AIG’s Naohiro Mouri Envisions the Future State of Audit Automation

AIG’s Naohiro Mouri Envisions the Future State of Audit Automation

Join Richard Chambers for a new episode of his Agents of Change video series, featuring conversations with internal audit leaders from some of the world’s most prominent organizations about innovation in the profession.

In this episode, Richard sits down with Naohiro Mouri, EVP and Chief Auditor at AIG, to discuss his team’s cutting-edge approach to internal audit analytics and automation that creates opportunities to add significant value to the organization, including:

  • How his tech-savvy internal audit function has stepped up to support business transformation.
  • How his team leverages automation in the audit process to share data-driven insights from full-population testing.
  • Why being relationship-centric requires the courage to be honest. 
  • What the audit automation future state will look like 10 years down the road.

Watch the full conversation, and read the can’t-miss highlights below.

Naohiro Mouri, EVP and Chief Auditor at AIG, shares how his team’s creative approaches to audit automation are providing data-driven insights for the business.

How a Tech-Savvy Internal Audit Function Supports a Transforming Business

Richard Chambers: In my book, “Agents of Change,” I took the position that internal auditors should seek to drive change in their organizations. What’s your view about internal auditors as change agents and how would you define a change agent?

Naohiro Mouri: I think being a change agent is a very important and, in my view, attractive element of being an internal auditor because internal audit covers every facet of the organization that it audits. In AIG, one of the highest expectations that we have in internal audit is to stay with the business and then help them to transform because AIG itself is transforming as a company. So we have a very important role to play to help the business transform itself.

For example, we spend one-third of the time looking at change reviews. Change reviews could potentially mean pre- and post-implementation of all the transformation, playing a quality assurance role for the projects that they perform or they implement, which is very different from the regular audit role that we play. We also play a part on the steering committees, providing real-time insight and advice to the project management team so that they can remediate things as they go, rather than coming after the fact — because by the time you find things, it’s too late, the change has already been made. So we have to make changes as they go along, and that’s really helping us to propel our position in the organization.

For audit, we’re trying to automate audit testing so that it actually happens in real-time or near-time with full-population testing. We no longer test sample days. I’m happy to have achieved close to half of our testing with full population, which means that we find everything that needs to be found. This is a huge benefit for us to help the business to find fraud, irregularities, and errors. Based on the information that we have, we can even in some cases predict what could potentially happen in the future, which is forward-looking testing. All of those things, in my dictionary, are part of that agent of change role.

AIG’s Cutting-Edge Approach to Analytics and Automating Audit Testing

Richard Chambers: You have been talking about some of the innovations and technology advancements that you’ve been driving in the internal audit function at AIG. Before we have any real credibility in our organizations as agents of change helping our companies and our enterprises improve, we have to start by improving internal audit — and you’ve been able to already articulate some of the things you’ve done there. Can you talk a little more about what you and your team have done around RPA and what do you think the future looks like for that?

Naohiro Mouri: The value-added process is the analytics piece: looking at the inside trends and finding things through data.

Gathering and testing data — those are operational processes, which can be automated. Extracting data directly from the source and creating an algorithm to just run it through that — that’s all RPA. Once you’ve built the bots, then you have to maintain them, which actually takes an equal amount of effort when the underlying technologies continue to change. It’s great for a stable organization where your underlying technology — your data architecture — doesn’t change. Then you create bots and they just keep running, self-sufficient and with very little change management. However, for organizations like us at AIG, which is continuing to transform itself, it’s very difficult to create something that lasts long-term. Therefore we shifted to using more nimble and flexible tools… as long as you have the right access to the data and timely access, then you can do real-time testing.

We are also pushing the boundary between the three lines. Now we are trying to embed audit testing modules into some of the applications that are available to us. Say, a client portal, where a client puts in their data — insurance policies, claims processes. If we are able to embed testing in these applications, we no longer have to go to the client and ask for data because we have first-hand data. And then that audit testing module will test itself, so it is becoming almost part of the process and control.

