There is a common joke among physicists that fusion energy is 30 years away … and always will be. You could say something similar about artificial intelligence (AI) and robots taking all our jobs. The risks of AI and robotics have been expressed vividly in science fiction by the likes of Isaac Asimov as far back as 1942 and in news articles and industry reports pretty much every year since. “The machines are coming to take your jobs!” they proclaim. And yet, all of us here at Audit International still head to the office or log in from home each weekday morning.

The reality is less striking but potentially just as worrying. Most people expect that one day some sort of machine will be built that will instantly know how to do a certain job—including internal auditing—and then those jobs will be gone forever. More likely, is that AI and smart systems start to permeate into everyday tasks that we perform at work and become critical parts of the business processes our units and companies conduct. (Indeed, many professions and industries have already been greatly disrupted by AI and robotics.)

Technology companies have been so successful over the last 30 years because of the common mantra of “move fast and break things.” And that was maybe just about acceptable when it meant you could connect online to your friend from high school and find out what they had for breakfast or search through the World Wide Web for exactly the right cat meme with a well-crafted string of words.

When the consequences now might mean entrenching biases in Human Resources processes, or mass automated biometric surveillance, not to mention simply not even understanding what a system is doing (so called ‘black boxes’), the levels of oversight and risk management need to be much higher.

The Regulatory Environment :
There is some existing regulation which covers aspects of this brave new world. For example, in the European Union, article 22 of the General Data Protection Regulation (GDPR) on automated individual decision-making, provides protection against an algorithm being solely responsible for something like deciding whether a customer is eligible for a loan or mortgage. However, the next big thing coming to a company near EU is the AI Act.

The proposal aims to make the rules governing the use of AI consistent across the EU. The current wording is written in the style of the GDPR with prescriptive requirements, extraterritorial reach, a risk-based approach, and heavy penalties for infringements. With the objective of bringing about a “Brussels effect,” where regulation in the EU influences the rest of the world.

Other western jurisdictions are taking a lighter touch than the EU, with the United Kingdom working on a “pro-innovation approach to regulating AI,” and the United States’ recent “Blueprint for an AI Bill of Rights” moving towards a non-binding framework. Both have principles which closely match the proposed legal obligations within the AI Act, hinting at the impact the regulation is already having.

Much of the draft regulation is still being discussed, with a final wording soon to be agreed. There are disagreements across industries and countries on whether some of the text goes far enough or goes too far. For example, whether the definition of “AI” should be narrowed, as the current wording could encompass simple rules-based decision-making tools (or even potentially Excel macros) or even expanded to greater capture so-called “general purpose AI.” These are large models which can be used for various different tasks and therefore, applying the prescriptive requirements and risk-based approach of the AI Act can become complex and laborious.

The uncertainty over the final wording has given companies an excuse to not make first moves to prepare for the changes. Anyone who remembers the mad rush to become compliant with the GDPR will remember the pain of leaving these things to the last minute. The potential fines, which may be as high as 6 percent of annual revenue depending on the final wording, could be crippling and have a cascade effect on a company’s going-concern.

What Can Internal Auditors Do?
As internal audit professionals we can start the conversation with the business and other risk and compliance departments to shine the light on the risks and upcoming regulations which they may be unaware of. It is our objective to provide assurance but also add value to the company and this can be done through our unique ability to understand risks, the business, and provide horizon scanning activities.

Performing internal audit advisory or assurance work, depending on the AI risk maturity level at the organization, can highlight the good practice risk management steps that can be taken early to help when the regulation is finalized. These steps could include:

1) Identify AI in Use: To be able to appropriately manage AI risks throughout their lifecycle stakeholders need to be able to identify systems and processes which make use of them. Agreeing on a definition of AI and developing a process to identify where it is in use is the first step. This would include whether it is being developed in-house, is already in use through existing tools or services, or acquired through the procurement process.

