00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit Tech.
00:00:06 The IIA
Carrie Blakeman sits down with Marco Horvat to discuss how audit committees should rethink internal audit's role amid disruption, data proliferation, and rapid technology shifts.
00:00:17 The IIA
From hidden risks and shadow AI to authority versus accountability, they unpack how boards can navigate change, embrace scenario planning, and prepare for the next disruption with confidence.
00:00:31 Carey Blakeman
Marco, thanks for joining us today.
00:00:34 Marko Horvat
Well, thanks for having me, Kerry.
00:00:36 Marko Horvat
I'm excited to be here, and it's really interesting to have these conversations to make sure that...
00:00:42 Marko Horvat
as we're building the top levels of our structures, that they're adaptive, right?
00:00:46 Marko Horvat
And that they're also reflective of the changing environment.
00:00:49 Carey Blakeman
So our big question that I'd love to start off with is how should audit committees rethink internal audit's role as disruption and new technologies reshape governance?
00:01:00 Marko Horvat
I think it's important to first think about how are these environments evolving.
00:01:03 Marko Horvat
So like what are the challenges that these internal auditors or these internal audit committees are facing?
00:01:08 Marko Horvat
And one of them is obviously the pace of technology.
00:01:11 Marko Horvat
So we know that the big elephant in the room is generative AI and just AI in general.
00:01:16 Marko Horvat
And to give you an idea as to how that pace of technology has affected us, Netflix took, I believe it's like five years
00:01:24 Marko Horvat
to reach 1,000,000 subscribers.
00:01:27 Marko Horvat
ChatGPT-3 comes out in November of 2022, and they reach a million subscribers in like, or a million users in like 3 months.
00:01:36 Marko Horvat
So the pace and adoption of technology is something we've never seen before.
00:01:40 Marko Horvat
But it's not just the pace of technology, right?
00:01:42 Marko Horvat
We see this longer trend in terms of information flowing.
00:01:46 Marko Horvat
Everybody wants to be a data-first organization.
00:01:49 Marko Horvat
Data is going to help us win the day.
00:01:51 Marko Horvat
And just the volume and pace of information
00:01:54 Marko Horvat
that's flowing through organizations now, something we've never seen before.
00:01:57 Marko Horvat
So being able to sift through it, understand not just the signal from the noise, but new risks and new opportunities that are emerging is something that's incredibly difficult, just given just not only the volume, but the pace of the flow.
00:02:10 Marko Horvat
And then finally, just the way we work has fundamentally changed.
00:02:13 Marko Horvat
So distributed workforces, tech-enabled work models,
00:02:18 Marko Horvat
Even this recent return to the office thing, which seemed to have caught fire earlier in the year, but seems to have fizzled out, like even when we returned to the office, we're returning to a fundamentally different office than the one we left.
00:02:30 Marko Horvat
So the entire environment is changing around them.
00:02:33 Marko Horvat
And I think it is really important that we don't just go through the same paces as we think about things from an audit perspective.
00:02:40 Carey Blakeman
Even though we all know and are living them, they're good reminders that there are very big things that happened in the last four to five years that do make the risk look different.
00:02:51 Carey Blakeman
So I'm wondering what your thoughts are on those risks, kind of thinking of it from a data exposure in this digital first world.
00:03:00 Carey Blakeman
What are risks that you see are emerging
00:03:03 Carey Blakeman
that especially internal audit should highlight to the boards or to the audit committees, but then also thinking from an audit committee's perspective, what should they be thinking of that then they could talk maybe to their internal auditors about.
00:03:17 Marko Horvat
There's the external risks, which I think we've all kind of heard about, right?
00:03:20 Marko Horvat
And then there's also like internal risks, just the fundamental functioning of the organization.
00:03:25 Marko Horvat
The external risks are things like taking care of your proprietary data, making sure that your IP is protected, trade secrets don't get leaked out, et cetera.
00:03:35 Marko Horvat
That is incredibly important.
