The New IIA Standards Are Raising the Bar for CAEs on Technology Strategies


With the new Global Internal Audit Standards coming into effect soon, internal audit leaders are implementing many of the updates outlined by The IIA. One new requirement that has garnered much attention is the need to create an Internal Audit strategic plan that encompasses every facet of internal audit, including the use of technology. 

While CAEs were simply encouraged to use technology in the past, now the focus has shifted to an expectation that the CAE will use technology strategically within the audit function and, more broadly, to facilitate collaboration across the organization. Internal audit’s use of technology is now considered an essential requirement that must be included in the CAE’s strategic plan, along with a budget for purchasing, implementing, maintaining, staffing, and training the end users.

Clearly, the use of technology is now a high-priority component that must be factored into the CAE’s plan and discussions with the board, and the use of technology will expand and become more entrenched in internal audit. This article guides the CAE through developing and implementing a technology strategy to ensure the audit function is well-equipped to meet the current and future challenges of their mandate and the requirements of the Standards.

Download AuditBoard’s IIA Standards Roadmap: 6 Practical Tips to Elevate Your Audit Function, and read on for:

  • Overview and significance of Standard 10.3 Technological Resources
  • 5 steps to document your technology strategy
  • Sample strategic plan for technology in internal audit

What Do the Standards Say About Technology?

The new Standards include a detailed section on technology in Standard 10.3 Technological Resources. In the Standard, CAEs must ensure the team has the technology they need to perform their work and “to improve effectiveness and efficiency.” This Standard echoes a statement in Standard 9.2 Internal Audit Strategy. In the Considerations for Implementation section, the Standards include “the introduction and application of technology when it improves the internal audit function’s efficiency and effectiveness” as an initiative to support the strategy. 

To understand the full meaning of this Standard, we have broken it down into three sections with some ideas on the significance of each section. 

1. Establishing and Evaluating Technology 

Standard 10.3 Technological Resources: The chief audit executive must strive to ensure that the internal audit function has technology to support the internal audit process. The chief audit executive must regularly evaluate the technology used by the internal audit function and pursue opportunities to improve effectiveness and efficiency.

By saying the CAE must strive to ensure technology is in place, The IIA makes this an essential element of the Standards. The Standard raises the bar by requiring the CAE to have a defined technology strategy and approach to using technology to improve the quality of the audit work. The CAE is even required to explain to the board how the team’s work is impacted by the lack of adequate technology, just as they would explain the need for additional staff to cover the highest risks to the organization. 

As part of the technology strategy, the CAE should consider the full ecosystem of technology available to the audit function, including audit management solutions, analytics and automation, generative AI, and supplementary technology to fill a specific need. Also, the Standard makes it clear that technology is constantly evolving, so the CAE must regularly reevaluate the function’s use of technology against the capabilities available to the team now and in the near future. A forward-looking CAE considers how the audit team can better use the technology currently in place within the department, the organization, and the market as a whole, and plans for technology in the future.

2. Training and Collaboration for Technology

Standard 10.3 Technological Resources: When implementing new technology, the chief audit executive must implement appropriate training for internal auditors in the effective use of technological resources. The chief audit executive must collaborate with the organization’s information technology and information security functions to implement technological resources properly.

This section makes two distinct statements. First, the CAE must ensure the team has the appropriate level of training to benefit the most from the technology. The availability of effective training should even be a consideration when choosing a technology vendor – considering factors like:

  • How intuitive the software is for initial adoption by the end users. 
  • Whether the vendor outsources training. 
  • Whether the training is provided by individuals who have used the software professionally, such as former auditors.
  • Whether trainers tailor the training by role, providing advanced training to those who support the applications and basic training for general users.
  • The option for self-service embedded training within the application, especially for remote workers. 

The CAE should consider the need for ongoing training as the team matures in their use of the software. For example, the team may need basic training for data analytics now, but after a year, they may be ready for more advanced functionality. 

The second statement reminds the CAE not to operate in a silo but to actively partner with the organization’s information technology (IT) and information security (IS) functions. This partnership includes many facets. To start, the CAE should never purchase or implement technology without engaging with the IT/IS teams to ensure the software meets the organization’s technical and security requirements. These teams likely have specific processes to follow to evaluate any potential vendor and software, and they will be involved in the technical installation and implementation of any technology the CAE selects.   

The partnership should also include sharing technology. Sometimes, the IT/IS teams already have access to technology the audit team could use. For example, the IT team may have already implemented automation within their processes. The audit team could leverage the current technology vendor’s contract and internal expertise to add automated testing to the strategic plan while speeding up internal adoption and usage. 

From a different perspective, the CAE is also required to collaborate with the information technology and information security functions on the use of audit and risk management solutions. CAEs should view this statement as an opening to discuss collaborating on a connected risk management platform that benefits all teams engaging in risk management activities. The IT and IS functions that report to the CISO and CTO are conducting risk assessments, and they could leverage the same technology that the internal audit team is exploring. 

