President's message

December 2017

Looking Ahead to 2018
As the year draws to a close, I would like to take the opportunity to share my thoughts on some of the key priorities in 2018 that should be on the Chief Audit Executive’s (CAE) radar. 
Data and Technology
Data and technology will continue to disrupt and transform organisations. Technology is evolving rapidly with cloud computing, internet of things, artificial intelligence and robotics.  CAEs need to incorporate technology into their assurance and advisory roles to keep up with the evolving risks, strategies and needs of their organisations. 
2017 was a year dominated by data breaches and cybersecurity threats.  Cyber risk management will continue to be a strategic priority and CAEs need to recognise the importance of cyber resilience.    
In Singapore, the new Cybersecurity Bill that takes effect in 2018 will empower the relevant authorities to manage cyber incidents and ensure that organisations with critical information infrastructures will responsibly manage cybersecurity risks. 
Geopolitical Risks
Brexit, US President Trump’s government policy, China’s rise as a global power and North Korea’s nuclear threats can pose significant threats to businesses. Internal Audit (IA) needs to support the Board in their risk governance responsibilities and review of the effectiveness of enterprise risk management.
Organisational Culture
Organisational culture and tone at the top can make or break organisations.  CAEs must continue to keep this on the radar as major corporate failures have been attributed to fraud, ethical and conduct issues, and misplaced corporate values.  IA plays a vital role as the trusted advisor of the Board to provide an independent and objective assessment on governance, risk management and internal controls.
In closing, I would like to extend my best wishes to our members and partners and look forward to another exciting year ahead.
Merry Christmas and Happy New Year!
Tan Boon Yen, CIA, CRMA
The Institute of Internal Auditors Singapore 


November 2017

Internal Audit in the Era of Disruption
Businesses today are operating in an increasing complex environment, characterised by unprecedented geopolitical and economic uncertainties, the emergence of disruptive technologies, and changing customer expectations and behaviours. 
What is internal audit’s (IA) role in this era of business disruption? 
Let us look at the 2015 IIA Global’s Internal Audit Common Body of Knowledge® Stakeholder Study. 64% of stakeholders indicated they want IA to be more active in strategic risks. 73% of respondents specified IA should consult on business processes while 71% said IA can facilitate and monitor effectiveness of risk management. The findings reinforced the positioning of IA and the opportunities presented to the IA function to be trusted strategic business advisors in addition to its assurance roles.  
In the age of disruption, the Boards are looking to IA to provide assurance and insights as businesses operate in a more challenging environment that requires them to re-assess their business model and operations in order to pursue new business opportunities.  IA needs to be forward thinking and agile to proactively value add in helping businesses and organisations to effectively manoeuvre the changing environment. For example, if the organisation is changing its business model or implementing new systems, IA is well positioned to provide insights on risk, governance and control issues before processes are fully developed.  IA functions also need to re-assess its audit priorities so that they are focused on the Board’s key concerns and are aligned with the key strategic and business objectives.
The future offers exciting opportunities for the IA profession. IIA Singapore supported by our global platform, remains committed to supporting the IA profession’s transformation journey that is evolving from an assurance role to one that is strategy and business risks focused.
Tan Boon Yen, CIA, CRMA
The Institute of Internal Auditors Singapore 


