IA Academy EP2 Technology Audit & Audit Innovation

Show video

Please leave your question in the chat box at  the bottom of your screen we will have q and   a at the end of session now we would like  to welcome our known speaker khun Richard Richard all right Sawasdee krub to everyone thank  you for having me uh to share with your community   on a Saturday afternoon uh i'm only being able to  share uh what i've learned along my journey and   experience with everyone in the hopes that you  know together as a whole ia community globally   and and particularly in the region we can you  know continue to innovate can continue to drive   the industry standards to higher heights so so uh  as much as i'm uh sharing you guys i also hope to   uh here and here and and for you to share back  uh you know any inputs and insights that you   may have as well to drive the industry forward so  maybe just a quick a little deeper overview of my   career uh i started my career in Ernst and Young  doing technology risk and audit and actually it's   a very funny way of how i end up doing this so i  am not an accountant by training uh i wanted to   do consulting for arthur anderson when i graduated  but when i graduated arthur anderson didn't exist   anymore so uh a senior of mine referred me to  Ernst and Young and say hi would you like to try   technology risk and an audit so i got into that  without knowing exactly what it is but you know   17 years later uh i am proud of this career  i've stumbled into because it has brought me to   many places around the world it has allowed me  to experience so many different industries meet   with so many people around the world including  in thailand where i've also done various audit   engagement in my earlier years uh and and and you  know gain new friends uh experiences everywhere so   after spending some time in early on singapore  i decided to being young back then to move to   australia and i spent some time with Ernst and  Young in australia doing the same work but it   also allows me to open up my eyes around how  all that is done in a different country within   a different culture as well and after some time i  thought i wanted to experience how it feels to be   in-house right because as an external consultant  you're always moving from engagement to engagement   you don't spend as much time internally  and i wanted to get a different experience   and that i will say is i guess the key  pivotal shift in my career after moving   into internal audit because it allowed me  to have a very very different perspective on   trying to find issues but yet being part of that  company people always is auditor as not part of   that company right because we are the one asking  the tough questions right uh or what we term   as you know being the contrarian in the company  right but we are actually doing for the company on   behalf of the board and the shareholders right and  that concept is really very hard to grapple with   for some people at time even today for some  of our stakeholders and i'm sure everyone   can relate to that what does it mean to be an  internal audit right uh that there was once uh   you know my previous head of audit in my  commercial firm in australia told me Richard   we're not here to be loved we're here to be  respected i said my boss i just want to feel   loved sometimes you know and and i can empathize  with everyone sometimes you don't feel much love   in doing the work we do so i i think at this  juncture uh you know i i want to also send a   note to encourage everyone as industry that you  are playing an important role right and sometimes   it's hard to get that that love or recognition  that we need but uh you know i i think uh   a lot has changed uh since i started my career  and now and i think today that industry is is   in a much better position much more appreciated  much more recognized uh but we should not uh keep   still on our uh you know current position because  the world is changing rapidly and i'm hoping to   share with everyone uh around from a concept of  audit innovation today how we need to think about   so that we continue to stay relevant amidst the  changes of where where that is so wrapping up them   and moving back to to my career journey uh you  know after some time in australia uh you know i   wanted to again uh you know and i i've learned so  much about different company different industries   i've done from media company to manufacturing  to banks to services and i just thought oh wow   this job got me from singapore to australia  where else can i go i wanted to go to the uk   i got my visa ready to go and then the financial  crisis happened so that stopped me in my track   of being a globetrotting auditor back in my  earlier days so i i decided to come home uh   you know i took a bit of a break and then i  went back to Ernst and Young again uh and and   my partners welcome back uh you know very readily  uh but it also shows that how small this community   of auditors is right where we we always always  need to appreciate the relationships that we built   in in our community as well and i spent a  few years back then but as a manager and then   you know focusing back in financial services uh  which i uh ultimately moved back to uh because   after moving trying different industries uh that  was the industry that i really enjoy as a tech   race professional because back in the day besides  being in the tech firm the financial services was   the only other industry that invested a lot  in technology and that had a lot of complexity   so in the last 10 years i've been with standard  chartered bank i've been with citibank uh across   both third and second line roles uh and from a  tech risk professional i have also done business   audit business process review uh i was uh leading  the second line compliance assurance role for ml   money laundering anti-bribery for citibank i i  never foresaw when i started my career doing this   tech risk that i could be doing ml at one point in  the others right but what he has shown me is that   we as risk professionals whether you are off a  technical background or the business background   have the ability to move that through and and this  is one of the key areas i'll talk about which is   being adaptable we're never too old to learn  too late to learn because the reality is that   no one knew like for example no one knew  today i will be here speaking to a group of   you know auditors based in thailand right  this in the past will have required me to fly   over to thailand to perhaps uh give a talk but  clearly technology has enabled us to do things   that we have never previously envisaged although  i would still love to be able to you know interact   with every one of you in person sometimes so uh  you know just uh maybe last august i shifted to   grab to head up technology audit and audit  innovation now you must be wondering what is   someone who spent probably more than you know  two-thirds of his career in financial services   want to move into technology because i'm someone  who is always keen to take on a new challenge   and as someone with a technology background it  opens up now for me an opportunity around thinking   wow in a company that is going to be uh  soon uh listed you know and you know in   the forefront of using technology in the  business model how can i think about doing   audit differently and that's the reason why  i took up this role uh and and being able to   you know take the experience of my past and also  rethink reimagine and reinvent the way we think   about audit uh in this new frontier you know  very much as how uh i believe in how grab uh   in its own way have disrupted you know uh  various uh traditional services economy   to create new opportunities you know for the  everyday entrepreneurs in the region i i want to   do that in my way as an auditor in the support  function of thinking about how can we think   about disrupting order in a positive way to add  new value new insight and create a new sense of   awareness respect and value that we bring to  the table for our shareholders and more so just   going to pause here and pass it back to to the  moderator uh so we can get the session started   thank you thank you richard uh so please  come to visit thailand when when it's safe   and sound we love to visit singapore too and uh  i think i find the very interesting that uh you   like to be part of the company and not to be loved  but to be respect and we are not too old to learn   thank you very much so now we have the table  discussion i would like to invite khun Surasak very impressive introduction richard i'm i have  been working with the bank for over 30 years   and we have been through a couple of crisis and  given the current responsibility in the audit area in the past couple of years i found that  at the bank being an auditor we provide our services more and more on the advisory role  not only the assurance which to me is uh if the   bau is a traditional it's it's something that  we have to do on everyday basis but more on the   advisory role so my question to you is that given  this role how can we ensure the audit committee or   even the board of director that providing such  advisory services we still can be independent   yeah and if if we can earn trust on this meaning  that apart from the assurance that we provide   we can share with the business unit more  on our experience and to help prevent   something that may happen which  in the past it will be uh too late   yeah so great great question and i mean without  me telling you and i'm sure you will see it on   you know the various literature and if you  follow industry following the talk of auditor   playing a risk advice we will uh has been out  there for years right but what does it really   mean from that perspective so maybe i'll  start off with an analogy to help everyone   understand i work for Grab so i'll use the car  right people always say audit is a real view   a real mirror view that's what it is when we do an  audit we say hey what's your audit period you look   back right and that's a very classical way of  driving you need to have that real view in driving   right uh whether you're riding a bike or car what  it is but if you think about because of today   and the future right it's not about real view you  have built in af navigation system forward sensors   you know you use tools like waze or or google  maps and tell you don't take this road because of   bad traffic i'm sure you know you guys in thailand  knows traffic very well and will definitely   try to plan the most efficient way on  that but that's how auditors need to think   around that we need to stop giving real view  mirror type of assurance we need to give   forward-looking assurance especially in the age  of digitization and and transformation right uh   looking at something you know just because okay we  enter a new product now by the time you put it on   the audit plan and get to obtain it it may be the  year after how much time has changed and passed   within that what is the value then telling  management six months 12 months later that   hey we got a huge problem here but it's 12 months  later right so so that mindset means that we need   to think and change and that's why risk advisory  is important is here to stay and you i will see   increasingly in any mature good ia function  to take up more and more of the assurance plan   now on the issue of independence that is something  of course always based IA functions particularly   smaller ia functions where you don't have size  and skill and some of this may be difficult but   i think it can be done because people always  have this association around that risk advisory   equals to not audit equals not assurance right  uh so what some good practice i can suggest   is to be clear on what is the risk advice  rule make sure that is in your IA mandate   and charter that's agreed with the audit  committee make sure your chairman is on   board and then members are on board as well  what we also found is helpful is to actually   define and articulate the service offering  when you say that you're doing a risk advisory   it risk advisory can take many shape and form and  when you look at it a lot of auditors are involved   in