Reenvisioning Internal Audit: Part 3

Reenvisioning Internal Audit is a four-part series studying different approaches for internal audit leaders and audit committees to consider as they look forward and reimagine what internal audit functions may look like in the future.

We find ourselves at a crossroads as we look forward to the new normal for internal audit functions. How will internal audit functions pivot to follow suit? How can internal audit functions reemerge to be more effective and more efficient considering the challenges of living in a pandemic stricken world? What benefits can technology bring to the internal audit function of tomorrow? What emerging technologies can benefit internal audit where travel is restricted and human interaction is limited? The answers to these questions, and more, are at the top of agendas for chief auditors, audit function leaders, and audit committees globally.

Granted, as we work to determine what the future will look like, the approach for each audit function will be driven by each business or organization’s approach to emerge and thrive in the new normal. As we study each of the different approaches to reenvisioning internal audit: Lean, Agile, Innovation, and Effectiveness, understand that the right approach will vary based on function maturity, organization culture, resources, talent, technology, budget, industry, geography, and other prevailing factors. Also, note that the right approach may end up being a hybrid based on these and other factors. 

Let’s continue our journey to reenvisioning by discussing the application of Innovation to an internal audit function.

INNOVATION

Innovative internal auditing, while not based on a single overall methodology as in the case of Lean or Agile, is the concept of right-fitting various technologies and practices into the internal audit function to automate and streamline processes and throughput.

Remote Auditing – Remote auditing is not a new technology. Auditors have been using this approach for eons, typically in low-risk environments, and sometimes high-risk environments. The travel bans, quarantining, and social distancing imposed by governments and companies due to the rapid spread of COVID-19 has forced internal audit functions to bring remote auditing to the forefront of their daily activities. The keys to successful remote auditing are upfront planning and communication:

• The risk assessment and the audit scope may need updating during the planning phase based on changes to business practices and the remote audit approach  

• Transparency with the Customer is essential when performing remote audits

  • Ensure clarity on scope and approach, requests, time commitments, deadlines, auditing standards and requirements, and meeting schedules

  • Frequent touch points highlighting audit progress, issues, and observations will keep the audit flowing smoothly and reduce the potential for surprises at the closing meeting

• Web-conferencing applications such as Teams, WebEx, and Zoom enable auditors and auditees to connect face-to-face in virtual conference rooms, record conversations for transcription, share files, and even draw on virtual whiteboards

  • Audit teams should ensure that all parties on calls and web conferences are aware of and approve recording of the meeting's video or audio

• It is important to utilize a secure, shared facility (SharePoint, Box, etc.) for document and data sharing. Ensure appropriate user access is granted and tested upfront

• Remote audit observations, walkthroughs, explanations, and interviews can be performed via web conferencing, screen sharing, photos, or videos from a phone, camera, or GoPro type device

Talent Optimization – the rapidly changing business landscape of today and tomorrow challenges internal audit leaders with balancing the right mix of competencies for the function. While some universities offer specialized programs focused on internal audit concepts, most internal auditors enter the profession with a degree in another discipline. The IIA and ISACA offer Certified Internal Auditor and Certified Information System Auditor certifications, among others. Of course, both certifications require up to 5 years of professional experience or the equivalent. Internal audit functions must compete with audit firms, consulting firms, and other employers for the typical accounting or IT degreed candidates.

With that said, internal audit leaders need to assess their current and future talent needs.  As more internal audit functions are embracing and expanding their reach into data science, data analytics, robotic process automation, and other technologies, like artificial intelligence and machine learning, hiring, sourcing, or developing talent knowledgeable in these fields is a must.  Does every internal audit function need a data scientist on staff? Probably not, but resources functionally knowledgeable in these technologies enhance and expedite the adoption. Keep in mind that these skill sets are in demand and come at a premium.

Along with technology talent, internal audit leaders need to consider, if they have not already, recruiting industry-specific knowledge. I once worked in the chemical processing industry, where one of the company’s internal auditors had a degree in chemistry. While she may not have utilized that skill set on all audits, during operational and manufacturing process audits, her knowledge was indispensable. The same applies to other specialized and technical industries. Recruiting from within the business is also a way to obtain readily available industry and company knowledge. Be cautious with independence and objectivity in that scenario – you do not want an auditor auditing their own work. In summary, internal audit leaders need to look forward and be creative in balancing the right competencies within the internal audit function to match the organization's needs. 

