Emerging or disruptive technologies, such as artificial intelligence (AI), robotics, the Internet of Things, nanotechnology, and quantum computing, are permeating almost every industry. These technologies not only alter the way the business is done but ultimately hold the key to future organizational success. Without them, few businesses will be able to survive, much less remain competitive, in the long term.
Internal audit takes on greater importance in digitally transformed environments. Disruptive technologies, in addition to the value they provide, can multiply potential harm and magnify risks significantly. Stakeholders will expect internal audit to be more engaged as they look to manage these risks and seek assurance that controls are effective. To meet the organization's needs, internal audit must evolve, grow, and adapt to rapidly changing conditions.
Significant levels of change in any business environment create uncertainties, increased complexity in operations, and greater risks. New technologies will compel businesses to identify the right strategies, determine the best business models, and recruit people with right skills through a multidisciplinary approach. These initiatives may introduce new strategic and operational risks, which will be a concern for management and auditors.
Practitioners will play a key role in helping manage these risks by providing an independent and objective assessment of the new technology environment. But failing to participate upfront in discussions of system development, governance, and risk management could result in a missed opportunity to add value. Auditors need to be proactive and engaged early. To maximize their contributions, they will need to possess strong business acumen and expertise within the sectors in which their organizations operate, as well as the ability to see the secondary or tertiary effects of organizational risk.
Changing Risk Landscape
The implications of new technologies and their convergences will introduce several uncertainties in the political landscape, turning economic networks into political weapons. This new reality will require country-specific laws involving legal challenges and at the same time increase concerns about corporate accountability. Many of these regulations will pose additional challenges to the internal audit profession. They will require auditors to have the ability to assess the sectors that are politically risky and determine whether their organization has developed new strategies and relationships that balance economic efficiency with security.
Risks related to cybersecurity will significantly influence the landscape of internal audit's work. The World Economic Forum Global Risks Perception Survey 2019-2020 identified "information infrastructure breakdown" as the sixth most impactful risk over the next 10 years. Some expected risks include the speed of technological development, integration of technologies and devices, cross-border legal issues, and unforeseen consequences. These challenges will require internal auditors to check whether existing procedures, programs, and mechanisms put in place by the audited entity are sufficient. Results of such analysis should point out to management any steps that should be taken to help ensure cybersecurity threats are mitigated.
Additionally, new markets, products, cross-border trade, and business acquisitions will introduce risks stemming from new supply-chains, business disruptions, and opportunities for fraud. Different countries and regions have distinctly different cultures, as do different organizations that merge. Internal auditors should possess a sound understanding of the business environment, ethical framework, and fraud risk management processes. Practitioners can help companies assess the alignment of their ethics programs and evaluate the performance indicators in place to measure effectiveness and help promote ethical behavior.
Internal auditors also need to understand generational and cultural differences when communicating with employees in diverse organizations. The changes in business models and supply chains may require internal audit to adapt to a desired culture or a set of values through recruiting culturally informed staff. Practitioners will face increased challenges in providing assurance on whether organizations understand, monitor, and manage the tone, incentives, and actions that drive behavior.
Perhaps most importantly, internal auditors will be required to provide assurance on the value for the money their organization invests in the disruptive technologies and tools. Such an assessment is only possible with an integrated view of their implications for policies, governance, and the processes established to implement them.
The Way Forward
In a worst-case scenario, disruptive technologies may pose a threat to internal audit and replace practitioner skills, depriving organizations of our most valuable assets: professional skepticism, critical thinking, and communication. While this is unlikely to happen, internal auditors should nonetheless prepare for upcoming challenges and opportunities through a two-pronged strategy.
First, the heads of internal audit functions should determine an audit universe of proposed and current change programs, factoring them into audit plans and engagements. This should provide a basis for identifying areas of audit engagement related to disruptive technologies.
Second, audit leaders should identify alternative staffing models that provide the diversity of skills necessary to address new technology risks effectively. The coming years, for example, will witness a sharp increase in the number of "data auditors" with the ability to correlate disparate information to provide early identification of fraud and operational risks. Businesses are using automation tools or bot algorithms that mimic the actions of a person or a computer to avoid redundancies and save costs. Audit practitioners should have the ability to provide assurance on such system development processes as well as validate the security risks by quickly adopting new methods of working, including agile auditing, continuous/concurrent auditing, and automated assurance.
Rising to the Challenge
The whole world is struggling to keep pace with technological advancements — and internal auditing is no exception. But our core skills of critical thinking, collaboration, and communicating set auditors apart in the digital age, with technology only serving to augment them.
To remain relevant, internal auditors should recognize emerging technology-related challenges and opportunities, and prepare for future skill requirements. Practitioners need to deploy the same technologies driving the need for change to help them rise to the challenge. As IIA Standard 1230 says, "Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development." There are no better skills to develop than those that will equip practitioners to confidently face the dramatic changes on the horizon.