advisory work not in the point of taking  management responsibilities but giving   management an independent view helping them  cause issues problems or potential risk rewards   trade-offs they have to think about in making  certain decisions right so as long as the ob or   out of bound markers are clear in what you or will  not do and define those service offering across   with management and and the ac i think that's fine  and i think uh you know i i would like to see also   uh you know ac's challenging auditors if you're  not if they're not doing risk advisory why are   they not are they not in the position to do so are  they not well resourced to do so or what are the   challenges to think about that right because and  all they remember no one wants to buy a car today   that only has a rear view mirror you want buy  a new car today with all the sophistication of   predictive traffic analysis  sensors smart car right thank you yes i'm here okay i think you know the first  question is good and he has had a good answer   from khun richard anyway i have a couple more  now i probably throw it to you one by one   okay first of all before i give you the question  uh i'd like to introduce myself a little bit i'm a   chairman of the audit committee of the ttcl public  company limited and i have quite experienced   uh you know regarding the traveling  regarding the different kind of auditing   and i mostly understand what is the challenges uh  what are the challenges and and the opportunity   for the internal auditor okay but anyway yeah  there are some new things and some new development   and there's some changes today that um you know  we might need some kind of uh people to explain   it to us like the artificial intelligence you know  the machine learning another one is mainly for the   young people the cryptocurrency investment and in  the financial field it's a decentralized finance   um how do you convince you know the auditor  you know your team how do you convince them   to change their their mindset now  usually the computer the internality   they have most of them they have the traditional  uh auditing but now they they are moving on   into the technology so i like to you know  to to to you to share the experience to us sure thanks uh happy to share i i can't say  that i've mastered all these new areas i'm also   learning very much on this because there's  just so much uh going on uh you know   in that sense right uh you know even we talk  about crypto uh you know understanding bitcoin   that's very basic today people are talking about  nft non-fungible tokens right so that space keep   on changing and evolving but what i will say to  think about from an auditor's perspective is this   the the rapid digitization and the use of  technology has disrupted many industries   many companies right we as auditors supporting  companies are not immune to that we as a industry   yourself is not immune to that as well right i  think it is here to stay every industry every   company is facing some of disruption and in  the same way we as all it does need to change   uh on on that i i actually say that this is now  a welcome destruction because sometimes you need   such a pressure to help people uh do that right  uh the the way how i think about it is that   audit has always been behind the curve in using  the technology or or the new way of doing things   in the way that we audited we always wait for  business to implement something then we say oh   we need to figure out how to audit that right and  that mindset is to change today you need to learn   about how can i use a new approach new tool to  audit something don't wait for the business to do   that in fact maybe in the same case go along with  the business your counterparts in that journey   if your company is saying that we're going to  adopt maybe machine learning get on that journey   together with them uh and doing that because  we should not be reacting because we are always   reacting to that so that that to me is this  one key way of thinking about that the other   way is really very much then you cannot use  an analog tool to audit in the digital world   that is the reality you need to use a digital  tool to do audit in a digital world it is like   uh you know not promoting violence but just saying  that you don't bring a knife to a gunfight because   you definitely lose unless it's a close quarter  battle right but that's that's one energy that we   we think about and that's where i think digitally  upskilling it's very important uh and and this is   where i will try to i guess answer the second part  of your question right what does it mean from uh   you know where all of us have different  training training in a traditional mindset   and and even tech auditors i'm not immune to that  tech auditors of the past i have also been trained   to look at very tightly general controls they do  not know various domain today when we audit tech   that is cloud technology you know someone will  say hey as a technology can you look at this   ai algorithm this machine learning this rpa  to you know robotic process automation tool   right so it impacts everyone whether or not you  have a technological technical or non-technical   background the the challenge ahead is clear  what i think may not be clear to everyone so   the opportunities are also very clear uh where  it aligns for everyone in the sense and we have   seen that both in the tech all the community and  the main audit community is the fact that today   data analytics can be done by any auditor because  of the tools and the language that's available   here right that to me is a digital language  there also needs to be a change of mindset when   saying that right in the past you may have  specialist technology auditors in your team   and say oh that goes through the system let me  ask the technology auditor but can you imagine in   a tech firm like mine if they do that then every  auditor must be a technology auditor because we we   we run a whole pure digital business right i have  no manual menu forms uh you know in in in in the   way we uh you know call a right healing right  