Ideagen Insights
Welcome to Ideagen Insights, Ideagen’s official audit and risk management podcast channel! In each episode our host, Stephanie Jones, is joined by experts in the audit and risk management industry. Stephanie is Ideagen’s Audit Product Manager. She has more than 12 years of Internal Audit experience and was recently named one of the nine District Advisors for the IIA in North America. Together, Stephanie and our guests explore and evaluate topics that are of interest to audit departments and are key business risks to organizations across the globe. Visit www.ideagen.com to learn more.
S1EP4 - Internal Audit and the Risk of Digitalisation and Disruptive Technology
Welcome to Ideagen Insights, Ideagen’s official Podcast Channel. In our introductory series, we are exploring the biggest issues facing Internal Auditors across Europe and North America in 2020. In our fourth episode, Stephanie is joined by Jason Webb, Head of Research and Innovation at Ideagen, to discuss Internal Audit and the Risk of Digitalisation and Disruptive Technology. Join them as they explore the risks of Digitalisation and Disruptive Technology and the steps Internal Auditors can take to protect their organisation.
Stephanie Jones 0:00
Hi everyone and welcome to Ideagen's official Podcast Series focusing on the biggest issues facing internal auditors across Europe and North America in 2020. My name is Stephanie Jones and I am the Product Manager for Pentana Audit and Pentana Risk at Ideagen. I'm joined today by Jason Webb. Jason, if you could introduce yourself?
Jason Webb 0:29
Hi, thank you, Stephanie. My name is Jason Webb, I'm the head of Research and Innovation at Ideagen. My job is to look at disruptive and innovative technologies for Ideagen, and see how it affects our customers.
Stephanie Jones 0:41
Thank you, Jason. In each of these episodes, we look at a very specific topic identified as a key business risk by European and American branches of the IIA and evaluate how these impact the internal audit departments. So today, we are going to talk about digitalization, disruptive technology and other innovation.
So thank you, Jason, for joining me on this podcast, and this very important topic. So despite 58% of Chief Audit Executives reporting that digitalization, disruptive technology and other innovation as being a top five risk, and 18%, by the way, claiming it's the number one risk, only 30% of Chief Audit Executives say that they are spending significant resources on this risk. Why do you think that is?
Jason Webb 1:33
I think a lot of people, it's not very visible in the organisations. If you talk to our small and medium and large customers, there's a lot going on that they haven't got any awareness or governance of. So typically, we're getting, you know, where's my data and where's my apps? Well, a lot of the apps that we used to have on premise are now in the cloud. And, again, part of that is, that's a good thing, it makes your business more agile, well, that's part of the pitch.
But it does expose yourself to more risk in the organisation because you have no knowledge of what's going on. Because IT aren't in control anymore. And there's no corporate governance in this, it's kind of back to the Wild West scenario that we had in the 80s, where people would do their own thing. And that's a big problem for businesses, because you just lack the control of all the things going on in the organisation.
And I know, audit does have an unenviable task of actually trying to tie all this together and working out what's going on. But it's actually much more difficult in this era of digitalization and extreme change, to actually tie them together. So, people aren't aware that there's a big problem here. It's not they're burying their heads in the sand. They just don't know what's going on. And that's a tough problem to address across organisations. Because for example in Ideagen internally, we're an organisation with a global spread. And it's just difficult to work out, you know, people can go and sign up for these applications. And that's a big problem, because they're not governed. They're not auditable. People don't know what's going on.
Stephanie Jones 3:05
Absolutely. And I think that's a good point Jason, you don't know what you don't know. So it's hard to sometimes even be aware of these different applications and not having that visibility, it can be difficult.
I also think that it's something that is very much outside of a normal internal audit. So normally an internal audit, you have a very well known plan, and you can figure out where to go. And if these are unknown areas, then it makes that more difficult. So along that same line, what do you believe are some of the most pervasive examples of this business model disruption, and how do you think technology is enabling it?
Jason Webb 3:47
I refer back to what I said earlier about applications, but it's the SaaS model that businesses are moving to – this software as a service – where I sign up, I pay a few bucks a month type thing for the service, and it's really useful to me. I’ve rolled this across the board; across the organisation. But again, there's no oversight on this. These things are done behind the back of IT, and behind the back of any regulatory or corporate governance. Therefore, they're not visible.
