Intelligent automation has the potential to transform nearly every aspect of business. It can increase the speed, operational efficiency, cost-effectiveness and accuracy of activities in IT, HR, operations, finance and more. Workers can generate more impactful insights and make smarter decisions more quickly. Intelligent automation can automate simple or repetitive tasks, but it can also do knowledge work, thanks to big data, predictive analytics, process robotics, natural language processing, machine learning and A.I.
However, managing risk through this new digital frontier has become a major challenge for most organizations. This is where internal auditors are playing an increasingly important role: The internal audit function can help to focus the integration of governance, risk, and controls considerations throughout the automation program lifecycle, and it can help identify opportunities to embed automation-enabled control activities within a variety of business processes and functions.
There is a very close alignment between the risk and performance objectives of IT and internal audit’s capabilities around intelligent automation, says Michael Smith, intelligent automation leader for internal audit at KPMG. “Both IA and IT want to see risk well-managed and automation programs well-governed,” he says. In addition, internal audit sits across the entire organization, so it has a broad view across silos. “That allows internal audit to have a perspective on where the opportunities exist to leverage automation into processes and weigh in on governance,” he explains. “Where IT and internal audit are collaborative and partnering, the automation efforts are more meaningful and yield much better results.”
So how can organizations best capitalize on intelligent automation while maintaining proper controls? For the best results, internal audit and IT should look at automation opportunities within an IT process or control and consider how to automate the validation component as an end-to-end improvement in risk management, says Nicole Lauer, KPMG’s IT Internal Audit services leader. “Many internal audit shops are focused right now on using automation within their own function, but recognize that they can also add value by bringing broader insights on how to do things better for the company — getting the company away from manual efforts to focus on more strategic areas,” she says. “IT has a resource in internal audit they may not be aware of for those ideas.”
Key opportunities for internal audits across the three lines of defense
All three lines of defense across the company are ripe for internal audit involvement in automation. For IT, as well as other functional owners across the enterprise, internal audit can serve as a key “automation advisor” on assessing the impact automation initiatives have on systems and controls to address the organization’s dynamic risk profile.
For the first line of defense, there are opportunities for IT to take advantage of internal audits in areas such as user access and change management. “User access is often a place where IT gets started with intelligent automation, because that data is more structured,” says Smith. With the second line of defense — those with oversight over policies and standards — internal audit can help identify opportunities to leverage intelligent automation within monitoring controls, regulatory compliance monitoring, policies, and reporting activities.
Finally, internal audit can itself leverage automation as the third line of defense: Seizing automation opportunities can help internal audit reduce its costs, improve outcome quality, and drive additional value within the internal audit organization.
“Connecting the cost and benefits drivers across those three lines of defense creates better use cases for intelligent automation,” says Smith. “It’s a way to drive broader savings and efficiency and promulgate the optimal control framework going forward.”
To that end, the audit function should be seen as a champion of the organization’s goals for leveraging automation, rather than a roadblock that will impede its progress.
“Don’t be afraid to engage internal audit,” says Lauer. “From the IT standpoint, don’t assume they’re going to say no — instead, see them as an enabler that you can engage with early on in the intelligent automation journey.” Keep in mind, she adds, that IT is not always the function that owns the intelligent automation programs within the company. But IT often becomes an enabler of the automation and the steward of protecting the automation assets, so engaging with internal audit from the beginning can be beneficial when it comes to issues such as security and access control, change management, and monitoring of the technology and the overall program.
Drive greater value by partnering with internal audit
Whether your intelligent automation program is just beginning or is already up and running, internal audit can add value by collaborating on use case portfolios and automation governance programs. A thorough internal audit review of intelligent automation will cover strategy, technology, process, personnel, controls and program management/governance.
“I think it’s a critical and exciting time within the internal audit profession,” says Smith. “We’re at this inflection point with a growing suite of advanced technologies that we can use to drive significant value when partnering with the organization, especially IT.” If done right, partnering with internal audit around intelligent automation can provide more assurance and greater value to the organization.