00:03:36 Marko Horvat
So understanding what tools people are using, how they're using it, what are risk tolerances,
00:03:42 Marko Horvat
with the proper guidelines we have to make sure that those sort of mission-critical proprietary data points don't get released out into the wild.
00:03:51 Marko Horvat
And then thinking about what are the scenarios that we sort of deploy in the event that something like that happens, which we'll get to a little bit later in this podcast.
00:04:00 Marko Horvat
But I think the other risk that I think doesn't get thought about enough, and you and I have had conversations about this sort of in our other interactions, is this notion that
00:04:12 Marko Horvat
as technology comes in and new information is generated, the way we work has changed and sort of who's responsible for what and the span of control people have over the information and what people do with that information has fundamentally changed within organizations.
00:04:26 Marko Horvat
You take process X, which in the past had like five people and they all produced like the same sort of standard report or whatever.
00:04:36 Marko Horvat
And that report goes up to their manager who checks it for accuracy.
00:04:39 Marko Horvat
And
00:04:41 Marko Horvat
That model has kind of been turned on its head because people are leveraging AI and other tools.
00:04:46 Marko Horvat
So now instead of five people, let's say there's like three people.
00:04:49 Marko Horvat
And instead of those three people being in the same office, they're all over the world.
00:04:52 Marko Horvat
And the generative models they're using for their first passes at things are all similar, but slightly inconsistent.
00:05:01 Marko Horvat
And now they themselves are exposed to information that they've never been exposed to, and they're generating data and conclusions that traditional role hasn't, right?
00:05:10 Marko Horvat
So thinking about it from those terms and the idea of who's responsible for the data, who's responsible with information, who has access to what, and who's affected by the sort of the shifting boundaries in terms of where people work and how they work and what they deal with is something I think organizations really need to consider.
00:05:31 Carey Blakeman
Even again, internally, we've been thinking like the responsibility of data and those risks and who oversees it.
00:05:37 Carey Blakeman
And I know, like you were saying, and when we talked before, audit committees are just, their remit is expanding what feels like probably daily, weekly of what does an audit committee oversee, what does a risk committee oversee, if there is a separate risk committee.
00:05:54 Carey Blakeman
So thinking through that, especially with your experience and the many people you've talked to and worked with,
00:06:01 Carey Blakeman
What are some of the hidden risk or different things that people may not be thinking about, but should be?
00:06:09 Carey Blakeman
And what would you recommend that they do or think through so that data isn't misused or are there ungoverned processes that they should be thinking about?
00:06:21 Marko Horvat
On its most basic level,
00:06:23 Marko Horvat
what we're trying to figure out is that whole sort of spectrum of authority versus accountability.
00:06:28 Marko Horvat
And ideally, we want to match those things up so that the person that has authority over things is accountable for them.
00:06:34 Marko Horvat
And there's good things and bad things with how business is evolving, right, with regards to technology.
00:06:40 Marko Horvat
On the one hand, you see organizations becoming more flat, right, which means that people are more involved and more engaged in the overall business.
00:06:47 Marko Horvat
But then those lines of authority and accountability get blurred a little bit.
00:06:51 Marko Horvat
And then you have situations where people are doing work where they're not held accountable to the outcomes and people are held accountable to outcomes where they're just sort of the end result of all this stuff that happened before and they don't have any influence into it.
00:07:04 Marko Horvat
So how do we mitigate it?
00:07:06 Marko Horvat
I mean, there's a lot of challenges that add complexity to it.
00:07:09 Marko Horvat
The fact that we are becoming increasingly more digital and distributed and nomadic in terms of like where we work, how we work,
00:07:16 Marko Horvat
people are multi-device.
00:07:18 Marko Horvat
So that's the other thing.
00:07:20 Marko Horvat
Controlling the operating environment that people work in is much more difficult.
00:07:22 Marko Horvat
And the other thing too is within most organizations, there's probably a fairly significant shadow AI, shadow IT sort of culture that exists.
