In the spotlight: digital trust

Digital trust: disrupting your lines of defence to reduce risk and increase trust

Richard Thomas
Partner, Internal Audit Services, PwC Switzerland

Paul de Jong
Partner, Operational Risk & Control Solutions, PwC Switzerland

With so many companies in transformation, trust has become a more precious asset than ever. The company itself needs to be able to rely on the ability of its transformation initiatives to deliver the promised benefits. Stakeholders such as customers and suppliers need assurance that the company is still a trusted business partner – for example, that their data are being kept and used responsibly.

Traditionally, the three lines of defence were a key component of building and maintaining this trust: operational management and its internal control measures, oversight functions like risk management and compliance, and independent assurance providers such as internal audit. Until recently it was clear what each line of defence did. But the lines are now blurring, thanks primarily to the influence of emerging tech and digital transformation. In this article, we ask how to achieve this balancing act and whether the traditional three lines of defence are still the best way for organisations to gain assurance.

How will emerging technologies impact your Assurance function?

Emerging tech is a two-edged sword, especially when it comes to trust. Technologies are opening up unprecedented ways of securing processes and controlling risks, but at the same time, they’re creating new potential threats that can be hard to pin down. To truly benefit from these technologies in terms of increasing trust, companies need to reimagine what’s possible and implement ‘trust by design’ without creating unforeseen new exposures.

Technologies such as blockchain, robotic process automation (RPA), machine learning, artificial intelligence (AI), natural language processing (NLP) and predictive analytics present opportunities to transform the lines of defence and make companies more resilient to risk – at lower cost. But this emerging tech also creates new challenges. If, for example, internal audit now has advanced technology that can uncover so much more, how does this affect the first and second lines of defence that aren’t up to speed with the latest technology? It’s obviously not a good thing if your last line of defence is the strongest, and this can cause tension within the organisation. But the transformation will continue, and the consequences need to be addressed. In the future, tech should even be able to predict what errors are going to occur, while completely transparent, blockchain-based business processes could even make certain audits redundant. It sounds like sci-fi, but it isn’t as far off as you might think. It’s time to consider the implications.

Two examples: artificial intelligence and blockchain

To illustrate what we mean, let’s look at two potentially game-changing technologies and their implications in terms of risks and controls.

First up, artificial intelligence. AI is set to revolutionise our systems, but what about accounting and controls? Procurement is a data-heavy, highly procedural process with a major bottom-line impact. The classic control is the three-way match to make sure you don’t pay incorrect or fraudulent bills. In practice, this control is known to create process delays, is subject to bypassing, and as a result requires a lot of effort across all lines of defence to get it right. Now imagine that AI handles the process from requisition to payment: figuring out the optimal vendor, volume and timing; monitoring timely delivery; chatting with vendors’ AI to negotiate discounts and clarify differences in goods receipts, invoicing and payments; predicting and preventing processing errors based on known error patterns; and even intercepting any potential bypasses. Suddenly you’ve transformed a time-consuming impediment into a value-adding control that actually drives business, and which is fully embedded in your operational processes. How will this affect the second and third lines of defence? Are they still needed in this process?

Our second example is blockchain. In an era where everything is moving towards increasing collaboration with third parties, blockchain’s decentralised ledger set-up is a potential game-changer. Why not imitate what the auto industry has already done via electronic data interfaces (EDIs) by creating an integrated end-to-end process that can be managed, tracked and coordinated – even with third parties involved? Blockchain takes this even further: all the parties involved would be on (copies of) the same ledger, which is secure and trustworthy because it can’t be manipulated. The food industry is already using blockchain to track the supply chain, and the technology has also been adopted by watchmakers. This will be a huge disruptive factor in terms of the way companies work together.

But just think of the ramifications in terms of controls and the lines of defence. Because it leaves a clear trail that can’t be manipulated, blockchain will cover many of the bookkeeping activities, including controls, previously taken care of by the first line of defence. It’s trust by design, with little or no room for operational errors. Will the second and third lines of defence still need to check the operating effectiveness, or can they be freed up to concentrate on other risks and more value-adding tasks?

The possibilities are exciting. However, they also come with many challenges. Companies have to ask two questions in particular: Can we trust the data and predictions these new technologies are delivering? And are our defences organised in a way that enables us to harness the advantages of emerging tech while addressing the new risks – known and unknown – that they give rise to?

Do you need to adapt your defences? How?

The degree to which an organisation will need to rethink its defences to reflect the interplay between transformation and emerging tech depends on its situation, and in particular on its digital maturity and where it is on its transformation journey. Highly digital organisations aren’t likely to have much choice, because it will be their electronic tools that dictate not only what controls are required, but how they are performed. As we saw previously, a technology such as blockchain creates plenty of unknowns, but it also comes equipped with a decentralised trust function that requires different, highly automated blockchain monitoring. In this light, companies adopting blockchain will have to rethink their lines of defence to make sure they perform adequate, but not redundant, tasks. Companies not so far down the digital path will have other options depending on their circumstances and resources.

While we can’t prescribe ready-made solutions, we can propose a number of pivotal questions you can ask yourself to find out if, and how, you could be realigning your defences to build trust in digital transformation.

  1. What is your digital strategy?
  2. How does this digital strategy change your risk profile and the kinds of risks that could crop up?
  3. Are you organised in the best way, with the right skill sets, to address this new risk profile?
  4. Do you have a roadmap to create effective defences aligned with your transformation journey?

Many companies around the world are already asking these questions. In an environment where many organisations realise that their present core business won’t be their core business in five to ten years’ time, finding answers is of the essence.

In practice we’ve found that the best way to start is to get different stakeholders together to think through your digital strategy and agree on what will change, and how this will impact your risk profile. In our experience it’s important to spread the net wide, including suppliers, customers and staff in the discussion. Digitally-driven business model transformation affects the entire ecosystem, so you need to gather a wide range of opinions and interests to get a 360-degree view of the risk landscape.

In our work with clients we’ve found it very helpful to design a target operating model for their three lines of defence, and work out how this model will change in the wake of the changes they have defined. On this basis they can draw up a reliable road map.

Who should take the lead?

As with so many topics around digital transformation, building trust in this environment isn’t a straightforward task limited to a single area such as IT or risk management. It’s all-encompassing, with implications for every area of the organisation, from technology to human resources. It involves the challenge of effectively managing interactions between many different elements, such as products, business partners, employees and customers. For this reason, digital transformation and digital trust are topics that top management needs to own: they need to be on the CEO’s agenda, championed and cascaded down through the organisation. In many cases, we see the nuts and bolts of digital transformation being delegated to chief digital or transformation officers; in other companies, the CFO or COO takes on this task. Management should also actively engage with their boards, and in particular, their audit committees, along the transformation journey to ensure all eyes are on trust.