Emerging Technologies – it seems like we have worn out discussing data analytics and data visualiztions within internal audit. While a significant number of internal audit functions are at one stage or another on the maturity scale with data analytics and data visulaizations, there is much room for improvement and growth for most. Audit leaders need to embrace it, even if it is on a small scale. That is all I am going to say about that, here.

So, what are some other emerging technologies that can be adopted by internal audit functions to increase effectiveness and efficiency?

Robotic Process Automation – RPA uses software robots following a specific set of rules to perform a task or series of tasks within one or more software applications. RPA is very process-driven. Variations to the process or the rules result in additional development and configuration. Use case development and fitting the purpose are critical for successful RPA implementations.

As we look at opportunities to innovate and streamline internal audit functions looking forward, certain repetitive areas are prime candidates for RPA. The following are some areas within internal audit where RPA can make a significant impact.

• Risk Assessments – as the need to be more real-time in risk identification continues to increase, RPA can be utilized for initial data gathering from a defined set of business data points (financial and non-financial) used in the risk assessment process. RPA can also be utilized to send and gather survey results from stakeholders at a pre-determined frequency. RPA can also manage follow-ups for incomplete and unsubmitted surveys

• Population Data – for reoccurring or repetitive audit activities that utilize data from a common source, RPA can gather the data population(s), cleanse the data, and perform initial analytical analysis

• Control Automation – RPA bots can be utilized to test systematized and standardized control activities and can even test the entire population for exceptions freeing up auditors for more essential tasks. Examples include testing change tickets for approval and timeliness, testing a population of terminations against active access to systems, testing for POs that are generated after goods are received, testing purchase approvals against the delegation of authority limits, etc.

• Audit Management – RPA can automate certain routine activities such as:

  • sending out audit notification letters

  • scheduling kickoff and closing meetings

  • tracking and notifying that an audit activity is completed as scheduled

  • KPI tracking

  • tracking and follow-up notification of open audit observations

Intelligent Automation – Intelligent Automation is the spectrum of technologies that run from basic rule-based RPA (as described above) to artificial intelligence (AI) technologies. AI technologies can include cognitive automation, machine learning, hypothesis generation, natural language processing, and more technologies to allow software robots to mimic human actions at varying levels. These activities can be process-driven (RPA activities) or data-driven (AI inspired activities).

While some organizations are pioneers in this space, many are just getting started.  Estimates are that spending on intelligent automation will increase by 20 times over the next five years. Automation is the future of work, and internal audit leaders cannot overlook its benefits. Along with supporting the organization from the governance, process, and control standpoints during intelligent automation initiatives, internal audit functions should also be considering automation opportunities applicable to the function.  

In addition to the opportunities identified above focused on RPA, the following are some other examples audit leaders could consider when applying intelligent automation techniques.

• The use of natural language processing in the review of text-heavy documents, e.g., customer contracts, vendor contracts,  service desk tickets, change tickets, policy/procedure documents, etc., to identify inconsistencies, missing elements, exposures, or inaccuracies

• Intelligent automation approaches can be applied to more complex control testing than those performed by basic RPA techniques

• Natural Language Processing (NLP) can be utilized in writing reports based on audit documentation and observations identified

• Using machine learning algorithms to identify patterns and trends in large datasets and unstructured data sets

• Using machine learning algorithms to detect and even predict potential anomalous patterns in high risk and fraud susceptible areas. These can be built into continuous auditing models

• Utilizing AI algorithms to review and monitor network and server security logs for attack patterns

Internet of Things (IoT) – The Internet of Things is the connecting of various devices across a network for the collection, creation, and transfer and of data. IoT connections can be human-to-machine, machine-to-human, or machine-to-machine. Practical uses include tracking a run with a GPS watch, unlocking your front door when you approach, lights that turn on upon your arrival home, playing music over wireless speakers, or a thermostat that learns your schedule and adjusts the temperature in your home automatically. Other cases include more complex systems and technologies and stretch over to Smart Grid for utilities, the Industry 4.0 realm of smart manufacturing, and intelligent supply chain through interconnectivity of customers, vendors, and transportation providers. We will not delve into these topics in this series.

