Nearly every organization — from multinational corporations to small, brick-and-mortar enterprises — is in some stage of digital transformation, but just where businesses are along the technology spectrum varies significantly. What is clear is that the challenges and complexities behind getting it right are daunting, especially for internal audit functions that must provide assurance over digital transformation while relying on traditional processes.
“At San Francisco Bay-area companies, you probably see a lot more chief audit executives being successful with data and data analytics,” says Tom Rudenko, head of audit at Yelp. “I think it’s just the nature of our companies — you have to adopt their methods, adopt their tools, because if you don’t, you’re going to become obsolete very, very fast. Whereas in the more traditional companies that are not in technology, it’s more of a struggle to get to that point.”
Whatever stage organizations find themselves, digital transformation is ultimately about data — how businesses present data to customers; how they use and manage customer data; and how they aggregate and analyze business data to increase efficiency, accuracy, profit, and speed. The technology used to parse or deliver this data encompasses cloud computing, data analytics and data mining, robotic process automation (RPA), and artificial intelligence.
Chief audit executives (CAEs) must be aware of the strategic risks associated with embracing or neglecting data and new technology, and they must understand its inherent ability to disrupt business plans and models. Indeed, CAEs rank data and new technology risk as likely to grow markedly in relevance over the next five years, according to The IIA’s OnRisk 2020 report.
COVID-19 Accelerates Need
The COVID-19 pandemic has had an economic impact on organizations worldwide. Businesses that were already technology- and data-driven have had an advantage, even in challenging sectors.
Organizations that were already comfortable with “virtualization” tools and working with digital data were able to more easily transition to setting up remote workforces and processes, connecting with customers, and delivering some services online.
For instance, while Uber has definitely lost revenue from the slowing of its ride-sharing services, the company’s Uber Eats division was ready to ramp up to meet the growing demand for food deliveries and groceries. Meanwhile, in April, the company launched Uber Direct and Uber Connects — pilot projects involving the delivery of other types of goods, such as over-the-counter medications and packages to loved ones. “We were already using the technology platforms, so it’s really adapting the technology platform to embrace the new activities,” Vincenti explains.
The pandemic has also pushed customers and businesses alike into developing new behaviors and habits. Telemedicine, previously slow to catch on as a viable alternative to office visits, is becoming more mainstream.
For example, telehealth provider Carenet Health reported an 80% spike in telehealth visits during the first weeks of the pandemic. Other examples include transportation and logistics companies switching to “contactless” paperwork and internal auditors using drones and security cameras to conduct inventory audits, according to an April 2020
Wall Street Journal article. And a recent study on U.S. attitudes and consumer behavior during the pandemic shows that for as many as 23% of respondents, the shift to more online working, shopping, and meal ordering may be a permanent one.
As a result of these societal shifts, digital transformation is now even more urgent than before, Vincenti says. “If people needed a reminder to accelerate the process, I think that reminder is loud and clear.”
Still, acknowledging the risk does not always translate into its successful management. Despite recognizing that this risk is likely to grow in relevance, CAEs give themselves and their organizations low marks in relation to their personal knowledge of data and new technology risk and their organizations’ ability to manage it, the report notes.
Many factors affect just how invested organizations are in technology, such as whether they developed before the computer age or were “born digital.” Either way, organizations that embrace the use of data and new technology have enjoyed a decided advantage in connecting with customers, coordinating with new digital platforms, or shifting to remote operations during the pandemic (see “COVID-19 Accelerates Need for Digitization,” at right). But it is not too late. Organizations that accelerate their digital transformation can still reap the benefits moving forward — and internal auditors can provide valuable assistance along the way.
Part of the reason some companies are further behind than others when it comes to adopting technology and data processes has to do with culture. Dominique Vincenti, who serves as global head of Internal Audit and CAE for Uber, likes to use the generational term
digital native to describe organizations that were “born” using and manipulating technology and data — such as Uber and Yelp.
Vincenti explains that older industries and those that are not inherently digital are facing some of the same challenges Baby Boomers and Generation X have faced in comparison to digital-native Millennials and Generation Z. “Those who’ve been operating in industries where data and technology is not at the heart of the business model, [but are] ‘going there because we have to’ — they’ve found themselves in that non-digital-native situation, and it’s probably more uncomfortable,” Vincenti says.
For Rudenko, there are pros and cons to working with digitally savvy companies like Uber and Yelp, but one clear advantage is that they are naturally faster at adopting and using technology to solve problems. “The tech companies are not as mature, and they might not have those best practices, but they are very nimble and move fast, and you’re not weighed down by decades of legacy systems, people, and processes,” he says.
Larger, older organizations may have more mature, formal processes, which can be a good thing, Rudenko says. On the other hand, they are also more likely to have bureaucratic processes or silo mentalities where people are reluctant or unable to share information or effectively collaborate across business units. “In my experience with more mature companies, navigating through the organization and just getting access to the data can be a time-consuming and difficult process,” he says. “By the time you were able to analyze it, it was already kind of old news.”
Regardless of their organization’s level of digital maturity, Vincenti says CAEs looking for a better grasp of data and new technology risk need to understand how their organization is approaching the risk strategically. As with any risk assessment, auditors must know what they’re dealing with. They need to consider how important data and new technology are to the organization’s evolving business model and where their organization is with respect to digital transformation.
