, right? Because everyone is great when reacting in a crisis. People will always get things done, but they may not remember that, hey, this was meant to be temporary, and maybe we have loosened the control expectations in certain areas and have not come back to look at it, right? So I think it's very important. The last part is, very naturally with the pandemic, what you see is huge digitization. That poses a lot of new risk for organizations who didn't invest from a digital perspective in the past. When I say investment, I'm talking about investment in data governance, I'm talking about investment in cyber security posture, because the more things that you digitalize and move on, your risks change: the risk profile of your company changes, the risk profile of the process changes, and that's where we need to think about that, right? So IA plans need to also think and break away from, hey, let's look at the traditional area, but maybe flank out and say, hey, what has happened in the last two years, which are the areas that have been subjected to the most changes that we think are of high risk, and they should perhaps adjust their plans to do targeted reviews to provide assurance on those areas.

Thank you very much. That's a very informative answer. Okay, so we move to Khun Surasak. Please, it's your turn.

Thank you.
Based on the situation that you shared with us, going digital, and this has changed very, very fast in the banking business. The second line of defense, when we say the circle of defense, in the past people mostly relied on the third line of defense, which we have discussed earlier is maybe a bit too late. But given the fast-changing environment, to me it seems like the second line and third line come closer, that the line between the second line and third line is more blurred, and the first line, which in the past would pass everything out of the business to the second line and third line. But because of the fast-changing environment, how would we implant risk awareness in the first line? Even in the bank we always have, we call it the line 1.5, somewhere between first line and second line. So going forward, I would like to hear your view about the second line and third line functions, and how to encourage the first line to have more risk awareness.

Yeah, so let me address the part on the second and third line, right? Yes, I mean on face value there appears to be some overlap. Clearly with now investment in technology, that also allows both second and third line to automate, invest in the analytics that do the work. I know that for a fact because I've done that in both my second and third line roles. Even in second line we were also investing in automation and analytics to do that, right? I think realistically, so let me talk about it at the macro level, realistically, with the exception of virtual industries like in banking, the investment in second line functions is still quite under-invested by and large across most industries. And that being said, the tools and technology today will allow companies to bridge that gap without investing as much headcount, right? I think what really now happens
is it provides a platform for the third line to differentiate itself in terms of the work that it is performing and focusing on. The hundred percent detail-level testing then can be taken on in a mature second line organization, and the third line then now can truly be focused on high-value assurance work, high-value risk advisory work. And that means different opportunities, different skill sets required in a third line auditor, because an auditor who can only just go through, thinking through, bashing through a standard control will find that a struggle, because then the work becomes very unstructured in a sense, right? Risk advisory pieces are never structured; they are always requiring you to think like a consultant. It's just that you don't implement it as a consultant. That's the key difference in that perspective. So there is that challenge, but the opportunity for the third line is to now then say, hey, partner with the second line, say that if you have a good mature second line function, focus on doing the heavy lifting, detail testing and whatnot the second line can do, and the third line focuses on what we talked about earlier, right? You want to know what's emerging, you can pivot your plan, your people, onto high-risk areas very fast.

The next part is around that interaction with first line. What I love about the new climate and environment as well is people are also becoming more risk aware, and there is that opportunity for the third line, because with the right tooling and technology, analytics, there's the ability to share with the first line how their control environment looks on an ongoing basis. I've seen a shift in creating solutions that have been created first by second or third line that eventually have been shared with the first line for their self-testing and awareness, right? And also being able to provide them automated dashboards on an ongoing basis.
These are very clear, highly visible indicators of their key risk indicators that I say, right? And if set up correctly, then it's very clear on the visibility, and these dashboards, with the right support of management and the board, could be used very much to drive the behavior from the first line, because people can always debate about issues, but facts are facts, and data is the best source of facts, right? No one will dispute data in that sense. So this is where we need to be able to leverage that. But I think that maturity also allows really more focus for the third line, and to a certain extent, if you also have a good line one or one point five that do their own testing, again I welcome that, because then it allows the third line to focus on high priority. Well, I do not know of any third line function who has any shortage of work so far. We always have more work on.

