Do these questions sound familiar? Probably yes, as these tools simply are the new enablers of the phenomena we have been calling "end-user computing" for quite a while.
A few years ago, when we started to recognize the end-user computing phenomena, we simply had a "wizard" in the audit team who could do things in spreadsheets or databases that others didn't even know were on the menu. With the rise of self-service tools, these wizards have grown a following of apprentices, and now the person we used to call "wizard" wants to be known as a "citizen data scientist" or "citizen developer," depending on the tools that individual most commonly uses.
As long as you are willing to learn, these wizards will show you how to replicate their tricks in your projects. But as amazed as we are, our wizards are the first to recognize that they are not the top of the heap. Being a "true" data scientist/data engineer/programmer (a specialized professional) is not the same as what they do as a "citizen" data scientist or a "citizen" developer (a handy amateur).
Although they are "amateurs" or "hobbyists," these citizen developers are the ones who create our business intelligence dashboards, process our data so the rest of us can use it, develop bots to simplify our jobs, and perhaps design and oversee automated workflows to collect and route information to others in the team who need it. They get the job done, not because they are technical masters, but because they are "good enough" at what they do, and really understand what you are trying to get done (business acumen).
Because of their ability to produce results and their dual nature of business and technical, when audit teams considered end-user computing, we didn't choose to contain these wizards. Yes, we did recognize that some level of controls had to be put in place. We wanted to make sure we knew what decisions they were making with their tools, and we also wanted to ensure that these decisions were made at the right level of authority, regardless of technical expertise. With those guardrails, we actually chose to enable these wizards in the departments we were reviewing and embedded them in our own teams.
Since the amateurs can do the job, does this mean the end of professional services? Can we accept that we are all finally equally good? No, and no … definitely not.
Actually, we have been dealing with fields of amateurs and professionals forever. For example, we still want our doctors to go to medical school, but maybe we check with mom before running to the emergency room. The same happens when the car "is making a sound," and you have to decide between taking your car to your brother or to the shop.
Sometimes it is not even our decision. It may happen as we listen to our neighbor's tribute garage band when we arrive home versus going to a concert of the band they cover.
In all these examples, we simply exist on a tiered ecosystem that starts with "elementary school art class," moving into "mass-made available at the supermarket," to "crafts," to "fine arts." The environment is large enough to accommodate all these options, and the people playing in each tier are the first to recognize their skills and limitations.
So how do auditors navigate this new ecosystem when it comes to our professional or citizen developers and data scientists? Perhaps we deal with it the same way we treat other end-user computing tools and teams: We try to understand the scope and impact of the work to be performed and make sure it is appropriate.
Basically, if your proposed bot will simplify something you already are doing, go ahead and craft it with your friendly neighborhood data scientist. If all hell could break loose when the process is not completed, then make sure the new tool is developed with the support of your IT team, following all their development stages, and perhaps even buy a plug-and-play solution.
Doing this will enable you to use your citizen/self-service tools and experts to get started, run proofs of concept, and complete rapid prototyping and test deployments to keep pushing performance and sometimes enable new opportunities or skills for you and your team. If your proof of concept is effective and transformative, you may graduate it from your "science fair" installation into an institutional tool established in collaboration with your IT team and other experts.
Is this consistent with your experience? Let me know in the comments.
Francisco Aristiguieta, CIA, is responsible for internal audit analytics at Citizens Property Insurance Corp. in Jacksonville, Fla.