GUEST BLOG
Over the years, Big Four audit and consulting firm PwC has provided great value through their annual commentaries and reports on internal auditing. However, in their 2019 State of the Internal Audit Profession Study, they are advising internal auditors to adopt approaches and practices with which I disagree.
The subtitle to their report is: “Elevating Internal Audit’s Role: The Digitally Fit Function.” PwC starts quite well, acknowledging that disruptive technologies are changing internal audit and highlighting the need to address those changes. “Organizations are rapidly rolling out digital initiatives in an arena defined by more data, more automation, sophisticated cyber-attacks, and constantly evolving customer expectations. In some ways—for internal audit functions—the situation is not new: technology risks and controls have already been on their agendas for decades, and most can reliably deliver a technology audit,” the report’s authors state.
But then they go wrong.
The report states: “But digital rollouts heighten risks beyond the technology itself.”
I cannot comprehend this statement. The risk has always been the effect of a technology-related issue on the business! There’s nothing new here at all! This has been true for as long as I have been around auditing (and that’s a very long time).
PwC says: “Internal audit needs (1) the dexterity to pivot quickly and to keep up with the digital pace of the business, and (2) the knowledge and skills to provide advice and strategic assurance in this new arena.”
But this is not a “new arena!” Twenty-plus years ago, 40 percent of my internal audit team were IT auditors, including individuals with as much or more technical knowledge than IT’s own technical staff. Why? Because that is where the greater risks were, just as they very often are today. So I hired people with the skills necessary to address those greater risks.
From there, PwC defines the “digitally fit function”: “The definition is twofold: (1) having in place the skills and competencies to provide strategic advice to stakeholders and to provide assurance with regard to risks from the organization’s digital transformation; and (2) changing the function’s own processes and services so as to become more data driven and digitally enabled so the function can align with the organization’s strategic risks and thereby anticipate and respond to risk events at the pace and scale that the organization’s digital transformation requires.”
As I said, the first part of the definition is nothing new. The second part is an area that internal audit should approach with caution.
A Hammer in Search of Nails
Some internal audit functions have become the owners and operators of detective controls. They have implemented analytics that test the data rather than assessing whether management has the right controls. There are times when it is appropriate for internal audit to test the data. For example, when my team identified several major control deficiencies that represented a significant vulnerability to accounts payable fraud, my IT team developed a series of ACL reports. The team was able to analyze all payments made in the last year or so and confirm that nobody had taken advantage of the control weaknesses.
It can also be useful to analyze the data to understand the business. One of my teams saw that every software contract between the company and our customers was getting the same level of review, even though some contracts were for a few thousand dollars and others were for over a million. Using Business Objects analytics, they were able to stratify the population of contracts and recommend the point above which a contract merited a full review and below which a more streamlined review was sufficient.
I have long been a believer in the power of analytics as an internal audit tool. I used them myself when I was in public accounting (for both financial and ITGC auditing) and later made sure my internal audit teams had access to such tools. In fact, I believe all auditors should have the tools on their laptops or tablets. Still, auditors should not fall into the trap of buying a hammer and then looking for nails.
I visited a large internal audit function some time ago. Following the advice of consultants, they had established a data mining team. The team had acquired powerful analytics tools and was now studying the data to decide where to deploy them. That’s a backwards approach. They had bought a hammer (analytics tools and the people to deploy them) and were then looking for nails.
What the intelligent internal audit team does is understand where the enterprise risks are and where they need to provide assurance, advice, and insight. Once they know the target, they can decide what tools are right for the job. Maybe it’s analytics or maybe it’s not.
One of the problems in investing in technology is that when you take an enterprise risk-based approach (as we all should), the target is highly likely to change each year. This is especially true in these dynamic times, when (to quote PwC’s own report) you need “the dexterity to pivot quickly and to keep up with the digital pace of the business.” If technology is only used once, then there may not be a sufficient return on the investment of time and money to justify it.
The New New Thing
Until recently, many consultants (including PwC) had been advising internal audit teams to use analytics—without first advising that they need to determine whether there is a need (providing assurance on a risk where the analytics would be of value). Now, they are pushing something called RPA, which stands for robotic process automation.
This is what PwC says in the report: “When it comes to using emerging technologies within their function, many internal audit functions struggle to find the fit. For example, 54 percent of internal audit functions are either unsure of or do not plan to use artificial intelligence (AI) within the next two years. Even RPA use is questioned: 49 percent do not plan to use RPA or are unsure how they will use it. But not ‘Dynamics’: 37 percent use RPA currently, and another 45 percent plan to do so within two years.” (PwC uses the term “Dynamics” to refer to the audit functions that meet PwC’s vision of digitally fit.)
