The sudden onset of the pandemic and the subsequent lockdowns and travel restrictions have upended business around the globe. To navigate the resulting complex and dynamic risk landscape, organizations have no option but to go digital. For the internal audit function too, it has become imperative that it reinvents itself with innovative tools and technologies to stay relevant and meet today’s business challenges.
In Deloitte’s 2020 survey of audit committee chairs and members, 92% of respondents said that IA should provide insights on and help prepare for emerging risks, while 63% said IA should be faster reporting results of their work. The current volatile business environment warrants an agile, flexible, and future-ready internal audit function that can add value to an organization.
Internal Audit: The Digital Transformation Journey
The internal audit function provides valuable insights into the effectiveness of an organization’s risk management, governance, and internal control processes. Before considering what Industry 4.0 technologies to adopt to modernize IA, it is important to have a comprehensive view on the level of maturity of this function, the maturity of the technology being considered, and the associated risks.
- Internal Audit Maturity Level
Identifying the current level of maturity of IA marks the first step of the digital transformation journey. Depending on the level of automation and structure, the Institute of Internal Auditors (IIA) has identified five levels of maturity of the IA function:
- Initial: Scattered policies and processes, high reliance on manual systems and spreadsheet, no data validation, ad hoc audit activities
- Repeatable: Better policies and processes but may not be documented, low reliance on data and information generated from systems, reporting processes are defined but may not be documented
- Defined: Defined and documented policies and processes, greater reliance on information generated from systems, effective use of reporting templates
- Managed: Policies and processes are communicated to personnel, high data integrity, reliable automated reports, continuous monitoring of key data, highly effective reporting, quality and timeliness metrics defined and monitored
- Optimized: Continuous monitoring and updating policies and processes for necessary changes and emerging leading practices, extensive use of data mining and analytics, highly effective reporting, robust succession planning in place
Assessing the level of maturity of internal audit is important as it will help an organization recognize the shortcomings of its existing approach, determine the desired future state, and the technologies that must be adopted towards achieving this goal.
- Bringing Industry 4.0 Technologies to IA
To wade through the pandemic-driven new normal and successfully manage the resulting distributed workforce, internal auditors need to embrace advanced transformational technologies to provide valuable insights and rapid assurance. When talking about Industry 4.0 technologies, the key technologies that have gained considerable traction in the past couple of years include cloud computing, robotic process automation (RPA), AI/ML (analytics), and blockchain, among others.
Implementing these technologies will empower IA teams to continuously monitor and quickly detect risks even in the remote setup, collaborate seamlessly across the three lines, automate the aggregation of risk data, be cognizant of emerging risks, and more. These capabilities, in turn, will help make the IA function more agile and future-ready.
That said, organizations should decide on the technology to be adopted and its level of maturity depending on the business needs and goals. They must determine if the application is relevant to the nature of their business or if they are implementing it just out of the fear of missing out. Ultimately, the primary reason to embark on the digital transformation journey of IA is to add value to top management’s view of business risk and facilitate effective decision making.
- Associated Risks with Technology
When considering implementing Industry 4.0 technologies, it becomes critical for organizations to assess where these technologies are going to create risk and where the risk is going to fall. KPMG has defined four dimensions of risks when it comes to IA:
- Recurring: This is the dominant risk that should be considered on a recurring basis.
- Exceptional: This includes risks that don’t have previous audit history within the organization. IA should aim to provide initial assurance to the key stakeholders as to how these risks are addressed.
- Emerging: Most of the new and emerging technologies fall under this risk. This includes risks and opportunities that may not have clear attention of the organization but may soon become material risks.
- Established: These are the risks that are clearly considered to be the key to the organization and should dominate the IA plan and assurance agenda.
In addition to keeping abreast of the latest technologies and developments, IA practitioners must focus on understanding the impact of digitalization on business and audit processes, and identify, assess and mitigate the associated risks such as cyber risk, third-party risk, and others.
Organizations can simplify the digital transformation of their IA by leveraging MetricStream Internal Audit Management. The product enables companies to drive an agile internal audit program that is not only aligned with organizational goals but also allows to factor in new risks that arise with shifting priorities. In addition, automated processes, real-time reporting, and access to audit data, and analytical tools help auditors to accelerate internal auditing and optimize resource allocation and enable senior management to make faster and well-informed business decisions.