of the food right where's the manual processing   on that besides our partners on the road that  is actually doing that delivery but the whole   process from initiation to to being recorded on  the chair general ledger this is all digitalized   so what that means then the the future of of  auditors i think the makeup of an internal audit   function will change what we come as business and  general general auditors i term them as digital   auditors on the future what that means they  all know basic analytics they understand basic   applications thinking about workflow application  controls and stuff and then the specialists   in audit functions will be different  you may have specialists that looks into   uh you know very very technical  cloud we have data scientists   in fact maybe then the skill sets to understand  financial reporting or treasury stuff which   may be a typical accountant's expertise that may  become a specialist function in the future because   the skill set to audit the business  process of the future which is technology   data treatment will also change yeah  that's probably our how i think about   you know that that's um i think like the key is  um you know what i i try to analyze it is uh by   observation not analyzing now most of the internal  auditor they usually are conservative people   you know because most of them they come from  the career like they come not the engineering   guy so they kind of wait when until they  they they sure that they want to move on   but see that the thing is i think it's also depend  on what you're saying is depend on the company the   company if the company is changing from analog to  digital so it's like forcing the internal auditor   into the area of technology by itself so instead  of waiting until the company instead of waiting   until the company changed from analog to digital  which is saying uh it will be in the future so   internally should be prepared himself now instead  of waiting that's right okay thank you very okay um let me introduce myself for a short  period of time okay my name is Kridchapond   i'm i'm not new to internal audit but i'm  still very young and i heard your introductions   and your journey that is very impressive because  it's like emphasize the commitment to continue   as learning and you have to be like to adapt  things all the time and learn every everything   news all the time so that's um that's that's  very good and that's i that is what i believe   about beings and it's not auditors so uh today i  would like to ask you the questions about the the   Covid pandemic about the covid situation that  maybe every internal auditors can keep asking   about the questions like when in the covid  situations like most businesses have to like   um doing work from anywhere from foreign country  which include the internal audit activities   that in some organization or sometimes we have  to like commit 100 online so in your opinions   what is the top three risks about the business  about the internal audit functions and how the   internal auditor handle the risks and situations  except especially from your experience that may   be you using technology or using different  concepts to deal with the risks which may be   different from the other organizations or  maybe better than the other organizations   please please tell your experience and you  okay yeah so so clearly uh i think the pandemic   as you rightly put the uh force not just ie  but various parts of business if they can   to work remotely where possible right  and that of course also throws of the   auditor of uh in in a certain way when we've  moved down this route because the ability to   sit down with our stakeholders to interact to  build those relationships to look people into   the eye walk the ground is very important and  nothing can compensate that and it depends on   your state of company uh and and i i can  empathize with certain uh audit functions   that will have more difficulty depending right if  you are in a very traditional business good space   you know where you have warehouses or whatnot  and clearly some of this may be difficult in   that sense but that being said there are also new  opportunities right because today uh we can have a   different approach different conversation on that  so let me talk about the risks that i think face   organization from a pandemic perspective  and what ia should be looking out for   so when the pandemic happen people have to  change react to make sure that we adhere to   whatever uh you know regulations that is in place  to keep people safe minimize uh social contact   and energy and form that which also says that  sometimes in our internal process be it from a   b to b or b to c perspective you have to change  those processes right one thing that may not have   perhaps attracted enough attention from all  this is that we have done it to accommodate   during the day pandemic but are they  sustainable and the adequacy of the new   processes that has been redesigned right and being  understanding whether those are temporary measures   or those changes are here to stay because i've  also realized that organization has said that we   have changed a certain way of doing things and  they realized actually you know what because   let's go with this new way because our customers  are happy with it we can go on with it and then   it's more efficient we reduce physical touch  points brings down cost from operational   efficiency you know but i think no one has  perhaps done a holistic look back and say   hey now that this process or this contrast  of redesign are they fit for purpose   are there any uh you know challenges on that right  uh so leading on to this the other risk is around   uh control breaks things around exceptional  approval and deviations that have been given   back then to accommodate in reacting to  the pandemic are they still in place have   people forgotten about the deviations or sectional  approvals that that happens right because everyone   is great when reacting in a crisis people will  always get things done but they may not remember   that hey this was meant to be temporary