Over the years, PwC has provided great value through their annual commentaries on internal auditing.
However, in their 2019 State of the Internal Audit Profession Study, they are advising internal auditors to adopt approaches and practices with which I disagree.
The subtitle to their report is “Elevating Internal Audit’s Role: The digitally fit function”.
PwC starts quite well, acknowledging that disruptive technology and the need to address it has been around for decades.
Organisations are rapidly rolling out digital initiatives in an arena defined by more data, more automation, sophisticated cyberattacks, and constantly evolving customer expectations. In some ways — for internal audit functions— the situation is not new: technology risks and controls have already been on their agendas for decades, and most can reliably deliver a technology audit.
But then they go wrong.
But digital rollouts heighten risks beyond the technology itself.
I cannot comprehend this statement. The risk has always been the effect of a technology-related issue on the business! There’s nothing new here at all!
This has been true for as long as I have been around auditing (and that’s a very long time). PwC says:
Internal audit needs (1) the dexterity to pivot quickly and to keep up with the digital pace of the business, and (2) the knowledge and skills to provide advice and strategic assurance in this new arena.
But this is not a ‘new arena’!
40% of my internal audit team of 20+ years ago were IT auditors, including individuals with as much or more technical knowledge than IT’s own technical staff.
Why? Because that is where the greater risks were, just as they very often are today. I hired people with the skills necessary to address those greater risks.
PwC defines the ‘digitally fit function’:
The definition is twofold: (1) having in place the skills and competencies to provide strategic advice to stakeholders and to provide assurance with regard to risks from the organisation’s digital transformation and (2) changing the function’s own processes and services so as to become more data driven and digitally enabled so the function can align with the organisation’s strategic risks and thereby anticipate and respond to risk events at the pace and scale that the organisation’s digital transformation requires.
As I said, the first part of the definition is nothing new. The second part is an area that internal audit should approach with caution.
Some internal audit functions have become the owners and operators of detective controls. They have implemented analytics that test the data rather than assessing whether management has the right controls.
There are times when it is appropriate for internal audit to test the data. For example, when my team identified several major control deficiencies that represented a significant vulnerability to accounts payable fraud, my IT team developed a series of ACL reports. The team was able to analyze all payments made in the last year or so and confirm that nobody had taken advantage of the control weaknesses.
It can also be useful to analyze the data to understand the business. One of my teams saw that every software contract between the company and our customers was getting the same level of review, even though some contracts were for a few thousand dollars and others were for over a million. Using Business Objects analytics, they were able to stratify the population of contracts and recommend the point above which a contract merited a full review and below which a more streamlined review was sufficient.
I have long been a believer in the power of analytics as an internal audit tool. I used them myself when I was in public accounting (for both financial and ITGC auditing) and later made sure my internal audit teams had access to such tools. In fact, I believe all auditors should have the tools on their laptops or tablets.
But auditors should not fall into the trap of buying a hammer and then looking for nails.
I visited a large internal audit function some time ago. Following the advice of consultants, they had established a data mining team. The team had acquired powerful analytics tools and was now studying the data to decide where to deploy them.
They had bought a hammer (analytics tools and the people to deploy them) and were looking for nails.
What the intelligent internal audit team does is understand where the enterprise risks are and where they need to provide assurance, advice, and insight.
Once they know the target, they can decide what tools are right for the job. Maybe it’s analytics and maybe it’s not.
One of the problems in investing in technology is that when you take an enterprise risk-based approach (as we all should), the target is highly likely to change each year. This is especially true in these dynamic times, when (to quote PwC’s own report) you need “the dexterity to pivot quickly and to keep up with the digital pace of the business”.
If technology is only used once, then there may not be a sufficient return on the investment of time and money.
Until recently, the consultants (including PwC) had been advising internal audit teams to use analytics – without first advising that they need to determine whether there is a need (providing assurance on a risk where the analytics would be of value). Now, they are pushing something called RPA. This is what PwC says:
When it comes to using emerging technologies within their function, many internal audit functions struggle to find the fit. For example, 54% of internal audit functions are either unsure of or do not plan to use AI within the next two years. Even RPA use is questioned: 49% do not plan to use RPA or are unsure how they will use it. But not Dynamics: 37% use RPA currently, and another 45% plan to do so within two years. [PwC uses the term ‘Dynamics’ to refer to the audit functions that meet PwC’s vision of digitally fit.]
RPA stands for robotic process automation.
The problem is that while these bots can detect an error, that is a management role and not an internal audit role.
They are detective controls!
Internal audit functions should not limit themselves by auditing past (or even current) transactions.
They should be auditing the controls that provide assurance that current and future transactions will be handled properly.
They should be providing assurance that management has controls in place to address risk, not performing the controls themselves.
They should provide assurance, advice, and insight on today and tomorrow rather than the past.
Consider the example cited by PwC:
For one company, testing to see whether terminated employees’ system access rights were being removed in a timely manner was a highly manual process. It required using a lookup function from three disparate data sources for each IT application, which took the audit team 100 hours to test 20 instances of the control. With RPA, a bot was built in 40 hours that performs in seven hours the previously manual processes. By automating many stages of the test except human review, testing hours greatly reduced, and coverage expanded from a sample basis to full populations, which provides greater assurance.
This company confirmed that terminated employees no longer had system access rights.
But did they assess whether management had appropriate controls in place that were operating effectively? No.
Did they assess whether the rights were removed in a timely manner? No.
Just because the data was clean doesn’t mean that the right controls were in place to ensure they were clean.
It is possible that a manager scrubbed the employees’ access rights 30 minutes before the auditors ran their test.
Any of my internal audit team would have asked management how they, management, ensured employees’ access rights were removed promptly upon termination. They would then have assessed and tested those controls.
If they felt the need, perhaps because the controls were not strong, to develop analytics (or RPA) to test access, they would have passed that technology on for management to use on a continuing basis – as a detective control.
There is some good material in the PwC report, not only repeating what we have learned in the past but stressing what everybody should be doing moving forward. For example, they say:
- Internal audit leaders universally agree that annual plans and annual assessments are antiquated.
- “Our products, services and/or business model can significantly change within six months. So I don’t know what I’ll need in two years. I don’t have a three-year audit plan. My one-year plan changes every three months.”
But let’s get some things straight:
- Internal audit’s job is to provide assurance, advice, and insight – not to perform detective controls
- Internal audit needs to identify the risks to address and only then the tools appropriate for the task – and not the other way around
I welcome your thoughts.
He retired in early 2013. However,he still blogs, writes, trains, and speaks – and mentors individuals and organizations when he can.
Latest posts by Norman D. Marks, CPA, CRMA (see all)
- Are you hungry for a better approach to risk appetite? - November 18, 2020
- The state of SOX compliance - October 20, 2020
- Rethinking internal auditing - April 27, 2020