Technology has revolutionized businesses, providing real-time intelligence and changing how we govern and make decisions. Cognitive technologies like predictive analytics have mixed innovative and smart ways of working to deliver value and results. Traditional tasks are being greatly improved; for instance, credit analysis, transaction processing, target marketing and fraud detection have been significantly altered. The modern Internal Audit function has to keep up with the pace. In fact, it has to position itself ahead of the pack because it is a key stakeholder in ensuring that complete and accurate information is relayed to the board.
No doubt, Artificial Intelligence (AI) is fast becoming the disruptive innovation of the century, shaping how we live and how businesses are run. This is a perfect opportunity for internal auditors to roll up their sleeves, participate keenly and guide organizations to better optimize the risks and opportunities they face. Internal audit professionals will provide value to organizations by employing their skills in understanding and linking strategy and AI objectives. If Internal Audit functions are to remain relevant in this conversation, they have to prepare adequately in the following three critical areas.
Internal Audit professionals have to assess whether accountability and oversight are in place to support AI and data governance frameworks. These frameworks have to be measured and monitored against the organization’s values and ethics. AI forces organizations to refocus on ethics, storage and appropriate use of information. For instance, with the current spotlight on data privacy and ethical use of data, companies using AI will need to observe stringent compliance and regulatory requirements. Overall, the framework on AI has to cover data use and infrastructure, accountability and regulatory compliance.
Internal Audit has to query whether the data maintained and used by organizations is accurate, complete, transparent and reliable to assist management and the board to make informed decisions. Most organizations do not have a documented structured approach to managing, analyzing and generating insights from their data. Many times information is archived in different systems that do not integrate. This presents significant challenges for how data is synthesized and interpreted, and for what conclusions can be drawn.
Internal Auditors have to remember that there will be a need to provide insight and hindsight. It is the use of data to provide foresight, however, that will be the game changer. Internal Auditors have to study the data and challenge management on its use to assess mitigations and opportunities available.
With AI projects becoming a necessity, they pave the way for more risks and opportunities than we can imagine. Organizations across the globe need to build robust cyber-resilient strategies that are resistant, proactive and that continuously improve. Cyber-attacks and technology shutdowns will increasingly appear on the top list of our concerns, the famous “top risks”. It is the duty of Internal Auditors to sensitize the board members and discuss these risks and opportunities in equal measure. There is no magic bullet for resolving emerging challenges; Internal Audit professionals have to drive value through innovation and the use of AI, and challenge the value drivers of AI. Internal Auditors’ roles are becoming more defined in this digital age, transforming into that of a value partner.
It is definitely time for Internal Auditors to understand their role in AI and, most importantly, the risks and opportunities that can be harnessed. This is a call for all Internal Auditors to learn, unlearn and relearn in this digital age. No doubt, Internal Auditors will stand up to be counted and work collaboratively with management to provide foresight in this digital age.
Institute of Internal Auditors
Internal audit functions, whilst independent in mind-set, operate within the infrastructure of the organization. As the business transforms, internal audit needs to keep pace with developments – moving too slowly or too quickly carries the risk of providing false assurance or losing credibility with stakeholders. This will impact not only the type of internal audits undertaken and the way assurance is provided but the skills required and the audit methodology itself. This guidance addresses each of these areas in turn.
Our technical blog post The role of internal audit in digitalization also provides a good introduction to this topic.
Internal audit plan considerations
Assurance for the digital age
Revisiting audit skills
Adapting audit methodologies
Internal audit plan considerations
A comprehensive risk based internal audit plan will naturally reflect the rate of technological development within an organization, although it will still be open to some of the considerations in this section.
Where risk maturity is still evolving and internal audit plans are created using a variety of insights and experience to support the risk information it may be useful to think about three themes within the digital organization when developing the internal audit plan: collaboration, connectivity and communication.
In a digital organization there is a cultural shift towards collaboration both internally and with external partners. Internal audit areas to explore could include:
Data governance
The replacement of siloed file systems with cloud based sharing systems heightens the need for robust controls, particularly when those systems can be opened up to external parties.
Dependency
Reliance on third party platforms is common in the digital workplace, putting pressure on continuity arrangements and supplier management controls.
