2023: Internal Audit of Non-Financial Organizations in Russia: Development Status and Trends
On December 21, 2023, it became known that the Association "Institute of Internal Auditors" and the company "Technologies of Trust" ("TeDo") conducted a joint study on the current state and trends in the development of internal audit of non-financial organizations in Russia for 2023. Heads of internal audit services (hereinafter referred to as IAA) of Russian non-financial companies from various sectors of the economy took part in this year's survey.
As reported, the study considered the use of modern technologies, including automation of IAA operations, as well as the use of data analysis tools. The study showed a number of trends in the development of internal audit practices related to IT.
Despite the general trend towards digitalization and automation of business processes of organizations of all sectors of the economy, 25% of respondents noted that the IAA does not use technological solutions as of December 2023.
Among the 75% of respondents who reported using technological solutions in IAA activities, the most popular (52%) were data extraction and analysis tools other than MS Excel (e.g. ACCESS, SAS, SAP, SQL, Python, etc.), in second place (46%) were data visualization tools (Tableau, Power BI, QlikSense, etc.), and in third place (32%) were in-house developments (for example, scripts) for the automated execution of individual audit procedures.
"The use of tools other than Excel is required in cases where there is no suitable standard report in the information system, when you need to get raw data from the source and process it. If the standard reports contain everything you need, then Excel is enough. When complex calculations are required, and especially when they are regularly repeated, more complex tools (such as Python) help," said Pavel Nagornov, Director of Internal Audit of PhosAgro PJSC.
Hayk Karamyan, Director of Internal Audit of PJSC VimpelCom (Beeline), is confident that the heads of internal audit should focus on constantly expanding the data analytics toolkit, as well as on improving the skills and qualifications of internal audit employees in this direction.
Process Mining is used by 12% of respondents, GRC solutions - 8%, RPA (software robots) for audit procedures - another 8%.
Varvara Solodilova, Head of Analytics, Innotech Group of Companies, notes that in 2023, in terms of automation of internal audit processes, the demand for solutions using artificial intelligence increased, but the usefulness and effectiveness of the use of AI technologies remains debatable and requires careful preparation for full use.
"The use of technology solutions by internal audit depends on the specifics of the company and the level of its digitalization, as well as on the structure of the internal audit plan. For example, solutions such as RPA are applicable in cases where the audit plan contains standardized audits from year to year with a large number of routine operations, often related to the collection and initial processing of information. In contrast, the use of SQL is typical for non-standard analytical tasks on well-structured data. Another interesting observation is that the use of Business Intelligence systems (such as SAS or PowerBI) by auditors may indicate active interaction of the IAA with management in the framework of providing consulting services. It can be assumed that under international sanctions, the use of proprietary systems by auditors (including Microsoft brands) will steadily decline in favor of open source software or proprietary developments; this trend is already visible now," commented Vasily Chesalov, Risk Management Manager, Internal Control and Audit Department of AvtoVAZ JSC.
"Despite the emphasis on "fashionable" tools, we lack the basic tools for automating corporate governance. We are talking about data visualization, but there is no necessary data. We are talking about automation using processing, but there is not even a list of processes. My opinion is that it is necessary to first organize and automate the basic functions of corporate governance. There should be a database containing controls, processes, risk types, key risk indicators (KRIs) and measures, which can then be expanded with "fashionable" tools. For example, there should be a centralized register of controls, dates and results of their execution; then you can use BI-based visualization to process this data quickly and efficiently," said Denis Belyaev, CEO of Technologies and Business (Technologies. Automation. Business, TAB).
42% of respondents noted that in the next three years they plan to start using data extraction and analysis tools other than MS Excel, 37% plan to start using process analytics, and 37% plan to develop their own scripts for automated execution of individual audit procedures.
