Home / Resources / ISACA Journal / Issues / 2021 / Volume 4 / How Can AI Drive Audits

How Can AI Drive Audits?

Author: Shini Menon, CISA, CISM, CDPSE
Date Published: 30 June 2021
Related: Auditing Artificial Intelligence | Digital | English
français

Auditing is viewed as a manual, subject-matter-driven, tedious and sometimes highly subjective practice. With the digital disruption that surrounds IT professionals, it is time to explore how the next generation of artificial intelligence (AI), natural language processing (NLP) and machine learning (ML) techniques can help the audit profession. There are several facets of these technologies that may come in handy during the life cycle of audits and beyond, and it is helpful to understand how similar techniques have been applied in other IT and business scenarios. Understanding the opportunities that AI presents can be a stepping stone to understanding the benefits of AI, NLP and ML and their many uses.

Auditing in the Digital Age

The practice of auditing is more than a century old. What began as an accountant’s job is now practiced across industries, with sophisticated focus on meeting regulatory requirements or performing risk-based audits. Although the types and methods or models of auditing have evolved over time, the auditor community has faced significant problems ranging from improper audit planning, ignorance toward changing and evolving risk, auditor bias, misalignment with auditees, and skewed data samples.

The auditor’s role in the Digital Age needs to evolve and adapt in a manner in which audits are a mechanism to identify patterns and trends from large data sets. These insights provide support for risk assessments, project scoping, and proactive and early identification of potential issues, among other things. For example, in today’s rapidly evolving technology landscape, existing AI and ML techniques not only detect fraudulent transactions and identify high-risk issues such as unknown system activity from user endpoints, but learning models can also be built from such interventions.

AI Intervention

AI is a unification of several subgroups of technologies that enable computer programs to mimic human intelligence and decision-making skills. These mainly include ML, NLP and robotics. Figure 1 illustrates the landscape of the AI universe. Many of the topics in figure 1 can be potential problem solvers to several known issues and areas of concern within the auditing realm.1 For example:

  • There can be improvements made in the analysis of process documents and in increasing the audit data sample size.
  • Since auditing involves a great deal of unstructured and structured data, NLP-based algorithms can be used to detect issues categorized by topics or areas of focus.
  • Audit time can, potentially, be reduced by more than 50 percent given the hours spent in auditing and reviewing.

There are many such scenarios and mechanisms for using AI in audits.

Challenges and Problems of the Digital Age: Are We Looking at the Right Data?

For any AI program to be successful at solving auditing problems, it needs to target the problems of data and data sets. In this regard, the answer to all of the following questions must be “yes”:

  • Is the origin or source of the data known?
  • Are the data easily accessible?
  • Are the data well rounded and reliable (i.e., is data integrity assured)?
  • Is the single version of the truth (SVOT) agreed upon?

In the past, the audit teams’ focus has been on leveraging governance, risk and compliance (GRC) technology in terms of reviewing and verifying audit governance. For example, audit teams have used popular GRC tools such as RSA Archer, MetricStream or ServiceNow to perform semiautomated tasks that they may previously have done manually. Currently, there are several AI components available that can be used to solve data and sampling issues and other internal audit problems. Many GRC platforms can process data only into reports and may not be able to derive intelligent insights or help with data/sampling issues on their own.

The Other Side of Auditing AI Subset: What Are the Other Critical Problems?

Any audit program can be measured using the following parameters to gauge its effectiveness/success:

  • Environment—The factors impacting the work of the internal audit function
  • Output—The end results of the audit function
  • Quality—The quality of end results
  • Efficiency—The measure of output and quality of results vs. costs
  • Impact—The impact of audit function on an organization’s effectiveness

Each category should have several performance measures. Some of these performance measures are subjective, such as the ability to measure output (e.g., the number of times the auditing output was directly proportional to overall post-audit, process compliance). Another measure is efficiency (e.g., the percent of audits that can be completed under eight hours per audit). However, the challenge is to enhance output, quality and efficiency of audits based on automation of time-consuming and human-intensive tasks in the audit process without affecting the impact of the audit exercise. The key AI enablers in the audit process are:

  • Predictive analysis—A mechanism to predict a trend with data or an evidence sample size while auditing a specific area, e.g., predicting noncompliance to user offboarding based on quarterly data
  • Robotic process automation (RPA)—Semi- or partial automation of auditing steps such as data extraction from data sets into Word/Excel as part of large audit and risk assessments2
  • NLP—Automating repetitive tasks via voice commands targeted at manual and repeat checks
  • Natural language generation and ingestion—Creation of an NLP-based bot that could ingest and learn new commands such as reconciliations or checks based on checklists if the type of audit varies

Return on Investment: Short-, Medium-and Long-Term AI Enablers

Figure 2 summarizes the automation/AI scope for each step of the audit workflow.

