Are internal audit departments effectively responding to emerging risks and opportunities? And how can they play a key role in accelerating the firm’s digital revolution? Accompanied by two use cases we argue how the internal audit can accomplish this by embedding technology at the core of the audit approach through the integration of data analytics and the effective use of cognitive analytics.
In early 2016 KPMG and Forbes surveyed ([Loon16-1]) more than 400 chief financial officers and audit committee chairs and found that 90% of the respondents feel their internal audit function is not adequately identifying and responding to emerging risks. The common theme was that internal audit (IA) needs to be more proactive in identifying and mitigating risk, not just assessing the controls already in place. And one of the identified challenges for internal audit is to use more technology, data and analytics in their audit approach and methodology.
It is no longer useful to utter phrases like ‘technology is the future’. If companies are not fully integrating technological advancements in every area of business, no degree of strategic prowess is going to make a measurable impact. How internal audit is conducted is no exception and technology lies at the core of how to manage current and emerging risks ([Loon16-2]).
The question is how can IA embed technology in its audit approach and methodology and support their organization to effectively respond to emerging risks and opportunities but accelerate its digital revolution? Below we discuss two themes that lie at the core of this question.
Figure 1. Pro-active demands on the organization.
Figure 2. Key skills required for the internal auditor.
Fully integrated data analytics
In the past few years, data analytics have helped to revolutionize the way in which companies assess and monitor themselves, especially in terms of efficiently expanding the scope of audits and improving the level of detail to which audits can be performed. Data analytics and continuous auditing can help IA departments deal with the increasingly complex environment by improving their audit processes, resulting in higher quality audits and tangible value to the business. Consider the traditional audit approach, which is based on a cyclical process that involves manually identifying control objectives, assessing and testing controls, performing tests, and sampling only a small population to measure control effectiveness or operational performance. Contrast this with today’s methods, which use repeatable and sustainable data analytics that provide a more thorough and risk-based approach. With data analytics, companies have the ability to review every transaction (not just samples) which enables more efficient analysis on a greater scale. For example, if an internal audit function provides assurance for a data transaction set recorded in a system (i.e. invoices), the audit opinion is no longer based on a sample review (e.g. 30 out of 100.000 invoices), but on every transaction meaning the whole population of 100.000 invoices.
An integrated approach to using data and analytics throughout the audit process (for example, analytics driven continuous auditing, dynamic audit planning, audit scoping and planning, audit execution and reporting) would provide greater insights and value.
In fact, a fully integrated, automated Internal Audit platform would transform and progress the way that audits are conducted. As for the existing desire for a move toward such a technology-enabled approach when asked about the key skills needed in internal audit, the survey reflected that technology (62 percent) is second only to communication (67 percent) in importance, while critical thinking and judgment came in third (52 percent). It stands to reason that a solid technology platform with the propensity for advanced, enterprise-wide data and analytics, and a progressive feedback mechanism would make for a distinctly efficient and effective internal audit function. The added value of Internal Audit can be increased if it can integrate a higher percentage of data analytic procedures into their audit approach.
Currently, 63 percent of companies use data and analytics technology in isolated or specific instances only, or it exists within discrete functions. It is predicted that this statistic will drop to 50 percent in the next three years, while the use of enterprise-wide risk-focused D&A capabilities will increase from 35 percent to 47 percent.
If IA were to operate through an integrated technology platform, the incorporation of risk assessment, D&A, knowledge and experience would advance the potential for IA to deliver significant added value, particularly in monitoring emerging risk, assessing risk coverage and facilitating data-driven decisions to provide actionable insights into the strategic drivers of the business that would optimize both business performance and risk mitigation.
This platform would provide dynamic, near-real time reporting that unlocks the intellectual capital of a business, exposes the root cause of problems and enables internal auditors to help deliver not only added value, but measurable value. This would go a long way toward enhancing the status of Internal Audit in businesses, going so far as to create a model that may, in time, become the standard.
We noted that the survey responses not only identify a ‘value gap’, but that they also point to specific actions that would elevate the value of the Internal Audit function and create a new standard of delivery by:
- providing actionable insights into the risks that matter and increase the focus on emerging risks;
- embracing technology and the benefits of D&A to increase audit quality, improve the quality of audit evidence and facilitate the discovery of new insights;
- leveraging an audit management platform that automates significant portions of Internal Audit service delivery and allows consistent and full execution of your Internal Audit methodology.
Figure 3. Data and analytics deployment now and in the future.
KPMG is currently assisting Randstad, a multinational human resource service provider, with implementing a global data analytics methodology and platform for their internal audit & risk department. Randstad’s vision is to set up sustainable analytics taking into account the requirements from an auditors perspective. Contrary to common perception the key challenges for such an endeavor do not lie with which extraction tools, analytics engine and visualization environment to use.
