No More Waiting Game for Manufacturers: Industry 4.0 Is Already Here

By Sharon Lindstrom, Managing Director
Manufacturing and Distribution Industry Leader

 

 

 

The term “Industry 4.0” isn’t new to manufacturers. What is new, for many of these businesses, is the recognition that the next wave of the Industrial Revolution is already breaking. There is no more time for “Let’s wait and see what this means for our business.” No manufacturer can afford to sit on the sidelines and watch as their industry is transformed by major innovations in digital technology — from cloud computing to big data analytics to advanced robotics to the Internet of Things (IoT). They must be in the game. And to be in it, they must transform their operations digitally.

Embracing big data analytics is an important step on the path to smart manufacturing. It has the potential to affect every step of the manufacturing process. Ultimately, advances in big data analytics are expected to augment the interconnectivity of equipment on the factory floor as part of a larger movement toward the IoT and greater manufacturing intelligence.

That’s a pretty big deal. Yet manufacturers, generally, have been slow to adopt big data analytics, especially in manufacturing operations. This is not necessarily due to lack of interest, or worry about costs, privacy, security or even change itself. The real hindrance is a combination of several significant roadblocks that many manufacturers must overcome before they can implement and execute big data analytics successfully.

These common barriers include:

  • Unwieldy data and processes — Manufacturers facing this problem can take comfort in knowing it’s an issue that plagues most any company pursuing digital transformation. Certainly, there is no shortage of data being produced by the business. The challenge is figuring out how exactly to bring together that ever-ballooning volume of raw data from different systems and sources so it can be analyzed and turned into actionable insights for the business.
  • Disparate systems — This barrier relates to the one above, obviously. Integrating data is complicated by inaccessibility. It is often the case that a business’s legacy technologies have not been designed to facilitate open access to data. The complexity of a typical IT ecosystem makes it very difficult to mine quality data and convert it into a workable format for analysis.
  • Expertise shortage — Finding specialized talent to work with big data — especially professionals with knowledge of the manufacturer’s business and industry — can be a tremendous hurdle. Manufacturers are finding that talent is in very short supply, and extremely competitive to recruit and retain. Over time, as the industry becomes more digitized, manufacturers are likely to face talent shortages in even more areas of their business.

Again, these are just some of the roadblocks manufacturers face. They are not trivial, and companies will find that some are quite persistent. But a manufacturer that wants to be a relevant player in Industry 4.0 must address them sooner than later.

Make sure big data projects have a purpose

As manufacturers work to overcome big data analytics obstacles they must not forget an important aspect of their effort: keeping their business strategy in focus. I will come back to this subject and offer a few tips for success in this area in a future post, but the one I want to mention here is extremely important: Identify a specific use case.

Manufacturers should not just “do” big data analytics because they are under pressure to evolve their operations. Any big data initiative should have a clear purpose. Lack of purpose is often the root cause of a company’s struggles to harness its data effectively and turn it into meaningful insights.

Some may consider it an upside that the manufacturing industry has not moved as quickly as other industries to jump on the big data bandwagon. And it is true that manufacturers that have so far taken a “wait and see” approach with big data analytics and similar digital innovations have the benefit of learning from the missteps of early adopters, and can develop a strategy for success based on lessons learned. But they must make their move now, or they risk falling too far behind the digital curve and becoming obsolete in Industry 4.0.

 

 

From the GAM Conference: Changing Priorities, Analytics in Auditing and More

This week, Protiviti is joining the best and brightest thought leaders from Fortune 500 companies at The Institute of Internal Auditors’ 2017 General Audit Management (GAM) Conference in Orlando, FL. For nearly 40 years, GAM has been the premier experience for internal audit leaders to explore emerging issues and exchange leading practices for positive outcomes. The theme for the 2017 conference is Fostering Risk Resilience. Two Protiviti leaders, Brian Christensen and Jordan Reed, will be conducting panel discussions on stakeholder expectations and the Internet of Things, respectively. We are covering these events and more from the conference here on our blog and on Protiviti’s social media platforms. Subscribe to our blog and follow us on Twitter for timely podcasts and analysis of this year’s conference topics.

 

On Day 2 of the conference, Protiviti Managing Director Jordan Reed shared some thoughts on the panel discussion titled “The Internet of Things: What Does This Mean to Internal Audit?” Jordan led the panel together with Jeff Rowland, Vice President, Audit Services at USAA. Below in Jordan’s own words are highlights from the discussion. For more on why the Internet of Things matters, and the risks and expectations arising from it, read the recently published Protiviti white paper (download).

Share on Twitter

Also hear Protiviti Managing Director and The Protiviti View blog host Jim DeLoach share his view on stakeholder expectations as reflected in the Global Internal Audit CBOK Stakeholder Study.

