Worldwide, audits are going through a significant transformation. Businesses are rapidly automating their operations with cloud-based technologies and robotic process automation, and more people are working remotely. This trend drives the need for strong internal controls, and delivering assurance consistently is of utmost importance. This is an ample opportunity to expand the role of internal audits as a strategic asset while embracing digital transformation. Here, we attempt to understand the challenges, the opportunities and the technological advances needed to achieve the full potential of digitisation of audit processes.
Multiple Business Units across Multiple Firms Are Involved
The Institute of Internal Auditors recently released an update to the three lines of defence model for risk management - published in the Journal of Accountancy.
To illustrate, consider an example of the account opening process in the financial services industry:
- First Line - Business units managing sales are responsible for validating customers’ relevant details before opening an account.
- Second Line - Enterprise Risk Management (ERM) group establishes detailed policies and procedures for account opening and provides oversight with periodic audits and reviews.
- Third Line - Internal and external auditors provide independent assurance on the governance and controls by assessing the effectiveness of the processes and internal controls.
The audit and compliance review processes are complex, lengthy and involve multiple stakeholders from different business units, external vendors and examiners - auditors or government agencies.
Multiple Solutions - Lacks End-to-end Collaboration - Manual Efforts
According to Federal Reserve reports, expenses for personnel are, by far, the largest category, typically representing 60% or more of total compliance expenses.
In most organisations, there are multiple types of audits, multiple auditors and multiple tools. Collaboration involves email trails and semi-structured data handling around LoB (Line of Business) systems. There are no solutions that enable collaboration between auditors and their clients across all audits and involving multiple organisations. This increases dependence on manual processes.
Regulatory Change Management Is Manual
Regulations are either referred to manually or tracked through expensive integration with third-party systems that track and manage rule changes. On average, most financial institutions have to implement at least 2000 pages of regulations annually. The trend is expected to increase with the rapid adoption of Environmental, Social and Governance (ESG) standards worldwide.
Status Reporting Is Always Point-in-time with Data Lag
For all the above reasons, and because of the separation of responsibilities, assurance processes are largely project-centric and not real-time. Reporting involves thousands of hours of manual data management, and the data presented lags by at least 2-4 weeks. Today, pandemic-related issues impact operations in a matter of hours and days. The existing processes are inadequate for effective risk management.
Emerging Technologies and the Ability to Deliver Assurance on Controls
According to the Chartered Institute of Internal Auditors, the role of internal audit is to provide independent assurance that an organisation's risk management, governance and internal control processes are operating effectively. As per Deloitte, the largest accounting firm, the role and responsibility of internal audit functions may vary in scope and authority in different organisations. There is a clear trend that internal audit is taking on a more strategic and central role requiring collaboration between major stakeholders. As firms adopt emerging technologies using machine learning, natural language processing and blockchain, there is an equally challenging task of scaling up audit and compliance to deliver assurance on governance and internal controls.
Internal Organization Structure
In most cases, institutional budgets for compliance are allocated under risk management initiatives or within the core operations of various business units. The impact of regulatory changes is nearly consistent across the business lines. Still, there is no firm-wide approach to facilitating collaboration on regulatory change management and assurance among the three lines of defence. Because vendors are involved through in-sourcing, co-sourcing or out-sourcing models, several thousand hours of manual processes are inevitable. Executive management reporting also involves the manual aggregation of data, resulting in costs of tens of thousands of dollars annually.
As more people work remotely, the traditional project-based business models for audits, compliance, and regulatory services (i.e., visit onsite, deliver services and perform examinations) are not feasible. Clients are exploring ways to simplify their operations with collaboration frameworks coupled with robotic process automation. Service provider firms are exploring tech-based collaboration platforms that deliver end-to-end workflows with integrated regulatory alerts to create a sustainable long-term relationship with their clients.