As a child, I was a big fan of the animated TV series, The Jetsons. As those of you who watched the show know, the Jetsons were a futuristic family with a robot maid, video conferencing, ubiquitous automation, and a flying car — along with many other gadgets that were pure science fiction in the 1960s.
As a lifelong tech enthusiast, I've watched technology progress toward this Jetsons ideal. While we don't yet have robot housekeepers like Rosie, we certainly have any number of robot-like gadgets that do our bidding at home — from Roombas, to Alexa, to "smart" appliances, for example. Communicating Jetson-style from almost anywhere and via video went mainstream in 2020. And automation is cropping up everywhere — not just in grocery stores and warehouses, but also in robotic process automation (RPA), chatbots, and personalized product recommendations. Some technology has advanced more slowly than I anticipated — I fully expected to see flying cars by now. While we do have semi-autonomous cars, and there are several global startups working on "urban air taxis," the general public still can't purchase a fully autonomous vehicle. But we are getting closer to that reality every day.
The Jetsons wasn't able to predict everything, of course. In fact, there are many ways in which technology has surprised us with totally unexpected developments. What we can predict is that the pace of technological change is going to be dizzying over the next decade and internal auditors are going to have to keep up. As the 2021–2022 chairman of The IIA's Global Board, I will encourage internal auditors to be future-ready. Organizations and audit functions that are not nimble and adaptive will have a difficult time surviving in this world of constant change. However, I believe internal auditors have the skills and experience to look out for what's next and to take five key steps to meet this moment.
Supercharge Internal Audit With the Right Technology Resources
Even for someone who has spent a career working with and implementing new technologies, these dramatic changes can seem overwhelming. But there's much internal auditors can do to ensure we are future-ready. Continuous learning is going to be more important than ever, and IIA President and CEO Anthony Pugliese is positioning The Institute as a critical resource for internal auditors.
The IIA is focused on transforming its technological capabilities, delivering new and relevant training, providing important guidance through resources like the Global Technology Audit Guides (GTAGs), and establishing a new IT certificate. IIA members should take advantage of these resources, and they should develop habits like reading this magazine, which regularly covers technology topics; listening to technology podcasts; and following technology experts on social media.
One of the attributes board members value most from internal audit is insight. In an era where disruptive technology will need to be factored into every audit, it is imperative that internal audit leaders staff their functions with people who have technology insight. There are several ways to ensure the audit team has optimal technical skills, but here are a few ideas:
- Rotate auditors into a more technical role for a year or two, and then bring them back into the audit function.
- Be purposeful with the training budget to ensure team members are obtaining training in the skills of the future.
- Consider creative activities like gamifying training or holding online competitions that encourage use of interactive and collaborative software.
- Recruit technically competent people who may not have audit experience. Then, train them to perform the audit work.
Build Stronger Relationships With Partners and Extended Third Parties
As today's organizations focus on enterprise risk management (ERM) and interdependent risks within the company, it is also important to consider interdependencies with specific third parties and the aggregated risks of multiple third parties. As the march toward the cloud and numerous "everything-as-a-service" providers create greater reliance on external providers, third-party risk will become even more prevalent. Maintaining transparency of third-party risks and controls is critical as supply-chain vulnerabilities continue to be heavily targeted by malicious attackers (e.g., in the SolarWinds and Colonial Pipeline events).
As more organizations move into the cloud, relationships with third parties become more opaque. Cloud providers — and every third party the organization deals with — are relying on other third parties for services, supplies, and data. Internal audit needs to work with the legal department, establishing models now that allow it to audit through a third party to obtain certain types of information about a fourth, or even a fifth, party.
