Internal audit needs to understand the risks and opportunities that emerging technologies can deliver — not just for their organizations, but for their own work. 

Internal auditors have a mandate to innovate and embrace the many new technologies available to them.

It is rare for internal auditors to admit they don’t want to embrace innovation, but some concede that the profession generally has been slow — or reluctant — to see the potential of artificial intelligence, machine learning, and other cutting-edge technologies in improving audit work and enabling auditors to provide assurance on a broader range of activities.

Experts agree, however, that internal audit has no choice but to embrace IT solutions based on these technologies. “Internal audit and risk functions need to adopt these tools or they risk becoming irrelevant,” says Nassos Economopoulos, global head of cloud and emerging technology risk at financial services firm HSBC in London.

Internal auditors should automatically recognize their importance to audit work and adopt them as standard, says Jon Taber, internal audit manager at convenience store retailer Casey’s, based in Ankeny, Iowa. “All internal auditors should be looking at how they can use these technologies as part of their everyday work. Many of them are not difficult to adopt, and they require very little training — if any,” he says. “If auditors are not using them, they should be prepared to explain why not.

Limitless Opportunity

Some experts see only upsides to leveraging the technologies. Daniel Hulme, CEO at London-based AI technology firm Satalia, says AI-based technologies have enabled more effective task automation, greater human representation through chatbots and avatars, the ability to drill deeper into data, and more complex decision-making.

Hulme says “the sky’s the limit” in terms of how  internal audit can benefit from their use. For example, AI can help internal audit across most aspects of its transformation to become completely agile and adaptable, especially with regard to getting the most out of the audit team and the workforce at large by getting the right people in the right place at the right time to meet changing needs, he says. Basic technology such as Excel just cannot possibly deliver on those goals quickly enough.

“Proper workforce optimization requires technology that can deliver more of the objectives while honoring the constraints,” he says. If you rely on manual processes and basic technology, “people are poorly matched, costs are higher than necessary, and widespread dissatisfaction among staff quickly sets in,” he says.

Kapish Vanvaria, Americas Risk Markets leader for professional services firm EY, based in Philadelphia, says that while internal auditors are already using data and analytics as part of their work, current advances in technology means much more can be accomplished across the end-to-end life cycle from planning to reporting. He says a data-driven approach to internal audit allows for greater efficiency, risk coverage, and advanced insights as risk identification is improved and expanded by adopting new data inputs. Furthermore, he says, the same technologies could be leveraged to evaluate larger sums of data much more efficiently.

“This changes the approach to audit planning from a finite process review and allows a shift toward continuous monitoring,” Vanvaria says. “Linking continuous monitoring to key risk indicators and the company’s risk universe also enables a risk-based approach to audit planning and execution rather than relying on the traditional site-based process reviews. At the same time, longer term predictive trending — rather than detective controls — allows for a forward-looking view of risk.”

The Business Case

Despite the opportunities that adopting new and emerging technologies may deliver, audit functions are conscious that asking for access to these tools entails a cost, which can mean a difficult conversation with management to ask for more money in a volatile (even depressed) economic market and at a time when budgets are being either frozen or cut.

Economopoulos says the first step is to present a business case as to what internal audit can use the technologies for and how they will benefit both the function and the organization. Another possibility is to borrow people from other parts of the business who have experience with these technologies to either assist in some aspects of audit (or risk) work or to teach the audit team how they can be used. A further option is for internal audit departments to request access to these tools from other departments within the organization that are already using them, which saves the organization money.

The key, he says, “is not to try to achieve too much at the beginning. Start small, get results, and build up progress, as well as capability and confidence. Build a reiterative innovation cycle, experiment, apply, learn, and start again. Also, try to leverage existing technologies as much as possible — there often is so much more you can do with the tools already at hand.”

Nancy Hom, head of strategic planning, data, and analytics for Internal Audit at insurer MetLife in New York, says being an early adopter of new and emerging technologies can be costly if the CAE is not clear about how that new technology meets business needs. Before making an investment, MetLife’s internal audit function looks at four key considerations.

First, she says, the team drills down into what problems it is trying to solve and why the technology is necessary. Second, it assesses what impact the technology will have— for example, will the new tool provide step-change or incremental improvement to the user experience, audit efficiency, or efficacy? Third, it looks at interoperability to see how connected the community of users are around this technology and how easily it might integrate with existing tools. Finally, the audit function looks at the cost and what the return on investment might be over time. 

“Applying these considerations objectively will direct you to the most impactful audit work that is fit for your purpose and situation,” Hom says. “The key is to show decision-makers, using real data, that investing in a certain tool will return ‘X’ percentage of time back to auditors to perform even more value-added activities. Performing a ‘proof of concept’ exercise before investing can also help decision-making and convert the skeptics.” Hom says MetLife’s audit function carried out such an exercise to see if chatbot technology could work for it. The internal auditors were experiencing inefficiency and frustration in getting answers to common questions related to audit methodology, policy, and guidance. They either sent emails to the audit operations team for help or had to manually search the intranet for clarity. 

