00:00:02 The IIA
The Institute of Internal Auditors presents All Things Internal Audit Tech.
00:00:06 The IIA
In this episode, Mike Levy sits down with Ribu George to get practical about one of the most significant shifts underway in internal audit right now, the automation of IT controls.
00:00:17 The IIA
They talk through where this shift is happening, what use cases are proving their value, and how internal audit can lead the conversation rather than wait for the business to figure it out first.
00:00:30 Mike Levy
Hey, everybody.
00:00:30 Mike Levy
Welcome to the All Things Internal Audit Podcast.
00:00:32 Mike Levy
My name is Mike Levy, CEO of Cherry Hill Advisory, and I'm joined by Ribu George.
00:00:36 Mike Levy
Ribu, would you like to introduce yourself?
00:00:38 Reebu George
Well, nice to talk to you, Mike.
00:00:39 Reebu George
My name is Ribu George.
00:00:40 Reebu George
I'm the Deloitte Energy and Resources and Industrials Internal Audit Leader.
00:00:45 Reebu George
I'm excited to talk to you about IT automation today.
00:00:47 Mike Levy
When you think about IT controls automation, talk to us about some of the things you're seeing in the industry and the marketplace.
00:00:52 Mike Levy
What are clients telling you about?
00:00:54 Reebu George
The biggest thing that we're seeing is that the technology and innovation has just excelled at levels that we've never seen before.
00:01:02 Reebu George
And so what you're seeing is organizations that are now SaaS-based, or you can have automated data pipelines, et cetera.
00:01:08 Reebu George
And as you think about those new risks and those new areas of focus, it's a much faster pace than we're used to.
00:01:14 Reebu George
You know, you think about us as auditors, we're used to this annual testing and coming in as auditor.
00:01:19 Reebu George
But I think it's time to shift.
00:01:20 Reebu George
And our organization is now thinking about how do we do more continuous auditing?
00:01:24 Reebu George
How do we think about this in a more strategic way and cover off on risk that is just not done annually, but now continuous throughout the entire cycle?
00:01:31 Mike Levy
So when we think about automation, what does that exactly mean to you?
00:01:34 Mike Levy
Is it, are you hearing mostly around data analytics type of implementations or AI or something else?
00:01:41 Mike Levy
How do you get to the continuous automation?
00:01:43 Reebu George
It's the all of the above approach.
00:01:44 Reebu George
I don't think it's just one way of doing it.
00:01:46 Reebu George
In the old days, we would think of analytics as the approach for more continuous auditing, but there's so many great tools out there and you think of the rise of agentic AI, there's a lot more opportunities to think about this at the scale that's needed at the enterprise level.
00:01:59 Reebu George
So what I'm seeing in my clients primarily is
00:02:01 Reebu George
it's not just internal audit talking about, hey, how do we automate control tasks?
00:02:06 Reebu George
It's the control owners.
00:02:08 Reebu George
And what needs to mirror up at this point is, hey, we have these great organizations that are going at a pace of speed that we're not used to, but they're also not considering controls the way they need to.
00:02:18 Reebu George
And so this is where us as auditors really need to change the conversation and talk about risk along the way and be the strategic advisors that we can be.
00:02:26 Mike Levy
I've been really optimistic by some of the conversations we've been having, because I think over the last year, the conversation has shifted very significantly.
00:02:34 Mike Levy
Because if you talk to internal auditors about a year ago, and I think to your point, things are moving at a very rapid pace.
00:02:41 Mike Levy
People were still just sort of dabbling and trying to figure out.
00:02:43 Mike Levy
And in just a short amount of time, when you look at internal audit's digital transformation journey, to your point, I mean, there's been so many new tools that have been out and the tools that have been released have advanced in such a fast and sophisticated way.
00:02:56 Mike Levy
You're starting to see even the smallest of internal audit teams develop use cases that are changing the way that they perform their work.
00:03:04 Mike Levy
When you think about
00:03:06 Mike Levy
some of the projects that you've worked on and some of the things you're hearing about, what are some of the use cases that you've been encountering?
00:03:11 Reebu George
Let's stay with the theme of IT controls on this one.
00:03:13 Reebu George
I think more broadly there's so many use cases that we can take this out, but the simple things are just termination testing.