So, it’s these disruptive companies come into the marketplace, we use new technology thinking ‘that would be really good’. So as a business manager, I think ‘that's really useful to me, it will enable me to work in a better way’. So it's disrupting the way we do business. But internal audit hasn't quite caught up yet. That sounds a bit harsh, but there's simply a lot going on. And business managers could sign up these things with the corporate credit card, and I'm done. And it's costing us $20 a month for my few people to use this major piece of software. But, where's my data going? You know, and what's going on with the software, who can see it and all those sort of fun questions that internal audit like to ask but people don't have good answers for. And it's you know, a lot of this the SaaS stuff has been enabled by the cloud and the explosion of the cloud.
So Microsoft, Google, Amazon, or those sort of people are also giving internal audit problems, because it's a case of, you know, what standards do you obey; are you obeying, I think it's SAS 70, or whatever. Amazon will let you go to the data sets and check where your data is, it's meaningless to them because they have a global spread. So it's much more difficult to get a handle on how people are handling your data and what they're doing with it.
The other part of this disruption is quite a subtle one. It's what we call BYOD, which is bring your own device. For example, I have my iPhone here, I connect to the corporate network, how is that controlled? Now Millennials are entering the workforce and Gen Z, I think it is, coming in as well. They have their own ways of doing things. They're very much the Instagram and the Tinder culture. And that's very disruptive to businesses, they move a lot quicker than we do, their work-life balance is different to the way that businesses are currently run, in most cases, particularly large businesses working in regulated environments.
So it's very disruptive to them that get staff coming in disrupting the status quo, not because it's wrong, it's because they're passionate about what they do. They care about the corporation they work for, and they want to make change. Now, sometimes uncontrolled change is not a great thing for organisations, because it can cause problems for regulators, when the regulator turns up and says, ‘Why are you doing this? What have you done?’ The answer is a shrug of the shoulders. That's not acceptable.
Stephanie Jones 6:39
Absolutely, that's a good point. And I think that some of these companies that are more established some of the incumbent businesses that have been around for a while - there are disruptors coming into their marketplace with brand new technology, and maybe the incumbents have technology that's a little bit older or a little more experienced, and are now up against some of these incumbents that you know, come in just from scratch. So they're coming in with newer technology, you know, the incumbent has the experience and the reputation and things like that, as well.
And you're exactly right, the millennials and those that are entering the workforce, you know, which direction will they be most interested in? So it becomes different. What do you think are other big challenges facing incumbent businesses when they're competing with these newer, maybe technology-based disruptor companies?
Jason Webb 7:41
The incumbents are often slow to adopt new technologies due to processes internally. And that's not always a bad thing. Again, it's about oversight and governance of what's going on in the organisation. If you have no clear vision from above about what to do with new tech, then you have a problem.
I'm a techie by trade – if I see a cool piece of technology, I want to go and play with it. Okay, I'm not always thinking about the ramifications of technology, whether it's ethical, whether it's regulatory, or whatever. It just looks cool - I'll go play with it. Machine Learning - case in point.
At Ideagen we have a good business case for leveraging Machine Learning to assist our customers. Other companies don't; they just kind of throw Machine Learning at the wall and see what sticks. And that's a bit of a problem, because machine learning has ramifications for things like, you know, again, ‘what are you doing with my data’ – in Europe there’s GDPR. And the appropriate standards in the US, say in California. And it's going to cause friction with the organisation, as the old guard says, ‘well, this isn't good enough’. And the new guys are coming in and saying, ‘we want change, we want it now. We don't want it in three months time when you've ticked all the boxes, we want it now.’
And it's also - we have a sea change in technology from very much on-premise IT – which is again, well controlled – to the cloud-native applications which are deployed nowadays, which are much more freeform and much more mobile and liable to change. So it's, again, it's about change management, how you address that in organisations.
Stephanie Jones 9:18
Absolutely. I think that's a good point about the cloud-native versus on-premise. From my experience in internal audit, and I've been in the business since 2000. Over the past 20 years, there’s been a lot of changes. And the biggest most recent change, especially around internal audit software, is previously many internal audit departments did not want to use any software other than on-premise. And we're definitely seeing a shift in that. And that cloud-native allows - and having that technology really allows - other things like you mentioned AI and Machine Learning and Robotics Process Automation. It's just more difficult to put into place quickly and efficiently when the software is on-premise. But luckily, it seems like the industry of internal audit is beginning to shift as well. It might be a little behind the times, but certainly I'm seeing that shift. Are you seeing that shift as well, Jason?
