The Analytics Journey: Analytics Development<p>Here is the biggest secret in internal audit analytics: The success of new analytics has less to do with what happens in the computer, and more to do with good project definition and management. The internal audit function's analytics expert cannot know everything about all of the organization's data and everything about all of the organization's business processes. However, that individual can know how to convince the people who understand a specific process and the people who understand the data produced by that process to work with internal audit for the greater good of developing the new analytic test or process.</p><p>If developing an analytic is a project, it helps for internal auditors to keep the development in sequential stages: scoping, planning, piloting, deployment, and establishment. There will be some fluidity between stages, but in general, each has its own objectives (see "The Analytics Development Process," below).</p><p><img src="/2020/PublishingImages/Analytics-development-process.jpg" class="ms-rtePosition-4" alt="The Analytics Development Process" style="margin:5px;width:635px;height:321px;" /><br></p><h2>Step 1: Scoping </h2><p><strong>Target: Go or no-go.</strong></p><p>So internal audit has an idea for a new analytic test or process. Now what?</p><p>The objective of this stage is to understand where this idea came from (background), define its general scope and objective, and decide whether to go forward with the new project based on how it will fit with internal audit's overall analytics program (see <a href="/2020/Pages/The-Analytics-Journey-Finding-the-Right-Direction.aspx">"The Analytics Journey: Finding the Right Direction"</a>). 
</p><h2>Step 2: Planning </h2><p><strong>Target: Team and tests.</strong> </p><p>At this stage, the analytics expert leading the project will build a team for the project and agree on what aspects, features, or objectives to pursue and how to do it. The team should comprise:</p><ul><li>The process owner, who understands what to test for and why it is important. </li><li>Someone from the process team, who knows how the test elements are captured in the process, their normal ranges, and the meaning of their deviations. </li><li>The IT person who supports that system and knows — or can find out — what tables and fields capture the information identified by the process team. </li></ul><p>Because each of these team members sees the process from a different angle, each will have different, and valuable, ideas about what to look for and how to test for them. Also, they all may appreciate the exposure of working in an interdepartmental effort to address the process owner's concern. The project leader should introduce the members to each other and engage them in brainstorming.</p><p>At the end of planning, the team should have a collection of simple tests, which may not mean much on their own but could indicate what the internal auditor is looking for when considered together. For each of the tests, the project leader will have a good idea of what the auditor will test for, how to perform the test, and where the data will come from. It is helpful to use a template to log that information for each of the simple test elements, as shown below. </p><p><img src="/2020/PublishingImages/Test-Plan-Template.jpg" alt="Test plan template" style="margin:5px;width:785px;height:441px;" /><br></p><p>Using the logs, different team members can understand the test objective and process whenever the test is performed. 
Also, auditors can use these logs of the test logic to recreate the test in new systems as the program continues to evolve.</p><h2>Step 3: Piloting</h2><p><strong>Target: Sample data, draft data model, and draft visualization/reporting. </strong></p><p>The extra planning time pays off during the pilot stage. Because the auditor knows what to look for (test) and where it is (data), he or she can quickly move to the math (data model), reporting, and follow-up to validate that the test is providing the expected value. The team members will give the auditor the data and help figure out whether the test is working.</p><p>A common question at this stage is whether or not the internal auditor needs direct access to the data during the pilot. The truth is that having direct access may save time later, but it is a "nice to have" at the pilot stage. After all, the auditor doesn't know if the test will work, so as much as possible he or she should work with existing data in the form that can be provided easily to yield results and refine the approach. </p><p>That said, data must be trustworthy and useful for the test, <a href="" target="_blank">notes</a> web analytics expert Brent Dykes. It helps for auditors to keep a log of the related data sets, along with comments on their usefulness and trustworthiness, as shown below. </p><p><img src="/2020/PublishingImages/Data-Quality-Comments-resize.jpg" class="ms-rtePosition-4" alt="" style="margin:5px;" />The log can help the auditor decide what data needs to be refined, how it should be improved, and why this is important. Being able to articulate this information is invaluable when negotiating direct access with data owners in the future. </p><h2>Step 4: Deployment</h2><p><strong>Target: Established data access, integrated data modeling, and visualizations/reporting.</strong></p><p>Once the pilot has proved its value, the auditor should formalize the testing process and make it repeatable for periodic reporting. 
Ideally, this process should be automatic, such as using robotic process automation.</p><h2>Step 5: Establishment </h2><p><strong>Target: Documentation, distribution, and schedule.</strong></p><p>As the development work is completed, the real work of acting on the new information starts. To declare this project closed and move on to the next one, the auditor needs to: </p><ol><li>Document the testing, including why the auditor is performing the tests, where the data comes from, and what will be done to the data.</li><li>Determine who will receive the results and establish a follow-up process and expectations. </li><li>Set the re-run schedule for these new tests. Does the user need this information daily? Monthly? Must the user be contacted immediately when a test flags an exception?</li></ol><h2>Knowing When Development Is Working</h2><p>A consistent approach to analytics can show internal audit's stakeholders that they are not wasting their time giving auditors their support. It sets realistic expectations for what will be needed from stakeholders at each stage of the development process and helps keep projects on track. Along with standard templates, it improves the chances that projects are transferable and repeatable.</p><p>The development process, or "the way we do things here," is key to consistency and scalability. It can provide a shared language between team members and stakeholders, as well as allow auditors to pursue and track projects running in parallel. It also will enable other auditors to take over part, or all, of a project if help is needed. Although the process is simple, its importance should not be underestimated. </p>Francisco Aristiguieta
Benford's Law in a Big Data World<p>The power of Benford's Law has never been as relevant as it is now, given the rise of big data and computing power. The digital analysis tool has been used in numerous high-profile forensic investigations, including investigations of voter fraud in the 2009 Iranian election and Greece's efforts to hide its debt in 2015.</p><p>A Benford's Law review of 5,400 contracts at a Canadian nonprofit organization found the numeral "4" as the first digit 16% of the time, compared to the expected 9.7%. That finding enabled the internal auditor to uncover questionable contracts in amounts between $40,000 and $49,999 that totaled $15 million. Those contracts were approved by an employee who directed them to vendors who were his associates. </p><p>In addition to detecting fraud, internal auditors can use Benford's Law to identify inefficient processes and computer bugs. The law does this by determining the expected frequency for any digit in a set of discrete numbers such as journal entries, disbursements, and revenues. This means that a digit in a number in a given data set is mathematically predictable. Because the expected frequency for each digit is known, every item in excess of that frequency is deemed unusual. </p><p>With large amounts of data to analyze, Benford's Law can detect anomalies better than traditional audit techniques. For example, research shows that companies whose financial statements are significantly out of compliance with Benford's Law are likely to get caught for accounting irregularities. A before-and-after comparison of restated earnings showed that the new, real numbers aligned with Benford analysis. </p><p>Internal auditors can leverage audit software with Benford's Law functionality. Additionally, some audit departments can work with the organization's IT function to adopt a step-by-step Benford analysis using established formulas to analyze company data for unusual patterns. 
</p><h2>Revealing Fraud</h2><table cellspacing="0" class="ms-rteTable-default" style="width:100%;"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Benford's Basics</strong><p>Benford's Law made its debut in the audit profession in the 1990s through the efforts of Mark Nigrini, an expert on the theory. First discovered in 1881 by mathematician Simon Newcomb, the theory lay dormant for almost half a century until the 1930s when it was again discovered by physicist Frank Benford. </p><p>Benford determined that leading digits are distributed in a specific, nonuniform way. This discovery led to the mathematical theory that in large sets of data, the initial digits of amounts will tend to follow a predictable pattern. The initial digit "1" is most common as the first digit in data sets, appearing 30% of the time, followed by "2" (17.6%), "3" (12.5%), "4" (9.6%), "5" (7.9%), "6" (6.6%), "7" (5.8%), and "8" (5.1%). The initial digit "9" appears the least often (less than 5%). </p><p>Benford's Law works because the distance from "1" to "2" is far greater than the distance from "9" to "10." For example, if a data set begins with the digit "1," it has to increase by 100% before it begins with the digit "2." To get from "2" to "3" requires a 50% increase; from "3" to "4," 33%; "4" to "5," 25%; "5" to "6," 20%; "6" to "7," 16%; "7" to "8," 14%; "8" to "9," 12%; and "9" to "10," 11%.</p></td></tr></tbody></table><p>Because few fraudsters know about Benford's Law, the numbers they cook up stand out. As a result, the position of each digit in their transactions will not follow Benford's analysis, revealing their crime (see "Benford's Basics" at right). </p><p>For example, during a purchasing audit at a retail company, internal auditors discovered there were 550 purchase orders issued with the first two digits "96," compared with the expected count of 289 purchase orders. 
Benford's Law analysis showed 145 purchase orders of between $9,600 and $9,690 were approved by a director whose approval authority was limited to $10,000. Further investigation revealed that over a two-year period, the director made $3.5 million in purchases for personal items such as electronics, jewelry, and appliances.</p><h2>Five Types of Analysis</h2><p>Basic tests in Benford's Law cover first-digit analysis, second-digit analysis, first two-digit analysis, first three-digit analysis, and last two-digit analysis.</p><ul><li><strong>First-digit Analysis</strong> Auditors can chart the expected and actual occurrence for each digit from "1" to "9." They can drill down further on unusual differences for analysis and action.</li><li><strong>Second-digit Analysis</strong> Like the first-digit analysis, the second-digit analysis is a test of reasonableness. At a health-care company, an analysis of the second digits in more than 21,000 payroll records revealed that the numeral "0" turned up as the second digit twice as often as it should have. The numeral "5" showed up 60% more often than expected. Based on those findings, the records were deemed fraudulent. </li><li><strong>First Two-digit Analysis (F2D)</strong> There are 90 possible combinations (10 through 99) for the first two digits in a number. For example, the first two digits of 110,364 are "11." In an F2D test, Benford's Law would note there is a 3.8% likelihood that "11" would be the first two digits. This is a much more focused test, as the purchase order example showed.</li><li><strong>First Three-digit Analysis (F3D)</strong> In F3D tests, there are 900 possible combinations (100 through 999), allowing for an in-depth analysis of large data sets. 
It provides greater precision for picking up abnormal duplications in sets with 10,000 or more transactions.</li><li><strong>Last Two-digit Analysis</strong> There are 100 possible combinations (00 through 99) in the last two digits of a number. The expected proportion for each of these combinations is 1%. Any excess points to rounded-off or invented numbers. </li></ul><h2>When to Use It</h2><p>Benford's analysis is best used on data sets with 1,000 or more records that include numbers with at least four digits. As the data set increases in size, conformity to the expected frequencies becomes closer. </p><p>However, not all financial data lend themselves to such tests. Benford's analysis cannot be used in scenarios such as: </p><ul><li>A data set made up of assigned numbers such as Social Security, contract, invoice, phone, customer, and check numbers. </li><li>Psychological thresholds such as $199.99. </li><li>Minimum and maximum numbers such as a petty-cash fund disbursing between a $10 minimum and a $40 maximum. </li><li>Where no transaction is recorded such as thefts, kickbacks, and contract rigging. </li><li>Limiting a sample of transactions to only a narrow range, such as between $100 and $999.</li></ul><h2>Extract Needles From Digital Haystacks</h2><p>Benford's Law can be a powerful way to combat the costly scourge of fraud. It is like placing a magnet over a haystack and extracting the needles, enabling internal auditors to analyze an entire population of data. All it takes is an interest and a willingness to learn new approaches.</p>Lal Balkaran
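<p>The five digit tests listed under "Five Types of Analysis" above, worked through as an added Python example (this is not code from the article or from any audit tool it mentions): it derives the expected proportions from Benford's formula log10(1 + 1/d), tallies the observed first, second, first-two, first-three and last-two digits of a population of amounts, and flags any bucket whose excess over expectation exceeds a z-score threshold. The cents-based digit extraction, the z threshold of 3 and the sample population are assumptions made for this example; the population is constructed to mirror the article's purchase-order pattern, not real data.</p>

```python
"""Benford's Law digit-frequency tests over a population of amounts.

Expected proportions come from P(d) = log10(1 + 1/d), where d is the
leading digit(s). The second-digit expectation sums that formula over
every possible first digit; the last-two-digit expectation is uniform
(1% per combination), as the article states."""
import math
import random
from collections import Counter


def benford_expected(leading):
    """Probability that a number's leading significant digits equal `leading`."""
    return math.log10(1 + 1 / leading)


def expected_distribution(test):
    """Expected proportion for every possible outcome of `test`."""
    if test == "first":
        return {d: benford_expected(d) for d in range(1, 10)}
    if test == "first_two":
        return {d: benford_expected(d) for d in range(10, 100)}
    if test == "first_three":
        return {d: benford_expected(d) for d in range(100, 1000)}
    if test == "second":
        # P(second digit = d) = sum over first digits k of P(first two = 10k + d)
        return {d: sum(benford_expected(10 * k + d) for k in range(1, 10))
                for d in range(10)}
    if test == "last_two":
        return {d: 0.01 for d in range(100)}
    raise ValueError("unknown test: %r" % test)


def digits_of(value, test):
    """Map one amount to the bucket used by `test`, or None when it has too
    few significant digits. Assumption for this example: amounts are taken in
    cents, so 9,600.00 has significant digits 960000; the last-two test uses
    the last two digits of the whole-unit amount (9,600 -> 00)."""
    if test == "last_two":
        return int(abs(value)) % 100
    sig = str(int(round(abs(value) * 100))).lstrip("0")
    if test == "second":
        return int(sig[1]) if len(sig) >= 2 else None
    n = {"first": 1, "first_two": 2, "first_three": 3}[test]
    return int(sig[:n]) if len(sig) >= n else None


def run_test(values, test, z_threshold=3.0):
    """Compare observed bucket counts with Benford's expected counts.

    Returns the population size, one row per bucket (expected count, observed
    count, z-score of the excess) and the buckets flagged because their excess
    exceeds `z_threshold` standard deviations (binomial approximation)."""
    buckets = [b for b in (digits_of(v, test) for v in values) if b is not None]
    n = len(buckets)
    observed = Counter(buckets)
    rows, flagged = {}, []
    for bucket, p in expected_distribution(test).items():
        exp = n * p
        obs = observed.get(bucket, 0)
        sd = math.sqrt(n * p * (1 - p))
        z = (obs - exp) / sd if sd else 0.0
        rows[bucket] = {"expected": exp, "observed": obs, "z": z}
        if z > z_threshold:
            flagged.append(bucket)
    return {"n": n, "rows": rows, "flagged": flagged}


def constructed_population(seed=7):
    """Constructed sample data (not real transactions): 3,000 Benford-conforming
    amounts drawn log-uniformly between $100 and $100,000, plus 150 purchase
    orders just under a $10,000 approval limit, mirroring the article's case."""
    rng = random.Random(seed)
    normal = [round(10 ** rng.uniform(2, 5), 2) for _ in range(3000)]
    suspicious = [round(rng.uniform(9600, 9690), 2) for _ in range(150)]
    return normal + suspicious


if __name__ == "__main__":
    result = run_test(constructed_population(), "first_two")
    for bucket in result["flagged"]:
        row = result["rows"][bucket]
        print("first two digits %02d: observed %d, expected %.1f, z = %.1f"
              % (bucket, row["observed"], row["expected"], row["z"]))
```

The flagged buckets are the starting point for drill-down, not a finding in themselves: as the "When to Use It" section notes, assigned numbers, capped ranges and psychological price points will show excesses that have nothing to do with fraud.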
Six Tips for Auditing From Home<p>The rapid spread of the coronavirus (COVID-19) has led organizations to adopt a flexible, work-from-home approach to maintain business continuity. Internal audit departments around the world continue to perform audit work, even as practitioners work from home. </p><p>The crisis has accelerated the profession's movement toward remote techniques, which previously had been a subject of considerable debate. Specifically, can auditors perform their jobs effectively without interacting in person with audit clients? </p><p>Now internal auditors are putting past assumptions about remote work to the test. Even while working from home, auditors must comply with audit standards as well as maintain creativity and healthy skepticism. To do so, they need to address new challenges and leverage technology tools. Here are six suggestions to audit from home effectively.</p><h2>1. Set up a Home Office </h2><p>Internal auditors should consider a few factors in setting up a home office. The location should be private to minimize background noise and to maintain confidentiality of work. If a dedicated room is not available, auditors should consider measures such as curtains, partitions, or room dividers. Their workspace also should have ample light.</p><p>Auditors should invest in comfortable furniture and relevant technology aids. While a dining table and chair might work as a makeshift desk, a dedicated desk and ergonomic chair can prevent posture problems. Connecting a computer to a second monitor can give auditors a bigger or additional screen. Other helpful technologies include a wireless mouse and noise-canceling headphones. </p><p>Besides technology, auditors can pin notes or tasks to a vision board to track projects they need to accomplish each week. As an add-on, research finds that keeping a plant or flowers in the workspace can enhance productivity.</p><h2>2. 
Act Professionally</h2><p>Working in an office, internal auditors have fixed routines in terms of lunch, coffee breaks, and the start and end of the day, but that may not be the case when they are working at home. Acting and dressing as if they are going to work can help auditors avoid falling into the trap of complacency.</p><p>Setting a work schedule will help auditors balance their professional and personal commitments. A good approach is to establish working hours around the times the individual is most productive and expects minimal interference. </p><p>Likewise, with schools closed, many auditors are juggling work and personal commitments. Auditors with families should talk to their children about changes and set boundaries, including when they should not be disturbed. They should request help from family members who may be able to oversee children's activities during the workday and set up day schedules for them. Returning the favor for their partners would be helpful.</p><p>Scheduling frequent short breaks can help auditors stay refreshed and focused on work. To avoid burnout, they should enforce a hard limit at the end of their workday.</p><h2>3. Leverage Cloud Technologies</h2><p>Cloud-based technologies and services are helping businesses and governments continue to operate during the COVID-19 pandemic. Unlike traditional technology applications, many cloud services do not require any setup or downloads.</p><p>Videoconferencing has proven indispensable during this time, allowing auditors to talk to co-workers and clients by clicking on an invite link. Such calls enable auditors to hold live interviews and observe visual cues just as they would during an in-person visit or walk-through. Most videoconferencing services enable auditors to share documents with other participants in a call.</p><p>Cloud-based collaborative tools such as whiteboards can help with brainstorming, organizing, and assigning tasks among an audit team. 
Shared drives allow individuals to simultaneously work on documents, while also providing easy access and version control, thereby reducing email traffic. </p><h2>4. Ensure Confidentiality</h2><p>Internal auditors often are privy to an organization's most confidential information, and protecting it is vital to maintaining audit's trusted role. Most organizations' work environments have sufficient safeguards to prevent information leakage, but the boundary lines can blur easily when working remotely. </p><p>Family and friends can pose conflicts of interest. Examples include a roommate who works for a competitor or a spouse who works for the business unit that the auditor currently is reviewing. To address confidentiality issues, auditors should discuss potential conflicts with spouses, partners, and roommates. </p><p>Auditors should assess the risk of inadvertent information leaks that may occur because someone overheard a call or discovered documents that were not kept securely. If possible, they should take sensitive calls behind a closed door and inform their partner of the times when such calls are scheduled. In addition, auditors should designate space in a desk drawer or file cabinet to store sensitive documents and clearly label documents to avoid information leaks. </p><p>Auditors should discuss with their managers any potential conflicts of interest or confidentiality concerns that cannot be mitigated and determine alternate plans. </p><h2>5. Plan and Communicate</h2><p>In the face of social distancing, and without face-to-face interactions with colleagues and audit clients, effective communication becomes more important. Auditors need to plan ahead of fieldwork, stakeholder walk-throughs, team meetings, and other engagements. They should create a to-do list and update it each morning to keep track of what they want to achieve throughout the day. 
Communicating such plans to the auditor's manager can allay any concerns about his or her efficiency while working at home. </p><p>It takes more time and effort to access information from co-workers when they are not located in the same place. Communicating expectations to co-workers can help auditors obtain information easily and more reliably. </p><p>Establishing regular virtual check-ins — for example, twice a week — can ensure the manager and audit staff have a platform to consult with the team and raise concerns or questions. Initially, such check-ins can help co-workers learn from each other in adjusting to the work-at-home environment. Moreover, using videoconferencing can help staff members feel less isolated and boost morale.</p><h2>6. Acknowledge Clients' Challenges </h2><p>Like auditors, audit clients are trying their best to maintain business continuity and are facing similar challenges. Acknowledging these challenges can add a personal touch to the audit and help calm the nerves of business units while responding to auditors' requests. </p><p>Business units also might be changing some of their operations during this time, so auditors should adopt new ways of receiving expected documentation. For example, clients may be using e-signature services to document management review in the absence of signatures on office stationery. Additionally, auditors may need to examine inventory using live videoconferencing and retain the video record as evidence. </p><h2>Changing Practices</h2><p>While transitioning to auditing remotely may seem overwhelming, carefully considering solutions to work-at-home challenges can make the change easier. In time, as auditors adapt to this way of working, remote auditing may become a more accepted practice. For example, many organizations are finding that virtual work is leading to cost savings. If remote work becomes the new normal, being prepared can help auditors adapt and thrive. 
</p><p><em>For more information on remote auditing, read The IIA's Global Knowledge Brief, <a href="" target="_blank">Remote Auditing for COVID-19 and Beyond</a> (PDF).</em></p>Ankit Garg
Cloud Control<h2>Why is it important to have an inventory of all cloud solutions in use?</h2><p><strong>Furr</strong> An inventory of all cloud solutions in use within the organization is a critical foundational step in establishing a cloud risk and governance program. The inventory can be a useful tool for understanding the aggregate level of risk to the organization by identifying the data and the number and types of cloud computing technologies being used. The inventory also can be used to manage regular reviews of cloud computing solutions to reduce risk and ensure ongoing compliance.</p><p><strong>Lovell</strong> Having a complete inventory is the first step in managing the cloud control environment. Armed with this information, organizations can better understand the risks associated with their cloud services; drive clarity regarding roles and responsibilities between vendor and customer; and validate that controls are in place for security, reliability, agility, and compliance of their clouds.</p><h2>How often should internal audit evaluate solutions?</h2><p><strong><img src="/2020/PublishingImages/EOB-Lovell-KO-70x70.jpg" class="ms-rtePosition-1" alt="Eric Lovell" style="margin:5px;" />Lovell</strong> Audit frequency should be based on risk. In a mature organization, internal audit should focus on major cloud projects and migrations, with governance-type audits occurring periodically after the first annual cycle. For an organization just embracing the cloud, internal audit’s governance-related reviews should occur more often. For organizations with multiple significant applications in the cloud, I would expect some aspect of cloud is covered every year, via project audits, application audits, integrated audits of functions that use cloud services, infrastructure audits, and those focused on cybersecurity. 
Importantly, the cloud should be audited where it supports critical business activities that also are under audit.</p><p><strong>Furr</strong> Cloud solutions evolve quickly, and while organizations typically perform due diligence when choosing a provider, the evaluation often does not address how the platform and individual services develop and are monitored and managed over time. Organizations should perform a cloud computing assessment before completing an audit. Performing an assessment first enables internal audit to build relationships and educate stakeholders on the policies, procedures, and controls necessary to mitigate cloud computing risks. Audit frequency depends on the maturity level, complexity, and use of cloud solutions. As the maturity level of the cloud risk and governance program increases, evaluation frequency can be reduced but should be annual until then.</p><h2>How can internal audit gain assurance around cloud solutions? </h2><p><strong><img src="/2020/PublishingImages/EOB-CarrieFurr-70x70.jpg" class="ms-rtePosition-1" alt="Carrie Furr" style="margin:5px;" />Furr</strong> The first step is to understand the maturity level of the organization’s cloud risk and governance model. Next is understanding the current aggregate cloud computing environment. The final step is understanding the plan to expand cloud-computing solutions. By understanding these three components, internal audit can better identify and help manage and monitor the cloud environment. It should ensure the organization is building its cloud strategy with compliance and risk in mind. The organization should follow a holistic, robust cloud standard.</p><p><strong>Lovell</strong> First, internal audit should test key controls related to the procurement and deployment of new cloud services. 
Validate that decisions to move a service into the cloud are based on an established architecture and information security standards to which all parties have committed. Also, validate that standard terms and conditions, as well as service-level agreements, are in line with corporate policy. Second, internal audit should audit the vendor management program. Vendor monitoring should be based on risk and could include review of third-party trust reports, control questionnaires, and on-site visits. Third, internal audit should test controls to identify and limit unauthorized cloud services. Finally, internal audit should get involved in cloud projects and validate controls are in place to ensure the security, compliance, agility, and reliability of the organization’s clouds.<br></p><h2>What are some tips for determining whether the audit function is capable of assessing cloud solutions?</h2><p><strong>Lovell</strong> The collective team must understand the technology as well as the business. Look at the current IT audit plan. If the last three years have seen significant coverage of IT infrastructure, cybersecurity, and IT controls that touch application life-cycle management processes, you likely have in-house staff who can learn and cover basic cloud governance, security, and operations-related cloud audits for medium-risk cloud services. However, for any cloud services that support critical business processes or house sensitive data or regulatory compliance-related services or data, supplement audits with subject-matter specialists. 
Conversely, if the audit plan has historically been focused on IT general controls or application controls, seek outside assistance in general for cloud-related engagements.</p><p><strong>Furr</strong> At my company, we frequently work in partnership with internal audit resources and other key stakeholders to “teach them to fish.” Most internal audit teams have little to no cloud computing experience in identifying and managing cloud risk and compliance challenges. This model allows experienced advisors to train their staffs during initial assessments/audits, so they can conduct future cloud computing assessments and audits. </p><table class="ms-rteTable-4" width="100%" cellspacing="0"><tbody><tr class="ms-rteTableEvenRow-4"><td class="ms-rteTableEvenCol-4" style="width:100%;"><p><strong>A Focus on Controls</strong></p><p>There are several general policies and controls organizations can implement in regard to cloud solutions. At a minimum, RSM’s Carrie Furr says, cloud computing requires policies, procedures, and controls around high-risk cloud controls domains, as defined by the Cloud Security Alliance Cloud Controls Matrix: </p><ul><li>Data security and information life-cycle management.</li><li>Encryption and key management.</li><li>Identity and virtualization.</li><li>Interoperability and portability.</li><li>Supply chain management, transparency, and accountability.</li></ul><p>In addition, PwC’s Eric Lovell offers four foundational areas of focus:</p><ol><li><strong>Controls related to strategy and governance.</strong> Organizations must determine when and how they move to the cloud, and should develop an architectural reference model to help ensure decisions are consistent across the enterprise, meet business requirements, provide a return on investment, and are within the company’s risk tolerance.</li><li><strong>Solution development.</strong> Whether it’s an in-house development team using a 
DevOps approach to deploy and manage applications in cloud infrastructure, or taking advantage of the many enterprise class applications provided as a service, specialists should be involved throughout to make sure adequate controls are in place for the production environment.</li><li><strong>Training and awareness.</strong> Both end users and technologists need to be trained on the cloud and how to leverage those services to the advantage of the organization while managing risk. </li><li><strong>Controls related to inventory management.</strong> Organizations need an accurate inventory of all cloud services along with sufficient information about each to make informed risk-based decisions. And, organizations need to control the use of unauthorized cloud services.</li></ol></td></tr></tbody></table>Staff
An RPA Road Test<p>Robotic process automation (RPA) has received a lot of attention lately for its ability to streamline processes and increase efficiency. Simply stated, RPA is the automation via virtual robots (bots) of computer-based tasks traditionally performed by people. RPA bots consist of software programs that mimic repetitive actions exactly the way a person would perform them. </p><p>In the business world, RPA has gained momentum as a tool for automating standard repetitive tasks that require little human judgment or thought. The technology frees up meaningful time for humans to perform work that is, well, more human — tasks that require more analytical or intellectual brain power.</p><p>Rudimentary RPA has been around for decades. Spreadsheet macros, for example, have long enabled users to record keystrokes and automate basic tasks with the click of a mouse. Today, RPA bot development is much more sophisticated. Bots are unbound from a single system or database and can manipulate unstructured data — such as by "scraping" it from a screen shot based on a keyword, phrase, or screen location.</p><p>The technology's powerful capabilities have enabled multiple uses of RPA, from automating account reconciliations to performing audit tasks. With these capabilities in mind, the internal audit function at YRC Worldwide (YRCW), a trucking company specializing in freight transportation and logistics services for North American shippers, undertook a pilot program to implement RPA technology. The effort was a success, paving the way for a formal implementation plan and future RPA rollout.</p><h2>The Impetus for RPA</h2><p>With a staff of 17, YRCW's internal audit function is organized into two distinct groups — one specializing in regulatory compliance and risk-based, back-office assurance and consulting engagements; the other focused on compliance and operational reviews related to YRCW's network of more than 300 freight terminals. 
Internal audit's RPA pilot focused on this latter area. </p><p>YRCW management has consistently made one request of the internal audit team: Provide more audit coverage with the same amount of staff. In keeping with this challenge, audit leadership strives to innovate and has embarked on a strategic mission to create the "terminal audit of the future." Terminal audits consist of transactional and observational testing to provide regulatory and operational compliance assurance, using standard audit programs to provide a consistent measuring stick for evaluating freight terminal performance.</p><p>The YRCW audit function has a multiyear track record of year-over-year audit coverage increases. With each successive year, however, these increases become more difficult to sustain. The goal of the audit-of-the-future strategy is to not only increase audit coverage, but also to enhance internal audit's value proposition by adding to its repertoire of services. Audit leadership saw RPA's potential in this regard as a critical piece of internal audit's strategy. Automating portions of the standard terminal audit program could free up valuable staff resources, allowing more focus on other value-added services. </p><h2>Preparing for Automation</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Bot-building Skills</strong><p>Getting started with RPA does not require specialized skills. Most RPA tools include typical graphical user interfaces with point-and-click functionality that helps beginners get started right away. </p><p>Anyone with an advanced foundation in the use of basic software tools like Microsoft Excel can develop rudimentary bots. 
Nonetheless, technical skills such as coding can be helpful when pursuing more sophisticated bot development, especially if the anticipated RPA initiative is more complex.</p><p>More advanced RPA tools also provide for customized coding using either SQL or other coding languages. Individuals who leverage business analyst and coding skills can add significant value to more complex bot development projects.</p></td></tr></tbody></table><p>In preparation for the audit of the future initiative and its RPA component, YRCW internal audit leadership assessed several factors. First, leadership examined staff capabilities, with an emphasis on analytical and technology skills. Although commercial RPA tools have become increasingly user-friendly, application development skills can enhance RPA capabilities significantly. And while YRCW internal auditors had upgraded their technology skills over time through individual development plans, they did not possess the desired coding or business analyst acumen to facilitate RPA.</p><p>To incorporate these skills, internal audit leadership repurposed one of its analyst roles, which was vacant at the time, and rewrote the job description to include RPA competencies. Requirements included proficiency with SQL or other relevant coding skills. Audit leadership also sought process improvement and business analyst experience — in addition to a background in internal auditing. And while the candidate who eventually filled the role did not possess RPA experience per se, the individual's background and skills allowed for a short learning curve. </p><p>Before launching the initiative, internal audit leadership also needed to establish roles for existing team members. They assigned a project lead to learn RPA basics and inform other team members about key features, tools, and requirements. 
This effort led to a white paper deliverable aimed at defining what RPA was best suited for, identifying key resource needs, and determining whether audit leadership's vision for RPA was realistic. The white paper included a basic description of RPA, as well as information about expected benefits, how RPA works, bot setup options, common capabilities and uses, risks, and top RPA vendors and tools. The document was instrumental in level-setting the team's base knowledge and understanding of the technology's capabilities and limitations. This common understanding enabled the team to collaborate more effectively on a business case for the use of RPA and plan for implementation.</p><h2>Proof of Concept</h2><p>Armed with the white paper research, internal audit began working on a proof of concept to determine RPA's potential value related to the terminal audit program. The process consisted of determining which terminal audit program steps might be suited for RPA conversion and highlighting potential efficiency gains. The team identified steps that involved transactional system testing and other system-related test work versus observational steps for which automation would not be feasible.</p><p>Team members also estimated the current level of effort required to complete audit steps, designating each one as easy, moderate, or hard. Moderate or hard steps were flagged as potential candidates for RPA. Steps considered more transactional in nature, and those requiring the auditor to log into multiple systems, were prioritized as optimal candidates. The more difficult and time-intensive the audit step, the better RPA candidate it was deemed. The analysis provided a quantifiable picture of potential time savings, which ultimately affirmed that RPA had the potential to substantially increase terminal audit efficiency. 
The collaborative analysis and discussions from the proof of concept exercise served as a green light to proceed with a project socialization plan and develop a pilot program.</p><h2>Socializing RPA</h2><p>With the proof of concept well underway, internal audit leadership began to socialize the initiative with key stakeholders. Socialization represented an important step as the time commitment required to fully implement RPA would potentially impact audit coverage in the near term and might require monetary investment down the road. </p><p>Key stakeholders in the socialization effort included internal audit's reporting hierarchy (i.e., the audit committee and the chief financial officer) and operations leadership (the primary audit client). Additionally, support from YRCW's IT team was particularly important, as anticipated transformational benefits required direct access to organizational data. </p><p>To gain stakeholders' buy-in and support, internal audit needed them to understand both the long-term benefits and the short-term impacts of the RPA initiative. Socialization involved scheduling brief meetings to educate stakeholders on RPA and its merits. Most of them were familiar with RPA from a business process perspective but had not considered the application as it related to the terminal audit process. During the meetings, internal audit also presented the proof of concept results and proposed value proposition for RPA adoption. Because the white paper and proof of concept supported a definitive value proposition, socialization proved merely a formality and the RPA initiative received unqualified support to proceed. </p><h2>Pilot Bot</h2><p>The proof of concept's final phase involved developing a pilot bot. 
Development consisted of several steps:</p><ul><li>Identifying an appropriate RPA tool.</li><li>Selecting a terminal audit program step that would serve as an appropriate candidate for RPA.</li><li>Working with staff auditors to itemize the tasks required to complete the audit step.</li><li>Developing the RPA bot logic.</li><li>Testing, troubleshooting, and refining the bot.</li><li>Demonstrating the bot.</li></ul><p>RPA tool selection is often the first barrier internal audit groups face when looking to pilot an RPA initiative. Especially for smaller internal audit functions, where resources tend to be scarce, monetary investment in a tool that may or may not add substantial value can be a tough sell. Fortunately, several vendors offer web-based RPA tools that provide a basic functionality version, enabling users to get started for free. Internal audit chose this approach for its pilot. After reviewing and trying several free tools, internal audit selected one that had an established reputation and appeared capable of accommodating the pilot.</p><p>The team chose a pilot audit step that involved several manual audit tasks: logging into multiple systems, navigating to various application screens, acquiring specific lists and fields of data so that a sample of test items could be identified, and analyzing the sample data in a spreadsheet to determine the test outcome. Moreover, anticipated bot efficiencies enabled the auditors to replace judgmental sampling with full population testing.</p><p>After defining the new testing approach, the audit team initiated bot development. The process involved recording each of the audit tasks, step-by-step, in the RPA tool. In many ways, development resembled macro programming within a spreadsheet application — auditors captured tasks such as mouse clicks, keystrokes, and login credentials, which they automated using the tool. 
</p><h2>Pilot Results</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><strong>Think Before You Automate</strong><p>Internal auditors should not undertake bot development projects hastily or without sufficient planning and support. Audit functions looking to pursue RPA should consider: </p><ul><li>A proof of concept (including pilot) should be performed to ensure adequate value exists to justify the RPA initiative.</li><li>Rudimentary (free) tools and skills can get the initiative started, but more advanced tools and coding skills may be required to complete the journey.</li><li>Direct access to data adds exponential value.</li><li>Partnering with IT or other groups using RPA enables internal audit to leverage internal subject matter expertise and reduce development expenditure.</li><li>Program quality and sustainability require close attention to RPA governance. </li></ul></td></tr></tbody></table><p>The pilot project yielded valuable insights about bot development, such as process intricacies often taken for granted when people perform testing. For example, the team realized the value of direct access to data versus indirect access via screen capture. Some steps in the bot development process involved accessing mainframe screens and "scraping" the needed data from them. However, certain application screens consist of mere images and not actual data — i.e., renderings for the user interface. </p><p>People recognize images easily, but RPA tools vary in their ability to process them. The pilot bot could not recognize data captured as imagery, causing problems at this point in the audit step. The bot would either fail or seize up when encountering this task, requiring manual intervention to complete the step. If direct access to the data could be acquired, the bot would be able to continue processing the audit step to completion. 
At the time of the pilot, direct access to some of the data was not available.</p><p>As a result, the pilot bot produced favorable but incomplete results. The audit step chosen for the pilot usually took an auditor one to two hours to complete manually. Up to the point where screen images proved a barrier, the pilot bot completed the step in about one minute, with an additional 20 minutes of manual processing required by an auditor.</p><p>Even when factoring in the manual work, automation yielded considerable time savings. If direct access to data could be obtained, the bot could complete the entire audit step even more efficiently — in two minutes or less. This discovery highlighted the critical value of direct data access to bot development for future RPA rollout. Through some additional support provided by the IT group, internal audit ultimately acquired direct access to the necessary data and completed the pilot bot. </p><p>Internal audit compared the bot test results with results from manual completion of work to ensure consistent outcomes. It found that pilot results were of higher quality (full population testing vs. a sample) and significantly more efficient (approximately 90 seconds vs. 1–2 hours to complete the audit step). </p><h2>The Road Ahead</h2><p>Having validated the potential for bots to increase audit efficiency, YRCW internal audit is now poised to initiate a formal RPA implementation plan. The plan will prioritize audit steps for bot development as well as consider RPA's governance implications. It will address many of the considerations necessary in any IT development environment, including development standards, change management, and user testing.</p><p>Internal audit leadership will also need to determine the appropriate post-pilot RPA tool to use, and if necessary, build a business case to justify and secure funding. Additionally, leadership will need to evaluate how to redeploy staff once bot efficiencies start to materialize. 
</p><h2>Vehicle for Change</h2><p>Like many technology tools, RPA is not a one-size-fits-all solution. Its application model and value potential differ for each organization. Ultimately, the value of RPA lies in automating standard activities that are performed frequently. Internal audit functions whose audit plan includes substantial compliance assurance engagements that are repeated frequently are likely to have a better business case for RPA than those whose plan comprises a greater proportion of operational and consulting projects. For internal audit functions where RPA makes sense, it can be a game changer. </p>Rick Wright
Balancing Transformation and Security<p>The rush to digital transformation is creating a tension between cybersecurity and innovation. Six out of 10 corporate directors say they are willing to compromise cybersecurity to meet business objectives, according to the 2019–2020 National Association of Corporate Directors (NACD) Public Company Governance Survey. </p><p>"Boards must work with their management teams to reconcile the need to transform themselves digitally with the need to ensure underlying data assets are properly secured," says NACD CEO Peter Gleason.</p><p>In short, security must be part of the design of digital transformation, a new EY report advises. Yet, only 36% of new technology initiatives include security from the start, according to the EY Global Information Security Survey 2020 (PDF). </p><p>That shortcoming is despite the growing recognition that security incidents are increasing, notes the survey of cybersecurity leaders from 1,300 organizations. About six out of 10 respondents say their organization has had a material or significant cybersecurity incident in the past 12 months.</p><h2>A Transformation Roadblock</h2><p>The problems are multifold, the EY survey finds. For starters, only 7% say their organization sees cybersecurity as enabling innovation. In most organizations, cybersecurity is considered the opposite — compliance-driven and risk-averse. Just 9% of new cybersecurity spending is for new business initiatives, with greater focus on defensive priorities. </p><p>That approach isn't sustainable, says Kris Lovejoy, EY global advisory cybersecurity leader. Instead, organizations need a "security by design" culture that can "bridge the divide between the security function and the C-suite," she says. 
In such a culture, the chief information security officer (CISO) must become the agent of transformation, "instead of the stereotypical roadblock."</p><p>To get there, cybersecurity functions will need to win over mistrustful business units. EY reports that 59% of respondents say their function's relationship with business units is neutral, mistrustful, or nonexistent. That percentage rises for key innovators such as the research and development function and marketing.</p><p>To shift the culture to security by design, EY recommends that organizations:</p><ul><li>Establish cybersecurity as a "key value enabler" of digital transformation initiatives, beginning at the planning stage.</li><li>Build trust relationships between cybersecurity and every business function.</li><li>Implement governance structures that support a "risk-centric view" in board and executive reporting.</li><li>Focus on board engagement by using understandable terms to communicate about cyber risks.</li><li>Evaluate the cybersecurity function's strengths and weaknesses.</li></ul><h2>The Board and Cyber Risk</h2><p>Acting on those recommendations may be challenging, though, particularly where the board is involved. About half of respondents say their board doesn't understand cyber risk. EY's recent Global Board Risk Survey reports that half of boards are only somewhat confident in their organization's cybersecurity and just 54% discuss it regularly.</p><p>Board directors responding to the 2019–2020 NACD Public Company Governance survey have a higher assessment of their cybersecurity understanding. Nearly 80% say their board's understanding of cyber risk has improved significantly over the past two years, according to the survey of 500 directors, released in December. </p><p>Two-thirds say their board is confident that the organization can respond effectively to a materially significant incident. 
And almost two-thirds say they are confident in the board's ability to provide effective oversight over cyber risk.</p><h2>Oversight Principles</h2><p>The NACD has teamed with the Internet Security Alliance (ISA) to issue new board guidance, Cyber-risk Oversight 2020 (PDF). This third edition of the NACD's handbook on cyber risk describes five guiding principles for addressing those risks:</p><ul><li><em>Cybersecurity as a strategic risk — rather than an IT risk.</em> Technology and data are "center stage as critical drivers of strategy," the handbook notes.</li><li><em>Legal and disclosure implications.</em> Directors need to know the legal implications of cyber risks, including what they must publicly disclose and the potential for lawsuits.</li><li><em>Board oversight structure and access to expertise.</em> Boards need adequate expertise about cybersecurity and should discuss cyber-risk management regularly.</li><li><em>An enterprise framework for managing cyber risk.</em> Directors should expect management to put in place an enterprisewide cyber-risk management framework.</li><li><em>Cybersecurity measurement and reporting.</em> The board and management should identify and quantify financial exposure to cyber risk, and determine which risks to accept, mitigate, or transfer.</li></ul><p>In addition to the principles, the NACD handbook includes 13 tools for board directors, which map back to individual principles. These tools include questions directors should ask about cybersecurity, a self-assessment of the board's cyber-risk oversight effectiveness, and an overview of insider threats and third-party risks. Other tools cover incident response, cybersecurity metrics, due diligence for mergers and acquisitions, dashboards, and U.S. 
government resources.</p><h2>Set the Tone</h2><p>"Digitalization and digital transformation have enhanced exposure to cyber risk across the enterprise, making cybersecurity a strategic risk," says Larry Clinton, president of ISA and lead author of the NACD handbook. He says boards must help set "a tone for security." More and more, boards, management, cybersecurity functions, and business units all must ensure that initiatives address both the risks and opportunities. </p>Tim McCollum
Auditing the Bots<p>Imagine an internal auditor who is confronted with a disastrous robotic process automation (RPA) implementation. Her company spent millions of dollars to implement 50 robots, or “bots,” but the project had yielded only a single functioning bot. Making matters worse, hackers compromised that bot and drained the company’s bank account with a succession of undetected $0.99 electronic transactions. Could the auditor have prevented these things from happening?</p><p>RPA can potentially reduce costs, improve accuracy and productivity, and eliminate tedious processes. It works by building software robots that can mimic the actions of a person on a computer, automating otherwise manual processes. </p><p>Bots are highly fragile and are not intelligent. Unlike artificial intelligence, they can only do exactly what they are told to do. And access to the technology is growing, with Microsoft recently adding RPA functionality to Microsoft Office, putting it on millions of corporate desktops.</p><p>As with any new technology, internal auditors must be aware of RPA’s risks. The potential for a bot to make a mistake multiple times in seconds creates unique risks to assess.</p><h2>Validate Security Risks</h2><p>Assessing RPA’s risks must begin with considering access security to the bot. RPA providers offer both on-premises and cloud-based solutions, with all the risks typical of these approaches. </p><p>Most RPA solutions do not house any “at rest” data, reducing the risk that sensitive data will be captured if the bot is hacked. Instead, bots operate on an organization’s applications using credentials just as a human user would. That means a bot can be hacked and coded to perform fraudulent, unethical, or hostile actions. </p><p>Examining the security around the RPA tool is critical, including access restrictions. 
Auditors should understand the security around each of the applications that the bot accesses and the controls around data that the bot “writes.” </p><p>As internal auditors begin to operate within bot-enabled environments, they should consider whether the bots are achieving their business purposes. Internal audit should be a partner, along with information security, in all RPA implementations. Their independent advice should improve clarity around the business objectives for each bot development. Business analysts should establish and track clear, objective performance metrics. Auditors should provide assurance about whether the bots are fulfilling their missions and meeting compliance objectives.</p><p>An additional challenge is disagreement about segregation of duties issues around bots. Because bots lack a sense of doing “wrong,” some auditors say programming them with incompatible duties does not violate segregation of duties. Others say such programming introduces additional fraud risk because a person will have access to the bot’s program while in the production environment. Each organization should address this issue within its risk management framework and culture.</p><h2>Audit the Development Life Cycle</h2><p>Internal audit should provide assurance of the organization’s RPA developments. Development of each bot should follow the organization’s system development life cycle (SDLC).</p><p><strong>System Changes</strong> Auditors should consider both the “upstream” systems that the bot pulls data from as well as the “downstream” systems that the bot writes data to. That is because bots break easily in dynamic environments, requiring constant reprogramming and sometimes complete redevelopment. Any change in a relevant system can create an irreconcilable error in the bot’s performance. 
Auditors should ensure that the SDLC considers these issues.</p><p><strong>Bot Access</strong> A best practice is to have one person create and test the bot in a “sandbox” — a controlled space outside the production environment. From there, another person moves the bot into production, while a third person manages its ongoing activities. </p><p><strong>Governance</strong> Internal audit should be concerned with both ownership and governance of all active bots, looking for potential conflicts within the governance structure. Some organizations house the RPA program within IT, others at the business-unit level, and still others within a shared services area. Additionally, many organizations manage bot governance through centers of excellence that develop and manage the overall RPA strategy.</p><p><strong>Bot Activity</strong> Most RPA solutions offer audit logs to facilitate review of the transactions each user conducts during a logon session. Auditors should examine RPA user profiles to identify segregation of duties conflicts, excessive access levels, access provisioned to terminated employees, and activity conducted by terminated bots. Additional reviews of the audit logs can reveal inappropriate activities, including attempts to repurpose the bots while in production.</p><p>A common practice is to provide each bot with a set of system credentials to access the enterprise resource planning system. In reviewing audit logs for the organization’s non-RPA systems, auditors should look for irregular bot activities, as well as interactions with human credentials that might create a segregation-of-duties issue. Poor governance over RPA can allow a single person to use a bot to commit fraud.</p><h2>Managing Organizational Change</h2><p>In the story about the internal auditor faced with a poor RPA rollout, the culprit was the company’s culture. Employees had been reading articles about bots taking their jobs and fought the success of the implementation. 
What the company did not do well was communicate the RPA program’s objectives and achieve cultural buy-in.</p><p>A consistent theme of successful RPA implementations is beginning by automating a single, high-impact, high-visibility process. A great candidate is a highly manual, tedious process that one or more employees dread doing. Once this process is automated, it frees employees from a mundane task, enabling them to add greater value to the organization. </p><p>A further consideration for internal audit is assessing the capabilities and competencies of the internal and external personnel tasked with developing and managing the company’s RPA program. Have each of these people been trained in RPA? Are roles adequately segregated, documented, and understood? Auditors should review the credentialed training programs offered by RPA vendors and seek training themselves.</p><h2>Improving the Odds</h2><p>Internal auditors should be frequent advisors throughout RPA initiatives. To be effective, the audit function must establish an appropriate baseline of controls around bots and include RPA in its audit plan. Moreover, auditors can provide independent advice on prioritizing the best automation opportunities. In this way, internal audit can improve cultural acceptance and improve the odds that RPA will benefit the business. </p>Chris Denver
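<p>The "Bot Activity" review described in the article above, worked through as an added example (not code from the article or from any RPA vendor): it runs over a constructed identity export and constructed audit-log records and flags segregation-of-duties conflicts, bots holding administrative entitlements, access still provisioned to terminated identities, activity under terminated bots, bot edits made in production, and a bot and its owner splitting a conflicting pair of actions on one transaction. All field names, entitlement names, identities and records are assumptions.</p>

```python
"""Constructed RPA access and audit-log review (added example, not the article's code)."""
from collections import defaultdict

# Pairs of entitlements one identity must not hold together (constructed policy).
SOD_CONFLICTS = [
    ("vendor.create", "payment.approve"),
    ("journal.post", "journal.approve"),
]
# Entitlements a bot identity should never hold (constructed policy).
BOT_FORBIDDEN = {"bot.admin", "user.admin"}

# Constructed identity export; each bot carries the "owner" who can edit its script.
PROFILES = [
    {"id": "bot_ap_recon", "kind": "bot", "status": "active", "owner": "jdoe",
     "entitlements": {"invoice.read", "vendor.create"}},
    {"id": "bot_payroll", "kind": "bot", "status": "terminated", "owner": "asmith",
     "entitlements": {"payroll.read", "payment.approve", "bot.admin"}},
    {"id": "jdoe", "kind": "human", "status": "active",
     "entitlements": {"payment.approve", "bot.edit"}},
    {"id": "asmith", "kind": "human", "status": "terminated",
     "entitlements": {"payroll.read"}},
    {"id": "rlee", "kind": "human", "status": "active",
     "entitlements": {"journal.post", "journal.approve"}},
]

# Constructed audit-log records: (timestamp, actor, environment, action, target).
AUDIT_LOG = [
    ("2024-03-01T09:00:00", "bot_ap_recon", "prod", "vendor.create", "V-1001"),
    ("2024-03-01T09:02:00", "jdoe", "prod", "payment.approve", "V-1001"),
    ("2024-03-01T09:05:00", "bot_payroll", "prod", "payment.approve", "V-2042"),
    ("2024-03-01T10:00:00", "jdoe", "prod", "bot.edit", "bot_ap_recon"),
    ("2024-03-01T10:10:00", "jdoe", "sandbox", "bot.edit", "bot_ap_recon"),
]


def sod_conflicts(profiles):
    """Identities (human or bot) holding both halves of a conflicting pair."""
    return [(p["id"], a, b) for p in profiles for a, b in SOD_CONFLICTS
            if a in p["entitlements"] and b in p["entitlements"]]


def excessive_bot_access(profiles):
    """Bots holding entitlements reserved for administrators."""
    return [(p["id"], sorted(p["entitlements"] & BOT_FORBIDDEN))
            for p in profiles if p["kind"] == "bot" and p["entitlements"] & BOT_FORBIDDEN]


def terminated_with_access(profiles):
    """Terminated employees or bots whose entitlements were never revoked."""
    return [p["id"] for p in profiles if p["status"] == "terminated" and p["entitlements"]]


def terminated_activity(profiles, log):
    """Log entries recorded under a terminated identity; each one needs an explanation."""
    terminated = {p["id"] for p in profiles if p["status"] == "terminated"}
    return [(ts, actor, action) for ts, actor, _env, action, _tgt in log if actor in terminated]


def production_bot_edits(log):
    """Bot scripts changed in production rather than in the sandbox (possible repurposing)."""
    return [(ts, actor, tgt) for ts, actor, env, action, tgt in log
            if env == "prod" and action == "bot.edit"]


def owner_split_sod(profiles, log):
    """A bot and the human who owns it together completing a conflicting pair on one target.

    The article's concern: someone who can program a bot and also acts on the same
    transaction effectively holds both duties, even if neither identity does alone.
    """
    owner = {p["id"]: p["owner"] for p in profiles if p["kind"] == "bot"}
    by_target = defaultdict(list)
    for _ts, actor, _env, action, tgt in log:
        by_target[tgt].append((actor, action))
    hits = []
    for tgt, events in by_target.items():
        for a, b in SOD_CONFLICTS:
            for x in [actor for actor, act in events if act == a]:
                for y in [actor for actor, act in events if act == b]:
                    if owner.get(x) == y or owner.get(y) == x:
                        hits.append((tgt, x, y))
    return hits


def review(profiles=PROFILES, log=AUDIT_LOG):
    """Run every check and return the findings keyed by check name."""
    return {
        "sod_conflicts": sod_conflicts(profiles),
        "excessive_bot_access": excessive_bot_access(profiles),
        "terminated_with_access": terminated_with_access(profiles),
        "terminated_activity": terminated_activity(profiles, log),
        "production_bot_edits": production_bot_edits(log),
        "owner_split_sod": owner_split_sod(profiles, log),
    }


if __name__ == "__main__":
    for check, findings in review().items():
        print(f"{check}: {findings}")
```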
The Analytics Journey: Finding the Right Direction<p>Does your department know what it wants to achieve with analytics? This installment of <a href="/2019/Pages/The-Analytics-Journey.aspx">"The Analytics Journey"</a> series looks to stimulate internal auditors' curiosity about their department's analytics program approach. Auditors need to establish why the department wants a program, how the program supports its mission, and how it fits into the organization. </p><p>After all, if auditors don't know what they came to do, how can they do it? </p><h2>What Do You Want?</h2><p>The answer to this question will set the stage for everything else internal audit does with the analytics program. It will influence resource allocation, key milestones and time lines, expected results, and even what auditors are doing and when. Although the answer may be surprising, it will address exactly how the program fits into the organization. </p><p>These examples demonstrate a range of potential analytics program objectives. 
Note how some of these objectives are closely related while being very different from most of the others:</p><ul><li>The program will augment the capacity of the internal audit staff.</li><li>Analytics will drive consistency across projects in the organization.</li><li>The program will help internal audit identify and recommend process improvements to its clients.</li><li>The program will be perceived as a resource for developing the organization's analytic efforts.</li><li>The program will help internal audit review key financial transactions for signs of fraud, misuse, or abuse.</li><li>The program will focus on detective controls to support anti-fraud efforts.</li><li>The program will inform internal audit's risk assessment process and help the department prioritize future projects.</li><li>Analytics will monitor performance across the organization.</li><li>The program will help internal audit identify changes in performance by a set of specific processes.</li><li>The program will predict changes in performance by specific processes before they affect production.</li></ul><p>Reviewing any two of these objective statements reveals how small variations in the program's intent would have large impacts on its design and goals. That intent frames who should be involved in the program, what results should be expected, when they should be expected, and how they will be derived. This also reveals why analytic programs from different organizations can be successful while having different designs and obtaining different results. The program's objective results are unique based on what the department wants from it, and these will evolve over time.</p><h2>Can You Have Everything?</h2><p>What happens when internal audit wants its analytics program to meet all of these objectives? In that case, auditors should keep in mind that internal audit's objectives can evolve and the department can run parallel efforts with different emphases. 
However, as with any job function, the "true North" has to be clear and well-aligned between those doing the work and those asking for the work to happen.</p><p>What if internal audit wants it all anyway? Then internal audit must choose to start somewhere, keeping in mind the Cheshire Cat's advice to Alice when she asked for directions: If you don't know where you are going, then all roads are just as good — or just as bad. </p><p>That said, if internal audit takes a couple of steps on each road and then changes its mind, it will spend money and time to essentially remain where it started. Hopefully, the department will learn from each road taken to help it assess its eventual direction, as long as "exploring" is the program's intent.</p><p>To avoid taking the wrong road, internal audit should consider what success would look like before it commits resources to the program. That clarity will give the department a better idea of how to design and pursue the program, including who to make responsible, how much time and budget to allocate to the program, who else should be involved, and where the effort will be housed.</p><h2>How Do You Know When the Program Is Working? </h2><p>A good indication that the program is working is when the department is able to assess whether a proposed new analytic would be a good fit for the program. By understanding how the program fits within the organization and what the department is trying to achieve, internal audit can evaluate whether an idea is worth pursuing, should be referred to someone else, or would be best saved for later.</p><p>The program approach is the most important step on the analytics journey. Once internal audit understands what it wants from its analytics program, it has a real chance of tracing its progress and achieving its objectives. </p>Francisco Aristiguieta
Bringing Clarity to the Foggy World of AI<p>In unveiling the U.S. government’s updated National Artificial Intelligence (AI) Research and Development Strategic Plan last June, U.S. Chief Technology Officer Michael Kratsios framed the reality many organizations face with AI. “The landscape for AI research and development (R&D) is becoming increasingly complex,” Kratsios said, noting the rapid advances in AI and growth in AI investments by companies, governments, and universities. “The federal government must therefore continually reevaluate its priorities for AI R&D investments to ensure that investments continue to advance the cutting edge of the field and are not duplicative of industry investments.”</p><p>Organizations are indeed investing in AI. About one-third of companies in Deloitte’s most-recent State of AI in the Enterprise survey said they were spending $5 million or more on AI technologies in fiscal year 2018. Moreover, 90% expected their level of investment to grow in 2019. These investments are occurring across all facets of business, from production and supply chain to security, finance, marketing, customer service, and internal audit. </p><p>With so much money on the line, organizations must invest the right resources in the right places to capitalize on AI. But with the technology evolving rapidly, it’s not clear how they can accurately assess AI-related risks and ensure that projects are consistent with the organization’s mission, culture, and technology strategy. In this sometimes-foggy environment, internal audit can be a valuable ally by focusing on whether the organization has a sound AI strategy and the robust governance needed to execute that strategy.</p><h3>Defining AI</h3><p>The definition of <em>artificial intelligence</em> is somewhat ambiguous. 
There is not universal agreement about what AI is and what types of technologies should be considered AI, so it’s not always clear which technologies should be in scope for internal audits.</p><p>Technologies that fall into the realm of AI include deep learning, machine learning, image recognition, natural language processing, cognitive computing, intelligence amplification, cognitive augmentation, machine augmented intelligence, and augmented intelligence. Additionally, some people include robotic process automation (RPA) under AI because of its ability to execute complex algorithms. However, RPA is not AI because bot functions must adhere strictly to predetermined rules.</p><p>When considering which technologies fall under the umbrella of AI for internal audit purposes, it is important to understand how the organization defines it. For that reason, ISACA’s Auditing Artificial Intelligence guide recommends auditors communicate proactively with stakeholders to answer the question, “What does the organization mean when it says ‘AI?’” This alignment can help auditors manage stakeholder expectations about the audit process for AI. Moreover, it may tell auditors whether the organization’s definition of AI is broad enough — or narrow enough — for it to perceive risk in the marketplace.  </p><h3>Start With Strategy</h3><p>However the organization defines AI, most guidance agrees that internal audit should focus its audits on the organization’s AI strategy and governance. Without a clearly articulated and regularly reviewed strategy, investments in AI capability will yield disappointing results. Worse, they could result in financial and reputational damage to the organization. Internal audit should confirm the existence of a documented AI strategy and assess its strength based on these considerations:</p><ul><li><em>Does the strategy clearly express the intended result of AI activities? 
</em>The strategy should describe a future state for the business and how AI is expected to help reach it, as opposed to AI being viewed as an end unto itself.</li><li><em>Was it developed collaboratively between business and technology leaders?</em> To provide value, AI endeavors must align business needs and technological capability. Auditors should verify whether a diverse group of stakeholders are providing input.</li><li><em>Is it consistent and compatible with the organization’s mission, values, and culture?</em> With expanding use of AI comes new ethical concerns such as data privacy. Auditors should look for evidence that the organization has considered whether planned AI uses are consistent with what the organization should be doing. </li><li><em>Does it consider the supporting competencies needed to leverage AI?</em> Successfully implementing AI requires support and expertise around IT, data governance, cybersecurity, and more. These areas should be factored into the organization’s AI strategy. </li><li><em>Is it adaptable?</em> While the cadence will vary by organization, key stakeholders should review the AI strategy periodically to confirm its viability and to ensure it accounts for emerging threats and opportunities.</li></ul><p>Organizations need their internal audit departments to ask these types of questions, not just once, but repeatedly. Research shows that organizations want their internal audit departments to be more forward-looking and provide more value in assessing strategic risks. Regarding supporting competencies, board members and C-level leaders are most concerned that their existing operations and infrastructure cannot adjust to meet performance expectations among “born digital” competitors, according to Protiviti’s Executive Perspectives on Top Risks 2019 report. As such, internal auditors can provide assurance that the organization’s AI strategy is appropriate and can be carried out realistically. 
</p><h3>Pay Attention to Data Governance</h3><p>As with any other major system, organizations need to establish governance structures for AI initiatives to ensure there is appropriate control and accountability. Such structures can help the organization determine whether AI projects are performing as expected and accomplishing their objectives. The problem is that it’s not yet clear what AI governance looks like. </p><p>According to a 2018 Internal Audit Foundation report, Artificial Intelligence: The Data Below, “There is not a template to follow to manage AI governance; the playbook has yet to be written.” Even so, the report advises internal auditors to assess the care business leaders have taken “to develop a robust governance structure in support of these applications.” That exploration should start with the data. </p><p>Big data forms the foundation of AI capability, so internal audit should pay special attention to the organization’s data governance structure. Auditors should understand how the organization ensures that its data infrastructure has the capacity to accommodate the size and complexity of AI activity set forth in the AI strategy. At the same time, auditors should review how the organization manages risks to data quality and consistency, including controls around data collection, access rights, retention, taxonomy (naming), and editing and processing rules. They also should consider security, cyber resiliency, and business continuity, and assess the organization’s preparedness to handle threats to the accuracy, completeness, and availability of data.</p><p>AI value and performance also depend on the quality and accuracy of the algorithms that define the processes that AI performs on big data. Documented methodologies for algorithm development, as well as quality controls, must be in place to ensure these algorithms are written correctly, are free from bias, and use data appropriately. 
Moreover, internal audit should understand how the organization validates AI system decisions and evaluate whether the organization could defend those decisions.</p><p>In addition to governance around data and AI algorithms, internal audit should examine governance structures to determine whether:</p><ul><li>Accountability, responsibility, and oversight are clearly established.</li><li>Policies and procedures are documented and are being followed.</li><li>Those with AI responsibilities have the necessary skills and expertise.</li><li>AI activities and related decisions and actions are consistent with the organization’s values, and ethical, social, and legal responsibilities.</li><li>Third-party risk management procedures are being performed around any vendors.</li></ul><h3>AI Gains Momentum</h3><p>AI poses challenges that make auditing it daunting for many internal audit functions. To audit the technology effectively, internal audit functions must have or acquire sufficient resources, knowledge, and skills. That doesn’t mean they need expert-level knowledge on staff, though. </p><p>Obtaining these capabilities has proved to be challenging. According to The IIA’s 2018 North American Pulse of Internal Audit, 78% of respondent chief audit executives indicated it was very difficult to recruit individuals with data mining and analytics skills. Nevertheless, the internal audit function should work to steadily increase its AI expertise through training and talent recruitment.</p><p>However, success in auditing AI does not depend directly on technical expertise. Instead, auditors must be able to assess strategy, governance, risk, and process quality — all things they can bring from an independent, cross-departmental point of view. </p><p>The sooner internal auditors do this, the better, because AI, in all its various forms, is gaining momentum. Soon, it will be difficult to find an area of the business that does not leverage it in some way. 
And although the constantly evolving technologies and risks can be dizzying, internal audit can provide sound assurance that the organization is pointing its AI investments in the right direction. </p>Kevin Alvero
Privacy Law Puts California Consumers in Control<p>Maybe you've seen the "don't sell my data" buttons popping up on websites lately. If you live in California, you may have noticed similar signs in retail stores. They are harbingers of businesses scrambling to comply with California's new data privacy law.</p><p>The California Consumer Privacy Act (CCPA) went into effect on Jan. 1, and already it's become a mad rush. The state will start enforcing the law on July 1, but there are no rules yet. And initial compliance costs could top $55 billion, according to an economic assessment compiled for California's attorney general by Berkeley Economic Advising and Research LLC (see "CCPA and Data Privacy Resources" below right).</p><p>The CCPA is a response to a litany of data privacy breaches and concerns over how Facebook, Google, and online marketers are compiling, using, and selling consumer data. In a recent <a href="" target="_blank">Pew Research Center study</a>, 81% of respondents say they have no control over the personal data companies collect on them.</p><p>The CCPA is about giving consumers that control. Under the law, California residents have the right to:</p><ul><li>Know how organizations use their data.</li><li>Request that their data be deleted.</li><li>Opt out of having their data collected, shared, and sold.</li></ul><p>"Americans should not have to give up their digital privacy to live and thrive in this digital age," California Attorney General Xavier Becerra said in October at <a href="" target="_blank">a press conference</a> announcing draft regulations for the CCPA.</p><h2>Doing Business With California Residents</h2><p>The CCPA follows on the European Union's (EU's) General Data Privacy Regulation (GDPR), in effect since May 2018. 
Just as GDPR covers all EU residents, the CCPA applies to any organization that does business with California residents, even if the organization is located out of state. Organizations are subject to the law if they meet one of three conditions:</p><ul><li>Generate more than $25 million in annual revenue.</li><li>Buy, sell, or share the personal information of 50,000 or more California consumers, households, or devices.</li><li>Derive at least half of their revenue from selling consumers' personal information.</li></ul><p>Although GDPR and the CCPA are similar, one area of difference is penalties. Under GDPR, regulators can fine organizations up to 4% of annual revenue for data privacy violations. With the CCPA, fines are $2,500 per nonintentional violation and $7,500 per intentional violation. </p><p>Because each person affected counts as a violation, those amounts can multiply quickly when hundreds of thousands of California residents' data may be involved. Further, the CCPA allows individuals to sue for damages if their data is disclosed.</p><h2>Data Collectors Are Most at Risk</h2><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>CCPA and Data Privacy Resources</strong> </p><p><em>CCPA</em><br></p><p>California Attorney General's Office, <a href="" target="_blank"> <span class="ms-rteThemeForeColor-1-0">Standardized Regulatory Assessment: California Consumer Privacy Act of 2018 Regulations</span></a> (PDF). 
</p><p>California Attorney General's Office, <a href="" target="_blank"> <span class="ms-rteThemeForeColor-1-0">California Consumer Privacy Act Regulations: Proposed Text of Regulations</span></a> (PDF).</p><p>BakerHostetler LLP and Practical Law, <a href="" target="_blank"> <span class="ms-rteThemeForeColor-1-0">CCPA and GDPR Comparison Chart</span></a> (PDF).</p><p>International Association of Privacy Professionals, <a href="" target="_blank"> <span class="ms-rteThemeForeColor-1-0">U.S. State Comprehensive Privacy Law Comparison</span></a>.</p><p>TrustArc, <a href="" target="_blank"> <span class="ms-rteThemeForeColor-1-0">Essential Guide to the CCPA</span></a> (PDF).</p><p><em>Data Privacy</em><br></p><p><em>IIA Bulletin</em>, <a href="" target="_blank"><span class="ms-rteThemeForeColor-1-0">International Data Privacy Day</span></a> (PDF).</p><p>U.S. National Institute of Standards and Technology, <a href="" target="_blank"> <span class="ms-rteThemeForeColor-1-0">NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management</span></a> (PDF). </p></td></tr></tbody></table><p>Organizations most likely to be impacted by the CCPA are those that collect and sell massive amounts of consumer data. At the top of that list are the big digital marketing and advertising companies. </p><p>Because consumers have to opt out of such collection under the CCPA, the law may not affect these companies' practices as much as GDPR did, according to Lauren Fisher, principal analyst at eMarketer in New York. That's because GDPR required consumers to opt in to data collection. "Marketers failing to uphold practices that make consumers feel comfortable with sharing data are likely to feel the effects," she explained in a <a href="" target="_blank">July 2019 eMarketer article</a>.</p><p>But it's not just the big marketers. Any company with lots of data on consumers — big companies, internet companies, and online retailers especially — is at risk. 
And the more consumer records they have, the bigger the risk, says Chris Babel, CEO of San Francisco-based TrustArc, which provides data privacy compliance technology. </p><p>Babel says many large global companies have to comply with GDPR, so they've had a head start on compliance, despite the differences in the two laws. But many big companies with lots of consumer data weren't impacted by GDPR because they don't do business outside the U.S. Take utility companies with their huge customer bases, for example. "They don't have more risks, but they have less time," to prepare for CCPA compliance, Babel says.</p><h2>Viewing Data From a Privacy Perspective</h2><p>The CCPA "requires businesses to fundamentally understand their data on a different level than they've ever had to before," Babel says. Typically, businesses have looked at data from a security standpoint, he explains. Their focus is on the point where the data is collected, whether it's encrypted, and where it's stored. </p><p>Babel says organizations need to look at data from a privacy perspective that considers what the data includes, how it is used, and where it flows — both within and beyond the business. That's far more complicated.</p><p>For starters, different businesses store data in different ways. One company might have lots of data but store it in a single database. Another company could have fewer records but spread them across hundreds of databases, Babel explains.</p><p>The next concern is what happens when a consumer requests to see his or her data, or asks the business to delete or stop selling it. According to the draft rules, organizations have 45 days to comply with such requests. During that time, the business must validate that the person is who he or she claims to be, locate the person's data, and comply with the request.</p><p>But that's just the data that resides within the organization. 
Babel says the CCPA presents substantial vendor management consequences because organizations are responsible for all the data they sell or share with other businesses. That means an organization responding to a consumer request also must contact any other organization with which it shared or sold that information so they can comply, as well.</p><p>"When you start peeling that back, layer by layer, it gets more complicated than most companies think," Babel says.</p><h2>The Drumbeat of Regulation</h2><p>But peel back the layers they must, because the drumbeat for consumer privacy protection doesn't stop with California. A similar law went into effect in Nevada in October 2019. Ten other U.S. states are currently considering consumer data privacy laws, according to the International Association of Privacy Professionals.</p><p>California's law isn't finished rolling out yet. In addition to finalizing new rules — the public comments period ended in December — there are business-to-business and employee data aspects that take effect in January 2021.</p><p>And just because California's rules aren't final, it doesn't mean organizations are off the hook. Attorney General Becerra <a href="" target="_blank">told Reuters</a> this month he will make an example of businesses that don't make efforts to comply, "to show that if you don't do it the right way, this is what is going to happen to you." </p>Tim McCollum