IIA has released On Risk 2021: A Guide to Understanding, Aligning, and Optimizing Risk, which provide insights to key risks faced on a global basis. It brings together the perspectives from three different levels of governance within an organization - Board, the Chief Audit Executive and the Management. Further, it outlines the impact of COVID 19 on business continuity management, cyber security and disruptive innovation.
As part of the third webinar in the series of webinars being conducted jointly by Protiviti and the Institute of Internal Auditors, the above trends and some of the good practices that organizations are adopting to address these trends were discussed under the theme – ‘Reskilling IA in New Normal/ Digital Age.' The session had an eminent line-up of panelists, each a respected voice across industries and an experienced IA professional.
With remote audits here to stay, the internal audit function is expected to grow into a hybrid model of traditional approach combined with digitization footprints.
There is an ever-increasing need to change the auditor’s approach towards governance, controls and assurance. The key factors driving this need are:
- The exponential speed of changes in the operating mechanism of companies including the systems and technologies used by the companies as well as the degree of reliance on such technologies. Auditors are required to comprehend and consider the risks associated with such changes.
- The paradigm shift from traditional audit approach to remote audits, forced upon by the pandemic. By leveraging Artificial Intelligence and RPA tools, which can be customized for risk and control management, auditors need to comprehend risks, which are unknown in the traditional audit approach.
The benefits reaped from such audit mechanism is the transition from sample to ample approach. However, a certain extent of manual intervention is inevitable. For example, physical controls like physical verification of stock or fixed assets would still require some physical presence to ensure the touch with physical world is not lost and the right balance is made.
Interestingly, the impact of the pandemic on the performance of audits has been minimal as 49% of the poll responses indicated that “More than 75%” of the audit plan was adhered to during this period.
Global delivery centres are set to see some exponential growth as we evolve into a remote auditing environment, especially as we achieve the desired levels of efficiency in audit of unstructured data
Remote auditing as a concept, has already been explored and adopted largely by most of the Fortune 500 companies. Over the last five to seven years, there has been a steady movement in the roles from various parts of the world to India. It is most appropriate to credit this transition to their respective operations and technology processes, which has facilitated the transfer to global delivery centres as well as the need to cover risks on real time basis.
An equally important factor is the talent pool available in India having the right skill sets. Our demonstration of the right prospects is probably one of the driving factors for heavy investment by companies in remote audit capabilities in India.
Audit includes audit of structured as well as unstructured data. Structured data, as we know, is data in a predefined agreeable format, easy to interpret and audit remotely. Such data is generated from upstream systems which can be easily comprehended by an offshore team to perform the testing. The issue arises when we have to deal with unstructured data, which requires not only interviewing the auditee and a tangible essence to observe the processes, systems and files but also to extract and analyse data from multiple sources and in discrete formats. What required auditors to fly from India to global offices for audit planning and performance has now been replaced by the use of collaboration tools as well as additional accesses to underlying applications.
However, some barriers to perform remote audit that we could still expect include:
- Language barriers
- Privacy regulations restricting cross border data transfers
- Need for planning with greater details
- Need to invest heavily in acquiring required skill sets
While bringing on board a Bot or employing some advanced data analytics techniques isn’t really a big deal, managing an ecosystem consisting of such technology is a challenge that needs to be addressed.
With digitization fuelling innovation and change, it is vital for internal audit to adopt and adjust to innovation and the use of underlying technologies in line with the new norm and the digital age. It is important to note that whilst the rate of such adoption is low at the moment, it is expected to grow exponentially in the near future.
One of the reasons for such low rate of adoption is lack of ownership and responsibility in an environment where audits are carried out by Bot. Another reason is the redundancy of skills like emotional intelligence, crucial conversations training, business partnering, etc. Instead, there is a requirement of different skills to operate in a different ecosystem.
Key Audit Skills need to be revamped to suit the requirements of the new-age audit.
The internal audit function is witnessing dynamic changes in recent times. Historically, one of the common complaints from an internal auditor has been unavailability of data. However, this has undergone a radical change since the invasion of technology, where there is abundance of data and the challenge is no more with obtaining data but how to use the data effectively. Every business, manufacturing and service alike, are generating huge volumes of data which is varied in nature.
Further, internal audit has always dealt with numerical data supported by text. However, with the advent of IoT’s, data lakes and biometrics and proliferation of the social media, data is now available in the form of audio, video and graphical apart from the other data sources at disposal. An interesting example is of security cameras which captures data every moment from different places and generates huge data points with voluminous video content. However, the use of this data source is still unexplored, although available.
Another example is in the form of facial recognition technology that can be used to evaluate how much time a person spends on his workspace. We can use such technology to enhance the attendance visibility.
A deeper dive into data analytics would bring up various business insights. Although from an audit point of view, identifying red flags remain our primary objective, a more detailed analysis of the data could be used to demonstrate some valuable business insights.
Audit Planning has evolved into a journey of monitoring data on a continuous basis and initiating an audit only when areas of concern are highlighted by such data.
While a traditional audit plan was drawn annually hoping to cover all the processes once in three years, it does not hold good for more modern audit methodologies including agile audits. Continuous, flexible and dynamic audit planning is the requirement of the day. This can be carried out in two parts – one by leveraging the historical data already available with the business and secondly by creating a system of record. A system of record is a form of dashboard which includes an understanding of the underlying systems, the applications, the data flow and interfaces. This process enables us to monitor huge sets of data in a continuous manner and when the risks are material enough, it is pulled into the audit plan. It is important to note that this is a contemporaneous and iterative process with continuous real time data flow.
Further, sharing the methodology of selecting audit areas and drafting of the audit plan with business owners can be of mutual help. Businesses would be ever ready to partner with the internal audit to harness the advantages in such techniques.
In essence, we will have an audit program which is continually in a state of flux based on the parameters being breached.
Methodologies and approaches for audit execution and reporting is set for a paradigm shift with the advent of multiple GRC tools.
With the GRC tools evolving rapidly in the growing chase to automation, there are various tools available in the market including RSA Archer, Laser, Auto Audit, to name a few.
Tools relating to data coverage and analysis require a three-layer set-up and some of the most popular tools in each layer are as below:
Database Layer: Access/Integration of Analytics Solutions to ERP systems
Data Analysis: Layer R Studio, Python, ACL, Altrix
Visualization: Layer Tableau, Power BI, Domo
While all tools serve the purpose, it is necessary to consider the size of the organization and type of risks expected to be managed. While cost is an important factor, the foundational requirements of the organizations which may in turn require customizations in the tool are to be considered.
As we step into the future, internal audit function should shift its focus from generating the best audit reports to providing best root cause analysis and sustainable business recommendations. The risk appetite of the management needs to be challenged to ensure that the shareholders’ trust is maintained. A mind-set to adopt digital solutions is the key to ensure that we utilise data efficiently to provide assurance and risk insights.