Auditing at the Speed of Risk with Richard Chambers
Attention: This is a machine-generated transcript. As such, there may be spelling, grammar, and accuracy errors throughout. Thank you for your understanding!
Richard Chambers: [00:00:00] So what I think we have to do is really recognize the risk that presents for us as far as developing future generations of internal auditors and accountants and any other profession I can think about. And we'd better be helping these folks to leap the learning curve. We shouldn't refrain from hiring them. We should be willing to bring them in and to help them leap the learning curve and accentuate those skills that I've been talking about. Because otherwise, who's going to be doing that? Who's going to be providing the skepticism, the intellectual curiosity, bringing the institutional knowledge to our to our audit teams in ten years because the rest of us are going to be gone.
Blake Oliver: [00:00:39] Are you an accountant with a continuing education requirement? You can earn free NASBA approved CPE for listening to this episode. Just visit earmarked in your web browser, take a short quiz and get your certificate. Hello everyone and welcome back to the Earmark Podcast. I'm Blake Oliver. Internal audit is being pulled in every direction, especially when it comes to AI, and the risks are expanding faster than audit plans. For instance, a new Audit Board study says most companies use AI, but only a quarter have fully implemented governance over it. Today, I'm joined by Richard Chambers, senior advisor for risk and audit at Audit Board. We're going to cover how to audit at the speed of risk, how to be independent without being isolated, what AI governance assurance looks like in practice, and how to bring culture risk into every engagement, and how CAEs can deepen audit committee trust. Thanks for joining me, Richard.
Richard Chambers: [00:01:35] Well, it's great to be here. Thank you for having me.
Blake Oliver: [00:01:38] So, Richard, just before we started recording, you mentioned that you have notched now 50 years in internal audit. Congratulations.
Richard Chambers: [00:01:46] Thank you. Thanks. It was in September, early earlier in September. Um, I came straight out of college 50 years ago, straight into internal audit. And I've served either in or for the profession. Really, all those, uh, all those years since and, uh, it's, uh, it's been a gratifying career choice. And I'm, uh, I'm very happy that I did.
Blake Oliver: [00:02:08] That's a bit unusual going straight into internal audit. Usually people go into public company audits or or tax external audits. Uh, how did you end up going straight into internal audit?
Richard Chambers: [00:02:20] Yeah. Well, my, uh, you know, and I've, I've written about this and I've, uh, I've talked about it to students and to others. I, I was being very practical. I was a very, uh, very young 21 year old, just barely 21. And I finished my, uh, my accounting degree, my undergraduate degree early, and, uh, and, uh, wanted to go on and get my MBA. Uh, but I needed to have, uh, some steady stream of income in order to be able to do that. So I was looking around at where could I leverage my accounting degree, uh, and, and still be able to get to the university to take the evening MBA classes, and there was a bank across the street from the university that had an internal audit department with an opening. And I signed on, and it turned out to be a career choice that I never really regretted.
Blake Oliver: [00:03:10] So you've been in it for decades. You have seen everything change. What has been the biggest change since you started in internal audit 50 years ago?
Richard Chambers: [00:03:21] Well, really, I think the, the, the, the profession has matured. I mean, you know, it's kind of scary to think that the modern internal audit profession is about 100 years old. So I've had the privilege of, of living through about half of that. And so even when I joined the profession in the 1970s, um, it was still a profession that focused largely on financial controls. And, and I would tell you, uh, you know, was largely focused on hindsight, which is, you know, kind of how did we do last year? What I've watched over these ensuing decades is a profession that has matured in terms of its capabilities, in terms of its focus, in terms of the value that it provides organizations. And while we still do some work in, in the financial space, financial related risks, that that's really a small percentage of what internal audit's focus is. And I think that's a myth that a lot of people still carry when it comes to internal audit is that somehow we are modern day corporate bean counters, and that is just not true.
Blake Oliver: [00:04:28] So if we're not focusing on the financials as internal auditors, then what are we focusing on?