3. Communicating the Impact of Technology Limitations

Standard 10.3 Technological Resources: The chief audit executive must communicate the impact of technology limitations on the effectiveness or efficiency of the internal audit function to the board and senior management.

The final section of this Standard requires the CAE to discuss the impact of technological limitations with the board and senior management. While this was not an explicit requirement in the past, some CAEs were having these discussions just as they would have discussed the impact of staffing shortages. Without audit management software, the team would operate inefficiently by manually compiling and reviewing workpapers and tracking issue remediation progress. Without data analytics technology, the team would not perform advanced testing for trends and patterns or have the option to test full populations.

Now, The IIA emphasizes the importance of technology by requiring this conversation at the highest level of the organization. They go further in the Considerations for Implementation section of the Standard by giving the CAE examples of information to share with the board/senior management:

  • Present a sufficiently supported technology funding request to the board/senior management to justify the need for the technology as a cost/benefit analysis.
  • Demonstrate realized benefits of technology to board/senior management so they can see the effectiveness of the budget allocation.
  • Articulate the current state of technology within the function, a desired future state, and the plan to reach the desired level of technological expertise within the strategic plan. 

Internal audit does not control the organization’s budget, so CAEs need to support their case when requesting a technology budget. The business case should clearly articulate pain points, explain how technology will help resolve the issues, and justify the cost of the technology in terms that are meaningful to the board and senior management. Return to them after the technology is in place to demonstrate how it generates the anticipated benefits. The new Standards require CAEs to formulate a comprehensive strategic plan with a well-defined technology component. By presenting the strategy to the board and senior management, along with a roadmap for success that includes people, processes, and technology, we will make it easier for them to buy into the strategy and allocate the funding we need to make it happen. 

5 Steps to Document Your Technology Strategy

Use the opportunity now to document the first iteration of the technology strategy. While deciding what content to include, you can start by referencing the Considerations for Implementation. This area of the Standard provides details on the types of technology to implement and how to build and deploy the technology plan. 

Standard 10.3 Technological Resources, Considerations for Implementation: The internal audit function should use technology to improve its effectiveness and efficiency. Examples of such technology include:

  • Audit management systems.
  • Governance, risk management, and control process mapping applications.
  • Tools that assist with data science and analytics.
  • Tools that assist with communication and collaboration.

To evaluate whether the internal audit function has technological resources to perform its responsibilities, the chief audit executive should:

  • Assess the feasibility of acquiring and implementing technology-enabled enhancements across the internal audit function’s processes.
  • Collaborate with other departments on shared governance, risk, and control management systems.
  • Present sufficiently supported technology funding requests to the board and senior management for approval.
  • Develop and implement plans to introduce approved technologies. Plans should include training internal auditors and demonstrating the realized benefits to the board and senior management.
  • Identify and respond to the risks that arise from technology use, including those related to information security and privacy of individual data.

Based on this section of the Standard, the CAE would likely follow a five-step process when considering the technology to include in the plan:

  1. Perform a gap assessment to identify technology limitations and opportunities to improve audit projects’ and workflows’ efficacy and efficiency. Then, perform a feasibility assessment to determine the cost and likelihood of success in implementing the new technology.
  2. Collaborate with other departments to ascertain interest in implementing a connected risk platform for shared governance, risk, and control management systems.
  3. Develop a fully supported business case for technology funding requests that require board and senior management approval. The case should demonstrate how the technology will improve assurance and address organizational risks.
  4. Develop an internal audit technology implementation plan that includes measurable KPIs and specific milestones and complies with organizational policy for introducing approved technologies.
  5. Identify and respond to technology risks specific to internal audit, including information security, data integrity, confidentiality, third-party data exposure, data retention, and privacy of individual data.

Below, we’ve created an example internal audit technology strategic plan to help you get started on your own technology planning efforts.

Example Strategic Plan for Technology in Internal Audit

I. Introduction

The technology strategy component of the Internal Audit Strategic Plan outlines the initiatives and steps to ensure the internal audit function leverages technology effectively and efficiently. The plan aligns with the IIA Global Standard 10.3, which mandates that the Chief Audit Executive (CAE) ensure appropriate technology support, regular evaluation, and ongoing improvement opportunities.

II. Vision and Objectives

  1. Vision: To utilize advanced technology to enhance the internal audit function’s effectiveness, efficiency, and accuracy.
  2. Objectives:
    • Integrate advanced technology to streamline audit processes.
    • Ensure continuous improvement in technology utilization.
    • Provide comprehensive training to internal audit staff.
    • Maintain collaboration with IT and information security functions.
    • Communicate technology limitations and advancements to the board and senior management.

