GRC Tuesdays: Internal Audit 4.0
Like most other business processes, Internal Audit has changed radically since the establishment of the Institute of Internal Auditors (IIA) back in 1941.
Yes, I know that we can trace some “audits” back to ancient times, with record-keeping systems for receipts, disbursements and tax collection dating as far back as 4,000 B.C. but I don’t intend to go back to the Egyptian scribes and record keeping on stone… So let’s go back to the 40s instead.
Internal Audit 1.0
Ever since the end of World War II and the change in the business landscape, and even more so since the introduction of the Sarbanes-Oxley Act in 2002, internal audit has ramped up in efficiency and focus with improved standards, guidelines, etc. But the “tools” to perform these tasks were mostly paper-based.
To me, the first major change that leads to internal audit 1.0 is the introduction of software solutions specifically designed for audit purposes. These tools were initially “fat clients”, with the software and the data installed and residing on the user’s own machine.
On the plus side, this enabled easier harmonization of information and follow-up. But it also meant that information sharing was still ad hoc, with past audit information saved on storage devices that could be lost or corrupted over time.
Internal Audit 2.0
Fast forward now to 2002 and the inception of the Sarbanes-Oxley Act. Software vendors started focusing a lot of attention on internal control and audit tools. At the same time, new technology improvements helped developers move away from fat clients to full web solutions no longer hosted on a user’s machine.
This is a breakthrough for information sharing: many people can now work simultaneously on the same topic and collaborate. Consolidation of findings and recommendations also becomes much more efficient and instantaneous.
In addition, auditors can now send actions to the auditees to be filled in directly in the tool, which makes follow-up much easier.
Last but not least, this also supports better handover. If an auditor changes role, no work is lost over an exchanged floppy disk, Zip disk or USB key, and the replacement can easily and swiftly take over with access to all previous work, including drafts.
Internal Audit 3.0
Even if the internal control, risk management and audit processes were now digitalized, many companies realized that they were still siloed.
As early as 2006, the European Commission released a statutory audit directive intended for voluntary adoption within the European Union: the Three Lines of Defense framework.
And once again, professional organizations, including the IIA, supported this improvement by promoting the Three Lines of Defense model, where operational management, corporate risk and compliance, and independent assurance come together. I am sure you will have read a lot about this in these GRC Tuesdays blogs.
To support this approach, software vendors once again called in their developers, who worked on integrating the information from a variety of sources to present a single source of truth. The result is a self-correcting framework in which each line of defense collaborates with the others to continuously provide complete and reliable information.
This also gives management access to reconciled control, risk and audit information, so that it can get an overview of the situation at any given time and better decide on resource allocation.
Internal Audit 4.0
Just when we thought auditors had the tools that they needed, exciting new requirements surfaced, specifically with regard to going from sample to full-scope audit and, even better, moving from reactive to proactive auditing.
How does this work? By putting forensics tools that were previously used by fraud investigators at the service of audit teams.
With the Three Lines of Defense, auditors already had access to all risks, controls and assessments, but what about also checking the entire data set to identify anomalies and be able to offer course corrections?
With the high-volume data analysis technology available today, nothing is easier than enabling audit teams to do more, remotely, and with the same resources.
In this scenario, auditors create, or assign, detection strategies in the work program of an audit. These detection strategies make use of Big Data analytics capabilities to find irregularities in the data being audited. Should anomalies be detected, alerts are generated automatically and assigned to a working paper that is added to the work package of the audit. From the working paper, auditors can then use embedded investigative and management tools to further analyze each irregularity. Auditors can proceed as they would with any finding: issue a recommendation, assign action plans, follow up on the resolution, etc.
I am sure it won’t stop there and I can’t wait to see what Internal Audit 5.0 will bring us. I am already seeing AI being tested, with chatbots, machine learning, etc. supporting the audit process.
The technology is there, so why not use it?
What about you? What are your predictions for internal audit 5.0? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard.