Dynamic Internal Auditing


Dynamic internal auditing
An approach to drive impact and insight by leveraging data-driven and
agile thinking at a project level

kpmg.com
© 2019 KPMG Services Pte. Ltd. (Registration No: 200003956G), a Singapore incorporated company and a member firm
of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG
International"), a Swiss entity. All rights reserved. Printed in Singapore.
Contents
Understanding this approach
New thinking for a new era
Adding value through insights and a higher-impact approach
Highlights of this approach
Overview of approach
Phase details
Initiate phase: Profile, acquire and discover, scope, plan
Perform phase: Analyze, validate, adjust
Deliver phase: Insights, solutions, actions
Drive phase: Support, monitor
Appendix I – Templates
Initiate
Perform
Deliver
Appendix II – Client credentials

Understanding this approach

New thinking for a new era


Rapid technology change. Shifting regulations. Talent shortages. Businesses are being disrupted from
many fronts, and the effects are trickling down to internal audit (IA) functions. The near future will add a
new level of complexity for IA, presenting challenges to overcome and opportunities to shine.
This new era demands new thinking and approaches, new skills, and new capabilities. Given the scope and
pace of change, traditional approaches to IA will soon prove incapable of providing the level of risk-related
assurance and insight that business leaders need to protect and enhance organizational value.
For IA to effectively meet the raised expectations of stakeholders—including the audit committee, executive
team, and business line managers—greater speed, agility, business alignment, and future-focus will
be paramount.
Adding value through insights and a higher-impact approach
The right audit approach for this new era is one that helps companies identify areas with the largest
potential for adding value to their business—or helps them focus on areas of greatest risk—by
working proactively with management to define and identify higher impact audits. We define higher
impact audits as those that provide insights to create tangible value through significant process
improvement, taking cost out of the business/operations, or generating revenue.
The keys to this approach include not just proactive involvement of management but also
continued collaboration, along with tools that support a more iterative approach, so audit projects can
adjust as needed to deliver as expected. Inherently, this becomes a more agile approach to audit.
Highlights of this approach

—— Initiate projects with a problem-solving mind-set on results and impact
—— Increase frequency and extent of business owner collaboration
—— Phase planned procedures with agility to change based on results
—— Prioritize findings to evaluate solutions based on ROI
—— Use alternative, succinct reporting that focuses on key issues and solutions
—— Continue IA's involvement to support solutions and drive impact

Overview of approach

[Figure: cycle diagram of the approach. Labels recoverable from the figure: Initiate, Perform, Deliver, Drive; Scope, Acquire, Analyze, Validate, Root cause, Change, Correct, Monitor; "Point of value to stakeholders".]

Traditional audits stop with delivering findings with superficial recommendations.

Drive impact beyond assurance by using insights for analysis of the right change to solve the problem.
Initiate

—— Nature of engagement (assurance or consulting services)
—— Initiate involvement of process owners
—— Data analysis, process, and risk assessment
—— Hypothesis, objectives, and scope
—— Timing
—— Resources (partner with process owners)
—— Approach (project plan with procedures)

Differentiators and potential benefits

—— Early data analysis in planning enables discovery-based risk profiling and prioritization.
—— A shift in focus from problem finding to problem solving at the onset leads to a more
impact-oriented scope.
—— Management involvement in planning drives early buy-in and informed scoping.

Perform

—— Iterative execution of procedures in phased sprints against hypothesis
—— Continued collaboration with process owners on procedures and results
—— Higher-frequency progress/achievement tracking
—— Issue tracking for action planning and final reporting
—— Scope and approach review for ongoing adjustment to plan and future sprints

Differentiators and potential benefits

—— Staging engagements in phases or sprints to achieve faster, tangible results
—— Process owner involvement to leverage cross-functional experience for insights and analysis
—— Frequent review of progress, results, and scope to avoid wasted time and stay impact oriented

Important decision points: In performing this analysis and identifying a problem, is there a good chance a cost-effective
solution can be implemented to solve that problem? Will this scope still lead us to an impactful outcome or do results
thus far suggest a change is needed? What solutions are possible to offer the most opportunity for impact?

Deliver

—— Identify opportunities for enhancements
—— Consider possible solutions to address items of significance and develop action plans
—— Communicate and disseminate final results and conclusion
—— Deliver assurance opinion or deliver consulting services output

Differentiators and potential benefits

—— Utilization of learnings to evaluate possible solutions and provide actionable insights that can
lead to improvements
—— Prioritization and rationalization of solutions over reiteration of problems demonstrates ROI for
IA work
—— Minimized effort on lengthy reporting for maximized focus on impact

Drive

—— Communicate the acceptance of risks
—— Correct any errors and omissions
—— Support implementation of solutions
—— Utilize monitoring system – follow up
—— Survey for feedback and future engagement

Differentiators and potential benefits

—— Support implementation of solutions to help the business achieve results and enhance value
—— Maintain a pulse on future risks and issues through continuous monitoring feedback to be
more dynamic

Phase details

Initiate phase: Profile, acquire and discover, scope, plan


Work with engagement stakeholders to understand risks, issues, areas of business underperformance,
and/or opportunities within the related process, leveraging data insights as relevant. Consider and
prioritize this information to establish scope and objectives for the engagement. Develop a plan for the
nature and extent of procedures needed to accomplish established objectives. Confirm the plan with
engagement stakeholders.
Engagements are any projects led by the group. A project is temporary in that it has a defined
beginning and end in time and, therefore, has a defined scope and resources. A project is unique in
that it is not a routine operation, but a specific set of operations designed to accomplish a singular
goal. (Definition from Project Management Institute)
Assurance engagements involve an objective examination of evidence for the purpose of providing
an independent assessment on governance, risk management, and control processes for the
organization. Alternatively, consulting engagements involve advisory and related client service
activities, the nature and scope of which are agreed with the client, are intended to add value and
improve an organization’s governance, risk management, and control processes without the internal
auditor assuming management responsibility. (Definitions from The Institute of Internal Auditors
International Standards for the Professional Practice of Internal Auditing)

Activities

1. Confirm the nature of the engagement (assurance versus consulting services)


2. Identify process owners and stakeholders
3. Through initial inquiry of the business process owner and discovery requests, understand how the
process is currently managed and monitored and any existing performance measurement data
4. Facilitate process mapping/risk assessment and early data analysis for the business process
5. Involve process owners and stakeholders in the review of process and data for effectiveness,
redundancies, areas of underperformance, possible fraud, and other risks/opportunities
6. Through review of process with its owners and stakeholders, develop a hypothesis and prioritize
risks/opportunities, including any quick wins, to establish objectives, scope, and deliverables
7. Determine procedures for identifying, analyzing, and documenting information, utilizing data
analytics as relevant
8. Determine resources needed, any specialists to call upon, and where to leverage involvement of
process owners
9. Determine timing and use of a phased or sprint approach to organize procedures in sets of steps that
each take about one to three weeks to perform before reassessing next steps and any scope change
10. Review and sign off on the engagement plan with audit management (example in Appendix I)
11. Communicate and confirm the engagement plan with process owners and stakeholders
12. If not already in the annual plan, also communicate the planned engagement to the audit
committee/board for approval
Deliverables

—— Engagement plan document (example in Appendix I)


–– Objectives and scope and supporting process map or risk assessment
–– Nature of engagement as assurance or consultative
–– Procedures to be performed and milestones
–– Schedule and timing of procedures and milestones
–– Resource allocation, e.g., project-specific – Responsible, Accountable, Consult, Inquire (RACI)
—— Engagement kickoff communication (e.g., email or memo agreed by the stakeholders)