“The chatbot we ultimately adopted can answer 200+ commonly asked audit questions quickly and accurately,” she says. “We were clear on the problem to solve: The impact was improving user experience while aligning to enterprise needs.” Taber recommends CAEs embrace open-source AI and machine-learning technologies as a way for internal audit teams to embrace new innovations without breaking the budget. “These technologies are usually quite intuitive, so they require very little training and are extremely useful,” he says. “If the IT team says they are safe to use, internal auditors would be missing a trick not to take advantage of them.” 

Taber offers as an example the AI language technology Generative Pre-trained Transformer, which is the basis of the revolutionary new ChatGPT platform. Taber says GPT allows users to ask things like “how do we best do a treasury audit,” and it will provide a range of answers. “Although not all of the results may be relevant or appropriate, the software can produce enough useful recommendations to at least start a conversation and provide some direction,” he says.

The Right Approach

Taber says the best way for auditors to dip their toes into using innovative technologies is to use them for simple audit tasks first. “Try using these tools for routine audit work first so that you get an idea of their ease of use and the speed at which you can do the work to the required standard,” he says. “Once you can see the benefits and understand how to realize them, you can then consider using them for other less common or more difficult audit tasks.”

However, Taber cautions CAEs against trying to impress management too quickly with new tools they are unfamiliar with. “Don’t overpromise anything or get too ambitious, too early,” he says. “Think about what audit tasks you could perform with these tools and why it makes sense to do so. Don’t just jump in and say that you are going to perform new tasks you’ve never done before just because you think you have the tools to do so — you are at risk of setting yourself up for a fall,” he says.

Alexander Rühle, CEO and co-founder of software vendor Zapliance, based in Hamburg, Germany, takes a slightly different view. He says it is important that internal auditors “start early and fast, and fail fast.” “It’s important not to start with a one-solution-fits-all approach,” he says.

“Instead, move forward piece by piece on tasks that you would normally do, so that you understand what the technology can do, how you can get the best from it, and how the results compare to the usual way you carry out the work,” he says. “That way, if you fail, it’s only a minor issue and it is much easier to correct going forward.”

Be Strategic

Some experts say internal audit needs to think more widely about how the function’s processes can be improved by adopting new technologies, as well as consider the strategic implications that can be achieved through the use of these tools. “You will undermine the benefits associated with these kinds of technologies if you don’t think about what part of the audit process you intend to use them for, the results you want to see, and how you measure success,” says Jason Ackerman, manager, Professional Practices and Innovation, Group Internal Audit at the World Bank Group in Washington, D.C. “You also need to consider how these technologies will help deliver the internal audit function’s strategic plan and what percentage of the budget is necessary to upskill colleagues, plus procure, deploy, and maintain both the technology and the related processes.”

Ackerman says CAEs also need to remember the benefits will take time to fully realize. “Innovation is a journey,” he says. “The positive changes created by these technologies may be incremental at first. Anyone who thinks they will act as a quick fix will likely be disappointed.”

Put in the Work

Another point that internal auditors should remember is to “focus less on trying to incorporate tech into audits and more on understanding the technologies,” says Andrew Clark, co-founder and chief technology officer of Monitaur, an AI governance software company in Boston. “Internal auditors talk a lot about innovation and feel left out that they don’t get to use new technologies,” he says. “But they have not put enough emphasis on learning how the technologies work and where the risk points are.”

Clark says some auditors “think it’s a lot more fun to buy a cool new widget than it is to put in the hard yards to actually learn the hows and the whys” that underpin how the technology works. Internal audit needs to understand what makes the technology tick and treat understanding programming as a skill just like reading a balance sheet, he says. Until then, “internal auditors will always feel like they are playing catch-up.”

Prepare to Pivot

Other factors also play a role in ensuring success in audit innovation — chief among them is the ability for auditors to question whether they can continue to deliver value if they don’t adapt. According to Hom, successful innovation requires an open mindset to challenge what exists and a willingness to try new ideas, learn, and potentially fail.

“Auditors need to challenge the status quo and ask more questions like ‘Why do we do it this way?’ and ‘Is there a better way?’ as these questions open up new experimentation opportunities,” Hom says. “We need to enable our teams to pursue new ideas and ways of working. By creating a safe place to experiment, associates will have a positive experience, leading to more motivation to flex this new muscle.”

Likewise, she says, auditors should be prepared to pull the plug if the technology does not deliver. “It can feel tough to abandon a strategy or course of action when you’ve invested in it,” she says, but “if a new tool fails to generate the benefits or savings you anticipated, you should pivot and move on.” 

It is clear that internal audit needs to understand the risks and opportunities that emerging technologies can deliver — not just for their organizations, but for their own work. As more assurance is expected with tightening budgets, internal audit’s failure to adopt cutting-edge AI-based tools as part of their remit dents the function’s effectiveness and its reputation — especially given the speed and depth of coverage these technologies provide.