Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

Internal Audit Optimized

Embracing technology can expand the department’s capabilities, especially when working with limited resources.

Comments Views

​For Jeffrey Mitch, a senior manager at American Eagle Outfitters in Pittsburgh, it was the knowledge that his already lean team was likely to stay that way that prompted him to look for low-cost ways to amplify the work of the team of seven.

“We’re in specialty retail, so a lot of our business is not highly regulated and kind of scrappy,” Mitch says. “It’s ‘Get out there and win the day’ in the mall or online, so I think we’ve kind of adopted that mentality as auditors, too: How do we unlock and bring the most value that we can to our consumers and our business? Data and technology is paramount to that.” 

Calls for internal audit teams to embrace technology can inspire a range of emotions — from enthusiasm and determination to fear, annoyance, and confusion. As with any transformative change, there are obstacles. Right now, times are tough for many organizations. Overall cuts in audit department budgets are reported by 36% of respondents in The IIA’s 2021 North American Pulse of Internal Audit, which might seem to dissuade teams from pursuing technology solutions seen as costly or requiring additional skills. 

There seems to be a shift in audit attitudes toward technology adoption in the near term, according to a Protiviti study, Exploring the Next Generation of Internal Auditing. Compared to 2019, significantly more respondents in 2020 said their functions had no plans to adopt technologies like robotic process automation (RPA), process mining, and machine learning/artificial intelligence (AI). However, among internal audit leaders who are choosing to adopt technology, a growing number say they are doing so to drive efficiency, enhance coverage, or enable continuous auditing. 

In other words, while fewer audit teams are implementing technology solutions during the pandemic, there is an increasing awareness that technology can help functions do more with less. 

Tech as a Power Boost 

Mitch’s team settled on a business intelligence and analytics desktop tool that he and a colleague augment with a scripting language they learned by watching YouTube videos. “We started by asking, ‘What are the tools out there? How can we get involved? How can we learn on a limited budget and in a relatively quick period of time?’” Mitch says. 

Five years on, the team uses it in almost every audit they do, from a data exploration perspective, to monthly monitoring of international accounts payable data and travel expenses, to making visualizations to include in audit reports. “The hardest part is laying that foundation, but once it’s there, and once you’ve got a team that’s bought in, they realize, ‘Oh, I can do this. I can do that,’” Mitch says. “The possibilities are endless.” 

Melvin Kishore, a senior business performance and internal audit partner for energy company Vector Ltd. in Auckland, New Zealand, found creative ways to develop insights and automate processes by piggybacking on technologies readily available at the company. “You’re looking at half the team,” Kishore jokes, explaining that Vector has a cosourced assurance model and works with several external consultants. Kishore, who has a background in finance and data analytics, realized that he could integrate data analytics and automation software with cognitive technologies, part of a suite of products Vector already licensed, that performs tasks like speech and pattern recognition, language processing, and sentiment analysis.

Kishore’s pilot project tackled familiar internal audit territory — monitoring employee expenses by flagging items such as duplicate reimbursements, late submissions, expenses incurred on public holidays, and claims with no supporting documentation. Because the technology was able to look at all the data rather than a sample, he quickly realized that the two-person internal audit team did not have the resources to look at every exception it was flushing out. “We set up a prioritization where any expense claim with multiple exceptions is automatically prioritized to the top, so we’re only concentrating our efforts on more problematic issues,” Kishore says. The expense review has triggered initiatives to better train employees on how to use the reimbursement system and to improve its design. 

The team also launched more innovative projects, providing continuous insight in areas like online reputation, gas cylinder maintenance, corporate fuel usage, and cybersecurity threats.

One such initiative monitors announcements of global data breaches and compares that information with a list of applications used by Vector. If a breached application matches one at Vector, it sends an email notifying Vector’s internal audit and cybersecurity teams of the threat. Another bot flags potential exposure to malicious code from any unauthorized procurement of IT products and services.

