Enterprises are growing in size and across geographies, due in part to technologies brought forth by the Fourth Industrial Revolution (Industry 4.0) such as artificial intelligence (AI), digital manufacturing, the Internet of Things (IoT), data science and analytics, machine learning (ML) and big data. To help organizations sustain this fast-paced growth, the performance and resilience of enterprise IT systems and controls must be assured by internal and external audit and assurance partners. As assurance partners, audit teams play a significant role in supporting the digital transformation taking place worldwide. Such assurance must be provided on the design and operating effectiveness of internal controls and the identification of potential sources of technological, operational, legal and regulatory, human resource (HR) and environmental governance risk. Guidance on how IT can protect the organization from such risk should be provided during trust-assuring audit activities. In doing so, audit teams will function as advisory partners in addition to assurance partners.
Rethinking Audit to Support Digital Transformation
The internal audit function can add value to the organization by identifying potential risk factors of the increase in digitization and their impact. Internal audit teams should focus on providing assurance for the effective governance of digital transformation driven by organizations to achieve business objectives. To be an effective assurance partner during fast-paced digital transformation, internal audit teams must reengineer their own operating models and develop new capabilities. There are new/alternative auditing methods being used by global organizations that can help organizations keep up with the risk assurance related to digital transformation efforts.
Risk-Based Audit Planning
Due to the overwhelming need for assurance, audit teams must conduct multiple audits in a calendar year. In doing so, audit teams could face the risk of providing inadequate or inaccurate assurance due to:
- Lack of continuous monitoring and continuous auditing—Organizations are unable to identify risk proactively and frequently. This will lead to exposure to unexpected and significant serious risk.
- Flawed audit approaches—Inadequate and inappropriate professional skepticism, lack of audit documentation, overreliance on certain forms of audit evidence and weak risk assessment are some of the flawed audit techniques that may result in audit failures.
- Unskilled audit teams—Without having adequate subject matter expertise, skills, and knowledge of the latest audit techniques, auditors become mere checklist-driven auditors who are unable to help in planning and executing audit engagements in a way that can add real value to clients.
- Lack of adherence to global audit standards—Adherence to global auditing standards will help the audit team ensure that audit results are consistent, valid and trustworthy.
- Ineffective, lengthy audit procedures—Most contemporary audit organizations spend a significant amount of time executing lengthy standards-driven audit programs using checklists purchased externally, which tends to significantly extend the audit period. To avoid this trap, audit organizations should develop their own customized audit programs and checklists aligned with the needs of their unique audit engagements.
- Lack of technology used in audit engagements—The use of appropriate technologies in audit engagements makes audits more effective. For example, using data analytics in the audit engagement eliminates audit sampling-related constraints. Process mining technology used in audit engagements helps develop models that demonstrate how the enterprise processes work in reality. Emerging technologies such as AI, data analytics, data visualization, robotic process automation (RPA), and other technologies are expected to be tools used by internal audit departments in the future. However, the skills challenge remains. In a recent global survey, internal audit leaders indicated that the area in which they have the largest talent and skills gap is enabling technology, including advanced analytics, automation, ML, AI and process mining.1
The digital transformation of audit practices can improve the capabilities of internal audit teams in quantifying audit observations for management.
The Chartered Institute of Internal Auditors (CIIA) defines risk-based internal auditing as:
A methodology that links internal auditing to an organization’s overall risk framework. The salient feature of risk-based auditing is placing the risk universe at the center of the audit planning with the focus on addressing high priority risks faced by the organization.2
Risk-based audit planning includes analyzing all relevant sources of risk faced by the enterprise and its audit teams and presenting risk-based audit approaches to chief audit executives. Before creating the annual audit plan, the organizationwide risk register should be reviewed thoroughly to prioritize risk areas. Based on prioritized risk areas, audits for the year can be finalized for the annual audit plan. Risk-based auditing can help drive safe, reliable digital transformation by proactively identifying the potential risk associated with the digital transformation efforts. In addition, the digital transformation of audit practices can improve the capabilities of internal audit teams in quantifying audit observations for management.
Leveraging Audit Analytics
With the help of data analytics, algorithms and structured and unstructured data elements, a significant volume of matching data sets can be analyzed effectively by the internal audit team and audit results can be delivered in a timely manner.3
Utilizing audit analytics has several benefits, including:
- Improved understanding of business operations and the various risk sources faced by the enterprise (e.g., potential for fraud)
- Increased potential for detecting material misstatements that help address audit sampling-related risk
- Improved communication with audit clients
In the past, audit analytics were performed only in a descriptive manner with the use of primitive predictive methodologies (e.g., linear regression). Due to the emergence of ML, contemporary auditors now have access to predictive audit analytics solutions. Instead of focusing on what happened, auditors can now infer what can and will happen with the help of descriptive and predictive audit analytics solutions available in the industry.4
Audit analytics can also be used to perform other audit procedures, such as control testing. Analytical procedures required by generally accepted auditing standards (GAAS) are addressed in AU-C section 520 of the American Institute of Certified Institute Public Accountants (AICPA) Analytical Procedures.5 Audit standards and current trends mandated by the International Auditing and Assurance Standards Board (IAASB), the US Sarbanes-Oxley Act of 2002 (SOX) or environmental and social governance (ESG) can also be referenced as needed. While performing internal audits of operational technology (OT) environments, data elements produced by various touchpoints should be collected in a format that allows the audit team to apply well-defined audit analytics algorithms during analysis. Statistical or nonstatistical sampling methods can be used to collect audit evidence as appropriate and as convenient. In addition, the touchpoints available in OT environments producing various data elements should also be audited from a security perspective to identify relevant security risk.
