Robots are having a growing influence on organisational practices and this dynamic is of great interest to internal auditors and compliance professionals who examine the impact of these technologies on organisational objectives, risks and controls. But they are also of interest because there is a growing concern that the jobs of auditors and compliance professionals are at risk as the work is being replaced by machines. In fact, the Chartered Institute of Management Accountants (CIMA) found in a study that the work of accountants and auditors has a 94 percent probability of computerisation. Is there still a role for humans? Can we still add value?
While looking recently at the COSO Internal Control-Integrated Framework (IC-IF) I wondered if machines could “reasonably” use the Framework to assess organisations, or if human involvement will be required for the foreseeable future to perform these reviews.
So, there are two overarching questions:
- In which aspects of COSO IC-IF will robots be most adept at replacing humans? and
- Are robots at a certain disadvantage when attempting to replace humans?
It is widely agreed that robots are faster and more accurate than humans when it comes to performing mathematical calculations, identifying gaps, finding outliers, and spotting trends in data sets. After humans prepare key performance indicators (KPIs) and key risk indicators (KRIs), computers can calculate those and identify anomalies much faster than any human can.
But how might robots perform if they had to assess an organisation using the COSO IC-IF?
Let’s examine each component and see how robots might do compared to humans.
Control Environment
This is where we, as humans, have the best chance of beating the robots and preserving our jobs. There are many cultural and soft-skills elements required to effectively assess this component and determine if the measures in place are achieving the goals of demonstrating commitment to integrity and proper values, enforcing accountability, ensuring competence, and making sure there is proper oversight. Also embedded in this component is the review of the appropriateness of the organisational structure and the assignment of authority and responsibility. These are topics that robots may struggle with for a while, as they are laden with subjective elements. In general, the Control Environment depends heavily on governance, context, organisational maturity and employees’ perceptions and opinions that help to give shape to corporate culture, all of which are difficult topics for machines to grapple with.
Risk Assessment
The board and management set the objectives for the organisation and identify the risks to those objectives, so these are purely human tasks. But once established, robots can take over quantifying and analysing the degree to which goals are being achieved and the risks that threaten the achievement of these goals. Machines clearly win at data analytics. But humans are needed for the qualitative aspects of risk assessments. There is probably a tie when it comes to assessing the risk of fraud, because it takes a human (thinking like a fraudster) to identify schemes that can be researched. But artificial intelligence (AI) and machine learning (ML) are quickly becoming capable of identifying the anomalies that raise red flags. By crunching massive amounts of data, machines are already demonstrating they are a formidable threat, and helper, to auditors and compliance professionals. Lastly, when it comes to identifying and analysing significant changes affecting people, processes and systems, robots still depend on humans for instruction and guidance.
Control Activities
Computers execute control activities based on instructions programmed into them, but humans are the ones who develop, select, and implement all manual and automated controls. When it comes to policies and procedures, some ML and AI tools are now collating and generating news feeds, writing articles and correcting papers, and it is relatively easy to search databases for samples of policies and procedures that organisations need and can implement. So, machines can now technically “write” policies and procedures themselves. However, humans still need to map those documents to the reality on the ground where the work gets done. The result is that computers can produce semi-finished policies and procedures related to Travel and Entertainment (T&E), Accounts Receivable (AR), Accounts Payable (AP), Inventory, Fixed Assets (FA), Purchasing, Shipping, Contracting and Payroll, among many others. As business process automation (BPA) takes over more activities in organisations, the design part of control activities will remain with management and the board, but programmers and machine learning algorithms will make sure robots do the work in increasingly automated ways. So, for control activities, machines are rapidly taking over the task of regulating processes.
Information and Communication
We already have an abundance, if not an excess, of data. The term Big Data comes to mind. The challenge is making data relevant and transforming it into useful information to guide the organisation so it can correct its course when needed and verify that stated objectives are being achieved. Sifting through volumes of data is one thing computers are very good at, so once they’re told what is important and what is not, they beat humans easily. Management sets authorisation levels, timelines and deadlines for dissemination, and formats for the presentation of the information, but after that is done, computers will compile, organise, draw and disseminate the information internally and externally. When we add the role of exception reports and process-flow routing triggers, computers can even determine what is to be displayed and who should see what, make recommendations, and even make changes. Imagine, for example, the links between forecasting, purchasing, inventory management and warehousing, sales and shipping. Many aspects of these activities can be linked and automated through information flows, communication parameters and resupply triggers. So, for Information and Communication, machines are also capable of replacing a large percentage of human involvement.
Emerging technologies are a real threat to traditional internal audit and compliance activities. RPA, AI and ML will replace many activities currently performed by people, but humans will be needed for a while longer to review key aspects and perform a comprehensive COSO-based assessment of organisations. We will be able to add value but must remain vigilant and update our technical skills to leverage computing power appropriately while we provide the service and support that machines cannot provide. The COSO IC-IF provides a good illustration of how internal auditors and compliance professionals can continue to add value in an increasingly automated world but must adapt to this new reality.