00:03:21 Reebu George
The days of clients, us coming in annually and doing termination testing for 100% of the population,
00:03:27 Reebu George
IT is going and say, hey, why can't we do this more strenuously throughout?
00:03:30 Reebu George
If you have the rules that's needed, and you know the patterns of what we're trying to look for as a workflow as approvals, why can't we do this continuously throughout?
00:03:37 Reebu George
And so what I'm seeing the shift is not just what the auditors think about this, it's also the controller is thinking this way.
00:03:43 Reebu George
So key prime areas that I'm seeing more broadly, anything with user access continues to be a focus area.
00:03:48 Reebu George
So you think of your identity solutions that you have for either how a user gets added, how a user gets removed, thinking about user access overuse, those are prime.
00:03:56 Reebu George
right now to think about what you can do from an automation perspective to really streamline the process.
00:04:00 Reebu George
You think about user access reviews in general, the days when you used to get spreadsheets of users and somebody had to manually review that and somebody had to go through their own analysis.
00:04:10 Reebu George
Those tasks are now being automated in a way that makes more sense and making it easier for the reviewer to understand what they're really looking at.
00:04:17 Reebu George
So I think what I'm seeing the shift is in the second line and the first line and getting smarter and what they need to think about compliance.
00:04:22 Reebu George
It's up to us as the auditors
00:04:25 Reebu George
to come in and make sure it's set up the right way.
00:04:27 Reebu George
And that's where I get a little bit more research into what we do, because when we unpack that and we actually look at it, there's things that we always need to be thinking about from a risk perspective.
00:04:37 Reebu George
Are they covering on all the right users?
00:04:39 Reebu George
Are they thinking about the segues of how users are actually being added?
00:04:43 Reebu George
Those are different risk areas, but maybe the controller didn't think about, but if they engage internally and we're engaged as a strategic advisor, it's an opportunity for both sides to really add value for the organization.
00:04:54 Mike Levy
I think that's a really solid point because I think also when you look at internal audit functions, depending on the size of the function and the size of the company, everything from the smallest all the way through the biggest.
00:05:02 Mike Levy
And a lot of our audiences, it's a very mixed audience here.
00:05:06 Mike Levy
And how it gets implemented in some of those automation topics, those are the things that take so much time and they are so tedious and painful, both for management, for IT, for internal audit.
00:05:16 Mike Levy
And if you could streamline that process with an enterprise grade solution, I think that's great.
00:05:21 Mike Levy
I also have started to see, to your point,
00:05:23 Mike Levy
internal audit functions taking some of that into their own hands, even with their own testing approach.
00:05:27 Mike Levy
So where adoption has been a little bit slower within the business, they are then taking some of the data that they are receiving as part of the request and then automating their review of that process as it relates to IT controls automation.
00:05:39 Reebu George
And I think it's a key point.
00:05:41 Reebu George
We talked about having the enterprise having a digital strategy, but it's as important to have the internal audit team have their own digital strategy.
00:05:49 Reebu George
Think about how they want to do governance around that strategy and then making sure that they have protocols
00:05:53 Reebu George
to refresh that accordingly based on what they're utilizing in the enterprise level.
00:05:58 Reebu George
So when I think about that, there's so much of an opportunity or a white space for us as auditors to think about how we typically have tested in the past.
00:06:05 Reebu George
There's now opportunities for it really to automate testing in a way that's more substantively felt by the organization.
00:06:11 Reebu George
And so one of the things that we're doing and one of the things I see across industry is how our auditors are now equipped
00:06:17 Reebu George
to now look at standard IT controls, think about batch job monitoring, and think of it as an automated process versus going in sampling, like we would have done in the past, or thinking about things in change management where you have a rule-based workflow that's needed for it to be approved and making sure it's needed.
00:06:33 Reebu George
That's now just being streamlined in how we approach the testing.
00:06:36 Reebu George
And as auditors, I think just like your point is, the audit function is progressing their point of view, but it starts with a strategy of how we think we can continue to challenge the status quo.
00:06:45 Reebu George
And it starts with
00:06:47 Reebu George
starting with what is those routine tasks that we know that take a lot of time, and then working your way toward that methodology would you guys build great in your strategy to say these are the prime candidates for us to attack this year.