The audit department’s highest priority should be supporting management’s objectives by auditing the most critical risk areas of the organization.
AI and ML for Auditing
The amount and complexity of information assets owned by organizations increases along with digital transformation efforts. Thus, the use of traditional audit techniques may not be effective for discovering fraudulent transactions and other potential risk sources to which the enterprise is exposed with new and complex digital transformation. To overcome this risk, audit teams must include technology practices such as AI, ML and data science.
ML is a subset of AI practices aimed at teaching machines to learn in a similar manner to humans. There are two major types of ML: supervised learning and unsupervised learning. Supervised learning is an ML approach based on the use of labeled inputs and outputs designed to train machines to predict outcomes more accurately. Using labeled inputs and outputs, the ML algorithm measures its accuracy and learns over time. By using ML in collaboration with analytics, audit teams can verify the integrity of various data elements before the application processes them. With the help of analytics and ML techniques, the audit team can clean the data elements and monitor the outliers by comparing data elements with the rest of the data population. Implementation of ML algorithms can improve and transform the auditing profession just as it is expected to transform every other industry in the ongoing Industry 4.0 transformation.6
ML capabilities, when used effectively in internal auditing, can aggregate the large volume of financial-and operations-related data elements from different systems maintained by organizations. These data elements serve as potential evidence of successful implementation of preventive and detective controls in organizations.
Transforming Traditional Auditing Into Agile and Lean Practices
New and disruptive technologies are transforming the technology landscape for organizations worldwide. Due to the multitude of information sources, large databases, and data storage/backups, organizations have initiated the use of big data environments. Internal audit teams should monitor and audit these environments continuously from data quality and reliability perspectives using new approaches supported by data analytics solutions. Internal audits should also be designed with a focus on testing detective controls for identifying risk related to data and its potential occurrence. This can be done by identifying the design and implementation effectiveness of preventive controls. But these audits should have a holistic objective of identifying all the potential risk factors that exist, rather than identifying the risk in silos.
As large chunks of data get generated in big data environments, risk related to data quality, data accuracy, data reliability and security cannot be validated using conventional audit methods. To address this effectively on an ongoing basis, Agile audit methods need to be adopted. Agile auditing is an audit approach used for planning and executing audits in shorter life cycles with the objective of identifying and addressing the most urgent risk factors faced by the enterprise in its digital transformation journey. The Agile approach can be adopted effectively for audit activities such as risk assessment, audit planning, field work and reporting. Critical principles to be considered when planning and delivering Agile audits include:
- The audit department’s highest priority should be supporting management’s objectives by auditing the most critical risk areas of the organization.
- Auditors should accept changes in areas to be audited even during the audit planning phase.
- Insights should be delivered to the audit committee periodically and to clients on an ongoing basis.
- Clients and auditors should work together throughout the audit engagement.
- Individuals responsible for audit engagements should be identified and supported.
- In-person meetings with clients should be conducted frequently.
- While the audit is underway, timely insights related to the status of the risk and control environment should be provided to senior leadership.
- Risk is best understood by maintaining seamless communication with various lines of defense within the enterprise, such as risk management and security teams.
- Audit team members should strive to continuously enhance their skill sets to enhance the agility of audits.
- Audit scope should not be expanded in an uncontrolled manner. Simplicity is key.
- Self-managing teams composed of motivated and skilled individuals should be formed and maintained.
- Audit team members should receive continuous training to equip themselves with sought-after skills for audit engagements (e.g., training in fraud analytics, ML).
Agile auditing essentially mirrors the popular Scrum method used by Agile software development teams to achieve excellence in the development life cycle with a focus on project management activities. Scrum practices may include the designation of a Scrum master, the use of visual dashboards and the conducting of daily stand-up meetings. Using a structured Agile method such as Scrum helps audit teams transition their traditional audit practice into an Agile audit practice.7
‘Leanifying’ Audits
Lean auditing is an effective method of adding more value and efficiency into audit engagements. The concept of Lean originated from the automotive giant Toyota and its massive Toyota Production System (TPS).8 Toyota introduced Lean methods aiming to identify and remove all non-value-added activities in the auto manufacturing life cycle, covering the exhaustive supply chain of Toyota. Unlike global competitors such as General Motors (GM), Toyota manufactures large volumes of cars in small environments and with limited investments using a Lean manufacturing approach. A Lean approach can help audit departments realize multiple benefits:
- Less audit evidence and control testing required
- Fewer audit meetings and reduced inaccuracy in audit observations
- Lower audit costs and less lead time
- Improvements in customer satisfaction, productivity, effective utilization of audit staff capacity, responsiveness and quality of the audit engagements
Adopting a Lean audit approach can help reengineer and improve the performance of the audit function by enhancing the value delivered and improving the productivity of audit team members.9
Introducing Audit 4.0
Industry 4.0 transformation focuses on the use of transformative technologies such as AI, ML, data analytics and robotic process automation (RPA), all of which are used for data collection, communication and analysis. The Audit 4.0 transformation (figure 1) must mimic Industry 4.0 transformation to better enable audit functions in collecting, analyzing, modeling and visualizing data and providing effective and efficient assurance in real time. The Audit 4.0 transformation will lead to the increased use of automated procedures and evolved auditor skills. Audit team members must learn to adapt to the significant changes driven by emerging technologies to enhance the scope of their audit engagements, shorten audit duration, improve accuracy and deliver robust assurance to the enterprise. To achieve these objectives, auditors must be technically trained to support digitized audit processes. Adequate professional development strategies for audit team members need to be planned accordingly.