Another technology with built-in third-party risk is blockchain, which is a decentralized network of distributed users who have agreed to trust each other for certain types of transactions. These networks can be as small as two or three or could include millions of participants. Blockchain will require organizations to work together to create automated contracts and online and real-time approval processes for an immediate exchange of value. While data can be restricted and encrypted, it will still be vulnerable to inadvertent exposure. All the organizations in the network will need to address the confidentiality risks, ensuring that personally identifiable information is not compromised or stolen. Some participants — banks, other businesses, buyers, sellers, and regulators — will require access to sensitive information. These situations will have to follow defined controls, regulations, and protocols to ensure compliance with laws and to meet the expectations of customers who are now, more than ever, demanding privacy and confidentiality.
Internal auditors need to be prepared for completely different testing of distributed and shared data and will need to consider questions like:
- How will internal audit obtain and test information that is buried in some third party's database?
- How will auditors test data that is being used on one of the blockchain consortiums?
My Circuitous Path to Internal Auditing
Like many internal auditors, I arrived at the profession from a somewhat indirect route. After graduating high school, I planned to be a high school teacher and coach. I was good at math, I liked kids, and while I wasn't really built for basketball, I had learned to play because it was the only sport my little Oklahoma high school offered. But after about three semesters at Oklahoma State University, I figured out that wasn't really the right path for me. I dabbled in engineering, and then made my way to accounting and computer science. I loved the business side of accounting, and in computer science I found that I really enjoyed the fast-changing world of technology. Particularly with coding, things have to be very sequential and ordered to work, and I could appreciate that. I ended up receiving two degrees: one in computer science and one in accounting.
I worked as an auditor for a certified public accountant for a couple of years but then jumped back into IT and became a computer programmer. Even in the mid-1980s, technology was advancing quickly and I didn't want to lose the computer science training I'd gained in college. So, I took a job with a Tulsa-based energy company, working my way up to technical services supervisor. While there, I developed billing applications and was the IT project leader for the implementation of new financial systems.
In 1991, I decided it was time to get back to the accounting world, and I went to work for American Airlines. By then, I was leading people, so I started running large accounting processing systems, such as payables and receivables, revenue accounting, and interline accounting. Even though I was no longer a computer programmer, in my various leadership roles, I still helped build and design large, integrated, and technologically sophisticated accounting systems.
At that point, while technology, leadership, and accounting had been ongoing themes in my life, I had no interest in internal auditing. However, that changed after Sept. 11, 2001. American Airlines had two planes involved in the terrorist attacks, and the effect on the company was immediate. The federal government shut down the national airspace, cancelling thousands of flights. Exactly a week after 9/11, I received a call from my boss, the chief financial officer at American Airlines: My job was being eliminated, but I was being offered a new role as the chief audit executive (CAE), if I was willing to move to Dallas. My response, "Sure, boss, I'd be glad to take that job in Dallas."
After I'd been doing the job for just a few months, I realized that internal auditing was not what I'd expected. I loved the service aspect of the work — the ability to help other people succeed. I also enjoyed the consulting side of it, as I've always liked fixing problems. I decided to stay on that career path, and I eventually went on to work for Devon Energy as its CAE.
Today, I'm the chief risk officer at Jack Henry and Associates, a fintech company, where I oversee the CAE. All the work I'd done previously — the accounting work, the big process work, the computer programming, the leadership roles — it all came together for me in the remarkably satisfying profession of internal auditing.
Use Data Management As a Catalyst for Change
As with disruptive periods throughout history, organizations are going to encounter both risks and opportunities. One of those opportunities relates to the most valuable asset in the digital world, data. As organizations move data into the cloud, collect data about their customers and employees, and find even more ways to use that information, data custody and privacy will become more important than ever. Consumers understand the risks to their privacy, so governments are responding with new laws and regulations that punish organizations that aren't handling their responsibilities well. Internal auditors need to be more analytical and understand that the organization's data will be quickly downloaded, thus heightening data privacy issues. Data privacy begins with identity management, so a great place for auditors to start is to review identity governance, administration, and privileged access management.
More data moving around more quickly means an accelerated use of big data and greater demand for data analytics. Internal audit needs to ensure there is governance over that data. Auditors will need to focus on database management and ensure policies, procedures, governance, data stewardship, privacy controls, and classification schemes are in place and functioning effectively.
