Intelligent tools and technologies made their way firmly into the corridors of organizations a good many years ago, with businesses designed to embrace Artificial Intelligence (AI) and Machine Learning (ML) to ramp up productivity and efficiencies. Internal audit — bestowed with critical responsibilities of regulatory compliance, monitoring risks and controls, and corporate governance — pivoted too, recognizing the need to equip itself with these tools. However, internal audit teams across industries have just started to implement Robotic Process Automation (RPA) and use process automation tools in small measure as they embark on the AI adoption journey. Even as retailers, banks, global payment solution providers, manufacturers, media companies and movie advertising networks grapple with voluminous unstructured data, the climb on the AI curve has just about begun.
Disruptions are what industries had learnt to live with, but what COVID-19 brought in its wake is a disruption like no other. So, while internal audit functions had started warming up to these new age technologies to bring in more rigor to their evaluations and assessments, the pandemic brought an extra element of challenge to the mix. The COVID-19 outbreak upended businesses and business processes, making it even more imperative for internal audit teams to imbibe AI, ML and RPA. In addition to the earlier challenge of wading through data deluge and fraud, the internal audit teams will now have to manage increased cybersecurity threats post the pandemic. It is, therefore, an apt time to discuss how the use of transformational technologies such as AI can change the game for internal audit.
In most organizations, the in-house consultants or internal auditors are trying to understand the use of AI. They are looking at processes and operations to see how the technology can be leveraged, what kind of applications are there for RPA, what new risks the intelligent tools and technologies bring, and what the business really needs to be mindful of. Right now, it is all about getting “educated,” so to say. PwC, in a 2018 study, said even for foundational tools such as dashboards or self-service data extraction, many internal audit functions had adoption rates of less than 50% [1]. There is, no doubt, recognition of the fact that data analytics and RPA usually generate benefits for early adopters. And, therefore, the internal audit teams have started to weigh how to marry the data sets and then extrapolate the benefits of AI and layer it with ML. In fact, there are some internal audit functions that are also looking to leverage Natural Language Processing (NLP) for doing large volumes of document review and for getting insights from that in a much more agile manner.
The full-scale AI adoption, when it happens, is likely to be quite a seamless one because of the inherent synergies auditors have with these intelligent technologies. The internal auditors seek ways to increase information security, look at what needs to be done, mull desired outcomes, consider what controls should be put in place, where and what the risks are, and focus on ways to coach management and employees to improve operations and business efficiencies. And it is these attributes of internal auditors that make them analytical thinkers and bring them in sync with AI, which is all about planning, reasoning, problem solving. Transformational technologies such as AI and ML can help assimilate, aggregate and analyze data in the audit space to keep a clear view of risks.
As businesses go through and emerge out of the pandemic, the need for internal audit teams to take some decisive steps in the adoption of digital intelligence and transformational technologies will gain more traction. AI, ML and RPA will allow businesses and their internal audit functions to rise much faster to the challenges of data analytics and risk management. The CACS (Commitment, Access, Capability, Skilling) Framework is one such comprehensive step in the direction.
So, what is it that internal audit teams need to do to accelerate the AI journey?
The need of the hour, of course, is a buy-in from the organization as a whole and from the internal audit team itself. When working with the top management to understand the goals and objectives of the organization, assess their compliance to federal and state laws and policies, evaluate associated controls and assess risks, the four things that internal audit teams need as part of the buy-in are:
Adoption of the proposed CACS framework can well be the inflection point for internal audit, allowing humans to step aside and make way for AI to review the huge volumes of unstructured data.
The new way of doing audit requires singular focus and commitment. The acceptance of new tools and technologies to facilitate internal audit is the first step in the direction of the digital-first mindset. Traditional analytics methods can yield place to simple ML algorithms. The benefits of AI will be best realized when there is a firm commitment to identify areas of internal audit that can be brought under the fold of automation or robotics. And, using analytics to crack complex data sets can even save millions of dollars.
The success of AI implementation in an internal audit function of an organization hinges to a large extent on skilling. Internal staff development and training are, therefore, key because from an organizational perspective it is important to identify where people with the required skillsets sit in the team and then yoke them together for balanced resource allocation. This can, at times, be a challenge because there could be members in the team who joined at a time when technology was much less in use in their jobs and to get them to acquire a digital mindset or to get them trained may be a bit of a task. The key is to leverage existing talent, not necessarily hire new people.