00:06:57 Reebu George
And then on that journey, I have a client that's doing a three-year roadmap for 42 controls that they're trying to automate.
00:07:03 Reebu George
And I can tell you it's a great strategy they're doing.
00:07:05 Reebu George
They're doing some of the more routine stuff, and they get into the more complex areas as they go.
00:07:09 Mike Levy
Where do you see, so if you walk into a new organization that's not doing any of this, one of the things as we go through some of these sessions, I always like to make sure that people feel like they walk away with tactical things they can take back.
00:07:20 Mike Levy
Where do I start?
00:07:21 Mike Levy
So where would you encourage an internal audit shop that's
00:07:25 Mike Levy
evaluating all of this, how do they get started?
00:07:27 Reebu George
And that's a great question because I think it's so important because for this audience in particular and more broadly, no shop is the same.
00:07:34 Reebu George
I've seen a five-person shop to a 100-person shop do it differently.
00:07:39 Reebu George
The one thing that's consistent is
00:07:41 Reebu George
start with what you think are the big rocks that you feel would make a biggest impact for your enterprise.
00:07:47 Reebu George
And say, what are those areas where your team is spending the most time, whether it's in auditing in a specific area?
00:07:53 Reebu George
And thinking about ways, is there an opportunity for automation?
00:07:55 Reebu George
Again, I always strongly advise, don't ever automate something that's broken.
00:07:58 Reebu George
If you know it's an area that had a big significant deficiency or some level of issues with it,
00:08:05 Reebu George
I wouldn't think they're prime.
00:08:06 Reebu George
I do think there's an opportunity there.
00:08:08 Reebu George
But I would start with things that you know are working the way it needs to and work your way up from there.
00:08:12 Mike Levy
It's funny just because, and we've known each other for a long time, but you actually taught me something years ago.
00:08:16 Mike Levy
It's that people process and technology too, right?
00:08:18 Mike Levy
At the end of the day, so many solutions are out there and there's so many interesting and exciting things, but it's a holistic approach.
00:08:24 Mike Levy
So you made the comment earlier about risk and controls.
00:08:26 Mike Levy
And I say this all the time, which is that if you have bad foundational process or elements and you haven't taken the steps to really
00:08:34 Mike Levy
understand those processes and you just try to put a solution on top, your output is not the same.
00:08:39 Mike Levy
So to your point, when functions start small, it doesn't have to be a monumental three-year enterprise project.
00:08:47 Mike Levy
It can also just be an individual IT auditor on the team starting to automate some of their workflows and process, but while they're doing that, working through the
00:08:55 Mike Levy
the process side of things too, so that it's all squared away.
00:08:58 Mike Levy
So I mean, I think that's a really good point in terms of how you build it.
00:09:01 Reebu George
Yeah, I'll add this one thing.
00:09:02 Reebu George
Right before the session, another CAE came to me right before this, and we were talking about what they can do to automate something that's on the process side around deals.
00:09:10 Reebu George
And the whole point of doing it is not because it's an area of risk for them, it's an opportunity for them because they see the volume of data, they're an oil and gas company.
00:09:17 Reebu George
Taking a step back and saying, how can I look at this more efficiently for the enterprise?
00:09:21 Reebu George
and really get more insights than just doing what we typically do from a sample base.
00:09:24 Reebu George
To your point, it is about starting with something that you think is tangible to start with and that would give good ROI, not just to the internal audit department, but also the broader enterprise.
00:09:33 Mike Levy
And when you think about some of the use cases that are out there, I mean, to your point, there are the bigger enterprise solutions that exist that can automate some of this in a continuous monitoring sort of approach.
00:09:42 Mike Levy
There's also...
00:09:43 Mike Levy
we have a lot of organizations out there that are using generative AI tools in a lightweight way.
00:09:47 Mike Levy
And I do believe that even if you're an individual auditor doing things with the right prompting of in a secure, obviously using your company approved tools and in a secure way, you can leverage some of these generative AI tools you're using to help you accelerate your process and start to automate things, even if it's the first step on a multi-pronged journey.
00:10:04 Mike Levy
So when you look at things and when you think about, you know, internal audit and the positioning, because we touched on that earlier today, earlier, the
00:10:12 Mike Levy
We are really uniquely positioned in this digital transformation journey that a lot of companies are on.
