IS INTERNAL AUDIT BEING DISTRACTED BY CONSULTANTS BEARING SPARKLING NEW TOYS?
09 Apr 2019
Norman Marks, a very experienced internal auditor and thought leader for internal auditing based in the USA, takes issue with the recent PwC study on internal audit, Elevating internal audit’s role: The digitally fit function (2019 State of the Internal Audit Profession Study).
PwC starts quite well, he says, acknowledging that disruptive technology and the need to address it have been around for decades.
“Organisations are rapidly rolling out digital initiatives in an arena defined by more data, more automation, sophisticated cyberattacks, and constantly evolving customer expectations. In some ways — for internal audit functions — the situation is not new: technology risks and controls have already been on their agendas for decades, and most can reliably deliver a technology audit”.
But then they go wrong, contends Marks.
“But digital rollouts heighten risks beyond the technology itself”.
He cannot comprehend this statement. The risk has always been the effect of a technology-related issue on the business, not the technology itself. There’s nothing new here at all!
“This has been true for as long as I (Marks) have been around auditing (and that’s a very long time)”.
Some internal audit functions have become the owners and operators of detective controls. They have implemented analytics that test the data rather than assessing whether management has the right controls in place.
Tests of all transactions can quantify the extent of a design weakness in a process, but they should not be used as a detective control.
Until recently, the consultants (including PwC) had been advising internal audit teams to use analytics – without first advising them to determine whether there is a need (that is, a risk on which assurance is required and where the analytics would add value). Now they are pushing something called RPA. This is what PwC says:
“When it comes to using emerging technologies within their function, many internal audit functions struggle to find the fit. For example, 54% of internal audit functions are either unsure of or do not plan to use AI within the next two years. Even RPA use is questioned: 49% do not plan to use RPA or are unsure how they will use it. But not Dynamics: 37% use RPA currently, and another 45% plan to do so within two years. [PwC uses the term ‘Dynamics’ to refer to the audit functions that meet PwC’s vision of digitally fit.]”
RPA stands for robotic process automation.
PwC is not the only consulting firm to push RPA for internal audit. Deloitte has a paper, Adopting automation in internal audit. KPMG has shared Intelligent automation and internal audit.
The problem is that while these bots can detect an error, detecting errors is a management role, not an internal audit role.
They are detective controls!
Internal audit functions should not limit themselves to auditing past (or even current) transactions.
- They should be auditing the controls that provide assurance that current and future transactions will be handled properly.
- They should be providing assurance that management has controls in place to address risk, not performing the controls themselves.
- They should provide assurance, advice, and insight on today and tomorrow rather than the past.
Consider the example cited by PwC:
For one company, testing to see whether terminated employees’ system access rights were being removed in a timely manner was a highly manual process. It required using a lookup function from three disparate data sources for each IT application, which took the audit team 100 hours to test 20 instances of the control. With RPA, a bot was built in 40 hours that performs in seven hours the previously manual processes. By automating many stages of the test except human review, testing hours greatly reduced, and coverage expanded from a sample basis to full populations, which provides greater assurance.
This company confirmed that terminated employees no longer had system access rights.
But did they assess whether management had appropriate controls in place that were operating effectively? No.
Did they assess whether the rights were removed in a timely manner? No.
Just because the data was clean doesn’t mean that the right controls were in place to ensure it was clean. It is possible that a manager scrubbed the employees’ access rights 30 minutes before the auditors ran their test.
Instead, the internal audit team should have asked management how they, management, ensured employees’ access rights were removed promptly upon termination. They would then have assessed and tested those controls.
If they felt the need, perhaps because the controls were not strong, to develop analytics (or RPA) to test access, they would have passed that technology on for management to use on a continuing basis – as a detective control.
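To make the distinction concrete, here is an added example (not from the article or from PwC’s study) using constructed data: a point-in-time check of the kind the bot performed, beside a timeliness check of the control itself. The three source names, the one-day SLA and the sample records are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data standing in for the three sources the PwC example mentions:
# HR terminations, the application's current account list, and its access-change log.
HR_TERMINATIONS = {                     # employee_id -> termination date (constructed)
    "E100": datetime(2019, 3, 1),
    "E101": datetime(2019, 3, 4),
    "E102": datetime(2019, 3, 10),
    "E103": datetime(2019, 3, 12),
    "E104": datetime(2019, 3, 5),
}
ACTIVE_ACCOUNTS = {"E102", "E200"}      # accounts enabled at test time; E200 is a current employee
ACCESS_LOG = [                          # (employee_id, event, timestamp), constructed revocation log
    ("E100", "disabled", datetime(2019, 3, 1, 17, 0)),
    ("E101", "disabled", datetime(2019, 3, 28, 9, 30)),   # removed, but 24 days after termination
    ("E103", "disabled", datetime(2019, 3, 12, 16, 0)),
]
SLA = timedelta(days=1)                 # assumed deprovisioning target: within one day


def state_check():
    """Point-in-time test: which terminated employees still hold an enabled account?
    This is all the bot in the example establishes, and it says nothing about timeliness."""
    return sorted(e for e in HR_TERMINATIONS if e in ACTIVE_ACCOUNTS)


def timeliness_check(sla=SLA):
    """Control test: for each terminated employee, was access removed within the SLA?
    Returns employee_id -> 'ok' | 'late' | 'never' | 'unrecorded'."""
    disabled_at = {e: ts for e, ev, ts in ACCESS_LOG if ev == "disabled"}
    findings = {}
    for emp, term in HR_TERMINATIONS.items():
        ts = disabled_at.get(emp)
        if ts is None:
            # No revocation event: either access is still live, or it was removed with
            # no audit trail (the "scrubbed 30 minutes before the test" case).
            findings[emp] = "never" if emp in ACTIVE_ACCOUNTS else "unrecorded"
        else:
            findings[emp] = "ok" if ts - term <= sla else "late"
    return findings


if __name__ == "__main__":
    print("still enabled:", state_check())            # the data looks almost clean
    print("control findings:", timeliness_check())    # but the control did not operate for E101/E104
```

The state check reports a single live account, while the timeliness check also surfaces a late removal and a removal with no evidence, which is the difference between testing data and testing a control.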
But let’s get some things straight:
- Internal audit’s job is to provide assurance, advice, and insight – not to perform detective controls.
- Internal audit needs to identify the risks to address and only then the tools appropriate for the task – and not the other way around.