Share on Twitter

Finally, Protiviti Managing Director Matt McGivern discusses the current state of data analytics in internal auditing, including findings from Protiviti’s latest internal audit survey. Listen below.

Share on Twitter

Embracing Analytics in Auditing: New Protiviti Survey Takes a Look

In a digital world, the time for internal audit functions to embrace analytics is now. This is the most significant takeaway from Protiviti’s 2017 Internal Audit Capabilities and Needs Survey, released today. The results show that chief audit executives and internal audit professionals increasingly are leveraging analytics in the audit process, as well as for a host of continuous auditing and monitoring activities.

Learn more by watching our video below. For more information and our full report, visit www.protiviti.com/IASurvey.

From Tiny Tech to Populism: Latest Issue of PreView Scans the Global Risk Horizon

jason-dailyBy Jason Daily, Director
Risk and Compliance

 

 

 

Imagine a DNA-programmed nanoparticle capable of hacking cancer cells, a plankton-sized carbon tube that can remove pollutants from water, or food packaging that changes color in the presence of dangerous bacteria. Nanotechnology, with a market predicted to reach almost $13 billion by 2021, has the potential to change the world, and every industry — from healthcare to the military — has a stake in its advances.

Use of Nanomaterials by Industry

With that potential, of course, comes risk. Nanotech may be applied in controversial ways — such as surveillance, or weapons capable of attacking people, plants or livestock at the molecular level. The technology is not visible to the naked eye, raising concern among some, who worry that self-replicating nanobots could destroy the planet if not properly controlled.

Nanotech is only one of the macro-level trends we’re watching as part of Protiviti’s ongoing PreView global risk series. We evaluate emerging risks according to the five global risk categories established by the World Economic Forum. In the January edition, in addition to nanotechnology, we consider the risk of a global water crisis and the “morality” of thinking machines, and we look ahead at the risk of marching populism and what cybersecurity means on a national and global scale.

WEF Global Risk Categories

The flip side of risk is opportunity. While governments and industries grapple with the shortage of fresh, clean water, particularly in developing countries, opportunities for water applications of nanotechnologies abound. As artificial intelligence increasingly replaces humans in making key decisions, opportunities to improve the underlying algorithms can translate into market share and increased profits for the early movers. And finally, with cyber the new warfare, governments and companies have an opportunity to stake a claim in the cybersecurity space by designing products, as well as policies, that protect both digital assets and societal freedoms.

Several of the topics in our current issue are a continuation from previous issues. This trend will continue, as the risks we are keeping an eye on evolve over time and their implications change, sometimes quickly. Whether continuing or newly emerging, such as populism, all of these risks are fascinating to follow, and imperative to take into consideration in mapping long-term business strategies. That’s probably one reason why our PreView series is among our most popular publications.

I encourage you to both read and share our latest issue with your board and executives, to spark discussion and help ensure these emerging risks are part of risk discussions. And, we encourage a discussion here as well. Tell us what you think in the comments.

Internal Audit Around the World: Collaboration, Technology and the Female CAE

Susan HaseleyBy Susan Haseley, Managing Director
Internal Audit and Financial Advisory

 

 

Technology is creating new areas of risk for businesses, requiring a collaborative mindset and strong relationships to manage risk effectively. At the same time, technology is creating new opportunities to improve how internal auditors manage risk – opportunities that come with the same requirements of collaboration and relationship-building. These changes to the internal audit landscape are becoming evident at a time when more women than ever before have risen to positions of senior leadership.

In our twelfth annual edition of Internal Auditing Around the World, we explore the accelerating change wrought by technology as a source of opportunity and as a source of risk. We also decided to focus this year’s edition solely on the viewpoints of women leaders in internal audit. This combination of themes yields a fresh perspective on the growing drive to collaborate – with IT, business units, senior management and external partners – to leverage specialist knowledge, harness emerging technologies and build influential relationships as trusted advisers to the enterprise.

Technology is going to completely change the way we audit,” says Kathy Swain, Vice President of Internal Audit at Horizon Blue Cross Blue Shield of New Jersey. “As more businesses are built entirely on technology, internal audit will need to follow suit.

In no area is this more true than in data analytics, a technological innovation embraced by many of this year’s internal audit leaders as a way to continuously monitor for emerging risks and potential optimizations. At Nordstrom, business intelligence serves not only to support the internal audit function, but also to share insights relevant to business decision-makers.

These insights will allow our team to become even better at what we’re already good at – risks and controls,” says Dominique Vincenti, Nordstrom’s Vice President of Internal Audit and Financial Controls. “They will also help us to underscore the direct value that the function is providing to Nordstrom in many other ways.