00:10:17 Mike Levy
We have this unique role going back to people, process, and technology, where we see a lot of different things.
00:10:22 Mike Levy
If you're an internal auditor looking to advise your organization, how do you make sure you have a seat at the table and sort of bring them, bring the company along on a journey to kind of kick this off?
00:10:30 Mike Levy
If you do want to put this in place.
00:10:33 Mike Levy
within IT and impact what management's doing and everything else.
00:10:36 Reebu George
That's the secret sauce, right, is being invited to the room.
00:10:40 Reebu George
And I think it's really earning that, not just in one meeting, right?
00:10:43 Reebu George
It's a systematic thing that you do throughout your internal audit life cycles.
00:10:46 Reebu George
How do you really add value that you're now being included in those conversations?
00:10:50 Reebu George
But on topics like this, it's coming with a point of view.
00:10:52 Reebu George
I think what internal auditors can do is show them different governance models that's out there for something like AI, like you were just talking about, and saying, what are we doing to introduce governance in what we're trying to do from an AI perspective?
00:11:03 Reebu George
And giving them a perspective of what we need to do at bare minimum to get coverage around some of the things that they're trying to automate.
00:11:09 Reebu George
I think the best success I've seen is bringing a point of view that is differentiated and they feel it's valued, helps you get in the door, but helps you sustain that relationship and helps you continue on their journey with them.
00:11:19 Reebu George
Because it's such an important piece of this is really adding value beyond just being in the meeting.
00:11:23 Reebu George
Sometimes we get so stuck in just getting invited, but then if you don't add the value, why would they call you back?
00:11:28 Reebu George
Right?
00:11:28 Reebu George
And so it's more important that you just have to make sure that you have the right mindset that you're bringing in and you have the right talent that you're bringing into those conversations.
00:11:35 Mike Levy
I think that's really well said.
00:11:37 Mike Levy
And we could probably do a whole another podcast on sort of the talent development side of this thing, because it's one of the biggest challenges.
00:11:42 Mike Levy
We talk a lot about assurance versus advisory projects within internal audit.
00:11:45 Mike Levy
And I think IT controls automation is no different than any of those conversations.
00:11:49 Mike Levy
But if we don't have the level of expertise and skill set on the team to really deliver the insights in a real-time way, I mean, why would they call us and ask us the question?
00:12:00 Mike Levy
When you think about
00:12:02 Mike Levy
examples where you've seen internal audit functions be successful at this, whether it's identification of automation opportunities or worked with the business or IT to help strengthen the control environment or some other transformation and initiative around IT risk and controls and their automation.
00:12:17 Mike Levy
Can you give us some examples of some of the things that you may have seen that have been successful?
00:12:21 Mike Levy
And if I'm listening to this, how do I deploy?
00:12:23 Reebu George
The way that I would start this is simple and easy ones that are prime for this is anything that's rule-based.
00:12:31 Reebu George
that continues to be a topic that we can look at differently.
00:12:36 Reebu George
So when I think about rule-based controls in the ITGC framework, you think about access controls, you think of something like batch job monitoring, you think about something like change management, those are the ones that are primed for this in just the ITGC space.
00:12:48 Reebu George
And I think that if you take a step back and say there's a plethora of controls that most organizations have in each of those areas, it's up to us as leaders to start thinking about, okay, what are these, which of these are primed?
00:12:58 Reebu George
Because not only is it because it's
00:13:00 Reebu George
Hey, it makes sense because you have termination, but do you really have the right processes in place?
00:13:04 Reebu George
And you know you've tested those processes consistently that they're primed for this.
00:13:07 Reebu George
So it's really one, making sure that you have a framework for the governance model of it, but also then baselining this every couple of years, like doing the manual test again to make sure there's no nuances.
00:13:17 Reebu George
The one thing I've seen, and this happened this past year to one of my clients, one of my clients applied an API to something they were doing, and they didn't realize that the automated control that they read for termination weren't working the way it needs to.
00:13:28 Reebu George
And it took them 6 to 12, six months to realize it wasn't pulling the way it needs to.
00:13:32 Reebu George
That led to a lot of additional work for that organization to think about how they get in front of us on a go-forward basis.
00:13:38 Reebu George
So it's just the answer is just not automation.