2) Inventory: Developing an inventory which includes information such as the intended purpose, data sources used, design specifications, and assumptions on how and what monitoring will be performed is a good starting point and can be added to, based on your company’s unique characteristics and any specific legal requirements that are implemented in the future.
3) Risk Assessments: Since a key aspect of the AI Act is it being “risk-based,” it is important to have a risk assessment process to ensure you take the necessary steps as required in the regulation, based on the type of AI used. For example, what level of robustness, explainability, and user documentation is necessary based on the risk tier provided. It is also important to consider the business and technology risks of using the AI. For example, machine learning using neural networks requires large training datasets, which can raise issues of data protection and security, but may also perpetuate biases that are contained in the datasets. Suitable experts and stakeholders should be involved in the development and assessment of the risk assessment process.

4) Communications: One area that is often forgotten is communication. It is all well and good having a policy or a framework written down but if it isn’t known and understood by the relevant stakeholders it’s worth less than the paper it’s printed on. Involving key stakeholders during the development of your AI risk management processes can help develop a diverse platform of champions throughout the business who can act as enablers as the requirements are communicated and regulation finalized.

5) On-going monitoring: Risk management is not a one-off exercise and this is no exception. Use cases, technology, and the threat landscape change over time and it is important to include a process for on-going monitoring of AI and the associated risks.

The machines may not be coming to take our jobs just yet, but the risks are already here and so are the opportunities to get ahead. There may be a long and winding road in front, as we all prepare for a world where AI is commonplace and new regulations and standards try to shape its use, but each journey starts with a step and it’s never too early to get going.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

The world of internal audit continues to advance. In recent years, audit teams have increasingly used data analytics and cloud technologies to increase efficiency and improve assurance. Now, emerging technologies like AI and robotic process automation (RPA) are further making their way into internal audit. Audit International take a look at what effect this will have on Internal Audit and Financial Services in the future.

It’s still early days, but the trend toward automation is clear. In fact, when asked about emerging technology, 20% participants of a recent audit teams survey said they’re already using RPA. In addition to that, 12% said they’re using AI, 3% said they’re using blockchain, and 15% said they’re using more than one type of emerging tech.

These technologies, particularly RPA, have the potential to enhance audit quality. For example, RPA can enable internal audit teams to spend more time collaborating with other departments and sharing results with boards, rather than getting bogged down in repetitive, less strategic tasks.

And in data-centric industries like financial services, these technologies can make a particularly large impact, as we’ll examine in this article.

What is RPA?
Physical robotics can perform motions that automate repetitive tasks, like putting a cap on a bottle or moving a box from one place to another. Similarly, RPA automates repetitive tasks, but the difference is that RPA is centered around software, not hardware.

“Robotic process automation (RPA), also known as software robotics, uses automation technologies to mimic back-office tasks of human workers, such as extracting data, filling in forms, moving files, et cetera. It combines APIs and user interface (UI) interactions to integrate and perform repetitive tasks between enterprise and productivity applications,” explains IBM.

What does RPA mean for internal audit?
One way that RPA can be used for internal audit is to make data-related tasks more efficient.

“If we cut to the chase, the job is straightforward: we download data, analyze it, and use it to discuss processes and controls…The issue is that we waste a lot of time obtaining and formatting data for each audit—the same tables and charts repeatedly,” writes Jean-Marie Bequevor, Expert Practice Leader Internal Audit at consultancy TriFinance, in an article for Internal Audit 360°.

RPA can also help to automate periodic reporting. If you know certain information is needed in every report, then an RPA program could potentially be set up to obtain and fill that information.

That said, RPA can also carry risk, both in terms of the use of RPA in audit programs and the use of RPA across other departments. Internal auditors need to consider RPA internal controls to make sure that RPA is being used appropriately. You wouldn’t want to end up with a misprogrammed bot that creates errors or security holes.

What does RPA mean for financial services?
In addition to being used for auditing, RPA can also play a role in corporate finance and the financial services industry more broadly.

Finance professionals — ranging from corporate treasurers to wealth managers to mortgage lenders — deal with large quantities of data. With RPA, financial services professionals can automate data-related processes like data collection, data cleansing, and analysis.

For example, an investment analyst might use RPA to improve their research process. Instead of manually creating and assembling a clean spreadsheet full of financial data, an RPA tool could automate that, freeing up time for the analyst to engage in more complex, nuanced tasks.