Jason Webb 10:21
I am. I work in industries such as defence and life sciences, who are very much centrally controlled organisations. They're extremely paranoid is possibly the right word about security and where the data is going, because they work in highly regulated markets. But they're changing the way they work. They're actually moving data into things like Microsoft's Office 365, into Google Cloud, into Amazon's cloud, social things. So, people are actually changing, there is a big appetite for this within organisations where they want to limit the amount of infrastructure they have internally, and move to the cloud.
So an example is Life Sciences - there's very much incumbents who work on-premise, but the cloud guys have eaten them alive, okay, the market has irrevocably changed. And that was a big change. Five years ago, I always said that wasn't going to happen, but it has. And it's been embraced by all the big players in life sciences. So there is definitely appetite for change in modern organisations. And often it comes at the speed you don't quite expect, people are willing to say, ‘let's go for it.’ And nothing bad has happened. You know, they still have that level of control. They have that level of auditability, which they need to show the regulators. Particularly in Life Sciences, where, if you ignore the FDA, you know, your drugs don't get done. So, I think people like Microsoft and Amazon have actually changed the rules for us, which is a good thing.
Stephanie Jones 11:53
Yeah, absolutely. And I think one of the challenges that incumbent businesses face in addition to everything that you mentioned, but one of the things is, how do companies maintain their earnings and their core business while funding this innovation?
I saw a quote recently from Netflix, and someone there said that many companies fail to look for new things because they're afraid to hurt their core businesses. And I think that's very much true, even aside from technology. And speaking of Netflix, I remember, back in the day, I was an early adopter of Netflix and what it used to be Jason, I don't know if you know this, or was a part of it. But it used to be that Netflix, their business was DVDs, and you would have one DVD subscription or a two DVD subscription. And when you were done with your DVD they would mail it to you, you would look at it, and then you would send it back, that was Netflix. And then they then became a mainstream of course in streaming technology. So their core business completely changed still in the same industry, probably more of an adjacent market. But now you know, we all know Netflix. It's mainstream completely now, but it's because they weren't afraid to look at an innovative way of doing things.
Jason Webb 13:18
Exactly. Interesting stat for you. Netflix still send I believe 2 million DVDs a month out in the US.
Stephanie Jones 13:26
Perfect! So not everyone changed. But yeah, that is an interesting stat. I didn't even know that they still offer that. But I did use to get my Netflix DVDs. Now I just turned it on my smart TV, right?
Jason Webb 13:39
Exactly. I think that the Netflix have an interesting problem about pivoting here because they've pivoted to streaming and they do own the streaming market, you know – ‘Netflix and something’ is a phrase that people regularly use. They're now trying desperately to get away from the DVD shipment because it costs them money. So it's a strange turn about.
Obviously, we've now got people like Apple and Amazon now piling into this market because it's extremely lucrative, you know, everybody paying those 10 bucks a month fees for streaming is great. Spotify changed music overnight. So these pretenders have come along, obviously Amazon and Apple have unique amounts of muscle and marketing ability that small companies lack. But, you know, there's always the ‘next best thing’ to come out of Silicon Valley and some of the things coming in are intriguing. Particularly in things like the Machine Learning space and those sort of things that it's democratising a lot of these technologies out to businesses that couldn't normally afford it. I mean, data scientists are going to cost you probably 100k a year to employ if you're lucky - if you can get hold of one - depending on where you are for example in the US and Europe. These people are very expensive, and they're you know, there's simply not enough of them. So, a lot of the skills that we need in house aren’t available. But people like Amazon and Microsoft and others have these things set up, you can go in, business managers can go and press buttons, we're good to go now. So the rules have changed.
And this can help businesses pivot if they want to pivot, you know, or set up these innovation tribes, I think is the phrase to use within the companies to actually change the way that companies innovate. So it's set out for companies within companies to actually work cross functionally across organisations to make these changes. And that needs to come very much from the top of the organisation, you know, Ideagen, I know, I've got support of the CEO, and CTO and CTO, and CMO all sat behind me going, ‘we need to do this, these are the things we're interested in, we'll do them.’ And that level support you need in business to make effective change.
