The "big" in big data hardly seems adequate to describe the scope of today's digital information. Each day, the world produces 2.5 quintillion bytes of new data, according to a 2016 IBM Marketing Cloud report. In fact, 90 percent of data created over the history of the human race was generated in the past two years alone, the report says.
Increasingly, competitive advantage is driven by organizations' ability to access, collect, synthesize, analyze, and exploit insights from that data. But the scope of this undertaking swamps traditional practices and capabilities. Tackling it effectively requires mastering emerging technologies, such as artificial intelligence (AI) and robotic process automation (RPA).
For internal auditors, these technologies present a challenge and an opportunity. The challenge? How can they help their businesses understand, codify, and develop appropriate controls around the new risks presented by RPA, AI, and other technologies? The opportunity? Where, within the internal audit function itself, can these tools be leveraged to provide deeper insights with greater efficiency?
Emerging Technology Risk
AI and RPA have great potential to increase efficiency, but they also can help reduce organizational risk. Processes handled by these technologies are performed quickly and with absolute consistency: humans make mistakes or skip steps, but robots do not. That speed and consistency, however, carry their own risk. If a faulty algorithm exists, if the tools access incorrect or incomplete data, if someone tampers with the process, or if RPA does not adjust to changing business or economic conditions, then the organization's automated processes can magnify human errors. Consequently, significant follow-up work may be required to unwind the errors.
Internal auditors should ask several questions when assessing risks associated with emerging technologies:
- Has the organization established programs to take advantage of these technologies? Are foundational programs in place, such as data management and governance, as well as user-access controls?
- Who is responsible for determining whether and how such tools can access the organization's data? Has clear accountability been established? Are appropriate safeguards in place?
- Has the organization implemented appropriate development and deployment controls, addressing issues such as how and when new processes are tested and updated?
- Who is accountable for ensuring that use of the technologies complies with corporate policies, as well as applicable laws and regulations?
- Are these processes being considered holistically to address change management, human resources, and other related concerns?
AI and RPA Defined
Definitions of AI vary. The English Oxford Living Dictionary defines it broadly as: “The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.” RPA, on the other hand, involves the use of software with AI and machine learning capabilities to handle high-volume, repeatable tasks that previously required humans to perform. These tasks can include queries, calculations, and maintenance of records and transactions.
Consider the challenge of wading through potentially thousands of contracts that may contain embedded leases, in an effort to comply with the Financial Accounting Standards Board’s new lease accounting rules. Organizations currently use AI technologies such as text recognition and natural language processing to scan contracts for language that indicates an embedded lease may exist, and to flag those contracts for review. RPA is often coupled with this process to route flagged contracts to appropriate parties, ensuring decisions on embedded leases are made in a timely manner. Subsequently, RPA is also often used to follow up on those contracts and to confirm that a decision has been made on them. Beyond this narrow example, a variety of studies indicate that as much as 45 percent of the work performed in businesses every day could eventually be replaced by RPA.
Additionally, internal auditors should determine what the organization is doing to ensure effective governance of its technology (see also "A New Age of IT Governance Risk"). Audit leaders need to work with organizational leadership to help develop an appropriate governance strategy for managing these technologies — and also to help unlock their potential. Internal auditing should be involved as part of the design or launch process so key risk indicators can be identified and appropriate controls embedded. This approach is far more effective than trying to append controls as an afterthought. Audit leadership can aid the chief technology officer and chief information officer in the development of a strong governance plan. Numerous available frameworks, such as COBIT and ITIL, can serve as guides. Also, guidance from the chief legal counsel and compliance department may provide additional support. The governance structure or plan over technology should be periodically reviewed for modifications that may be needed.
Three Lines of Defense
One of the challenges of today's rapidly changing business technology involves working effectively across the first and second lines of defense, while maintaining internal audit objectivity. The traditional audit approach incorporated relatively static, periodic risk assessments and statistical sampling of data from past transactions to identify control issues. Auditors often identified issues months or more after they arose, making remediation untimely and allowing losses or other issues to compound. With today's tools, internal audit functions can test most or even all transactional data and can do so in close to real time.