RPA in financial services can also help when it comes to client service and marketing tasks. For example, banks could automate activities like identifying customers that are a good fit for credit card offers or loan products. Rather than sending out these offers to all customers or manually reviewing every client file, an RPA program could be set up to compile a list of customers that meet certain criteria.

These are just a few of the many ways that RPA can be used in financial services and internal audit in general. A repetitive, data-oriented business process tends to be a good candidate for RPA. Many of these types of tasks exist in the financial services industry in areas ranging from compliance to customer onboarding.

With automation, financial services firms can free up time and focus on higher-value work, like building customer relationships and identifying new revenue opportunities. Meanwhile, internal audit professionals can use RPA to efficiently provide assurance.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

It’s become a truism that the ‘new normal’ as the world emerges from Covid-19 lockdown will not, and cannot, be like the old normal. But what does this mean for internal auditors? What skills will be most in demand and what can you do about it if you do not feel that you have enough of these at the moment? Audit International have all these answers and more.
As in other areas of the wider economy, many of the skills that are going up in value and demand (and those that are going down) reflect longer term trends that have been exacerbated by the crisis. A strong suite of technical auditing skills now puts more emphasis on so-called ‘soft’ skills and less on some traditionally prized abilities to sift and process information, although independent judgment, logical reasoning and analysis will always be important.

IT auditing is becoming an increasingly specialist preserve that is beyond the scope of most internal auditors, however many employers now expect all internal auditors to have a strong grasp of the basics of data analytics and of what analytics programmes can do for audits and assurance. This IT-savvy must go hand in hand with a wide imagination about the potential uses of the technology and how it can be employed more effectively.
What is new, however, is that ‘soft’ skills and IT experience are no longer nice-to-haves. Whereas a few months ago, there was a shortage of internal auditors in many sectors, now employers are likely to be able to pick and choose. The post-Covid landscape is likely to be bleak for many sectors and internal auditors will not be immune. There will be redundancies and people will need to look more broadly at their CVs, personal skills development and, possibly, at the options available to them in a wider range of sectors.

Russell Bunker, director at Barclay Simpson, says that the highest demand is currently for “experienced internal auditors operating at the delivery level”. Fewer organisations are hiring senior audit managers or trainees, he says. However, he added that a number of fixed-term or interim job opportunities are emerging and there are new jobs appearing as a consequence of an increase in co-sourced internal audit work. Some of these trends may be short-lived, of course, and may reflect temporary bans on permanent hiring.

So, what are the key skills internal auditors will need to thrive in the short and longer term?
1. Communication is key
Emotional intelligence may not have always been top of the list for internal auditors, but it’s hardly a new requirement. Internal auditors have to be great communicators – if you cannot talk to people – and, just as importantly, listen to them – you can neither learn from them nor persuade and influence them.
As computers take on ever more of the analysis side of auditing, we need humans who understand how people operate in real life, what makes them tick? Internal auditors need to pick up the nuances to spot when things may be wrong behind the scenes. They need to use the right language to relate to the people they need to get on their side or to persuade people to change the way things are done and to understand the need to better governance. And they need to be able to convey important messages simply and effectively. This is not always about being ‘nice’ – it’s about being effective. Some of these messages may be tough and they need to be understood and acted on.
It’s also about being able to demonstrate the behaviour that you preach. Actions really can speak louder than words.

2. Business acumen
This has always been important, but is becoming ever more so. Internal auditors see the whole of the business from the inside, but they also need to be able to look beyond it, and beyond their sector and region, if they are to appreciate emerging risks and the bigger picture. They need to understand what keeps their CEO awake at night – and, even more importantly, what should be keeping him or her awake at night.
Increasingly, they are being expected to know a lot about the potential impacts of everything from macro economics to climate change and the complexities of supply chains. Sourcing and reviewing the most up to date and reliable information is vital, but you also need the acumen to know how this could affect your business and to spot the risks and opportunities. Those who do not display this knowledge will not gain the respect internal audit needs from senior management to be effective.

