Developing a tech-aware audit function
How do companies build a more agile, tech-aware audit function? What new audit technologies are necessary? How will these technologies change audit plans and activities? And what about the governance of this brave new risk assurance world?
Audit leaders must understand that the latest analytics, robotic process automation (RPA), and artificial intelligence (AI) are relevant and essential technologies. The revolution rolling over the horizon is transformative, leading the IT Audit specialists and internal auditing team to be able to do new things.
Audit leaders will be at the helm of more agile, responsive audit functions on the far side of that revolution. This will help provide sharper risk assurance boards and the C-suite demand. These changed internal audit functions will be able to add value to the whole enterprise.
Still, what’s the roadmap to get to this tech-aware audit function?
Technology changes that must happen
First, audit functions must move away from time-consuming manual approaches to SOX compliance and controls testing and toward automated monitoring. But research shows that’s not easy. A Protiviti survey of over 1,100 audit executives found that the hours devoted to SOX compliance in 2017 increased by more than 10%.
Part of that is due to specific financial reporting challenges, like the accounting standard for revenue recognition. Another factor is organisational complexities like merger integration or outsourced business processes. Audit firms, under pressure to be more sceptical and demand more data, are another cause.
The necessary technologies, RPA, advanced analytics, data visualisations, and machine learning aren’t secrets. But they are still relatively low on the adoption curve. In the Protiviti survey, 11% of respondents use RPA, 8% use advanced analytics and visualisation, and only 2% have implemented machine learning.
That means there is tremendous future potential for internal audit functions to transform their risk assurance capabilities. But, yes, we still have lots of groundwork to do today to build the foundation.
For example, robust data governance becomes crucial if we want to build a world of diverse data analytics. Audit leaders must work with business process owners in the first and second lines of defence to define the data created in a digital business process.
Audit leaders will also need to work with business units on automating the extraction and migration of enterprise-wide data from business systems into the preferred analytics or RPA tools.
“We know how to build a better audit function, but we haven’t codified how much trust other stakeholders can put in the results.”
Team changes that must happen
The adoption of these new technologies is generally low because audit teams don’t know what to do with them. The technologies are dazzling, but how can an audit team of real people monitoring real risks thoroughly exploit them?
That’s going to require thoughtful planning and incremental change. Audit leaders must bring together people with expertise: data analysts, business process users, and cybersecurity professionals. These skills must then be converted into reliable audit practices that will deliver assurance to the board.
Rush headlong into that effort, and all sorts of mistakes could arise. For example, a business risk might be misunderstood, leading to an automated process that doesn’t generate the correct data. That’s the fundamental challenge: these technologies will operate at tremendous speed from whatever starting point you place them. So, identifying the right risks and objectives and developing the best audit procedures using those technologies is critical.
Governance changes that must happen
The issues of bringing together the right talent and technology for a more agile risk assurance function bring us to the next challenge audit leaders must contemplate.
Who runs all this? Who will declare these new risk assurance capabilities reliable? Right now, nobody knows. For example, data analytics, RPA, and machine learning benefit GRC professionals. And these technologies are starting to be adopted slowly. But standards still need to be created to gain assurance over the technologies themselves.
So how would an external auditor gain comfort with the effectiveness of a new monitoring control, for example? Audit the source code? Perform its testing at the client’s expense? Use its own AI and visualisations? But what if AI and your AI reach different results?
The audit profession still needs to provide clear answers to those questions. The Public Company Accounting Oversight Board (PCAOB) is researching if an audit standard for this is necessary, but when any standard might arrive isn’t clear.
“There is no scenario where better risk assurance becomes less necessary. We need a clear-eyed understanding of what it entails.”
So, audit leaders must consider how they negotiate this terrain with external auditors, the C-suite approving new audit technology investment, and colleagues in the business units who will work more intimately with the risk assurance mechanisms created.
Consider two statistics from PWC’s 2018 State of Internal Audit report. First, 53% of audit executives reported using dashboards, and 33% shared those across other business functions. Second, those survey respondents say those numbers will jump to 85% and 71% in 2020.
In other words, internal audit functions are already embracing next-generation technology. There is no scenario where better risk assurance becomes less necessary. We need a clear-eyed understanding of what it entails.
How success looks in the tech-aware audit function
Above all else, a board of directors wants to preserve the organisation’s ability to create value. The implicit assumption there, however, is that the organisation can recognise what a threat to that ability looks like and respond accordingly.
That’s risk awareness. For that matter, Boards, senior managers, and business operations leaders don’t just want confirmation that business activity is efficient or complies with the law. They want to know that the organisation can respond to changing business conditions quickly, if not immediately.
The technology exists for IT auditors and internal audit leaders to build that risk-aware capability, and the audit function itself is supremely well-suited to the job. That task will require new collaboration with talent inside and outside the enterprise and a thoughtful strategy for taking all those resources and forging them into a next-generation audit function. It will take competency and deliberation, magnified by technology. Regardless, this future is coming.
Please keep a look out over the coming weeks as we share more articles on building tech-aware audit teams.