So what makes such an undertaking difficult? Randstad operates local firms in 39 countries, each of which has a large degree of autonomy to enable it to cater to the needs of the local market. However this has led to a diverse landscape of internal processes and information systems, each of which have their own data model and architecture. An additional layer of complexity is added by regulations regarding data privacy, payroll, tax and data export which vary per region and can be quite stringent.
To address these difficulties a robust and standardized data analytics audit methodology has been developed to accompany the new analytics platform. At its core lies a global data model and a set of guiding principles regarding data transfer, data privacy and data retention. It is operationalized through an audit execution plan that puts a heavy focus on bringing together critical knowledge and key stakeholders from the local firm and the global internal audit department to understand the local processes, systems and data models, to map local data to the global model, to assure the gathering and transfer of data occurs according to the principles and to manage and assure the quality of the results from the analytics platform.
The implementation of this platform has touched almost every aspect of the internal audit department of Randstad. To manage the scope of such an undertaking the implementation happens on a process by process basis. It started with a pilot on payroll and has now expanded into other core processes for Randstad: pricing, travel & entertainment and bank transactions.
Figure 4. Efficiency of a data driven internal audit. (by Randstad and KPMG)
Through this implementation the internal audit department not only increased its audit quality and increased its efficiency but it has also effected process improvements at local firms just by implementing its data driven methodology.
Unprecedented advances in data capacity, data diversity, processing power and cognitive analytics will continue to transform the business landscape with impact across the entire organization. An internal audit function should not just magnify what the company already knows, but must present new findings, offer new perspectives, and provide new ways of gleaning such insights. Cognitive analytics provide the means to do this.
Cognitive analytics is synonymous with artificial intelligence. At its core it is the use of machine learning and natural language processing to mimic the extraordinary capacity of the human brain to draw inferences from existing data and patterns and create self-learning feedback loops. Using the awesome (distributed) computing power available to use today we can raise this ability to unprecedented levels by continuously monitoring large volumes of unstructured data.
Internal auditing is particularly suited to cognitive technology because of the increasing challenge to tackle immense volumes of structured and unstructured data related to a company’s information: internal and external; financial and non-financial.
Figure 5. Immense volumes of structured and unstructured data. (by KPMG)
Watson is a powerful cognitive analysis system developed by IBM. IBM and KPMG have partnered up to employ Watson to assist firms in effectively using cognitive analysis. KPMG developed a prototype using Watson to enable an internal audit department to re-evaluate commercial mortgage loan credit files including its unstructured data. The prototype processes the entire credit file for each loan along with relevant external information.
By teaching Watson the loan grading process used by KPMG and by using a sample set Watson learned to identify key elements that impact the loan grade. After this ‘training’ phase Watson was able to evaluate loans and provide a loan grade with a certain confidence level. When relevant, Watson also provided supporting information extracted from the credit file without providing confidential client information. Using a feedback loop this prototype will continue to learn elements that impact the loan grade and this will increase its confidence levels.
With this prototype thousands of loan files can be re-evaluated in an instant, significantly reducing manual labor and decreasing human inconsistencies and error.
Figure 6. Artificial Intelligence.
Especially the analysis of external sources has always seem a daunting tasks. Luckily natural language processing algorithms have evolved to a point where they are very effective at analyzing publicly available media including news outlets and social media. This has empowered organization to identify relevant signals of change in the external environment. One such example is the Cyber Trends Index that was discussed in the last issue of Compact ([Harr16]). It has been developed by KPMG and Owlin and has been made available to the public.
Using such solutions organizations can determine if a signal is becoming a trend and whether it should be considered as a risk or as an opportunity. Once you have identified these risks and opportunities an internal audit department can empower the business by pro-actively identifying new trends, determining the implications and pre-empting exposure to new risks.
More and more organizations have shown that by embedding data analytics and making use of advanced techniques such as cognitive analytics the internal audit can transform to a technology-enabled department that empowers the entire organization in pro-actively and effectively identifying, managing and even capitalizing on emerging risks and opportunities. And with support from technological innovators and your trusted partners your internal audit has the means to accelerate the digital revolution of your entire firm.
[Harr16] A. Harrak MSc et al, What’s Trending in Cyber Security?, Compact 2016 (3), https://www.compact.nl/articles/whats-trending-in-cyber-security/.
[KPMG17] KPMG, Internal Audit: Top 10 Considerations for 2017, KPMG, 2017, https://assets.kpmg.com/content/dam/kpmg/nl/pdf/2017/advisory/KPMG-IA-Top-10-considerations-2017.pdf.
[Loon16-1] B. van Loon RA, H. Chuah RA RO, Seeking value through Internal Audit, KPMG International, 2016.
[Loon16-2] B. van Loon RA et al, Internal Audit: Top 10 key risks in 2016, Institute of Internal Auditors, 2016, https://www.iia.nl/-kpmg-internal-audit-top-10-key-risks-in-2016/.