Definitely, there’s a bright future in building RPA. What it requires for the auditor is to behave slightly differently than before, because before RPA, before automation, auditors could just do walkthroughs, understand the control and then take a sample and test it. Now they have to have a very deep understanding of what the business does and where the data lies and then the exact instance of the application that they use so that they can go to the source data. Straight from there, what they want to test is another thing that they need to think about, which requires much deeper thought and understanding of the business, and which helps us to be much better auditors. Those are the things that we find through the process in RPA, but definitely RPA is the future, automation is the future for us.

Leveraging Technology to Respond to Change

Richard Chambers: We’re coming to the point where soon it will be two years that we’ve been in the COVID pandemic.. What role has technology played in getting you and your team through these events of the past two years? Has it helped you and your organization be more responsive to change?

Naohiro Mouri: Without technology — without having the video conferencing capacity and direct access to the data — we would not be able to perform any of the functions that we do. Now, clearly technology still doesn’t enable us to look over someone’s shoulder when they’re processing something, that only happens in person. We are yet to get to that point. Other than that, the majority of the things that we’ve been doing in internal auditing can be done through technology.

Being Relationship-Centric Requires Courage to be Honest

Richard Chambers: In the book, “Agents of Change,” the four characteristics that CAEs believe an internal auditor needs to have to be an agent of change in the 21st century are business acumen, a strategic mindset, being relationship-centric, and being innovative. Are there others you would add beyond those?

Naohiro Mouri: Yes, just this one thing: No surprises to anyone. That’s probably part of being relationship-centric, but I’ve seen so many auditors fail because they felt things were right to do, but they didn’t actually talk to people before they did it. That surprised people and unfortunately put them in a very difficult position. So I always work with the team because we’re part of the team. Our job is to help achieve management’s objectives, to enhance controls, to better serve our customers. As long as you maintain that objective and clear goals, I think you’ll be fine.

Richard Chambers: Good point on no surprises. When I ask audit committee members and even CEOs what they are looking for from internal audit, the most common thing I hear is “no surprises.” They don’t like to see something happen that they didn’t have any clue was a major risk. It’s a high expectation for internal audit and one that’s tough to live up to, but it is part of the landscape and it’s something we have to be effective at.

Naohiro Mouri: One other thing, Richard — you always talk about courage or being honest. Some of the things that we deal with are painful, people don’t want to hear it, but you have to be courageous enough to put that in front of your CEO or your management team and say, “This is what I see, what do you think?” And if you can’t do that, I think people don’t recognize you as a valuable team member.

What the Audit Automation Future State Will Look Like

Richard Chambers: If asked you to pull out a crystal ball and look ahead, what are the major developments that you think over the next 10 years could happen with this profession? Or maybe what would you like to see happen for the internal audit profession in the decade ahead?

Naohiro Mouri: I want auditors to be more consultative. I expect consulting activities to be a lot bigger. Obviously everything has to be based on assurance, but assurance, like I said, can be automated. When you automate assurance, then you can use that data or information to better serve your clients by providing much more accurate and timely insight and advice. And you can really help to create the environment where audit becomes part of the process. I know that this could be a controversial conversation because we always don’t want to be part of the process, but we are, because some businesses do depend on audit to find things. Obviously controls belong to the first line, but our job is to help them to find things and then provide remediation efforts. Now, we’re not going to help them to do things for them, but through the audit process we build tools and automation consoles, and we can certainly provide those data to the first and second line.

I do expect the second line and third line will come closer and closer, because if we can perform real-time or near-time full population testing for every key critical control that we have in our organization, that’s very much risk monitoring on operational processes. That’s what the second line should be doing. Our job is to test, the second line doesn’t test. That’s the distinction, but otherwise, we can come into the office in the morning and then look at however many controls that we’re in charge of — let’s say 20, 30, 40, 50 controls — that show up on your screen and voila, it’s been tested overnight by the machine and you get the benefit of actually using that result and talking to the stakeholders about what you see in control breakdown. That’s the future that I see.