Building Better Internal Audit Services Through Analytics, Process Mining, AI, and More
This article originally appeared on the Chartered IIA Technical Blog.
One of the great inhibitors of greater technology adoption among internal audit leaders is not knowing where to start. It can feel overwhelming and often comes with a sense we are already late to the party.
Other functions — HR, marketing, finance, customer services — have had their digital transformations. In Part 1 of this post, we explored internal auditing’s relationship with technology and debunked common misconceptions. Now, in Part 2, we explore specific applications for internal auditing, from elementary to more advanced ones.
Whether you are already progressing with your digital transformation or have yet to take the plunge, there is an imperative for continuous improvement. We hope to inspire you with some practical solutions.
Easy Wins to Start the Digital Transformation Journey
A good starting place is to identify available internal and external datasets. After you validate their quality, there is probably much you can leverage for planning and fieldwork. Internal audit functions often build data warehouses and engage with data governance forums, enabling better insights for clients and audit committees.
It’s not just about technology. Applying our understanding of patterns can yield some ready insights. For example, from Benford’s law, we know that the likelihood of a digit (i.e., numbers 1–9) being a leading significant digit decreases as the size of the digit increases. For example, 1 appears in first position about 30% of the time, 9, less than 5%. Datasets that don’t conform to this pattern are unlikely to occur naturally. This principle can help detect fraud using a simple Excel spreadsheet, allowing us to apply our time to areas of higher likelihood of error and fraud instead of investigating routine safe transactions.
Analytics, Process Mining, Artificial Intelligence (AI), and More: 7 Ideas to Advance Your Audit Technology Journey
In its latest Next-Generation Internal Audit report, Protiviti notes that “functions that are more active in their pursuit and use of data and technology, as well as innovation more broadly, tend to be more successful in attracting and retaining talent, and their resources tend to have more aptitude in and enthusiasm toward enabling tech and other next-gen capabilities.”
Protiviti also offers, shown below, a model of the hallmarks of Next-Generation Internal Audit functions.
1. Governance
For a function to be successful, innovation must be part of its long-term plan and integral to its vision and strategies for talent management, team structure, and resourcing. The primary goal is to integrate strategy and innovation — distinct yet mutually supportive elements — to enhance the success of Next-Generation Internal Audit functions. In order to achieve this, the right investment in resources needs to be made. This includes upskilling personnel, dedicating time to innovation activities, and working with the right external partners.
2. Aligned, Agile, and Impactful
Adoption of best practices is a prerequisite for impactful technological enablement. The function should be aligned with organisational goals, priorities, and risks and be responsive to change. It should also embrace agile approaches, continuous monitoring, dynamic risk assessment and planning, streamlined operations, and client-friendly report formats.
3. Intelligent Audit Management Through Advanced Analytics
Advanced analytics capabilities are enabled through a suite of technologies that provide the functionality to acquire, transform, analyse, and report on potential exceptions efficiently and effectively. Supporting technologies are used to accomplish the following functions:
- Data Management: automate the collection, cleansing and enrichment of data from multiple systems.
- Analysis: provide rule-based descriptive and diagnostic rules, filters and threshold-based anomalies.
- Advanced Analytics and Statistics: perform predictive and prescriptive analytics, and data science capabilities.
The results of data analytic tests can be integrated into an audit management or GRC platform, which can act as a central repository of all audit tests. Newer applications like Alteryx and Snowflake can be added through out-of-the-box integration. For example, the AuditBoard platform allows users to conduct data analytics tests, map scripts to various financial and ERP systems, extract information, and store scripts, data, and workpapers within the same environment.
4. Data Visualisation
Data visualisation is not just about producing attractive reports. It supports better audit fieldwork, provides easier ways to navigate and analyse data, and enables enhanced communication of deeper insights with greater impact when presenting findings to management.
Excel contains some very effective analytical and graphical tools. Greater sophistication comes with data visualisation packages (e.g., Power BI, Tableau, Qlik). These can be used across the whole audit cycle to identify trends and highlight where the auditor needs to focus.
