Innovation and digital auditing — the journey of the European Commission’s IAS towards state-of-the-art technologies

In a working environment that is increasingly digitalised both internally and externally, auditors must act and react to ensure not only that they make optimum use of the new audit possibilities on offer, but also that they provide advice on where and how their auditees can improve. This also applies to the European Commission’s Internal Audit Service (IAS). Felipe Castro Barrigon is team leader of the IAS’s ‘Innovation and digital auditing’ Working Group. In this capacity, he is at the forefront of exploring new developments that are relevant for the IAS and translating them into daily work practices. Below, he shares some of the key features of the journey the IAS has undertaken and the approach the IAS envisages for the years to come.

By Felipe Castro Barrigon, Internal Audit Service (IAS) of the European Commission

Source: Shutterstock/Photon photo

Setting off…

The need to keep pace with technological developments is something the internal audit profession cannot afford to ignore. The sheer speed of change means that we have to anticipate, plan and react in ways which many might have found unimaginable only a few years ago. The European Commission’s Internal Audit Service (IAS) is no different. We have to leverage those tools and technologies that allow us better to assess not just the risks the Commission faces in this ever-challenging environment, but also the controls put in place to mitigate them. However, we also need the right talent and skills to do this in what is a very competitive market. So how are we tackling this in the IAS?

These challenges have been at the forefront of our thinking for some time now, particularly at our last three IAS annual conferences. In 2017, we discussed ‘Innovation and creativity in internal audit: myth or reality?’ and in 2018, ‘Internal Audit: Embracing the challenges of the future.’ Most recently, in November 2019, we tackled ‘From hindsight to insight and beyond: how Internal Audit may contribute to foresight’.

A constant theme has been the extent to which we, as auditors, struggle to understand how different trends and technologies have an impact on our profession. The very clear message to us here in the IAS was that we simply had to do something. We had to start that journey so as better to understand and tackle the challenges head-on, even if this meant diverting key resources away from other tasks. However, like many such journeys, it is not always clear which path to take and what is really feasible in practice.

To make a start, at the end of 2018 our Director-General, Manfred Kraff, asked the IAS’s IT audit unit to carry out an initial analysis of the new trends and technologies that could be relevant for our work. After this preliminary phase, he decided to set up a dedicated team in the IAS to identify specific areas for further exploration and progressively build up the requisite audit capacity and knowledge. The group’s primary objective is to stay abreast of developments at the European Commission and other EU bodies, but also, more generally, in the public and private sectors. Secondly, it will assess this environment and evaluate its potential impact on the IAS’s work. This thinking is very much in line with a range of ongoing action plans at the Commission to modernise the workplace and improve overall efficiency.

…the journey…

Ever since, we have been exploring different initiatives linked to the European Commission and other EU bodies so as better to understand their objectives and scope, and the impact on the Commission’s operations, and to discuss openly how they can affect and improve our auditing procedures. The areas we have looked at include data analytics, artificial intelligence (AI), blockchain, data visualisation techniques and enhanced digital publishing of our audit documents.

Our approach is based on three types of actions or ‘strands’ for these five different areas (see Figure 1):

1. Inventory: benefit from a knowledge-sharing experience, where auditors can learn from their peers in other Directorates-General and reuse what is already available as much as possible. We have chosen informal ‘brainstorming’ exercises, where we position ourselves very much in ‘open-mind’ and ‘learning-listening’ modes.
2. Pilots: creating ‘playgrounds’ where we can experiment and learn with a ‘hands-on’ type of experience.
3. Awareness raising: Informal ‘TED-TALK’-style presentations to interested IAS staff to share what we learn and capture feedback and ideas.

Figure 1 — Five areas and three strands in the IAS initiative

Source: IAS

We have been in contact with most of the European Commission’s Directorates-General and the EU’s decentralised agencies to gather more information about ongoing projects and tools. At the same time, we have also contacted other public organisations, such as the Dutch Ministry of Finance, the Vlaanderen Lokaal Bestuur (Flanders local government and municipalities) and, of course, the ECA. I am happy to say that this has proved to be very useful. Not only has the experience confirmed that we are not alone in facing these challenges, but — more importantly — these organisations have also inspired us further and provide much food for thought. In particular, we have strengthened our contacts with the ECA, notably the ECALab team and its various initiatives with analytics, AI and blockchain.