To leverage data appropriately, the entire audit planning process needs to be redesigned to integrate a focus on data. Part of the scoping and objective-setting process — which has traditionally occurred on the front end of planning — should now include a focus on identifying potential data analysis that might add value in the audit.
The results of this effort should be used to refine and enhance the scope of the audit. Audit sampling — or 100% testing where possible — will then allow internal audit to provide more accurate insight into the area being audited. As auditors approach the end of the audit, they can convert the data into storyboards and visualization to tell a more impactful story.
Reimagine How to Deploy Technology Within Internal Audit
Some internal audit functions are well-suited for RPA and artificial intelligence (AI), machine learning, continuous auditing, and anomaly detection tools. With RPA, internal auditors can more easily move from testing a sample of internal controls to testing the entire population. Programmable bots can be used to test controls in minutes and feed the results to management dashboards. Bots also can monitor configurable controls, report on results outside of specific thresholds, and even prepare and document workpapers.
Auditors can leverage machine learning to simplify grouping and categorization tasks. Another example would be to teach a tool to predict who should have approved a particular invoice and then run the tool against the entire population of invoices to identify discrepancies. These technologies will expand the potential to perform the testing much more effectively.
Internal auditors may find useful a practical, three-part series of reports from The IIA's Internal Audit Foundation, in collaboration with Deloitte, on Moving Internal Audit Deeper Into the Digital Age. Part 1 offers a structured methodology for leveraging automation within the internal audit function. Part 2 considers six critical components of RPA and cognitive intelligence and examines their output to determine the greatest risk areas and how to audit them. And, Part 3 looks at how internal auditors can take automation capabilities beyond theory to practice. The reports, as well as numerous other technology-related publications and resources, are available via resource exchanges on The IIA's website, including the Artificial Intelligence and Data Analytics resource exchanges.
Another option for auditors looking to educate themselves on the latest technologies is to attend The IIA and ISACA's annual GRC Conference. This year's conference, being held Aug. 9-11 virtually and in Denver, Colo., has tracks focused on cybersecurity, data, and technology trends, among many others.
Prepare for the Democratization and Convergence of Technology
As mobile technologies become cheaper and more ubiquitous, the benefits of technology are going to become more common and impact many more people. With so many important technologies currently evolving, the impact will begin to grow exponentially.
The foundation of this concept is built on Moore's Law, an idea I first encountered as a computer science student. Moore's Law is based on American engineer Gordon Moore who in the 1960s predicted that because manufacturers were able to make smaller and smaller transistors, the number of transistors added to silicon chips would double every 18 to 24 months. This has given rise to exponential growth in computing power that has continued for the last six decades.
This increasing computing power means that technology will continue to quicken its pace, and we'll see the knock-on effects in areas like AI and machine learning, blockchain, robotics and autonomous vehicles, 3D printing, 5G, nanotechnology, and virtual and augmented reality.
One result of all of this extra computer power and storage is that scientists now have the capability to access and store more data related to the Internet of Things (IoT). With more access to the IoT, robotics can be deployed to automate activities and processes. And by applying AI, the robots can be trained to perform certain tasks and ultimately learn and make improvements to their own software. With all the technologies improving at a near-exponential rate, the cycle of improvement will be extraordinary.
A Future-ready Response
We don't need a quantum computer to tell us there is going to be a lot of change over the next several years, or that that change will dramatically impact internal auditors and the organizations they serve.
While I am still disappointed that we don't yet have flying cars, I am amazed with the size and speed of our computer chips, our ability to work on the scale of a nanometer, the advances in the 3D printing of human organs, and our understanding of the human gene. Moreover, I am continually impressed with the number of people around the globe who now have access to the wealth of information on the internet via mobile devices. These advances are incredible, but we are still early in a digital revolution that will truly change the world for the better. Internal auditors have the opportunity to lead our organizations into the extraordinary unknown that tomorrow will bring. It's time to get future-ready.