00:13:41 Reebu George
It's about automation plus governance equals a better process going forward.
00:13:45 Mike Levy
Yeah, I think that's spot on, right?
00:13:46 Mike Levy
As you've actually, that was going to be my next question, because I think there are some
00:13:49 Mike Levy
There's a lot of benefits and huge impacts, which is why organizations are endeavoring in this area.
00:13:54 Mike Levy
But if not controlled properly, whether that's from a governance, whether it's from an implementation, system development life cycle perspective, there's tremendous risk.
00:14:02 Mike Levy
I had once in my past, I had an organization implement an automation in the IT control space.
00:14:07 Mike Levy
And the way that they were deploying the data so that it was like a ETL process where they were loading information, they actually inadvertently gave the whole organization access to all of the data, which is like,
00:14:18 Mike Levy
which is a huge different kind of, you're trying to automate and streamline, but you actually created a whole another control risk.
00:14:22 Mike Levy
So, to your point, if you're part of internal audit and you're seeing your organization start to move forward in a process like this, what does that look like from a governance process?
00:14:34 Mike Levy
What do you typically see in terms of organization, both governance within the internal audit function, but then governance within the overall organization?
00:14:39 Reebu George
I mean, it's a mixture of both, right?
00:14:41 Reebu George
I think that there is a mixture of, hey, on the project team, being, having a seat on the table beyond just having a voice,
00:14:48 Reebu George
is then seeing if you could do the testing that's needed before it gets deployed.
00:14:52 Reebu George
And what I mean by that is making sure you understand the inputs and outputs of those controls, understand the governance that they put together, and really make sure that it's aligned to what you would have typically have tested manually.
00:15:02 Reebu George
And so in the first round, I typically try to make sure that I do a little bit of how would this have been if I tested this manually, and how does this compare now that I've done this automated?
00:15:11 Reebu George
What nuances am I seeing difference in data sets in what they're using, what I'm using?
00:15:16 Reebu George
And that's led to more of that, okay, consistently it's being run the way it needs to and give you the level of assurance for your auditors.
00:15:21 Reebu George
Because there's a piece of this for the internal audit function that, hey, it's going to streamline things, but you still need to get your external auditor through that journey.
00:15:28 Reebu George
And so for that to happen as well, you need to make sure you have good evidence of how you demonstrate that.
00:15:33 Reebu George
And so the best way to do that is still perform this manually while you're doing this automation transformation project you're trying to get done.
00:15:39 Mike Levy
I get really excited.
00:15:40 Mike Levy
So just even the concept of IT controls across the board, I get really excited when you think about
00:15:45 Mike Levy
No one gets excited thinking about terminations or just logical access as a whole, but I get really excited about this because I think it's a real-life, low-hanging fruit use case for some of these emerging technologies.
00:15:55 Mike Levy
And when you look at, and I guess you could probably say that those technologies have emerged, but when you look at some of the AI automation techniques built with analytics and to your point earlier around workflows, I think it's more ripe than ever if an organization has not started to disrupt that.
00:16:11 Mike Levy
that even if it comes from the internal audit function, I think there's a huge opportunity for it.
00:16:16 Mike Levy
When you're advising internal audit leaders within IT and they need to, there's always a bit of a sales process that happens with some of this because they need to make sure they are influencing that change within the organization.
00:16:28 Mike Levy
How do you coach them to be more successful at that?
00:16:30 Mike Levy
Because I think as internal auditors, we're not always used to being at the forefront of a, I always call it a sales conversation, but an influence conversation.
00:16:37 Mike Levy
We influence historically through
00:16:39 Mike Levy
observations in audit reports and then how management feedback is resolved.
00:16:44 Mike Levy
We're talking about something that's more forward-looking and proactive and preventative in nature, which sometimes I think is uncomfortable for internal auditors because they're not used to it.
00:16:52 Mike Levy
How would you encourage an internal auditor to endeavor in that conversation?
00:16:56 Reebu George
You said something in the beginning.
00:16:56 Reebu George
I think it was important.
00:16:57 Reebu George
The way you need to think about this
00:17:00 Reebu George
you're starting with ITGCs, but who's the owner of those controls?
00:17:04 Reebu George
It's typically IT.
00:17:04 Reebu George
And what is IT known for in that company?
