Beneath the Data<p>Big data can tell unexpected stories: The chief financial officer who had a conflict of interest with a supplier to whom he had awarded a multimillion-dollar contract. The two employees who provided their company-supplied fuel cards to family members to refuel their personal vehicles. The executive who had an affair with a union official during wage negotiations. </p><p>Internal auditors never could have discovered such wrongdoing through traditional audit sampling, walk-throughs, or reliance on the representations of management. They were only found by using business intelligence tools to mine data sources that are now routinely available.</p><h2>Business Intelligence for Auditors</h2><p>Audits typically entail inquiries of management, walk-throughs, and transaction sampling as a basis for statistically inferring the effectiveness of each internal control attribute under review. To be generalizable within a given confidence interval, transaction samples need to be both large and randomized to represent the entire population. In doing so, internal auditors usually presume that the population conforms to a normal bell curve. This brings with it the risk that if the sample is too small, the tests are performed with insufficient care, or the population is skewed differently from a normal bell curve, the auditor may form the wrong conclusions about the control’s true characteristics. If the population contains any erroneous or fraudulent transactions, it is unlikely they will turn up in a walk-through or random sample. </p><p>Today’s self-service business intelligence tools expand internal audit’s toolkit from mere questionnaires and sampling to mining entire data populations. These tools make it easier for auditors to mine data for errors such as anomalous transactions and fraudulent data correlations (see “Mining for Errors” below). 
In this way, auditors can pinpoint actual error, fraud, and cost savings that demand action.</p><p><img src="/2019/PublishingImages/Kelly-Mining%20for%20Errors.jpg" alt="" style="margin:5px;" /><br></p><p>Beyond financial transactions, auditors can use business intelligence tools to access newly available data sources such as telecommunications, email, internet usage, road tolls, time sheets, maintenance schedules, security incident logs, clocking on/off, and electronic point-of-sale transactions. Previously, many of these sources either were not auditable or were stored as manual records. Business intelligence tools open the door to a variety of audits.</p><p><strong>Inventory</strong> For many organizations, inventory is a complex and poorly understood process. Organizations record movements in cash, debtors, and creditors within their financial systems. Yet, inventory data easily can get out of step with the physical daily movement of thousands of nonhomogeneous goods. Inventory is vulnerable to receipting errors, barcode misreads, obsolescence, rot, and shrinkage. </p><p>Things often go wrong in inventory, and audits often have revealed downside errors of 10 percent of inventory value. Therefore, internal audit could focus on ensuring quantity and description data matches physical reality through accurate goods receipting into the accounting system, precise sales capture, and reliable stock-taking. Once inventory data reflects the physical goods on hand, data mining can assist with identifying: </p><p></p><ul><li>Slow-moving and excessive inventory build-up. </li><li>Book-to-physical adjustments pointing to shrinkage or theft by location. </li><li>Refundable stock that can be returned to suppliers. </li><li>Stock-outs where the organization lost sales because of insufficient demand analysis. </li><li>Negative quantities revealing goods receipting or similar process errors. 
</li></ul><p><br></p><p>This kind of audit analysis demonstrates the informational value of having accurate inventory data. Such information can lead the organization to prioritize which inventory processes most need fixing.</p><p><strong>Supply Chain</strong> Organizations need to know supplier agreements do not conceal undeclared conflicts of interest and suppliers are paid no more than their contractual entitlements. Even small organizations process thousands of supplier payments daily, so errors are likely. Data mining can include: </p><p></p><ul><li>Matching supplier master data such as bank account numbers, addresses, and telephone numbers to employee and next-of-kin master data for unexpected relationships. </li><li>Isolation of purchase orders or payments just below authorization thresholds. </li><li>Erroneous duplicate invoice payments because of optical character recognition or human error when entering invoice references such as mis-entry of “I” instead of “1,” or “S” instead of “5,” or “/” instead of “\.” </li><li>Historic credit notes that have never been offset against subsequent payments and remain recoverable from suppliers. </li></ul><p><br></p><p>Audits using these tests have experientially revealed an average of 0.1 percent in errors, which enabled organizations to recover cash refunds from suppliers. Auditing over several prior years can result in material financial recoveries. <br></p><p><strong>Payroll</strong> For most organizations, payroll is the largest single cost. The board and audit committee need to know overpaying or underpaying employees is minimized. Payroll data mining can include comparing hours paid to hours actually worked by matching sick leave and holiday to other time- and location-stamped data such as building entry/exit data, cell phone metadata, and email data. In doing this, internal auditors can present management with compelling evidence that supports corrective action. 
Moreover, previous audits have uncovered savings of about 1 percent of total payroll cost from: </p><p></p><ul><li>Claiming fictional hours on time sheets. </li><li>Falsely claiming to be working at home or on paid sick leave. </li><li>Missing scheduled training. </li><li>Finding repetitive patterns of fictitious sick leave taken on Mondays, Fridays, and the day before or after public holidays. </li></ul><p><br><strong>Company Motor Vehicles</strong> Auditors can mine data gathered from vehicles, including road tolls, refueling, traffic penalties, and insurance claims. This jigsaw puzzle of data can show auditors how vehicles are being used for business purposes, possible abuse of vehicles, and drivers with poor driving histories that result in unnecessary cost. This data can be obtained from external motor fleet providers and insurers. Such audits can recover around 5 percent of fleet costs.</p><p><strong>Metadata</strong> While the content of company-issued cell phone calls and text messages is confidential, the accompanying nonconfidential metadata includes called numbers, durations, date and time stamps, and base station geographical locations. Auditors can discern employee activity, interconnections, and external relationships during work hours or while on paid sick leave by matching this metadata to other sources such as the organization’s telephone list and employee and supplier master files. Internet usage metadata provides similar insights. These data sources can help when investigating white collar conflicts of interest and fraud. </p><p>These are just a few areas where business intelligence opens new portholes. Partnering with the chief information officer can help internal audit access the organization’s databases. Once access is granted, auditors can use business intelligence tools with minimal assistance. </p><h2>Getting Started</h2><p>With business intelligence, auditors are no longer constrained by Microsoft Excel’s 1,048,576 row limit. 
Excel 2016 includes built-in business intelligence tools, Power Query and Power Pivot. Power Query is an extract, transform, and load (ETL) tool that reads source data and makes it available for Power Pivot for data modeling. This source data typically comes from comma- or tab-separated outputs from other systems. Auditors can access Power Query under Excel 2016’s Data ribbon, where it is also known as Get Data and, once opened, Query Editor.</p><p>Power Query and Power Pivot have formula languages that allow users to create new data columns specific to their own unique needs. Power Query uses M formula language and Power Pivot uses Data Access Expressions (DAX). Both languages differ from Excel formulas. Whereas Excel formulas are not case sensitive and usually do not distinguish among string, date, and numeric data types, M and DAX are sensitive to both text case and data type. This distinction is important when manipulating data and performing calculations. </p><p>Once internal auditors have loaded and edited the raw data down to only the needed columns in Power Query, they can add each table to the Power Pivot data model under the “Add to data model” option. Auditors can then access Power Pivot from Excel under “Manage data model.” From there, they can use the “Diagram view” to link tables such as transaction files keyed to their corresponding master files. The data model can handle multiple external data sources as well as normal Excel tables. This capability allows auditors to create multidimensional relational databases rather than two-dimensional flat files. </p><p>Power Pivot enables auditors to annotate the relational databases retrieved in Power Query with unique columns and measures specific to audit needs, which can be analyzed using Excel’s pivot tables. “Applying Business Intelligence Using Benford’s Law” at the bottom of the page illustrates how Power Query, M, Power Pivot, and Excel can work together to search for irregularities. 
</p><h2>Data Cleansing</h2><p>Data files usually need to be cleansed before analysis. That is because over time, original source data is input by a variety of users whose training and attention to accuracy may be inconsistent. Some fields may hold invalid data as a result of being migrated from different systems or different versions of the same system. Moreover, stack overflow and other error types may lurk in historic data, the text files may have misaligned some fields, and records may be broken across two or more rows. </p><p>Comma-separated text files can present extra cleansing problems if users have input commas into individual fields. For example, “Kelly & Yang, Inc” would translate into two separate fields because of the comma, whereas “Kelly & Yang Inc” would translate into one field. </p><p>ETL tools will attempt to read all transactions from the raw data files. But if the tool encounters errors, it may exclude them from the upload, resulting in loss of data that dilutes the objective of testing the entire population. If time allows, the auditor may cleanse the text files field-by-field in a spreadsheet or word processor by rejoining broken records, recalibrating misaligned fields, trimming stray characters or spaces, replacing known error values with blanks or zeros, and converting dates stored as text to real dates. </p><p>Further cleansing may be required if source files are fragmented across different years or subsidiaries and need to be joined into a single table, or if source files are tabulated differently from how internal audit wants to use them. In the first case, Power Query can append files into a single data source provided the field headings are identical. In the second case, auditors can untabulate inappropriately tabulated source files back into a single column of data using Power Query’s Unpivot command.</p><p>Internal auditors should keep a record of data cleansing actions in case future rework is required. 
Any updates to source data made in Power Query will need to be refreshed in the Power Pivot data model as well as in dependent pivot tables. </p><h2>Efficient Queries</h2><p>Business intelligence tools are faster than previous versions of Excel, but internal auditors still need to be mindful of formula efficiency. If the auditor tries to add a new calculated field to a data model that requires a row-by-row lookup of each element in a two-million-row database, that could easily result in two million x two million = four trillion separate lookups. </p><p>Even with software, four trillion lookups could take several hours. Auditors can increase query efficiency by indexing, compartmentalizing a large query with efficient calculated fields, and filtering out unwanted columns or transactions that are blank or below a given materiality threshold. </p><h2>Securing Data</h2><p>To avoid internal audit being the source of a leak, or to limit the damage if the unthinkable occurs, auditors should take care with data. Auditors can exclude fields that identify living individuals, home addresses, or bank account numbers from downloads or replace them with codes such as an employee number instead of a name. They should be cautious when transmitting data to ensure USB drives are secure and electronic data is not emailed to unintended recipients. Auditors should check recipient email addresses before hitting “send.” Password protection and encryption should be used when practical. As auditors only need to work on copy data — rather than live data — they usually can destroy their version and wipe USB drives after the audit is completed. </p><h2>Original Insights</h2><p>Business intelligence tools unlock new ways to audit. With only a little new learning, business intelligence tools can expand internal audit’s adventures into new pools of financial and operational data that may reveal risk and control insights. 
Moreover, because even the most innocuous transactions leave data trails, imaginative analysis can uncover errors, fraud, and cost savings that transform audit reports into compelling reading for executives and the board.</p><p><img src="/2019/PublishingImages/Kelly-Applying-BI-Using-Benfords-Law_web.jpg" alt="" style="margin:5px;" /><br></p>Christopher Kelly
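<p>Added example, not part of the original article or of any tool it describes: a Python version of three of the supply-chain tests listed under “Supply Chain” (duplicate invoices hidden by I/1, S/5 and /\ mis-entry, payments just below an authorization threshold, and supplier bank accounts that match employee master data), reading the extract with a CSV parser that honours quoted commas such as “Kelly &amp; Yang, Inc”. The sample rows, column names, the 10,000 threshold and the 1 percent margin are constructed assumptions.</p>

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed sample extracts (not real data). The quoted supplier name holds
# a comma: a naive split(",") would push every later field one column right.
PAYMENTS_CSV = r"""payment_id,supplier,invoice_ref,amount,bank_account
P001,"Kelly & Yang, Inc",INV/2019/0151,4200.00,11-2233-445566
P002,"Kelly & Yang, Inc",INV\2019\015I,4200.00,11-2233-445566
P003,Acme Fuel Ltd,AF-5501,9990.00,22-9000-111222
P004,Acme Fuel Ltd,AF-5502,1250.00,22-9000-111222
P005,Northside Repairs,NR-77,9950.00,33-1200-777888
"""

EMPLOYEES_CSV = """employee_id,name,bank_account
E100,A. Example,33 1200 777888
E101,B. Sample,44-0000-000000
"""

# Character confusions named in the article: "I" for "1", "S" for "5",
# and "\" for "/". Both sides of each pair collapse to one canonical form.
CONFUSABLE = str.maketrans({"I": "1", "S": "5", "\\": "/"})


def load(text):
    """Parse a CSV extract into dict rows; quoted commas stay in one field."""
    return list(csv.DictReader(io.StringIO(text)))


def normalise_ref(ref):
    """Canonical invoice reference used only for comparison, never for display."""
    return ref.upper().replace(" ", "").translate(CONFUSABLE)


def digits_only(value):
    """Strip spaces, dashes and other formatting from an account number."""
    return "".join(ch for ch in value if ch.isdigit())


def duplicate_payments(payments):
    """Payments to the same supplier for the same amount whose invoice
    references are identical once the confusable characters are collapsed."""
    groups = defaultdict(list)
    for p in payments:
        key = (p["supplier"], normalise_ref(p["invoice_ref"]), Decimal(p["amount"]))
        groups[key].append(p["payment_id"])
    return sorted(ids for ids in groups.values() if len(ids) > 1)


def just_below_threshold(payments, threshold, margin=Decimal("0.01")):
    """Payments inside the band [threshold * (1 - margin), threshold)."""
    floor = threshold * (1 - margin)
    return [p["payment_id"] for p in payments
            if floor <= Decimal(p["amount"]) < threshold]


def supplier_employee_links(payments, employees):
    """Suppliers paid into a bank account that also appears in employee
    master data. The dict is an index: one pass over each file instead of
    comparing every payment row with every employee row."""
    by_account = {}
    for e in employees:
        acct = digits_only(e["bank_account"])
        if acct:  # blank accounts must never match each other
            by_account[acct] = e["employee_id"]
    links = set()
    for p in payments:
        emp = by_account.get(digits_only(p["bank_account"]))
        if emp:
            links.add((p["supplier"], emp))
    return sorted(links)


if __name__ == "__main__":
    payments = load(PAYMENTS_CSV)
    employees = load(EMPLOYEES_CSV)
    print("Possible duplicate payments:", duplicate_payments(payments))
    print("Just below threshold:", just_below_threshold(payments, Decimal("10000")))
    print("Supplier/employee links:", supplier_employee_links(payments, employees))
```

<p>Each hit is a lead for follow-up, not a finding: a shared bank account or a near-threshold amount can have a legitimate explanation.</p>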
GAM 2019: Disruption’s Internal Audit Impact<p style="text-align:left;">New technologies can expand internal audit's capabilities, said panelists at this morning's opening general session of The IIA's General Audit Management Conference in Dallas. The session moderated by Harold Silverman, IIA managing director, CAE Solutions, featured panelists Brian Foster, general manager, Internal Audit at Microsoft Corp.; Stephen Mills, managing director at Promontory Financial Group; and Christa Steele, owner of <span>ChristaSteele</span><span>.</span><span>com</span>. </p><p style="text-align:left;">Foster listed the technologies and tools that internal audit should be using today to prepare for tomorrow, including:</p><ul><li>Collaboration tools.</li><li>Data tools and metrics.</li><li>Deep data analytics.</li><li>Automation.</li><li>Predictive tools.</li><li>Natural language processing.</li><li>A defined artificial intelligence (AI) audit framework.</li></ul><p style="text-align:left;"><br></p><p style="text-align:left;">He said internal audit should be building capabilities such as: </p><ul><li>Business acumen.</li><li>Trusted advisor. </li><li>Collaboration.</li><li>Growth mindset.</li><li>Technical insights — using technology to drive predictive analysis.</li><li>Data-driven storytelling.</li><li>Point of view — customer obsessed.</li></ul><p style="text-align:left;"><br></p><p style="text-align:left;">"If we can move away from tasks and more toward insights, we're going to be better off," Foster said. If internal audit evolves, he noted, it will not only remain relevant, it will also become a strategic partner. </p><p style="text-align:left;">In his presentation, Mills told the audience, "Potential capabilities are rapidly evolving even as we speak in terms of their usage and applications." He referenced robotic process automation, cognitive automation, and AI. 
</p><p style="text-align:left;">"It's very much about an audit management challenge," Mills said. It's a call to action for senior leaders about how they are going to use these tools in their organizations. There are not enough internal auditors with the skills to get the best value out of these tools, he added. CAEs need to hire the right people. </p><p style="text-align:left;">Mills went on to say that because The IIA's Certified Internal Auditor certification is the skill-based qualification of the internal audit profession, "As we move forward, it's going to increasingly be the qualification that identifies you as an expert in this [disruptive] field."</p><p style="text-align:left;">Steele told the audience it's time to move beyond just being educated on these new technologies to implementation. She added that the line between audit and risk functions is blurring. Internal audit needs to step up. "If you're not forcing a discussion in the boardroom on what's outside the norm, you're failing the organization," she said. </p><p style="text-align:left;">Steele encouraged the audience to be willing to be vulnerable and candid when they're talking about what they're auditing versus what they should be auditing. And, "Go beyond typical reporting," she urged. "Interpret, predict, prevent."</p><p style="text-align:left;">Steele concluded by telling the audience, "Don't just take the direction; set the direction."</p>Anne Millage
GAM 2019: Innovations and Impact<p>Shivvy Jervis, an award-winning innovation futurist, advisor, and broadcaster, opened GAM 2019 with her session, Future Innovations With Big Impact: What's Leading the Charge?</p><p>Jervis told the audience futurism is "not about wild guess work or lofty claims." Rather, it is rooted in rigorous research, and humanity must be a part of the equation. "Technology is dead in the water if it doesn't augment human experiences," she noted.<br></p><p>Jervis said there have been three striking shifts in innovation: </p><ul><li>New advances engineering our needs in a built stage vs. retrofit.<br></li><li>Radical customization and hyper personalization.<br></li><li>Software focused on preempting consumer/client needs.</li></ul><div><br></div><p>Jervis discussed a series of areas highlighting the current and future state of innovations.<br></p><p><strong>Emotive AI</strong>: matches computational ability of advanced algorithms with interfaces that read and respond to human emotion. Meet the digital human — already being used in organizations. The user activates the avatar from a device. It perceives and acknowledges the user's mood. The user asks for the information he or she needs. The digital human mines its database and finds the information rapidly. Jervis says it is an always-on customer service tool. <br></p><p><strong>Data Science</strong>: More powerful than traditional analytics, predictive analytic tools sort through data to predict trends. Users who aren't finding the value in these tools either aren't asking the right questions or need more advanced tools, Jervis said.<br></p><p><strong>Mixed Reality:</strong> experiences or visualizations. Physical and digital objects coexist and interact in real time. The next generation of mixed reality will infuse actual touch in a virtual world. 
Mixed reality is already being used in defense planning and soldier training, improving surgical outcomes, engineering, and manufacturing. <br></p><p><strong>Immersive Reality:</strong> bringing collateral to life. Physical surfaces around consumers will be hives of content, she explained.<br></p><p><strong>Digital Identity:</strong> According to Jervis, 3.3 billion records were stolen last year, with 42 percent of security breaches stemming from within the organization. Fingerprints and facial ID can already be hacked, she explained, adding that organizations are shifting from first-generation identity security to second-generation biometrics. So what are these new biometrics?</p><ul><li>Vein or vascular ID — subdermal vein patterns under skin (vs. fingerprinting).<br></li><li>Heartbeat ID or cardiac biometrics — everyone has a unique heartbeat pattern.</li></ul><div><br></div><p>"In the future, might we need just one portable sensor that can always prove our identity?" Jervis asked the audience. She said we will likely see that type of sensor first in the B2B sector, and then it will roll out to consumers. <br></p><p>So how should organizations approach innovation? Jervis says: </p><ul><li>Bring in the mavericks.<br></li><li>Celebrate failure.<br></li><li>Make it inclusive (bet on people, not just strategies and blueprint innovation across organization).<br></li><li>Don't forget about brand perception.<br></li><li>Be nimble and agile. <br><br></li></ul><p>Jervis ended her session with some examples of jobs of the future: </p><ul><li>Head of organizational disruption.<br></li><li>Tech ethicist.<br></li><li>Head of immersive workplace.<br></li><li>Space physician.<br></li><li>Chief trust officer.<br></li><li>Robot–human interaction counsellor.</li></ul><div><br></div><p>"We simply want a future that works," she concluded. <br></p>Anne Millage
Data Is a Matter of Trust<p>Despite the hype, most organizations aren't relying on analytics to guide their decisions. Indeed, just 15 percent of more than 2,400 business leaders and managers surveyed say their organization uses advanced analytics, research by <em>MIT Sloan Management Review</em> Connections finds.</p><p>For many, the problem is trust — trust in the data and trust in its utility as a decision-making tool, according to the <a href="" target="_blank">Data, Analytics, & AI report</a>, sponsored by software firm SAS. Building that trust may require organizations to overcome two persistent gaps that are holding back analytics.</p><p>The first is a utility gap. Although three-fourths of respondents have greater access to "useful" data, only 43 percent say they frequently can leverage the data they need to make decisions. </p><p>That feeling that leaders don't have the "right data" on which to base decisions reveals a second gap: trust. Only 11 percent of respondents say they always trust the relevance of analytics data, while 12 percent always trust its timeliness. Less than 10 percent say they always trust its completeness and accuracy.</p><p>There is some hopeful news. More than two-fifths of respondents say they often trust the relevance, timeliness, and accuracy of analytics data. The downside is only about one-fourth say they often trust the data's completeness.</p><h2>Ensuring Quality</h2><p>Respondents say data quality efforts need improvement. Over two-fifths of respondents describe their data quality approach as informal. That means they reactively correct the data for accuracy, consistency, timeliness, and completeness. </p><p>"The worst place to fix the data is when it's already been collected," says Jeanne Ross, principal research scientist at the MIT Center for Information Systems Research in Cambridge, Mass., in the report. 
</p><p>One-fifth of respondents say their organization has a formal approach to data quality as part of data governance. This includes routine monitoring, managing, and improving data quality. </p><p>To improve data quality, Ross recommends organizations focus on the business process that gathers the data. That's easier said than done, she admits, but the effort is worth it. With analytics, "your unique opportunity is your own data," she explains.</p><p>It's going to take more money to get to that point, the study notes. Yet only 15 percent of respondents say their organization significantly increased funding of data quality efforts in the past year.</p><h2>Data at Risk</h2><p>Executives trusting the data is one thing, but customers have trust issues with the organizations collecting that data from them. "If customers and partners become reluctant to share data," the study points out, "the data-driven enterprise is at risk."</p><p>Most survey respondents have implemented a data breach response plan or plan to do so soon. Nearly half track where the organization stores data, and 43 percent have an updated list of sensitive data. Also, 44 percent train all employees on IT security risks and practices, while one-fifth are rolling out such training.</p><p>Many respondents' organizations also are adopting better cybersecurity practices. Nearly two-fifths use a recognized cybersecurity framework and another 15 percent are currently implementing one. Nearly half either have a chief information security officer or are creating that position. And some organizations are using analytics to protect data. </p><p>Privacy efforts aren't keeping up, though. About two-fifths of organizations currently notify customers about how their information is collected and shared, and have controls over how employees use that data. 
Conversely, 14 percent of respondents say their organization is not concerned about privacy.</p><h2>Taking the Lead</h2><p>Executive leadership is a common thread for organizations adopting data analytics. Most respondents say executives seek out data and use analytics in decision-making. However, leaders are less likely to prioritize analytics investments.</p><p>"One area where leadership might do more is analytics skills in the workforce," the study states. About two-fifths of respondents say lack of analytics skills inhibits innovation. </p><p>That may be changing, though, as about one-third are training or beginning to train staff in analytics skills. Moreover, the study points out that collaborations between analytics experts and business units can begin to transform the organization's culture to incorporate analytics. </p>Tim McCollum
Trusted for Technology<p>Technology is a key enabler of business value. Internal auditors must be able to verify that these processes provide the intended return on investment and that technology risk decisions and resources are optimized. Without the necessary skills, auditors may not deliver the value that the business expects of them. </p><p>Most technology auditors at Nordstrom are integrated auditors — technologists with business degrees and years of consulting firm experience. They work as peers to three other unofficial designations of auditors: operations, business intelligence, and compliance. </p><p>Nordstrom uses two metrics to determine whether its technology auditors are trusted advisors: whether clients return to request internal audit’s services and whether the audit recommendations result in business value. To provide valuable counsel, technology auditors need to understand the emerging technologies with which their business partners are working as well as developments such as DevOps, the Internet of Things, and serverless architecture. In learning to provide such advice, technology auditors focused on five areas. </p><h2>Cybersecurity and Privacy</h2><p>Most industries consider cybersecurity and privacy to be inherently high risks. As a company that relies on technology, Nordstrom has hired professionals with cybersecurity certifications to consult and audit how to optimize its risk posture.</p><p>In turn, technology auditors have interpreted and applied controls from security frameworks to Nordstrom’s new, cloud-based environment. Two frameworks auditors use are the International Organization for Standardization’s ISO 27002 — Information Technology–Security Techniques–Code of Practice for Information Security Controls and the U.S. National Institute of Standards and Technology Cybersecurity Framework.</p><p>Auditors translate the security requirements of these frameworks into the language the audit clients use. 
For example, application teams have adopted a DevOps structure whereby any member of the team can make changes to production code. Auditors explained to the team the potential for unauthorized code change and the requirements contained in the security standards. That helped team members realize they should implement logging and file-integrity monitoring linked to change tickets as a compensating control to ensure that unauthorized changes would be detected immediately. As teams learn about security risk and controls, they make more risk-optimized decisions. </p><h2>Technology Governance</h2><p>Nordstrom’s internal auditors rely on ISACA’s COBIT 5 framework to evaluate technology governance maturity on a repeatable basis. Auditors merged COBIT 5 and ISO standards to create a framework specific to Nordstrom as a basis for audits. This framework enables auditors and audit clients to see where their activities fit into the big picture. </p><p>Having a framework has enabled the department to partner operational auditors with technology auditors to perform integrated audits on nontechnical aspects of technology governance. In one review, auditors provided assurance that technology projects were delivering the value promised in the business case. The auditors on the integrated audit expanded their knowledge by covering tech strategy, enterprise architecture, and performance measurement. </p><h2>Data Science </h2><p>Nordstrom’s auditors have written more compelling audit reports by testing 100 percent of populations using data science techniques. To write such reports, all auditors are expected to have basic knowledge of Microsoft Excel, statistics, and data validation. Internal audit leverages data extraction tools to obtain data for use in creating impactful issue statements in reports. </p><p>Data science tools are especially useful when joining two or more data sets (see <a href="/2019/Pages/Beneath-the-Data.aspx">“Beneath the Data”</a>). 
In one project, internal audit extracted incident ticket information and linked it with information about problem tickets, root-cause analysis, and application IDs from multiple systems of record. To extract knowledge from these unique data sets, auditors used data visualization tools to tell the story of how well the company’s change-management controls were performing and if it was learning from the incidents. The client capitalized on the analysis to track how much progress was made since the report was delivered.</p><h2>Robotic Process Automation </h2><p>A recent development for Nordstrom’s internal auditors is the use of robotic process automation (RPA). Projects are advisory in nature and aligned with internal audit’s goal of identifying ways to reduce expense or work effort. Partnering with the company’s restaurant and tax divisions, auditors created robots to automate manual processes relevant to food and beverage licensing and entry of invoices. Through this automation, auditors reduced the clients’ payroll expenses. </p><p>Another example is the company’s user-access review and validation process. Auditors incorporated control owners’ control documentation into internal audit’s testing procedures and used RPA to test attributes. One test validated that users had their access revoked timely. RPA has enabled auditors to accomplish more testing within the same time frame.</p><h2>Communication</h2><p>Nordstrom’s technology auditors have focused on improving their verbal and written communication skills. To communicate effectively with the technology organization, the department’s IT audit director spent six months working directly for technology leaders before starting his role in internal audit. During this time, he learned those executives’ leadership and communication styles, which internal auditors now incorporate into their reports to increase their impact. 
</p><p>Auditors also have become persuasive communicators, effective negotiators, and great listeners. They have increased stakeholder buy-in by using data to buttress audit findings and action plans. Business partners now expect audit findings to be supported by data, even when the topic is difficult to quantify.</p><p>However, visualizing data is not required for all audit reports. Sometimes, visualizations cause the client to jump to assumptions without reading all the details. Some clients prefer to read the text instead. While audit reports should always focus on the most important risks and opportunities, auditors tailor the department’s report style to meet stakeholders’ desired format.</p><h2>Earning Trust</h2><p>To benefit the organization, internal audit needs to constantly develop staff members into trusted advisors and retain them. So far, Nordstrom’s efforts have: </p><ul><li>Increased risk-focused conversations led by leadership, resulting in more effective controls.<br></li><li>Led to a cultural shift to spend time building technology risk mitigation strategies. <br></li></ul><p><br>In the process, technology auditors have received high client satisfaction ratings as well as more requests from management to perform work. Moreover, management is more proactive in driving change about issues that auditors have identified, even before they receive audit reports. Once clients realize that an audit report can propel them faster toward achieving their objectives, they tend to become repeat clients and tell their peers throughout the organization. <br></p>Paul Slye
Full Speed Into the Future<p>As internal audit functions race to keep up with their organizations' artificial intelligence (AI) initiatives, two studies reveal current trends and where the technology is going.</p><p>AI research and development is picking up speed, notes the <a href="" target="_blank">AI Index 2018 Annual Report</a> (PDF), based on trend data from a variety of studies. Categories of greatest growth include machine learning and probabilistic reasoning, neural networks, and computer vision, according to an analysis of AI research papers. Most papers published in 2017 covered machine learning and probabilistic reasoning.</p><p>In the learning space, one of the biggest trends is language processing, according to a Stanford News Service <a href="" target="_blank">press release</a> about the AI Index. Most information on the internet is text, but AI struggles to learn the intricacies of human languages. Computer scientists are trying to improve AI's comprehension of written languages to "understand that treasure trove of information," says AI Index leader Yoav Shoham, professor of computer science, emeritus, at Stanford University's Human-Centered AI Initiative.</p><p>Shoham explains that AI has learned to solve "narrow" problems such as translating languages and keyword searches. The next step is teaching AI to put different pieces of information together to answer more complex questions.</p><p>In many ways, AI already has mastered some tasks such as identifying images — often better than people can do it, the index states. And AI is learning things much faster. For example, in about one year, the amount of time needed to train an AI network to classify pictures from the ImageNet database dropped from one hour to about 4 minutes.</p><p>Companies are ramping up efforts to exploit AI, as well, the index notes. In the U.S., the number of AI startups has more than doubled since 2015, according to Sand Hill Econometrics. 
</p><p>McKinsey & Co. notes widespread adoption of AI across industry sectors and business functions worldwide. Telecommunications, travel and logistics, and financial services are leading users of AI for service functions. High-tech and telecommunications exploit it for product development, while retail and telecommunications are the leading AI users for marketing and sales.</p><p>Whether any of these AI trends will benefit people is the focus of a new Pew Research Center study, <a href="" target="_blank">Artificial Intelligence and the Future of Humans</a>. The nearly 1,000 technology pioneers, innovators, business and policy leaders, researchers, and other respondents say networked AI may make people more effective. For example, they say computers could exceed human capabilities for complex decision-making, sophisticated analytics, and speech recognition and language translation. Moreover, smart systems could save time, money, and lives, they say. </p><p>Despite such potential benefits, these experts are concerned about the long-term effects that AI could have "on the essential elements of being human." Concerns include:</p><ul><li>Loss of personal control over people's lives as decision-making in digital life is increasingly performed by AI, with little input or knowledge of how AI works.</li><li>Data abuse and surveillance by systems designed for profit or to exercise power.</li><li>Job loss from AI taking over jobs, which could widen economic divides.</li><li>Dependence on AI that results in people losing cognitive, social, and survival skills.</li><li>Mayhem from AI-based weapons, cybercrime, and information.</li></ul><p> <br> </p><p>"Questions about privacy, speech, the right of assembly, and technological construction of personhood will re-emerge in this new AI context," says Sonia Katyal, co-director of the Berkeley Center for Law and Technology, in the Pew report. 
These factors may throw beliefs such as equality and opportunity for all into question, she notes.</p><p>Despite such concerns, 63 percent of respondents are hopeful that most people will be better off in 2030. Stanford's Shoham notes that AI is more likely to supplement people with smart technologies and automated processes than to replace their jobs. "Historically, technology has been a net job creator," he says. "It just changes the nature of the jobs." </p>Tim McCollum
Auditing Blockchain<p>Businesses and government agencies alike are pursuing blockchain’s promise of greater accuracy, transparency, and efficiency. Accounting firms are investing more than $3 billion a year on blockchain technology, while IBM predicts that two-thirds of all banks will have blockchain products by 2020. These organizations are attracted to blockchain’s ability to record relevant details of every transaction in a distributed network.</p><p>Like other new technologies, blockchain presents challenges and opportunities for internal auditors. Blockchain carries the typical IT risks such as unauthorized access and threats to confidentiality, but it also could impact traditional audit procedures. Yet, blockchain may enable auditors to be more innovative and efficient. </p><h2>The New Risks</h2><p>As with all new technologies, internal auditors need to assess the internal and external risks to business objectives posed by blockchain. One risk is a “51 percent,” or “majority rule,” attack. In this attack, a user introduces false data in the blocks to create a fraudulent transaction that most nodes on the blockchain accept as true. Hackers also could target endpoint vulnerabilities where people interact with the blockchain, which is when the data is most susceptible to attack. </p><p>Another risk is individuals in a supply chain who misuse data by manipulating a blockchain’s transparency and traceability features. Legal risks arise from the lack of standards and regulations for monitoring blockchains in diverse legal jurisdictions worldwide. </p><p>Against this backdrop, internal auditors should review whether their clients have established appropriate actions to mitigate risks, including the timelines and staff needed to deploy them. Auditors also should provide assurance on the risks associated with implementing blockchain such as technology interfaces with legacy systems and the adequacy of migration strategies. 
</p><h2>Testing Systems </h2><p>Unlike traditional databases, blockchain applications maintain data in blocks, also known as a distributed ledger. These blocks are accessible to all users who are permitted to access them. Because a blockchain does not have a master copy of the database controlled by a database administrator, there is no single point of failure in the event of hacking. Instead, the ledger is replicated in many identical databases, each hosted by a different party. Any change carried out in one copy will simultaneously change all the records. </p><p>Notwithstanding blockchain’s security features, internal auditors should ask these questions while testing the system: </p><p></p><ul><li>How does blockchain allow different parties with distributed responsibilities in the network to access the ledgers when there is no central administrator? </li><li>How fast and timely is data available as millions of transactions are written simultaneously? Were availability risks addressed at the design stage?</li><li>How safe are the authorizations that allow users to read and write in the blocks? Are these confidentiality risks? </li><li>How adequate are the cryptography arrangements in place to hide the database in the network to ensure completeness, integrity, and nonrepudiation of data? </li><li>How robust are the validation controls and the roles allocated in view of limitations on reversing the transactions? Once blocks in a chain are secured through hashing, they cannot be reversed. </li><li>How adequate are the arrangements over the audit trail when there is no centralized database?</li><li>How adequate are the controls over the data backup and disaster recovery processes considering there are multiple copies of the blockchain and no single point of failure? Also, what arrangements are in place to recognize the node/ledger that could be used for backups? 
</li></ul><h2>Impact on Procedures </h2><p>Blockchain has implications for financial statement audit procedures. Because data maintained in blockchains is available in real time, traditional sampling techniques used in financial statements may not be required. Internal auditors can provide assurance by using data analytics to scan the entire database. Additionally, conventional reconciliation and validating tasks may not be necessary because there should not be discrepancies in the financial statements in a shared ledger scenario. </p><p>Indeed, blockchain may render many current risks related to financial statement opinions obsolete. Auditors should be aware of the new risks and their impact on traditional audit procedures. </p><p>One example is the risk of auditing transactions captured in an immutable blockchain. During a financial audit in a blockchain environment, auditors will be able to assess whether the transactions recognized in the financial statements have occurred and relate to the entity. However, in doing so, they might overlook the audit evidence’s relevance, reliability, objectivity, and verifiability. This is because auditors could treat the acceptance of a transaction into a reliable blockchain as sufficient audit evidence. Likewise, blockchain might legitimatize certain off-ledger transactions or incorrectly classify the transactions, providing false assurance. </p><p>Blockchain may require internal auditors to allocate more resources to obtain assurance on the adequacy of controls in recording transactions. Moreover, auditors will continue to focus on issues related to other nonautomated key activities such as governance, risk management, monitoring, reporting, and evaluation. Indeed, value-for-money audits and other types of audits may grow as organizations seek to evaluate the costs and benefits associated with blockchain applications. 
</p><h2>Opportunities for Audit</h2><p>Blockchain may not completely redefine the rules of internal auditing, but it could provide new opportunities. First, auditors could lobby their clients to involve them during system development either as observers or advisors. This would help auditors understand the nuances of the blockchain operating environment from its inception, including its implementation challenges. Moreover, auditors may be able to suggest and determine the terms of reference for developing appropriate audit modules in blockchain-based systems. </p><p>Second, blockchain may encourage audit management to streamline and reorient its staff, while building the department’s capacity to provide quality services to clients. Staff members will need to be able to work with a range of new technologies. Conversely, by automating some tasks, internal audit functions may not need as many auditors as before. </p><p>Third, artificial intelligence may enable auditors to quickly process, extract, and identify risks up front using publicly available blockchain ledgers. This ability may make the audits more cost-effective. Also, auditors could use data mining to identify the highest risks such as frauds, resulting in more relevant audits.</p><h2>Built to Thrive</h2><p>As blockchain changes the way business is conducted globally, it presents an opportunity for internal auditors to migrate to a challenging, new operating environment. To get there, internal audit must evolve its procedures while staying focused on the risks that matter most to the organization. By monitoring blockchain developments, auditors can help the business thrive in the future.<br></p>Israel Sadu
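<p>The "Testing Systems" questions about integrity and the audit trail can be tested directly on a ledger export. The following is an added example, not code from the article or from any blockchain product: it uses a simplified hash-linked ledger with constructed transactions, and every function and field name is an assumption made for illustration. It shows that an in-place edit breaks the hash links, while a copy whose hashes were recomputed after the edit passes its own check and is only caught by comparing it with another node's copy.</p>

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed sentinel used as the first block's predecessor


def block_hash(index, prev_hash, payload):
    """SHA-256 over a canonical JSON encoding of the block contents."""
    body = json.dumps(
        {"index": index, "prev_hash": prev_hash, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_chain(payloads):
    """Link each payload to its predecessor through the predecessor's hash."""
    chain, prev = [], GENESIS_PREV
    for i, payload in enumerate(payloads):
        payload = copy.deepcopy(payload)
        digest = block_hash(i, prev, payload)
        chain.append({"index": i, "prev_hash": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain):
    """Return the position of the first block that fails verification, or None."""
    prev = GENESIS_PREV
    for pos, block in enumerate(chain):
        if block["index"] != pos or block["prev_hash"] != prev:
            return pos  # broken link to the previous block
        if block_hash(block["index"], block["prev_hash"], block["payload"]) != block["hash"]:
            return pos  # contents no longer match the recorded hash
        prev = block["hash"]
    return None


def rehash_from(chain, start):
    """Recompute hashes from `start` onward, which only affects this one copy."""
    prev = chain[start - 1]["hash"] if start > 0 else GENESIS_PREV
    for block in chain[start:]:
        block["prev_hash"] = prev
        block["hash"] = block_hash(block["index"], prev, block["payload"])
        prev = block["hash"]


def first_divergence(copy_a, copy_b):
    """Return the first position where two node copies disagree, or None."""
    for pos, (a, b) in enumerate(zip(copy_a, copy_b)):
        if a["hash"] != b["hash"]:
            return pos
    if len(copy_a) != len(copy_b):
        return min(len(copy_a), len(copy_b))
    return None


# Constructed sample transactions (not real data).
SAMPLE_PAYLOADS = [
    {"tx": "INV-1001", "from": "buyer-a", "to": "supplier-x", "amount": 1200},
    {"tx": "INV-1002", "from": "buyer-a", "to": "supplier-y", "amount": 450},
    {"tx": "INV-1003", "from": "buyer-b", "to": "supplier-x", "amount": 9800},
    {"tx": "INV-1004", "from": "buyer-b", "to": "supplier-z", "amount": 75},
]


def audit_demo():
    """Run both integrity tests against three node copies of the same ledger."""
    node_a = build_chain(SAMPLE_PAYLOADS)
    node_b = copy.deepcopy(node_a)
    node_c = copy.deepcopy(node_a)

    # Case 1: a payload is edited in place; the stored hash no longer matches.
    node_b[1]["payload"]["amount"] = 9500

    # Case 2: a payload is edited and the copy's hashes are recomputed, so the
    # copy is internally consistent and must be compared with a peer copy.
    node_c[2]["payload"]["amount"] = 1
    rehash_from(node_c, 2)

    return {
        "edited_in_place": verify_chain(node_b),
        "rewritten_self_check": verify_chain(node_c),
        "rewritten_vs_peer": first_divergence(node_a, node_c),
    }


if __name__ == "__main__":
    print(audit_demo())
```

<p>For audit evidence, this means a self-consistency check of a single node's export is not sufficient on its own; the export should also be compared with copies obtained from independent nodes.</p>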
Assurance in the Privacy Regulatory Age<p>Public outcry about the growing severity of data breaches has led to enhanced regulations around the world to protect consumers' personal information. The most prominent of these data privacy regulations is the European Union's (EU's) General Data Protection Regulation (GDPR). Other regulations, like California's Consumer Privacy Act of 2018, are modelled after GDPR.</p><p>These data privacy laws can increase compliance risk for organizations and disrupt business operations. Besides businesses that reside within the EU borders, GDPR applies to non-EU organizations that do business with EU residents. Organizations in violation of GDPR may face increased fines and penalties of $20 million or 4 percent of annual worldwide revenue, whichever is greater, for each incident. The law shortens the interval for notifying victims of a breach to within 72 hours after discovery. </p><p>Additionally, data privacy regulations such as GDPR prescribe requirements such as having written information security programs, policies and procedures, and compliance with a security program. New regulations also could impact organizations' long-term planning by forcing them to change current or future business approaches. Opportunities abound for internal audit to add value to ensure the organization complies with data privacy regulations.</p><h2>Breach Management </h2><p>With only 72 hours to notify victims after a data breach is discovered, organizations subject to GDPR need an established and tested incident response plan to ensure notifications occur succinctly and timely. The plan should ensure all third-party contractual data breach notifications are aligned. In auditing the plan, internal audit should:</p><ul><li>Review the current incident response plan and policy to ensure it contains GDPR's 72-hour notification provision. 
</li><li>Observe or participate in periodic tests of the incident response plan to ensure people are aware of their roles and that notification will occur timely. Also, interview participants to validate the plan and role awareness. </li><li>Review third-party contracts to ensure they outline breach notification timelines that will allow the organization to report a breach, if applicable, within the 72-hour requirement. </li><li>Validate that third-party reporting is incorporated into the incident response plan and testing. </li></ul><h2>Choice of Consent </h2><p>GDPR allows EU residents to choose whether and how organizations can use their personal data. The organization's legal team should provide guidance about when consents must occur. This requires the organization to document and maintain consents. Internal audit should:</p><ul><li>Perform a walk-through of the process to review for any potential control improvements or efficiency opportunities. </li><li>Test the consent process by entering a consent to see whether the system has logged and retained it. </li><li>Obtain customer records sent to third-party vendors and compare them to the consent-tracking system to validate that consumers consented to having their records sent to the third party. </li><li>Review audit trails to ensure they cannot be altered. </li></ul><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p> <strong>​GDPR Opportunities</strong><br></p><p>An August <em>Internal Auditor</em> article, <a href="/2018/Pages/GDPR-and-Internal-Audit.aspx"> <span class="ms-rteForeColor-9">"GDPR and Internal Audit,"</span></a> discusses the main aspects of GDPR compliance. Author Jan Hertzberg advises internal auditors to include independent assessments and compliance testing in their audit plans. 
Hertzberg says these activities can raise executive and board awareness of GDPR noncompliance by highlighting poorly designed or missing controls. Moreover, they can identify opportunities to audit common processes across departments.<br></p></td></tr></tbody></table><h2>Limitations </h2><p>Under GDPR, organizations must not retain customer data longer than required for its intended purpose. Data is either stored online or backed up. Backups can be performed online or offline on removable media such as tapes. As a best practice, the organization's retention policies should document the time period in which it retains customer data and comply with respective data privacy regulations. </p><p>Data removal should be documented and tracked to show compliance. Removing data from online sources can be done easily using a database query. Removing data from offline storage can be a more tedious process, depending on the backup model used and rotation plan. </p><p>For tape storage, this may require removing the record from full and incremental backups, including those for data file restoration and full disk backup for disaster recovery planning. Additionally, retaining a large number of previous backups could lead to a somewhat cumbersome process in which the organization would need to recall and remove each record on each tape.</p><p>In reviewing data retention practices, internal audit should: </p><ul><li>Perform a walk-through of the process to look for potential control improvements or efficiency opportunities. </li><li>Select a sample from the tracking system of deleted customer records and query the production system and active online backups to validate that the customer records were removed. </li><li>Select a sample of offline tape backups and review whether the customer records were removed. </li><li>Compare data retention policy requirements to the tracking system to ensure data was removed as stipulated.  
</li><li>Validate whether the current data retention policy complies with associated data regulations.</li></ul><h2>Third-party Vendor Management </h2><p>GDPR requires organizations to gather third-party guarantees for compliance along with proof of compliance. These guarantees usually are included in contractual provisions along with provisions for overall vendor monitoring and oversight processes. Steps internal audit should take include:</p><ul><li>Performing a walk-through of the process to discover potential control improvements or efficiency opportunities. </li><li>Reviewing a sample of third-party contracts to validate whether GDPR contract provisions exist. Also note any other contract provisions that allow for monitoring of the vendor's control environment. Such provisions could include the right to audit, third-party assessments, or other service-level reporting that demonstrates compliance. </li><li>Testing a sample of contractual requirements to ensure there is supporting evidence of monitoring activities. </li><li>Participating in the organization's testing of the third-party vendor's controls, if there is a right to audit. Note this could be an opportunity for internal audit to add value by performing select GDPR third-party vendor audits. </li></ul><h2>Privacy Policy</h2><p>An organization's online privacy policy should note customers' rights and align with associated privacy regulations. Examples include the customers' rights to know how their data is used, request removal, and correct their data. Additionally, the privacy policy may include types of security practices the organization may use such as encryption. </p><p>Overall, internal audit's assurance activities should align with the respective online data privacy policies. 
These assurance activities may include:</p><ul><li>Conducting a walk-through of processes used to provide customers stated rights for any potential control improvements or efficiency opportunities.</li><li>Testing to ensure processes for each stated security requirement are appropriate. For example, if the security policy mandates that customer data be encrypted, then internal audit testing would include validating that the data is encrypted both online and offline (backups). In addition, internal audit would observe and test the security controls of the encryption keys.</li></ul><h2>Cross-border Data Transfers </h2><p>Cross-border data transfer regulations may prohibit data transfers or require specific data protections. Many governments are implementing cooperative agreements to permit data transfer while still appropriately protecting individual privacy. Two examples of cross-border data transfer agreements are the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System and the Privacy Shield negotiated between the EU and U.S. </p><p>Organizations should remain abreast of current developments to ensure compliance with data transfer requirements. Internal audit must understand the requirements of these intergovernmental agreements and ensure compliance with each requirement. </p><h2>Policy and Procedure Management </h2><p>Formal policies and procedures are the heart of any security or data privacy program. Effective policies and procedures receive enterprisewide buy-in. </p><p>As a best practice, annual acknowledgement and training ensures policies and procedures are communicated and understood. Internal audit assurance activities should focus on ensuring compliance with these policies and procedures and determining whether there are appropriate processes to maintain them. </p><h2>Data Management </h2><p>Knowing what data is collected, its location, and how it is used is paramount to ensuring data privacy compliance. 
This includes understanding what specific data is transferred to third parties and how they use the data. </p><p>Organizations usually have a data policy that categorizes types of data and provides guidance on the manner in which each type of data should be secured. They should formally define a data management program to ensure they maintain a data inventory and comply with existing policies and procedures. Internal audit tests should include:</p><ul><li>Performing a walk-through of processes to manage data for any potential control improvements or efficiency opportunities.</li><li>Testing to ensure the organization adheres to data retention requirements. </li><li>Testing to ensure appropriate security is in place as stated in the organization's data policy.</li><li>Testing to ensure data inventory is maintained.  </li><li>Assessing management's formal risk assessment processes.</li></ul><h2>Ensuring Sound Security</h2><p>Internal audit should remain abreast of current data privacy requirements that affect the organization. This includes serving as consultants for management to implement appropriate compliance measures and posting audit assurance activities. </p><p>The annual audit planning efforts should include audits that will allow validation of current data privacy compliance. This is especially necessary with organizations facing the risk of increased fines and penalties as well as a heightened potential for lawsuits by victims of data breaches. In this environment, internal audit can help ensure the organization has sound and prudent security practices. <br></p>James Reinhard
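<p>The consent test under "Choice of Consent" (comparing records sent to third-party vendors with the consent-tracking system) and the retention tests under "Limitations" (confirming tracked deletions and comparing the tracker with the retention policy) can be run over whole extracts rather than samples. The following is an added example, not code from the article: the record layouts, vendor names, the 365-day retention period, and all function names are assumptions, and the data is constructed.</p>

```python
from datetime import date, datetime, timedelta


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Constructed consent log: (customer_id, vendor, granted_at, withdrawn_at or None)
CONSENTS = [
    ("C001", "mailhouse", ts("2018-06-01 09:00"), None),
    ("C002", "mailhouse", ts("2018-06-03 10:00"), ts("2018-07-01 08:00")),
    ("C003", "analytics", ts("2018-06-05 12:00"), None),
    ("C004", "mailhouse", ts("2018-08-10 12:00"), None),
]

# Constructed extract of records sent to a vendor: (customer_id, vendor, sent_at)
TRANSFERS = [
    ("C001", "mailhouse", ts("2018-07-15 02:00")),
    ("C002", "mailhouse", ts("2018-07-15 02:00")),
    ("C003", "mailhouse", ts("2018-07-15 02:00")),
    ("C004", "mailhouse", ts("2018-07-15 02:00")),
    ("C005", "mailhouse", ts("2018-07-15 02:00")),
]


def reconcile_consent(transfers, consents):
    """Return (customer, vendor, reason) for every transfer not covered by consent."""
    windows_by_key = {}
    for cust, vendor, granted, withdrawn in consents:
        windows_by_key.setdefault((cust, vendor), []).append((granted, withdrawn))
    customers_with_any_consent = {cust for cust, *_ in consents}

    exceptions = []
    for cust, vendor, sent in transfers:
        windows = windows_by_key.get((cust, vendor))
        if windows is None:
            reason = ("consent_other_vendor_only"
                      if cust in customers_with_any_consent else "no_consent_on_file")
        elif any(g <= sent and (w is None or sent < w) for g, w in windows):
            continue  # transfer falls inside an active consent window
        elif all(sent < g for g, _ in windows):
            reason = "sent_before_consent"
        else:
            reason = "sent_after_withdrawal"
        exceptions.append((cust, vendor, reason))
    return exceptions


# Constructed deletion tracker: (customer_id, deleted_on)
DELETION_TRACKER = [
    ("C010", date(2018, 9, 1)),
    ("C011", date(2018, 9, 1)),
    ("C012", date(2018, 9, 2)),
]

# Constructed sets of customer ids still present in each queried store.
STORES = {
    "production": {"C001", "C002", "C011", "C013"},
    "online_backup": {"C001", "C002", "C012", "C013"},
}

# Constructed date on which the purpose for holding each customer's data ended.
PURPOSE_ENDED = {
    "C001": None,  # still an active customer
    "C002": date(2018, 7, 1),
    "C010": date(2017, 1, 10),
    "C011": date(2017, 2, 1),
    "C012": date(2017, 2, 20),
    "C013": date(2017, 3, 1),
}
RETENTION_DAYS = 365  # assumed policy value for the example


def verify_deletions(tracker, stores):
    """Return (customer, [stores]) for tracked deletions that are still present."""
    findings = []
    for cust, _deleted_on in tracker:
        present = sorted(name for name, ids in stores.items() if cust in ids)
        if present:
            findings.append((cust, present))
    return findings


def overdue_untracked(purpose_ended, tracker, retention_days, as_of):
    """Return customers past the retention period with no entry in the tracker."""
    tracked = {cust for cust, _ in tracker}
    limit = timedelta(days=retention_days)
    return sorted(
        cust for cust, ended in purpose_ended.items()
        if ended is not None and ended + limit < as_of and cust not in tracked
    )


if __name__ == "__main__":
    print(reconcile_consent(TRANSFERS, CONSENTS))
    print(verify_deletions(DELETION_TRACKER, STORES))
    print(overdue_untracked(PURPOSE_ENDED, DELETION_TRACKER, RETENTION_DAYS, date(2018, 10, 1)))
```

<p>Offline tape backups are outside what this check covers; the article's separate step of reviewing a sample of tapes still applies.</p>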
The Rise of Automation<p>The "big" in big data hardly seems adequate to describe the scope of today's digital information. Each day, the world produces 2.5 quintillion bytes of new data, according to a 2016 IBM Marketing Cloud report. In fact, 90 percent of data created over the history of the human race was generated in the past two years alone, the report says. </p><p>Increasingly, competitive advantage is driven by organizations' ability to access, collect, synthesize, analyze, and exploit insights from that data. But the scope of this undertaking swamps traditional practices and capabilities. Tackling it effectively requires mastering emerging technologies, such as artificial intelligence (AI) and robotic process automation (RPA).</p><p>For internal auditors, these technologies present a challenge and an opportunity. The challenge? How can they help their businesses understand, codify, and develop appropriate controls around the new risks presented by RPA, AI, and other technologies? The opportunity? Where, within the internal audit function itself, can these tools be leveraged to provide deeper insights with greater efficiency?</p><h2>Emerging Technology Risk</h2><p>AI and RPA have great potential to increase efficiency, but they also can help reduce organizational risk. Processes handled by these technologies are performed quickly and with absolute consistency; humans make mistakes or skip steps, robots do not. But that speed and consistency carries its own risk. If a faulty algorithm exists, if the tools access incorrect or incomplete data, if someone tampers with the process, or if RPA does not adjust to changing business or economic conditions, then the organization's automated processes can magnify human errors. 
Consequently, significant follow-up work may be required to unwind the errors.</p><p>Internal auditors should ask several questions when assessing risks associated with emerging technologies:</p><p></p><ul><li>Has the organization established programs to take advantage of these technologies? Are foundational programs in place, such as data management and governance, as well as user-access controls? </li><li>Who is responsible for determining whether and how such tools can access the organization's data? Has clear accountability been established? Are appropriate safeguards in place?</li><li>Has the organization implemented appropriate development and deployment controls, addressing issues such as how and when new processes are tested and updated? </li><li>Who is accountable for ensuring that use of the technologies complies with corporate policies, as well as applicable laws and regulations?</li><li>Are these processes being considered holistically to address change management, human resources, and other related concerns?</li></ul><p><br></p><table class="ms-rteTable-default" width="100%" cellspacing="0"><tbody><tr><td class="ms-rteTable-default" style="width:100%;"><p><strong>​AI and RPA Defined</strong></p><p>Definitions of AI vary. The <em>English Oxford Living Dictionary</em> defines it broadly as: “The theory and development of computer systems able to perform tasks normally requiring human intelligence, such as visual perception, speech recognition, decision-making, and translation between languages.” RPA, on the other hand, involves the use of software with AI and machine learning capabilities to handle high-volume, repeatable tasks that previously required humans to perform. These tasks can include queries, calculations, and maintenance of records and transactions. 
</p><p>Consider the challenge of wading through potentially thousands of contracts that may contain embedded leases, in an effort to comply with the Financial Accounting Standards Board’s new lease accounting rules. Organizations currently use AI technologies such as text recognition and natural language processing to scan contracts for language that indicates an embedded lease may exist, and to flag those contracts for review. RPA is often coupled with this process to route flagged contracts to appropriate parties, ensuring decisions on embedded leases are made timely. Subsequently, RPA is also often used to follow up on, and to confirm, a decision has been made on those contracts. Beyond this narrow example, a variety of studies indicate that as much as 45 percent of the work performed in businesses every day could eventually be replaced by RPA.</p></td></tr></tbody></table><p>Additionally, internal auditors should determine what the organization is doing to ensure effective governance of its technology (see also <a href="/2018/Pages/A-New-Age-of-IT-Governance-Risk.aspx">"A New Age of IT Governance Risk"</a>). Audit leaders need to work with organizational leadership to help develop an appropriate governance strategy for managing these technologies — and also to help unlock their potential. Internal auditing should be involved as part of the design or launch process so key risk indicators can be identified and appropriate controls embedded. This approach is far more effective than trying to append controls as an afterthought. Audit leadership can aid the chief technology officer and chief information officer in the development of a strong governance plan. Numerous available frameworks, such as COBIT and ITIL, can serve as guides. Also, guidance from the chief legal counsel and compliance department may provide additional support. The governance structure or plan over technology should be periodically reviewed for modifications that may be needed. 
</p><h2>Three Lines of Defense </h2><p>One of the challenges of today's rapidly changing business technology involves working effectively across the first and second lines of defense, while maintaining internal audit objectivity. The traditional audit approach incorporated relatively static, periodic risk assessments and statistical sampling of data from past transactions to identify control issues. Auditors often identified issues months or more after they arose, making remediation untimely and allowing losses or other issues to compound. With today's tools, internal audit functions can test most or even all transactional data and can do so in close to real time. </p><p>The acceleration toward real-time auditing and the associated need to help identify and manage risks around emerging technologies means that internal auditors find themselves working more closely and more often with those in the first and second lines of defense. One of the benefits of real-time auditing involves pushing risk management down to the first line of defense wherever possible. Internal audit can play a key role in investigating how AI and RPA can be used to augment, and in many cases replace, current manual transaction testing and other risk-testing processes. Automating control testing through the use of RPA can enable organizations to spot anomalies earlier.</p><p>An organization's risk posture can be greatly improved by helping management understand the best uses of these tools and by working to deploy them in real time. The technology can help identify control deficiencies much sooner, enable testing of entire populations, and correct deficiencies immediately upon identification. As the third line of defense, however, internal audit needs to maintain its independence. 
Internal auditors may assist the first and second lines in establishing the use of these technologies by providing advice, but they must also ensure audit independence remains adequate to provide the additional layer of review. </p><h2>Leveraging the Technology </h2><p>When examining RPA and AI, internal audit shouldn't limit its focus to the business's use of these technologies. The audit function itself offers ample opportunities to leverage RPA and AI to achieve efficiencies and improve results. Auditors should consider several potential applications:</p><p>Controls testing is a vital but time-consuming internal audit function, requiring consistent, repetitive application to be effective — just the sort of process that is ideally suited for RPA. In some cases, controls or testing processes will need to be modified to allow for RPA, but once it is in place, automation can produce accurate, consistent, and timely results. For example, ensuring the usefulness of data consumed from multiple sources historically would often require someone from the audit team to spend significant time stitching the data together. Today an RPA automation can quickly replicate all of those tasks with a higher level of accuracy.</p><p>Internal audit work requires a significant amount of routine, repetitive communication. For example, auditors often need to request information and then follow up on those requests, many of which are triggered by specific due dates. These processes offer key opportunities for automation. </p><p>Scorecard population, audit committee reporting, and other predictable documentation demands often can be fully or partially automated. Dashboards can be fully automated for management and the board of directors. Using RPA with a visualization tool can enable automated generation of dashboard information for these key stakeholder groups. 
</p><p>The specific opportunities to apply emerging technology to the internal audit function will, of course, be partly determined by the circumstances of each organization. By seizing those opportunities where they exist, audit leaders can free up their professionals to focus on the critical thinking necessary to provide real strategic insights for the business. </p><p>Delivering those insights and managing the risks of emerging technologies also requires expanded skills — internal audit leaders should keep those needs in mind as they hire and train staff. Although technology can fuel significant improvements and efficiencies, deploying the right people, skills, and approach ultimately enables the technology to work as intended. Of course, a solid accounting and audit background remains vital, but more and more skills around data science and IT must be part of the internal audit group. And the central mission of internal auditing — to enhance and protect organizational value by providing risk-based and objective assurance, advice, and insight — remains the same. But tools like AI and RPA require auditors to possess broader technological skills, strong data management capabilities, and familiarity with mathematics — such as linear algebra and statistics, which drive algorithm development. A background in coding also can be valuable. </p><p>Hiring professionals with these skills and training those already in the internal audit function is essential. Not only will it position the audit team to best understand and address emerging technology risk, but audit functions considered leaders in these areas may be seen as more attractive to top talent.</p><h2>Partners in Transformation</h2><p>The emergence of AI, RPA, and similar technologies is much like that of spreadsheet applications in the mid-1980s. Spreadsheets at that time were innovative and useful, but not yet widely adopted. 
Within 10 years, they became ubiquitous and revolutionized work, not only within internal audit but across the business world. </p><p>Likewise, AI and RPA are transforming businesses and their internal audit functions. And while the new technologies present new risks, these risks can be managed. The greater risk is failing to capitalize on the power and utility AI and RPA tools offer. Effectively managing emerging technology risks while also leveraging these tools are key challenges for today's internal audit leaders. By doing so, however, they can become true strategic partners in their organization's success. </p><p></p>Michael Rose
Editor's Note: The Smart, Small Internal Audit Function<p>At an IIA Audit Executive Center CAE roundtable discussion early this year, some participants shook their heads when asked what it would take to make their audit functions more innovative. Participants said they didn’t have the resources to even consider innovating. However, Jim Pelletier, IIA vice president of Professional Standards and Knowledge and <a href="/blogs/Jim-Pelletier">’s innovation blogger</a>, told them they should not consider lack of resources a roadblock to innovating, as it only takes one person to think differently and challenge the status quo.</p><p>Approximately one-fourth of North American IIA members are full-time employees of small (one- to five-person) audit functions, according to The IIA’s 2018 Member Needs Survey. In this month’s cover story, <a href="/2018/Pages/Small-but-Tech-Savvy.aspx">“Small but Tech Savvy,”</a> CAEs of small functions discuss how they are using technology creatively, efficiently, and cost effectively. “Through innovative techniques and keen attention to stakeholder needs, many small audit functions are making the most of the technology tools at their disposal,” author Arthur Piper writes. </p><p>Innovation and flexibility go hand in hand. “With limited resources comes limited time, but small audit functions must maintain flexibility when events occur that are outside the scope of the audit plan,” writes Justin Stroud, who was brought in as Western Reserve Group’s one-person audit department nearly four years ago (see <a href="/2018/Pages/Starting-Small.aspx">“Governance Perspectives”</a>). “Having laser focus and a detailed game plan can help squeeze in work that can add value to the organization.”</p><p>And small audit departments have been known to do great things! 
In this month’s <a href="/2018/Pages/A-Case-of-Misplaced-Trust.aspx">“Fraud Findings,”</a> read how a lone internal auditor worked with a forensic investigator to uncover a nearly $4 million embezzlement — no small feat. </p><p>So, here’s to the small but mighty audit function, the men and women who work tirelessly to enhance and protect organizational value. These small teams are succeeding through agility and innovation. </p>Anne Millage
