Leveraging technology within Internal Audit Functions

Introduction

Organizations transform, at ever-increasing speeds, and new risks continue to emerge. To continue adding value to their organization, Internal Audit Functions (IAFs) are encouraged to embrace the benefits of technology and data analytics. In this article, we provide a perspective of the future of internal audit, a “technology-enabled internal audit.” We will delve into how a leading IAF could implement technology as part of the internal audit methodology by considering the growth in three base aspects: Positioning, People and Process. Technology will create higher efficiencies, improve effectiveness, identify deeper insights, strengthen data governance and security, and enable IAFs to identify and focus on high priority value-adding activities. Moreover, inspire the trust of their stakeholders, creating a platform for responsible growth, bold innovation and sustainable advances in performance and efficiency of an organization as well as improve IAF attractiveness for students and other new hires.

This article is divided into two parts; the first part will provide background information on the actual and relevant topics in technology for IAFs to understand, identify and leverage the technology, data analytics and their organization’s digital landscape. A roadmap for a leading IAF to grow to be more technology-enabled is discussed in Part II where the basic aspects, Position, People and Process are discussed as viewpoints with a case study of how a pension fund administrator mapped their way to leverage technology.

Part I: Key concepts relevant for internal audit

Many organizations are investing in advanced technologies, such as algorithms and artificial intelligence, predictive analytics, Robotic Process Automation, cognitive systems, sensor integration, drones, and machine learning to automate, labor-intensive knowledge work. Leveraging these technologies is not a matter of keeping up with trends for IAFs. Rather, it is a means to continue adding value to organizations and to meet the expectations of an ever-transforming business environment. IAFs should mirror the evolution of the advanced technologies that organizations are implementing. Figure 1 shows a multilayer mapping for a technology enabled internal audit.

Figure 1. Technology-enabled internal audit multi-layer mapping. [Click on the image for a larger image]

The expanding landscape of technologies is large and multifaceted but can be broken down into four primary categories that lie on a spectrum from simplest to most complex. Next, we will address the following four categories of technologies that can be leveraged by IAFs:

1. Data analytics & business intelligence
2. Process mining
3. Robotic Process Automation (RPA) & intelligent automation
4. Cognitive technology
5. Emerging technologies

1. Data analytics & business intelligence

Data analytics is the science and practice concerned with collecting, processing, interpreting and visualizing data to gain insight and draw conclusions. IAFs can use both structured and unstructured data, from both internal and external sources. Data analytics can be historical, real-time, predictive, risk-focused, or performance-focused (e.g., increased sales, decreased costs, improved profitability). Data analytics frequently provide the “how?” and “why?” answers to the initial “what?” questions often found in the information initially extracted from the data.

IAFs have traditionally focused on transactional analytics, applying selected business rules-based filters in key risk areas, such as direct G/L postings, revenue, or procurement, thereby identifying exceptions in the population data. Leading IAFs are realizing the added value of leveraging business intelligence-based tools and techniques to perform “macro-level” analytics to identify broader patterns and trends of risk and, if necessary, apply more traditional “micro-level” analytics to evaluate the magnitude of items identified through the “macro-level” analytics. Data analytics in internal audit involves (re-)evaluating and, where necessary, modifying the internal audit methodology, to create a strategic approach to implement, sustain, and expand data analytics-enabled auditing techniques and other related initiatives such as continuous auditing, continuous monitoring, and even continuous assurance. See Figure 2.

Figure 2. Journey towards continuous auditing. [Click on the image for a larger image]

The journey from limited IT assurance to continuous auditing – for an IAF involved in financial audits – is visualized above. The IAF will be able to shift its focus from routine transactions to non-routine and more judgmental transactions. At the same time, more of the work performed is being automated. In this journey, the IAF mirrors the developments of the organization itself to optimize the usage of technologies being implemented.

2. Process mining

A fast-growing and value-adding tool is process mining software. Process mining provides new ways to utilize the abundance of information about events that occur in processes. These events such as “create order” or “approve loan” can be collected from the underlying information systems supporting a business process or sensors of a machine that performs an operation or a combination of both. We refer to this as “event data”. Event data enable new forms of analysis, facilitating process improvement and process compliance. Process mining provides a novel set of tools to discover the real process execution, to detect deviations from the designated process, and to analyze bottlenecks and waste.

It can be applied for various processes and internal audits such as purchase-to-pay, order-to-cash, hire-to-retire, and IT management processes. The use of process mining tools to analyze business processes provides a greater insight into the effectiveness of the controls, while significantly reducing audit costs, resources, and time.

