“Internal audit is process improvement and optimisation,” says ICAEW member Abigail Harper, who sits on ICAEW’s internal audit panel. She is an internal audit expert, specialising in the hospitality industry.
“We, as Internal Auditors, perform health checks on processes within the business, and make recommendations for how the design could be improved and verify that the process is working effectively and efficiently. Where appropriate, we encourage businesses to embrace artificial intelligence as it can create a stronger control environment for managing risk. This may benefit organisations by preventing human error and streamlining data exchange between functions, which facilitates better informed decision making.”
Harper points out that during an audit, automated controls need less testing than manual controls, which reduces the administrative burden on management and creates a faster and more efficient audit. Embracing data analytics provides facts to support decision making, which can give organisations competitive advantage and deliver cost savings, generating long term value. Once established, it can deliver data scenarios faster and far beyond the capability of the most sophisticated spreadsheets. Increasing the use of technology to support decision making in simple routine tasks reduces the testing requirements for an audit. This helps organisations to get the most out of their Internal Audit teams, by freeing up time to focus on providing assurance around judgemental decisions or higher risk areas.
Harper points out that the strengths of artificial intelligence lie in fact-checking and data-tracking, but notes “when it comes to strategic decision-making you can never fully replace the human element, especially for areas that are more subjective”.
She continues: “When you are looking at the controls around due diligence for suppliers, you can use artificial intelligence to collect data, such as credit score ratings, Environmental, Social and Governance (ESG) questionnaires, and queries around capacity and scalability to support growth plans, but a decision can still be made by a human. Thresholds and criteria can be built within systems which, when met, suppliers are automatically approved. However, there will always be instances where you have to discuss the exceptions and make decisions.” This can be applied broadly – such as employee hiring scenarios or performing employee and supplier performance reviews.
Embracing artificial intelligence does not need to be complex. For example, Covid-19 forced many organisations to take up video calling. Adopting such technology has given staff the ability to work from home effectively and keep organisations operational. Furthermore, it has reduced the need for extensive international travel – helping organisations to meet or exceed their ESG targets. ESG targets need to be science-based so that performance can be measured accurately. Artificial intelligence can support this by reducing subjectivity in performance ratings, bolstering Internal Audit’s ability to provide assurance.
Harper concedes that most businesses still use spreadsheets, which can still be used effectively to pull and analyse data. However, the analysis is only as good as the data – so it is important that the right controls are in place to ensure the data is complete, accurate, and flows between systems smoothly. This is an area where most organisations have weak controls. Data integrity can be improved by locking cells and formulas so that they can’t be changed, password protecting documents when they are being emailed (especially when sending sensitive data such as payroll!) and incorporating simple macros such as time, date, and signature stamps for review. In addition to such recommendations, the Internal Audit team can use technology to validate spreadsheet integrity quickly.
There are tools on the market where spreadsheets can be uploaded and screened – revealing insights such as which cells are locked, where a formula has been manually overridden, and where data has been changed. In such systems, there is a range of reports which can be run to quickly analyse spreadsheet integrity, which is beneficial for large data sets as a comprehensive and time-efficient approach.
Although technology can be used to enhance business processes by making them easier to audit, technology can also be used to enhance internal audit methodology and ways of working. For example, tracking open actions in a spreadsheet, and gathering supporting evidence to close actions can be a tedious task. This can be replaced by a system where management can log into their actions and upload evidence. This provides a real-time tracking system, where actions cannot be closed by the Internal Audit team without review of supporting evidence, and evidence is saved in a central location for easy access.
Workflows can be automated to support reviews during the fieldwork and reporting stages, where version control can be clearly evidenced. Systems can now even link to risk management activities, where key risk trends can be analysed and used to inform the internal audit plan, and systems can be used to plan, assign, and reassign audits to team members, accommodating any change in timescales or team members. This removes the administrative burden and reduces the risk of human error, improving the efficiency of operations.
The march towards automation has accelerated rapidly over the last five years. “There are more data analytics tools on the market to support internal audits, and the Internal Audit function’s operations,” she says. “The market is more mature and sophisticated. There is still a perception that the technology to support Internal Audit operations isn't strong, but I think it's come quite a long way”.
Harper would like to see the Internal Audit function explore more automated options. “We've actually seen a push in the market. Businesses are increasingly recruiting the skillset to automate the internal audit function as much as possible, which would benefit the organisation, as more time would be available to support judgemental areas, which are arguably more value-add.”
Harper points out that External Audit (which gives assurance that the financial numbers reported are reasonable within a threshold) is very different from Internal Audit (which gives assurance that processes and procedures are designed effectively and are operating efficiently). Internal Audit covers all processes in an organisation, whereas External Audit is financially focused. However, there are areas in which one informs the other.
“Internal Audit can test the controls within Finance which inform the financial numbers reported in the statutory accounts. For External Audit to conclude that the financial numbers reported are reasonable, they need assurance that the controls around these numbers are effective. This can be tested by External Audit, or External Audit can leverage the testing performed by Internal Audit,” she says. “Often the latter can reduce External Audit fees and lighten the burden of running an External Audit. Another benefit of Internal Audit performing financial controls testing is that they can suggest improvements in design and operation; with solutions rectified, in advance of an External Audit which may help an External Audit run more smoothly.” However, it is noted that for larger organisations, or for organisations which apply SOX controls, this approach may be performed by a dedicated Financial Controls team.
The ultimate objective of risk-based Internal Audit is to add value to the organisation by ensuring that controls in processes are appropriate to manage risk in line with the organisation’s set risk appetite. To achieve this, Internal Audit must work closely with a variety of functions and should be established as a trusted business partner. Embracing technology helps achieve this.