According to Polina Suslova, Head of Information Systems Implementation at Quadrium-Sistema, although these technological tools are not directly designed to generate profit for the organization, they make it possible to optimize the quality and transparency of internal audit processes, to digitize, and to reduce audit costs and risk losses, including through preventive detection of deficiencies and accelerated response to identified violations.
Varvara Solodilova, Head of Analytics, Innotech Group of Companies, comments that a driver for implementing automated solutions for IAA tasks can be more efficient identification of areas for optimization in the organization's processes: the GRC system helps to optimize the involvement of the first and second lines of defense in risk analysis and the transparency of information, and helps to identify relationships, which makes it possible to ensure the completeness of information and obtain better conclusions. Collaboration of the three lines of defense in a single tool is one of the sources of faster implementation of changes.
Among the 25% of IAAs that do not use technological solutions, 2/3 do not plan to implement them in the next 3 years. Respondents indicated the following main reasons why IAAs do not apply or do not plan to apply technological solutions in their work:
- Insufficient level of automation of processes in the organization to ensure the effective use of such tools (71%)
- Insufficient internal audit budget to acquire/develop such tools (41%)
- Insufficient level of competence of internal auditors to use such tools (41%)
- Non-obvious possibilities of using such tools compared to the costs of their implementation and use (35%)
- Poor data quality in the organization's information systems, preventing effective use of such tools (25%)
Nikolai Shumilov, head of the internal audit department of the Mangazea Group of Companies, emphasizes the problem of insufficient automation of processes in many Russian organizations (including construction companies), namely the absence of digital traces of audited processes (paper document flow). In addition, there are problems with disparate storage of information sources and non-integrable databases. According to Nikolai Shumilov, this is the main reason why IAAs do not use technological solutions in their work.
"Insufficient automation of business processes and poor data quality really hinder the use of technological tools and optimization of internal audit efficiency. In our experience, the use of technological solutions does not necessarily face budget constraints. For example, a combination of SQL and proprietary scripts (for example, in Python) does not require additional costs and has sufficient flexibility and power to solve a huge number of problems. Using such tools requires a certain level of competence, but the necessary skills can be grown inside internal audit in a reasonable time, within 1-2 years," said Vasily Chesalov, Risk Management Manager, Internal Control and Audit Department, AvtoVAZ JSC, sharing his own practice.
Pavel Nagornov, Director of Internal Audit of PhosAgro PJSC, agrees with colleagues that the main problem in organizing a continuous audit is the lack of a data archive, especially in systems related to production, and clarifies that as of December 2023, the process of import substitution of software is ongoing everywhere, and auditors need to keep a "finger on the pulse" so that when updated systems are implemented, their requirements for the quality and completeness of data are taken into account.
Indeed, for the efficient use of data and processing tools, it is critical that data and processes are digitized, depending on the overall maturity of the organization's IT systems. Nevertheless, beyond the boundaries of neural networks, robots, data analytics and processing, there are also such seemingly more "boring" and "non-technological" solutions as automation of IAA workflows, tracking the implementation of corrective measures, and managing audit projects. Such automated systems do not require IT competencies from auditors, but at the same time they are "root," forming an ecosystem and a single environment for the interaction of internal audit, internal control services, risk management and management of the organization. The value of such automation tools is to reduce risks, increase the amount of detections, completely monitor the implementation of recommendations, and constantly develop and improve the work of the IAA.
"I think the main problem of the lack of funding for IAA or the effective use of tools is the low level of knowledge of corporate governance at the management level, and the knowledge of the boards of directors and the executive body is critical. We see even in leading universities that a small part of the course is allocated to the tasks of corporate governance, and in some educational institutions it is absent altogether. Independent directors do not know what risk management, internal control and internal audit are, do not know how to read the relevant statements, and do not require any execution at the level of the executive body and heads of divisions. In my opinion, first we need to concentrate on the development of risk culture, integrate it into corporate governance, and provide internal training and certification courses, and technological tools can only help in putting emphasis on some technologically oriented responsible persons of organization management. First, you need to focus on simple, low-cost technology tools that help the internal audit service do its direct work," said Denis Belyaev, General Director of Technologies and Business (Technologies. Automation. Business, TAB).
