Auditors know they need to adopt new technologies to continue adding value, but that’s easier said than done. There are a number of technology, team, and governance considerations necessary to develop a tech-aware audit function.
How, exactly, does one build a more agile, tech-aware audit function? What new audit technologies are necessary? How will these technologies change audit plans and activities? And what about the governance of this brave new risk assurance world?
Audit leaders must understand that better analytics, robotic process automation (RPA), and artificial intelligence (AI) are essential technologies. The revolution rolling over the horizon is transformative: audit functions will be able to do new things.
On the far side of that revolution, audit leaders will be at the helm of more agile, responsive audit functions. This will help provide the sharper risk assurance boards and the C-suite demand. Internal audit functions will be able to add value to the whole enterprise.
Still, what’s the roadmap to get to this tech-aware audit function?
Technology changes that must happen
First, audit functions need to move away from time-consuming manual approaches to SOX compliance and controls testing and toward automated monitoring. But research shows that’s not easy. A Protiviti survey of more than 1,100 audit executives found that the hours devoted to SOX compliance in 2017 increased more than 10%.
Part of that is due to specific financial reporting challenges, like the accounting standard for revenue recognition. Another part is due to organizational complexities like merger integration or outsourced business processes. Audit firms, under pressure to be more skeptical and demand more data, are another cause.
The necessary technologies—RPA, advanced analytics, data visualizations, machine learning—definitely aren’t secrets. But they are still relatively low on the adoption curve. In the Protiviti survey, 11% of respondents use RPA; 8% use advanced analytics and visualization; and only 2% have implemented machine learning.
That means there is tremendous future potential for internal audit functions to transform their risk assurance capabilities. But, yes, we still have lots of groundwork to do today to build the foundation.
For example, if we want to build a world of diverse data analytics, then robust data governance becomes crucial. Audit leaders will need to work with business process owners in the first and second lines of defense to define the data that gets created in a digital business process.
Audit leaders will also need to work with business units on how to automate the extraction and migration of enterprise-wide data from business systems into the preferred analytics or RPA tools.
“We know how to build a better audit function, but we haven’t codified how much trust other stakeholders can put in the results.”
Team changes that must happen
Adoption of these new technologies is generally low because audit teams don’t know what to do with them. The technologies are dazzling—but how can an audit team of real people, monitoring real risks, take full advantage of them?
That’s going to require thoughtful planning and incremental change. Audit leaders will need to bring together people with the right expertise: data analysts, business process users, and cybersecurity professionals. These skills must then be converted into reliable audit practices that will deliver assurance to the board.
Rush headlong into that effort, and all sorts of mistakes could arise. A business risk might be misunderstood, for example, leading to an automated process that doesn’t generate the right data. That’s the fundamental challenge: these technologies will operate at tremendous speed, from whatever starting point you place them. So, identifying the correct risks and objectives, and developing the best audit procedures using those technologies is critical.
Governance changes that must happen
The issues of bringing together the right talent and technology for a more agile risk assurance function, bring us to the next challenge audit leaders need to contemplate.
Who runs all this? Who will declare these new risk assurance capabilities reliable? Right now, nobody knows. For example, data analytics, RPA, and machine learning deliver multiple benefits to GRC professionals. And these technologies are starting to slowly be adopted. But no standards exist yet for how to gain assurance over the technologies themselves.
So how would an external auditor gain comfort with the effectiveness of a new monitoring control, for example? Audit the source code? Perform its own testing at the client’s expense? Use its own AI and visualizations? But what if its AI and your AI reach different results?
The audit profession has no clear answers to those questions yet. The Public Company Accounting Oversight Board (PCAOB) is researching if an audit standard for this is necessary, but when any standard might arrive isn’t clear.
“There is no scenario where better risk assurance becomes less necessary. We simply need a clear-eyed understanding of what it entails.”
So, audit leaders will need to consider how they negotiate this terrain with external auditors, the C-suite approving new audit technology investment, and colleagues in the business units who will work more intimately with the risk assurance mechanisms created.
Consider two statistics from PWC’s 2018 State of Internal Audit report. First, 53% of audit executives reported using dashboards; and 33% share those across other business functions. Second, those same survey respondents say those numbers will jump to 85% and 71% in 2020.
In other words, internal audit functions already are embracing next-generation technology. There is no scenario where better risk assurance becomes less necessary. We simply need a clear-eyed understanding of what it entails.
How success looks in the tech-aware audit function
Above all else, a board of directors wants to preserve the organization’s ability to create value. The implicit assumption there, however, is that the organization can recognize what a threat to that ability looks like and respond accordingly.
That’s risk awareness. Boards—and senior managers and business operations leaders, for that matter—don’t just want confirmation that business activity is efficient or in compliance with the law. They want to know that the organization can respond to changing business conditions quickly, if not immediately.
The technology exists for internal audit leaders to build that risk-aware capability, and the audit function itself is supremely well-suited to the job. That task will require new collaborations with talent both inside and outside the enterprise, and a thoughtful strategy for taking all those resources and forging them into a next-generation audit function. It will take competency and deliberation, magnified by technology. Regardless, this future is coming. That’s one fact we’re all already aware of.
eBook
Future-proofing internal audit
Explore the technologies that CAEs and internal audit teams must adopt to future-proof the audit function. Learn about:
- Audit's role in cyber risk mitigation
- Establishing strong data governance
- Shaping the future of audit with data analytics
- Machine learning and robotic process automation.