New Internal Audit Standards raise the bar for CAEs on technology strategies

How CAEs can develop and implement a technology strategy to ensure the audit function is well-equipped to meet the requirements of the Standards.

With the new Global Internal Audit Standards coming into effect soon, internal audit leaders are implementing many of the updates outlined by the Institute of Internal Auditors (IIA). One new requirement that has garnered much attention is the need to create an Internal Audit strategic plan that encompasses every facet of internal audit, including the use of technology. 

While chief audit executives (CAEs) were simply encouraged to use technology in the past, now the focus has shifted to an expectation that the CAE will use technology strategically within the audit function and, more broadly, to facilitate collaboration across the organization. Internal audit’s use of technology is now considered an essential requirement that must be included in the CAE’s strategic plan, along with a budget for purchasing, implementing, maintaining, staffing, and training the end users.

Clearly, the use of technology is now a high-priority component that must be factored into the CAE’s plan and discussions with the board, and the use of technology will expand and become more entrenched in internal audit. This article guides the CAE through developing and implementing a technology strategy to ensure the audit function is well-equipped to meet the current and future challenges of their mandate and the requirements of the Standards.

What do the Standards say about technology?

The new Standards include a detailed section on technology in Standard 10.3 Technological Resources. It specifies CAEs must ensure the team has the technology they need to perform their work and “to improve effectiveness and efficiency.” This Standard echoes a statement in Standard 9.2 Internal Audit Strategy. In the Considerations for Implementation section, the Standards include “the introduction and application of technology when it improves the internal audit function’s efficiency and effectiveness” as an initiative to support the strategy. 

To understand the full meaning of this Standard, we have broken it down into three sections with some ideas on the significance of each. 

1. Establishing and evaluating technology 

Standard 10.3 Technological Resources: The CAE must strive to ensure that the internal audit function has technology to support the internal audit process. The CAE must regularly evaluate the technology used by the internal audit function and pursue opportunities to improve effectiveness and efficiency.

By saying the CAE must strive to ensure technology is in place, the IIA makes this an essential element of the Standards. The Standard raises the bar by requiring the CAE to have a defined technology strategy and approach to using technology to improve the quality of the audit work. The CAE is even required to explain to the board how the team’s work is affected by the lack of adequate technology, just as they would explain the need for additional staff to cover the highest risks to the organization. 

As part of the technology strategy, the CAE should consider the full ecosystem of technology available to the audit function, including audit management solutions, incorporating analytics and automation, using generative AI, and supplementing with technology to fill a specific need. Also, the Standard makes it clear that technology is constantly evolving, so the CAE must regularly re-evaluate the function’s use of technology against the capabilities available to the team now and in the near future. A forward-looking CAE considers how the audit team can better use the technology currently in place within the department, the organization, the market as a whole, and plans for technology in the future.  

2. Training and collaboration for technology

Standard 10.3 Technological Resources: When implementing new technology, the chief audit executive must implement appropriate training for internal auditors in the effective use of technological resources. The chief audit executive must collaborate with the organization’s information technology and information security functions to implement technological resources properly.

This section makes two distinct statements. First, the CAE must ensure the team has the appropriate level of training to benefit the most from the technology. The availability of effective training should even be a consideration when choosing a technology vendor – considering factors like:

  • how intuitive the software is for initial adoption by the end users; 
  • whether the vendor outsources training; 
  • whether the training is provided by individuals who have used the software professionally, such as former auditors;
  • whether trainers should also tailor the training by role, providing advanced training to those who support the applications and basic for the general users; 
  • the option for self-service embedded training within the application, especially for remote workers. 

The CAE should consider the need for ongoing training as the team matures in their use of the software. For example, the team may need basic training for data analytics now, but after a year, they may be ready for more advanced functionality. 

The second statement reminds the CAE not to operate in a silo but to actively partner with the organization’s information technology (IT) and information security (IS) functions. This partnership includes many facets. To start, the CAE should never purchase or implement technology without engaging with the IT/IS teams to ensure the software meets the organization’s technical and security requirements. These teams likely have specific processes to follow to evaluate any potential vendor and software, and they will be involved in the technical installation and implementation of any technology the CAE selects.   

The partnership should also include sharing technology. Sometimes, the IT/IS teams already have access to technology the audit team could use. For example, the IT team may have already implemented automation within their processes. The audit team could leverage the current technology vendor’s contract and internal expertise to add automated testing to the strategic plan while speeding up internal adoption and usage. 

