The hypothetical case of the contemporary v the establishment: an alternative approach to the topic of digitalising the internal audit function.
There are many updates you can read on what digitalisation means, along with strategies, examples of digital technologies etc. One of the common threads is the assumption that chief audit executives (CAEs) are planning to ‘go digital’. Why wouldn’t they?
Is cost your real barrier? How do you justify your position to colleagues? Has it ever been talked about at the audit committee? There are more important issues after all. Or are there?
What follows are the salient points made during a fictitious court hearing which provides insight into two quite different perspectives.
The case of the contemporary argues for digitalisation. The person who invariably tells you about the book they’d read on the latest thinking about topic ‘x’ or the awesome gadget/upgrade that no-one should possibly live without. Maybe this is you? Maybe you know them?
And then there is the establishment. The person that buys a classic outfit that looks good regardless of fashions, uses technology that best fits their need even if that’s a Nokia 3310 and has been heard using the phrase ‘back in the day’. Do you identify with this?
Nature of the case
After some months of internal debate between two parties, the business concerned decided to seek formal adjudication to bring the matter to a close, thereby bringing the case of the contemporary accusing the establishment of being a technophobe to the mediation court. There was no jury.
Case for the contemporary
As the business world hurtles towards 2030, it is facing new threats as a matter of course, confidently taking risks and grasping the opportunities of new technologies. Internal audit also needs to be doing this.
Digitalisation is all about moving from analog to digital processes. The UK completed the digital switchover for TV broadcasting back in 2012, so why is digitalisation a discussion topic today rather than viewed as a fact of life? Everything is all about AI now - which assumes a high digital baseline.
There is no place for hard copy working papers in this day and age. It is illogical to train people to use a paper file rather than an electronic one. There are so many collaborative tools available to choose from today; surely one of them is suitable. Young people entering the profession expect a base level of technology in their working life, and if it’s not available, talent will walk.
We often hear of discrimination and steps to eradicate it such as gender pay gap or boardroom and ethnic diversity. The same can be said of digitalisation: auditors simply want to talk the talk and walk the walk of their contemporaries in other business functions, to have modern working practices. Working from anywhere using cloud-based systems means that as auditors we can be efficient and beat with the rhythm of the organisation - meeting with someone via a smartphone app rather than travelling to another location, working at the weekend to attend a school sports day in the week, working collaboratively on a document with colleagues in a different country. It’s not much to ask in the 21st Century.
Digitalising internal audit is not just about the next generation of digital working papers; it is about being able to provide the assurance that the organisation needs. How far into the future does the executive look for emerging risks? Can scenario modelling assist this? How can internal audit provide credible foresight if its own practices are old-fashioned?
Organisations are evolving their processes and systems much quicker than ever before due to the technologies available; we need to be providing timely assurance and also foresight. Predicting the future is a feat even for the best internal auditor, but foresight is more than prediction: it builds on insights for future preparedness. This may involve continuous auditing and key risk indicators.
Another fact of our society is big data. The data within organisations today is more voluminous and complex than ever before, requiring new approaches to analysis to understand trends, behaviours, patterns and linkages. Data analytics is no longer a tool for large audit teams or the IT geek; it’s an essential part of internal auditing. How can we be effective in assessing controls if we are behind the curve on what needs controlling?
There are many facets to internal audit, from strategic audits to financial controls, risk assessments to forensic audits; all can be consigned to the history books if they do not evolve and adapt with the latest techniques and developments. Fraudsters innovate as soon as new technology appears; so must internal auditors.
Your sector or even your organisation may have been an early adopter in the digital age but did your internal audit function take full advantage of this? Is the finance department working out how to take Bitcoin payments while internal audit are asking for a cheque to be raised for a conference? An extreme example but the point is made.
AI is part of the everyday for most organisations. As internal auditors we need to capitalise on the tools available to improve our insight into business operations/risk, and enhance both speed and precision in audit processes so that we can focus on the aspects of our work that require human judgement.
Alexa and Siri are household essentials. As the development of quantum computing grows ever closer we find ourselves hurtling towards synthetic intelligence, the Ex Machina or Data of our sci-fi films. How long will it be before RAI (robotic and audit intelligence) is as common as Siri and potentially we are left behind?
Case for the establishment
We have heard talk about ‘big’ data and ‘interconnectivity’ of risks but is this really anything new? Has this not been at the heart of internal audit activity since the beginning of the profession? What is an auditor that cannot make linkages between disparate pieces of information and concepts?
The profession has been talking about intensifying its use of data analytics for more years than most can even remember. The symbiotic relationship between data analysis and internal audit was identified long before the concept of digitalisation. However, turning that theory into reality for many functions is still a quest.