Perform phase: Analyze, validate, adjust


Conduct the agreed-upon data analysis and other procedures in sprints with the initial focus on quick
wins. Involve process owners and other relevant stakeholders to evaluate results that meet agreed
exception criteria as soon as identified.
Begin any root-cause analysis and consider interdependencies and implications. Monitor the
engagement scope after each sprint phase and adjust as needed. Utilize frequent status updates with
process owners and other stakeholders to manage milestones in preparation for final reporting.
Sprints are a phased way of executing planned procedures. After each set/sprint of procedures,
scope and approach are reevaluated and adjusted as needed to enable maximum impact for effort of
future sprints. This results in an iterative approach between performing and adjusting the plan.
A sprint is ideally one to three weeks long, and if plans suggest a sprint would be much longer,
the need to break the sprint down is considered. These shorter sprints, versus a longer, traditional
fieldwork phase, enable faster progress and results delivered back to the business.

Activities

1. Perform the first sprint of procedures identified in the engagement plan:


–– Use data analytics and visualization tools to enable full population analysis for deeper insights
and results quantification
–– Leverage process owner involvement where possible in both performing and analyzing
procedures (with IA oversight), for ongoing collaboration
2. Reference source of information, purpose, key inputs, and assumptions for procedures, along
with steps to validate data used
3. Confirm results of each procedure or analytical activity, reperforming as necessary, and validate
with process owners
4. Analyze root causes, interdependencies, and their impact, involving industry or process-level
subject matter specialists for insights; prove or disprove hypothesis
5. Capture and review progress with team lead and project manager in an engagement snapshot
tracker, then communicate to process owners and other stakeholders:
–– Track results in running engagement snapshot that can later be refined for reporting (example
in Appendix I)
–– Use internal “scrum” or short meetings on a daily or other frequent basis
6. After each sprint, evaluate potential scope and approach adjustment (e.g., deep dive or
discontinue procedures) and communicate and update engagement plan accordingly:
–– Need for scope adjustment is based upon engagement impact and cost, and involves
discussion with engagement stakeholders
7. After confirming the scope, complete the remaining agreed-upon procedures in sprints.
Note: Mindfully balance process owner collaboration with quality challenge from IA
Deliverables

—— Workpapers with sufficient, relevant, reliable information utilized to support results and conclusions
—— Engagement snapshot (examples in Appendix I) and issues summary to communicate status
and support the final report
—— Engagement plan updated to reflect the final set of procedures and their review, with any
changes emerging during execution

Deliver phase: Insights, solutions, actions


Summarize work completed during the perform phase, complete root-cause analysis, and evaluate solutions
that make the most sense. Utilize insights to develop actionable plans focused on bringing impact to the
business. Leverage concise reporting that emphasizes outcomes and next steps to communicate final
results to all stakeholders, including senior management and audit committee. Agree on next steps.

Activities

1. Consolidate results from the Perform phase to support conclusions and final deliverable
(consulting engagement) or opinion (assurance engagement)
2. Summarize any opportunities for enhancements and issues
3. Evaluate solutions available to address opportunities and/or issues of highest significance and
impact to the business, considering their cost/benefit:
–– Knowledge of which issues are of highest significance is dependent upon the involvement of
business process owners during the Initiate and Perform phases, especially analysis of results
–– Involve industry or process-level subject matter specialists for insights
4. Assess which key risk indicators within the process or subject matter scope can be monitored
going forward to improve risk sensing and faster response capabilities
5. Prepare a highly summarized final report or deliverable to convey outcomes and proposed next
steps (examples in Appendix I)
6. Communicate final results to stakeholders
7. Agree on next steps to drive impact through agreed solutions to be implemented and any
continued support to be provided by IA

Deliverables

—— Communication of results and engagement closing (e.g., report on a page, email, meeting agenda)
–– For assurance engagements: Conclusions reached, applicable recommendations and/or action
plans, and opinion regarding the entity, operation, function, process, system, or other subject matter
–– For consulting engagements: Consultative advice or agreed product output and any
conclusions, applicable recommendations, and/or action plans
—— Report on a page (examples in Appendix I) or other highly summarized final report

Drive phase: Support, monitor

Evaluate risks accepted by stakeholders after receiving communication of results and agreeing on next
steps; communicate risk acceptance to appropriate parties. If identified, address any error or omission
found in the final results and communicate the correction in a timely manner.
As next steps are implemented, provide support to process owners for a sustainable change process.
Follow up and verify completion of agreed next steps.