System capabilities are critical for any internal audit as that is where the data integrity drive begins. The whole aspect of data maintenance and data processing starts with understanding the system capability. Be it evaluation of the effectiveness of control systems, auditing of information systems or financial systems, the important point is to comprehend how the systems are going to handle vast volumes of data or vast amounts of processing. For instance, a global payments solution provider could have AI & ML built into its core processing systems and service offerings. And so, one needs to get a sense if there are people in the team that have the capability to understand the technologies and extract the value out of those. There must be that capability in internal audit teams to connect the data dots to tell a relevant story.
Access — be it to data or the right tools — is as crucial as the capability to use it. One of the key challenges internal auditors face is with regard to access as sometimes the process owners are open to let them in and sometimes, they are not. This, of course, is more of a culture or relationship issue than a technological one, but nonetheless very pertinent for AI adoption. For continuous monitoring, getting access to operating systems that process owners are using is certainly a hurdle internal auditors need to cross before they embark on the path to adopting smart technologies.
The CACS framework opens the door to next gen internal auditing.
Are AI, machine intelligence and predictive analytics mere “good to have” for internal audit? No, not anymore. For optimizing audit planning and business improvement opportunities, smart technologies are a must have. As the race to create value heats up post the pandemic, internal audit teams will have to step up their business delivery game. The scope of internal audit in applying the three magical words — assurance, advice and insight [2] — can be expanded further with the adoption of intelligent technologies.
So, how can transformational technologies script this transition journey? And what kind of AI-powered tools can further empower the internal auditors?
There are AI-powered auditing platforms that can analyze a gamut of financial entries and transactions, identify gaps in monetary flows and can help recognize areas of highest risk of material misstatements. As accuracy and speed become the buzzwords on audit street, reliance on tools that provide analytics and predictive analytics will gain more traction. AI-powered tools help zero in on incorrect amounts, excessive spending, suspicious merchants or help discover duplicates at a much faster clip. Such tools are very important in audit delivery as well as in risk assessments. The days of data-driven audit planning have arrived and are here to stay.
Although these are early days of AI adoption by internal auditors, let us look at some of the audit spaces where AI has started making inroads.
For companies that are working with third parties, such as those that are processors for credit card transactions, AI and ML can work wonders for fraud detection. There is a need for audit from an authorization perspective. Therefore, third-party risk management and vendor oversight are some of the areas where AI and ML can be used in abundance. ML can ramp up speed and quality of audit substantially, thereby bringing with it sizable dollar value.
Capturing data and then giving insights to organizations on how that data can be used both defensively and operationally is possible through use of AI. While some internal audit teams have started using bots for SOX compliance testing, some that are in the business of movie advertising are using AI for scheduling showtimes, inventory placement for ads, etc. AI tools can also help audit teams track network events and analyze the attributes of those events or what they are attempting to do. ML, on the other hand, can identify threats from a cyber risk standpoint and has the potential to reduce the number of threats to a few hundred from a few thousand a day.
Automated processes for document requests and retrievals have been in place for a while. That’s kind of the low-hanging fruit. Where the focus can shift essentially now, from an audit perspective, is RPA. When teams perform a division audit, it would be prudent to specifically look for opportunities to link it to RPA for a wider audit coverage. Forecasting, such as attendance in movies, is also a potential area of AI growth that auditors can explore. What audit can also use AI for is to identify and track contracts – right from the inception when they are in the proposal stage through to revenue recognition.
Internal audit would certainly need to embrace AI for better project scoping and ROI, but can risks emerge due to these new technologies? If so, then how does it change organizations’ risk profiles? They do and these are food for thought for the auditors. One critical part of the job of internal audit teams now will be to understand the risk profile of AI and work on mitigating those risks as well. After all, at the heart of all audit work is the necessity to understand inappropriate use of data and threats to cyber security. For enhancing business deliveries, auditors have to show dexterity on the defensive (cyber security) side as well as on the operational side. AI would have to be used not just for tactical purposes, but also for strategic ones.
And when that is established, the next step would be to take AI to scale, although with due caution.