Data analysis tools are mainly used by IAA to check purchases (71%), inventories (46%) and accounting, management accounting and reporting (35%). 15% of respondents do not use data analysis tools other than MS Excel. About 1/3 of internal audit services use a data analysis tool to perform continuous audits.
Polina Suslova, Head of Information Systems Implementation at Quadrium-Systems, confirms that automation tools can optimize efficiency and expand the scope of continuous audit: for example, they can form ready-made interactive dashboards for prompt analysis of information, and identify deviations from the specified target values, anomalies and negative trends for observed business processes and attention zones that are included in the monitoring perimeter of the internal audit service.
"With organized internal control, there is no need to focus on specific operational processes, devoting more time to corporate governance and the company's activities as a whole. For procurement, there may be more internal control procedures or automated tools at the management level, but this should not affect the scope and tools of the IAA. Most likely, the statistics demonstrate a direct indication by management of the focus of the internal audit service on specific operational processes. I believe that this trend should be broken by placing appropriate control on the "first" and "second" line of defense. Personally, my expectation is that the list of processes should include emphasis on corporate governance processes, and not directly on operational activities," added Denis Belyaev, CEO of Technologies and Business (Technologies. Automation. Business, TAB).
About half of respondents (48%) indicated that the IAA does not use specialized software for internal audit purposes, which is comparable to the 2021 data. The share of use of proprietary software has increased - as of December 2023, 17% of IAAs use it, in 2021 - only 7%.
At the same time, 61% of the respondent companies that do not use special software for internal audit do not plan to implement it in the next two years. According to Pavel Nagornov, Director of Internal Audit of PhosAgro PJSC, the need for such software arises with geographic dispersion of the team and a large number of personnel.
Alexey Chernyshev, AVACOR Product Director of Digital Design, confirms that, based on practice, significant growth in automation projects in the last 2-3 years, i.e. the start of use of specialized software by those internal audit services that have not previously used it, is not observed.
"This growth is much more pronounced in the implementation of risk management software. Large internal audit services began to automate processes a long time ago, and in many services the corresponding solutions have been in operation for several years. But this does not mean that nothing is happening in the field of automation of internal audit service processes - on the contrary, in the past year and a half, the process of import substitution of the solutions of departed or departing Western vendors with Russian ones has been very active. We are witnessing an explosive increase in the number of Russian solutions for automation of corporate control services, and as of December 2023, it is Russian products that are the means of "first choice" for those who plan automation," said Alexey Chernyshev, AVACOR Product Director of Digital Design.
Specialized software is mainly used to monitor the process of correcting comments and implementing recommendations based on the results of audits (38%), issuing auditor's papers (34%) and storing auditor's papers (34%). Only 25% of respondents use annual planning software and 28% use audit planning software.
Varvara Solodilova, Head of Analytics, Innotech Group, shares experience in automation of internal audit processes: a comprehensive GRC platform allows you to automate all key internal audit processes - long-term planning, planning of inspections, management of methodological documents, conducting inspections, developing and monitoring recommendations, recording working hours, conducting surveys and self-assessments, managing risk implementation events, managing ESG and business continuity.
According to Vasily Chesalov, Risk Management Manager, Internal Control and Audit Department, AvtoVAZ JSC, the company previously used Team Mate software to plan and control audits, but despite the positive experience of use, it is not planned to introduce specialized software in the near future in connection with sanctions risks.
Due to the departure of foreign vendors, the demand for the creation of modern domestic software for internal audit services has sharply increased. According to Denis Belyaev, General Director of Technologies and Business (Technologies. Automation. Business, TAB), large consulting companies until 2022 preferred to work with foreign vendors, but the situation has changed dramatically and by December 2023 they are actively sharing their experience to create really serious standard domestic solutions. TAB itself plans to produce a widely available solution using modern technologies, including artificial intelligence, in the spring of 2024.
