DEFINICIÓN Y DETERMINACIÓN DE COMPETENCIAS

In order to validate if the “as-is” model represents the reality of internal audit in companies that are not yet operating in a data-driven way we will perform two expert interviews with an Ernst and Young expert of the internal audit field and with an expert of a client of Ernst Young. The structure and the result of these interviews can be found in appendix F. Both of the experts interviewed indicated that the function of the first line of defense was not modelled completely correct. They indicated that the first line of defense does not only use controls developed by the risk department to monitor risks to the company, but mostly use their own set of risk controls. In addition to this both experts indicated that the third line of defense was also not modeled completely correct. In the conceptual model the internal audit department receives the annual internal audit obejctives from the top management of the organzation. In reality this is not the case. The internal audit depatrment develops their own internal audit objectives based on reports from the first and second line of defense. These internal audit objesctives are only approved or disapproved by the top

management, based on what they perceive as important. Furthermore both interviewees indicated that an additional action needs to be added to the internal audit function which covers the design of internal audit controls used during audits. For clarification reasons the interviewees pointed out that the “perform audit” action should be split into three actions covering the three different types of audits performed by an internal audit department.

In figure 35 these errors have been corrected. Figure 35 therefore serves as the validated baseline for the construction of the “to-be” situation and the migration model and as this paper’s beta version.

8.2. Determine Requirements for the “To-Be” Situation

The second iteration of this action design science paper evolves around the development of a “to-be” model and performing a gap analysis on the “as-is” and “to-be” model to determine information management performance differences and model usability. In order to start modeling the “to-be” situation however we will first have to perform a requirement analysis to determine what the requirements for the “to-be” model are. The requirements determined in this chapter are based partially on the literature study and partially on the previous expert interviews as can be seen in figure 36.

The research methodology of figure 31 proposes three parallel actions for this step in the research methodology. These actions are based on collecting a complete set of requirements based on the technological, human and process aspects of the problem statement. The requirement analysis will be modeled in the Archimate 3.0 language [54]. The first step in the analysis will be to construct a stakeholder and driver analysis. The result of the stakeholder and driver analysis serves as input in the requirement analysis.

In order to identify stakeholders relevant to any financial company in the three lines of defense process context we will have to make sure the stakeholders are generalized, but still understandable and relevant. Furthermore it is important to note that a company can have internal and external stakeholders. From literature [27], [40], [7], [25], and exploratory expert interviews we derived that from our context’s point of view we can identify two categories of external

stakeholders relevant to our paper. The first of these stakeholder categories is called “financial company external stakeholders” in our stakeholder and driver analysis of figure 37. External stakeholders of a financial company are comprised of several separately identifiable groups of people that are mainly interested in the reliability of the financial company. Unethical company behavior will hurt these external stakeholders’ trust of the company or will even hurt them financially. The second external stakeholder group is called “financial sector regulators” in our model of figure 37. This group is comprised of several governing and controlling entities of the financial market that are mainly interested in the company’s compliance to the national and international law and regulations. In the Dutch financial market this group is mainly comprised of the DNB, AFM, ETA, EBA and the Dutch government. For the case of this paper we identified three internal stakeholders most relevant to the problem of this thesis. The three internal stakeholders represent the three lines of defense in the internal control function of a financial company. The operational

department, the risk department and the internal audit department are mainly interested in providing assurance to the company. Therefore we identified assurance as the main driver for the three internal stakeholders. Based on the identified external and internal stakeholders and their main drivers the top layer of the model of figure 37 could be designed.

From exploratory interviews with experts of Ernst & Young and their clients we could derive that the main assurance driver behind the redesign of the current assurance process of the three lines of defense and especially the internal audit function can be subdivided into the “data quality” and “data availability” drivers. As described in the problem statement and the research questions of this paper companies are often willing to make a transition to a more data- driven audit process, but their current organizational and IT infrastructure does not allow for such a process at this moment. In the literature study of this paper and in exploratory interviews with Ernst & Young experts we found sufficient evidence for the sub drivers “data quality” and “data availability” [59], [30], [21]. Recent observations of experts within Ernst & Young and clients of Ernst & Young indicate that at the moment data capture within company systems is insufficient to establish complete audit trails. Expert observations also indicate that current data capture, if present, is often not conform the data need of the three lines of defense. Both of these expert observations are modeled in figure 37 as “data quality is low” and “data shortages occur often”. Poor data quality and low data availability both influence the observation that the current assurance level can be improved. Because the assurance level is currently too low some compliance deficiencies occur as can be seen in recent news reports about some companies in the Dutch financial sector [42]. These news reports in turn influence the perceived reliability of the company negatively.

The underlying goal of redesigning the current three lines of defense process situation will therefore be on improving the assurance level provided by the three lines of defense through means of data-driven audit. The desired outcomes of this redesign are that the technological capabilities level, the process performance level and the people skill level of the three lines of defense will be enhanced as stated before in this paper. Exploratory interviews with experts as well

as literature [59], [21], [29] analyzed in the literature study part of this paper provided us with several desired sub- outcomes, their priorities, requirements and constraints. Figure 38 provides a graphical overview of the relations between the semantical notations.