3. Flexible and agile
Speed is of the essence. How can you offer assurance more effectively, more rapidly and more effectively? This is the holy grail of internal audit and will become even more so in the post-Covid landscape. Technology can help, but it takes people to think about how they can use it better. Those with the imagination and the drive to improve, adapt and change will be most valuable to, and valued by, management.

4. Personal relationships and networking
Use your personal relationships and find out what peers, colleagues, friends and family are doing. Be curious and ask questions. This is partly about being well-informed and partly about good communications. There are loads of ways to keep in touch so use them – from social media to Facetime to old-fashioned phone calls. You never know what may come in useful in future but the broader the net, the more you are likely to benefit.

5. Proactive – use your imagination
Imagination and curiosity are now so important that they deserve a mention on their own. Again, they are not new skills for internal auditors, but they have never been more important. You don’t need a formal mentor to tell you to think about where you want your career or your audit team to be in six months’ time. But it can help to take some time out of your normal routine to practise thinking more imaginatively. Many things in the near future will need to change and someone will need to identify potential changes and the ways to achieve them.
Equally, imagination is an important part of effective communication. What are your auditees doing and why? What are they going through? What do you want them to be doing in future – and how can you help them to get there?

6. Sell, sell, sell
It’s been said that everyone is selling something – and if they say they’re not, they’re lying. Selling has a bad reputation in the UK. It’s seen as duplicitous and bad-mannered. However, sales skills are just as vital for good ends as for bad. Internal auditors are going to have to compete for attention even harder and many will have difficult messages to convey in the near future. If you want management, auditees and colleagues to listen to you and respond to your messages, you will need adequate sales skills.
And, if you’re in a sector that has been badly affected by the pandemic, you may need to brush up your CV and prepare to sell your own skills more aggressively. If you have what it takes to help organisations weather this crisis, don’t sell yourself short.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.

If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
– Switzerland 0041 4350 830 59 or
– US 001 917 508 5615
E-mail:
– info@audit-international.com”

Here at Audit International, we have always been on the lookout for clever ways to describe internal audit’s role in an organization.

Elevator speeches are fine when you have 60 seconds to describe the value your profession brings to an uninformed bystander. However, an elevator speech doesn’t hold a candle to a well-crafted sound bite that will leave a lasting impression.
One of our favorites used to be “internal audit is the brakes that allows the organization to drive faster.” The reasoning behind this analogy is that brakes are a critical component in a vehicle. To be sure, they are used to prohibit a vehicle from moving. But more importantly, brakes are crucial to maintaining control of a vehicle. Of course, well-resourced, independent internal audit functions add little value if they impede an organization’s ability to take risks and achieve results. But they add value when, like brakes on a car, they empower management and the board with information to slow down or stop if critical risks lie ahead.
Over the years, Audit International have come to view the “internal audit-as-brakes” analogy to be a bit outdated. It envisions internal audit as being primarily control-focused. Today, internal audit provides much greater value than merely a set of brakes. After all, a vehicle with an outstanding braking system can still end up in the wrong place. Brakes are great for stopping or slowing down. However, they do little to help change course. Internal audit in the 2020’s must be help create – not just protect value!
We believe a more powerful analogy is that internal audit is a critical component of an organization’s navigation system. Consider the value of a modern navigation system. Once the departing and arriving locations are entered, a navigation system provides timely and crucial feedback on the progress of the journey. The friendly voice provides turn-by-turn advice on reaching the destination. It recognizes when a turn has been missed, and quickly alerts the driver to “make a legal U-turn.” It can be programmed to recommend routes that are faster, less congested, or avoid tolls. Some alert the driver when the speed limit is being exceeded, or the vehicle is being taken on unsafe roads.
Much like the navigation system in a vehicle, internal audit shows its powerful value by:
• Providing assurance that the organization is progressing on the course charted by management and the board.
• Providing recommended corrective actions when the organization is off course (please make a legal U-turn).
• Identifying risks in advance (much like a navigation system warns of an accident or road congestion ahead).
• Alerting management and the board of compliance risks/failures (think excessive speed).
• Providing assurance that the organization has “arrived at its destination.”
To succeed, organizations in the 21st century must manage risks – both internal and external, whether related to finance, operations, strategy, technology, regulations, or reputation. While organizations are raising the bar on effective risk management, executives face extraordinary headwinds spawned by a turbulent environment in which risks materialize virtually overnight. In the past five years, we’ve faced the most extraordinary global pandemic in more than a century, more global financial turmoil, cybersecurity breaches that even target our infrastructure, corporate failures, and more. In the immediate future, we are facing the prospect of severe supply chain disruptions, inflationary pressures not seen in 40 years, and likely more nasty surprises from COVID-19. Relying on a good braking system will be inadequate to navigate the hills and valleys that lie ahead. Instead, organizations need strong navigation systems with well-resourced and independent internal audit functions fully integrated to succeed.
Granted, Audit Internationals updated analogy may be oversimplified. Strong internal audit functions add value in a multitude of ways, and we are never more critical that management and the board in navigating risks that our organizations face. However, I find it is useful to think through analogies such as this one so that I can better articulate internal audit’s role in ways that everyone can understand.
We welcome your thoughts.