00:07:35 Marko Horvat
And so how people can get ahead of it is just sort of embracing it.
00:07:39 Marko Horvat
So I think if you have more transparency in terms of
00:07:43 Marko Horvat
what the clear guidelines are.
00:07:44 Marko Horvat
You have more engagement with the organization in terms of setting those guidelines so people clearly know what's in bounds, what's out of bounds.
00:07:52 Marko Horvat
Because a lot of this risk is being developed because there just is no clear guideline.
00:07:57 Marko Horvat
Companies are not coming up with clear use cases or clear definitions as to what's acceptable and what's not.
00:08:05 Marko Horvat
And when people take their own agency to play in the gray is where people can potentially get in trouble.
00:08:12 Marko Horvat
So, my recommendations would be understand the environment, understand the complexity, understand how people want to work, make an effort to uncover how they're working now, and have a shared sense of governance and responsibility around what is acceptable throughout the entire organization, given the risk tolerance that the organization as a whole has accepted.
00:08:34 Marko Horvat
We recently worked with a client that's in the media industry, and we were doing this assessment for them.
00:08:42 Marko Horvat
And the leader of one of the leaders of the industry or within the organization was just absolutely certain that no one in their organization was using these Gen AI tools.
00:08:53 Marko Horvat
Because they talk about in the office and they talk about, oh, we're real journalists and real journalists write their own stuff and all that kind of stuff.
00:09:01 Marko Horvat
And then we kind of did a deeper dive into it and we found out that, yeah, there are some that were like, I won't touch it.
00:09:09 Marko Horvat
There's no way.
00:09:09 Marko Horvat
It's against everything I believe in.
00:09:11 Marko Horvat
We found 57% of the people in the organization were using Gen AI in some way.
00:09:20 Marko Horvat
They were dabbling it here and there, getting brainstorming with it.
00:09:25 Marko Horvat
But a lot of times, like I said, unless there's clear direction and an open, transparent discussion around it, not just in terms of the risks that we're taking on, but the benefits of it too.
00:09:37 Marko Horvat
I think you can have a deeper understanding of it and have a more honest conversation in terms of where does it fit in, how can we use it effectively, and how can we as an organization just have a shared point of view instead of this like cultural norm that people don't necessarily stick with in the shadows.
00:09:56 Carey Blakeman
That's a really great point.
00:09:57 Carey Blakeman
So to think through a little bit about how internal audit could advise on some of this, do you have any thoughts on that, just specifically with internal audit or things that you've seen work well with some of the clients you've worked with on advising the board or even working with management on especially that authority and accountability piece?
00:10:18 Marko Horvat
The first action would be making sure that they themselves are comfortable having those conversations.
00:10:27 Marko Horvat
Because oftentimes there is a lot of sort of comfort in the norm and adapting to a changing world, especially where you don't have the expertise into the direction where things are changing, can make people hesitant to sort of diving in.
00:10:46 Marko Horvat
And I think that's especially present in accounting and finance people, because how we tend to get promoted and take bigger roles in our organization
00:10:56 Marko Horvat
is by demonstrating hyper-competency.
00:10:58 Marko Horvat
It's like, I've got this.
00:11:00 Marko Horvat
I understand what it is.
00:11:02 Marko Horvat
I know the black and white in terms of the regulations, but I also know the gray because I'm really ethical and I have a principled way of doing work.
00:11:10 Marko Horvat
And when that is disruptive, sometimes people will double down in what they're most competent in and they'll just kind of shove that stuff to the side.
00:11:18 Marko Horvat
So I think, you know, step one would be embracing that discomfort and having an honest discussion
00:11:26 Marko Horvat
within the function in terms of like, hey, are we ready for stuff, this sort of thing?
00:11:29 Marko Horvat
Like, are we comfortable having a point of view and facilitating that discussion?