00:17:08 Reebu George
IT is typically known for the cutting-edge stuff.
00:17:09 Reebu George
IT is the one that's really thinking of automation, thinking about things that we could do differently.
00:17:13 Reebu George
So there are easy process owners to really get alignment with when you go on this journey.
00:17:18 Reebu George
Because when you explain it in a way that, like you said, you need to sell the idea, honestly, it's within IT, it's a lot easier than it is on the process side.
00:17:25 Reebu George
It's when I get into the process that like, hey, does this make sense?
00:17:28 Reebu George
what's the ROI in this, et cetera.
00:17:30 Reebu George
But within IT, when they see the efficiencies that could be raised, it's sudden and impactful for them, because they know, like on a day-to-day basis, what they need to do for an audit in some cases, and what this could be streamlining for them as data owners, if they had the right level of access, if they had the right level of automation, the way that's needed.
00:17:48 Reebu George
So I always start with, hey, who is the owner of who you're trying to sell that product to?
00:17:52 Reebu George
And why would that matter for them?
00:17:54 Reebu George
And why would this value drive to another level for them if you were able to achieve this solution?
00:18:00 Reebu George
If you get that win-win conversation with any kind of conversation like this, it always comes down to the right time, the right leader, and the right message.
00:18:09 Reebu George
And if all those are aligned, you'll have a great product.
00:18:11 Mike Levy
Yeah, and I mean, to your point, I mean, just to hone in on it too, I mean, I think that it depends who you're talking to around why and how they
00:18:19 Mike Levy
derive the value from what you're doing.
00:18:21 Mike Levy
So if you're talking to a business owner, someone that's not an IT, but as a management owner, it's the what could go wrong is what you're talking about.
00:18:27 Mike Levy
It's like, here's what happens when you don't timely approve things and why we do this control.
00:18:30 Mike Levy
And that's always been a successful conversation, at least in making them or having them help understand why we're doing certain things.
00:18:37 Mike Levy
So Ribu, like we've talked about a lot of different things in the IT controls automation space.
00:18:41 Mike Levy
What else do you think our listeners should know about as they're endeavoring to move forward on this?
00:18:46 Mike Levy
I think when you think about this, what else keeps you up at night and where do you think some of the other topics they need to focus on are?
00:18:51 Reebu George
Honestly, for me, there's a couple of things that I think about.
00:18:55 Reebu George
When organizations rely heavily on screenshots and spreadsheets, it's prime for this conversation.
00:19:01 Reebu George
So think about your organization, think about where you guys are on that journey and to show that a control worked.
00:19:05 Reebu George
That's typically a signal that something could be automated.
00:19:08 Reebu George
The other thing I would say is just
00:19:11 Reebu George
It's a real shift happening within IT controls, and it's moving away from periodic compliance and to an opportunity to do continuous assurance.
00:19:18 Reebu George
And so us as the audit function, us as the internal audit function, and more broadly, needs to show up in a different way.
00:19:24 Reebu George
We can't keep doing the same procedures that we've done in the past and think we're going to get the same results as technology keeps on moving forward.
00:19:30 Reebu George
So it's up to us as leaders in the internal audit profession to continue that conversation with our leaders and make sure that we bring what we're going to be done differently to help our brand with the internal audit.
00:19:39 Mike Levy
Wonderful.
00:19:40 Mike Levy
So ultimately, making sure we are articulating both our value proposition and the value proposition of some of this change becomes critically important.
00:19:48 Reebu George
Absolutely.
00:19:49 Mike Levy
Thank you for your time.
00:19:50 Reebu George
Thank you.
00:19:52 The IIA
For those looking to go deeper into IT controls and earn CPEs, our IT general control certificate program is available online and in-person.
00:20:01 The IIA
Participants can earn 20 CPE credits and receive both a digital badge and a certificate upon completion.
00:20:07 The IIA
To learn more and register, you can find the link in the show notes of this episode.
00:20:13 The IIA
If you like this podcast, please subscribe and rate us.
00:20:16 The IIA
You can subscribe wherever you get your podcasts.
00:20:19 The IIA
You can also catch other episodes on YouTube or at theiia.org.
00:20:23 The IIA
That's T-H-E-I-I-A dot O-R-G.