Sharpening up internal audit's capabilities to address complex strategic and business risks

1. Internal Audit: The new waveRevolutionizing the Internal Audit function whilst retaining core values Singapore, 16 – 18 February 2011 Sharpening up internal audit‘s capabilities to address complex strategic and business risks Daniel LustenbergerHead Group Internal Audit DKSH Grand Copthorne Waterfront, 17 February 2011

2. Content Management’s expectations in an increasingly multifaceted and complex business environment Positioning internal audit to assist management proficiently and effectively in strategic risk management matters Mastering red flags and brand protection in an international environment of rising enforcement of anti-corruption legislation Embracing internal audit’s need of competitive and decisive IT capabilities in hot topics such as IT security, ISO/IEC 27000, ITIL, end user computing and peer-to-peer networks Forming high performing integrated audit teams in an ever challenging labor market

3. Management’s expectations 2011 Top 10 Audit Plan Hot Spots from the ADR1 Strategic change management continues to be the dominating concern as companies are continuing to experience change at a fast pace1 Hot spots like investment mgmt, M&A and international operations reflect the search for new growth opportunities1 Re-regulation and protectionism are making a comeback, globalisation has turned inflationary, and productivity growth has ebbed… Managing IT systems – potential of a glass wall between a company’s IT department and other departments2 1 Source: CFO Executive Board and Audit Director Roundtable research 2 In reference to AmitBasu and Chip Jarnagin, How to Tap IT’s Hidden Potential, MIT Sloan Management Review, 10 March 2008

4. Management’s expectations In this integrated and highly complex world – which, contrary to the hype, ... … is neither “borderless”, nor “flat”, nor any of the other trendy clichés – the business leader must be a “renaissance person” or at least have the intelligence and humility to rely on persons around him/her for achieving the kind of global knowledge and sensitivity that are increasingly required.Jean-Pierre Lehmann, What is responsible business leadership in the early 21st century, June 2008 The E7 emerging economies (China, India, Brazil, Russia, Mexico, Indonesia and Turkey) are set to overtake the G7 economies (US, Japan, Germany, UK, France, Italy and Canada) before 2020.World in 2050, The accelerating shift of global economic power: challenges and opportunities, PwC, 2011 In an era where > 90% of all documents are produced electronically and ¾ of those never make it to the printer, the 'smoking gun' evidence for compliance or litigation is more likely to be found within a computer than buried in a filing cabinet.www.legaltechnolgy.com/digital/pdf/2004 Legislation, as manifested by Sarbanes-Oxley, will do little to prevent future failures as it cannot address the underlying causes. It will not prevent companies pursuing flawed strategies or making poor acquisitions. Stewart Hamilton, Who Controls the CEO, June 2008

6. Increasing necessity for internal audit to understand strategic and operational concepts and evaluate respective company initiatives

7. Need for more strategic risk evaluation and for greater cooperation among functions within the organization

8. Streamlining Entity-Level Controls and effectively interfacing them for all COSO objectives (Strategic, Operations, Reporting and Compliance) with Process-Level ControlsSource: Star Model framework, Jay Galbraith 1 State of the internal audit study, PricewaterhouseCoopers, 2008 Source: Trajectory Management, Paul Strebel

9. Positioning internal audit Positioning of internal audit and required talents Source: A future rich in opportunity, PwC, 2010 www.pwc.com/us/en/internal-audit/publications/2010-study-internal-audit-profession.jhtml

12. China has become a key target of anti-graft actions of the US Department of Justice (DoJ), the main US law enforcement agency with regard to the FCPA. Outside the US, China is now the country the most involved in FCPA matters.

13. Accuracy and transparency of books and records are vital under both US and Chinese law. It may be hard to prove a bribe but inaccuracy in accounts is an easy target for whistleblowers.1 For several of the matters summarized in this section, refer also to Peter Humphrey, Managing Director ChinaWhy Co Ltd www.chinawhys.com, President ACFE China Chapter, Avoiding Trouble with International Anti-Bribery Laws in China, 15 Nov 2010

17. System capabilities should enhance the reliability of financial and operational information by utilizing integrated and embedded functions, for example, for (a) automated procedures; (b) the management of segregation of duties; (c) configurable tolerance level and check reports comprising real-time exception reporting; (d) the central monitoring of controls and analyses of transactions; and (e) Computer Assisted Audit Tools (CAAT).For an insightful evaluation of possible applications, refer to “Making sense of internal control: How to align vision, organisation and technology to lower your compliance costs and improve business efficiency”, PwC, 2010

18. Internal audit’s need of competitive and decisive IT capabilities Risks associated with weaker partners and suppliers is increasingopening up new windows of risk Source: Deloitte

19. Internal audit’s need of competitive and decisive IT capabilities Cloud computing – a new venue to conduct business with partners by creating the extensible enterprise Cloud computing is a general term for anything that involves delivering hosted services over the Internet. These services are broadly divided into three categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The name cloud computing was inspired by the cloud symbol that's often used to represent the Internet in flow charts and diagrams. Source of graph: Technology Forecast 2010, Issue 4, PwCwww.pwc.com/us/en/technology-forecast/2010/issue4/index.jhtml

21. With new computing models such as cloud computing, data security is high on the agenda. The possibilities of data loss, data leakage, downtime of service providers, regulatory constraints, and risk of intellectual property theft create a tense risk environment.