The acceleration toward real-time auditing and the associated need to help identify and manage risks around emerging technologies means that internal auditors find themselves working more closely and more often with those in the first and second lines of defense. One of the benefits of real-time auditing involves pushing risk management down to the first line of defense wherever possible. Internal audit can play a key role in investigating how AI and RPA can be used to augment, and in many cases replace, current manual transaction testing and other risk-testing processes. Automating control testing through the use of RPA can enable organizations to spot anomalies earlier.
An organization's risk posture can be greatly improved by helping management understand the best uses of these tools and by working to deploy them in real time. The technology can help identify control deficiencies much sooner, enable testing of entire populations, and correct deficiencies immediately upon identification. As the third line of defense, however, internal audit needs to maintain its independence. Internal auditors may assist the first and second lines in establishing the use of these technologies by providing advice, but they must also ensure audit independence remains adequate to provide the additional layer of review.
Leveraging the Technology
When examining RPA and AI, internal audit shouldn't limit its focus to the business's use of these technologies. The audit function itself offers ample opportunities to leverage RPA and AI to achieve efficiencies and improve results. Auditors should consider several potential applications:
- Controls testing is a vital but time-consuming internal audit function, requiring consistent, repetitive application to be effective — just the sort of process that is ideally suited for RPA. In some cases, controls or testing processes will need to be modified to allow for RPA, but once it is in place, automation can produce accurate, consistent, and timely results. For example, ensuring the usefulness of data consumed from multiple sources historically would often require someone from the audit team to spend significant time stitching the data together. Today an RPA automation can quickly replicate all of those tasks with a higher level of accuracy.
- Internal audit work requires a significant amount of routine, repetitive communication. For example, auditors often need to request information and then follow up on those requests, many of which are triggered by specific due dates. These processes offer key opportunities for automation.
- Scorecard population, audit committee reporting, and other predictable documentation demands often can be fully or partially automated. Dashboards can be fully automated for management and the board of directors. Using RPA with a visualization tool can enable automated generation of dashboard information for these key stakeholder groups.
The specific opportunities to apply emerging technology to the internal audit function will, of course, be partly determined by the circumstances of each organization. By seizing those opportunities where they exist, audit leaders can free up their professionals to focus on the critical thinking necessary to provide real strategic insights for the business.
Delivering those insights and managing the risks of emerging technologies also requires expanded skills — internal audit leaders should keep those needs in mind as they hire and train staff. Although technology can fuel significant improvements and efficiencies, deploying the right people, skills, and approach ultimately enables the technology to work as intended. Of course, a solid accounting and audit background remains vital, but more and more skills around data science and IT must be part of the internal audit group. And the central mission of internal auditing — to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight — remains the same. But tools like AI and RPA require auditors to possess broader technological skills, strong data management capabilities, and familiarity with mathematics — such as linear algebra and statistics, which drive algorithm development. A background in coding also can be valuable.
Hiring professionals with these skills and training those already in the internal audit function is essential. Not only will it position the audit team to best understand and address emerging technology risk, but audit functions considered leaders in these areas may be seen as more attractive to top talent.
Partners in Transformation
The emergence of AI, RPA, and similar technologies is much like that of spreadsheet applications in the mid-1980s. Spreadsheets at that time were innovative and useful, but not yet widely adopted. Within 10 years, they became ubiquitous and revolutionized work, not only within internal audit but across the business world.
Likewise, AI and RPA are transforming businesses and their internal audit functions. And while the new technologies present new risks, these risks can be managed. The greater risk is failing to capitalize on the power and utility AI and RPA tools offer. Effectively managing emerging technology risks while also leveraging these tools is a key challenge for today's internal audit leaders. By meeting it, however, they can become true strategic partners in their organization's success.