Stephanie Jones 15:51
Definitely, we're lucky here at Ideagen, because we have an innovation department in a research department that you yourself lead, and some companies may not have that. And if they don't have the ability, you know, to fund innovation like that, then maybe a company can acquire an innovative company. And that of course, there's risks associated with that. And you need a clear integration plan and all those types of things as well. So businesses, I think, can come at it different ways. But I do like that we have our research department here.
Jason Webb 16:23
Yes, it’s not all playing with robot dogs.
Stephanie Jones 16:27
Darn it, there goes that picture! Okay, so how do you feel that internal audit can offer support to businesses, as businesses look at these digital initiatives, or maybe this kind of disruptive technology?
Jason Webb 16:41
I think the key thing for me is helping define boundaries for data. Okay, data is one of the key intangible assets the business has, and it's the way you actually control that. I don't mean we're talking centralised control over the data, it's managing that data inside and outside the organisation. So it's managing the data inside and outside the organisation. And that's a key point here - what's acceptable? And this comes back to, you know, helping your staff thinking, that's a core set technologies, we can go and use the app, we can go and work in this way. And that's acceptable – it’s dealing with the organization's attitude to risk. If you’re working in say, an insurer who’s been going for 300 years, then your attitude to risk will be very different to a startup in insurance which is going to be going for three months, and then want to disrupt the market and your appetite for risk - they've got nothing to lose, the startup, the incumbent that’s been going for 300 years has a lot to lose. Its prestige, its corporate cultures, all those sort of things that tie organisation together that could go bad. So it's helping to find those boundaries.
The other thing is helping people understand the risks in things like cloud native apps, and these platforms, things like that. It's kind of alluded to what I said earlier is the old standards for say data centre compliance, which I mentioned earlier - you can't audit Amazon on that, they won't let you. Okay, if you're deploying first into US government, you might be deploying it into the secret cloud, we have no visibility of that, we're not the right people to do. It's very difficult to have that level of control and auditability of your applications. But it can be done. A few high level processes and a few frameworks to help people actually understand what they can and can't do will help tremendously. And if there's an exception, that can be dealt with, but it's managing those exceptions - setting the ground rules, managing exceptions.
The other thing is back to things like ML, and AI initiatives, which a lot of companies are starting to kick off now. Although some organisations have a very poor story to tell with ML, as I said earlier, throwing machine learning at the walls, see what sticks. Some companies have a really good attitude to this. So back to the insurers, for example, they need to understand the model they’re generating for risk and actuarial models. So, you know, if someone's going to live in this particular state, what their chances of having a car accident. Okay, we can compute that. We generate the models, but we need to know why. Okay, it's not acceptable to say to the customer, ‘we're not going to insure you for this risk. Because the computer model says we're not going to insure you.’ You need to have a deeper understanding what the inputs are and what the outputs are. And that's a tricky thing for internal audit to do. That's what specialists, but it is doable. Okay, as these models grow over time, we need to take a step back and say, is this useful? There's quite often a human will say, ‘I don't understand why you made that particular reason.’ And that's when internal audit needs to take a step back and say ‘no, this isn't right, and we looked at the models, we look at the inputs, we look at the outputs, and we either overexposed or underexposed, we're actually turning away revenue here because we don't understand what's going on, because computers won't tell us.’ And that's where internal audit will have a key role to play - actually policing those models. And it's not an easy job, but it is a very useful one for organisations. Because if you're driven by these models, and you have no common sense, you're not applying the core rationale. So the override is actually no, in this particular state, there might be incidents of accidents are higher, but the computer is not recognising that, or it might be lower than normal. 
And the computer needs to understand that there's other things affecting this. And that's when internal audit have a key thing to play. Because they're people, they understand. They have a broader understanding of just other than the mathematical models.
Stephanie Jones 20:54
Right, absolutely. And just asking those questions – ‘do we know how our business can be disruptive?’ I don't think it's up to internal audit to determine whether strategy is right, for example, but I completely concur that what internal audit can do and what they do bring to the table is assessing the processes and the inputs and the models that led to that chosen strategy or that, you know, that business decision so completely agree that it's the inputs where internal audit can really bring some value.
So, what questions do you believe that Chief Audit Executives need to ask themselves to make sure that their internal audit team is fully equipped to deal with these risks around digitalization, disruptive technology and innovation?
