Digital transformation is driving change along two fronts. Organizations are using intelligent systems to solve business problems and reduce costs, yet operational complexity is increasing. Moreover, that complexity is a design problem of those systems — organizations need to focus on how people use technology.
In the face of these two factors, internal audit can help its organization retool internal controls and streamline business processes to focus on strategic risks wrought by digital transformation. Many audit leaders are preparing for transformation with strategic hires in data management and analytics to leverage talent across an expanding portfolio of risk. Meanwhile, new regulatory technology tools enable internal audit to set up analytics programs quickly. As internal audit’s role continues to grow, these audit tools will need to evolve to keep pace.
Five technology trends are set to disrupt how internal audit confronts its risk mandates in an age of transformation: audit analytics, robotics, next-generation cloud computing, cybersecurity, and performance optimization. Internal audit will need to leverage these trends to provide leadership and assurance in the emerging digital economy.
Providing insights from data is internal audit’s new value proposition. Auditors are leveraging analytic platforms to provide insights into control performance trends in near-real time. Trends emerging in audit automation include analysis and replacement of rules-based engines with intelligent systems, audit process automation, continuous monitoring, and a focus on deep-data analytics and visualization for better decision-making.
Ideally, analytic platforms reduce the frequency of false positives in data for a more nuanced look at risks than is possible with point-in-time sampling. Analytics engines work well for routine data sets that are well-defined — such as system user-access controls, accounting functions, and process controls — but more advanced systems are needed for complex risks.
Robotics is another way of describing machine learning and artificial intelligence. These smart systems are either completely autonomous or user-directed with inputs from specific data sets to facilitate machines learning routine tasks. This technology already is used in many industries to achieve business efficiencies and provide expert guidance from zettabytes of data.
The obvious advantage of using these tools is they can run behind the scenes to alert auditors to changes in the control environment. The opportunities to automate and refine internal controls may be endless, with advances in robotics and machine learning making organizations more responsive to change. A July 16 Forbes article notes, “Auditors can use cognitive technology to redesign their work so they can conduct analyses of structured and unstructured data in ways not possible just a few years ago.”
Although many businesses are reluctant to move data to third-party providers, cloud computing is accelerating. IT research firm IDC projects global public cloud spending will continue at a 19 percent compound annual growth rate through 2020.
Organizations facing competing mandates, such as data security and cost reductions, have leveraged a suite of cloud services to support these demands. Cloud computing will require internal audit to develop a portfolio of internal controls and distributed controls that function along parallel lines, as well as define a distributed control environment. Distributed controls are virtual in nature and designed specifically for third-party vendors such as cloud and ecommerce providers.
Internal auditors must prepare for a future where data is decentralized among service providers on platforms independent of internal controls within the organization. This paradigm creates a new risk exposure called “robust yet fragile.” Outsourcing increases scale, making organizations more robust for growth yet more fragile to single points of failure. Reliance on a distributed network of third-party providers creates fragility from each relationship. Contractual and service-level agreements are insufficient backstops. Understanding these new points of fragility will require new assurance models.
Managing risks in a distributed data environment becomes even more complex for asymmetric risks such as information security. Cybersecurity is no longer a compliance exercise to ensure that policies and procedures are followed. Internal auditors must become conversant in the greatest vulnerability in cyber risk — the human element.
Vulnerabilities in complex systems exceed simple solutions, and technology alone is not enough. People trust technology, but cybercriminals can easily exploit that trust. As the digital economy expands into trillions of connected networks and devices, internal audit must assess cyberattack vulnerabilities created by unauthorized cloud services and even employee accounts with third-party providers.
Internal auditors must anticipate how digital profiles created in cyberspace result in new vulnerabilities within the organization. This requires a boundaryless security program that educates employees about how their behavior on the internet leads to vulnerabilities inside the organization. For example, dormant personal internet account credentials can be used to socially engineer access to sensitive enterprise systems. Security programs that reward good behavior and reduce complexity serve as better incentives than blanket punitive responses.
The human-machine interaction is not a new risk. Researchers have identified this interaction as the main cause of the cyber paradox in which cyber risks continue to rise faster than investments in cybersecurity. The human-machine interaction risk is a design problem that ignores human behavior. Basic cybersecurity training has raised awareness but isn’t a solution. The problem requires a broader awareness of digital habits that inadvertently lead to unexpected internal vulnerabilities. Internal audit must take a broader view of the control environment that extends to behavioral factors.
Performance optimization is a process that considers user behavior, technology interface, and situational awareness. Situational awareness is the product of sense-making, comprehension, and response. Examples of performance optimization include contract automation, audit analytics, risk assessments, financial reporting, and chatbots.
To optimize performance, organizations should:
- Clearly define the best achievable outcomes.
- Measure progress in incremental steps.
- Use controlled experiments to reduce risk.
- Anticipate and learn from failure.
Internal audit should partner with business owners to establish use-cases for performance optimization that increases efficiency and productivity, reduces risk and uncertainty, and addresses complexity.
A Path Toward Audit Leadership
The era of digital transformation is an exciting time for internal audit to build on the three lines of defense to become a more proactive leader by advising on strategic business performance. Although some internal audit functions have already adopted some of these approaches, it is not too late to catch up and surpass early adopters. Audit analytics is an obvious place to start for some organizations, while organizations that are further along may be adopting more advanced technologies.
The digital economy presents new opportunities for internal audit to create new assurance models. Audit priorities that align with organizational objectives and reduce risk are a powerful combination. Lastly, automation is a powerful tool, but auditors should never underestimate its impact on the people who have to use it.