00:11:36 Marko Horvat
And I think that's the other thing too, is part of it isn't necessarily dictating to the organization what they should do.
00:11:44 Marko Horvat
It's really facilitating that conversation so that everyone has a broad understanding of what things should look like.
00:11:54 Marko Horvat
And then they come in behind that and ensure that what has been agreed upon or what is necessary, a regulatory prerequisite is followed.
00:12:04 Marko Horvat
So that would be sort of my recommendation.
00:12:07 Marko Horvat
I don't know if I specifically answered your question, but you know, that's what I'm thinking in terms of like how they can work with boards in terms of understanding this.
00:12:14 Marko Horvat
And they don't need to know all the answers, but they need to know how to have those conversations.
00:12:19 Carey Blakeman
I like the idea of thinking through changing or reframing the conversation to risk navigation away from maybe risk avoidance.
00:12:30 Carey Blakeman
I think a lot of times accountants or people in finance or internal auditors may be more risk averse and maybe sometimes humans just in general.
00:12:40 Carey Blakeman
But how do we think of it and lean into what would be appropriate and thinking of it more as like navigating risk?
00:12:48 Carey Blakeman
And so what are your thoughts around that?
00:12:51 Marko Horvat
So I think a lot of it has to do with, especially when it comes to sort of emerging things like this in organizations where if you have a purely risk avoidance sort of posture and you lean heavily into like regulatory guidance as your true North Star, I think you miss a lot of opportunity.
00:13:15 Marko Horvat
And also, in some ways, you could be inviting risk into your organization, because when compliance isn't clear or the risk really thought out, identified, and agreed upon within the organization.
00:13:28 Marko Horvat
So, like, if I have a regulation that clearly defines ethical uses or regulatory requirements or disclosure requirements or whatever, it's really, really easy for me to have that risk conversation with someone, because the rule says this.
00:13:45 Marko Horvat
When the compliance isn't clear, then we need to change the way we have those conversations around what are the guiding principles that we as an organization are following.
00:13:55 Marko Horvat
Sort of like the core values that we have, which sounds a lot like more squishy and not necessarily like as black or more white, but it's just kind of one of those things where failure to do that creates a lot of gray area and a lot of silence around
00:14:12 Marko Horvat
what people should be doing or how they should be thinking.
00:14:15 Marko Horvat
And when you have that kind of environment, it becomes really, really hard to figure out what people are doing, assign accountability, assign authority, et cetera, because people will fill in to that gray space, whatever they feel is most appropriate.
00:14:32 Marko Horvat
Now, we'll give people the benefit of the doubt, right?
00:14:34 Marko Horvat
Like, you know, I think most people are trying to do the right thing.
00:14:36 Marko Horvat
But they might not, especially as you go further away from leadership, they might not have as much visibility or insight in terms of what the true risk tolerance is, what are the true goals of the organization, those sort of things.
00:14:49 Marko Horvat
So lacking those conversations in terms of guiding principles, ethical use, those kind of things wrapped around risk so that the conversation is, oh, if we do this, we will get in trouble with regulatory body X.
00:15:04 Marko Horvat
Like that's an easy conversation.
00:15:06 Marko Horvat
The more difficult conversation is, hey, as we're navigating through this unregulated environment, it's really important that we don't lose sight of principle A, principle B, principle C, because that defines who we are as an organization.
00:15:19 Marko Horvat
And that's what's really, really important to us.
00:15:21 Marko Horvat
And so if you have any sort of conflict with that, let's have open discussions about it, anything on the margins, because that'll help us define risk tolerance
00:15:30 Marko Horvat
that affects us in a non-regulatory way.
00:15:33 Marko Horvat
And the other thing too is, I think what oftentimes gets missed in this balance is oftentimes when these proposals for change get put in front of us, it's all the upside, right?
00:15:43 Marko Horvat
All the great things that are going to happen, all the wonderful things that are going to do it.
00:15:47 Marko Horvat
I think focusing in on, you know, what is the cost of failure versus the reward of the success is a good way to frame it.