and  maybe we have you know loosened uh to control   my expectations in certain areas i've not come  back to look at it right so i think it's very   important the last part is very naturally with  the pandemic what you see is huge digitization   that poses a lot of new risk for organization  would didn't invest from a digital perspective in   the past when i say investment i'm talking about  investment in data governance i'm talking about   investment in cyber security posture because the  more things that you digitalize and move on that   your risks change the risk profile of your company  change the risk profile of this process change   uh and that's where we need to think about that  right so i in india plans need to also think and   break away from hey let's look at the traditional  area but maybe flank out and say that hey what   has happened in the last two years you know which  are the areas that have been subjected to the most   changes that we think that of high risk  and they should uh you know perhaps adjust   their plans to do targeted reviews  to provide assurance on those areas thank you very much that's  the very informative answer   okay so uh we move to Khun  Surasak please it's your turn thank you um based on the situation  that you share with us going digital   and and this has changed very very fast in banking business um the the second line of defense when we say the  circle of defense in the past people always   mostly rely on the third line of defense which  we have discussed this earlier that is maybe   a bit too late but uh given the fasting uh the  fast changing environment to me it seems like   the second line third line is this is it come closer that the line between  the second line and third line is more blur   and the first line which in the past would pass  everything out of the business to the second line   and third line but because of the fast changing  environment how how how would how would we   implant risk awareness to the first  line even in the bank we always have a   uh we call it the line 1.5 somewhere  between first line and second line so   going forward how i would like to hear your view  about the second line and third line function   and how how to how to uh encourage the first  line to have more on the risk awareness   yeah uh so let me address the part on the second  and third line right uh yes i i mean on face value   that appears to be some overlap clearly with now  uh investment and technology that also allows   both second third line to to you know automate  invest in the analytics that that do the work   uh i know that for a fact because i've done that  in both my second and third line role you know   even in second line we were also investing in  automation analytics to do that right i think   realistically so let me talk about at the macro  level realistically uh with the exception of   virtual industries like in banking the investment  and second line functions are still quite under   invested by and large across most industries  uh you know and and and that being said   uh the tools and technology today will allow  companies to bridge that gap without investing   as much accounts right i think what really now uh  happens is it provides a platform for the third   line to differentiate itself in terms of the work  that is performing and focusing on the the hundred   percent detail level testing then can be taken  on in a mature second life organization and the   third line then now can truly be focused on high  value assurance work high value risk advisory work   and that means different opportunities  different skill sets required in a third line   auditor because an auditor who can only just go  through you know thinking through bashing through   a standard control will find that a struggle  because then the work becomes very unstructured   in in a sense right risk advice people are never  structured they are always requiring you to think   like a consultant it's just that you you you you  don't implement it as a consultant that's the key   difference right in that perspective so that there  is that that challenge but the opportunity for   third line to now then say that hey partner with  the second line say that if you have a good mutual   second life function focus on doing the heavy  lifting detail testing and whatnot the second   line can do and the third line focus on you know  what we talked about earlier right you want to   know what's emerging you can pivot your your plan  your people on on uh high-risk areas very fast   uh the next part is around that interaction with  first line uh what i love about the new client   and environment as well as people are also  becoming more risk aware and there is that   opportunity for the third line because with the  right toolings uh and technology analytics there's   ability to share with the first line how their  control environment looks like at an ongoing basis   i've seen shift in creating solutions that's  been created by first my second method line   that eventually has been shared with the first  line for their self-testing and awareness right   and also being able to prove uh provide  them automated dashboards on ongoing basis   this are very clear highly visible uh indicators  of the of their key risk indicators that i say   right and and we set up correctly then it's very  clear on the visibility and these dashboards   with the right support of management and the  board could be used to very much uh to drive   the behavior from a first line because you know uh  people can always debate about issues but effects   are and date and data is the best source of facts  right no one will dispute data uh in in that sense   so this is where we we need to be able to leverage  that but i think that maturity also allows that   really uh uh more focus uh for for the third  line uh and and and to a certain extent you   know if you also have good line one or one  point five that do their own testing again   i welcome that because then if it allows the third  line to focus on high priority well i i not know   of any third by function who have uh any shortage  of work so far we