Collaborative tools encourage fast decision making vital to productivity and agile project management, although appropriate due diligence is still required. With increased empowerment and less structure, delegations of authority beyond financial controls may need to be considered.
Virtual meetings become easier, making it possible to set up temporary groups, often negating formal protocols, with the risk of personal agendas, stakeholder absence and lack of accountability.
Culture
Cultural shifts take longer than technological change; functions and managers continuing to work in a siloed manner present a risk to business success.
Misinformation
Knowledge sharing via wikis is uncontrolled and the provenance of information may not be known; understanding the risks around this is critical to internal audit and decision makers.
It can be easy for people to get carried away with the latest crazes and lose sight of the day job. There needs to be a balance of risk/reward, which internal audit is well positioned to advise on without stifling disruptive innovation.
Building on this, there is also greater connectivity of people, data and systems. Audit areas to explore around this include:
Data access
Increased access to data across the organization puts effective cyber security and data privacy among the top risks, covering both external and internal threat actors (a threat actor, also called a malicious actor, is an entity that is partially or wholly responsible for an incident that impacts, or has the potential to impact, an organization’s security), non-compliance with protocols and human error.
End user computing
Extending beyond formulaic spreadsheets, technological innovations coupled with data access make it easier for people to undertake complex data analytics; how this potentially sensitive information is shared and used will be important.
With connectivity comes creation and the need to understand digital assets in order to protect them.
Along with data privacy, ensuring appropriate protocols when collaborating or sharing information with third parties is essential; this becomes much harder in a digital organization where data is more accessible. Consumer marketing risks increase considerably in the digital era due to the commercial opportunities afforded by technology.
Connecting people across disparate locations whilst enabling efficiency also introduces potential cultural risks and issues of work/life balance as people work late to compensate for time differences. The ability to work from home also challenges some traditional management values which can lead to disparity between departments and disaffected employees.
And finally, this all leads to the criticality of communication, with audit topics to explore including:
Conversations on instant chat improve efficiency yet culturally may be viewed as informal – what new boundaries need to be set?
During times of digital transformation the technology is often the focus, when in reality the risks lie with people and change management.
Ensuring all employees know the protocols for internal and external communications becomes critical to risk management in a digital age.
Multi-directional communications are becoming commonplace and introduce new risks to brand management, complaint handling, product development, manufacturing processes and everything in between.
While it would be exciting to fill the internal audit plan with new audits directed to the host of digital threats and opportunities facing the business, this would be inappropriate. Even in the digital age there are core activities which cannot be taken for granted: the processes may change and the technology being deployed may be different, but basic controls still need to be audited.
Assurance for the digital age
Integrated assurance has the potential to become the new normal in the digital age. A wealth of capability for end user analysis and monitoring will create stronger first and second lines of defense, with much more automated, real time assurance. Internal audit will need to differentiate and articulate its third line role, or a new role, very clearly in order not to become obsolete.
Corporate data often hides insightful stories about control effectiveness, risk management, ethical behavior, organizational performance and financial stability. Uncovering these stories and telling them in a way that captures the interest of decision makers will differentiate the assurance providers of the future.
The profession may need to make the case for conducting data analysis with empathy, instinct and ethics or risk being replaced by artificial intelligence. Our data analytics report addresses the business case for introducing or increasing analytics with added value.
Revisiting audit skills
The 2017 Pulse survey produced by IIA Global cites critical thinking, communication, collaboration and persuasion, professional ethics and understanding the audit process as key audit skills.
Finding the balance between hard and soft skills will continue in the digital age and whilst there are no new skills per se, there needs to be recognition that some skills become non-negotiable or more important in the digital age. Examples of these include:
Digital transformations are change programmes without end; being able to work in an adaptable, learning environment will become essential.
A core audit skill that is now a business standard, internal auditors can raise their game by honing root cause techniques to get to the heart of the issues where others may be skimming the surface for quick wins.
Being part geek is no longer optional. Learning basic coding is becoming an essential skill to be able to talk with gravitas not only to IT colleagues but also to millennial and Gen Z (also known as postmillennial or the iGeneration, that is, the demographic cohort following the millennials) colleagues going forward. There are lots of websites offering free courses.