III. Current Initiatives

  1. Audit Management Software Implementation:
    • Implementing AuditBoard’s OpsAudit audit management software to automate and streamline audit processes.
    • Integration with existing financial and operational systems for real-time data access.
    • Enable risk management collaboration with other internal assurance providers.
  2. Data Analytics Tools:
    • Utilizing data analytics tools to perform more effective and efficient audit tests.
    • Partnering with the Information Technology (IT) function to adopt the data analytics software already available through an existing vendor contract to reduce costs and speed adoption.
    • Training internal auditors in data analytics to improve their ability to detect anomalies and trends, with plans for annual training to expand our scope into more advanced analytics.
  3. Cloud Computing:
    • Migrating audit documentation and tools to cloud-based platforms for better accessibility and collaboration.
    • Reduce the workload of internal IT resources while maintaining or reducing current associated costs. 
  4. Cybersecurity Tools:
    • Incorporating advanced cybersecurity tools available through the Information Security function to protect audit data and ensure compliance with information security standards.

IV. Planned Initiatives

  1. Artificial Intelligence and Machine Learning:
    • Exploring AI and ML technologies to enhance audit planning, risk assessment, and anomaly detection.
    • Implementing AI-driven audit tools to automate repetitive audit tasks and improve real-time audit monitoring.
    • Researching advanced predictive analytics to identify future risks. 
  2. Robotic Process Automation (RPA):
    • Implementing RPA to automate routine audit tasks and increase audit coverage.

V. Training and Development

  1. Comprehensive Training Programs:
    • Developing training programs tailored to the new technologies implemented, including the audit management system, data analytics, and AI/ML in the future.
    • Ensuring all internal audit staff are proficient in using the existing and new tools and technologies.
  2. Continuous Learning:
    • Providing ongoing education and certification opportunities for internal auditors to stay updated with technological advancements.
  3. Skill Assessment:
    • Regularly assessing the technology skills and qualifications of the internal audit staff.
    • Identifying skill gaps and providing targeted training to bridge these gaps.
    • Encouraging and incentivizing certification in emerging technology areas. 

VI. Collaboration with IT and Information Security

  1. Joint Implementation:
    • Collaborating with IT and information security functions to ensure proper implementation and integration of technological resources.
    • Establishing joint teams to oversee technology projects affecting the internal audit function.
  2. Security and Compliance:
    • Ensuring that all implemented technologies comply with organizational and regulatory information security standards.
    • Conducting regular reviews to ensure ongoing compliance and security.

VII. Communication and Reporting

  1. Regular Updates:
    • Providing regular updates to the board and senior management on the status of technology initiatives.
    • Communicating any limitations or challenges in technology that impact the audit function’s effectiveness or efficiency.
  2. Impact Assessment:
    • Conducting impact assessments of new technologies on the internal audit processes.
    • Reporting the results to key stakeholders to ensure transparency and informed decision-making.

VIII. Documentation and Evidence

  1. Technology Implementation:
    • Internal Audit collaborates with IT for all technology purchases and implementations. 
    • We follow a Prepare, Design, Build, Deploy, Support model, with a preference for SaaS solutions from SOC 1 and SOC 2 compliant vendors.
    • We maintain records of the vendor selection process, the technology used, the training provided, and the impact on audit processes. 
  2. Policy and Procedures:
    • We comply with the organization’s Information Security Policy, Data Retention Policy, and Acceptable Use Policy.
    • We have developed policies and procedures for using technology in internal audit, which are documented in our Audit Manual.
    • Ensuring these policies are accessible to all internal audit staff and are regularly reviewed.

IX. Conclusion

This strategic plan aims to position the internal audit function at the forefront of technological advancements, ensuring that it remains effective, efficient, and capable of providing valuable insights and assurance to the organization. The CAE will strive to meet and exceed the technology standards required for a robust internal audit function through ongoing evaluation, collaboration, training, and communication.

Planning for the Future of Technology

Over the next ten years, technology will be heavily integrated into every aspect of our work, including internal audit and risk management functions. A well-developed technology strategy is critical for CAEs to identify, acquire, implement, and deploy the right technology at the right time. As we look to the future and plan for advancement, we can anticipate several key developments:

  • Artificial Intelligence (AI) will assume the majority of assurance tasks. 
  • Greater emphasis will be placed on AI governance, data integrity, and culture. 
  • Assurance teams will leverage advanced predictive analytics to identify potential risks and issues before these materialize. 
  • Talent strategies will emphasize diverse expertise, including data science and IT proficiency.
  • The three lines of defense will blend to expand beyond value protection and foster value creation.
  • Virtual reality and advanced communication tools will enable comprehensive reviews without physical presence.

As you document internal audit’s strategic plan and develop the technology strategy component, consider your team’s current technical capabilities and what it would take to incorporate existing technology and the technology on the horizon. If you do not have a technology strategy to deal with these rapid developments and the associated risks – there is no Plan B.


Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as Senior Advisor, Risk and Audit at AuditBoard. Previously, he served for over a decade as the president and CEO of The Institute of Internal Auditors (IIA). Connect with Richard on LinkedIn.

Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard. In his role, Tom meets, collaborates, and shares internal audit and connected risk strategies and tactics with the AuditBoard community and customers to help improve the practice of internal audit and how second and third line functions work together. Connect with Tom on LinkedIn.