Diverse use of Data Analytics (DA) and Robotic Process Automation (RPA) is not unknown in this data-driven world. Even though the number of businesses leveraging analytical tools to unleash the power of big data is over 50% of the industry, there are still a significant number of business areas or functions which steer away from this advancement. The internal audit function is one such area, with relatively untapped potential for analytics, as it is still trying to explore the extent of its applicability and usefulness.

Challenges in the line of duty

Because internal audit is the third and final line of defense, it is key to prevent any business anomaly or risk from appearing unnoticed or slipping past a Chief Audit Executive’s (CAE) field of vision. Adapting to a world where decision making relies on data-driven technology does not appear to be an easy proposition for CAEs.

Expectations from a CAE have risen to a different level: swifter detection of risks, red flags for process anomalies, caution for fraud, and continuous control monitoring are table stakes in the line of duty. As the gatekeeper of the final defense, internal audit evaluates risk management, the compliance function, and all the other governance processes. And this is precisely where data has a significant role to play. Performing all these activities without any data intelligence aggravates the challenges. Auditors are used to sampling methods, extrapolating the results and treating them as issues, whereas the problem might lie within the hidden data. If you dig deeper you might be able to get to the root cause of the problem. The recording and visualization of metrics and review of every bit of data is pivotal to achieving success.

Now, why do we deem RPA and DA to be a necessity for CAEs? Because this is not about the future; these technologies are relevant and very much being leveraged in the present. The tsunami of technology has taken over and it’s the world of big data where a lot of exciting things are happening! Everything we know of will become redundant and technology will take over; in fact, it has already started to do so. CAEs need to think and reflect on what can be done to stay relevant.

Strategy for Technology Acceptance

What can CAEs do to innovate, improve, and add value to the organization? As an auditor needs to connect constantly with the audit committee, the board, peers, the risk committee, the regulators, and stakeholders, communication is key. Nowadays no one is interested in knowing the sample size; every piece of data is important, and they need assurance that no data within a process has been overlooked. DA and RPA come into the picture to help derive value from the volume of data in such scenarios.

It is equally crucial to understand your expectations from such technological assets so that technology does not ruin the objective. To cite a few examples in which business functions are leveraging analytics: many financial organizations utilize algorithmic trading to sell or buy commodities, as the system shows which clients are more likely to trade at given data points based on historical behavior; and human resource functions leverage in-built algorithms to select candidates. In fact, a lawsuit was filed against an applicant tracking system (ATS) for an unknown glitch in the algorithm where it would not pick any profile of women with strong professional backgrounds for a higher position. Hence there are cases where the in-built algorithms might not be what was needed, and that is one of the challenges for auditors to focus on.

Taking the Leap

So, what steps can we take to make the giant leap in safeguarding the organization?

First, it is essential to understand the business objectives of your organization, which would grant you the flexibility to align your activities to the end goal. Take stock of requirements and develop a well-defined strategy for innovation.

Equally significant is to understand the capabilities and skill matrix of the present group of auditors within the organization at a global level, to understand how relevant they are in the current scenario. Based on this assessment, introduce training programs to enhance their skills and keep them relevant. Ensure they have the business knowledge on the basis of which they can classify the technology or software being leveraged, along with the pattern of data flow, to arrive at the results.

CAEs need to build an infrastructure which not only supports the deployment of the automation technology but also facilitates ongoing maintenance and mitigation of any risks arising out of this.

Finally, a prototype of the operating model needs to be developed so that any variations in people, process, or technology can be linked or changed, to adjust with the current state. The new model should be a natural extension to the existing work model. But it is equally important to consider when and where the intervention is required.

The Road Ahead for CAEs

As we take stock of the progress made in the past few years, we realize that organizations are seriously analyzing and accepting the immense advantages of these artificial intelligence and machine learning tools and moving ahead of the curve with RPA and DA tools. These disruptive technologies continue gaining acceptance from early adopters, as they prove their capability, reaping benefits across the complete internal audit lifecycle. Organizations are stepping up to implement a systematic approach that considers the operating model, infrastructure and applicability across the IA lifecycle, and gradually launch pilot projects.

The most important aspects of adopting an automated analytical technology are:

  • Automation – moving from manual to automated testing, avoiding repetitive tasks and ensuring that all the key controls are automated, helping focus on the analysis of any deviations.
  • Population – no more depending on sampling techniques or finding that any important data is missed, hence the creation of a comprehensive data reservoir, making it completely reliable, adding value to the organization.
  • Identification – identifying the repetitive areas and number of audits, both local and global, identifying and aligning the controls to multiple audits at different locations.

It’s time that auditors balance their responsibilities, stay more vigilant and engage proactively, as organizations adapt to disruptive technology and the second line of defense remodels its approach to control neutralizations and tests. This will help CAEs gain more confidence as an assurer and focus on risks associated with these technologies, to keep the board abreast of the emerging risks and provide assurance that these risks are being addressed adequately.