Technology Risk And Its Impact On Internal Audit

KPMG


Introduction

In the context of the rapid digital transformation across Saudi Arabia and the fast-paced global developments in technology, particularly in artificial intelligence (AI), this paper examines the implications of technology for internal audit and highlights common concerns, with a focus on the Kingdom.

The future of internal audit is envisioned as a move away from manual documentation and testing towards a technology-driven approach that leverages AI. However, with the ever-evolving nature of the business and internal control environment, internal audit practices need to adapt to ubiquitous changes. These include rapid technological advancements and evolving regulatory landscapes, and adapting to them is needed to provide reasonable assurance over the control environment. By embracing technology and adapting practices, internal audit can remain a critical partner in organizational success.

This paper will discuss various risk factors that technology poses for internal audit practice within Saudi Arabia. It will provide a walkthrough approach to addressing risks that are core components of the Kingdom's digital transformation program, namely data privacy concerns, use of big data, cloud computing and AI. We will explore the impact of technology on internal audit practices and the emerging challenges and disruptive opportunities they bring for the internal audit function in both the near future and the long run.

Technology risks for internal audit

Technology drives change, causing disruption across various levels and controls. With disruptive change, many risks come to the surface, having a direct or indirect effect on internal audit.

With the significant influence from technology, the profession's regulatory framework has been extensively reshaped to address the emergence of technology-driven risks. This includes an increased need to adapt to technology and its evolution within the enterprise environment, while maintaining a high level of integrity and governance in the assurance services it provides.

Technology helped reshape modal structures and core processes, and this changed the way things are done.

What worked in the past no longer works today, as technology's repercussions have been pervasively implemented to reshape matrices and workflows in a systemic manner.1 While technology places internal audit at the forefront of many novel risks, the main risk it has is internal auditors not knowing enough about technology itself.

With an exponential leap into the digitalization of workflows and process mapping, internal auditors are not only concerned with adding value through risk assessment, but also preserving value by ensuring ethical considerations and proper controls are implemented amid fast-paced workflow changes. Therefore, internal auditors need to possess a thorough understanding of the management's direction and dynamics of the organization's industry to not only provide assurance on controls effectiveness and operational efficiency but also weigh the impact that any risk from technology may have on the long-term objectives.2

This shift has fueled numerous entrepreneurial initiatives and family businesses from and across the internet. Even established businesses and banking institutions are embracing online models, with some going fully digital.3

In today's digital age, as businesses increasingly operate through digital platforms, they rely heavily on technology in the enterprise architecture and solutions they offer. This digital shift has led to a significant amount of corporate and personal data being used, processed, and stored online. As a result, leakage of non-public and material information has become a primary focus for regulators seeking to protect the public from cybercriminals. Data privacy – which is heavily exposed with technology systems such as servers and cloud storage – is something internal auditors are on guard for.4

A constant need exists to address data security concerns.

In the case of most emerging technologies, core process variables are enabled through the sharing, storage, and use of data online, on public networks. Without appropriate controls and safeguards, the data can be accessed by unintended and unauthorized users.

The concern grows with technologies such as the Internet of Things (IoT), where in some instances the entire ecosystem is accessed remotely whilst peripherals and devices store data. Another technology that presents challenges is AI with its use of open data platforms, which the government has identified as a priority topic because of the threat to data privacy on such platforms.5 As many AI platforms rely on Large Language Models that use vast open data sources, private information and sensitive data, such as biometrics saved digitally, can be tampered with and improperly used. This poses a significant risk to personal data privacy – a concern that internal auditors rightfully uphold.

In light of national efforts to safeguard the Kingdom's information and communication technology infrastructure and storage systems, new laws have been introduced to support these initiatives.6 Internal auditors therefore consider this factor to ensure that organizations operating under Saudi legislation abide by such regulations. For example, Saudi-owned data must be stored on cloud services that are not remote, but physically located in the Kingdom. The strategic vision is in its implementation phase, with giga-projects integrating emerging technologies, like Alibaba Cloud establishing a presence in the Kingdom mainly for establishing hosting servers as a step to protect Saudi data from any breach or potential information leak.7

Authorities are more than ever committed to ensuring a proper data retention system, and internal auditors are ensuring organizations fully comply with this aspiration. The type of data to be covered by automation, the rights and privileges to access data, and the intended purpose of information are all parameters in place to protect users and corporations from the use of data in unintended contexts or motives. This is in congruence with AI being integrated in megaprojects and its implementation set in giga-projects like Neom, where visionaries seek to integrate robotics and AI into every aspect of citizens' lives. AI is needed for this, as it would allow the Saudi state to leapfrog industrialization and shortfalls in state and institutional capacity.8

Information technology plays a growing role in modern auditing.

For instance, the extent to which technology is used across multilayered processes within an organization, compared to the maturity of its IT control environment, may also suggest a risk for internal audit. This connection is explored through recently conducted research, which is facilitated through Computer-Assisted Audit Tools and Techniques (CAATTs). The logical paths and relations established through the gathering of empirical data suggest that for work processes that are highly integrated with technology and automation-enabled, a high CAATTs usage can yield positive results where its application can be effective. One might highly expect IT-knowledgeable internal auditors to rely less on CAATTs; however, research suggests this is only true when the application of CAATTs is not as effective.9

By default, most AI-based software applications currently in use follow a predictive AI model and are based on human-inputted algorithms and data. Few technologies in use rely on generative AI (GenAI), which may potentially "think outside the box" and offer groundbreaking solutions. Although it is quite novel, SDAIA issued guidance for using, analyzing, and implementing generative AI, proposing principles for responsible use and presenting recommended practices for both Government and Public use.10 Internal auditors, at their own discretion, need to understand which type of technology is being used to adequately address the drawbacks it has, as well as knowing which guidelines and measures are meant to be relied on as reference material.

Nevertheless, internal auditors are still unable to fully limit the aftermath that technology may cause or even, ultimately, predict how best to address it. Although internal auditors use technology as a tool to deliver their mandate, the systems they currently use are not technology-smart and are still people-driven. Major applications are archiving systems only, used by internal auditors as tools to shape up, organize and process data. This implies that optimal efficiency has not been reached in leveraging big data with self-running engines to enable continuous monitoring and proper integration of data analytics in the overall automation process of the internal audit activity. Currently, the software that is used largely consists of tools to extract and access data rather than intelligent AI-powered solutions.

In the following part, experienced internal auditors will offer a walk-through trajectory. They will focus on the main hurdles encountered and the key learnings gained while delivering the mission of internal audit in a transformational work environment. This stance acknowledges that the internal audit practice is undisputedly affected by technology's impact. It emphasizes the need for internal audit to cope with the variations, enhancements and implementation driven by the digitalization movement.