Polina Suslova, head of the implementation of information systems at Quadrium-Systems, notes that in recent years, management has also focused on the task of calculating the cost of the internal control and internal audit function, for the implementation of which a request for software arises. It is necessary to accumulate and systematize information on the costs of conducting an internal audit, allocate labor costs for subjects and audit tasks, calculate the cost of measures to eliminate identified violations and control the effect of the measures taken on the risk level (to what extent the cost of risk and the level of losses after the measures taken).
Vladimir Serkin, head of the internal audit department, PJSC VimpelCom (Beeline), is confident that modern internal audit functions (especially in large companies) can no longer be based on selective testing, because it is time-consuming and not effective. In this regard, it is advisable to invest one-time labor and financial resources in the development of employees, the purchase of software, the hiring of specialized data analysts in order to transfer the work of internal audit to the tracks of automation and continuous inspections using data analytics, which in the future will optimize efficiency.
Sixty-five internal audit services from different sectors of the economy and of different scale of activity (except for the financial sector) took part in the survey. 45% of the companies participating in the survey are public joint stock companies. The full text of the study is available on the website of the Institute of Internal Auditors[1].
2020: 58% of financial institutions do not use specialized software to automate internal audit management
The Association "Institute of Internal Auditors" and the company PwC conducted a joint study of the state and trends in the development of internal audit in Russian financial sector organizations for 2020. In 2020, heads of internal audit services (hereinafter referred to as IAA) from credit and insurance companies and other financial institutions took part in the study. The findings were compared to the 2018 results of a similar study. The Institute announced this on December 25, 2020.
The study examined the use of technologies, including the automation of the IAS, as well as the use of continuous audit and data analysis methods.
The study showed a number of important trends in the development of the practice of internal audit of financial institutions related to IT.
Despite the trend of digitalization and automation of business processes of organizations of all sectors of the economy, including the financial sector, which has taken hold in the last decade, more than half (58%) of the surveyed IAA heads of financial organizations said that they did not use specialized software for automation of internal audit management by December 2020. This indicator remained at the level of 2018 (also 58%).
Among the remaining 42% of respondents, the most popular (30%) was the use of proprietary software for the purpose of automating internal audit processes compared to boxed products.
At the same time, the share of respondents using proprietary software for the purpose of automating internal audit processes increased from 21% to 30% compared to 2018.
Other software options noted included MS Excel, intra-group tools, Aware, and products that are under development as of December 2020.
It is interesting to note that among respondents who use specialized software for internal audit, the overwhelming majority (96%) noted that such software is not integrated with the risk management system used in their organization. According to Maria Kedrova, Director of the Internal Audit Department, Renaissance Insurance, the most effective tool is the use of an internal audit management system in conjunction with an automated risk management system. Such an integrated system (for example, GRC) allows you to identify new/recurring risk events online, and to track and update the change in the level of risks inherent in the activities of both an individual department and the company as a whole. Based on the system data, management can take prompt response measures to prevent risks, avoid similar losses and reduce the negative impact on the company's performance.
The respondents also shared plans to automate the management of internal audit. It is curious that the most popular was the answer that specialized software for automating internal audit management is not planned to be implemented within the next 1-2 years (43%). For comparison, this figure in 2018 was 73%. Just over a third (35%) of respondents find it difficult to answer this question. And only 22% of the surveyed IAA managers plan to introduce specialized software in the next 1-2 years. At the same time, among insurance organizations, about 44% of respondents plan to introduce such software, while in credit institutions - only 25%.
According to Natalia Tsangl, head of the internal audit service of the leasing company PJSC TransFin-M, deputy director of the Banking Institute of the Higher School of Economics, the majority of respondents do not use specialized software because of the limited budgets of the IAA. At the same time, there is an increase in the number of respondents who realize the need to use such software and plan to implement it in the near future.
