governance of technology - uni-due.de...(ci) semi-cognitive robotic process automation (rpa)...

Governance of Technology

Univ.-Prof. Dr. Marc Eulerich

Mercator School of ManagementChair for Internal Auditing

Univ.-Prof. Dr. Marc Eulerich 1

1. Introduction

“The pace of change is so great, there is always something else going on. What that says to me is that you have to have strategic vision and

peripheral vision. Strategic vision is the ability to look ahead and peripheral vision is the ability to look around, and both are important.”

–Carly Fiorina (former Hewlett-Packard CEO) –

• With the adoption of innovative technologies and practices comes an evolving set of risks that must be assessed and managed.

è What innovations and disruptions have affected organizations and their governance?

è How has the company responded (or struggled to respond) to these innovations?

1. Introduction


1. Introduction: Current Innovations


5448

38 35 3328

16 14 11 10

44

0

10

20

30

40

50

60

Data Analytics

Cloud Computing

Agile Proce

sses

Drones /

Mobile

Technology

Robotic Pro

cess

Automation…

Continuous A

uditing

Corporate Stra

tegy Changes

Artific

ial Intellig

ence

Regulatory Change

Digitaliza

tion

Other Innova

tions

DRIVING TECHNOLOGIES% of Participants

Internal Auditors’ Response ƚŽ��ŝƐƌƵƉƟǀĞ�/ŶŶŽǀĂƟŽŶ.........................................................................................................................

Margaret H. Christ, PhD, CIAMarc Eulerich, PhDĂŶĚ��ĂǀŝĚ��͘�tŽŽĚ͕�WŚ�

2.1 Data Analytics

• IT-enabled data analysis techniques used to draw insights from raw information sources

• Data analytics is not necessarily new to many of the organizations, participants agree that it has been transformative for their organizations and the extent of its use continues to increase and evolve

• The most frequent risks faced due to the implementation of data analytics was risks related to data integrity.

• The most frequent tools used were Tableau and ACL. The next most recommended tools included R, Python, and SQL.


2.1 Data Analytics

Best Practices: • Training: Survey respondents described a requirement to learn

and improve data analytics as part of the audit scope and the team's performance goals. Thereby, the IAF was better able to improve performance using data analytics.

• Maintain Strong Data Governance: Organizations should require and enforce the documentation of data libraries, which helps when staff leave their position. Also, spend upfront time to have and to keep data access and to structure the data in a controlled, meaningful way.

• Control of analyses: There is no control over what analyses are done, saved, shared, and relied upon. Thus, duplication and duplicitous analyses that have different results are possible. Providing control over who can perform analyses and how these analyses are reviewed/stored is critical.


2.2 Automatisierung und KI


ACT

like a human

RULESLEARN

REASON

Basic process automation

– Built-in knowledge repository

– Learning capabilities

– Ability to work with unstructured data

– Pattern recognition– Reading source

data manuals

– Natural language processing

Enhancedautomation

– Artificial intelligence– Natural language

recognition and processing

– Self-learning (sometimes self optimizing)

– Processing of super data sets

– Predictive analytics/hypothesis generation

– Evidence-based learning

Cognitive automation

THINK

like a human

2.2 Automatisierung und KI


Automatisierung

— Künstliche Intelligenz

— Spracherkennung und -verarbeitung

— Selbstoptimierung von Algorithmen

— Vorhersage von Analysen und Entscheidungsautomatisierung

— Selbstlernfähigkeiten

— Verarbeitung von nicht strukturierten Daten

— Mustererkennung und -verarbeitung

— Sprachverarbeitung

— Desktop-Anwendung

— Makrobasierte-Anwendung

— OCR und Bildschirmverarbeitung

KognitiveAutomatisierung

Entscheidungsfindung

Erweiterte Automatisierung

Maschinelles Lernen

Mer

kmal

eAn

biet

er

Einfache Automatisierung

Transaktionsbeschleunigung

SAP Nutzungs-

grad Work FlowRPA/ Screen

Scraping

— Desktop-Anwendung

— Richtlinien-digitalisierung

— Entscheidungs-modellierung

— Workflow-Automatisierung

— Nutzung der Möglichkeiten durch individuelles & angemessenes Customizing und Einrichtung von Stammdaten

Machine Learning

Artificial Intelli-gence

2.3 Robotic Process Automation (RPA)

• Automation that allows the user to design a “bot” that performs routine, systematic tasks

• “When we have a [bot] collecting data then we need to understand what is happening. If everything is automated, there is a lot of risk around it, because as soon as the bot or drone starts doing something wrong, it’s going to keep doing it wrong until we catch it. That is the risk around bots in general. They are great because they don’t have human error, but they also don’t have the human brain.“ (CAE from the oil and gas industry)


But these...