always have more work on i i couldn't agree with you  more but uh to hear from you   uh seems that the other people have to  work harder during this stage in order   to pass some tools or some experience to  the first line or even the the like 1.5   so that other people will have more time to  focus more what you call the high value test yeah   i i just just a point on that and i think this is  also great provides more career opportunity for   thirdline individuals to do with that to go into  first and second line as well to drive some of   these changes that you want to see in how a ideal  first and second third line very good part should   engage right so i i don't see this as as a threat  to to the third line but i as an opportunity for   the third line to take the lead to change the risk  culture um if i may add to this um in in kbank   we have couple of people from audit move to  second line uh it's very helpful it's very helpful okay Ajan Sivarak it's your turn  and Richard i think maybe you have   only one or two miniutes to answer  not five minites that i gave you ok i let you priortize what is  maybe we don't have to do all   but maybe you want to prioritize which one yeah uh okay i'm here yeah well that's good uh for the  listening um i think before i go to the next   question now i'd like to add a little bit uh based  on my opinion when you're talking about the first   line the second line and the third line the most  important of the third line is the independent   we still have to preserve it yes absolutely  whatever we want you know or whatever we still need the first line the second  line to be aware of our independent   now to be aware not just you know it can be a  lot of a lot of understanding you know if uh   the first line the second line the third line  they know their uh most important aspect now   okay that that that that's uh for the uh uh  question of course which is a very good one   um my question my next question is you know  we've been talking about the the internal auditor   now they're talking about the audit and then  you know the the most important position of the   auditing is the ceo let's see if the if you you  know the internal editor one day you want to be   a ceo let's think about you know your ceo what  do you want what do you want internal auditor   um what they look like what kind of picture of  the in the internal auditor you would like them   to help you to up you to achieving your objective  the business objective in the area of technology so i i think it's a great question uh i know i  will not bucket to the area technology i think   it's how do a ceo see the value of ia function  right in in in a broader sense right and how   does it help you uh i'm not a ceo now not yet uh  maybe one day i may have my own but uh i think   it's all about understanding the value proposition  that i bring to the table right because you have   an independent function that will with your  support call it as he sees it right and this   is to help the ceo and his management team to  remove any blind spots because when the company   gets bigger there is so much more management  layer right sometimes people are afraid to   bring the real problem onto the table because  it affects their performance for affects their   bonuses and whatnot and this is where ia can  bring that value to a ceo who can see that   you know my eye function is like my personal  doctor my personal physician that i trust   right he will give me an independent health check  on my family which is the rest of the company   in in that sense right and technology and  this is very important ceo and management team   should enable ia to get whatever information they  need partly from a technology a data perspective   to help present and form that view because  today in the tools we have we can write audit   issues differently instead of saying 10 out of 25  samples have problem i can tell you in the whole   population of over the last six months twenty  percent have a problem we can quantify the issue   if if your transactions are all technology and  data driven to that perspective we can quantify   the impact to you right so i will say support  the investment that you need in ia function for   their data uh skill upskilling their technological  investment let them have the ability to access the   data warehouse type in right i i run uh different  uh agile streams with my innovation team around   uh thinking about different data cells how  could we have a ia dashboards that can help   me monitor different things how could  we cross look at different set of data   and look at opportunities and what not right to  me my canvas board is unlimited with the more   data and tools i have but if you try to  say hey do your job but stay in the room   you know the doctor is can only see one patient  at a time in the room but you say that hey go out   to the community and look for the people you need  to treat and that's a very different proposition   right so so that's that's how i kind of frame it  in a in a very short time we have left i mean this   is this is good this is a good perspective of  of a good ceo you know that that a bad ceo good   ceo yeah so uh you're an internal leader one day  you become a ceo i think you will be a good ceo so that's right it's your turn thank you i thought um there is  so little time left so i just wonder whether   i can ask this question but okay they still come  so as ask khun Richard is working like in the IT   based corporation very big corporation so i would  like to ask the difference between the traditional   one the non-IT organizations and IT organizations  like Grab what is the difference in your first   in your perspective about um these two types of  organizations in terms of internal audit in terms   of the risks in terms of the internal control  so so that we can learn the non-IT traditional   organizations can learn from IT organizations  to prepare for the digitalizaions to learn more   before going before using more technology for  better performance please please share your view   so uh clearly it's different because uh tech  organization tends to also