In addition to automation of IA management, an important aspect of internal audit automation is the automation of individual procedures that services perform both as part of inspections and on a regular basis. It is in this area that there is significant potential to improve the efficiency of the IAS, increase risk coverage, improve the quality of auditors' observations by moving from selective verification to a complete analysis of the entire array of audited data, the speed of detection or even prevention of possible errors and inconsistencies.
According to the survey data, more than a third (37%) of all respondents from IAAs of financial organizations do not use audit automation tools as of December 2020. Moreover, among insurance organizations, the share of respondents who do not use such tools is 45%, and among credit organizations - 35%.
[Figure: Tools for automation of audit procedures used by IAA of financial institutions]
Marziyat Mamalaeva, Head of the Internal Audit Department, Alfa-Bank JSC, shares the experience of the division she heads: the use of process mining during internal audits makes it possible to identify, for example, steps/stages of the audited process with deviations from the declared process (including "freezes") and find opportunities for their optimization.
Interestingly, automated tools for conducting a continuous audit are still not actively used by respondents - only 11% declared their use in their activities.
[Figure: Audit automation tools used in credit and insurance institutions]
Despite a significant proportion of respondents (37%) who do not currently use audit automation tools, most of them (63%) replied that in the future (on the horizon of 3 years) they do not plan to start using such tools.
Only a little more than a third (37%) of respondents are considering starting to use data extraction and analysis tools other than MS Excel, continuous audit or process mining.
According to Andrei Dalinenko, Director of the Internal Audit Department of PJSC Rosbank, in the context of mass digitalization of document management and the general growth of electronic data, effective tools for extracting, processing and analyzing data are a necessary and normal part of the professional life of the internal auditor, rather than something desirable but optional. Such promising areas as data visualization, automated data processing using algorithmic programming tools, data science and process mining open up huge opportunities to improve the quality and depth of internal audits. Of course, the development of this area requires both the support of the company's management with the allocation of the necessary investments, and the involvement of dedicated specialists in the internal audit team with the simultaneous development of the necessary culture and competence among the auditors themselves.
[Figure: Audit automation tools to be used in the next 3 years]
It is interesting to understand the reason why IAAs are not yet ready to automate their audit procedures. Answering this question, the majority (67%) of respondents, as a key reason, indicated an insufficient budget of the IAA for the acquisition and/or development of such tools. Also, many (40%) respondents noted as one of the reasons the insufficient level of automation of processes in the organization to ensure the effective use of such automated tools.
It is worth noting that the same proportion (40%) of respondents consider the advantages of using audit automation tools not obvious compared to the costs of their implementation and application. Only a small proportion of respondents (13%) indicated the insufficient level of competence of internal auditors to use such tools as the reason why their IAAs do not plan to use tools to automate audit procedures.
According to Anna Sukhova, head of the internal audit service of RGS Bank, due to the progressive growth in computerization and digitalization of the business, as well as taking into account the shift in focus on digital interaction with the client, as of December 2020, the ability to work only with data spreadsheets is not enough. It is necessary to improve the skills of working with digital information in order to independently receive an independent and objective result of its processing.
It is very curious that none of the respondents indicated the poor quality of data in the information systems of their organizations as one of the reasons why it is not planned to use audit automation tools.
Natalia Tsangl, head of the internal audit service of the leasing company PJSC TransFin-M, deputy director of the Banking Institute of the Higher School of Economics, is confident that in the future the need to use tools to automate audit procedures will only increase, so internal auditors will have to seriously think about their use. The business environment is becoming more complex, more competitive, general automation and information security are more in demand. Requirements for internal audit will also grow. Providing a quick, clear and high-quality audit result, the unconditional assistant of which can be automation tools, is the main competitive advantage of IAA.
Notes
- ↑ The official website of the Institute of Internal Auditors: https://www.iia-ru.ru/inner_auditor/issledovania/