Some internal audit groups take a different approach – they collaborate with external partners not only to gain access to specialized expertise, but also to leverage technologies not available in-house. “We’re not necessarily making huge technology investments,” says Julie Eason, CNL Financial Group’s Internal Audit Director. “When I don’t have the tech internally, I rely on my co-sourced partners.

Last but not least, cybersecurity is a growing area of risk that has led internal audit functions to partner closely with IT. Monica Frazer, Vice President of Internal Audit for Baylor Scott & White Health, holds meetings with the chief information security officer at least once a month, and has new hires undergo extensive training in relationship-building skills. This emphasis on collaboration pays off, according to the surveys Frazer’s department holds after every audit. “We’re really viewed as a trusted business adviser,” says Frazer.

Mari Yonezawa, Chief Audit Executive at Obara Group, sums up this year’s theme well: “If auditors have strong communication skills, they can build good relationships, and the audits will go more smoothly.” Then she adds, “I think this is why women make good auditors. We tend to be effective communicators.

The full volume of our 12th edition of Internal Audit Around the World is available here – peruse at your leisure and let us know your thoughts.

Data Analytics in Internal Audit: An Imperative That Can’t Wait

May is International Internal Audit Awareness Month. We are Internal Audit Awareness Month logocelebrating with a series of blog posts focused on internal audit topics and the daily challenges and future of the internal audit profession.

 

Kyle Furtis

By Kyle Furtis
Managing Director, 
Internal Audit and Financial Advisory practice

 

 

 

Data analytics is a hot topic for internal audit departments. In our most recent Internal Audit Capabilities and Needs survey, data analytics figured among the top ten priorities for internal audit professionals, and CAEs ranked big data and business intelligence their number one priority. When we concluded that internal audit has arrived at a tipping point, it’s fair to say that data analytics is one of the items sure to cause the precipitous changes in how we, as internal auditors, do our work.

The profession is aware that businesses are now more data-driven than ever before, and that not utilizing this data can be detrimental to the proper evaluation of risks and controls and, more importantly, meeting stakeholder expectations. Even so, many internal audit departments are still struggling to come up with a formal methodology for integrating data analytics into their work. A formal data analytics program has a mission and a purpose. It also specifies how data is to be identified, acquired and analyzed to determine potential breakdowns of selected controls. But how do you begin?

One recommendation, based on observing successful data analytics programs within internal audit, is to start in areas where you’re comfortable with the data – whether it’s account reconciliations, journal entries, payables, fixed assets, payroll, human resources or threshold/limit controls. It’s easy to test data based on information you’re comfortable with. Just start in an area where enhanced visibility into the underlying data can add value to internal audit findings.

An interesting example of how to begin came from one internal audit shop I worked with. One of the required steps in each audit was for auditors to explain why they didn’t analyze data when performing testing of internal controls. The auditor’s manager and the director of internal audit were also required to sign off on the explanation. The idea was that inserting that step into the audit program forces auditors to think about data in advance of the audit, knowing that they have to answer that question. They couldn’t just give a flip answer, such as “We didn’t have the time,” or “This type of audit is not conducive to data analysis.” It really forces the internal audit staff to think about the risks, the data behind the risks, and whether some data analysis is appropriate.

For those already thinking ahead in this manner, I suggest below a high-level road map that outlines what data analytics may look like in a few years, and how to get there:

  • In Year 1, define your objectives for data analytics and set the basics: Train staff, identify tools, access and normalize data. You may need to prove the value of data analytics through strategies such as pilot and proof-of-concept programs.
  • In Year 2, identify opportunities to fully embed data analytics in internal audit. Define the data-access model, establish key performance indicators (KPIs), and integrate ad hoc analysis.
  • In Year 3 (and perhaps beyond), fully embed data analytics, broadening its use within the organization, and move toward data governance.
  • Next, engage in continuous analytics, fully integrating the analytics program and establishing standard reporting practices. Enable access to analytics reports throughout the enterprise and increase the level of data governance.
  • Finally, introduce predictive analytics. This would be a new frontier for internal auditors, as predictive analytics is not 100 percent accurate, and, as auditors, we’re used to high precision and accuracy when we analyze data – but it will yield interesting results that you can use for discussion.

Incorporating data analytics into internal audit won’t happen overnight. It’s a multistage process, with components introduced over the course of several years. As with everything, the most important step is the first one – so get started on defining your objectives now. By following the road map outlined here, the benefits of more efficient and effective audits will not be too far down the road.