be younger they tend   to have a younger workforce who tend to be more  tech savvy right so what that means is every time   there's a new tool out there people say hey can i  use this tool can i use that tool can i automate   this right people are willing to to change that  and the organization in the spirit of innovation   let's say how how dare you they are willing to  spend and invest in that traditional organization   because of various reasons course and also legacy  systems and processes we'll find that for our   help because they oh you want to try that but that  doesn't work with our system because that's legacy   right so you will have those challenges which  we result in in the way that how we think and   approach uh things on that but the expectation  then is also very different i come from financial   services heavily regulated industry people are  very careful so every process has make a checker   you know secondary review and whatnot  but in attack firm you if you try to   think about that just not gonna work because  to them it's about fast fast plus agile right   you know my millions of of uh uh uh consumers  and user my app's not going to wait for a change   management window to open at the end of the month  to make a change in the app if it's causing a   uh issue that will you know lose revenue right on  on that you will also have here that you know def   ops and dev set ups have also changed the way how  it management IT general controls have uh changed   uh in in that sense people don't have that many  layers of segregation or duties traditionally   so moving fast means a different risk  framework which requires a higher risk appetite   and a better understanding of  the risk-free trade or trade-offs   but the good thing is that unlike  traditional organizations when they do that   they tend to have the tools that allow them to  manage the risk automate that detect outliers   that is something traditional organizations face  in trying to change because you want to change   but if you don't invest in in in two things like  the risk reward trade-off and and the two means   you're not going to be able to get that because  it requires you to take more risk which you can   mitigate but it requires also more ultimate  solutions to to to look at that so i mean   just mindful time like that's that's probably  the the high level sorry answer i can give i i want you to tell us more about in  terms of the risk appetite about the   risks that the traditional organization must  face when become more digitalization because   in my first question to discuss about the when  under covid situations when the non-IT once   have to use IT technology to to like  include in some process and that   will incur more risks more new risks in terms  of like cyber security things or in terms of the   the other is that the traditional one is  not acknowledgement so i would like um some   you to explain sometimes about the risk appetite  and the new risks in from the digitalization   yeah so so uh i mean clearly uh you have a lot  more new ways because when you go digital then   you have reliance on the technology right what's  your favorite right today if i talk about cloud   do you go as a single cloud strategy multi-cloud  strategy and these are very complex stuff when   you talk about resiliency if i speak to someone  in banking you'll say oh we always do the DRP   we'll switch to the other data center and whatnot  but what does that mean from a cloud perspective   right so so and then this is where organizations  need to think about right what is my risk at the   time do i need to pay for more resiliency and and  and what's that trade-off i'm willing to accept   right what's that criticality on that right uh  so i think it's all going to be a risk reward   uh trade-off i think a lot of time i just  bring it back to from an audit perspective   auditors raise the risk for the time no  medium high i would challenge auditors to   ask the question so what uh maybe to the point  if you have two minutes with your board member or   CEO in the lift you want to tell me about the five  low risk issue or the one high risk issue that   that he or she can spend time to help support you  right and this is where we need to get better in   raising articulating the issues that we want to  highlight and also quantifying that risk impact   trade-off right because we see issues all the  time but some of them in the scheme of things   uh and and you know i come from a company that has  millions of transactions some more transactions   are low value right you may find exception but  you realize that hey i may have a 5,000 exceptions   here but that only constitute maybe 50 usd of loss  do i want to be focused on something like that   right that that's that's where you know we have  to be helping management think about that risk   reward track of trade-off and then this will  also help build credibility or ia because you   say oh i is just raising everything whether  is it worth 50 or 5,000 dollars right so you   know you want to spend your time so that you you  you become credible and rip at value and impact thank you Richard i think we have the question from the chat box a very long  question but i will ask with the short one uh   they mentioned about the ai and machine learning  could you please tell us that how can we   audit the ai or machine learning or to help  the business uh to make value and how can we   use the ai machine learning in our audit below  yeah uh so okay i'll break it down so from ia   perspective uh i've seen audit functions uh and  we are also starting to use that in analyzing   trends and issues right because uh and  and this is a very heavy extensive topic   because there's also things like ai bias  right uh on that so you can use it to train   data to see the trends that you have and then  you can see anomalies for example certain type   of transactions peak at certain time of the  week of day right and if you feed that through   months and years of data the the ai will learn  that is the trend so which means to say when   things change differently from the volume type  of transaction