3. Robotic Process Automation (RPA) & intelligent automation

RPA is a productivity tool that automates manual and routine activities that follow clear-cut rules by configuring scripts and “bots” to activate specific keystrokes and interface interactions in an automated manner. The result is that the bots can be used to automate selected tasks and transaction steps within a process, such as comparing records and processing transactions. These may include manipulating data, passing data to and from unlinked applications, triggering responses, or executing transactions. RPA consists of software and app-based tools like rules engines, workflow, and screen scraping.

4. Cognitive technology

Cognitive technologies refer to a class of technology, which can absorb information, reason, and think in ways similar to humans. For years, this has been on the uptrend across all industry areas. Organizations are already embarking on implementing cognitive technologies in their key business processes to improve process execution – and with this new reliance on technology, new risks arise on which IAFs must perform audits.

Today’s intelligent automation innovations have the transformational potential to increase the speed, operational efficiency, cost effectiveness, of the IAF’s internal processes, and to empower internal audit professionals to generate more impactful insights, enabling smarter decisions more quickly. Whether or not an IAF chooses to leverage intelligent automation technologies themselves, they are likely part of an organization which requires them to partake in it, giving rise to need for the technology-enabled Internal Audit Function.

Using the data available and adequate understanding of intelligent automation are pre-requisite skills for performing audits and using cognitive technologies. As IAFs further mature in their use of automation tools, they will become better positioned to harness value for their organization.

We conclude with an overview of advantages and opportunities for IAFs to leverage using these. See Figure 3.

Figure 3. Advantages of technology for internal audit. [Click on the image for a larger image]

5. Emerging technologies

Emerging technologies refers to numerous technology relevant for IAF, either as an audit object, or as means to improve the audit processes itself. We have identified the following set of technologies which are relevant and emerging for IAFs.

Algorithms / artificial intelligence (AI)

A broad and comprehensive algorithms and AI-related risk assessment process is essential for data-driven organizations that want to be in control. The question for IAFs is how to organize this risk assessment process. One auditable topic to consider is the organizing accountability for uses of data between data management teams, application development teams, and business users. Another auditable topic is the formation of network arrangements with third parties. An element that is needed for an IAF, is a long list of known AI-related risk factors. And another list of associated controls that can be used to audit those risks from a variety of perspectives within an organization. The first step for an IAF is taking the strategic decision to take a good look at its algorithms and AI-related risks and where they come from. Currently, internal auditors can audit algorithms and provide assurance for AI frameworks.

Machine Learning is a way to teach a computer model what to do by giving it many labelled examples (input data) and let the computer learn from experience, instead of programming the human way of thinking into an explicit step-by-step recipe. Deep Learning is a subfield of Machine Learning, where the algorithms are inspired by the human brain (a biological neural network). We therefore call these algorithms artificial neural networks.

Cloud computing

An architecture that provides easy on-demand access to a pool of shared and configurable computing resources. These resources can be quickly made available and released with minimal management effort or provider interaction. We see that some IAFs prepared key-controls frameworks for the data stored in the cloud and providing assurance over cloud computing.

Internet of Things (IoT)

“The network of devices, vehicles, and home appliances that contain electronics, software, actuators, and connectivity which allows these things to connect, interact and exchange data.” Leading IAFs are using IoT technology for continuous monitoring of maintenance parameters.

Drones

In technological terms, are an unmanned aircraft. Essentially, a drone is a flying robot that can be remotely controlled or fly autonomously through software-controlled flight plans in their embedded systems, working in conjunction with onboard sensors and GPS. Or simply, IoT connects physical objects to the digital world and drones enhance the physical observation methodology remotely.

Internal audit conducts independent reviews, exposes (possible) vulnerabilities and risks and points the way to solutions. Leading IAFs are using drones for inventory reviews on remote locations. In this way, IAFs offer organizations assurance and insights on these emerging technologies.

Based on a global KPMG survey ([KPMG21]), we observed that only a few leading IAFs have the expertise and capabilities to perform audits on all these topics or to integrate these technologies within their own operations. A reference framework or a work program is often lacking. For IAFs, it’s not a question of whether there is a need for auditing; it’s a question of when.

In the next section, we provide a roadmap to the technology-enabled internal audit.

Part II: Roadmap towards technology-enabled internal audit

We will discuss the differences and effects of a technology-enabled Internal Audit compared to a more traditional IAF and why Positioning, People and Process are crucial elements for an IAF embedding technology in its methodology to add value and improve operations in the organization.