Capabilities of the Crew

Bots and Reputation Management


Melvin Kishore says technology is a kind of superpower. “Just take the likes of Batman and Iron Man,” he says, “They are prime examples of normal human beings without any extraordinary or supernatural ability, but are considered ‘super’ by their ability to create and use technology.” 

Kishore is using emerging technologies to provide a variety of business insights to Auckland, New Zealand, energy company Vector Ltd., having introduced more than 60 bots since October 2018. 

One bot Kishore developed uses robotic automation and cognitive intelligence technologies to help monitor the company’s reputation on Twitter. “The robotic automation piece goes on Twitter and picks out any tweets about Vector or our subsidiaries,” Kishore says. “An AI engine goes in and does a sentiment analysis of the tweet, indicating whether it is positive, negative, or neutral.” He explains that a second AI engine then extracts key phrases from the tweets, displaying them in an interactive word bubble in real time — with the most frequent phrases appearing largest. Business intelligence software is used to visualize monthly trends. The audit team is hoping to use the Twitter analysis to cross-reference customer reports of electrical outages in the future.

Similarly, the team has set up a bot to find and analyze any mentions of Vector on major online news sites. Both the Twitter and news media bots help Vector understand and manage its reputation online. “It’s a good way of getting information outside of our organization and to see how we’re trending out there on social media and online news,” Kishore says.

Adapting to technology that requires new skills can seem daunting to an already busy team of internal auditors. Functions that have found success in transforming some of their processes have approached the problem differently, depending on the tools and the team’s objectives. In the case of American Eagle Outfitters, Mitch and another team member developed their technical skills but also sought help from the company’s database administrators. “We basically said, ‘Hey, we’re looking to learn’ and they said, ‘Oh, well, let me show you,’” Mitch explains. He says the partnership has led to greater expertise, audit efficiencies, and cooperation on both sides. 

Carrie Schroeder, former director of audit analytics for TD Ameritrade, had the chance to build her own dream team. An early adopter of technology in internal audit, Schroeder started dabbling in data analytics nearly 20 years ago when she was asked to help launch a data analytics function at a bank where she worked. “I saw firsthand how technology would help the audit profession, and three or four years into it, I switched over from audit to help start the data analytics function,” Schroeder says.

Several years and a few financial institutions later, Schroeder was recruited to start the data analytics function at TD Ameritrade. “When I created the team there, I looked for what I call ‘puzzle pieces,’” Schroeder says. She pulled in people with diverse skills — including internal auditors with technology expertise, programmers who were introduced to audit, and business analysts who had experience with both technology and audit. “We all came together with different skill sets to fulfill the requests that we had.” 

Schroeder grew the team to eight people in eight years by showing how technology improves efficiency and effectiveness. “We were able to show where we could go from sample selections to full populations with robotic process automation [RPA] and continuous monitoring routines.”

Bryant Richards, an associate professor of accounting and finance and director for the Center for Intelligent Process Automation at Nichols College in Dudley, Mass., is bullish on RPA as a starting point for introducing more intelligent technology solutions into internal audit processes. He points to the free community versions of RPA software that internal auditors can download and experiment with. “That gives you a taste for it, and you can very easily start creating some basic things,” Richards says. “Every department should send one person to get RPA training.”

There also are low-code, no-code options offered by a variety of data analytics, automation, business intelligence, and cognitive technology providers. Kishore says the tools he uses require little or no coding ability. “A lot of it is just click and drag and setting up some rules where the coding has already been built in the background,” he says. “It’s a very user-friendly graphical interface that eliminates the need to know a coding language.”

Making a Game of It

For situations where an entire team is expected to quickly get on board with a tool and what could be considered “design thinking,” some organizations are turning to gamified competitions. In February, HP Inc. launched a gaming competition called Technovation for its team of roughly 90 internal auditors. HP’s Brian Yarbrough, interim chief audit executive in Houston, and Carrie Gilstrap, IT audit manager in Boise, Idaho, explain that the voluntary eight-week program initially focuses on training auditors on a variety of tools and techniques, including robotics, process mapping, data analytical elements, and dashboarding. “So far it’s generated quite a long list of ideas,” Yarbrough says. “Now we’ll just start down the road of building.” The competition involves prizes and crowd-sourcing ideas “to get people excited and energized to try and compete.” 