We’re not talking about these kinds of

robots …

Although we tend to use these as a visual.



01 Scoping bestimmen

04 Prüfung eines/einer …

Test of Design

Test of Effectiveness

je BOT je BOT

Test of Design

Test of Effectiveness

je ITAC je ITAC

BOT

ITAC

02 GITCs Identifikation und Testing

03 Operating Model

Um die durch Automatisierung veränderte Risiko-position des Unternehmens einschätzen zu können, ist zunächst eine Abgrenzung von RPA gegenüber anderen Automatisierungen sinnvoll. Im Unterschied zu künstlicher Intelligenz und neuronalen Netzen ist Automatisierung mit RPA üblicherweise regel- basiert und deterministisch. Es handelt sich bei RPA um eine vorkonfigurierte Software instanz. Diese verwendet Geschäftsregeln und vordefi-nierte Aktivitäts-Choreografien, „die autonom eine Kombination von Prozessschritten, Aktivitä-ten, Transaktionen und Aufgaben in einem oder mehreren unabhängigen Softwaresystemen ausführen, um ein Ergebnis oder eine Digitalisie-rung mit menschlichem Ausnahme-Management zu liefern“.1

Unternehmen können mithilfe von RPA bei ver- gleichsweise geringem Entwicklungs- und Imple-mentierungsaufwand große Effizienzsteigerungen realisieren – und zwar ohne dass RPA ihr Umfeld, also den betreffenden Prozess oder die Entschei-dungsfindung, verändert.

Und RPA automatisiert nicht nur, sondern kann auch Kontrollaktivitäten durchführen. Dabei eignen sich sowohl Geschäftsprozesse als auch Kontrollen dann besonders gut zur Automatisierung, wenn ein klar dokumentierter und stabiler Prozess vorliegt und es!sich um regelbasierte, repetitive Tätigkeiten mit hohem Volumen und großer Häufigkeit handelt.

Neben den Vorteilen birgt RPA (umgangssprach-lich oft „Bot“ genannt) auch Risiken, die in den bestehenden internen Kontrollsystemen bisher nicht angemessen adressiert sind. Der Zugriff des!Bots auf Systeme und seine Rechte sollte dabei klar definiert werden. Und auch den mensch-lichen Zugriff (ob direkt oder indirekt) auf die Bot-Applikation und den Bot selbst sowie dessen Betrieb gilt es mit geeigneten Freigaberoutinen zu!steuern, um unberechtigte Eingriffe zu verhin-dern. Dazu sind eine ganzheit liche RPA- und Digitalisierungsstrategie sowie die Einbindung der!Anwendungen in das bestehende Interne Kontrollsystem erforderlich.

1 IEEE Corporate Advisory Group 2017

Abbildung 2: Prüfungshandlungen im RPA-Umfeld

»

»

Neben der notwendigen ganzheitlichen Betrachtungs-weise braucht es auch einen!für RPA geeigneten Prüfungsansatz.

14 CGO 07 | 2019 Robot Process Automation und IKS CGO 07 | 2019 15

© 2019 KPMG AG Wirtschaftsprüfungsgesellschaft, ein Mitglied des KPMG-Netzwerks unabhängiger Mitgliedsfirmen, die KPMG International Cooperative („KPMG International“), einer juristischen Person schweizerischen Rechts, angeschlossen sind. Alle Rechte vorbehalten. Der Name KPMG und das Logo sind eingetragene Markenzeichen von KPMG International.

© 2019 KPMG AG Wirtschaftsprüfungsgesellschaft, ein Mitglied des KPMG-Netzwerks unabhängiger Mitgliedsfirmen, die KPMG International Cooperative („KPMG International“), einer juristischen Person schweizerischen Rechts, angeschlossen sind. Alle Rechte vorbehalten. Der Name KPMG und das Logo sind eingetragene Markenzeichen von KPMG International.