22. Cloud service providers should undergo an ISO 27001 audit, which systematically examines the company’s data security risks and then designs and implements a comprehensive suite of information security controls to address unacceptable risks.Vinod Baya and Randy Myers, Technology Forecast: 2010, Issue 4, PwCwww.pwc.com/us/en/technology-forecast/2010/issue4/index.jhtml

24. Internal audit’s need of competitive and decisive IT capabilities Business operations increasingly use complex data management infrastructures with multiple access points, new network access technologies, and high levels of user concurrency. Such complexities blur lines of data ownership, and challenge organizations to find new ways of managing information. Even when companies no longer have direct control over their IT systems, they remain responsible for performance and stability targets and that these services remain in compliance with applicable laws, regulations, and contracts. Technology Forecast: 2010, Issue 4, PwCwww.pwc.com/us/en/technology-forecast/2010/issue4/index.jhtml

25. Forming high performing integrated audit teams Talent development facing an increasingly multi-facet and self confident workforce… The talent crisis, an ageing workforce, increase in global mobility, ... Source of corporate wealth is shifting from the shareholder to the employee - employees will come to contribute more and more of the value, because today capital is much more readily available than knowledge1 Available talent now consist of people from a vast array of backgrounds and life experiences, companied that choose to retain homogenous workforces are likely to become ineffective in their business interactions and communications2 Source: Re-Inventing Retirement, IBM Corporation, 2006 1 Daniel Vasella, The Main Source of Corporate Wealth is the Workforce, Decades of Leadership , 40 years of Egon Zehnder International, 2004 2 Richard Hill, CFO Standard Chartered Bank, whitepaper Robert Half Singapore, Building a team of finance professionals, 2007

26. Forming high performing integrated audit teams Preserving valuable knowledge before it walks out the door Lacking skill sets of internal auditors Subject Matter Specialists – field specialists to tackle the complexity of difficult or demanding audit themes Knowledge is not only a competitive tool, it is also a motivational too We definitely need team players at all levels – people who are willing to contribute knowledge and share it – personalities1 Feedforward instead of feedback – forward looking development plans rather than historical KPIs Leadership is the ability to transform ordinary people into extraordinary people who will then create results1 Data warehouse controls, data mining and data analytics IT security and network penetration Fraud, corruption and ethics prevention, detection and investigation Strategic and organizational management People management and organizational behavior 1 Daniel Vasella, The Main Source of Corporate Wealth is the Workforce, Decades of Leadership , 40 years of Egon Zehnder International, 2004

27. Sharpening up internal audit‘s capabilities... Key ingredients for some years to come

28. Selected readings and studies Security Among the Clouds, PwC white paper, 2009www.pwc.com/us/en/it-risk-security/publications/security-among-the-clouds.jhtml Eliminating the IT Fear Factor: IT Control & Security for the Non-IT Auditor, part 4, Dr Dan Kneer, webinar Audit Director Roundtable, 22 Jul 2010https://audit.executiveboard.com/Members/Events/EventReplayAbstract.aspx?cid=100224122 UK Bribery Act: Compliance Beware and Prepared!, Society Of Corporate Compliance and Ethic (SCCE), web conference, 27 Oct 2010www.corporatecompliance.org/AM/Template.cfm?Section=Previous_Web_Conferences&Template=/TaggedPage/TaggedPageDisplay.cfm&TPLID=113&ContentID=6688 Viewing Global Business Ethics through Different Cultural Lenses: Global Business Ethics 2.0, Society of Corporate Compliance and Ethics (SCCE), web conference, 9 Nov 2010www.corporatecompliance.org/AM/Template.cfm?Section=Home&template=/CM/HTMLDisplay.cfm&ContentID=6318 Making sense of internal control: How to align vision, organisation and technology to lower your compliance costs and improve business efficiency, PwC white paper, 2010www.pwc.ch/en/.... Do More Great Work, Michael Bungay Stanier, Workman Publishing, New York, 2010www.domoregreatwork.com

29. Thank you Daniel Lustenberger Head Group Internal Audit DKSH Management Pte Ltd Singapore Finance Centre 101 Thomson Road, #17-05 United Square, Singapore 307591 Direct Phone +65 6578 9848, Mobile Phone +65 9647 1586, daniel.lustenberger@dksh.com www.linkedin.com/in/daniellustenberger www.dksh.com

30. Disclaimer The opinions presented in this presentation are the author’s own personal views, and may not necessarily reflect the views of DKSH and its associated companies. Whilst the author has taken all due care to establish the accuracy of the information presented, any error, omission, or inaccurate presentation is unintentional. Where possible all sources are attributed to the originator.