Activities

1. Communicate risk acceptance to proper management through reporting, sign-off, or other


channel used by the organization
2. Correct errors or omissions that would change the outcome of IA’s findings or conclusion if
identified at any point after report is delivered
3. Log engagement within the annual engagement summary for tracking agreed next steps
4. Support process owners in the implementation of next steps and any troubleshooting needed to
achieve a sustainable change
5. Wherever possible, institute continuous monitoring based on key risk indicators identified during
the course of the project
6. Follow up to verify completion of next steps
7. Engagement survey sent for feedback and future engagement interest

Deliverables

—— Risk acceptance communication, e.g., email or memo, if applicable


—— Annual engagement summary log
–– Add to running log of current year engagements
–– Document the type of follow-up: Support implementation of solution, inquiry on progress,
retest, updated document, etc.
–– Set follow-up target date
–– Set follow-up completion date
—— Engagement survey questionnaire, depending on size of engagement

Appendix I – Templates

Following are several sample templates intended for illustrative purposes. Each organization will
have its own perspective on where standard templates would be beneficial and which attributes and
elements to incorporate, based on its audit program.
Initiate
The following is an example of a template to use for the engagement plan with RACI to convey
agreed objectives, scope, phases of procedures and milestones, timing, and resource roles
and responsibilities.
For illustrative purposes only, as each organization considers what makes sense in its environment.

Perform
The following is an example of a template to use for the engagement snapshot and as a running
status report and log of findings throughout the course of the project and ultimately use for
final reporting.
For illustrative purposes only, as each organization considers what makes sense in its environment.

Deliver
The following is an example of a template to use for the report on a page to distill down to the
“so whats” for the engagement and avoid time spent on reporting that stakeholders are either not
interested in or can get in other channels such as at the engagement onset or through status reporting.
For illustrative purposes only; each organization considers what makes sense in its environment.

Appendix II – Client credentials

$5B domestic retailer

—— New leadership required every department to articulate its ROI
—— IA had been heavily focused on SOX and had to move beyond compliance to
stay relevant
—— Data-driven project approach was found to offer the most likely impact
—— Representative projects:
–– Machine learning video analysis
–– SKU-level inventory adjustment analysis
–– Employee turnover analysis against shrink results

$1B domestic consumer services

—— Growing, potential IPO candidate with first-time audit, risk, and compliance function
—— Audit function engaged in a wide variety of nontraditional projects and needed a
simple but effective approach
—— Representative projects:
–– Employee discount program analysis
–– Corporate card spend and compliance

$6B multinational industrial manufacturer

—— Executive leadership tasked chief audit executive with achieving more audit coverage
and greater visibility over its 20-plus plant locations
—— IA traditionally performed one to two site audits per year, selected primarily on
stakeholder feedback obtained during the annual risk assessment
—— A continuous risk assessment (CRA) project was undertaken across all plant locations
to achieve:
–– Timely risk and performance insights
–– Dynamic audit planning
–– Remote/desktop auditing with quarterly reports

$4B domestic construction materials producer

—— Rapid growth environment due to acquisition activity
—— IA emphasis on a higher-impact approach, with more frequent risk assessments and
optimization of resource allocation
—— Representative projects:
–– Dynamic site risk assessment dashboarding and monitoring
–– Incident hotline management and reporting

Connect with us
Jonathan Ho
Head of Internal Audit, Risk & Compliance
Head of Enterprise Market
T: +65 6411 8336

Tea Wei Li
Partner
Risk Consulting
T: +65 6411 8114

Some or all of the services described herein may not be permissible
for KPMG audit clients and their affiliates or related entities.

kpmg.com/socialmedia

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity.
Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is
received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a
thorough examination of the particular situation.


The KPMG name and logo are registered trademarks or trademarks of KPMG International.
