In the post before the post before this one, I ranted and raved and screamed and yelled and kvetched and generally became a nudzh about internal audit’s need to kick itself in the tuchus and get involved in the world of bots, robotic proces automation (RPA), and artificial intelligence (AI). (And why is this nice, Bohemian boy using so much Yiddish? I don’t know. Keep moving. Nothing to see here.)
Putting Those Bots to Work
Blogs Mike Jacka, CIA, CPA, CPCU, CLU May 29, 2020
But, in all that eloquent waxing over the need for change, there was something important missing — the meat; solid chunks of what-might-be-done. Let me try to make up for that oversight.
Before going any further, an authorial intrusion. Much of what follows was written at the same time as that previous post. After that post hit the web-o-sphere, I was contacted by people who are doing some amazing things in this arena. (I also got some interesting rebuttals to some of my points. It would be worth your time to read Norman Marks’ response to that post on InternalAuditor.org.) Rather than immediately digging into what others are doing, writing up the results, and taking extra time completing this post and, in the process, making it three times longer, I am sticking with my initial thoughts. Stay tuned for later posts where I hope to share some of the things others are doing.
Let’s start out with an important factor in actually applying the concepts we’ve been talking about. One person called me out for mixing up the terms bots, RPA, and AI. And, as a good (or at least adequate) auditor, I like to define my terms. Unfortunately, that is a bit problematic because, in spite of how long these tools have been in use, I can find no real authority on how these terms differ — how they should be defined. The best I’ve seen is that bots do the work, RPA is the programming that develops the bots, and AI is how bots learn. (As always, if someone has something authoritative on the subject, please share/correct me.)
Maybe not the greatest definitions, but we must work with what we have. So, for purposes of this blog post, I’m going to use the word “bots” in most instances. And, when I use that term, please understand that I am speaking in a broad and general sense. One other thing. AI is a whole ‘nother kettle of fish, so I’m not even going to go down that road. Clear as an auditee’s response? Good, let’s move forward.
One of the first things the internal audit department should do — and it almost goes without saying, but I’ll say it anyway — is to find out where the data is. Determine how you can access it. Start thinking about what that data might tell you. Begin planning how numbers might be crunched. And then start some crunching. I know this sounds basic — but it is important to realize that finding all the data, not just the pieces you need for the one project — is key. By spreading a broad net, you’ll have a better understanding of all the possibilities.
If your department has already been involved in computer-assisted audit techniques (CAATs) and data analytics, much of this has probably been done. But not everyone is up to speed. And, for those who think they’ve already got it under control, it never hurts to go back and double-check. No matter what stage you’re in, start with the data — finding, retrieving, and using the available information.
Nice start, but still a little nebulous; it still doesn’t lay out what bots might actually do for us. So, here are three examples of approaches that have been done or might be done.
(And, one more interruption. For helping me put together the following, a shout out to Bryant Richards, associate professor of accounting and finance at Nichols College, former director of corporate governance at Mohegan Tribal Gaming, and an all-around nice guy as proven by the fact that he is putting up with me.)
Example No. 1: Almost anything related to compliance audits is fodder for RPA. You may already be using CAATs and data analytics in this area, but the tools now available allow even more of the compliance-related work to be turned over to computers. Bots and RPA can be used to pull the data, input that data into spreadsheets, complete the requested analysis, and ship (email) the results on a daily, monthly, quarterly, or as-needed basis, all without opening any file, any database, or any applications. You just have to look at the final results and proceed as necessary.
Example No. 2: One use of bots is to more efficiently identify outliers — individual data points that are ripe for research. For example, bots could be used to go into the payables system (again, daily, monthly, quarterly, etcerally) and dump the data in the appropriate analysis tool. The bots could apply Benford’s Law, spitting out the results which would then be shipped to your attention faster than Amazon Prime Same-day delivery.
Of course, this is only effective if you understand the parameters of Benford’s Law, understand your data sets, and understand if Benford’s Law can be applied to the data. But that is true with any analysis. You have to know the data, know what you want to do with it, know if it can be done, and know how you want it reported. Once these decisions have been made and the bots have been programmed, your time has been freed for review and additional analysis of the provided information.
Example No. 3: At Farmers Insurance, we developed a program that would analyze data from the claims database to identify duplicate payments. As part of a continuous audit approach, we ran the program enough times to feel safe in providing assurance that controls were sufficient. Once we were done, we turned the tool over to the claims department.
A similar program could be developed using bots, once again automating additional steps such as retrieving the data, doing the analysis, identifying the duplicates, and providing a report to the user. But this is an example of how bots and RPA might be used to develop programs that can be turned over to the business, providing additional value from the audit department.
These examples are pretty rudimentary. As I previously noted, I’m getting information about some amazing programs, so don’t let the simplicity and short-sightedness of these hold you back. Great things can be done. But also note that these three examples are all about data.
The potential of bots and RPA goes beyond data to process. Unfortunately, I have no good examples for the world of internal audit … yet. But if we look at how computers can be used to automate processes, we should ask ourselves how much of the actual work done by internal audit might be automated? Electronic workpapers were meant to do part of this — moving information between sections to speed up the process — but we can do more. We have to look closely at the actual work we do, find what is mundane and repetitive, automate it, and then free ourselves to do real thinking.
But here’s the really big news. Once we begin conquering our own world, we can approach the business and say either, “We’ve done this work ourselves, so we have the knowledge to look at the bots and RPA you are using,” or “We’ve done this work ourselves; let us show you how you can use it to make your processes more efficient and effective.” (Imagine if every audit report included a section “Identified RPA Use Cases.” Think we might be perceived as adding a little value?)
Looking closely at the examples, you probably noticed that, in spite of throwing around buzzwords like “bots” and “RPA,” the underlying work is not much different than we have always done. It is just that there are now tools that allow us to automate a significant amount of that work, making it cheaper and easier to get it done. And those tools are pretty darn easy to learn. It doesn’t take an IT expert; it just takes someone who wants to spend a few hours learning how it all works. (Yes, IT aptitude wouldn’t hurt, but the perceived lack of such expertise should not preclude someone from learning.)
Again, I have probably mangled how the words bots and RPA are used. And I’d be appreciative of anyone who can help straighten out those descriptions. But I hope you read past those generalities to get to the main idea: This is how these tools can be used.
And, ultimately, the point of all this is the same as I made at the end of that previous post: It is time we come through on our promise to use the technology. That use is how we will free ourselves to do more important work, and it is how we will keep ourselves from becoming irrelevant.