Data visualisation doesn’t stop with static images. Dynamic and interactive dashboards are much more powerful for both audit and management. They can be custom-designed and passed on to the client. Dashboards can support continuous risk monitoring, sampling, and auditing. Some auditors fear this is too close to performing management roles, but if handled carefully, it increases our attentiveness to changing conditions.
5. Process Mining
Both data analytics and process mining involve the analysis of data, but the latter is a particular application to business processes. Process mining can highlight how routine processes (such as accounts payable) are working while identifying bottlenecks, deviations, single points of failure, inefficiencies, and potential circumvention of key controls. While data analytics can help you find the needle in the haystack, process mining will help you find how the needle got there in the first place.
Process mining technologies (e.g., Celonis, Microsoft Process Advisor, SAP Signavio) are highly useful when conducting walk-throughs, enabling users to view and evaluate whole datasets over multiple years. Like dashboards, these tools can be left with the business for continuous application.
6. Data Science, Cognitive Analytics, and Large Language Models (LLMs)
The recent technological advancements in the field of AI are fundamentally reshaping how organisations operate. Although usually late adopters, internal auditors are increasingly leveraging these advancements to refine their methodologies, improve efficiency, and broaden their risk assessment capabilities. Key among these advancements are data science, machine learning (ML), cognitive analytics, and Large Language Models (LLMs).
Utilising data science techniques, internal audit functions can identify and predict patterns, trends, and anomalies in structured and unstructured data. This capability to uncover the hidden narratives within the data enables auditors to identify potential risks and issues before they manifest into significant problems.
Cognitive analytics is the application of AI and ML to extrapolate historical, formulating intelligent predictions with applications for dynamic risk assessment by forecasting where errors, noncompliance, and other weaknesses might occur.
LLMs like ChatGPT, trained on vast datasets, can generate human-like text, enabling them to perform a broad range of tasks such as answering questions, writing reports, summarising text, and even generating code. In the context of internal audit, the possibilities are endless. One particularly potent use case for LLMs could be to review and interpret complicated policies and procedures and to provide clear, understandable explanations.
7. Robotic Process Automation (RPA)
RPA software such as UiPath or Power Automate can be used to automate manual activities, freeing up audit time for more complex, high-value tasks. They offer ready-to-use interfaces to build scripts and run tests for deviations over multiple transactions with the advantage of keeping data together as one source of truth.
Cloud-based audit management technology can harness RPA to streamline the audit process from end to end by automating workflows and routine tasks, such as updating records, preparing documents, generating standard reports, and sending emails. Advantages include superior document management, real-time collaboration, automated workpapers, remote monitoring, enhanced security, and seamless stakeholder communication.
Strategizing Your Adoption of Technology
We encourage you to make technology adoption one of your top priorities.
- Take a planned approach.
- Embrace change.
- Experiment with technology and be playful, involving everyone.
- Secure buy-in.
- Be mindful of the importance of integration of datasets and technologies, security requirements, and compliance with regulations.
- Add more value by passing tools back to the client.
ChatGPT won’t make you redundant. Technology like it will take on administrative tasks, but the human element of critical thinking is the creative spark behind meaningful insight. Remember, the most important part of a stethoscope is what’s between the earpieces.
Enjoy the journey.
Further Reading: Chartered IIA Members can access a range of Chartered Institute guidance on digital topics and data analytics.
Al Mawji, CMIIA, is a Senior Director, Partnerships UK&I at AuditBoard. An experienced audit and risk professional with over 20 years of experience, Al spent the last 10 years as a Chief Internal Auditor at Brookfield Asset Management in New York. Connect with Al on LinkedIn.
Alex Psarras is an Associate Director in Internal Audit and Financial Advisory at Protiviti. Since 2010, he has been working closely with clients to align internal audit and GRC functions with their objectives, helping them bridge the gap between risk, data, and technology. Connect with Alex on LinkedIn.