The Positioning aspect touches on the positioning of IAFs within the organization, its governance, mandate, independence, relationships, and importantly, access to structured and unstructured data. The People aspect looks at the competencies and the skills of those individuals within the internal audit team, or those individuals at the disposal of the internal audit team. Lastly, but most importantly, the Process aspect considers the various tools, options and solutions that allows IAFs to utilize data effectively and successfully as part of its risk-based internal approach and the audit methodology.

To remain relevant in current times, the end goal for IAFs should be to effectively implement the use of technology in its risk-based approach to auditing. Each organization will have a different journey to get to the end goal; however, considering Positioning, People and Process should be the starting point.

Traditional versus tech-enabled IAF

Traditional IAFs established an annual plan and a long-term plan (year or multi-year plan) which is not or hardly being updated based on emerging risks and developments that may arise. The level of assurance of advisory audit is also dependent on the judgmental or statistical sampling work of the audit team and audit findings are based on partial observations.

A technology-enabled IAF moves beyond the traditional approach to a robust and dynamic planning with data-driven feedback loops between the IAF and the Executive Board or Audit Committee which provide greater insight to assist management decision making on process improvement and control effectiveness. The risk analysis is conducted with input from data analytics, resulting in a comprehensive and risk-based audit plan. Technology-enabled IAF provides better assurance and insights based on testing of the entire population. Auditors are freed up to focus on the quality and more strategic parts of the audit.

Positioning

Positioning refers to whether the IAF is sufficiently structured and well placed (reporting lines within the organizational structure) to enable it to contribute to business performance. In this context, positioning refers to having suitable mandated access to data and the business and the respect of the other departments across the organization.

This would suffice for a traditional IAF, however, organizations should consider a strategy to implement, sustain and expand the use of technology in their internal audits. More importantly, they should consider the added value derived from the use of technologies to derive insights from vast volumes of information, drawn from across the organization and external sources.

Successful IAFs of the future will be positioned in such a way that they will leverage technology to add value to management and the board. This requires transforming the way IAFs plan, execute, report audits, and manage stakeholder relationships.

Positioning a technology- enabled IAF is key within an organization, and not just the use of technology in audits, but also effectively making use of data, existing infrastructure, and the technical capabilities of data analytics software in its processes. Specifically, a technology enabled IAF should:

• be characterized by strong relationships at the highest levels and have a regular presence in major governance and control forums throughout the organization while maintaining its independence and objectivity.
• have a comprehensive understanding of Governance, Risk and Compliance (GRC) framework of the business, including its strategies, products, risks, processes, systems, regulations, and planned initiatives.
• be recognized by stakeholders as a function that provides quality challenge, drives change within the organization and can connect-the-dots across lines of business and functions utilizing technology.
• have an integral role in the governance structure as the 3rd line, which is clearly aligned with the organization’s objectives, articulated, and widely understood throughout the organization; and
• have a defined and documented brand that permeates all aspects of the internal audit department, IAF strategy and is widely recognized and respected both internally and externally.

People

Many traditional IAFs are facing challenges to concretely implement more data-driven procedures into the internal audit process ([Veld15]). Instead of focusing on tools and technology as the entry point for enablement, IAFs should consider the competencies and capabilities that are needed to utilize these tools and technologies effectively.

Technology-driven internal auditing requires a significant amount of critical thinking and understanding of data. Faced with new business processes, auditors must not only be able to quickly understand a new business process and its related data; they must also identify risks that can be quantified and understand how to create analytics-enabled procedures and visualizations of the results which address those risks. For this reason, evaluating and identifying the IAF team’s skills and competencies are fundamental to successful technology-enabled IAF.

Too often, internal auditors have been trained in the next best tool to quickly keep up to date with the speed of changing technologies, without addressing the fundamental purpose for said technologies. As a result, we are all too familiar with participating in training, forgetting most of what was learned or failed to identify the use case in daily work life within a week. Digital awareness is key for internal auditors to identify opportunities to leverage relevant training.

Technology-enabled IAFs have a staffing strategy and talent attraction plan based on their organizational structure, goals, and long-term strategy. Leading technology-enabled IAFs hire employees such as data scientists and create a fully-fledged digital internal audit center of excellence, while it is more common for emerging technology-enabled IAFs to have one or two data analytics and IT Audit specialists in their team.