October 2017

IA In the Age of Transformation
Last week, IIA Singapore hosted the Global Internal Audit Leadership Summit and Annual Conference. Speakers and panellists from diverse business sectors and various stakeholder groups converged to share their insights of auditing in the cyber age and how internal audit (IA) can stay ahead of the curve in the age of transformation. 
Just to share a few key points in my opening remarks at the Summit and the Conference.
With the current technologies, disruptions and risks landscape, IA needs to evaluate governance, risk management and internal controls holistically and audit at the speed of risks. IA needs to be agile to continually reinvent itself and continuously learn and deepen knowledge and competencies to remain relevant and effective.
IA needs to work closely with organisations to bridge the cyber readiness gap with the clear and present dangers from data breaches, the Internet-of-Things, among others. Having good insights of the business and the organisation as a whole, internal auditors are well-positioned to be influencers of positive business outcomes with their assurance and advisory roles to their organisations to proactively manage the risks. 
With technology and big-data, the three lines of defence within an organisation can collaborate and derive synergies from embedding robust continuous and predictive monitoring systems throughout the organisation for real time assurance and effective risk management and controls. However, this does not mean that IA’s position, as the 3rd line of defence is no longer relevant. IA’s position in providing independent and objective assurance to the Board and other stakeholders such as the regulators, does not change.  
The conference ended with many useful insights, knowledge and leading practices that I am sure, will inspire everyone in their journey to stay ahead of the curve and be trusted advisors to their organisations.
Tan Boon Yen, CIA, CRMA
The Institute of Internal Auditors Singapore


September 2017

Auditing in the Cyber Age
Disruptive technologies are a reality of the current business environment. In addition to affecting how business is done, the “Internet of things” and the pervasive use of mobile devices further expose organisations to cybersecurity threats. 
Boards and stakeholders are demanding greater assurance that preventive and detective controls established to mitigate cybersecurity risks are adequate and effective. Internal Auditors need to be better aligned with strategies and objectives of the organisation and address both existing and emerging risks associated with it. To achieve this, they need to deepen their knowledge of the business, adopt a strategic mindset and sharpen their leadership and people skills to build an effective relationship with the stakeholders. For example, when a big data audit programme is implemented, Internal Audit (IA) should engage the organisation’s CIO and key leaders to understand the risks in terms of data collection, storage, analysis, security and privacy. By doing this, IA obtains assurance that the big data’s objective of providing critical intelligence is aligned with the enterprise-wide business strategy. 
The fast-paced digital world opens up opportunities for the IA profession. IA has to move towards the use of audit automation tools to transform auditing and improve audit effectiveness. For example, the use of data analytics tool provides insights to improve decision-making and it also decodes certain underlying trends or anomalies that could be an indicator of more pervasive problems. 
Our Global Internal Audit Leadership Summit and Annual Conference will be held from 25 to 27 October 2017. Learn from distinguished speakers, Audit Committee members, Chief Audit Executives, and ask yourself if you can stand up against “The Cyber Resilience Challenge”? How do you tackle “Auditing Big Data”?  Here’s also where you will find out more about ‘Innovative and Agile Internal Auditing at Google”. 
Early bird registration closes on 22 September. Register now.
Tan Boon Yen, CIA, CRMA
The Institute of Internal Auditors Singapore

August 2017

Stepping Up The Value Of Internal Audit
To step up the value proposition of internal audit, Internal Auditors (IA) must keep up with both the internal and external environment that their organisations operate in. It is important for IA to keep up with emerging trends and risks to effectively meet and exceed their stakeholders’ expectations.
Consider the following I-I-A-S points as a constant reminder to stay abreast and value-add to your organisations:
Be Insightful – IA must be in touch with developments not only locally but around the world. Look out for trends and developments that can destabilise your organisation e.g. geopolitical instabilities and emerging technology and threats. Be conscious of unhealthy cultures in the operating environment. 
Be Innovative – Step out of your comfort zone and dare to harness technology to devise new and efficient ways of auditing. Amongst others, IA needs to re-invent itself with emphasis on soft skills, change in mindset and thinking out-of-the-box.
Be Agile – Businesses are affected by change. Innovate ways of partnering your stakeholders and seek their inputs to provide real time assurance. Engage stakeholders continuously to bridge any gaps in expectations and priorities.
Be Strategic-Minded – Understand business strategy, hone your business acumen skills by acquiring industry knowledge. Understand what is important for the growth and sustainability of the business and align internal audit efforts to support business strategies.
Be in touch with IIA Singapore. We work hard and continue to be a professional body that is resolved to support the development of the profession. Our members are recognised as indispensable to their organisations for effective governance, risk management, and control. Our global platform is an excellent conduit for keeping in touch with local and global standards, trends and best practices.
Yours Sincerely
Tan Boon Yen