We are currently in the process of bringing all these results together, but I can already share some possible outcomes by providing a few examples. In the area of AI and data analytics, we are looking into textual analysis by going beyond current searches for key terms towards semantic searches. We found some interesting use cases in the Directorates General for Competition, Communications Networks, Contents and Technology (Connect), and at the Joint Research Centre (JRC). For example, combining searches for and tagging of specific content in multiple documents, and then linking them to audit papers. Another example is the automated summarising of documents or sentiment analysis for surveys. These examples could help us to make the audit review and documentation process more efficient, particularly during fieldwork.

We are also looking at how we can extract unstructured information (e.g. text in pictures, pdf documents, etc.), then convert it into structured information in relational databases before ultimately comparing and cross-checking the result for completeness, accuracy, etc. We have worked hand-in-hand with our Directorate-General for Informatics and the Directorate-General for Budget in order to build a successful proof of concept.

In the area of blockchain, we were very much inspired by what the ECA has done. Initially, this topic was relatively unknown and seen as less relevant for our internal auditing activities until we looked at the ECA’s use case. We joined the ECA, the Directorates-General for Informatics (DIGIT) and Connect, and EU Members States in creating a European Blockchain Service Infrastructure (EBSI) initiative. We are also contributing with functional requirements, and are considering creating a pilot to explore blockchain usage in our audit execution process.

In addition, we are exploring data visualisation tools in certain key areas. Our risk analysis exercises could benefit very much from real-time access to databases providing risk indicators and drill-down capabilities in the Commission’s datasets. We could select our audits in the audit plan, and scope them much better and quicker. During our audits, we could also gain a better understanding of operational data created during process workflows by moving to a different category of performance analysis, for example, by improving our understanding of the bottlenecks in grant-management processes or the performance of workflows in IT systems.

Lastly, another area we are exploring — albeit very tentatively at this stage — is the publication of digital reports. As things stand, we generate ‘traditional–style’ reports, which some regard as lacking what might be termed ‘a rich user experience.’ We are looking at how better citations could provide more contextual information and/or help to measure the impact of our reports, akin to the approach adopted for scientific publications. We are also exploring the use of reference vocabularies currently in use at the Commission to ensure more consistency. We would like to make better use of metadata in our reports, as this would allow us to isolate the different elements in the reports and make them more easily accessible for specific purposes; this is similar to the approach the EU Publications Office would like to use for the publication of the Official Journal.

… and the rewards

Even though the journey is far from complete, it has already been a very rewarding experience. All the initiatives have yielded some unexpected — but very welcome — outcomes. The initial inventory of activities was full of surprises in that it opened up a brave new world and left us wanting to know more, while at the same time reminding us that we needed to keep our focus. The real challenge now will be to translate this into concrete actions in the medium and long terms. We plan to produce a position paper in the first quarter of 2020 that summarises the results of our work so far. This can be used as a basis for defining an action plan and for estimating the resources we will need.

In my view, and regardless of the ‘final’ result — if it can ever be called ‘final’! — there are already many positives to draw upon. This initiative helps to provide a better understanding of the ‘state of the art’ in a number of key technological areas and the projects our colleagues are carrying out. It also helps us better to appreciate the work of many colleagues at the European Commission who are pushing to make improvements in their working methods. We have vastly broadened our network of contacts both at the European Commission and in the other EU institutions. Additionally, a more open, learning-based attitude helps us to build relationships with auditees beyond the usual audit engagement work. Lastly, and very importantly for us, it helps to pave the way for a better working environment, and thus attract new skilled and motivated auditors, thereby making the IAS an exciting and challenging place to be in the near future.

This article was first published on the 1/2020 issue of the ECA Journal. The contents of the interviews and the articles are the sole responsibility of the interviewees and authors and do not necessarily reflect the opinion of the European Court of Auditors.