The Future of Internal Audit: Embracing Agility and Automation

Traditional internal audits follow a staged process: planning, fieldwork, reporting, follow-up, and monitoring. During planning, the auditor understands the business process, gathers information, assesses risk, forms objectives, establishes scope, allocates resources, and documents the plan. Fieldwork involves testing controls and gathering findings to support the audit objectives. In the third phase, the auditor drafts the report and presents to users of the information after discussing the findings. Finally, in the follow-up phase, the auditor tracks remediation efforts and reports any unresolved issues to ensure that agreed-upon actions are implemented.

However, the traditional method is plagued by shortcomings that make it less responsive to changes in the ever-dynamic business environment. It has often been criticised as rigid, historical, manual, and not agile. Rigidity, in this sense, stems from adhering to a fixed sequence that does not allow for real-time adjustments to changing business needs. Moreover, traditional internal audits rely heavily on historical data analysis, limiting their ability to provide forward-looking insights. The reliance on manual tools, such as spreadsheets, further hinders efficient data analysis and trend identification. Ultimately, the absence of agility in pre-set internal audit plans makes it challenging to respond to unexpected changes or emerging risks.

Agility and Automation and their Applications to Internal Audit

The Cambridge Dictionary defines “agility” as “the ways of planning and doing work in which it is understood that making changes as they are needed is an important part of the job”. Agility in internal audit is being able to adapt to changes in the business environment, shifting business priorities, and technological advancements. In other words, it involves developing internal audit plans that can respond to changes that occur due to emerging risks or changes in business strategies and priorities.

The Information Systems Audit and Control Association (ISACA) Journal - Internal Audits That Create Stakeholder Value: Adopting an Agile Mindset - emphasizes that agile is not a prescriptive approach; it avoids specification of techniques or processes. This means there is room for productivity and creativity while still ensuring that the principles and values of internal audit are adhered to. Put simply, it does not mandate the audit team on techniques of execution and how they work, but helps them think and interact in ways that promote agility. An example of an agile internal audit could be when stakeholders within an internal audit team provide feedback during short meetings held daily. The traditional internal audit plan does not provide this avenue for instant feedback. Feedback will only be received after the reporting has been done.

Automation refers to the use of technology to automate repetitive and manual tasks. In internal audit, automation involves the use of cloud computing and database software to automate auditing tasks like data entry and analysis. Numerous internal audit tasks that could be automated include journal entry testing, reconciliations, report generation, financial statement line-item trend analysis, etc. Embracing automation improves the efficiency and productivity of internal auditors as it frees them up to concentrate on judgmental and strategic tasks rather than focusing on routine and repetitive tasks. Technologies such as Artificial Intelligence (AI), Robotic Process Automation (RPA), Machine Learning (ML), data analytics, predictive analysis, Natural Language Processing (NLP), Natural Language Generation (NLG), and data visualisation can be utilised to facilitate automation in internal audits, among others:

1.  Artificial Intelligence (AI): AI has come to stay, and it is becoming increasingly relevant in different walks of life. Artificial Intelligence, a term coined by Professor John McCarthy in 1956, was defined by him as “the science and engineering of making intelligent machines”. As AI technology advances, its capabilities and scope of usage widen. Processes conducted manually years ago are now beingexecuted using AI. AI activities include machine learning, big data, chatbots, Large Language Models, Natural Language Processing (NLP), etc. Hence, AI can be employed in internal audit activities like data gathering, documentation, and report generation.

2.  Robotic Process Automation (RPA): ISACA Journal Robotic Process Automation for Internal Audit has defined RPA as a “rules-based software programmed to automate activities by performing rules-based tasks”. RPA automates routine audit tasks like reconciliation and document reviews, improving accuracy. However, human judgment remains crucial for complex tasks like fraud detection and risk assessment. RPA frees auditors to focus on higher-level risks, however, it does not replace them entirely.

3.  Machine Learning (ML): ML is a subset of AI. It employs models to perform data analysis to comprehend patterns and predict future outcomes. An email spam filter is a perfect example of machine learning. In internal audit, ML could be used to identify key contract terms in lease agreements, derivatives contracts, sales contracts, etc. It could also be used to identify potential problematic areas when reviewing journal entries. The use of ML in routine internal audit tasks would allow auditors to concentrate on high-risk areas while conducting audits.