July 2017

Annual Conference

IIA Singapore will be hosting our Annual Conference at MBS, Sands Expo & Conference Center from 25 to 27 October. Together with Singapore Accountancy Commission (SAC), we are organizing the Global Internal Audit Leadership Summit, themed “Auditing in Cyber Age”.  In the current digital world, with automated business processes and entire value chains being digitally connected as well as changing business models where outsourcing and offshoring are the norm, exposures to cyber security risks are greater than before. Cyber security risks have tops the agenda of senior management and the audit committee and board members.

Back to back with the Summit is the Annual Conference, themed “IA in the Age of Transformation”.  With the dynamic and complex environment aggravated by the advancement of disruptive technologies, to be competitive, organisations need to embark on a transformation journey by reviewing their business strategies, systems and processes. Likewise, IA needs to transform to fortify its position as a value-adding partner and advisor to its organisation.  

The Summit and Conference will bring together both local and international speakers and it is a good opportunity to hear from the invited speakers and panelists that include Audit Committee members, Chief Audit Executives and other thought leaders. We have also invited speakers from Google, Microsoft and SAP. Participants can look forward to topics such as “Audit Committee’s Expectation of CAE in an Uncertain World”, “Building the Brand of IA”, “Future IA in the Transforming World”, “Managing Cyber Security Risk”, “Innovative and Agile Internal Auditing at Google” and “Leveraging Technology in IA”. The detailed program can be viewed at the IIA Singapore website

Yours Sincerely
Tan Boon Yen

June 2017

Managing Outsourcing Risks

In today's business environment, organisations are outsourcing significant parts of their operations for various reasons e.g. for costs and efficiency reasons, for capacity management or to gain access to expertise. Organisations need to be cognizant of the risks of outsourcing which could have extensive impact on their businesses if not adequately managed. In recent years, there have been many incidents relating to outsourced operations that have not only caused major disruptions to businesses but have also resulted in penalties for non-compliance with regulatory requirements and tarnished their well-established reputation. Business processing and information technology outsourcing are increasingly prevalent. The most common and significant outsourcing risks relate to business continuity, confidentiality and security of information and intellectual properties, and compliance with regulatory and legal requirements. Organisations need to establish a governance and risk management framework to adequately mitigate the risks.

Internal auditors need to consider and include the assurance review of outsourced operations in their audit plan. There is a need to assess whether outsource risks have been identified and the severity of risks appropriately assessed by the organisation. The governing framework and organisational roles and responsibilities for managing outsourced risks need to be clearly established. Risk dashboards should be put in place to continuously monitor the management of risks so that there are early warning systems for timely measures to be taken. Important risk mitigating measures would include due diligence of potential and existing service providers, robust contract review and administration procedures, procurement processes and vendor performance management and monitoring procedures. It is necessary to also assess the service providers' regulatory compliance management procedures, their service operation framework and controls and their business continuity and crisis management procedures to ensure prompt recovery of critical business functions in the event of major business or systems disruption.

Yours Sincerely
Tan Boon Yen

May 2017

Were You Prepared For The Ransomware Attack?

The world's biggest-ever computer ransom assault in the month of May has affected more than 190 countries. The indiscriminate attack, which began on Friday, struck banks, hospitals and government agencies, exploiting known vulnerabilities in old Microsoft computer operating systems. According to the cyberattack message, payment is demanded within three days or the price is doubled, and if none is received within seven days the locked files will be deleted.  

Was your organisation prepared? What is your role as internal auditor with regards to cybersecurity? The IIA’s Global Technology Audit Guide (GTAG) in Sep 2016 is a useful guidance for internal auditors. In addition, “GTAG: Assessing Cybersecurity Risk” describes internal audit’s role in cybersecurity including the CAE’s role relating to assurance, governance, risk, and cyber threats and the assessment of risks and threats. “GTAG: Auditing IT Governance” also provides further guidance for IT governance.

