Continuous monitoring is the future of audit, says Vodacom SA’s Sitho Mdlalose
Vodacom SA’s Sitho Mdlalose believes that digitalisation and increased business insight are key audit trends.
This Future of Audit series is proudly brought to you by ACCA.
“The word that springs to mind when I think of the future of audit is ‘digital’” says Vodacom SA FD Sitho Mdlalose. “The future of audit for me is really about the future of business in general, and that’s digital.”
Sitho was appointed FD of Vodacom South Africa in 2020 after the Vodacom Group restructured and the decision was taken for the South African company to operate as a standalone company. Before that, he held the role of CFO for International Business at Vodacom for several years, giving him good understanding of the challenges of managing internal audit for a multinational entity.
As Vodacom continues on its journey from telco to tech company, Sitho believes that audit will play an important role. “Yes, assurance is great because what it does, and from an audit function perspective, is helps me protect the value that the organisation has built,” he says. But beyond this, he believes that the future of audit, and where it can truly begin to create value, is through providing increased insights. “The future of audit cannot be purely protection of existing value – it can help create future value.”
Like all areas of business, audit will also need to keep pace with rapid digitalisation. With technologies like blockchain and automation on the rise, Sitho highlights the need to establish audit teams that are both tasked with creating value through insights and that can “think digital”.
As processes are automated and digitised, Sitho believes there will be a shift towards continuous monitoring. “It will no longer make sense to continue to do manual testing when there are these automated processes,” he says. “As automation happens, the level of effort required to manage them lessens, and so processes and controls can run concurrently on a continuous basis.”
Emerging risks highlighted by Covid-19
Sitho believes that audit will not return to its former pre-pandemic state. “A lot of businesses have taken massive leaps in digital as a result of being forced into it, and I think that is absolutely true of audit,” he says. “I could never have imagined that we would do remote audits, but we are entering our second year of doing so.”
Covid-19 has highlighted emerging risks and it’s been challenging to give assurance over these in a rapidly shifting environment. “The impact of those risks is significant,” Sitho says. “For example, from an internal audit perspective, an organisation may have gone from liquidity not being one of the biggest risks that the organisation faces to suddenly having to think about whether cash flows are going to remain the same.”
Remote working has also given rise to privacy considerations – an area that presents serious risk for any organisation. As a multinational company, Vodacom has also had to navigate the challenges of working remotely across different regions, which often have different regulatory requirements too. “The reality is that audit relies on data sets,” he says. “I think one of the challenges that any multinational organisation will likely face is the accuracy of the data that they're trying to mine, and in this digital environment there's now an increased reliance on that data as the basis for digital testing.”
In this brave new world, it’s not always immediately clear which regulations need to be followed. For example, Sitho says, a company’s centralised audit team may sit in Johannesburg and be looking to run some tests and scripts over certain data. To do that may require loading data to the cloud, which may expose it to privacy risk. “There may also be laws around whether that data can leave the country or not, and does going to cloud mean it's left the country?” Sitho says. “Different countries have different views on things like that.”
New skills for the future of audit
Another challenge in the post-pandemic world of audit for multinationals is the availability of skills across different markets. While traditional audit skills may be accessible, businesses now need IT and cyber skills too. “You'll get a varying degree of specific deep skills within those fields in different markets in the continent, and to an extent, while you can always set up central hubs, emerging skill sets in networking and cybersecurity start to become a challenge,” Sitho says.
He adds that it’s also important for enterprises to realise that while it’s possible to build audit programmes and develop standardised testing for deployment across regions, it’s critical to leave room for flexibility. Customers, the business landscape and regulatory frameworks will differ in each country and audit programmes need to remain adaptable enough to cater for these differences.
Vodacom, which traditionally focused on telecommunications, has shifted over the years and continues to adapt in response to consumer and market demands, moving into technology and financial services. According to Vodacom, its M-Pesa mobile money service is the most successful in Africa, and is also the region’s largest fintech platform, with almost 42 million active customers.
As Sitho points out, a changing business means changes in internal audit too. “The number one priority is ensuring that we've got the right skills. We changed a lot of our recruitment, to ensure that we're getting the right balance of skills across our whole business, and in internal audit as well. We’re getting people who understand robotics, who understand big data and know how to use and analyse data, who are privacy experts,” he says. “We’re working on getting all the different skills and expertise into internal audit, so that when we audit we've got a view and understanding of the environment.”
Sitho underscores the need for audit teams to not only understand emerging technologies, and emerging risks, but to have a thorough understanding of the business’s long-term strategic goals. “This allows them to proactively equip themselves for where the business is going,” he says. “It’s also important to look at how to maintain a dynamic audit plan. We’re moving away from traditional audit plans that get approved once a year by the audit committee, where what needs to be delivered is agreed on day one, and over the 12-month period, it's executed. Now, there's still room for that because you want the accountability of ensuring that you look through all the areas. However, you need to keep some flexibility in that audit plan to be able to address the emerging risks as the year progresses because as environments change more quickly, internal audit teams need to make sure that they are able to change just as fast.”
Sitho believes that collaboration is helpful in navigating the way forward. “The world moves too fast for any one organisation to have the sole right to knowing everything first. Collaborating with other organisations where possible is a big thing because you need to learn fast. The speed of identification of risks is critical in the environments we operate in today. Collaboration opportunity is a really helpful thing.”
He concludes by reinforcing his belief that internal audit is more important than ever before. “It's increasing in relevance as the complexity of organisations grows,” he says. “The future of audits is to become more integral to the business and to be a better business partner.”