00:15:55 Marko Horvat
Because if it's a situation, for example, where it's like, oh, we're going to
00:15:59 Marko Horvat
bring in technology X, and it's going to increase productivity by Y percent.
00:16:05 Marko Horvat
So yeah, we'll bring in this new workflow, Kerry, and you're going to save 30 minutes a day on it.
00:16:10 Marko Horvat
But then the question needs to be asked, well, what happens when it goes wrong?
00:16:14 Marko Horvat
Okay, when it goes wrong, it's going to take us seven days to recover.
00:16:17 Marko Horvat
Is it worth it to save 30 minutes a day to have like this potential seven day catastrophe?
00:16:23 Marko Horvat
And then what's the likelihood of that happening?
00:16:25 Marko Horvat
So that just gives a deeper conversation in terms of not just what do things look like when they go right, but what do things look like when they potentially go wrong?
00:16:33 Marko Horvat
Is that risk worth it in the long run in terms of disruption?
00:16:37 Carey Blakeman
So I think as we kind of
00:16:39 Carey Blakeman
wrap up here.
00:16:40 Carey Blakeman
I really would love to hear your thoughts on what is one action that audit committees can take now to prepare for disruption.
00:16:50 Carey Blakeman
Hopefully people are preparing and have been preparing, but maybe think about it in a maturity, like if someone really hasn't, but also for those that you've experienced who have seen a lot, like how can they keep going?
00:17:04 Marko Horvat
The best thing to do is to scenario plan in your business.
00:17:08 Marko Horvat
What do things look like when things go well?
00:17:12 Marko Horvat
What do things look like when things go a little bit wrong?
00:17:14 Marko Horvat
And what do things look like when things go completely off the rails, right?
00:17:19 Marko Horvat
Because you want to remove yourself from that crisis thinking, you know, all the pressures that go in like, oh my God, like you'll be sometimes it's, there's so many actions to be taken can be overwhelming.
00:17:29 Marko Horvat
And you're probably not in the best mindset to be making the most efficient decisions.
00:17:34 Marko Horvat
So to the extent that you can scenario plan out, like what do we do if catastrophe X strikes us, right?
00:17:41 Marko Horvat
Like what do we do if we wake up tomorrow and everything is locked down because there was a cyber attack and now they want us to spend, like, I don't know, they want us to send like 100,000 Bitcoin to some weird place, right?
00:17:52 Marko Horvat
What do we do?
00:17:53 Marko Horvat
And you know, you can get more narrow in terms of scenarios as you become, you have more resources and you become more mature, but at a basic level,
00:17:59 Marko Horvat
It's like, what are sort of the rudimentary steps that we need to do when things go wrong?
00:18:04 Marko Horvat
So that when things go wrong, you're not wasting your time, at least on those first initial actions.
00:18:09 Marko Horvat
You're spending more time on the bigger problems that are in front of you, which could hopefully lead to better outcomes, mitigating the loss, getting back online quicker.
00:18:18 Marko Horvat
So that would probably be my best advice.
00:18:21 Marko Horvat
And then if you're going to do that, continuously assessing, because as we mentioned earlier, the environment around us is continuously changing.
00:18:29 Marko Horvat
So continuously assessing what those best actions are and just having a playbook of like, hey, basic ABCs, when a problem happens, these are the five steps that we do.
00:18:39 Marko Horvat
So you don't have to think about them and work on those bigger problems.
00:18:42 Carey Blakeman
That's great.
00:18:43 Carey Blakeman
We've been seeing scenario planning come up as in some of our research that people need to do.
00:18:50 Carey Blakeman
So I love how you talked about that and talked through it.
00:18:53 Carey Blakeman
So thank you so much, Marco, for joining us today.
00:18:58 Marko Horvat
Always a pleasure speaking with you, Carrie, and it's great to see the work that you guys are doing, helping people think through these increasingly complex and changing problems.