From a different perspective, the CAE is also required to collaborate with the information technology and information security functions on the use of audit and risk management solutions. CAEs should view this statement as an opening to discuss collaborating on a connected risk management platform that benefits all teams engaging in risk management activities. The IT and IS functions that report to the CISO and CTO are conducting risk assessments, and they could leverage the same technology that the internal audit team is exploring. 

3. Communicating the impact of technology limitations

Standard 10.3 Technological Resources: The chief audit executive must communicate the impact of technology limitations on the effectiveness or efficiency of the internal audit function to the board and senior management.

The final section of this Standard requires the CAE to discuss the impact of technological limitations with the board and senior management. While this was not an explicit requirement in the past, some CAEs were having these discussions just as they would have discussed the impact of staffing shortages. Without audit management software, the team would operate inefficiently by manually compiling and reviewing workpapers and tracking issue remediation progress. Without data analytics technology, the team would not perform advanced testing for trends and patterns or have the option to test full populations.

Now, The IIA emphasizes the importance of technology by requiring this conversation at the highest level of the organization. It goes further in the Considerations for Implementation section of the Standard by giving the CAE examples of information to share with the board/senior management:

  • Present a sufficiently supported technology funding request to the board/senior management to justify the need for the technology as a cost/benefit analysis.
  • Demonstrate realized benefits of technology to board/senior management so they can see the effectiveness of the budget allocation.
  • Articulate the current state of technology within the function, a desired future state, and the plan to reach the desired level of technological expertise within the strategic plan. 

Internal audit does not control the organization’s budget, so CAEs need to support their case when requesting a technology budget. The business case should clearly articulate pain points, explain how technology will help resolve the issues, and justify the cost of the technology in terms that are meaningful to the board and senior management. Return to them after the technology is in place to demonstrate how it generates the anticipated benefits.

The new Standards require CAEs to formulate a comprehensive strategic plan with a well-defined technology component. By presenting the strategy to the board and senior management, along with a roadmap for success that includes people, processes, and technology, we will make it easier for them to buy into the strategy and allocate the funding we need to make it happen. 

Five steps to document your technology strategy

Use the opportunity now to document the first iteration of the technology strategy. While deciding what content to include, you can start by referencing the Considerations for Implementation. This area of the Standard provides details on the types of technology to implement and how to build and deploy the technology plan. 

If you do not have a technology strategy to deal with these rapid developments and the associated risks – there is no Plan B.

Standard 10.3 Technological Resources – Considerations for Implementation: The internal audit function should use technology to improve its effectiveness and efficiency. Examples of such technology include:

  • audit management systems;
  • governance, risk management, and control process mapping applications;
  • tools that assist with data science and analytics;
  • tools that assist with communication and collaboration.

To evaluate whether the internal audit function has technological resources to perform its responsibilities, the chief audit executive should:

  • assess the feasibility of acquiring and implementing technology-enabled enhancements across the internal audit function’s processes;
  • collaborate with other departments on shared governance, risk, and control management systems;
  • present sufficiently supported technology funding requests to the board and senior management for approval;
  • develop and implement plans to introduce approved technologies. Plans should include training internal auditors and demonstrating the realized benefits to the board and senior management;
  • identify and respond to the risks that arise from technology use, including those related to information security and privacy of individual data.

Based on this section of the Standard, the CAE would likely follow a five-step process when considering the technology to include in the plan:

  1. Perform a gap assessment to identify technology limitations and opportunities to improve audit projects’ and workflows’ efficacy and efficiency. Then, perform a feasibility assessment to determine the cost and likelihood of success in implementing the new technology.
  2. Collaborate with other departments to ascertain interest in implementing a connected risk platform for shared governance, risk, and control management systems.
  3. Develop a fully supported business case for technology funding requests that require board and senior management approval. The case should demonstrate how the technology will improve assurance and address organizational risks.
  4. Develop an internal audit technology implementation plan that includes measurable KPIs and specific milestones and complies with organizational policy for introducing approved technologies.
  5. Identify and respond to technology risks specific to internal audit, including information security, data integrity, confidentiality, third-party data exposure, data retention, and privacy of individual data.

In Part 2, we provide an example internal audit technology strategic plan to help you get started on your own technology planning efforts.

Richard Chambers, CIA, CRMA, CFE, CGAP, is the CEO of Richard F. Chambers & Associates, a global advisory firm for internal audit professionals, and also serves as senior adviser, Risk and Audit at AuditBoard.

Tom O’Reilly is the Field Chief Audit Executive and Connected Risk Advisor at AuditBoard.