IT Audit Benchmarking Webinar: David Brand and Robert Kress Answer Your Questions

David BrandRobert E. Kress (Accenture)By David Brand
IT Audit Global Practice Leader, Protiviti
and
Robert E. Kress
Managing Director, IT, Financial and Operational Audit, Accenture

 

It has been a few months since the release of Protiviti’s  5th Annual IT Audit Benchmarking Survey (conducted jointly with ISACA) – documenting the top tech challenges of executives and IT professionals around the world. We covered the highlights in a webinar and a blog post back in December. We’ve said a lot on the topic, online and offline, but what’s needed is a dialogue. To that end, we want to address some of the questions that were asked during our December webinar that we didn’t have time to address then. The questions are as relevant now as they were then, and will continue to be for some time. Protiviti’s David Brand and Accenture’s Bob Kress presented at the webinar and took the time to provide the answers below:

Q: What are some of the top customer relationship management (CRM) tools for risk assessments?

Bob: There are many reputable CRM systems in the market. We use the CRM contact management functionality to support our continuous risk assessment – tracking the people we have risk discussions with, scheduling meetings, tracking meeting notes and reporting. Accenture uses Microsoft Dynamics in a software-as-service model for this capability. This works well for us, as MS Dynamics interfaces directly with Office 365 Exchange for email, which enables easy scheduling and calendaring.

Q: Which framework would you recommend for IT audit? COBIT or COSO, or is there something else?

Bob: Accenture uses the COBIT framework for the IT risk universe. We use it to assess risk across all businesses and functions, with particular emphasis on those functions or businesses that contain IT infrastructure (e.g., data centers, hosting servers, networks) and those that manage confidential data. For IT audit reporting, we use the COSO framework to assess the severity of findings. The NIST cybersecurity framework is well-aligned with the major risk frameworks in the market, such as ISO, COBIT, and ISMS. NIST provides a comprehensive framework to assess cybersecurity and is becoming increasingly popular and accepted in the marketplace.

David: Frameworks are good tools to ensure that your thinking is broad enough to cover areas that might not be top-of-mind. But I’d also suggest that sticking to a single framework probably isn’t the right idea. You need to consider various frameworks that are out there and pick and choose the right framework components and points of focus that are going to work for your organization.

Q: For advisory projects, do you issue an audit report at the end of the project with detailed audit objectives and conclusions?

Bob: For advisory services projects we typically do not issue audit reports. Our observations and recommendations are communicated via a variety of forms, depending upon the nature of the advisory service. This includes a report, an email, verbally in review meetings, etc.

Q: Please elaborate more on the meaning of the term “integrated auditing.”

Bob: For Accenture, integrated audits typically combine an assessment of financial or operational risk and technology risk. A combined team of financial, operational and technology auditors is used for these audits.

Q: What are some best practices when developing an IT audit universe?

David: Start with an inventory of all the applications an organization has deployed, all the technology used to deliver products to market. List all of the databases, platforms, networks, etc. that those applications run on. Then look at all of the services required to manage all of those tools and infrastructure – user administration, configuration, patch management and so on. You really need to look at both halves – the technology infrastructure (software and hardware) and the processes that deliver and support the infrastructure, and assess the risk of each component. That gives you a bottom-up view of the technology risk environment. You also must seek to understand how technology supports and interacts with the achievement of the company’s strategies and objectives and how it is used to support key risk mitigation strategies. Mapping this thinking back to the infrastructure components and services inventoried above will provide you with a top-down view of technology risk. Both views are necessary to obtain a complete picture.

Q: Do you assess just inherent, or both inherent and residual risks, as part of the risk assessments? Would you recommend developing an audit plan based on inherent or residual risk rating of auditable unit risk rating?

David: Traditionally, we like to talk about inherent risk. The challenge is that a risk assessment is typically based on the perspectives of management, and getting management to understand the difference between inherent and residual risks, and divorce themselves from their knowledge of the control environment to answer in an inherent way, is too difficult. In other words, once a manager knows all of the controls that have been implemented to mitigate a risk, it is very difficult for that manager to step back and try to think philosophically about that risk and all of the things that are inherently risky about it, because that risk has already been addressed. So, I like to go in and talk about both the risks and the strength of the control environment, and then I can conduct audits from there.

Q: As you perform continuous risk assessments and note changes, do you issue a new risk assessment report with each change or just one annual report for the audit committee?

David: As you progress from performing annual risk assessments to performing assessments quarterly, or even continuously, you are not re-issuing risk assessment reports, but you might have a heat map or some other dashboard or indicator that is updated as the risk landscape changes. You’ll present risks to the audit committee based on that heat map – this is not really a report but more of an update, or a summarized updated view of risks. By the time you get to a true continuous risk monitoring model, there would no longer be a need for an annual report, because risks are being assessed and reported in real time.

Given the rapid and accelerating pace of change in data management, security and infrastructure, IT audit will continue to be a hot topic and one we will be monitoring closely, revisiting our survey results and webinars for more insights. In the meantime, feel free to share your experiences in the comment section below.