Let’s say you’re about to attend an IIA conference. (And let’s
further pretend it is in a near future where the concept of people getting
together in person has once again become normal.) You review the list of
interesting and exciting concurrent sessions with the intent of culling the
great from the almost-great when what to your wondering eyes should appear but
these two sessions: “Audit Smarter, Not Harder: Advanced Analytics” and
“Unleashing Technology and Science for Audit Excellence, Efficiency, and
If you are like countless other audit professionals looking to
find better ways to use the increasingly valuable technologies and data that
are out there, these would be must-see; attendance required, line up like Comic-Con;
tell your neighbors; wake the kids; highlight, underline, and bullet point;
do-it-do-it-do-it-do-it sessions. These would be sessions one should not miss.
Interesting fact. Those two sessions were held in 1996 during The IIA’s 55th International Conference in
Anaheim, Calif. .
It seems we’ve been interested in, but struggling with, the
issues of data, analytics, and technology for quite a long time.
To say that the technological possibilities available to internal
audit are a vast plain of nigh-on unending opportunity is to understate the
potential within our grasp. But it is similarly an understatement to say that
we are not the best at taking advantage of those opportunities.
Okay, let’s omit the niceties and cut to the chase. We stink.
We keep saying we will innovate. We keep saying we will use
technologies. We keep saying we will use data to drive better answers, results,
and opportunities. We keep making promises, yet remain firmly seated in the
back of a long, long train where those in the front are evolving — finding
better and more resourceful ways to use technology — while those of us in the
back are being pulled into the future as we continue to promise “Honest,
tomorrow we’ll get better.”
Think I’m overstating it? Here’s a
little tidbit from The IIA’s 2018 North American Pulse of Internal Audit. The
category: “Internal Audit Implementation of Innovation.” The question: “What
best describes the degree to which your internal audit department has
implemented each of the following?” The percentages presented here represent participants
who said they had “full or partial implementation.” (No credit for those answering
“Implementation planned.” We have all seen far too many audit shops for whom “manana”
is the constant answer to “When will it actually get done?”)
Let’s take a look at the two easiest, should-have-been-a-slam-dunk
areas. Percentage of departments using data analytics: 62%. Percentage using
electronic workpapers: 77%
Sit and marvel at the inadequacy. We have been talking data
and technology for at least 25 years, yet almost one-fourth of audit
departments are not using something as essential as electronic workpapers and nearly
40% are not using data analytics.
As you marvel, let’s look back at how we all wound up
talking about this particular area.
Way back at the beginning of the year, well before the new
normal kept getting newer and less normal, I started a series of posts about
events from the prior decade where internal audit missed opportunities to make
a significant impact. And, while opportunities had been missed, I was also
emphasizing that those opportunities were still waiting for us in the new
decade. I’ve talked about reputation risks, disruption, whistleblowers, and the gig economy. (You can also see a summary here.)
With that last topic, we turned our attention to how
internal audit should be making itself better. And now, as we talk about bots, robotic
process automation (RPA), and artificial intelligence (AI), we squirm a little
more as the magnifying glass is focused even more acutely on what we have and
While we sat around as if we are waiting for someone to give
us permission to innovate or tell us how to do it, bots, RPA, and AI have progressed
to the point where they are almost cliched buzzwords. We are far behind and,
before the conductor of the previously mentioned train kicks us off the
caboose, we have to grasp the concepts, embrace the opportunities, and become
leaders in these areas.
And that doesn’t mean just being able to audit these areas;
it means actually using them in our day-to-day activities. How can we audit
these tools if we cannot use them ourselves?
Right now, bots and RPA could be used in internal audit to
reduce the time invested in data research and analysis, improve the way that
data is received, make reporting of results more efficient, and streamline all
aspects of the work we do in conducting our audits. Then, as our familiarity
with the tools increases, we could start exploring how AI might make our
processes more responsive to the needs of ourselves and our clients.
But, if history is any guide, the profession will generate a
lot of sound and fury about how we need to use these tools, signifying nothing
as we continue to plod along with antiquated approaches and, even worse, antiquated
You want to trivialize auditing? You want to make it irrelevant?
Then all we have to do is keep doing things the way we always have — doing work
the same way while constantly promising that tomorrow, tomorrow, and tomorrow we
will creep in our petty pace from day to day.
The time is not tomorrow, the time is not the next hour, the
time is not the next minute. If internal audit truly wants to step forward and
make impactful differences, we must learn, understand, and apply bots, RPA, and
AI in our everyday work right now.
If I am wrong — if you have innovated and robotized and AI’d
and technologized the heck out of your processes, making your department efficient,
effective, and a model of the future — let me know. In fact, if you have only
taken the first tentative but real steps in this direction, please share. We
all need to know not only that it is possible, but that it is actually happening.
But also prove me wrong by doing. You, the person reading
this blog post — the person who may be a brand-new auditor or a seasoned
professional or a manager or a director or a chief audit executive or a clerk who is barely
allowed to change ink in the printer — you go out and learn the tools. If you
are important, you are setting an example. And, if you are not quite so
important, then you are being a leader. Start making change and let us know.
And having gone on (and on and on, ad infinitum) about how
we need to “do something,” it raises a question: What might “do something” look
like? The next installment of this continuing, seemingly never-ending series
will tackle that very question, perhaps providing a little meat with all this