IAFs that are starting their tech-enabled journey may find it difficult to balance their short-term and long-term staffing requirements. Reliance on third parties – including IT resources from another internal department, a tool vendor, audit/consulting firms or temporary contractors – is a common way to address initial, part-time, or sudden incremental needs. These auditors can enable greater flexibility and be a catalyst for implementing a more technology-driven approach.

Process

A leading internal audit team has a technology-enabled methodology to embed data analytics, IA management applications and GRC solutions into every part of the internal audit methodology and process. To appropriately integrate technology in each step of the internal audit methodology, the IAF should partner with the organization to be able to understand the systems, data or scripts which supports business areas.

Partnerships with Risk & Compliance teams are leveraged to build joint business cases to improve business processes with data in the business. Moreover, a leading IAF team should also cooperate with IT on an operational level, while maintaining its independent role, and understanding the information that needs to be provided to receive the correct data. Each stage of the IAF’s audit methodology can use data, and prioritizing a “data first” approach will provide the required paradigm shift.

To guide IAFs on how to enhance the overall internal audit cycle, we focus on the following key stages (see also Figure 4):

1. Planning
2. Scoping
3. Fieldwork
4. Reporting, monitoring and follow-up.

In addition to this cycle per internal audit engagement, technology-enabled IAF can embark on a continuous auditing way of working. The data output of the preceding audit can be leveraged as input for the next audit.

Figure 4. Internal audit execution process. [Click on the image for a larger image]

Planning & scoping

To succeed in embedding data analytics throughout the audit process, the focus on data analytics is introduced in a risk-based planning phase. To identify points of focus during planning and derive meaningful insights throughout the audit process, a leading IAF should leverage business data, technology, analytics, and external sector relevant factors to:

• Gain data-driven insights prior to fieldwork.
• Enhance audit objectives with digitization of risk assessments.
• Identify risks based and automated KPI calculations and data used for prior reporting; and
• Take an integrated approach including all governance functions to determine a single risk source of truth.

Fieldwork

The technology-enabled Internal Audit Function is not devoid of detailed manual testing. The IAF is aware of this and can identify what technology is best applied when testing controls and mitigating factors frequently with Computer Assisted Audit Techniques (CAATs). The business area, system, and process are the input factors to determine and approach. An experienced tech-enabled auditor assesses this continuously based on availability of data and required assurance. Leading IAFs should:

• Identify procedural weaknesses or critical transactions using process mining, data analytics, or ERP analytics. These create meaningful and insightful observations in the audit execution.
• Harness existing technology to automate audit procedures with prebuilt bots and routines for well-known business processes.
• Apply internal audit management (or GRC) software to create and facilitate their methodology and templates.

Reporting, monitoring & follow-up

Internal audit reports to various stakeholders on a regular basis. This includes reporting of audit results to auditees and senior management, as well as reporting on other generic topics as guided by the IIA Standards. Written reporting is complemented by data-driven dashboards or connected web-based reports for continuous and real-time reporting. Technology empowers the IAF to monitor and follow-up by simply “refreshing” the input data. Leading IAFs should:

• Develop an effective communication plan which could make use of web-based reporting platforms, such as KPMG Dialogue, to deliver reports which are integrated and seamlessly clarify observations with links to follow up action plans and embedded data-driven results; and
• Consider integrated and continuous monitoring reports by visualizing the results of data analysis instead of text-based reporting, for example using PowerBI, QlikView or Tableau.

Conclusion

Organizations are integrating increasingly advanced technologies into their way of working. IAFs are expected to mirror the evolution of organizations to remain relevant, add value and inspire the trust of their stakeholders. Each IAF will have a different journey to improve and innovate to match their organization’s technology-enablement, whereby Positioning, People and Process should be the starting point. Understanding how to Position an IAF that uses technology is essential for IAFs to continue to meet expectations by the organization. Coupled with the correct People with the right competences and skills to drive a technology-enabled audit process. The right skills and competencies are necessary, but not sufficient for an IAF to improve their function with technology. Understanding the relevance for the skills, competencies and technology in the internal audit process is critical to execution.

Where Process includes tools, options and solutions that allow IAFs to utilize data effectively and successfully as part of its risk-based internal approach and the audit methodology, IAFs must seek to keep up with developments in technology which have an impact or can be leveraged in the internal audit process. In doing so, and positioned correctly in the organization with the right people, the IAF will be able to continue to play a vital and relevant role in their organizations. A technology-enabled IAF can contribute to the fundamental shift in perspective and understanding that a dynamic risk environment presents threats and challenges not just to the organization itself, but to all the stakeholders who have an interest in the organization.