Telecom Italia Group (TIM) Looks to Internal Audit for Solid Technology Insights in an Increasingly Fluid Industry
Number of Employees in Company — 65,867
Industry — Telecommunications
Annual Revenues — US$21.4 billion (as of Dec. 31, 2015)
Number in IA Function — About 80
Number of Years IA Function Has Been in Place — 20+
IA Director/CAE Reports to — Board of Directors
“For the technical audit, in particular, the possibility of doing continuous auditing and using data analytics is intriguing. In internal audit, we need to be more active in understanding the changes in emerging technology and how we can audit them or leverage the technology.”
- Silvia Ponzoni, Chief Audit Executive
The Telecom Italia Group is a leading information and communications technology (ICT) company and Italy’s digital partner. Abroad, its strength is in Brazil, where TIM Brasil is a major player on the market.
TIM is Telecom Italia Group’s only trading name for fixed and mobile telecommunications services, internet, digital content, cloud services, digital platforms and solutions. It offers everyone – consumers, enterprises and institutions – simple and safe tools for the new digital life.
Moving to a Strategic Business Partner Role
In the summer of 2015, Vivendi, a French media company, bought a controlling interest in Telecom Italia Group from Telefonica, the Spanish telecommunications company; it has subsequently increased that stake to 24.9 percent, the threshold in Italy to launch the purchase of a company. The new ownership group brought in a new chief executive. The transformation of internal audit began even earlier. A new board of directors, named in May 2014, conducted a thorough appraisal of internal audit and began the process of recruiting a new chief audit executive (CAE) to evolve internal audit from its traditional role, almost separate from the rest of the company, to more of a strategic business partner to the company.
To spearhead that change, Silvia Ponzoni was hired as CAE in September 2015. In addition to her internal audit experience, Ponzoni has served in operational roles, which gives her valuable perspective as she helps the function with its evolution to strategic partner.
“In the previous environment, internal audit was very closed off. We’d now like to share our audit plan to determine if we can avoid duplication with the second level of the control function,” Ponzoni explains.
She continues, “We try to participate more in company projects. We remain independent, but with a clear mandate to give our insight into how to improve the internal control environment in each specific project. My team has a lot of knowledge, and we could enhance consulting.”
Adding an “Internal Third Level of Control”
Ponzoni heads an internal audit department with approximately 60 employees in Italy and 22 in Brazil. The function’s audit process consists of four main pillars:
- Enterprise audits of commercial and support processes
- Financial audits
- Forensic audit and whistleblowing channel
- Technical audits, focused on assessments of network and IT processes and platforms; ICT services; cybersecurity; and supply chain processes, including procurement and investment in technology and the core business of communications
According to Ponzoni, Telecom Italia Group relied heavily in the past on financial audits provided by the external audit company. She says the new management team and the board of directors felt the company needed an internal third level of control on the key financial aspects of the organization. Therefore, one of Ponzoni’s first objectives upon joining the company was to establish internal financial audits.
“This was not driven by a particular financial issue,” she says. “It was a way of expanding the mission of internal audit, and for the function to be more in alignment with common practice in the profession.”
Consolidating on One Platform
The board of directors, to which Ponzoni reports, wanted a clearer overview of the internal control system. Financial audits were the first step in that direction. Ponzoni says the internal audit function is also working with the controller’s office and the risk management team to design an audit management system using software to manage the process.
Ponzoni has worked with such a program before, but it will be the first time the internal audit department at Telecom Italia Group has had one software program to manage the entire audit process. Ponzoni says her team currently manages different aspects of the process through Microsoft Office Suite or other external vertical systems (i.e., an action plan monitoring tool).
The new audit management system (AMS) at Telecom Italia Group will automate everything from the selection of risks and risk assessment to the management of those risks through an interface with the enterprise risk management (ERM) department. The AMS will contain the audit plan and the audit execution, including the storage of work papers, the assessment of controls, the action plan and project management – all the processes of a classic internal audit department.
Ponzoni says, “With one platform for the entire process, we can share information more easily with ERM and compliance. The system also makes it easier to conclude the audit and write the formal report in a structured and efficient way.”
Leveraging Technology and Data Analytics
Beyond audit-specific technology, Ponzoni says she’s planning, medium term, for ways to leverage continuous auditing and data analytics in order to better align internal audit capabilities with the real- time risks of running a telecommunications network.
“For the technical audit, in particular, the possibility of doing continuous auditing and using data analytics is intriguing,” she says. “In internal audit, we need to be more active in understanding the changes in emerging technology and how we can audit them or leverage the technology.”
Ponzoni has also identified a need for her team to audit products and technical services that are, in many cases, externalized and outsourced. This governance of third-party providers is critical, she says,to ensure that contracted services are delivered to contractual quality levels and technical requirements by qualified personnel.
Telecom Italia Group will likely need to engage additional support to help the internal audit function accomplish its short- and long-term goals. In 2016, Ponzoni says she plans to start co-sourcing financial audits, a practice that has already proven to be beneficial in technology audits. “We don’t co- source (in financial audit) at the moment, but will start to do so in 2016,” she says. “This practice has been applied successfully in the technical area for 10 years to perform internal security assessments.”
Monitoring Emerging Tech Trends
Looking ahead, Ponzoni says she sees three trends that will impact the telecommunications industry, the company, and the internal audit function in the near future:
- The emerging Internet of Things and the massive amount of confidential data it generates, which will create new opportunities for hackers and new risks that will need to be monitored and mitigated.
- Cloud computing solutions that consolidate critical infrastructure and intellectual property in the hands of third parties, creating a need for effective third-party risk management.
- Big data mining for behavioral insights, which increases the potential for privacy violations – a risk that will need to be monitored for both reputational and regulatory compliance purposes.
The trends Ponzoni describes affect most modern businesses in some way. As a telecommunications company, however, the opportunities and risks for Telecom Italia Group are magnified both in num- ber and in scope.
The telecommunications industry has already been radically transformed by increasing smartphone penetration and the diffusion of mobile internet service. The race is on for communications companies like Telecom Italia Group to build, borrow or acquire the bandwidth required to serve this rapidly expanding need. And as that infrastructure is established, it’s going to need to be protected, Ponzoni notes.
“The new fiber-optic infrastructure, which is capable of delivering fast and ultrafast broadband services to the customers’ premises, is the next generation of fixed-access networking. It requires street-level intelligent networks and increased security,” she says.
To provide that assurance, Ponzoni says her department will be spending a lot of time and effort evaluating tools and technologies designed to electronically monitor those networks, conducting penetration testing, and working with the operations and risk management teams to ensure that there are effective controls in place and that the three lines of defense are strong and effective.
Ponzoni and her team have been working with their operational and risk management colleagues to identify strategic uses for the massive quantities of data available over their vast network of traditional, cloud and mobile infrastructure. From an internal audit perspective, she says she will measure success by the internal audit function’s ability to effectively aggregate, mine and refine all that data into actionable assurance.
“The use of big data is very important,” Ponzoni says. “Because we will have access to huge amounts of information, we need to be able to give that data structure and meaning. Data mining and analytics mean being able to do something that can interpret all these numbers and data that are out there, and transform it to alerts or red flags.”