Technologies such as artificial intelligence (AI) and robotic process automation (RPA) seem a sure way of revolutionizing the value that internal auditors can add to their organizations. But for auditors working in small departments, the budgets to implement such programs are often out of reach.
Does that mean the days of the small audit function are numbered? Will businesses outsource their audit departments to more technologically enabled consultants to enhance returns on their audit investment? Anecdotally, that seems unlikely — the small audit approach is thriving. Its practitioners are vigorous innovators often working within tight budgets. Squeezing every dollar out of their IT programs is critical, so team members use each application to its maximum capacity. There has to be a rock-solid business case for investing both time and money into new audit technologies — and, if there is, audit committees are supportive. Through innovative techniques and keen attention to stakeholder needs, many small audit functions are making the most of the technology tools at their disposal.
“Small audit shops generally innovate within tight constraints,” says Ross Wescott, principal at consultancy Wescott & Associates in Portland, Ore. “They do so by using what they have differently and, if necessary, bringing some new processes to the table. Every new audit innovation should add value to the business while enhancing the audit process itself.”
Wescott says innovation is a mindset that all auditors would do well to adopt — in both small and large teams. Giving themselves permission to innovate is often the biggest step internal auditors need to take — as well as accepting that some initiatives will fail. To be effective, innovation needs to be closely tied to both the needs of the business and to the technological environment the auditor is working in.
“You would perhaps be surprised, but most IT shops and companies are not very technologically advanced — that is, they are not on the leading edge of technological innovation.” Wescott says. “In the majority of companies, IT lags behind the business’ strategy. The success of an auditor’s IT processes depends on how well they fit their clients’ own infrastructure.”
That does not mean audit functions in all highly digitalized businesses need to adopt the latest technology trends. Wendy Cooper arrived at the U.K. FTSE 250-listed company Sanne Group plc, London, in January as its internal audit director. Sanne Group is investing in internal audit by developing best practices and growing the team from three members to six. But Cooper is not investing heavily in the latest audit technology.
Cooper says Microsoft Office products such as templates in Word and Excel are adequate tools for most small internal audit functions. The former she uses for planning and drafting reports; the latter for the audit team’s risk and control matrix work and for tracking management actions on the team’s recommendations. Having worked at the global Lloyds Banking Group, she has used custom audit tools and understands they can be useful in coordinating the work of dozens of audit teams in multiple locations. But she thinks it is overkill for a small team — not least because it requires hours of audit time to keep them up to date.
In addition to her chosen tools, Cooper uses the business’ IT systems to download data and select samples to be audited. Those systems may be off-the-shelf packages or custom in-house IT systems. Both depend on people within the business helping the audit team.
“You have to build up good relationships and remain independent at the same time,” she says. That can mean audit staff sitting with the IT expert when requesting data and being there when it is collated. The approach has worked well for Cooper, and she is establishing links with the best people in the business with such IT knowledge.
She expects all internal audit staff members to be able to test IT controls and to be tech savvy. But for specialist reviews, such as on cyber risk, and for auditing complex financial applications, Cooper has built a co-sourcing relationship with a consulting firm. She says that if the need for specific IT audit skills increases, she would consider adding a more specialized IT auditor to the team.
Auditing With Purpose
David Givans is the one-person audit function at Deschutes County Administration in Bend, Ore. The county’s data is spread across the organization, usually in discreet silos, and like Cooper, he has to work with business managers to access and analyze data from disparate programs. He says auditors in small functions need to have a “very strong charter” to ensure they have the authority to access the data they need.
As county internal auditor, he deals with a wide range of government departments. In 2018, internal audits have included, for example, a health report on the inmates of the county’s jails, a controls audit over $10 million of revenue from solid waste disposal franchises, and a follow-up report on its recommendations to the Fairs and Expo team at the county.
Givans uses a mix of data mining tools and Excel to perform his audits, but understanding what he wants the technology to do is paramount. “I don’t let the technology drive what I want to do,” he says. “I have a personal passion for data and analysis, and I’ve been pretty resourceful with the data mining tools I have. But it has to be used for a purpose. I want it to help me tell a compelling story in my audit reports.”
He has recently been adding infographics to help him synthesize the data and bolster the arguments that he needs to make. Using such tools is not only an effective way to communicate his findings, but it underlines to the audit committee and to management the benefit those audit technologies provide. In fact, some of the county’s departments are keen to use Givans’ analytics tools. “That’s the perfect outcome,” he says.
Knowledge and Maturity
Auditors need to know their tools inside and out to be able to focus on the questions they want to ask. “The challenge in applying a technology tool is to get to a point where you can do critical thinking with it,” Givans says. Training courses are effective for learning the nuts and bolts of specific systems, but often do not address how to use those programs in the auditor’s own environment. “A tool can help you ask questions you feel need addressing, but you must understand how it can be used to come up with an answer for your organization,” he says.
Using a limited number of audit applications can be a virtue. Taking a deeper dive into existing technologies can prove more effective than adding new software programs, which often have a steep learning curve associated with them, Givans says. “If you have a week’s training course on a software package, you need to use that knowledge — otherwise, you will lose it,” he adds. Givans aims to apply the tools he has on every audit so they provide maximum value to both the audit function and the administration.
