Internal Audit and Emerging Technology: The future of IT Audit
Midhun Menon P
Technology is both a blessing and a curse. During COVID lockdowns, many office workers began to work remotely, and businesses of all sizes began to market their products online. Virtual meetings became commonplace. Everyone learned to live and work in a more remote world.
While some people find the opportunities that technology creates endlessly exciting, others (often those in charge of monitoring, controlling, and ensuring that it is used safely, ethically, and in line with regulations) find it incomprehensible and threatening. Many internal audit teams have been struggling for several years to find people with IT audit expertise, and they are now under increasing pressure to use more technology, more effectively, in their audits. The rapid emergence of new technological developments, from AI to blockchain, adds to their concerns.
However, the complexity of auditing emerging technology in a new digital age should not be underestimated. Internal audit processes and methodologies that have been tried and tested are not obsolete. Internal auditors must comprehend what existing and emerging technologies do in their organizations, as well as what they will do in the future. They must also be aware of potential risks and gaps in assurance.
They can, however, accomplish much of this without specialized IT skills; as with all internal audit engagements, curiosity, imagination, and the ability to ask the right questions of the right people are essential. External assistance can be obtained for specialized areas, but all internal audit teams are likely to interact with emerging technology in some form and should take the time now to consider what this means for their business and audits.
Technologies in Development
Most internal audit teams are becoming acquainted with auditing technology that allows for remote work and well-established corporate IT systems, and many are beginning to use data analytics and Big Data to inform their audits. However, it is now critical to keep an eye on emerging technologies, which are still relatively uncommon but are expected to develop rapidly. Internal audit must stay one step ahead of any risks or assurance gaps that arise because of these technologies.
A recent survey of attendees at a Wolters Kluwer webinar on emerging technology found that 20% were using robotic process automation (RPA), 12% were using artificial intelligence (AI), and 3% were using blockchain technology. Significantly, half of the attendees said their organizations were not yet using any of these, while 15% said they were using more than one. Given how quickly technology advances, internal audit must understand what this means for their business, but most still have time to prepare.
Other examples range from virtual reality, the internet of things, bioinformatics, and natural language processing to quantum computing and 5G. RPA, AI, and blockchain are the most widely used and well-established, so these are the ones that internal auditors are most likely to have to audit shortly.
Internal auditors may be called upon to evaluate the strategic decision-making process when a company adopts new technology, but their work will be similar to that of other large corporate decisions. The main audit challenges are assessing any new risks that an emerging technology introduces into the organization once it is implemented, as well as how management monitors and controls these risks. As a result, the internal audit team must understand what the technologies will be used for, how they will be used, and by whom.
Risks associated with RPA
Risks associated with RPA, which is used to automate frequently repeated processes that are critical for day-to-day business, include inappropriate process selection, incorrect configuration, unexpected costs, security, inadequate performance, and change management.
One application of RPA could be a chatbot designed to filter common customer questions. Incorrect configuration may cause the bot to delay passing customers who require additional assistance to a human contact, alienating those customers. Inappropriate process selection may mean that a bot is used to answer questions that may indicate fraud or involve sensitive information that requires individual thought and attention.
Similarly, an RPA system may incur unanticipated costs if, for example, a bot replaces call center staff but then necessitates specialized maintenance and more skilled and expensive personnel to manage it. Other internal audit considerations include whether a bot handles sensitive data that is subject to privacy or other regulations and whether it regularly connects to organizations outside the corporate firewall, introducing new risks of breaches or misused data.
The sheer volume of data passing through an RPA system may necessitate the addition of new safeguards and checks. On the other end of the spectrum, it’s critical to monitor whether the system is functioning properly—that is, whether it can connect to all of the internal systems that it requires to provide meaningful, accurate answers to questions. The internal audit could also look at whether the IT team has enough experience, training, and resources to manage it.
The administration of an RPA system may also pose a risk. If it is used to automate an area where frequent changes are made, it may necessitate additional layers of processes each time, adding time, complexity, and the risk that people will cut corners.
AI’s most common risks
AI introduces a new set of risks. Data systems use numerous resources and, as a result, more entry points and connections are formed, increasing the potential risks. Physical risks may also exist if an organization uses AI in products such as autonomous vehicles or to detect when heavy machinery requires maintenance. AI could also be used to diagnose medical problems. If it is improperly configured or malfunctions, it may cause harm to people before the problem is identified.
Some risks overlap with those associated with other types of emerging technology; for example, data privacy is likely to be important when employing AI. Internal auditing should ensure that data used and shared have the explicit consent of data providers. Is this configured correctly and adequately controlled?
There have also been reports of AI systems being primed with data, which results in inherent bias. If a system is designed using data collected over a long period and is configured to make decisions based on prior rationale, it is likely to make similar decisions, which may reflect observed human biases from that period. Where such a system screens job applicants, for example, this increases the likelihood that a company will not only shortlist the wrong candidates but will also suffer reputational damage and possible legal costs. Internal auditing should look into how this is being tracked and whether bias is being identified, managed, and corrected.
Internal audit should also inquire about how the AI system can be modified if external circumstances drastically change. AI is designed to evolve and adapt, but only within the parameters that it is given. If the world changes quickly, as it did when the pandemic began, new parameters may be required.
Both intentional and unintentional failures must be considered. The more powerful and connected a system is, the more destructive it can be if misused, putting trade secrets, plant operations, and security at risk.
Common risks for Blockchain Technology
Blockchain’s strengths can also be its weaknesses. The inability to reverse transactions or access data without the necessary keys makes the system secure, but it also means that organizations must follow specific protocols and management processes to avoid being locked out and to have clear contingency plans.
Interoperability is essential for blockchain; it must be able to communicate with multiple internal and external systems. Internal audit must gain assurance that it can do so and that it is thus functioning properly. Because operating through network nodes exposes the organization to cyber-attacks and data hacks, security concerns are paramount.
Internal auditors should also ensure that the organization has the necessary data management processes in place and is in compliance with all applicable regulations. Because the regulatory landscape for blockchain is still evolving, audit teams should ensure that compliance managers are constantly monitoring developments and adapting processes accordingly.
Further risks stem from the organization’s transactions with unknown external organizations; auditors should inquire whether this could expose them to, for example, violations of anti-money-laundering legislation.
Programs for scoping out Emerging Technologies
All emerging technologies rely on interactions with internal and external systems. With each new connection, new risks are introduced. This is an evolution of the risks that internal audit considers when auditing existing IT systems, but the volume of data and system complexity are novel.
Furthermore, internal auditors should be aware of the critical importance of adequate security and backup procedures for encryption and keys.
Some emerging technology is governed by existing regulations, such as those governing privacy, but much remains unregulated or only lightly regulated. Internal auditors should expect regulations to change quickly.
Finally, rather than being distracted by their focus on emerging technology, internal audit teams should continue to monitor the overall health of their organization’s IT as usual. It is critical to find ways to blend the ongoing monitoring of old and new IT risks.
When asked what the most important factor was to consider when planning and scoping an audit of emerging technology, 62 percent of Teammate webinar attendees said it was awareness of the risks introduced by the technology. Their next most important concern was the alignment of new technology with enterprise strategy (23%), while 10% were concerned about a lack of subject matter experts.
Three-quarters of webinar participants said they currently outsource or co-source support for emerging technology audits. According to Jae Yeon Oh, one of the advantages of co-sourcing is that the audit team can learn from working alongside those with more experience. Only 11% of attendees had auditors with experience auditing emerging technology, and 23% admitted they did not audit it at all.