Advising on the risks of new technologies

Internal Audit in the age of digitalization

Widespread technological advances—commonly referred to as Industry 4.0 or the fourth industrial revolution—are rapidly reshaping business. They're also making an impact on Internal Audit (IA) as the function must address the spectrum of financial, operational, organizational, regulatory, and technology risks associated with digitalization.

Internal Audit’s mandate: Proactively assessing new risks

A host of technologies is rapidly advancing Industry 4.0, including more interconnected and powerful networks, high-performance computing, and the advent of digital tools, such as data analytics, robotic process automation (RPA), and cognitive intelligence (CI). Combined, these technologies are changing business in profound ways.

As companies continue to adopt emerging technologies, IA must proactively assess and gain insight into the risks of new technologies. Doing so will enable IA to assess whether appropriate controls are being implemented to prevent and detect new and emerging risks.

In this report, we take a closer look at the specific risks associated with digitalization and offer five practical considerations to help IA departments assess those new digital technology risks.

Disruptive digitalization

Disruptive digital technologies build upon—and extend—foundational and analytical technologies. By introducing new automation capabilities through RPA and CI, disruptive digital technologies can offer IA large gains in efficiency and effectiveness. Many leading companies have adopted one or all of the technologies shown in figure 2 to manage their day-to-day operations.

Digital technology risks: Five key categories

When introducing these RPA and CI technologies into the ecosystem, enterprises are exposing themselves to potential risks that need to be addressed. We classify these risks into five key categories.

  • (1) Poorly designed RPA and CI technologies, coupled with the high execution speed of bots, can multiply processing errors.
  • (2) Ineffective bot oversight procedures can lead to high-impact operational errors.
  • (3) Disparate approaches for applying RPA and CI technologies to business problems can lead to a non-standardized environment and increase complexity with the oversight of bots.
  • (4) Input data provided by developers to train the algorithms used for CI technologies may be incomplete, outdated, or biased. Or it may have an insufficiently large and diverse sample size. In addition, inappropriate data collection methods may result in a mismatch between the data used for training the algorithm and the actual input data used for the operations.
  • (5) Flawed assumptions, inappropriate modeling techniques, coding errors, and overfitting of automation algorithms to training data can present more operational risk.
  • (6) Many RPA and CI technology vendors are quite new and not fully mature, presenting third-party vendor and financial risk.

  • (1) Improper implementation of RPA and CI technologies can result in financial and reputational losses to the organization.
  • (2) Financial misstatements due to misalignment or misconfiguration of RPA and CI technologies may result in significant deficiencies or material weaknesses in internal controls over financial reporting.

  • (1) A change in law or regulation can materially impact early adopters of RPA and CI technologies.
  • (2) Some highly regulated processes (e.g., data privacy) may be "off limits" for bot automation.
  • (3) Incorrect and/or incomplete regulatory reports generated through RPA and CI may result in regulatory issues and expensive fines.
  • (4) Bots may act in ways that contravene existing laws (e.g., learning algorithms may result in illegal discrimination against minorities).
  • (5) Data privacy standards and regulations may be at risk of non-compliance if the software bots used to collect confidential or restricted information aren't implemented with strict protection controls.

  • (1) The replacement or repurposing of full-time employees (FTEs) may negatively impact employee morale.
  • (2) Misalignment across groups may lead to gaps in roles and accountability.
  • (3) Missing standards around executing changes to bots may impede change management processes.
  • (4) A single bot may be equivalent to multiple FTEs, resulting in concentration risk.
  • (5) The nascent deployment of bots may introduce training challenges among stakeholders.

  • (1) The impact of routine maintenance changes to the existing information technology (IT) platform may need to be regression-tested for dependent robotics implementations.
  • (2) The "black box" reality of the automation algorithms limits transparency into the workings of the technology.
  • (3) A software bot will require credentials to access data, systems, and applications. And like any other system user, a bot can present information security and access control challenges.
  • (4) Bots may be used inappropriately to perform tasks or scrape data from the applications. They're also more susceptible to a number of cyberattacks at the hardware, firmware, or application level.
  • (5) Business continuity and disaster recovery programs must account for the risks that the implementation of advanced analytics and RPA and CI technologies present.
  • (6) Data provided to train a bot can be incomplete, outdated, or irrelevant, resulting in an incorrect outcome.
  • (7) Improperly designed bots working faster than agreed-upon service-level agreements may overwhelm existing IT systems.

Auditing digital technology risks

Assessing the impact of RPA and CI technologies on the existing controls environment, including new risks, is imperative to the successful adoption of these new-age technologies. But there's no need to reinvent the wheel. These risks can be addressed by extending existing approaches to managing enterprise risk. When assessing these technologies, IA should find a balance among its responsibilities to:

  • Assure: Providing traditional assurance
  • Advise: Acting as a trusted adviser
  • Anticipate: Preparing for new risks on the horizon

Five considerations for Internal Audit

As companies continue to adopt disruptive technologies in order to gain tangible operational efficiencies, IA departments must keep pace. Here are five practical considerations for how IA departments can contribute:

Strategic planning and alignment. IA departments should create the strategic vision, goals, and road map on how they plan to audit processes that will be automated via RPA and CI technologies and advanced analytics.

Risk assessments. IA should begin the risk assessment of RPA and CI automation as early as possible. Due to the rate of technological advances and adaption, it's critical that IA assess the risk associated with digitalization continuously.

Analytics and dashboards. Leveraging analytics to design dashboards that provide IA departments with a detailed picture of the health factors of the RPA and CI technologies will help IA stay ahead of the curve.

Training and recruitment. IA professionals must adopt and adapt to the impending automation change. In addition, senior management should inject fresh perspectives and knowledge by recruiting subject matter specialists (SMSs) from other departments or other companies.

The power of internal audit automation. IA departments should consider opportunities to leverage advanced analytics and RPA and CI technologies to automate the audit life cycle. Internal audit automation allows IA functions to modernize their approaches to performing audits. It can also offer key insights on the challenges and risks posed by adopting these disruptive technologies.

The rate of adoption of disruptive digitalization technologies may be different for each company. Therefore, the preparedness level of each IA department to respond to the risks posed will vary.

But the overall challenge remains the same: Get comfortable with discomfort. And brush up on what IA can do to deliver assurance and advice in the age of digitalization.

To read the full report, download Auditing the risks of disruptive technologies: Internal Audit in the age of digitalization.