Cybersecurity will continue to top the list of risks for internal auditors, audit committees, senior management and board of directors. Internal auditors play an important role as part of its overall assurance responsibilities, to determine if cybersecurity risks are addressed effectively. In reporting to the audit committee, CAE should keep cybersecurity on the agenda, discuss the level of cyber resilience preparedness with audit committees.  Internal auditors should also take a multi-prong approach i.e. from auditing people and culture on cybersecurity awareness and discipline, to risk management systems, policies and procedures and incident management framework. It is important for internal auditors to also share their insights in these areas with management and the Board.

Yours Sincerely
Tan Boon Yen

April 2017

Public Sector Internal Audit Conference 2017

The theme of our Public Sector Internal Audit (IA) Conference last week (April 20th & 21st) reflects the importance of internal auditors to be future-ready. It was another fruitful conference, thanks to the esteemed thought leaders and practitioners, for their insightful sharing and updates on current trends and developments as well as leading practices. The IA function of DBS Bank of Singapore shared an amazing IA transformation journey, leveraging on technology, harnessing data and working proactively with stakeholders to achieve audit effectiveness and effectiveness.  In my view, it is a world class IA function.

Beyond continuous and predictive auditing, participants heard about agile auditing. It is possible for the 1st, 2nd and 3rd lines of defense to work seamlessly to provide combined assurance to organizational stakeholders. Nevertheless, I would like to point out that this does not mean that IA’s role, as the 3rd line of defense, is no longer relevant. This position should not change as stakeholders rely on IA for independent and objective assurance.

In the current digital age with technology disruptions & innovations and data analytics, opportunities instead of challenges, are abound for IA to add and create value. Aptly put by one of our speakers - "It is a unique moment for IA to take leadership, facilitate new growth while maintaining compliance and building trust in the digital future."

May 1st is the start of International IA Awareness month where IIA Institutes and IA functions around the world, plan and organize activities to promote the value of internal auditing to their stakeholders. Look out for our May IA Awareness Month activities and we strongly encourage you together with members of your organization to participate in the activities organized by IIA Singapore. 

Yours Sincerely
Tan Boon Yen

March 2017

Poised For The Future

Singapore’s Committee of Future Economy (CFE) Report has identified seven strategies to achieve the vision to be the pioneers of the next generation. The strategies “acquire and utilize deep skills” and “build strong digital capabilities” resonate well with the transformation journey of the internal audit profession.  

As Singapore enters a new phase of development, the journey is challenging. An area that Singapore must position itself is by “developing deep digital capabilities”. With technology and digitalisation transforming many businesses, internal auditors need to acquire and develop strong capabilities in digital technologies, in particular, data analytics. Data is an asset that should be harnessed to transform audit quality and raise productivity. Cyber security is key as organisations are exposed to cyber threats with increasing reliance on mobile and cloud computing, internet and social media.  Internal auditors need to be equipped to provide assurance to stakeholders on cyber security risks and controls.

To continue to serve stakeholders well, internal auditors must continue to acquire and develop new skills, strive for agility and equip themselves for the future. Internal audit work will be challenging, interesting and impactful if we focus well on what is ahead for the business. The 10 core principles of IIA’s International Professional Practices Framework (IPPF) 2015 include a very relevant core principle - IA must be “insightful, proactive and future-focused” to be effective.  

One aspect that will not change for internal auditors is to build a firm foundation with relevant certifications and continuing professional development. At this point, I would like to congratulate our young professional, Ms. Fiona Tan Yan Wen, a member of IIA Singapore who has received the William S. Smith Award, a Certificate of Honour for achieving the highest score in the recent CIA exam. Well done! 

Yours Sincerely
Tan Boon Yen