It is not enough to have a Facebook presence; being confident and capable in all things digital is a pre-requisite to engage in meaningful dialogue with the C-suite.
Facilitation
Collaboration is a key feature of the digital age and being able to manage a workshop, temporary group or Skype meeting is essential for the 21st century internal auditor.
Workspaces are transient, with hot-desking and zones becoming commonplace; this makes it easier for internal auditors to sit with auditees, observe practices and gain cultural insights.
Internal auditors and their reports have always been the shop window of the department; however, in the digital age where everyone has a brand, this becomes ever more important. Consider updating old style photos and biographies for video biogs and blogs. Internal auditors need to be mindful of their digital footprint, both professional and personal, as credibility can be easily lost with an inappropriate social media comment.
Being able to present to a group is an essential skill as it brings intention to life, delivering education, inspiration and often entertainment; it is harder to forget a good presentation than a good report.
The recruitment challenge for these skills may lead to more secondments into internal audit from the business, second or third career moves into audit from industry, as well as entry routes into organizations for graduates.
Adapting audit methodologies
Technological advances are intrinsic to digitalization and without question will reshape internal audit processes depending on systems deployed; alongside this there will also be cultural shifts in the digital workplace. This opportunity could be the catalyst to change long standing methodologies around areas such as:
In an organization with a high digital IQ and vast quantities of data, comprehensive analysis will be expected, and not just of financial data; to be credible, internal auditors will need to perform above the standard for their organization. Ideally this would involve exploiting tools within the business in addition to complementary audit specific data mining tools. Our data analytics report addresses the business case for introducing or increasing analytics.
Tools such as Microsoft SharePoint now enable documents to be worked on collaboratively, shared in virtual presentations and stored in the cloud; this has the potential to improve information gathering, validation processes and dissemination of results. Could it also replace electronic working papers?
Delivery
The Standards do not require a written report. Standard 2440 Disseminating Results says that the ‘chief audit executive must communicate results to the appropriate parties’. The implementation guide goes on to say that ‘results may be communicated verbally or in writing, and the format may differ depending on the recipient’. Whilst PowerPoint and Prezi presentation software tools have been around for years, new data connected tools such as SharpCloud mean that digital business leaders will start to demand more tech savvy reporting.
Expected controls
Continual technical innovation coupled with improved understanding of risk appetite mean that it is no longer appropriate for internal auditors to start an engagement with a list of expected controls, as they will become obsolete much more quickly in the digital age either due to design or requirement. Focusing on how a risk is being managed rather than controlled will enable auditors to embrace innovations quickly and focus on evaluation rather than expectation.
Governance, risk management and compliance (GRC) tools
Internal audit and risk functions can capitalize on the digital journey to promote the use of systems to make assurance more efficient and insightful.
Insurance
Internal audit has always worked closely with insurance. Going forward, this two way relationship will be more important than ever, as digital risk insurance requires regular updating and robust understanding of coverage so that internal auditors can balance control advice.
The pace of business in the digital age will see pressure for internal auditors to deliver prognosis on governance, risk and control in addition to diagnosing issues and advising treatment. In a fast moving environment telling a director about an issue is not as effective as raising a red flag that something may become an issue. Pre-empting change and associated opportunities and threats enables capitalizing on risk rather than leading to digital disruption.
Programmes/checklists
Caution should be exercised in using historical internal audit programmes and checklists in a digital organization due to the speed by which change can happen. Whilst this is an approach already advocated for risk based auditing, it may also be necessary when undertaking routine compliance and financial controls reviews, particularly where systems are cloud based with frequent updates.
Sustainability
Internal audits often include commentary on basic business continuity arrangements; in the unforgiving digital age this will need to be extended to sustainability to encompass wider factors such as talent retention and change overload.
“The relevance of internal Audit in this digital age, putting a focus on the Republic of Liberia”
By Samora P. Z. Wolokolie, MBA, CFE, CA, CPA, CFIP, CTP.
Deputy Minister for Fiscal Affairs
Ministry of Finance and Development Planning (Republic of Liberia)