Paving the way for audit transformation

What comes to mind when you think of the audit function within an organisation? Perhaps it is not one of the most liked, with its investigative nature and attention to details, but its role as the third line of defence is never one to overlook. As companies change their ways of doing business, so should the audit process adapt to meet these changing demands. We spoke with Teo Khai Lynn (pictured in the middle), Head of Audit Methodology & Standards, on how OCBC is doing so.

Q: Hi Khai Lynn. To set the stage – What sparked this project?

Khai Lynn: At the crux of our work is how we, as a function, could help improve the quality and effectiveness of governance, risk management and internal control processes, and enable OCBC Group to accomplish its strategic objectives, using a risk based, systematic and disciplined audit approach.

It is crucial for us to constantly adapt and refresh our audit techniques to ensure they remain fit-for-purpose and relevant in addressing the ever-changing risk profile of our businesses. This was what kickstarted the project.

Q: What was/were the objective(s) the division was looking to achieve?

Khai Lynn: We looked at two main prongs when reassessing the current audit methodology – how could we refresh the existing audit methodology to extend audit scope to new areas, such as strategic and digital risks; how could we bring in new, agile, continuous risk assessment and auditing techniques to improve the effectiveness and efficiency of our framework.

Q: Could you tell us more about the project team involved?

Khai Lynn: My team, Audit Methodology & Standards, stepped up as project co-ordinator of this combined effort involving all audit teams within Group Audit, which brought different expertise and perspectives to the project. The 30-headcount strong core project team worked alongside external consultants, who guided the process and provided insights into best practices.

Q: Tell us about the journey.

Khai Lynn: We decided to try something new, by adopting an Agile-Scrum methodology in managing this project. Interestingly enough, agile auditing was one of the deliverables in our list!

The project team was first trained on the Agile-Scrum methodology. This was an entirely new concept to us, and an external consultant whose scrum masters were present helped guide us through the process.

Additionally, in order to equip ourselves with the required skills for continuous risk assessment and auditing, auditors were also trained in ACL and Qlikview. Through these trainings, we were able to gain a better perspective of how we could leverage technology and data analytics in audits.

Q: What challenges did you face?

Khai Lynn: The main challenge was adhering to the daily scrum, which required each project member to be committed to share and inspect their respective project team’s progress by answering three questions:

• What had the project member done yesterday?
• What will the project member do today?
• Are there any impediments?

A typical daily scrum should last no more than 15 minutes. It was tough adapting to this in the beginning, with project members spending more than half an hour each daily on daily scrum or deviating from the three questions posed. External scrum masters were physically present to ensure that project members adhere to the spirit of the daily scrum. This improved over time and the project members saw the benefits of this project management methodology.

What were some of the successful outcomes from this project?

Khai Lynn: Through this project, our audit scope has been expanded to include auditing of strategic risks (including digital risk) and different auditing techniques have been introduced. These would enable us to have more timely, forward-looking and effective audits.

The adoption of the Agile auditing technique also introduced more dexterity in audit planning and executing the audit engagement in response to new and emerging risks. With greater involvement of our audit clients in the development of the audit scope, we had more constructive discussions on the identification of key processes, inherent risks and control mechanisms as well as root causes to audit findings and feasible management action plans.

How long did the project take from start to finish?

Khai Lynn: We started in May 2018 and completed the project in four months. The refreshed audit methodology was approved by the Audit Committee in October 2018.

What are your biggest takeaways from this project/innovation?

Khai Lynn: This was a project developed by Group Audit, for Group Audit, with proposed changes coming from within. This active participation from the ground ensured that changes were practical and fit-for-use for Group Audit. With this project success, we look forward to further innovations and improvements within Group Audit in the future.