Jason Webb 21:47
For me, it's embrace SaaS, control it. Okay, set the ground rules up to what's acceptable to internal audit. Because when the business turns around to internal audit and says, ‘what's going on here?’ You have an answer. You know, you’ve set the rules up, if somebody is violating the rules, and you've gone looked at it, then we can deal with it appropriately. You know, that organisation shipping data to China? Why? What's going on here? So, if you've worked in the US Federal environment, for example, that anything going via the Far East is probably a no-no. So it's setting those rules up to get the business managers to do a little due diligence here, rather than just saying, ‘yes, I’ve ticked the box. Yes, I've ticked the box, I've signed up, I've now committed the organisation to an onerous set of standards here that I can't comply with. So basically, I've signed us up for something we can't deal with. I've ticked the box in the agreement that says, you can send all my data wherever you like.’ That's not acceptable. Okay. So it's setting those ground rules up for internal audit to say, we’ll help you here, we want to be parties to this so we know what's going on. So when somebody kicks off a new initiative, you’re kind of there at the start, and say, ‘these are the rules - okay, I don't understand this, can you get more information, please.’ It's basically controlling the SaaS migration as businesses move away from on-prem.
It’s also making sure that when you sign up to cloud SaaS providers, they have a basic set of standards. So, if you mandate that for GDPR, then the organisation can ship your data off, where it shouldn't be. And we're good to go. Okay, if that's your basic standard, that's okay. But it's setting these basic ground rules, I think it's important. And also working out what external parties have access to your data. So, my data is in the cloud, well, which bit of the cloud? Who has access to it? All the cloud is is other people's computers. That's really all it means. So it's all about working out where everything is, which is an unenviable task because I don't know any more, corporate governance don't know any more – internal audit needs to help actually just set the rules up.
Stephanie Jones 24:06
Absolutely. And I think that that's some really good points that you brought up - as an internal auditor, you know, the internal auditors want to be considered as a trusted adviser to the business. And as these new processes are coming in place, is internal audit prepared to really advise on the design of those controls that need to be in place for those systems? Not to be responsible for the controls, because that will always remain with the business. But is internal audit prepared to give advice on the design of the new systems put in place.
And I think the other thing that you mentioned that is very relevant is that these innovation projects and these new things that are coming up, do they still have good controls? I think it's easy to become and fall victim to becoming a little more lax in the control structure when something is brand new. But like you said, there's still things that you can do, looking at the internal controls of a third-party system, for example, or a third-party application. There's always things you can look at. So, you know, not giving inappropriate leeway, and things like that. So, all these innovation projects, just like all the established projects and processes that exist to the company, they all need to have that good control structure in place.
Jason Webb 25:30
Yes, you know, otherwise, you'll run your business off a cliff that you're not expecting. So I think you hit the nail on the head, Stephanie, it's all about internal audit being there as a trusted advisor. And that's what we need, you know, we're not expecting you guys to be policemen. But we need to ask for advice on what's acceptable. So as a business, we want to come to internal audit first to ask the questions, so we don't run into trouble later.
It's all about being a good corporate citizen here, you know, we want to make sure we do the right thing. I don't want to have the CEO banging on my desk saying ‘we’ve got a data leak here’ internal audit go, ‘we didn't know.’ And with basic controls in place, that's okay. It's the software engineering term we use is MVP, which is minimum viable product, you know, what's the minimum viable standards we need to apply and controls, we need to apply to this to make it work. It will change over time. But that's okay. Part of this process is it's all about change. Very, very dynamic. So things could change continuously. And it's not just embracing the SaaS model, it's embracing the organisational change that we’re going through. Turning to internal audit and saying, ‘we need you guys' help here. What can we do to make this better?’
Stephanie Jones 26:53
Well, Jason, thank you so much for all of your insight into this topic. I certainly appreciate it. Any closing thoughts before we wrap this podcast up?
Jason Webb 27:04
Change is coming. Internal audit being there as a trusted advisor is the key thing here, but obviously internal audit need to get up to speed with the SaaS model, I think is the key thing here and application not being owned by the company anymore.
Stephanie Jones 27:19
Absolutely. Definitely an exciting time to be in internal audit. And I'm seeing more change with companies with internal audit. And the challenge will be of course, and the opportunity will be to embrace that change. And, you know, let it take all of us into the future. So thank you, Jason, for your time today. Thank you for all of your insight. I learned a lot. And I appreciate you being here. And with that, thank you everyone for listening to this podcast. Bye!