it should provide you those   other let's say that something else is going on  differently on that right so this is one way and   how we do it around like for example if you have  a customer service site right you could use it   on fuzzy logic to pick up keyword search what are  customers complaining about that also provides you   uh indicative hotspots that hey is there a process  or control issue around that because we see a   lot of customer complaint in that area right so  there's on that now auditing ai now that that is a   tough one uh so the way our approaches this is  two things right of course it helps if you have uh   such people in your team to help you but not it's  always around framework and there's been various   regulators around the world that have taught uh  published various framework to think about ai   right and and you need to think about the bias  right so that in the same way that we do that how   ai models are developed by the business in  terms of the data set they are using for   training is very important because that will  create buyers and and you can google that right   there in the us there was one that they use for  sentencing guidelines on offenders and they found   that there was a bias on on on a certain  race because the past data seem to suggest   a certain ways are given behavior sentencing  right and then that's where you using those   data past data although it's factual data could  create a bias on on on that right so so it's all   thinking about the framework when where people say  that oh i'm going to start the ai machine learn   uh you need to challenge around yeah what is  that data set what is that you know things   and and then what are the feel safe how do they  monitor and check that that bias do not happen   and it could be from uh based on uh ray sex or  profile even from a credit decision process in a   bank or you know offering a loan uh as a and then  you know in extreme government services as i say   or whether certain decisions are made with  those buyers lisa you mentioned about the   open source that you use for the technology audit  and and you said that you will tell us yeah so so   uh you know in this whole transformation as we  advocate for digital auditors right uh we also   recognize that and and the world of learning  has changed today last night you have to go for   course sit in person go to a school university  to ask yourself uh the learning industry's been   disrupted as well so you have things like  consora linking learning uh like my whole   audit department is pursuing consora google data  analytics professional certification uh and we   mandate that for for every uh auditor uh business  or tech or otherwise so that everyone has that   foundation training the other thing that we wanted  to do is also to help understand that despite all   the training not everyone is just going to be as  technically savvy to write scripts from day one   the beauty of today's technology has  enabled uh analytical tool what we term as   low code no code 2 right that allows them to do  data analysis without having deep appreciation of   scripting or coding and and that can be taught so  one open source source software is called nine k n   i m e uh and and and that that is a tool uh that's  also have been used by uh a few other global audit   functions uh so yeah if everyone is interested you  can uh you know uh go online and find them okay Richard hi hi hi hi so you give us a  open source right or something yeah i i i just uh posted the link oh okay  thank you very much uh richard Khun Suvimon   just asked the same question i asked  you how many people of your team   of Grab singapore uh we uh regionally we  have uh uh uh 20 over people right now   uh and and and uh we asked you in a midway  through our multi-year transformation uh   so so i think i think the other thing is also  to to think about the idea of the future because   uh with the technology and tools some people  think about iesi should be proportional to   the revenue some people think about ie  size that should be proportional to the   number of people in the organization uh not wrong  right i think the new dimension then is also   ie size relative to the uh uh the technological  tools expertise uh and data available within the   organization because that also allows you so  uh and this is where we want to future-proof   the audit function uh in the sense that  you know technology will allow us to   uh digitalize a lot of the audit work right uh  but that doesn't mean there's no audit work that   it allows us to fill in the high resolution  because i think in a company like us that's   always venturing into new markets doing new things  we are always just trying to say hey where's the   new thing that we need audit but we still need  to continue to audit the many other things that   is already on our plate right so so so i i think  uh you know if anyone would think about that   you know when you think about your  audit function in the future think about   that it's not about the number but the number of  right expertise that you have to help you create thank you Richard uh for the last  question uh for one sentence to be   digital ia what would you  recommend for one sentence don't be afraid yeah changes change is always frightening uh and and  i i i think i'll leave it with everyone don't be   afraid right because you know i we i can't have  this talk everyone said yeah we we need to do   all this but if you don't step out try fail yeah  uh experimentation don't be afraid to experiment   yeah outside maybe do not be right do not be  afraid to experiment because only through trying   failing then we can get better and  and i'll leave everyone with that thank you very much richard i think we uh  appreciate your time and maybe we are a little bit   late and you have the family engagement right so  thank you very much uh and please if you come to   thailand tell me and i i miss singapore so i will  visit singapore which is that thank you richard   all right thank you for this opportunity very  much bye thank you bye-bye thank you very much

2021-11-09

Show video