New technologies are transforming the world at a constantly accelerating pace, with no end in sight. IBM’s 2012 Global CEO Study reports, “For the first time [since 2004], technology now tops the list of external forces impacting organizations. Above any other external factor — even the economy — CEOs expect technology to drive the most change in their organizations over the next three to five years.”
In recent years, internal auditors have been bombarded with warnings about the risks presented by cloud computing, social media, big data analytics, and mobile devices, and told they need to address them in their audit plans. Yet, as many reports on the profession note, many internal auditors are not using these new technologies to change the practice of internal auditing itself — how they understand and monitor risk, plan and manage their work, test transactions and controls, and communicate the results of their assessments.
Traditional tools for internal auditors, such as data analytics — sometimes referred to as computer-assisted audit tools — and audit management software from vendors that specialize in internal audit solutions, continue to improve. These products have been joined by governance, risk management, and compliance (GRC) solutions that often include audit management and data mining capabilities.
But there is a great opportunity for internal audit departments to join in the use of enterprise applications to enhance both their efficiency and effectiveness. Organizations are investing heavily in a variety of new technologies to transform the way in which they deliver products to and communicate with customers, as well as how they operate, manage, and direct the business. Auditors can use these same tools to transform each stage of internal audit work (see “Transforming Internal Audit” below).
Transforming Internal Audit
Organizations continue to come up with new and exciting technology uses that auditors may want to implement. Each of these examples illustrates uses of technology that internal audit could adapt to transform its work.
Social Media: A bank in Northern California was concerned about the rate of loss of its financial consultants, who work in the branches and help customers select accounts and other investments. When it lost an experienced financial consultant, it also lost the relationships that individual had established with the bank’s customers, affecting revenue adversely. The bank used social media analytics software to mine employees’ email and posts to its internal social media groups. That enabled the bank to identify, with reportedly about 66 percent accuracy, the financial consultants who were not satisfied with their jobs and were considering leaving. Management was able to talk to these employees and address their concerns, with the positive outcome of retaining many of them.
Many organizations also use social media analytics to monitor what their customers say about them, their products, and their services — a technique often referred to as sentiment analysis or text analytics. This helps them understand not only customer satisfaction with their products and services, but also their level of reputational risk. Some organizations have developed routines that identify email and other chatter that might be a red flag for fraud or intrusion attempts.
Analytics: A large international bank was concerned about potential money laundering, especially because regulators were not satisfied with the quality of its related internal controls. It invested in state-of-the-art business intelligence solutions that ran “in-memory” — a new technique that enables analytics and other software to run up to 300,000 times faster — to monitor 100 percent of its transactions, looking for patterns indicating potential problems.
Mobile: A global software company upgraded its enterprise risk management system so senior managers could view real-time strategy and risk dashboards on their mobile devices (tablets and smartphones). The executives can monitor risks to both the corporate and their personal objectives and strategies and take actions as necessary. In addition, when a risk level rises above a defined target, the managers and the risk officer receive an alert.
Collaboration: The information security team at a U.S. company wanted to increase the level of employee acceptance and compliance with the information security policy. It decided to post a new policy draft to a collaboration area available to every employee and encouraged them to post comments and suggestions for upgrading it. This technique is referred to as “crowd-sourcing.” The company received multiple comments and ideas, many of which were incorporated into the draft. When the completed policy was published, the company found that the level of acceptance increased significantly — the employees felt they had part ownership.
A risk-based internal audit approach requires auditors to build and maintain the audit plan so it addresses the risks that matter to the organization, and then update the plan as risks change. In these turbulent times, risks change frequently, and it is essential that audit teams understand the changes and ensure their plan is updated continuously. This requires monitoring to identify and assess both new risks and changes in the previously identified risks.
Some new technologies used by organizations’ financial and operational analysts, marketing and communications professionals, and others to understand changes both within and outside the business also can be used to great advantage by internal auditors for risk monitoring. The benefits of leveraging this same software are that the organization has experts in place to teach internal auditors how to use it, the IT department already is providing technical support, and it is currently used against the enterprise data internal auditors want to analyze.
A range of enhanced analytics software — such as business intelligence, analytics (including predictive and mobile analytics), visual intelligence, sentiment analysis, and text analytics — enables internal auditors to monitor and assess risk levels. In some cases, the software monitors transactions against predefined rules to identify potential concerns such as heightened fraud risks. For example, an audit team can monitor credit memos in the first month of each quarter to detect potential revenue accounting fraud. Another use is to identify trends, such as changes in profit margins or the level of employee turnover, that might indicate changes in risk levels. For example, the level of emergency changes to enterprise applications can be analyzed to identify a heightened risk of poor testing and implementation protocols.
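The two monitoring rules mentioned above, written out as an added Python example (not from the article or any vendor product). The record layouts, the sample rows, the 50 percent reversal ratio, the 40 percent emergency-change limit, and the choice to compare a credit memo with the customer's invoices from the last month of the prior quarter are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data; ids, customers and amounts are illustrative.
LEDGER = [  # (doc_id, doc_type, customer, posting_date, amount)
    ("INV-101", "invoice", "ACME", date(2013, 3, 28), 90000.0),
    ("INV-102", "invoice", "BOLT", date(2013, 3, 29), 40000.0),
    ("INV-103", "invoice", "ACME", date(2013, 2, 10), 15000.0),
    ("CM-201", "credit_memo", "ACME", date(2013, 4, 9), 70000.0),
    ("CM-202", "credit_memo", "BOLT", date(2013, 4, 15), 2000.0),
    ("CM-203", "credit_memo", "ACME", date(2013, 5, 20), 60000.0),
]
CHANGES = [  # (month, change_type) rows from a change-management log
    ("2013-01", "normal"), ("2013-01", "normal"),
    ("2013-01", "normal"), ("2013-01", "emergency"),
    ("2013-02", "emergency"), ("2013-02", "emergency"),
    ("2013-02", "normal"),
]

def prior_quarter_end_month(d):
    """(year, month) of the last month of the quarter before d's quarter."""
    first = d.month - (d.month - 1) % 3  # first month of d's quarter
    return (d.year - 1, 12) if first == 1 else (d.year, first - 1)

def flag_credit_memos(ledger, ratio=0.5):
    """Credit memos posted in the first month of a quarter that reverse at
    least `ratio` of that customer's invoices from the prior quarter-end month."""
    billed = defaultdict(float)
    for _, kind, cust, day, amt in ledger:
        if kind == "invoice":
            billed[(cust, day.year, day.month)] += amt
    flagged = []
    for doc, kind, cust, day, amt in ledger:
        if kind == "credit_memo" and day.month % 3 == 1:
            year, month = prior_quarter_end_month(day)
            base = billed[(cust, year, month)]
            if base and amt / base >= ratio:
                flagged.append(doc)
    return flagged

def emergency_change_months(changes, limit=0.4):
    """Months in which emergency changes exceed `limit` of all changes."""
    total, urgent = defaultdict(int), defaultdict(int)
    for month, kind in changes:
        total[month] += 1
        urgent[month] += kind == "emergency"
    return sorted(m for m in total if urgent[m] / total[m] > limit)

if __name__ == "__main__":
    print(flag_credit_memos(LEDGER), emergency_change_months(CHANGES))
```

A flagged document is a lead for follow-up with the process owner, not a finding; the thresholds would be tuned against the organization's own history.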
An interesting exercise is to review how the organization’s financial and operational analysts use analytics software to monitor the business, help managers make business decisions, and complete the financial close. Internal audit teams often can use the same routines without significant change.
Organizations increasingly obtain the greatest value when they combine new technologies, according to a recent Gartner report based on interviews with more than 2,000 global chief information officers. An example is when an organization uses business intelligence software “in the cloud” against big data stored in a data warehouse and then delivers the results to executives’ mobile devices. Internal auditors should consider the same integration of technologies. Not only can the results of analytical routines be delivered to the auditor’s smartphone or tablet, but with mobile analytics, the software actually is run from the mobile device. These technologies also are easy to learn and use.
Technologies being deployed for risk and security managers include mobile dashboards and other mobile “apps.” For example, an information security manager can monitor defined security risk levels — such as intrusion attempts or identified segregation of duties exceptions — in real time on his or her tablet. The same technology can either be used directly by the auditor or adapted to show risk levels of interest.
Business executives similarly use dashboards and mobile analytics on their mobile devices to monitor and manage the business. For example, a large media conglomerate in Singapore provides daily metrics to senior managers on both their smartphones and tablets. The managers may use the phones for immediate notifications, with further and more detailed analysis performed using their tablets or laptops. Internal auditors should consider monitoring the same performance metrics because a variance from expected results may indicate a change in related risks. Moreover, they might use the technology to build an internal audit dashboard that monitors critical business risks.
Some internal audit departments have added risk management responsibilities to their portfolios. In addition to providing tools for risk monitoring, vendors offer a range of stand-alone risk management (or enterprise risk management) solutions; specialized tools for assessing financial and other risks, such as derivatives; integrated risk and compliance solutions; and GRC platforms.
One of the tasks in audit management is maintaining the risk-based audit plan. Several software vendors that supported internal audit management planning in the past have upgraded their solutions to include functionality for risk managers. Other vendors that focused more on risk and compliance managers have added functionality for internal audit management. Vendors may market these products as GRC solutions for both internal audit and risk management professionals. These solutions have a level of integration between the corporate risk profile and the internal audit risk-based plan that can be very useful. Some solutions include risk monitoring routines, typically through integration with analytics software.
Many organizations are acquiring GRC technology as they upgrade their risk and compliance programs. Internal audit departments should consider joining this initiative and adding their “wish list” of capabilities to the requirements definition. However, it is important to recognize that it is unlikely that any GRC solution will satisfy every internal audit need, and the organization may give priority to addressing risk and compliance requirements because they provide greater value to the organization.
Internal auditors have been using software to test transactions for decades, and new technology continues to improve their ability to test both transactions and controls. The same software that a bank’s compliance department uses to monitor transactions for possible money laundering also could be used to test whether they were approved by the correct individuals, identify potential duplicate or over-payment of vendors, or detect unusual transactions such as large inventory adjustments.
In the past, auditors relied on software designed for internal auditors to perform this testing. Modern analytics software has caught up with and, in some respects, surpassed internal audit data mining and analysis solutions. Although audit solutions have a library of tests designed specifically for practitioners, the new analytics software is easy to use and capable of the rapid and complex analysis of billions of transactions.
With the advent of mobile and the availability of analytics on devices such as smartphones and tablets, internal auditors now have the power of advanced analytics and data mining in the palms of their hands. Past constraints such as the inability to run audit software while at an international location are largely dissipated. Auditors now can develop a data mining routine, run it, and analyze the results wherever they are in the world.
Some GRC solutions include automated workpapers, and a few have integrated automated testing using analytics, which can become the core of continuous audit programs. In fact, many of the barriers to implementing continuous auditing are coming down. For example, auditors can lower the cost of the software by leveraging products acquired for other purposes by the organization, use easy-to-use “drag-and-drop” features to reduce the complexity of the software and its implementation time, and integrate workflow into the software to address the need to route potential exceptions to process owners and others for investigation.
Audit Reporting and Communication
As the world gets faster, boards and management need audit reports that communicate clearly and concisely what they need to know. Busy executives don’t have time to read multipage reports. They want audit communications that get to the point, can be read and understood quickly, and can be acted upon effectively.
A few innovative chief audit executives have used some interesting techniques to report internal audit assessments to management and the board. Some have adopted a more visually appealing representation in a one-page audit report; others have moved to the more visual capabilities of PowerPoint from the traditional text presentation of Microsoft Word.
New visualization technology — sometimes called visual analytics when allied with analytics solutions — provides more options for internal audit managers seeking to enhance or replace formal reports with pictures, charts, and dashboards. Executives and boards manage the enterprise with dashboards and trend charts. Effective internal audit communications make good use of the same techniques. One company used charts and trend lines to illustrate how the time to process small contracts far exceeded acceptable levels and was continuing to increase. The graphic — generated by a combination of a business intelligence analysis and a visual analytics tool to build the chart — was inserted into the standard internal audit report. Another company that was using business analytics tools for continuous monitoring shared the results with management and the board through dashboards that were integrated with the analytics tool.
Some GRC solutions offer reporting capabilities, which are becoming more useful for internal audit management. In time, these products may add more sophisticated visual reporting suitable for sharing with the board.
Where Technology is Going
Internal audit departments have a rich selection of technologies that can be used to make them more effective and efficient. It is questionable whether internal audit functions can remain relevant — addressing and providing assurance on the risks that matter to the organization — without much broader use of modern technology.
Technology can enable an internal audit department to understand the changing business environment and the risks that can affect the organization’s ability to achieve its objectives. The world and its risks are moving all the time, and auditors need to address the issues that matter now. To misquote the great hockey player Wayne Gretzky, internal auditors need to audit where the risk is going to be, not where it was when the audit plan was built.
They need to audit risk areas quickly and share the results with the board and management in ways that communicate assurance and stimulate necessary change. Technology is part of the solution to that need.
The technologies internal auditors should use will continue to improve and will be joined by others in time. For example, solutions for augmented reality — where a picture or view of the physical world is augmented by data about that picture or view; the one most often in the news is Google Glass — could enable auditors to point their phones at a warehouse and immediately access operational, personnel, safety, and other useful information. The future is bright indeed.