Internal Audit in a New World

This article was previous published in the Institute of Internal Auditors website and has been reproduced with permission.

The impact of COVID-19 has advanced the internal audit profession to a world with high expectations of our profession. Boards, audit committees and executives have all experienced significant pressure and change in the last year. This has equally translated into a need for the internal audit profession to adapt and step up to assist as that agile trusted advisor.

Unfortunately, many Canadian internal audit functions did not have the chance to prove this and have been displaced by cost reduction and restructuring.

We are now in a different world, and therefore internal audit leaders and team members must also evolve to meet the current expectations, some of which involve learning new strategies, business models, technology and regulation in order to remain relevant.

The following are just a few examples of what have either changed forever or are now new to our profession.

Virtual testing and auditing

COVID-related restrictions have required internal audit functions to be more creative in how they accomplish their goals. For example, some industries or businesses with remote manufacturing or operations have acquired virtual video and mobile technology. This allows the internal audit team to instruct front-line industry workers to act as virtual auditors to collect information required for an audit, while following instructions from internal audit staff, such as instructing a remote manufacturing employee to conduct a physical inventory count.

Increasing reliance on systems, data, and artificial intelligence (AI) for real-time and continuous monitoring

Past audits which identified issues about, for example, violations of the code of conduct or specific rules related to health and safety, have driven new projects to use technology to implement continuous monitoring systems. Essentially, these continuous monitoring systems measure what the acceptable range is for every metric being tracked. When the actual metric ventures outside this range, it is then flagged for immediate review. One could call this an early warning system to prevent issues from growing into very material problems. For example, expense report continuous monitoring is becoming common. AI is advancing this monitoring to another level of higher accuracy.

Utilizing applied data (risk analytics) to solve material issues

Analytics have been proven to be effective at finding solutions to complex problems and identifying issues early with exact precision. It does not take much in terms of volume of transactions or complexity in testing for a data analytics approach to prove to be exceedingly more efficient and accurate than a manual, human-testing approach. A recent example is how it is now common for large scale capital construction projects to utilize analytics to test vendor billing accuracy, and to claim back for overbilling.

Outsmarting the sophistication of hackers

Easier said than done. Many hackers never stop innovating and finding new ways to break through even the most advanced security systems. It is certain cyber security will never stop being a material issue for business and government. For example, hackers know the COVID-19 pandemic has expedited change and digital transformation, all of which can weaken cyber security controls. It is not a surprise there has been a significant increase in hacking attempts using ransomware since the pandemic began.

Optimizing human productivity by replacing manual and repetitive tasks with robotic process automation (RPA)

As the world continues to rely on technology that collects data, the more we are able to leverage systems - the internet of things and the cloud - to have bots replace repetitive manual labour tasks. Resources are being asked to move towards higher skilled roles that add even more value and bot functions are quickly taking over boring and repetitive tasks. internal audit has the opportunity to provide advisory support to help management identify opportunities to apply RPA, but also has the ability to leverage the technology itself. Highly manual and repetitive audit processes may lend themselves to RPA to drive efficiencies, while reducing the risk of error in high volume, manual processes susceptible to human errors.

An entire new code of conduct for remote virtual workers and related fraud investigation techniques

A remote workforce with little opportunity to actively monitor has opened the door to workplace misconduct. How can employers know if remote working employees are taking drugs or consuming alcohol during work hours? Can employees access and distribute confidential, private or restricted data remotely? Companies must be aware of the most common risk scenarios and adapt to create new policies and controls that will minimize risk in the future. In the past, fraud investigators relied heavily on in person, face-to-face interview techniques. Today, this has been replaced with virtual interviews. Time will tell if this can be an effective way to conduct a fraud interview. To date, MNP’s forensic experts have confirmed they have been able to conduct effective virtual fraud investigation interviews. Many companies are turning to technology to help with fraud investigations, using data analytic and AI systems designed to uncover anomalies.

Dealing with the side effects of expedited digital transformation

The more extreme the change caused by digital transformation, the greater the chance historical controls may no longer be effective or efficient. Once consideration is if the business has sufficient data governance and management practices and controls in place to maintain the integrity of data and the quality of related decisions driven by it. Some business that have had to quickly implement new systems to maintain or enable supply chain or online sales models have seen many of their controls become ineffective immediately. This then requires the establishment of a whole new set of controls to maintain positive audits from regulators or external auditors.

Emerging critical reporting areas such as environment, social, and governance (ESG)

For many ESG is not a new subject. However, it is now of significant importance to investors, capital markets, and most consumers. Many companies are scrambling to understand the ESG expectations of investors, regulators, customers, and partners. In some industries and public companies, it can mean demise over time as capital is no longer available. There is also a growing focus on ESG reporting and compliance to soon-to-be enforced formal ESG reporting standards. It is quite probable companies will need annual ESG assurance audits in the future. Both International Financial Reporting Standards (IFRS) Foundation and Securities Commissions are looking at formal ESG reporting standards around the world. This may become as material as the Sarbanes-Oxley Act.

The critical need for data governance, management and security (avoiding privacy breaches)

Companies, organizations, and individuals are all exposed to the risk and liability associated with violating laws related to data; such as a hacker breaching personally identifiable data stored by your organization. Governments, regulators and law enforcement are all implementing rules, laws and penalties related to data breaches resulting from insufficient controls. Every organization should be asking what level of controls is considered reasonable. This would include asking if your organization have an inventory of where all restrictive, confidential and personally identifiable data is stored.

A never-ending world of training, education and upgrading skills

The pace of change has now exceeded the pace with which organizations and governments can help employees stay on top of critical skills and current needs. The good thing is there are ways to detect skill requirements by tracking related data and communicating near-term gaps in knowledge. Continuous monitoring of high-risk areas and associated metrics can act as an early warning indicator. It can also identify areas that require new skills and capabilities to audit effectively, such as testing cyber controls related to a SCADA system.

The world we live in will never go back to exactly the way it was before COVID-19, and therefore internal audit must change equally or more so to remain relevant and be able to maintain the role of a trusted advisor.

2021 will offer immense opportunities as the need for an internal audit function has never before been so important. MNP Enterprise Risk Services stands committed to supporting the internal audit community as it seizes these opportunities and rises to the challenge.

Contact

For more information, contact Richard Arthurs, National Leader, Internal Audit, at 587.702.5978 or [email protected].