As enterprise risk management (ERM) programs continue to mature at organizations around the world, internal auditors are now facing a new challenge. Technology risks are evolving and changing so rapidly that it is difficult for management to assess the new threats and adjust its strategies to manage and mitigate them. Applications that use disruptive technologies, such as artificial intelligence, advanced robotics, 3D printing, blockchain, and the Internet of Things, are being designed quickly and often generate new high-growth markets. Internal auditors are struggling to stay abreast of the most recent developments and identify new internal controls that add value.
Additionally, the exponential growth of computing power has enabled organizations to capitalize on the use of mobile devices and leverage the ubiquity of the internet to reach their markets almost instantly. While this is an exciting and challenging opportunity for marketers and business managers, it has injected new risk considerations for internal auditors.
Digitalization of data has created opportunities to improve data analytics, use algorithms to facilitate cognitive intelligence, and create bot applications that perform automated tasks. The essence of the risks and controls has not changed as much as the underlying technology. The processes still need to adhere to organizational policies and procedures, change management practices are still a vital component in transitioning to new tools and processes, and system and access controls must be enforced.
However, some controls that were important in the past now take on a new level of criticality. Automated algorithms result in less transparency of the underlying process. When data is used and shared through these processes, accuracy and completeness become a necessity. An organization needs very specific controls to ensure a bot does not proliferate erroneous data. Information security and access control processes must treat the bot as if it were a person and only allow access to appropriate data. Checks and balances must be integrated into the process to ensure the results are accurate, service level agreements are met, and contracts are adhered to.
Advanced materials, 3D printing, and autonomous vehicles are other advances that are transforming the business landscape. New businesses created by these technologies need to follow established governance processes and design risk management and internal controls into their business processes. As entirely new markets and products are developed, it is important that risk managers and internal auditors are involved proactively.
Many applications using the cloud and the internet are being transformed by another new underlying process called blockchain. Blockchain is a distributed ledger that maintains a shared list of records. Each of these records contains time-stamped data that is encoded and linked to every other previous transaction in that chain of transactions. The decentralized and distributed storage of these records provides visibility to everyone in the network and ensures that no single entity can change any of the historical records. While blockchain is already being used in numerous applications, most notably digital currencies, many other industries are exploring the technology. Banks are testing cross-border financial transactions, and there is much speculation about the potential to use blockchain to eliminate the middle man in real estate deals, contracts, stock purchases, and other similar transactions. If blockchain is effective at eliminating intermediaries, the new business model will expose all the transacting parties to new risks, which were previously being managed by the middle man.
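The linking and replication described above can be shown in a few lines. This is an added example, not part of the original article: the record fields, the use of SHA-256, the node names, and the function names are assumptions for illustration, and real blockchains add consensus and signatures on top.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # stand-in "previous hash" for the first record

def record_hash(rec):
    """SHA-256 over timestamp, data and the link to the previous record."""
    body = {k: rec[k] for k in ("timestamp", "data", "prev_hash")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append(chain, timestamp, data):
    """Add a time-stamped record that commits to its predecessor's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"timestamp": timestamp, "data": data, "prev_hash": prev}
    rec["hash"] = record_hash(rec)
    chain.append(rec)

def first_invalid(chain):
    """Index of the first record that fails verification, or None if intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(rec):
            return i
        prev = rec["hash"]
    return None

def divergent_nodes(copies):
    """Nodes whose latest hash disagrees with the majority of copies."""
    heads = {n: c[-1]["hash"] for n, c in copies.items()}
    majority = Counter(heads.values()).most_common(1)[0][0]
    return sorted(n for n, h in heads.items() if h != majority)

def demo():
    ledger = []  # constructed sample transactions
    append(ledger, "2024-01-01T09:00:00Z", {"from": "A", "to": "B", "amount": 100})
    append(ledger, "2024-01-01T09:05:00Z", {"from": "B", "to": "C", "amount": 40})
    append(ledger, "2024-01-01T09:10:00Z", {"from": "C", "to": "A", "amount": 15})
    copies = {n: json.loads(json.dumps(ledger)) for n in ("node1", "node2", "node3")}
    # node2 alters a historical amount and leaves the stored hashes untouched.
    copies["node2"][1]["data"]["amount"] = 4000
    # node3 alters the same record, then recomputes every later link.
    chain3 = copies["node3"]
    chain3[1]["data"]["amount"] = 4000
    chain3[1]["hash"] = record_hash(chain3[1])
    chain3[2]["prev_hash"] = chain3[1]["hash"]
    chain3[2]["hash"] = record_hash(chain3[2])
    return ([first_invalid(copies[n]) for n in sorted(copies)], divergent_nodes(copies))

if __name__ == "__main__": print(demo())
```

The edit on node2 fails its own chain verification at the altered record. The fully recomputed chain on node3 verifies cleanly and is exposed only by comparison with the other copies, which is the control that distributed storage provides.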
Audit's Effect on Disruption
There are several ways internal auditors can help manage the effect of disruptive technologies on their organizations. By focusing on assurance, providing insight to management, and demonstrating proficiency and expertise in new technologies, internal auditors will be able to contribute significantly to the overall success of their organizations.
Focus on Assurance. For many years organizations have been encouraged to focus on what they do best. That is wise advice for the internal audit profession, as well. By continuing to focus on governance, risk, and internal controls, auditors can help ensure processes are designed and operating effectively. Regardless of the nature or tempo of the changes, auditors will then be able to fulfill their mission. Moreover, proactively helping their organizations anticipate emerging risks and technological changes can position internal audit as an authority and help prepare the organization to respond to disruptive events.
Engage With Stakeholders and Subject-matter Experts. By aligning with the expectations of its key stakeholders and working closely with subject-matter experts who are implementing disruptive technologies, internal audit can be focused on the most relevant and significant issues. For example, cybersecurity and data privacy are topics that every organization is managing. Identifying trends that will affect the organization, and collaborating with and providing insight to their stakeholders, can enable internal audit to significantly affect the business agenda.
Invest in Training on Disruptive Technologies. More than ever, internal auditors must constantly pursue training to learn about new technologies and the complex and emerging new risks being introduced into their organizations. Additionally, chief audit executives need to focus on developing an adaptive, flexible, innovative staffing model. This new model must tap into a highly specialized talent pool that has the technological competence to rapidly understand and leverage new tools, techniques, and processes.
Put New Technologies to Work. Perhaps the most important thing auditors can do to prepare for technological innovations is to embrace and leverage new technologies in their own work. Internal auditors need to be at the forefront of adopting artificial intelligence, cognitive computing, and smart robots. Auditors need to completely understand how technologies like blockchain work and how they can be used in their organizations. They must take advantage of machine learning and data analytics in their audit processes. Moreover, continuous auditing should be the standard default for new audit routines, and real-time auditing should be a requirement as organizations implement new business processes.
An Audit Upgrade
Just when organizations were getting a handle on ERM, the threat of disruptive technologies has arrived and will affect every organization regardless of its size or objectives. When Gordon Moore observed in 1965 that the number of transistors on an integrated circuit had doubled every year since transistors were invented, one doubts he imagined that exponential growth would continue for more than 50 years. As computing power increases, technology becomes more mobile, data becomes more accessible and usable, and new competitors capitalize on the opportunities that arise. Risk managers will have to assess emerging threats consistently. Internal auditors will need to respond to those threats with new and better ways to perform audits and redesign their own processes — or they may face disruption, themselves.