THE BIGGEST OPPORTUNITY FOR RPA, ML AND AI TO WORK FOR AUDITING IS TO PROVIDE INSIGHTS AND INTELLIGENCE REGARDING THE SEA OF DATA.

It is evident that RPA, NLP and predictive analysis are some of the techniques that could bolster the way auditors approach audits.3, 4

Opportunities of Effective Optimization Using AI/ML and RPA for Auditing

Auditors must deal with a sea of information and data presented in response to compliance and other areas. It often seems impossible to consistently make sense out of audit samples. The biggest opportunity for RPA, ML and AI to work for auditing is to provide insights and intelligence regarding the sea of data. These opportunities include the following:

  • Reduction in data processing cycle time
  • Reduction in oversight errors during auditing
  • Replacement of time-intensive, laborious activities (such as verifying evidence) with RPA
  • Ability to make predictions and derive intelligent insights (from available evidence)

What Is the Risk?

Although taking advantage of AI, ML and RPA can benefit an organization, it is also important to understand and consider the risk involved:

  • Using AI tools built by humans introduces the ethics and bias of human judgement and stereotyping.
  • Inadequate testing of AI outcomes can produce questionable results or audit outcomes.
  • Human logic errors might hinder the development of AI algorithms used for auditing.

Specific Use Cases

The application of AI and ML techniques can be extrapolated in the audit life cycle. Techniques and their uses to be considered are illustrated in figure 3.

Typical Applications in IT/Business Areas

There have been several applications of AI and ML in other fields such as anti-money laundering. Detecting fraudulent transactions, performing data quality checks, negative news screening and processing have all been successfully automated via AI/ML techniques. Implementing AI or ML for large multinational corporate banks leads to big savings in manual overhead and reconciliation efforts.

For example, a large multinational IT services firm helped a retail giant automate product order and product requisition form filling via NLP and the use of Alexa commands. It reduced manual errors, oversight and human intervention in repetitive tasks.

Several legal firms can now use state-of-the-art AI and ML platforms to search, retrieve and derive meaningful insights from copious documentation and records based on regulatory and legal needs/jurisdiction requirements.

Conclusion

There are many ways to improve audits over time with help from AI, ML and NLP techniques. However, the challenge lies in whether subject matter experts view these technologies as either a black box or a subject that is hard to interpret or understand. There may be very few professionals who are proficient in the IT domain or functional experts able to successfully implement AI and ML. IT professionals should adopt these techniques to better optimize the auditing field and beyond. A world where IT and auditing professionals are able to use RPA/AI/ML to their advantage will produce more insightful, efficient and measured work products.

Endnotes

1 Parekh, N.; “Inside Product: Technology Landscape of Artificial Intelligence,” Medium, 20 March 2018, https://becominghuman.ai/inside-ai-series-artificial-intelligence-technologies-across-processes-systems-and-computations-5e31eab21117
2 The Institute of Internal Auditors (IIA), Artificial Intelligence Part 1—Considerations for the Profession of Internal Auditing, USA, 2017, https://iia.no/product/artificial-intelligence-considerations-for-the-profession-of-internal-auditing/
3 Accenture Consulting, Evolving AML Journey: Leveraging Machine Learning Within Anti-Money Laundering Transaction Monitoring, USA, September 2017, https://www.accenture.com/_acnmedia/pdf-61/accenture-leveraging-machine-learning-anti-money-laundering-transaction-monitoring.pdf
4 Deloitte, Adopting Automation in Internal Audit: Using Robotic Process Automation and Cognitive Intelligence to Fortify the Third Line of Defense, USA, 2018, https://www2.deloitte.com/content/dam/Deloitte/us/Documents/risk/adopting-robotic-process-automation-in-internal-audit.pdf

Shini Menon, CISA, CDPSE, CSM, GRCP, GRCA, SA

Is associate director at KPMG advisory. She has more than 14 years of experience working with Fortune 100 and 500 clients in the pharmaceutical, banking, hedge fund, retail and government sectors and has led the implementation of large- to medium-scale programs for information security, process and controls definition, risk management, and enterprise governance. She has experience building and developing GRC solutions for complex regulatory compliance and audit requirements. Previously she worked with PwC, MetricStream, Oracle and Siemens Research. She has published several papers on GRC, notably with the ISACA® Bangalore Chapter (India). She is a member of the Open Compliance and Ethics Group (OCEG), the Global Association of Risk Professionals (GARP), and other notable consortiums. Menon has also won accolades as a digital accelerator and with “Be the Navigator,” where she helped develop a rule-based keyword search engine, and she has led several proof-of-concepts on artificial intelligence and blockchain-based pharmaceutical compliance.