Best Practices: • Recognize your limitations and focus on what you know: While some

companies suggested that auditors feel confident that they know enough about technology to perform an effective audit of RPA, others cautioned against overreaching. Auditors should focus on what they know well and not try to audit a technology that they do not truly understand.


Pattern based machine learning

Statistical modelling

Improvedworkflow

Cognitive intelligence

(CI)Semi-cognitive

Robotic Process

Automation(RPA)

Structured data

interaction

Incr

emen

tal v

alue

Mimics human intelligence

Past

1990’s–2000’s

Present Future

Optimized processthrough automation

2015–2020 2020+

Augments human intelligenceMimics

human actions

2.4 Artificial Intelligence (AI)

• Processes that use intelligent machines to work and react similarly to humans, characterized by machine learning

• One of the greatest risks identified of using AI is that individuals may usesome form of AI but not understand what the AI is actually doing. When a new scenario is introduced, the concern is that the AI can be misapplied because of this lack of understanding

• Finally, of all the innovations measured, respondents report that they are the least prepared and least effective in the area of AI.


Supervised Machine Learning

Reinforcement Machine Learning

Unsupervised Machine Learning

Artificial Neural Network

Time Series Forecasting

User Behavior Analytics

Genetic Algorithms


Univ.-Prof. Dr. Marc Eulerich 12Trends in Internal Auditing and Corporate Governance - SS 2018

Comparing outcomes to another source(s)

Understand and evaluate the AI model(s)

Develop AI solution(s) in a controlled environment

But each approach has its limitations

01 02 03

• Another (reliable) source might not exist

• Not always feasible to replicate the model / develop an alternative

• And if you have another source: why develop the AI solution in the first place?

• Model might be too complicated to understand

• Model uses techniques such as deep neural networks that are notorious in terms of explainability.

• Skilled people using a rigorous methodology in a secure environment is no guarantee for quality outcomes

• Using a rigorous methodology is in tension with an agile and explorative approach that is common in data science.

A governance framework helps define the optimal combination of controls across these three approaches


Best Practices:• Training: Internal auditors need training, and as one respondent described,

internal auditors must “understand the principles of AI not just [recognize] the phrase as a buzz-word.”

• Understand the organizational plan for AI: Another respondent recommended that internal audit functions get a road-map for how process owners and executive management plans to roll out AI in the future so internal audit can prepare.


2.5 Digitalization

• Digitalization is changing a business model by the use of digital technologies to provide new, value-producing opportunities

• In particular, digitalization is associated with increased cybersecurity risks because now key data and inputs are collected, recorded, stored and processed electronically.

• There are key risks related to the functionality of the technology itself. Technology failure or obsolescence can have a major impact on operational performance or the value proposition of the organization.


Transformation und digitale Veränderungen (1/3).

Künstliche Intelligenz

Cloud Computing

Robotics (RPA)

SonstigeBlockchain

Big Data/Analytics

Source: PwC (2017). Confidence in the future: Emerging technology and the finance function.

2.5 Digitalization

Best Practices:

• Hiring the right (technology-focused) skillset: As organizations move to digitalize their operations, it becomes more critical that the internal audit staff have the appropriate technical acumen and IT risk knowledge.

• Invest in your people: Innovation like digitalization requires a flexible, agile internal audit workforce. CAEs also recommend really investing in the existing audit staff by increasing targeted training and working to make them true experts in the field. Specific training/skills described include cyber-security and network security.


3. Conclusion: Strong Governance / Role in ERM

Strong Governance• While “strong governance” seems like an obvious best practice for all

organizations, it becomes even more critical in organizations that are encouraging innovation.

Role in ERM• In general, this recommendation highlights the importance of the assurance

functions being knowledgeable about all organizational risks early enough such that it can prepare to address them as needed.


Univ.-Prof. Dr. Marc Eulerich

0203/379-2600

[email protected]

Universität Duisburg-EssenMercator School of ManagementLehrstuhl für Interne RevisionLotharstraße 6547057 Duisburg

https://www.linkedin.com/in/marc-eulerich-52075718a

@

YOU CAN DOWNLOAD CURRENT RESEARCH PAPERS FOR FREE ON:SSRN.COM

governance of technology - uni-due.de...(ci) semi-cognitive robotic process automation (rpa)...

Documents