For many internal auditors, artificial intelligence (AI) may seem like a daunting topic to tackle — but that shouldn’t stop them from considering how they can apply it to their work. Tools and techniques exist that can provide auditors with powerful, straightforward techniques to enhance their work. With an increased focus and urgency around the use of data to support internal audit activities, the time for next-generation pursuits, such as use of AI, is now.
Following up on a previous blog post discussing the basics of AI for auditors, here we offer our thoughts on how internal audit organizations can get started with AI methods, such as machine learning (ML), to increase efficiency and coverage, better assign resources to areas that matter most, deliver more insight and even help identify leading indicators of risk. We also offer a specific example of ML applied to internal audit.
Machine Learning Doesn’t Have to Be Complex
ML is an application of AI in which the system itself is designed with the ability to learn and improve from experience. While ML algorithms vary widely in complexity, there are places to start that are accessible to most, if not all, internal audit groups, including those that are still trying to make progress with “traditional” analytics. One such example is an unsupervised learning algorithm commonly referred to as “data clustering.” In basic terms, clustering techniques aim to find similarities in the data that might not be readily apparent to the naked eye. Clustering algorithms are widely used for applications such as fraud detection, market segmentation and outlier identification. They are typically more straightforward to apply than other types of ML techniques and are an ideal starting point for shops just beginning their ML journey.
Clustering techniques are ideal for situations where the auditor doesn’t know what rules to apply to the data to identify commonalities or outliers. They can be used to discover patterns that the auditor would not necessarily have known to look for: to give the data a voice and let it tell its story. While many datasets may consist of simple transactional data — such as travel expenses or credit card receipts — and will require uncomplicated sorting, filtering and simple rules-based analysis, other datasets may consist of data that is less accessible, such as contract and lease terms, or data that’s buried inside other data. This second group may require more advanced, but still accessible, AI methods, such as natural language processing (NLP), to extract key information and meaning from a variety of data sources.
Identifying Outliers: A Real-Life Example
Let’s look at one specific example. Internal auditors at a large international bank were tasked with testing the effects of data quality issues on collateral data from multiple portfolios. Instead of manually sampling and analyzing sample data, they used ML methods that allowed them to identify statistical anomalies for a targeted follow-up. Auditors developed the necessary routines and procedures and used an ML algorithm (Isolation Forest), to visualize the dataset in three dimensions, enabling them to identify outliers. Those outliers became the focus of their audit attention and helped provide strategic, data-driven insights that the auditors were able to share with management.
The same tools and methodologies from this example can be applied at many points throughout the audit life cycle, from risk assessment and planning to scoping to fieldwork and even at the reporting and follow-up phases. Tools like Alteryx, for example, allow clustering to be done in a low- or no-code environment. In many respects, the tool vendors have done the hard work and have packaged complex methods into easy-to-apply features in their toolsets, significantly lowering the technical barriers to the application of ML.
The important takeaway in the example we gave is that the tool did the heavy lifting, following the parameters set by the auditors to sort the “haystack” and identify the “needles” that needed to be found. It should be stressed, however, that input from auditors is both required and valuable; business knowledge of the auditor is necessary to ensure the right data is used, and a level of technical knowledge is required to ensure proper configuration and application of the tool.
That said, we want internal auditors to understand that ML methods are accessible not only to those with advanced data science, mathematics and coding skills. Many analytic technology vendors have goals to create “citizen data scientists,” to “democratize” data science, and to transition away from code-heavy technologies to intuitive, nontechnical drag-and-drop interfaces. They are starting to make these goals a reality.
AI is a continuum, and not all applications are going to be as accessible or applicable to internal audit. Nevertheless, just as we all learned to walk before we could run, starting with simple AI applications will lead to more advanced ones. As a subset of AI, ML is a good starting point. Applications will advance as competencies grow, and even a simple use case can make a big difference in time saved, population coverage and quality of insights, even for an internal audit organization that has no access to deep data science skills.
The most important requirement to get started with AI in internal audit is having some kind of quality, organized data; the ability to extract that data; at least a base-level understanding of the algorithms and available tools; and the ability to interpret the outputs and apply them to internal audit activities. These requirements are not unique to advanced analytics but form the basis of any analytics work. Further, they are skills that can fit easily into every auditor’s toolbox.
Are you considering an AI tool for your internal audit work? We plan on discussing more use cases for AI in future blog posts. Subscribe to this blog to get them in your inbox.
Rish Dua, Director with Protiviti’s Enterprise Data Analytics practice, and Andrew Struthers-Kennedy, Managing Director and Global Leader of Protiviti’s IT Audit practice, contributed to this content.