4.  Data Analytics: Data analytics is the process of collecting, classifying, and transforming data to find trends and make inferences and/or draw conclusions from the data collated. In data analytics, tools like Caseware IDEA and Audit Command Language (ACL) are employed to analyse electronic data collated. The Association of Chartered Certified Accountants (ACCA) resource Data Analytics for Internal Auditors revealed that internal audit departments now use data analytics in highly transactional and policy-driven areas like expenditures, payroll, and accounts payable. Data analytics could also be used by internal audit in revenue assurance by checking the accuracy of billing against contracts and pinpointing errors or unusual trends.

5.  Predictive Analysis: It leverages data analytics and statistical modelling to anticipate potential risks. As a tool for internal auditors, predictive analysis can be used for:

• Fraud detection (e.g., a bank can use it to identify trends in customer behaviour and spot unusual transactions that could point to fraudulent practices).
• Financial risk assessment (e.g., creditworthiness assessment of loan applicants).
• Operational risk assessment (e.g., an organisation can use it to study patterns of machine breakdown and implement proactive measures to mitigate against this).
• Compliance risk assessment (e.g., a healthcare provider can use predictive analysis to identify potential data privacy breaches by analysing access logs)

6.  Natural Language Processing (NLP): NLP, an area of computer science and AI, allows computers to process vast amounts of natural language data. It helps auditors to analyse unstructured data sources like emails and reports. NLP can be used for repetitive tasks like documentary evidence vouching. It can also be used to extract information from invoices [e.g., Optical Character Recognition (OCR)]. An NLP tool could be used to read numerous documents quickly. It is an efficient way of completing tasks when conducting internal audits.

7.  Natural Language Generation (NLG): It focuses on generating reports based on data gathered during an audit review. Its application in internal audits includes audit report generation, executive summary generation, recommendation formulation, reporting on compliance, etc. For internal auditors, NLG would ensure that reports generated are consistent and errors are reduced.

8.  Data Visualisation: The Journal of Accountancy article of the Association of International Certified Professional Accountants titled Data Analytics and Visualisation in the Audit defines data visualisation as the graphical representation of information and data that helps to spot and understand trends, outliers, and patterns in analysed audit data. For example, data visualisation allows auditors to identify trends in gross profit performance over time, enabling them to pinpoint specific months where red flags indicate potential issues that need further investigation.

Benefits of Agility and Automation

• Efficiency: Automation improves efficiency. The number of manhours dedicated to a process when manually conducting an audit could be saved and channelled to focus on areas that require more strategic thinking if automation is embraced.
• Accuracy: The application of automation and agility yields higher accuracy in the findings and recommendations presented in the internal audit report. Errors could only occur if the data collated for use contains errors.
• Consistency: There is consistency in tasks because processes and procedures are repeated. Errors are easily spotted and corrected because automation tends to standardise audit processes.
• Cost reduction: Automation and agility reduce cost in the long run. While it may be argued that the initial outlay of employing automation tools in internal audit can be expensive, the benefits to be enjoyed in the long term far outweigh the cost.
• Value-add: internal auditors have been criticised for being watchdogs and agents that ‘dish’ out punishments rather than persons who add value while conducting their job. Agility would change this narration because auditors would be able to respond to changes as quickly as they occur.
• Strategic thinking: Agility enables internal auditors to think strategically. The idea of auditing will go beyond the traditional approach. Businesses would further enjoy the benefits of an internal audit because internal auditors would respond to changes in the business environment promptly.

Conclusion

In a world where business processes are becoming complex and new risks emerge from time to time, internal auditors need to embrace automation and agility. This would ensure efficiency, accuracy, consistency, cost reduction, value-added, and better strategic thinking when an internal audit is conducted. It is worth noting that agility is not meant to replace the traditional approach to internal audit. It allows for creativity and productivity, when conducting internal audits, while still maintaining the principles and values of internal audit.

Authors

Oluwafemi Fayehun, Senior, Risk Consulting & Afolabi Folarin, Associate, Risk Consulting