“Audit International are specialists in the recruitment of Auditors and various Corporate Governance Professionals including Internal Audit, Cyber Security, Compliance, IT Audit, Data Analytics etc across Europe and the US.
If you would like to reach out to discuss your current requirements, please feel free to reach us via any of the following:
Calling
• Switzerland 0041 4350 830 59 or
• US 001 917 508 5615
E-mail:
• info@audit-international.com”

The job profile of the Data Scientist is still young, but is often searched for on the job market. They are required in many industries, such as:

• Banking and insurance 
• Trading
• Business and organizational consultancies, market researching
• Social Media, Telecommunications, online tradinging and network management
• Bio-, pharmaceutical, chemical and medical industries
• Logistics
 

 
In 2012, Tom Davenport, Professor at the Harvard Business School, has described the competence profile as following: „… a hybrid of data hacker, analyst, communicator, and trusted adviser. The combination is extremely powerful – and rare.“
In times of “big data”, Data Scientists are experts in demand, who are paid above average and enjoy great freedom in companies as “gold diggers”. Using methods of mathematics, computer science and statistics, they gain facts and knowledge from large amounts of data, the “gold of the 21st century”, and discover new business areas. In addition, they are something like interpreters. They formulate the data records into legible results and display the essential information in a comprehensible language.
Data Scientists are trained in statistics, graph theory and other mathematical fields, and are proficient in methods such as data mining, process mining, machine learning and natural language processing (NLP). Added to this is knowledge from practical computer science. Knowledge of operating systems, databases, networks and data integration tools, as well as the most important programming languages and analytics tools are mandatory. Furthermore, knowledge about the Hadoop ecosystem, social networks and other systems from the internet and big data environment is a compulsory requirement for professional practice. The competency profile is that of an all-round talent and accordingly (currently) difficult to find.
 
The Data Scientist and the financial function within the company
The question whether a controller can assume the tasks of a Data Scientist must be clearly denied in the context of the described competence profile. The current opinion in the industry is, that it is illusory to believe that controllers could also assume the tasks of a Data Scientist. However, controllers should know the job profile of a Data Scientist as well as the possibilities and limitations of Big Data. The cooperation between the tasks of a controller and a Data Scientist is an important source for the future economic success of companies.
 
The Data Scientist and Auditing
The advancing digitization also places new challenges on internal auditing in the selection of the audit methodology. Data Science offers the possibility to consider the analytics of data masses as a test step within an audit and in this way to create an additional benefit. This means, however, that the internal audit department must also acquire expertise in data science in addition to the already acquired competences, such as finance, business management and compliance. Since an individual auditor can hardly have all the competences mentioned above, these should be at least available within the team. If necessary, remember to include an external Data Scientist.
Along the lines of internal auditing, the external auditing is placed before conditions that were changed by digitization: the flood of data, the appropriate audit methods as well as the concern of finding young recruits within the auditors underline the need for efficiency gains. The surge in job advertisements for data scientists in audit centers, as well as first attempts to use artificial intelligence in this area, underscores this.

This feature blog was written by Prof. Dr. Nick Gehrke (Zapliance)