Balancing the Benefits with the Risks of Emerging Technology
Benefits. A well-known example of an emerging technology is artificial intelligence (AI). This technology has many facets, including machine learning, natural language processing and speech recognition. In September/October 2020, the Information Systems Audit and Control Association (ISACA) and Protiviti conducted a global survey of over 7,400 IT audit leaders and professionals to get their perspectives on the top technology risks their organizations will face in 2021. Nearly 50% of the over 4,500 global respondents to the ISACA survey showed they are already using AI technologies (22%) or are in the planning and pilot stages of adopting them (27%).
Companies that have adopted emerging technologies, such as AI, hope to benefit from the competitive advantages that these technologies can provide. For example, cost savings and heightened revenues are made possible through increased efficiency and enhanced customer products and experiences.
Companies can speed up the adoption of emerging technologies by investing broadly across the company and using technologies in a way where the responsibility resides with the process owner. This approach generates better cost savings as process owners can solve a business problem specific to them, resulting in operational efficiencies and an increase in quality analysis.
Internal audit can also embrace AI technologies to enhance risk monitoring and control effectiveness. In a use case-specific example, machine learning can analyze general ledger data and pinpoint incorrect or fraudulent journal entries among thousands of other transactions. Note that larger and more complex business problems—which may have a broader impact across multiple areas of the business or have aspects that present greater risk to the company—would require collaboration and consultation with data scientists, who could be internal personnel or consultants.
Risks. Companies adopting emerging technologies must not only consider the benefits but also the associated risks. To develop an understanding of individuals' perceptions, the ISACA survey asked respondents to indicate their views on the risks of adopting AI technologies. Most respondents rated the risks associated with AI to be low (30%) or medium (33%), whereas only 9% determined AI to be high risk. In practice, companies must consider the maturity and complexity of the business processes using AI to determine true risk to the company.
One risk is that these emerging technologies will not achieve companies' expectations. To combat this risk, a clear vision needs to be established and supported by defined objectives with realistic targets. Due diligence involves thorough research to identify requirements for new projects that have a significant impact on the company. IT governance should play a substantial role as emerging technologies are being integrated into the business, including representation across different IT groups—such as application development, security, and infrastructure—within the IT governance process. This will enable communication across various parts of the business and help identify additional needs while streamlining project implementation. Monitoring and regular status updates should be communicated to senior leadership throughout the project, as well as post-launch to help determine if ROI was achieved or miscalculated.
Risks can also emerge from changing regulations that may limit the success of an emerging technology. For example, privacy laws related to the collection of consumer data could impede a company's ability to use successfully certain emerging technologies by disrupting current products and services in production. New regulations are imminent, especially surrounding algorithmic bias for technologies that affect customers. Continuous monitoring of new regulations and nimble development processes are necessary to ensure models comply with changing and new regulations.
Finally, there is a risk that a misconfiguration of the technology could cause an algorithm error issue, which would affect data quality and create threats to data security. These risks can be mitigated by putting strong change management processes in place. These processes ensure test cases are effectively designed and performed, that version controls appropriately log changes to models and source code repositories, and that peer reviews are conducted for coding and model changes. During the planning and building phase, it is critical to be mindful of the data set to identify potential biases and ethical dilemmas.
Adopting emerging technologies can create competitive advantages, but these benefits are naturally accompanied with risk. Process owners can take a proactive approach to identify risks by engaging with internal audit or enterprise risk management. Starting discussions about risks and controls early in the technology's implementation will help identify any unaddressed issues and process improvements and ensure emerging technologies are successfully integrated into the business.