As an experienced professional who has worked with pharmaceutical, medical device, financial service, government, retail and hedge fund organizations, it did not take me many years to realize that audits and assessments were largely manual, tedious and intensive activities. In the past, some of the biggest names used sophisticated and custom governance, risk and compliance (GRC) tools such as ServiceNow and RSA Archer for auditing, compliance management and risk assessments. However, the overall effort or cost to perform and carry out audits remained the same or even increased in some of these cases.
What had been introduced was a semidigitalization of effort and data. For example, ServiceNow has a vendor management module with an interesting feature that conducts supplier assessments, but the number of hours that it took to complete one vendor assessment was hardly reduced before and after the installation of the GRC software. Moreover, the tool stored information and data from the previous couple of years, but that data was not being used to generate insights into vendor assessments or internal audits.
It is not surprising that despite having a dedicated team of certified audit personnel and layers of data and commonalities, many organizations have not solved the problem of the cost and dynamics of an audit team. We hear a lot about fintech, regtech and suptech, but it is time that we start looking at audit tech. Imagine a field (such as audit tech) that combines domain expertise with technologies of today. The output of such an endeavor would increase the meaningfulness of audit reports and reporting insights. As of 2021, a few mature, data-driven approaches have been tried and are on the rise (such as audit analytics). The main driver for most of these organizations is to use analytics to improve audit quality and increase the meaningfulness of audit outcomes. Bank auditors can extract large amounts of encrypted client data and analyze it for outliers and inconsistencies. For example, during security operations center (SOC) audits, an auditor can determine if there are segregation-of-duties errors by identifying combinations of user logs.
Another application under the audit tech umbrella would be to perform text summarization during auditing; this could be based on the questions asked by the auditor, the extraction of information using keywords or the search for those keywords in the audit evidence documents and images. This could be called the “Audit Bag of Words” and be used to identify and convert subjective, unstructured content into structured data, which could be applied to an efficient machine learning classification system. Such an implementation could help auditors easily classify documents that are compliant to a certain regulation.
We could also use neural networks and natural language processing (NLP) models for audits. The application of long short-term memory cells (LSTM) to learn from past audits—both internal and external—creates many opportunities. For example, if we were to feed both internal and external audit findings into a neural network model to learn and train from it over a period of time, we could easily identify our top areas of improvements—whether it is maintaining a quality management system (QMS) as per International Organization for Standardization (ISO) 9001 or updating certain operational processes such as corrective and preventive actions (CAPA) management.
The possibilities of using NLP, AI and machine learning techniques in the field of auditing presents an opportunity to focus on tasks that drain the auditor’s efforts and concentrate on how to improve the audit outcome (for external audits) or audit quality (for internal audits). Audit tech and the application of machine learning and AI will soon revolutionize the auditing field and enable auditors around the world to embrace regulatory and compliance changes faster than ever before.
Editor’s note: For further insights on this topic, read Shini Menon’s recent Journal article, “How Can AI Drive Audits?” , ISACA Journal, volume 4, 2021.
Don't forget—Members can earn free CPE from ISACA Journal quizzes!