OK, so we are in the digital age but internal audit is still auditing. There are those, as we have heard, who believe that internal audit is at a critical point due to the advances in technology that are influencing business. Yes, these innovations will affect your organisations, changing ways of working, creating new industries, making some obsolete - this has been the natural cycle since before the industrial age. Look at how the wheel changed humankind.
Internal audit embraced technological advantages decades ago with the introduction of electronic working papers. There are a whole host of packages on the market to improve efficiency, enable communication and support data analytics, all of which were available before the current fad for digitalisation. This may sound like the argument of a Luddite, but far from it. Keep up to date with technology by all means; that’s no different to changing your car before it becomes unreliable. But recognise that at the end of the day it is just a car and will need changing again.
We would argue that while your organisation reacts, in this case to the latest buzzword that just happens to be ‘digitalisation’, internal audit should be taking a more measured approach and considering it in the context of the wider situation - political, environmental, sociological, technological, legislative and economic. Are we that dissatisfied with what we are doing? Have our stakeholders expressed dissatisfaction with our services?
Internal auditors are objective and independent. We should not be fashioned by the trends of business; that is the realm for the first and second lines of defense. We merely need to be proficient and apply due professional care. One can have knowledge and understanding of a heart operation without needing to perform the surgery oneself.
We need to be mindful that in the surge to go forwards we don’t end up going backwards to a time of 100% assurance through testing all transactions, not simply around key controls. The role of policeman is in the second line, not the third; should internal audit not be deploying data analytics more effectively?
Hardly any organisations are taking fewer risks due to external pressures, and the audit committee look to internal audit for assurance as to whether these are informed risks and how they are being managed. Audit committees expect us to be innovative, insightful and improve our practices but without seeking increases to our budgets, either financial or human. Fundamentally, as much as we might try to attribute revenue or savings to our work, internal audit is a business overhead; we therefore need to manage expectations in line with our organisation’s financial position. Should internal audit be asking for additional funding when the return on investment is subjective and any major change activity a distraction from doing the job we’re paid to do? Audit committees seek to reduce assurance gaps, not increase them.
Rather than scaremonger about some futuristic RAI, we should be focusing on exploiting technology to enhance our systematic, disciplined approach. We can capitalise on advances within our organisations, outsource arrangements or develop partnerships with other internal audit functions without necessitating some radical digitalised transformation of the profession.
Judge’s verdict
In drawing a conclusion to the proceedings the judge noted that there would be contingent factors to decision-making that would undoubtedly be unique to each internal audit function. It was also said that as a profession, regardless of sector, internal audit must accept that we are in an age of exponential data and technological advances. To the consternation of all parties, the judge did not favour one argument and instead left them all to consider the wisdom of the ancients to determine their own conclusion.
Questions for consideration
Some of the arguments may have resonated with you, elements of both or maybe one was more persuasive than the other. Ideally, it was a catalyst for thoughts and the following questions may help you to translate your thinking into action.
Questions to self
- How have I reacted to the digital world to date?
- Is there a difference between my social and professional use of social media?
- When do I normally engage with new technologies?
- What is my digital maturity? (if you are looking up the phrase then it’s not high!)
- What is my attitude to change? Do I embrace it or avoid it?
- Is internal audit in line with the digital maturity of the organisation?
- Where does digital sit within the strategy of the organisation? Is there a ‘transformation programme’? Are we on a journey or still in the station? What is our cloud strategy?
- Budgets aside, am I personally motivated to take internal audit on a digital journey?
Questions as a team
- What does digital maturity mean to you?
- How do we compare as a department to the rest of the organisation?
- Which functions/people are leading the way on this?
- What digitalisation benefits are we not getting today and why?
- If budget was no object, what should we be taking advantage of/doing differently that we don’t do today?
- Thinking ‘digital’ how could we be more efficient and/or effective in performing our audits?
- How do we think big data is playing out across our organisation? Does it apply to us?
- How well are we using data analytics?
- Do we need to have a/update our digital roadmap? What could different look like?
- Are we skilled enough to do this or know it’s complete? What training/support do we need?
Questions for the audit committee
- Should digital innovation be led by the business or IT?
- To what extent do you think that digitalisation is going to impact our business over the next five years?
- How well do you think the business understands its digital needs and associated risks?
- How technically competent do our auditors need to be?
- How does our digital maturity compare to that of other internal audit functions?
- What do you like about how we report information to you today?
- Taking existing capabilities aside, how would you prefer to receive information?
- Do other functions/directors provide information in a digital way that we could learn from? Conversely, if internal audit is leading, would the audit committee like the Chief Audit Executive to share technique with others?
- Where should data analytics sit in the organisation? For example scanning for errors in payroll data, looking for fraudulent supplier payments? Predominantly first, second or third line?
- Resourcing and skills aside, what balance between assurance, insight and foresight would you ideally like from internal audit?
"When the winds of change blow, some people build walls and others build windmills"
Chinese proverb