Vincenti suggests CAEs ask themselves: “Is data and new technology becoming a core enabling function? Or is it just sitting on the side as technology has been for many, many years, and is just a way of making things a little bit more efficient — not necessarily an enabler of business but just a support of business?”
A New Way of Thinking
While every industry is different, Vincenti says it is important to consider competitors: “Are we at odds with how literally the world is evolving, and can we become the next Kodak or Blockbuster in our industry? If auditors determine that digital transformation is now embedded in their business model — fundamentally, how business is now done — then the audit function must change its approach, as well,” Vincenti says.
Although internal auditors may have had a strong grasp of previous business processes, she adds, they need to realize fundamentally that today’s business is done primarily with data and technology. They must understand the new business world as well as they grasped the former, less digitally based one.
Vincenti says CAEs also need to recognize that data, along with money and people, is a fundamental asset in this new way of doing business, whereas technology is just the means to use the data. “What I’ve told my team and what I’m trying to tell people is that before understanding technology, do you understand data like you understand dollars? Because this is the raw material.”
Building Trust With Small Steps
Building Technology Into the Audit Process
In a May 2020 IIA webinar titled “Utilizing Technology to Advance Internal Audit and Stay Relevant in a New Risk Environment,” presenters Scott Madenburg, director of Solutions Advisory Services, AuditBoard, and Eric Groen, managing director, Protiviti, provided examples of ways analytics technology can be used for reporting and planning:
A key takeaway from the webinar is that internal audit functions looking to incorporate data processes into their own work may not have to reinvent the wheel. There may already be technology tools, data, and people (such as business analysts) that CAEs can leverage to start incorporating data analytics testing and processes into internal audit engagements. CAEs might also consider forming a specialized committee that includes participants from IT, management, and elsewhere to determine how data analytics could be incorporated into and benefit current business practices.
While understanding data and technology is important, it can take time for internal audit to become a trusted resource on data and technology risk if this is not already part of the organization’s culture. Rudenko recommends that internal audit build trust with easy wins using data analytics within the audit function. Although most organizations have all but eliminated travel in the current environment, one of the easiest places to piece together early wins is with travel and expense reporting. As an area at high risk for fraud and one that likely is already part of a reporting system, he says, it can be a good candidate for adaptation to an automated system.
“You can extract the data out of that system and run it through a series of data-driven tests,” Rudenko says. “Run those tests a couple of times, get the process stabilized, and hand that back to the business. They usually love it, and they’re very happy for something that helps them manage their expenses.”
Both Rudenko and Vincenti agree that relationships are crucial. “You need to have very robust relationships with the tech and data science communities of your company,” Vincenti says. “And one of the reasons is to leverage the systems and technologies that are already in place so that there are economies of scale.”
Vincenti asks, for example, why the audit function would consider buying RPA licenses if a privileged RPA vendor relationship and license agreement have already been established elsewhere in the organization. Understanding what technology is available and “piggybacking” wherever possible is key, she says. (See “Building Technology Into the Audit Process” at right.)
According to Rudenko, once internal audit can demonstrate the efficacy of using data analytics tools, the payoff in trust can be great. “You get a trophy, and you put it on the shelf,” he says. “And you start to build your brand inside the organization, and people start to see the value that you’re bringing back to the company.”
Management at Yelp sees internal audit as an important part of the company’s strategic planning, rather than as an interloper. Rudenko and his team are consulted for advice on website development, data pipelines, reporting dashboards, and more. “They want our insight,” he says. “They want our knowledge of risks and controls.”
The Right Team
Building competencies within the internal audit team is also important if the audit function intends to become more technically savvy, but that can take time. According to Rudenko, it is unrealistic to expect everyone on the team to be experts in data analytics, coding, and internal audit because such employees are considered “unicorns” — hard to find even in Silicon Valley.
At Yelp, Rudenko aims for at least half of the internal audit team to be technically savvy, but he also focuses on people who are a good cultural fit for the company. To do this, he invites people from around the organization to participate in interviews for internal audit positions. Getting buy-in from people who will be working with his auditors helps promote teamwork and trust, Rudenko explains.
“In the end, it’s about building relationships,” he says. “That’s really what this all comes down to, but that doesn’t happen overnight.”
At Uber, Vincenti says she has strong technology audit muscle on her team. “One of my directors is the technology specialist, and he is our point-of-contact with the [chief technology officer] of the company,” she says. “On a daily basis, we’re touching base with the engineering teams.”
Vincenti describes her team of auditors as “specialized generalists.” In other words, while everyone has broad, general knowledge, they each have deep knowledge of one or two specialized areas relevant to Uber’s business model. In addition, the audit activity has its own data science team. While the data scientists understand internal audit enough to work well with the auditors, they are the only true data specialists on the team.
The Digital-first Imperative
Vincenti points out that, ultimately, analyzing data is not a new concept for internal audit. The difference is that the tools and the focus have changed. And internal auditors, like the organizations they serve, need to adopt a digital-first mindset.
“The challenge today is to bring data and technology at the core of everything,” Vincenti says. “So today the core is the internal auditor, and the data analytics and technology are on the side — we need to turn the model upside down. We need to put technology in the middle and the internal auditors around to leverage it and add value.”