Executive Summary
Technology Audit strategy and planning are changing rapidly, driven by Innovation and modernization of Science & Technology. The way enterprises use technologies has also been transformative. With the advent of Blockchain, Artificial Intelligence, Machine Learning, and Robotics, disruptive technologies have significantly changed how consumers, industries, and businesses operate. These disruptive technologies have started several potential challenges for IT Auditors as they strive to provide independent and objective assurance and advice to their stakeholders.
This article focuses on how Technology auditors can transform challenges into successes to bring themselves up to speed with this rapidly changing science and technology innovation. It defines disruptive technologies such as Blockchain, Artificial Intelligence, Machine Learning, and automation. It also describes the challenges of auditing them and how Technology auditors can ask relevant questions and use COBIT to audit disruptive technologies.
Overview of Disruptive Technology
Disruptive technologies have innovative attributes that transform business processes, consumer habits, or enterprise products. Risk-taking organizations (innovators of technology adoption lifecycle) are typically the early adopters of disruptive technologies.
- Blockchain – This is the technology behind Bitcoin and other cryptocurrencies. For an enterprise, Blockchain can change business operations significantly. It records the transaction between two parties using a decentralized distributed ledger using a peer-to-peer agreement to verify and record each transaction. It eliminates any manual verification process.
- Artificial Intelligence (AI) –Artificial Intelligence is an umbrella term that refers to computing systems that mimic human intelligence to perform what a human does and improve the process based on what the computers learn. It has been in existence for more than a decade now. AI is now maturing and is more accessible and tangible. Some practical examples of Artificial Intelligence are Amazon’s Alexa, Self-driven cars, and chatbots.
- Machine Learning – Machine learning refers to computer systems’ capability to learn and adapt through supervised or unsupervised learning. It uses statistical models and computer algorithms to infer and analyze data patterns. Image recognition is one of the highly used use cases of Machine Learning.
- Automation – Automation refers to the business processes and procedures that strive to minimize human inputs. It includes the use of computers and is prevalent in BPA (Business Process Automation) and RPA (Robotic Process Automation). It can range from basic to process automation to Integration automation. It increases productivity and efficiency and reduces human intervention.
Challenges in Auditing Disruptive Technologies
Technology auditors experience several challenges associated with the audit of disruptive technologies. Some of those significant challenges are as follows:
- There is a lack of a mature auditing framework that provides comprehensive guidance on how to audit disruptive technologies.
- Implementing business cases associated with these disruptive technologies is unique to the enterprise that champions it.
- These innovative and disruptive technologies’ definitions, scope, and taxonomy change frequently.
- Because of the complexity of the implementation, enterprises typically outsource or co-source the disruptive technologies audits. As a result, a coherent understanding of the auditing process is not practically possible.
Approach to Auditing Disruptive Technologies
Firstly, the auditor should define the scope and objective, considering the key risk indicators. The auditor should review the organization’s strategy for Disruptive technology and collaborate with stakeholders to understand the business case, business drivers, and broad outcomes.
The auditor should ask questions to understand the following:
- Source of training data
- Potential bias that the data can introduce
- Other date that the management considered for model training
- Legal risk associated with data, e.g., anti-discrimination law
- Measurement and monitoring of decisions out of disruptive technology implementation
- Security testing after deployment
The key risk indicators under consideration should be:
- Number of Disruptive technologies implemented within the organization
- Number of algorithms that deal with sensitive data
- Cost of implementation
- Number of skilled employees
- Third-party implementors involved contracts
- Regulatory requirements
Next, the auditor should map COBIT 2019 framework to the Disruptive technology strategy. It provides the tools, process, desired outcomes, leading practices, and work products across all IT-related domains. Finally, the auditor can create the Risk Control Matrix (RCM) that lists each risk and associated controls. From the COBIT core model, the auditor should focus mainly on Ensured Governance, Managed Strategy, Managed Innovation, and Managed Security Services.
Here are some example activities that the technology auditor can take to audit disruptive technologies
Conclusion
Disruptive Technologies are here to stay, and there have already been several practical usages of these in the regular business and consumer life cycle. Before developing a framework to audit disruptive technologies, the technology auditor should understand the business case, business drivers, and organizational strategy. They should create an inventory of disruptive technologies implementations. In collaboration with the stakeholders, they should identify the risk and associated controls for the RCM. Technology auditors can then leverage and adapt COBIT 2019 as a guide to audit disruptive technologies.