PwC is certainly not the only consulting firm pushing RPA for internal audit: Deloitte has a paper on the topic, “Adopting Automation in Internal Audit,” and KPMG has shared “Intelligent Automation and Internal Audit.”
I have no inherent qualm with RPA. The problem here is that while these bots can detect an error, that is a management role and not an internal audit role. They are detective controls! Internal audit functions should not limit themselves by auditing past (or even current) transactions. They should be auditing the controls that provide assurance that current and future transactions will be handled properly.
They should be providing assurance that management has controls in place to address risk, not performing the controls themselves. They should provide assurance, advice, and insight on today and tomorrow rather than the past.
Consider this example cited by PwC: “For one company, testing to see whether terminated employees’ system access rights were being removed in a timely manner was a highly manual process. It required using a lookup function from three disparate data sources for each IT application, which took the audit team 100 hours to test 20 instances of the control. With RPA, a bot was built in 40 hours that performs in seven hours the previously manual processes. By automating many stages of the test except human review, testing hours greatly reduced, and coverage expanded from a sample basis to full populations, which provides greater assurance.”
The Right Controls?
This company confirmed that terminated employees no longer had system access rights. But did they assess whether management had appropriate controls in place that were operating effectively? No. Did they assess whether the rights were removed in a timely manner? No. Just because the data was clean doesn’t mean that the right controls were in place to ensure they were clean. It is possible that a manager scrubbed the employees’ access rights 30 minutes before the auditors ran their test.
Any of my internal audit team would have asked management how they, management, ensured employees’ access rights were removed promptly upon termination. They would then have assessed and tested those controls. If they felt the need, perhaps because the controls were not strong, to develop analytics (or RPA) to test access, they would have passed that technology on for management to use on a continuing basis—as a detective control.
There is some good material in the PwC report, not only repeating what we have learned in the past, but stressing what everybody should be doing moving forward. For example, they say:
- Internal audit leaders universally agree that annual plans and annual assessments are antiquated.
- “Our products, services and/or business model can significantly change within six months. So I don’t know what I’ll need in two years. I don’t have a three-year audit plan. My one-year plan changes every three months.”
But let’s get some things straight: First, internal audit’s job is to provide assurance, advice, and insight—not to perform detective controls. And second, internal audit needs to identify the risks to address and only then the tools appropriate for that task—and not the other way around. 
Norman Marks is an internal audit and risk management expert and author of the blog, “Norman Marks on Governance, Risk Management, and Audit.” He is also the author of several books, including World Class Risk Management, Risk Management in Plain English: A Guide for Executives, and Auditing that Matters.
Norman hit the nail on the head. I get tired of being told (1) internal audit must put in place a new tool when all the necessary preparatory steps have not been taken (including whether the tool is useful), and (2) internal audit will only bring value when they take over management’s responsibility. Great words of wisdom here from Norman.
As in many things, “it depends”. Using the RPA example, I agree – trying to force auditors to adopt some technology without coupling it to a strategic audit plan less does not seem to be an effective use of time and resources. However, it’s good for internal auditors to understand what RPA can do. It might be very useful for a Management tool, to potentially replace high volume labor intensive processes. If IA can recommend technologies that may improve Management’s operations and controls, seems to me that fulfills a key internal audit objective – to provide meaningful advice and insights to management.
My e-book at smashwords.com is the same thesis as auditors are performing internal controls “bass akwards”. Looking for effects and causes before performing the control review.
Everyone in the internal audit business should simply recognize annual studies, such as the one discussed, carry a business development agenda. These “State of Profession” studies have been published regularly for at least 15 years now.
In its original form, the PwC study and similar studies of others sought to be a “State of the Profession” barometer, addressing a spectrum of issues from talent to process, methodology and technology.
The objective of these “studies” has changed from useful benchmarking to service promotion focused on emerging issues and topics that almost any company would be challenged by, let alone their internal audit function. The purpose of the studies has clearly become service promotion and sales, not internal audit “leading practices”.
It seems like you have spent quite some time taking a study out of context and criticising it for no real purpose other than proving a point against consultants!
In most examples above, both points of views can be justified, what matters in my humble view is to take things for its merit, reflect it in your situation (organisation, team complexity etc) and apply it to your benefit – and if it’s not relevant just ignore it. One of the biggest impeding factors in IA change is the people in charge believing ‘they know it all’! You can probably learn a lot more from a smart fresher/trainee who comes in with a different background and has different skills. IA is as much a science as it is an art, take the positives, move with the change and carry on.
Next time you would like to promote yourself please feel free to educate people / write a paper / share your viewpoint but don’t hide behind a ‘critical piece’ as its easy to dish others by taking what they say out of context.
FYI – I am not from PWC / KPMG etc so I have no personnel connection to the reports you are criticising.