Data analytics and cognitive technologies will result in a reappraisal of how internal audit achieves effective governance.
According to Paul Holland, Technology Director KPMG in the UK: "The application of data analytics, and then artificial intelligence (AI), will result in a reappraisal of how internal audit achieves effective governance. The result will change the three lines of defence model".
We first saw data analytics (D&A) come onto the annual list of top ten concerns for internal audit about 18 months ago. But the reality is that it affects all of the top ten priorities.
This is summed up by a change we think might be coming to the traditional three lines of defence framework adopted by organisations. This separates functions into three: own and manage risk; oversee risk management compliance; and provide independent risk assurance from the internal audit team.
In conversation with some banking clients recently, we concluded that automation is going to become so embedded it will leave fewer reasons to distinguish between the second and third line.
That poses some tough questions. When lines of defence blur, management may struggle to hold people to account with crisp and defined responsibilities. History tells us that bad things can happen when those duties aren’t clearly delineated. And particularly in financial services, the conventional lines of defence are as much imposed by regulators as by firms.
Nevertheless, it will soon be possible for all interactions, processes, transactions and decisions to be continuously and passively monitored. Issues will be flagged for escalation, but much of the risk monitoring and compliance will be automated. That’s just as well: data from enterprise systems and beyond have become a torrent, making machine analytics a vital tool, regardless of structural changes to the three lines.
However, the systems that do this will have to be trusted – because we will be so utterly reliant on them. Internal audit teams will have a crucial role in calibrating and evaluating the performance of these technologies.
We’ll need a function to set standards and policies – work currently done in the second line of defence.
But do we really need to continue to separate the setting and application of policies the way they are now? Perhaps technology is opening the possibility of rationalising how tasks and responsibilities are assigned across the three lines.
We’re certainly seeing frontline management seek out analytics capabilities, previously the preserve of specialist functions. Among risk professionals and those charged with oversight, new levels of detail about (and responsiveness to) real-time operations are changing the relationship with management.
This has profound implications for the people hired in internal audit teams. If you want the best talent, you need to demonstrate you’re building an innovative and exciting environment in which to work. People aren’t interested in mundane processes and generating rote reports. They expect technology to automate the menial work so that they can focus on strategy and policy, on influencing behaviour more tangibly and on supporting the organisation in its responsible use of new technologies.
Control and risk management are still vital, especially at a time when change continues to accelerate thanks to disruptive technology. But that emphasises the need for IA and other risk specialists to focus on the design of policies as much as checking on their application. Fixating on the other, more menial, tasks will leave organisations less adaptable – and less attractive.
Paul Holland is Director, Technology Risk Consulting at KPMG in the UK.
Andrew Shefford is Head of IT Internal Audit at KPMG in the UK.
© 2020 KPMG LLP, a UK limited liability partnership, and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative, a Swiss entity. All rights reserved.