But how do small functions know whether they are keeping pace with how they should be using technology? It is not easy, says Grant Houle, director of audit at the Mohegan Tribe, which owns Mohegan Gaming and Entertainment in Connecticut. Houle’s seven-person audit team serves the central office in the state. He describes the audit tools that it uses as being “well along the maturity scale” because of the continuous resources and commitment the team has dedicated to its model. “You have to put the time and resources into the tools you have chosen to make sure you get the objectives you defined when you decided to increase your IT capabilities,” he says.
The team is heavily involved in using data analytics and the automation of internal audit processes, such as workpapers, time keeping, and risk ranking. As is typical for a smaller function, it has not dipped its toe in the water with more experimental technologies, such as AI. Houle prefers not to. When he meets other audit executives who have invested in such technologies, he often discovers that they are underused if the company has made the financial investment but has underestimated the time commitment to see it through. Even electronic workpaper solutions, which have been around for decades, will be little more than repositories if the time is not invested in the core process and behavior changes to get value from the technology.
Keeping the team’s capability mature is a “work in progress,” he says, because the business is expanding rapidly. Mohegan Gaming and Entertainment has centers in Pennsylvania, Washington state, Louisiana, and New Jersey; a second flagship property under development in Seoul, South Korea; and a new development it is adding next year in Niagara, Ontario. Houle assesses the maturity and fitness of any audit capabilities and tools at each of the new properties that comes on board. That can mean either setting up audit from scratch, or enhancing existing tools, if needed. So far, there are three additional auditors based outside of Connecticut in the wider team — but that is likely to grow.
Houle has been innovating his audit capability by finding ways to work with the second line of defense. Although his team has done whole population testing with its analytics software, a key focus that has paid dividends recently is continuous monitoring with automated processes. Under the group’s loyalty scheme, players can earn points. On the gaming tables, the way patrons earn these points has a manual side to it — handling playing cards and tracking play for the purposes of earning points. But a lot of data is also collected from real time play, such as from security cameras. The audit team extracts the tracking data files and the scripts they have developed analyzes them for what may be considered red flag incidents on the tables and passes the results of that analysis on to the second line of defense surveillance group. The surveillance team then corroborates the red flag incidents with visual evidence to assess whether there has been genuine gaming errors or potential fraud.
“Our job is to make sure we focus on the most valuable red flag incidents, because the surveillance team needs to physically watch the video material in real time for each one — and there may be 200 in a single day,” Houle says. He estimates the continuous monitoring software cost as only about 10 percent of the total project budget — the rest is allocated to the time his team has spent in making sure they get the appropriate value from the objectives they have set.
With such a success under his belt, Houle is seeking to take the model his team developed on the gaming tables and to innovate audit processes in other parts of the business. Moreover, like Cooper, he is continually keeping abreast of developments in the organization itself to understand if those systems can be better exploited by the audit team.
“I don’t just want to see what is happening on the shop floor,” he says. “I want to be plugged in earlier than that — where are we transitioning to the cloud, for instance, and what does that mean for us?” For example, so-called stadium gaming is becoming popular. A physical dealer remains present, but up to 70 people can play the game and place bets via live video links to the internet. Houle says the process is less risky for the casino because, for example, the risk of marking cards or stealing chips is minimal. On the other hand, IT security risks may increase. Houle makes sure he is at those early meetings to understand the new processes and how his team may be able to help.
Michael Levy is the director of internal audit for Student Transportation in Wall, N.J., a multinational school bus contractor. While keeping a close eye on changing processes at his company, his team of five uses a variety of tools including data analytics, visualization, project management tools, cloud document repositories, and collaboration tools. “It is great to have the ability to use data visualization and analytics, but we as a profession need to make sure we are speaking to our audience and using their language,” he says. “Depending on the project, it sometimes can be better to have those tools used in the background — otherwise you can alienate people.” In addition, he says audit teams need to consider organizational maturity levels to ensure that they do not too far exceed the cultural norms of their organizations. “If we get too far ahead, that could be perceived as a negative,” he says. “We want to be sure as auditors that we do not head down a path that the organization will not perceive value from.”
Although he expects all team members to be conversant with data analytics — someone should be the champion — Levy says that interpersonal skills are also critical for success. “To be successful, we have to be professionals who can facilitate change in the organization and not just manipulate data,” he explains. “That requires relationship building and social skills.” Daily interaction with management helps his team members keep their fingers on the pulse of the organization and be proactive in delivering meaningful change, which data analytics can often help do.
He says he values the efficiencies that the effective use of audit technologies can bring. Automating workpapers, for example, and the process for sending out audit requests has saved his team many hours. However, when he is attending conferences and networking events, he is on a constant lookout for how to use both new and existing tools more intelligently and strategically.
As technologies such as AI and RPA become mainstream, small audit functions will most likely use them where the business case is strongest. Audit committees and management are likely to support those efforts because returns will be demonstrable. As Levy notes: “There is no point in over-engineering something that doesn’t need it. That being said, if we can make recommendations to automate business processes, or parts of the audit, that is an intelligent and efficient way of using our resources.” There are lessons for all on how small functions maximize the return on investment from audit technologies.