Top executives within organizations are always thinking about how they expand beyond their role. For chief audit executives (CAEs) specifically, the demand and necessity to do so has ebbed and flowed over the past decade, but it has picked up steam in recent years because of the increased expectation on CAEs to deliver more value. The ways CAEs can do this include being more strategic, having more of a business risk mindset rather than pure audit, and bringing business acumen to the table. But right up there with those three mandates is increasing adoption of technology by internal audit departments.
CAEs are facing a whole new set of challenges than just a few years ago. The regulatory changes thrust upon organizations is a huge challenge for trying to stay responsive, especially in highly regulated industries such as health care, banking, financial services, and oil and gas. And just this year, the Federal Reserve began requiring that banks with more than $10 billion in total assets have internal audit functions report straight to the CEO. NASDAQ is also considering making an internal audit function a requirement for being listed. Not to mention that more and more company information assets are being outsourced to places such as call centers, data hosting centers and back office processors. Though the financial cost for outsourcing may be modest, the data and intellectual property made available to these partners—R&D codes, medical data, and customer financial records—is invaluable.
Benefits and types of technology
So, how can technology help? The universe of risks has expanded to thousands of lines in Excel. From SKU to inventory to customer data files, there is just a massive amount of stored data (Big Data) to analyze. Where technology helps is in sorting through all of that information and analyzing what is most important.
Despite the tools available, the rate of adoption is fairly low and increasing at a slow pace. According to Grant Thornton’s third-annual CAE survey, 46 percent disagreed with the statement that their organization is using a governance, risk, or compliance (GRC) tool effectively; 78 percent are not using a tool at all.
Here are the main types of technology CAEs should consider:
- Data analytics (or business intelligence): The ability to quickly identify patterns, trends, and relationships in data with analytics makes this a common tool. According to the survey, 66 percent of respondents say it has a solid foothold in internal audit functions. Data analytics can also be used for forensic analysis, performance measurement, and predictive analysis.
- Regression: This is the automated testing of configuration settings that support business controls. It’s usually performed in collaboration with the IT department against automated controls across various business processes such as accounts receivable, commissions, inventory, purchasing, receiving, returns, sales, and shipping.
- Continuous auditing: This provides the ability to execute an audit efficiently, systematically, and continuously, and also enhances audit quality and stakeholder value. By leveraging technology and automated auditing tools, continuous auditing delivers value across the internal audit function. The best areas to automate are those with a large volume of daily transactions and high degree of conformity throughout the organization, such as shipping, invoicing, and accounts payable.
Implementing or increasing the rate of adoption of technology within your audit department primarily relies on talent. The best strategy is to have an empowering CAE who has broad and significant experience and hires technically talented people, many times who are more recent college graduates, to help revolutionize the function by more quickly leading the way to embracing technology. As a profession, we’re simply not moving the meter fast enough and we need motivation—something that can be driven by talented people who are eager to change things through the use of technology. If you hire the right skilled people and empower them to make that change, within 2-5 years you’ll be looking at a very different type of department.
In the meantime, you must provide training in these technologies so that every employee is proficient in technology to a reasonable degree. Not everyone needs to be an expert, but every employee in your department should at least be trained in the concepts around data analytics, IT risk, and cybersecurity. Of course there will be a subset of experts within that group, but it’s vitally important that none of your employees misses a risk or an event. Everyone should be able to identify where use of technology can be used to help mitigate risk and enhance control evaluation and monitoring.
In this new era of increased regulation and stricter demands on CAEs, internal audit departments will have to think about how to continue to modernize their practices and optimize their ability to deliver the increased value their stakeholders demand. One of the best ways to do this is through increased adoption of technology—by every employee in your department. It is only by doing this that the internal audit function can be elevated to a more strategic function within the organization.