"It’s good for internal audit to understand what’s in Jardines’ IT portfolio, including shadow IT. So, if something does go wrong, like a data breach, we can quickly get relevant, precise advice to safeguard the Group’s economic value — or help build it back up again."
- Linda Chan, Head of Group Audit and Risk Management
The Jardine Matheson Group (Jardines) began as a trading business in the Chinese port city of Canton — now Guangzhou. The company, which was founded by Scots William Jardine and James Matheson in 1832, later became one of the first foreign-owned trading houses, or “Hongs,” in the former British colony of Hong Kong. In the 1980s, Jardines incorporated in Bermuda and kept its headquarters in the Jardine House office tower in Hong Kong. The Keswick family, descendants of Jardines’ founders, manages the company today.
Jardines generated more than US$92 billion in gross revenue and US$1.7 billion in underlying profit in 2018. The Group has interests in diverse businesses that operate primarily in Greater China and Southeast Asia in industries ranging from financial services and agribusiness to home furnishings and heavy equipment. International hotel and investment management group, Mandarin Oriental Hotel Group, and Astra, Southeast Asia’s largest independent automotive group and a diversified conglomerate based in Indonesia, are among the Group’s many subsidiaries.
Linda Chan is the head of Group Audit and Risk Management (GARM) at Jardines, where she oversees a team of 30 auditors. Chan has an extensive background in internal audit and risk management, and her previous positions include director of audit and risk for Dentsu Aegis Network, the largest advertising agency in Asia. Chan says, “They have traditionally rotated people from within the Group into this role at Jardines. But management wanted to try something different and bring in someone from outside the Group. So, they hired a recruiter and found me.”
Reducing Manual Processes and Developing New Ideas
The GARM team’s primary objective is “to protect the economic value” of the Group, according to Chan. “That’s the main reason why the internal audit team is here — to safeguard the future value of the business,” she says. “We work with the business to do that, and we are making a difference.”
Safeguarding the future value of Jardines includes supporting the business in its efforts to modernize and innovate operationally. Chan says when she first came to Hong Kong three years ago to work at Jardines, she was surprised to find the company was still using some “old-fashioned” technology like fax machines. “I hadn’t seen a fax machine for at least five years before that,” she says. “There wasn’t a lot of automation here, either. For example, expense reporting was still very much a paper-based process.”
That process, along with many others, has since been modernized, according to Chan. She says, “Fortunately, our Chairman and Managing Director saw that the business needed to update its technology and move away from some of its manual processes. So, he introduced a big initiative for innovation — ‘Innovate Jardines.’ People are encouraged to submit their ideas that create opportunities for business development — developing them first by working in sprints and then presenting them for approval. There are over 40 ideas that either have gone live or are in production right now.”
Chan says the program is having a positive impact at the Group because “it’s made people realize that innovation is a good thing.” One downside of the widening embrace of new technology, however, has been the rise of “shadow IT” at the company — cloud-based technology applications and tools that individual employees and teams adopt without needing to consult IT. Employees proactively embracing new technologies that enhance their collaboration and productivity can help to make the company more agile and drive technological change in the organization. But these projects can also create security risks, posing additional challenges to internal audit.
“It’s good for internal audit to understand what’s in Jardines’ IT portfolio, including shadow IT,” says Chan. “So, if something does go wrong, like a data breach, we can quickly get relevant, precise advice to safeguard the Group’s economic value — or help build it back up again.”
"Employees proactively embracing new technologies ... can help to make the company more agile and drive technological change in the organization. But these projects can also create security risks, posing additional challenges to internal audit."
Chan closely monitors the shadow IT issue through both internal audit and IT lenses. Jardines does not have a Group IT director, so a lot of responsibility for overseeing IT initiatives — and assessing the risks of those projects — falls to Chan. The GARM team also includes seven IT auditors. That may seem like a high number, but Chan says she likes to snap up these in-demand professionals whenever she can. “I tell my team, ‘If you know of a good IT auditor, send them to me. I’ll probably hire them.’”