I couldn't agree with you more. But to hear from you, it seems that the audit people have to work harder during this stage in order to pass some tools or some experience to the first line or even the line 1.5, so that audit people will have more time to focus more on what you call the high-value test.

Yeah, just a point on that. I think this also provides more career opportunity for third line individuals to go into first and second line as well, to drive some of these changes that you want to see in how an ideal first, second and third line should engage, right? So I don't see this as a threat to the third line, but as an opportunity for the third line to take the lead to change the risk culture.

If I may add to this, in KBank we have a couple of people from audit move to second line. It's very helpful.

Okay, Ajan Sivarak, it's your turn. And Richard, I think maybe you have only one or two minutes
to answer not five minutes that i gave you ok i let you prioritize what is maybe we don't have to do all but maybe you want to prioritize which one

yeah uh okay i'm here yeah well that's good uh for the listening um i think before i go to the next question now i'd like to add a little bit uh based on my opinion when you're talking about the first line the second line and the third line the most important of the third line is the independence we still have to preserve it yes absolutely whatever we want you know or whatever we still need the first line the second line to be aware of our independence now to be aware not just you know it can be a lot of a lot of understanding you know if uh the first line the second line the third line they know their uh most important aspect now okay that that that that's uh for the uh uh question of course which is a very good one um my question my next question is you know we've been talking about the the internal auditor now they're talking about the audit and then you know the the most important position of the auditing is the ceo let's see if the if you you know the internal auditor one day you want to be a ceo let's think about you know your ceo what do you want what do you want internal auditor um what they look like what kind of picture of the in the internal auditor you would like them to help you to up you to achieving your objective the business objective in the area of technology

so i i think it's a great question uh i know i will not bucket to the area technology i think it's how do a ceo see the value of IA function right in in in a broader sense right and how does it help you uh i'm not a ceo now not yet uh maybe one day i may have my own but uh i think it's all about understanding the value proposition that i bring to the table right because you have an independent function that will with your support call it as he sees it right and this is to help the ceo and his
management team to remove any blind spots because when the company gets bigger there is so much more management layer right sometimes people are afraid to bring the real problem onto the table because it affects their performance or affects their bonuses and whatnot and this is where IA can bring that value to a ceo who can see that you know my IA function is like my personal doctor my personal physician that i trust right he will give me an independent health check on my family which is the rest of the company in in that sense right and technology and this is very important ceo and management team should enable IA to get whatever information they need partly from a technology a data perspective to help present and form that view because today in the tools we have we can write audit issues differently instead of saying 10 out of 25 samples have problem i can tell you in the whole population of over the last six months twenty percent have a problem we can quantify the issue if if your transactions are all technology and data driven to that perspective we can quantify the impact to you right so i will say support the investment that you need in IA function for their data uh skill upskilling their technological investment let them have the ability to access the data warehouse type in right i i run uh different uh agile streams with my innovation team around uh thinking about different data sets how could we have a IA dashboards that can help me monitor different things how could we cross look at different set of data and look at opportunities and what not right to me my canvas board is unlimited with the more data and tools i have but if you try to say hey do your job but stay in the room you know the doctor is can only see one patient at a time in the room but you say that hey go out to the community and look for the people you need to treat and that's a very different proposition right so so that's
that's how i kind of frame it in a in a very short time we have left

i mean this is this is good this is a good perspective of of a good ceo you know that that a bad ceo good ceo yeah so uh you're an internal leader one day you become a ceo i think you will be a good ceo

so that's right it's your turn

thank you i thought um there is so little time left so i just wonder whether i can ask this question but okay they still come so as ask khun Richard is working like in the IT based corporation very big corporation so i would like to ask the difference between the traditional one the non-IT organizations and IT organizations like Grab what is the difference in your first in your perspective about um these two types of organizations in terms of internal audit in terms of the risks in terms of the internal control so so that we can learn the non-IT traditional organizations can learn from IT organizations to prepare for the digitalization to learn more before going before using more technology for better performance please please share your view

