Sponsored Content

4 key ways technology can help internal audit deliver more value to organisations

By Amrit Bains, AuditBoard EMEA Customer Success Manager

How can internal audit reimagine itself to stay relevant and provide more value? One aspect of the solution is inescapable: Internal auditors must embrace technology to not only ensure that they continue to provide assurance to their organisation, but also to provide more coverage with fewer resources. Nevertheless, many internal audit teams struggle to implement technology in ways that deliver this value. 

The approach that Bupa’s internal audit team has taken started with the creation of a “Digital by Default” strategy. An international healthcare company serving 60M+ customers, Bupa’s ~120-member audit team set out a goal in 2023 to achieve a “world class,” highly ambitious level of digitalisation of their internal audit function by 2025 year-end.

As part of my role at AuditBoard, I’ve been privileged to work closely with — and learn from — a Bupa team including Head of Internal Audit, Joana Berenguer Garcia, and Head of Analytics Assurance, Sachin Kapoor. Joana’s 18 years of experience span assurance, controls, international projects, and stakeholder management, making her a fantastic leader for Bupa’s digitalisation initiatives. Sachin, with 15 years’ experience implementing analytics, data science, and other digital solutions, is pivotal in helping the team leverage technology more effectively.

Earlier this year, I led an insightful panel during which Joana and Sachin shared best practices learnt from Bupa’s digitalisation journey. Their actionable ideas exemplify four key ways technology can help internal auditors deliver more value to organisations.

1. Improve decision-making and documentation

Internal auditors make countless decisions during an audit. Proper documentation, including evidence of review, is therefore essential. In order to effectively facilitate this, Bupa’s Decisions and Judgements (D&J) logs capture the thought process behind scope, analytics, fieldwork, and interpretations of testing results and observations. 

Previously, log creation, review/approval, and storage were manual processes, viewed as administrative tasks and often conducted at audit close. But technology has helped the team reimagine the D&J process as a valuable, decision-making tool embedded throughout the audit. 

Now, automated workflows for these processes are aligned with Bupa’s path to digitalisation. The D&J field embedded within the audit worksteps makes it simple to record decisions in real time, and the increased transparency helps the full team visualise the decisions made at each step. Said Joana, “we really believe that documenting the decisions — and the rationale behind those decisions — helps the team feel more accountable, empowered, and confident in their approaches.”

2. Enhance stakeholder engagement and accountability

Effective dialogue and early engagement around areas of risk are critical to a constructive audit process and beneficial outcomes for both auditor and auditee. Management Self-Assessments (MSAs) enable Bupa’s business stakeholders to provide their own assessments of control environments under review, including the declaration of any control gaps or weaknesses and the sharing of action plans. Joana believes that MSAs are a “valuable indicator of risk culture, giving us a sense of stakeholders’ self-awareness regarding their control environment and maturity,” in addition to giving internal audit a broader view of the processes they’re auditing. 

Historically, however, Bupa’s MSA process was highly manual, as templates were shared via email, meaning review and follow-up was also a laborious process. As a result, the team often faced delays in receiving and processing MSAs, slowing the start of fieldwork. This was therefore quickly identified as a key stakeholder interaction to benefit from efficiencies through automation. 

Post-digitalisation, automated workflows make it simple for the team to create and distribute user-friendly MSA forms to stakeholders, and completed MSAs are automatically sent for review/signoff and stored when final. Due dates in the system hold stakeholders accountable, automating follow-up, increasing on-time completion, and freeing up capacity. Technology also enabled increased collaboration, as Joana notes: “If more than one stakeholder needs to populate the MSA, they can input information simultaneously.”

3. Embed repeatable analytics in the audit lifecycle

Analytics are integral to Bupa’s audit methodology. Said Sachin, “Every single audit on the plan must consider using analytics techniques by default or provide a rationale if otherwise.” 

Bupa’s prior audit management system (AMS), however, didn’t embed analytics throughout the audit lifecycle or allow consistent mapping of analytics testing to business controls and audit outcomes. Plus, initial adoption proved counterproductive, as “reporting was quite manual and cumbersome, decreasing auditors’ efficiency with increased adoption of analytics,” explained Sachin. 

Today, automated worksteps, embedded analytics, and intuitive templates have increased efficiency, consistency, repeatability, and adoption. Analytics are seamlessly mapped to controls and outcomes, and easy extraction fast-tracks analysis and reporting. 

“The impact has been massive. It has increased assurance coverage. It has also provided deeper insights, because we have moved away from traditional ways of auditing to rely upon more full population testing approaches. Our auditors feel empowered to apply analytics techniques, allowing them to explore the art of the possible,” said Sachin. “It also helps in smoothing audit outcomes and discussions with stakeholders, helping them understand how the data led to the findings and management action plans.”

4. Improve audit coverage and consistency

Internal audit has implemented a framework to review a set of global audit thematics (e.g., data, third parties, risk culture) in all the audits. Reviewing these themes is mandatory as it ensures adequate and consistent coverage of Bupa’s key risks, and Joana explained that “these themes give us a lot of data and conclusions, which allows us to create half-year and year-end global insights that we report in committees and stakeholder conversations.” 

Audit themes and the related questions need to be reviewed annually to ensure they are still relevant. Frustratingly, the previous AMS didn’t permit Bupa’s team to update themes on their own. Also, Themes were typically assessed at audit close. “We really believe thematics should be part of fieldwork, so testing can be done during the audit,” says Joana.

Now, the audit structure embeds a user-friendly “themes” form. Themes are included by default, and the team can autonomously make changes. Joana added, “We can also extract data much more easily from the system, allowing us to enhance our reporting capabilities.”

Embrace technology to enhance value 

Process improvement is core to internal audit’s value proposition in the modern age. The key is pairing technology with auditor-driven innovation. “Collaboration between auditors and technology is instrumental,” said Sachin, as it can lead to “innovative new solutions or make existing solutions more efficient.” He also recommended augmenting assurance coverage planning with real-time, analytics-enabled monitoring, which is critical in helping organisations quickly detect and respond to risk events and predict and prevent control gaps.

The bottom line, Sachin says, is to "not shy away from adopting digital solutions.” Internal audit’s ongoing relevance and value demand it.