Another question for the GARM team at Jardines is how to audit new technologies appropriately. “When something changes, the way that we audit might not be relevant anymore,” says Chan. “So, we always need to think about how we might have to reconsider our audit approach so that it stays relevant.”
Moving to a New Audit Management System
Innovation and new technology adoption are happening within the internal audit function at Jardines as well. For example, the department recently implemented an advanced audit management system. Chan says her group is among the first in Asia to implement the latest version of this solution.
“I wanted to implement a system that would drive people to think about risks first when they do their audit planning. If they know the risks, then they know they will be looking at the right things,” she says. “We were using electronic audit files before, but we often got feedback from the business, like, ‘This is the same thing you did last year.’”
Chan says she would like the GARM team to employ more data analytics in their work in the future — and they are eager to do it. “My team is already thinking about how to incorporate data analytics into their audit planning,” she says. “Some of the audit projects we did last year for the business involved data analytics, and that whet everyone’s appetite because they saw the benefits. I had auditors telling me afterward, ‘We should use data analytics more.’”
Chan is making sure her team receives the appropriate training in data analytics. “They are all CPAs from large auditing firms with a numbers background, so learning more about data analytics appeals to them. What’s even better is that the technology is more sophisticated today, so it’s easier for people to use. I don’t hear my team saying, ‘Well, I think this is going to be too difficult.’”
One logistical challenge that stands in the way of the GARM team taking their data analytics use to the next level is the Group’s disparate systems. “To do data analytics well, you need to have some standardization of systems,” says Chan. “We don’t have that yet, though it is gradually evolving.”
Witnessing an Evolution in Internal Audit
For the past 25 years that Chan has worked in internal audit, she’s seen a lot of changes in the profession. “I think the role of the internal auditor is much more highly valued today than it was in the mid-1990s,” she explains. “I got into the profession at a time when internal audit was really starting to take off, and things started to change for the better.”
The higher visibility of the internal audit function at Jardines, its increasing role as a strategic partner to the business, and its involvement in technology and other innovative projects for the Group, help to make GARM a talent magnet, according to Chan. “I’m very lucky because Jardines is a very big organization in Hong Kong, and most people here have heard of us,” she says. “And worldwide, the Group has more than 450,000 employees. So, we have no problem attracting good people to our team from inside and outside of the business.”
The dilemma for Chan is that she can’t keep talent for long because of Jardines’ mandatory rollout model. “As one of my colleagues said to me, ‘No one ever retires from internal audit,’” she says. “People spend about three years with us, and then they rotate out to other roles in the business. That’s a good thing for the Group. But it’s quite challenging to keep my team’s skills up to date because we’re constantly bringing in new people who aren’t experienced in internal audit.”
Regardless of the rollout model, Chan says she always recruits new people for her team with an eye toward the next generation of internal audit at Jardines. “I want auditors who are quite ambitious, who want to make a difference, and who question what we do — in a nice way, of course,” she says. “And I look for people who have the drive and ability to innovate and grow.”
After Chan settled into her role at Jardines, she started thinking more about the skills that the GARM team would need to succeed in the future. “The Group had a competency model, but it was outdated,” she says. “So, on a flight from Hong Kong to Jakarta, I brainstormed all the key attributes that I thought a good auditor should have, including technical skills and interpersonal skills.”
"The higher visibility of the internal audit function at Jardines, its increasing role as a strategic partner to the business, and its involvement in technology and other innovative projects for the Group, help to make GARM a talent magnet."
Communication skills and independent thinking topped the list of interpersonal abilities Chan outlined, and she says she is focused on helping her team members improve in those areas.
“In Hong Kong and Asia, people are very respectful of hierarchy and therefore tend to do what they are told to do — even if it’s not the right thing,” she explains. “So, I encourage my team to speak up more often and think for themselves. Our chief financial officer has also advised that I tell them to do these things. I know it is challenging for them, but it will help them not only to be more effective auditors but also more successful in the business when they rotate into roles in our group companies.”
Click here to access the full list of profiles.