The Evolution of Internal Audit in a Digital-First Environment

Biju Nair
Author: Biju Nair, CISA, CRISC, CFE, CIA, CISSP, CRMA
Date Published: 13 July 2022

When leaders at a new digital bank were putting together a job description for their first chief audit executive (CAE), they knew they were looking for more than a candidate who could perform conventional internal audit functions. In this real-world workplace anecdote, instead of reinventing the wheel, they simply added a line to the candidate requirements: “The candidate is expected to have deep understanding of the latest developments in technology, cybersecurity and data analytics.” This line not only sums up the additional qualifications that have come to be expected from the CAE role, but also defines the characteristics of an audit function that operates in a native digital environment.

The global COVID-19 pandemic transformed the way enterprises do business and prompted a surge in digital acceleration. It could be said that the world is experiencing a digital revolution rather than a digital evolution. This revolution has brought about unprecedented challenges—and tremendous opportunities.1

What Is a Digital-First Business Model?

In a digital-first business model, all business opportunities are conceived, planned, and executed with an end-to-end digital experience in mind for the benefit of customers and internal stakeholders. Further, all legacy processes are digitized for better efficiency. Decision-making is much faster for digital-first enterprises because of the interlinking of data elements, which helps establish clear trends and patterns.

Business transformation in a digital-first environment is driven by 3 factors:

  1. Intelligent automation and cutting-edge technology—Whether an organization uses robotic process automation (RPA) or artificial intelligence (AI) for decision-making, technology has become so embedded in business processes that there seems to be no way to decouple one from the other. In an environment where data are the lifeline of decision-making, underlying customer data have become tightly integrated with technology and business processes. Thus internal auditors must change the traditional approach of providing control assurance through operational processes.
  2. Changing customer expectations and investor behavior—User interface (UI) and user experience (UX) have become a crucial part of digital-first business models. This, combined with the emergence of investor activism and environmental/social/governance (ESG) obligations that have captured the attention of customers and investors alike, has introduced new considerations for today’s internal auditors.
  3. The mobile workforce and employee engagement transformation—The COVID-19 pandemic has drastically changed employee expectations and behaviors. In 2021, the term “The Great Resignation” was coined as unprecedented numbers of employees quit their jobs.2 Maintaining a remote workforce has stretched many IT departments and human resources (HR) policies to their limits. Internal auditors have been forced to focus on risk and controls that were previously restricted to privileged users within the organization. Further, the new work culture warrants internal audit performing an assessment of an organization’s culture and ethics as part of their audit plans.

How Internal Audit Can Keep Up With Digital Transformation

Internal audit functions cannot continue to use legacy methodologies in a digital-first environment. The internal audit function must undergo a holistic digital transformation to be successful. This not only requires internal auditors to use technological tools for delivering internal audit mandates, but it also calls for a mindset change and skill set adaptation.

The internal audit function must undergo a holistic digital transformation to be successful.

The internal audit function should aim to achieve several objectives as part of its transformation to a digital-first internal audit function:

  • Digitized risk assessment—Traditional risk assessment methods should be replaced with a more collaborative and participative approach that is fully digitized. A suggested method for determining residual risk indicators is to prepare a risk assessment questionnaire using the organization’s enterprise risk management (ERM) tool or a more basic tool if needed (e.g., SharePoint, Microsoft Forms). The questionnaire should include generic questions about risk across the enterprise and specific questions about the specific entity/unit being assessed. Appropriate weightage should be assigned to each question based on the applicability and potential impact of control failures addressed in the question. A weighted average is determined based on the questionnaire for the specific unit. This is known as the Self Confidence Index.
    The internal auditor overseeing the respective units independently rates the same control elements in the questionnaire based on their expertise, operational losses and near misses and all other parameters used during the traditional risk assessment process. The auditor also factors in the control effectiveness score based on previous audit reports and on the Risk and Control Self-Assessment (RCSA) of the respective unit. This is known as the Inherent Risk Rating.
    The Residual Risk Rating used to finalize the audit plans is determined by giving appropriate weightage to the Self Confidence Index obtained through the self-assessment of the unit and the Inherent Risk Rating provided by the internal auditor.
    This approach not only provides a fully digital risk assessment methodology, but also enables a collaborative approach to risk assessment, which is essential for today’s dynamic digital business models.
  • Audit execution—A digital-first internal audit function predominantly uses Agile auditing and continuous auditing methodologies to give assurance to its stakeholders.
    Agile audit methodologies have gained more traction in recent years, but are currently practiced without a standard to use for benchmarking. However, the use of Scrum boards3 to track the progress of sprints and key stakeholder involvement during daily stand-up meetings has become more common for Agile audits. Alternatively, a more fluid Kanban approach4 can also be used to execute audits supported by Kanban boards and a visualized approach.
    Agile audit methodologies help achieve a faster turnaround time for audit reports due to the agreed upon audit observations and the mutual agreement on the risk associated with the identified control gaps. Further, the single view of the audit progress being shared through Scrum/Kanban boards allows for better visibility and more involvement from the auditees.
    Continuous auditing has been practiced by internal audit functions for several decades. However, the level of digitalization achieved by enterprises in recent years has enabled a more holistic approach to be implemented in continuous auditing. The interlinking of data and the analysis of big data in real time helps internal audit functions be more proactive in identifying potential control failures. There are now tools available for internal audit functions to correlate incidents from the past to predict with reasonable accuracy whether the potential risk could materialize into control failures in the future. If internal audit can provide such visibility to management based on factual data, its value as a proactive function will be acknowledged by all stakeholders.
  • Reporting—In a digital-first business model, there is no place for physical reports that are printed on hundreds of pages. In fact, many audit departments have moved to a paperless environment even without digitalization as part of environmentally friendly initiatives driven by ESG responsibilities determined by the board of directors (BoD).
    Audit committee packets with hundreds of pages that are submitted periodically (e.g., quarterly) do not reflect a digital-first enterprise’s core values. Internal audit functions within digital-first organizations should adopt a dynamic continuous reporting methodology with escalations based on incident severity. A visual representation of outstanding issues and underlying risk ratings through dynamic dashboards developed using visualization tools such as Tableau or Power BI can reflect well on internal audit’s digitalization journey.

Conclusion

Digitalization of business processes and digital-first business models have accelerated the transformation of internal audit functions in recent years. Audit departments are at various stages of the maturity curve when it comes to adopting a digital-first audit methodology. Digital transformation will only accelerate in the future as more organizations move to explore business opportunities in new areas such as the Metaverse5 and nonfungible tokens (NFTs).6 Internal audit as a function and internal audit leaders as change agents must adapt to this accelerated transformation to continue to add value for stakeholders.

Endnotes

1 PricewaterhouseCoopers, Reimagine Digital: Digital-First for Growth, Singapore, 2020
2 PricewaterhouseCoopers Namibia, HR Matters, 1st Edition, Africa, March 2022
3 Chappell, E.; “How to Build and Use a Scrum Board (With Examples),” ClickUp, 7 April 2022
4 Coursera, “Kanban vs. Scrum: What’s the Difference?” 26 May 2022
5 Abbott, M.; J. Murray; D. Guenther; “Banking in the Metaverse: The Next Frontier,” Accenture Banking Blog, 23 February 2022
6 Conti, R.; J. Schmidt; “What Is an NFT? Non-Fungible Tokens Explained,” Forbes, 8 April 2022

Biju Nair, CISA, CRISC, CFE, CIA, CISSP, CRMA

Is the chief audit officer for Zand, a full-fledged digital bank launching in the United Arab Emirates. He has more than 25 years of experience in the financial sectors in India and the United Arab Emirates. He is an established information security, internal audit, corporate governance and risk management professional. Nair spent 12 years as the head of the internal audit function for various banks in Dubai. He has served on the board of the ISACA® United Arab Emirates (Asia) Chapter for several years and has been a mentor for many young professionals in the audit and security domains.