As companies transform into next-generation competitors, internal audit (IA) functions are working on their next-gen game as well. Protiviti’s latest edition of Internal Auditing Around the World, Volume 15, looks at ways IA departments around the world are reinventing themselves, using aligned governance, more agile methodologies and new enabling technologies to become more efficient, more future-focused and value-adding.
In a series of blog posts here on The Protiviti View, we will examine some of the key characteristics of next-gen internal audit drawing directly from the experiences of 16 innovators profiled in Internal Auditing Around the World, starting with robotic process automation (RPA). RPA is deployed in leading IA departments to accelerate and increase the accuracy of routine audit tasks such as data gathering, controls testing, risk assessment and reporting. The experience of the early adopters suggests this technology will soon be as ubiquitous as spreadsheets.
Efficiency is a recurring theme across companies and across industries. As audit committees and stakeholders look to IA for more actionable insights — in the form of predictive analytics and strategic advice, for example — internal audit functions are applying a variety of technologies to produce more useful reports, faster and with greater accuracy. As IA departments set their sights on advanced data analytics and data visualization, some organizations have delegated the tedious and time-consuming task of data-gathering to RPA bots. Auditors at NTT Communications, a subsidiary of Nippon Telegraph and Telephone Corp., are using bots to collect and cleanse expense data from spreadsheets and load it into a database for deeper analysis. The details of what types of data are being collected differ from company to company. The relevant point is that leading IA departments are using bots to perform the burdensome task of collecting data from throughout the organization, through existing user interfaces, and gathering it in a single database where it can be put to greater strategic use.
One use that several companies have found is Sarbanes-Oxley (SOX) and general IT controls testing. Occidental Petroleum is exploring ways to deploy RPA to help reduce the 30,000 hours its internal auditors currently spend annually testing internal controls over financial reporting and IT general controls. “We probably spend about 35% of our time on internal controls over financial reporting and IT general controls,” says Occidental’s vice president of internal audit. “Developing bots that can help us and our co-sourcing partners be more efficient with SOX testing is the next generation of internal audit, too.”
Zain Group, a mobile telecommunications provider in the Middle East, recently completed a successful pilot project using RPA to close a communications gap between an externally managed internal audit management system and the company’s communications server, automating the process of emailing business partners to remind them of unanswered audit questions. Prior to the pilot, internal auditors had to manually upload reports and remember to send follow-up emails. Now information requests go out automatically six weeks in advance, and reminders are sent one week after. The pilot, which was originally limited to one country, was so successful that the company is rolling it out to the whole enterprise.
As IA departments become more comfortable with RPA technology, they are likely to find any number of bot deployment opportunities across the full spectrum of audit responsibilities. One example is using bots to digitize reporting out of a CRM tool and use that to schedule risk discussions with business leaders and to store the notes from those discussions.
These are just a few of the ways RPA is being deployed to help transform internal auditing. RPA is only one aspect of next-gen internal auditing, and the transformation process is still in its early stages. In other posts we will look at how internal auditors are using other methodologies, such as advanced analytics and agile reporting, to add value and meet increasing stakeholder expectations while continuing to deliver on core assurance responsibilities.