Mapping a Path to Success

Though audit leaders don’t have to have all the answers before getting started, diving into large-scale initiatives should include a goal, a plan, and governance. Manuel Coello, director of audit analytics at People’s United Bank, N.A., in Hartford, Conn., is also a champion of gamified learning and design thinking within internal audit. He suggests approaching a problem with a formula: Start with the risk, then look for relevant data, and then determine what technology is needed to tackle the project. 

Coello says some organizations have it backward. They jump into technology or ask for data before analyzing what they really need, he says. “That’s not the way to go. What we need to do is define the risk that we’re going to focus on, and we want to tackle the biggest risk.” 

Planning a technology initiative also involves risk assessment and monitoring, Richards says. “Governance is huge. From what I’m reading and seeing, those who are successful have strong governance, effective practices, and they follow their methodology. Those who seem to be building with reckless abandon appear to have some regrets.”

HP started an emerging technology board that meets monthly to keep tabs on technology being considered for implementation. Yarbrough says the group grew out of internal audit’s initial experiments with technology and the realization there were more governance and security issues than they’d anticipated. 

“For example, if you’re going to run a bot that mimics what an individual does, initially you design it to run under that person’s account, under their ID, and then you very quickly realize, ‘Wait a minute, that doesn’t make sense. It needs to have its own ID limiting what it can do,’” Yarbrough says. The emerging technology board talks about technology being evaluated, as well as topics such as machine learning, cryptocurrency, chat bots, and more, he adds. “It’s a cross-functional group where we figure out what makes the most sense, what areas of the business it applies to, what’s the risk involved, and what we should be thinking about from a mitigation control standpoint.”

Getting Everyone on Board

Despite many people’s trepidations about technology, Yarbrough and others say that culture — rather than technology — poses the biggest challenge in changing internal audit. “You don’t realize how strong your biases are about the right way to do a process until you really try to whiteboard it, and people start asking you surprising questions, and you allow yourself to come up with those dumb ideas that might turn into something that’s a more radical transformation,” Yarbrough says. “That’s easy to say; it’s harder to do.” To transform the culture quickly, internal audit may need to show control owners how they will personally benefit from adopting new technology to automate controls, Yarbrough points out. 

Coello says his forays into gamified learning helped auditors and the departments they worked with go from a place of skepticism to enthusiasm about working with technology. He uses an oft-quoted analogy to explain this transformation. “In the beginning, no one likes to exercise,” he says. “You’re doing it because you have to. Eventually, it becomes something that you’re delighted to do.” 

Christine Janesko
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Author

 

 

Christine JaneskoChristine JaneskoChristine Janesko is a content developer and writer, Standards and Professional Knowledge, at The IIA.<br>https://iaonline.theiia.org/authors/Pages/Christine-Janesko.aspx

 

Comment on this article

comments powered by Disqus
  • IIA-Canada-Conference-June-2021-Premium-1
  • AuditBoard-June-2021-Premium-2
  • GRC-June-2021-Premium-3

 

 

Thanks, We Already Know Thathttps://iaonline.theiia.org/blogs/jacka/2020/Pages/Thanks-We-Already-Know-That.aspxThanks, We Already Know That
U.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radarhttps://iaonline.theiia.org/blogs/chambers/2021/Pages/US-SEC-Environmental-Social-and-Governance-Risks-Better-Be-on-Your-Radar.aspxU.S. SEC: Environmental, Social, and Governance Risks Better Be on Your Radar
Six Data Privacy Predictions for 2020https://iaonline.theiia.org/blogs/Jim-Pelletier/2020/Pages/Six-Data-Privacy-Predictions-for-2020.aspxSix Data Privacy Predictions for 2020
Public Servants Are Vital to Defeating COVID-19https://iaonline.theiia.org/blogs/chambers/2020/Pages/Public-Servants-Are-Vital-to-Defeating-COVID-19.aspxPublic Servants Are Vital to Defeating COVID-19