Continuous Auditing
To support fast-paced, dynamic digital transformation and Audit 4.0, audit executives should adopt a continuous auditing methodology when planning and executing audits. Continuous auditing is an audit approach that examines risk and control environments, regulatory compliance mandates, IT ecosystems and business processes on an ongoing basis. Continuous audits are generally technology-driven and designed to automate error checking and data verification in real time and without leaving any gaps. With continuous auditing methodology, selected critical business transactions or key controls are tested continuously based on predetermined criteria. This approach helps audit teams discover dynamically emerging risk in key business processes and communicate it to their clients in real time.
Conclusion
Chief audit executives should review their teams’ current practices on an ongoing basis and introduce any necessary improvements into the audit methodology and audit charter to improve performance metrics and strengthen the customer feedback loop. Each completed audit engagement should be evaluated for its value delivery toward achieving the strategic goals and objectives of the enterprise. New technologies and methods such as audit analytics, AI, ML, risk-based auditing, continuous auditing, and Agile and Lean auditing must be practiced to ensure the delivery of an optimum level of assurance by audit teams. In addition, new value propositions aligned to Industry 4.0 transformation should be developed by the audit teams. This helps enterprises gain assurance on the efficacy of their risk and control environments in successfully identifying and addressing the new breeds of risk that are emerging due to Industry 4.0 and digital transformation.
Endnotes
1 Protiviti, Internal Auditing Around the World Volume 18: The Future of Work Is Here, USA, 2022, http://www.protiviti.com/us-en/survey/internal-auditing-around-world
2 Claypole, A.; “Six Compelling Reasons to Take a Risk-Based Audit Approach,” Ideagen, 31 January 2022, http://www.ideagen.com/thought-leadership/blog/6-compelling-reasons-to-take-a-risk-based-audit-approach
3 Chen, J.; M. Talha; “Audit Data Analysis and Application Based on Correlation Analysis Algorithm,” Computational and Mathematical Methods in Medicine, 15 November 2021, http://www.ncbi.nlm.nih.gov/pmc/articles/PMC8608501/
4 Vasarhelyi, M. A.; S. Cho; A. Cheong; C. Zhang; “Smart Audit: The Digital Transformation of Audit,” Medium, 7 February 2020, http://medium.com/ecajournal/smart-audit-the-digital-transformation-of-audit-b283e1653bd4
5 The American Institute of Certified Public Accountants (AICPA), Analytical Procedures, USA, 2021, http://us.aicpa.org/content/dam/aicpa/research/standards/auditattest/downloadabledocuments/au-c-00520.pdf
6 Dickey, G.; S. Blanke; L. Seaton; “Machine Learning in Auditing: Current and Future Applications,” The CPA Journal, June 2019, http://www.cpajournal.com/2019/06/19/machine-learning-in-auditing/
7 Lucas, C.; “Agile Auditing Using Scrum Techniques,” Internal Auditor, 21 February 2022, http://internalauditor.theiia.org/en/articles/2022/february/agile-auditing-using-scrum-techniques/
8 Robert C. Byrd Institute (RCBI), “Lean Manufacturing Made Toyota the Success Story it Is Today,” Marshall University, Huntington, West Virginia, USA, http://www.rcbi.org/lean-manufacturing-made-toyota-the-success-story-it-is-today/
9 Chartered Institute of Internal Auditors (IIA), “Lean Auditing,” 22 September 2020, http://www.iia.org.uk/resources/delivering-internal-audit/lean-auditing/?downloadPdf=true
VIMAL MANI | CISA, CISM, SIX SIGMA BLACK BELT
Is the head of the information security department of Bank of Sharjah. He is responsible for the bank’s end-to-end cybersecurity program, coordinating cybersecurity efforts within the banking operations spread across the Middle East. Mani is also responsible for coordinating bankwide cybersecurity strategy and standards, leading periodic security risk assessment efforts, incident investigations and resolution, and coordinating the bank’s security awareness and training programs. He is an active member of the ISACA® Dubai (United Arab Emirates) Chapter. He can be reached at vimal.consultant@gmail.com.