so uh clearly it's different because uh tech organization tends to also be younger they tend to have a younger workforce who tend to be more tech savvy right so what that means is every time there's a new tool out there people say hey can i use this tool can i use that tool can i automate this right people are willing to to change that and the organization in the spirit of innovation let's say how how dare you they are willing to spend and invest in that traditional organization because of various reasons cost and also legacy systems and processes we'll find that for our help because they oh you want to try that but that doesn't work with our system because that's legacy right so you will have those challenges which will result in in the way that how we think and approach uh things on that but the expectation then is also very different i come from financial services
heavily regulated industry people are very careful so every process has maker checker you know secondary review and whatnot but in a tech firm you if you try to think about that just not gonna work because to them it's about fast fast plus agile right you know my millions of of uh uh uh consumers and user my app's not going to wait for a change management window to open at the end of the month to make a change in the app if it's causing a uh issue that will you know lose revenue right on on that you will also have here that you know DevOps and DevSecOps have also changed the way how IT management IT general controls have uh changed uh in in that sense people don't have that many layers of segregation of duties traditionally so moving fast means a different risk framework which requires a higher risk appetite and a better understanding of the risk reward trade-offs but the good thing is that unlike traditional organizations when they do that they tend to have the tools that allow them to manage the risk automate that detect outliers that is something traditional organizations face in trying to change because you want to change but if you don't invest in in in two things like the risk reward trade-off and and the two means you're not going to be able to get that because it requires you to take more risk which you can mitigate but it requires also more automated solutions to to to look at that so i mean just mindful time like that's that's probably the the high level sorry answer i can give

i i want you to tell us more about in terms of the risk appetite about the risks that the traditional organization must face when become more digitalization because in my first question to discuss about the when under covid situations when the non-IT ones have to use IT technology to to like include in some process and that will incur more risks more new risks in terms of like cyber security things or in terms
of the   the other is that the traditional one is  not acknowledgement so i would like um some   you to explain sometimes about the risk appetite  and the new risks in from the digitalization   yeah so so uh i mean clearly uh you have a lot  more new ways because when you go digital then   you have reliance on the technology right what's  your favorite right today if i talk about cloud   do you go as a single cloud strategy multi-cloud  strategy and these are very complex stuff when   you talk about resiliency if i speak to someone  in banking you'll say oh we always do the DRP   we'll switch to the other data center and whatnot  but what does that mean from a cloud perspective   right so so and then this is where organizations  need to think about right what is my risk at the   time do i need to pay for more resiliency and and  and what's that trade-off i'm willing to accept   right what's that criticality on that right uh  so i think it's all going to be a risk reward   uh trade-off i think a lot of time i just  bring it back to from an audit perspective   auditors raise the risk for the time no  medium high i would challenge auditors to   ask the question so what uh maybe to the point  if you have two minutes with your board member or   CEO in the lift you want to tell me about the five  low risk issue or the one high risk issue that   that he or she can spend time to help support you  right and this is where we need to get better in   raising articulating the issues that we want to  highlight and also quantifying that risk impact   trade-off right because we see issues all the  time but some of them in the scheme of things   uh and and you know i come from a company that has  millions of transactions some more transactions   are low value right you may find exception but  you realize that hey i may have a 5,000 exceptions   here but that only constitute maybe 50 usd of loss  do i want to be focused on something like that   right that that's that's where you 
know we have to be helping management think about that risk reward trade-off and then this will also help build credibility of IA because you say oh IA is just raising everything whether is it worth 50 or 5,000 dollars right so you know you want to spend your time so that you you you become credible and rip at value and impact

thank you Richard

i think we have the question from the chat box a very long question but i will ask with the short one uh they mentioned about the ai and machine learning could you please tell us that how can we audit the ai or machine learning or to help the business uh to make value and how can we use the ai machine learning in our audit below

yeah uh so okay i'll break it down so from IA perspective uh i've seen audit functions uh and we are also starting to use that in analyzing trends and issues right because uh and and this is a very heavy extensive topic because there's also things like ai bias right uh on that so you can use it to train data to see the trends that you have and then you can see anomalies for example certain type of transactions peak at certain time of the week of day right and if you feed that through months and years of data the the ai will learn that is the trend so which means to say when things change differently from the volume type of transaction it should provide you those other let's say that something else is going on differently on that right so this is one way and how we do it around like for example if you have a customer service site right you could use it on fuzzy logic to pick up keyword search what are customers complaining about that also provides you uh indicative hotspots that hey is there a process or control issue around that because we see a lot of customer complaint in that area right so there's on that now auditing ai now that that is a tough one uh so the way our approaches this is two things right of course it helps if you
have uh   such people in your team to help you but not it's  always around framework and there's been various   regulators around the world that have taught uh  published various framework to think about ai   right and and you need to think about the bias  right so that in the same way that we do that how   ai models are developed by the business in  terms of the data set they are using for   training is very important because that will  create buyers and and you can google that right   there in the us there was one that they use for  sentencing guidelines on offenders and they found   that there was a bias on on on a certain  race because the past data seem to suggest   a certain ways are given behavior sentencing  right and then that's where you using those   data past data although it's factual data could  create a bias on on on that right so so it's all   thinking about the framework when where people say  that oh i'm going to start the ai machine learn   uh you need to challenge around yeah what is  that data set what is that you know things   and and then what are the feel safe how do they  monitor and check that that bias do not happen   and it could be from uh based on uh ray sex or  profile even from a credit decision process in a   bank or you know offering a loan uh as a and then  you know in extreme government services as i say   or whether certain decisions are made with  those buyers lisa you mentioned about the   open source that you use for the technology audit  and and you said that you will tell us yeah so so   uh you know in this whole transformation as we  advocate for digital auditors right uh we also   recognize that and and the world of learning  has changed today last night you have to go for   course sit in person go to a school university  to ask yourself uh the learning industry's been   disrupted as well so you have things like  consora linking learning uh like my whole   audit department is pursuing consora google data  analytics 
professional certification uh and we mandate that for for every uh auditor uh business or tech or otherwise so that everyone has that foundation training the other thing that we wanted to do is also to help understand that despite all the training not everyone is just going to be as technically savvy to write scripts from day one the beauty of today's technology has enabled uh analytical tool what we term as low code no code tool right that allows them to do data analysis without having deep appreciation of scripting or coding and and that can be taught so one open source software is called KNIME K-N-I-M-E uh and and and that that is a tool uh that's also have been used by uh a few other global audit functions uh so yeah if everyone is interested you can uh you know uh go online and find them

okay Richard hi hi hi hi so you give us an open source right or something

yeah i i i just uh posted the link

oh okay thank you very much uh Richard Khun Suvimon just asked the same question i asked you how many people of your team of Grab Singapore

uh we uh regionally we have uh uh uh 20 over people right now uh and and and uh we asked you in a midway through our multi-year transformation uh so so i think i think the other thing is also to to think about the IA of the future because uh with the technology and tools some people think about IA size should be proportional to the revenue some people think about IA size that should be proportional to the number of people in the organization uh not wrong right i think the new dimension then is also IA size relative to the uh uh the technological tools expertise uh and data available within the organization because that also allows you so uh and this is where we want to future-proof the audit function uh in the sense that you know technology will allow us to uh digitalize a lot of the audit work right uh but that doesn't mean there's no audit work that it allows us to fill
in the high resolution because i think in a company like us that's always venturing into new markets doing new things we are always just trying to say hey where's the new thing that we need audit but we still need to continue to audit the many other things that is already on our plate right so so so i i think uh you know if anyone would think about that you know when you think about your audit function in the future think about that it's not about the number but the number of right expertise that you have to help you create

thank you Richard uh for the last question uh for one sentence to be digital IA what would you recommend for one sentence

don't be afraid yeah changes change is always frightening uh and and i i i think i'll leave it with everyone don't be afraid right because you know i we i can't have this talk everyone said yeah we we need to do all this but if you don't step out try fail yeah uh experimentation don't be afraid to experiment yeah outside maybe do not be right do not be afraid to experiment because only through trying failing then we can get better and and i'll leave everyone with that

thank you very much Richard i think we uh appreciate your time and maybe we are a little bit late and you have the family engagement right so thank you very much uh and please if you come to Thailand tell me and i i miss Singapore so i will visit Singapore which is that thank you Richard

all right thank you for this opportunity very much bye

thank you bye-bye thank you very much

2021-11-09 12:20