IoT applications are generally more applicable to the business than specific to Internal Audit; however, data collected by IoT devices can bring additional insights to auditors. Some IoT examples relevant to Internal Audit include:

• Utilizing IoT asset tracking devices to perform fleet or machinery asset audits

• Utilizing GPS collected data when auditing fleet operations

• Using RFID devices and systems to perform physical inventory counts or to identify and track slow-moving or obsolete stock. This data can also be utilized for determining appropriate inventory costing methods

• Utilizing IoT device data on inputs, outputs, machine run times, and employee labor to audit product costing for inaccuracies and application of costing methodologies. IoT technology can also be utilized to improve the accuracy of overhead absorption, consider tracking actual energy consumption rather theoretical by work center or machine

• Using IoT monitoring sensor data to audit preventive maintenance programs on machinery or fleets

• Utilizing IoT devices in remote locations or for remote field workers to monitor activities and reduce the necessity to travel to these locations for audits

• Using IoT devices to reduce risk by monitoring employee well-being, identify employees that are tired or experiencing problems, and to track employee interactions as in the case of COVID-19 outbreaks

Cloud Technologies – cloud computing is most easily explained as using someone else’s computers and software located in a secure data center somewhere. Cloud computing and has become very prevalent. Often called Software as a Service (SaaS) like Office 365 or Salesforce, Platform as a Service (PaaS) like Google App Engine, or Infrastructure as a Service (IaaS) think Microsoft Azure VM.

Cloud computing technologies bring opportunities to the internal audit function also. Most major risk management, audit, controls, electronic work papers, and comprehensive Governance, Risk, and Compliance (GRC) applications now have subscription-based cloud offerings allowing auditors to work from virtually anywhere in the world from a laptop or tablet computer. Cloud computing reduces the endpoint device requirements allowing auditors to utilize less costly, lighter, and more energy-efficient devices. SaaS offerings for data analytics and visualization software allow internal audit functions to more easily access and embrace these technologies. Cloud instances can allow for connections to more massive datasets. Note: Remember, to prevent shadow IT-situations, always involve your technology and information security departments when procuring cloud computing technologies to ensure reliability, security, and privacy requirements are addressed.  Other cloud computing capabilities for internal audit functions to consider are training and professional education, computing environments and software environments for training and sandbox purposes, project management and planning, collaboration and communication, and knowledge management.

Virtual Reality / Augmented Reality (VR/AR) – while still in its infancy in the adoption phase by most organizations, VR/AR technologies can potentially bring a wealth of benefit to auditors. Consider the following scenarios using VR/AR:

• Virtual tours of remote facilities

• Inventory or fixed asset physical count verifications

• Utilizing VR/AR to search through electronic document files

• Utilizing VR/AR technology to inspect capital and construction projects at completion

• To display financial or other information three-dimensionally

• To perform financial simulations or if-then analyses

• To perform data analytics and visualizations

• Not lugging a heavy laptop and additional screen since your entire workspace is virtually in front of you through the use of your phone or tablet and VR glasses

• Imagine the possibilities… 

Drones and Robots – in this time of travel restrictions and social distancing, internal audit functions should consider using drones or robots, equipped with cameras, for onsite observations and confirmations at remote facilities. Consider these also for the use in hazardous or unsanitary conditions.  Having worked previously in the utility construction industry, drones would have been quite beneficial in providing evidence supporting the of completion of power line structures for revenue estimates, not to mention for quality purposes. Drones can also be used to verify inventory discrepancies at remote sites. Please follow FAA and other applicable guidelines when using drones.

Wow, that is a lot of technology. The benefits derived from applying some of this technology can definitely transform an internal audit function. Increased visibility, continuous audits, robots writing reports, drones doing inventory counts all sound great, but applying technology takes buy-in and planning. So, before going to the CIO to discuss your 2021 capital budget, let’s continue our journey in reenvisioning internal audit by looking at some other techniques to improve effectiveness.  

If you missed part one of this series, you can find it in our blog at: Reenvisioning Part 1 

If you missed part two of this series, you can find it in our blog at: Reenvisioning Part 2

In part four of this series, we will discuss increasing the effectiveness and efficiency of audit techniques within internal audit functions.