Richard Chambers: [00:04:34] Well, I mean, if you think about the full portfolio of risk that an organization has, certainly financial risks are there. But operational risk, technology risks, uh, business strategic risks, these are all comprise a risk portfolio of a typical organization in the 21st century. And so what you will often find is internal audit's audit plan, the annual plan of coverage, is going to mirror those risks. Uh, because and that's not that shouldn't surprise anyone because the process through which we go to determine where our audit coverage is going to be starts with a risk assessment. And so as we work with the executives and boards and others to assess and determine the risks in the organization, uh, we'll find that technology risk. For example, cybersecurity risks have been huge for the last 10 or 15 years. So it shouldn't be a surprise that that now comprises the biggest chunk of a lot of internal audit department plans.
Blake Oliver: [00:05:34] I read all the time about the new fraud risk due to, uh, deep fakes and, um, and, and hacking and cryptocurrency has enabled a lot of this by allowing hackers to demand these enormous ransom payments they could never demand before. Tell me about that. Like, just the just like this, um, crypto hacking stuff. Like, when did that start to become a big deal for internal audit?
Richard Chambers: [00:06:04] Well, I think the, the last ten years, we've really, really, uh, been awakened to the, the risk that cyber presents. I mean, when I was the president and CEO of the IIA ten years ago, I was really frustrated because I could see how critical of a risk cyber was coming, uh, becoming for companies and organizations, but it wasn't reflected in internal audit plans. And so if I kind of then, uh, fast forward to now, I think really it was it was in the late teens, uh, around the, the Covid era where internal auditors really awakened to, uh, the risk that cyber presented to companies, particularly when the cyber criminals, uh, became, um, much more, um, lethal in terms of the damage they could inflict on or inflict on organizations. So when they started, uh, started tackling, uh, organizations, operational um lines, uh, it became much more critical. Internal audit couldn't really look away much longer. The big challenge, too, has been and remains the talent to be able to do that. Uh, the expertise, you know, we're not naturally going to have that expertise in internal audit. So we're out there constantly trying to recruit for that. And and I think that's been perhaps the largest impediment to internal audit being, uh, being early to that party, so to speak, was just getting the capabilities. And, and now it's about retaining those capabilities because of course, if you've got someone in internal audit with with any kind of, uh, substantial cyber expertise, somebody's going to try and recruit them away. And so it's, uh, it's it's part of why I think talent has been such a huge risk for internal audit in the last decade, and particularly in in the 2020s, it has consistently ranked at or near the top of of the challenges and the risks that chief audit executives say they face is, how do I get the talent and the expertise to tackle all of these new and emerging risks?
Blake Oliver: [00:08:13] So at the same time, we have all these new and emerging risks. We have a risk internal to internal audit, which is we don't have the talent or we don't have the the we don't have the people with the knowledge to be able to assess these risks.
Richard Chambers: [00:08:26] Right. It's it's it's about the way I phrase it. It's it's the risk that we won't be able to recruit and retain the talent we need to address the new and emerging risks in the future. And it's still, you know, I survey the profession around strategic risk annually and and for several years it was the number one risk. It's still number two. Uh, only AI has supplanted it in terms of strategic risk for the for the internal audit profession. But it's likely going to be a, an ongoing, uh, risk and challenge for internal auditors. This idea of where and how do I acquire the talent that I need. You know, if you think about some of the technology skills and particularly cyber skills out there, uh, those who have, uh, who possess those, uh, tend to tend to gravitate more toward operational roles. They want to they want to be out there designing and implementing the controls, not, uh, not trying to detect, uh, weaknesses back in the audit department, but I think we're doing a good job. We've really come a long way, uh, in terms of the value we're adding, uh, to organizations around cybersecurity.
Blake Oliver: [00:09:40] So we've got a list. You have a list of risks. AI is number one.
Richard Chambers: [00:09:45] Yep.
Blake Oliver: [00:09:46] Talent is number two. What else is on that list?
Richard Chambers: [00:09:50] Well, the the ability to leverage technology, uh, in the use, you know, the the use of technology in internal audit, uh, you know, it's and it's not just a risk that comes from sometimes a, maybe a lack of skills. It's also a lack of, uh, budget to acquire that technology because technology is not cheap, as we know. So those are those are typically the top three. Uh, but then the ability or inability to identify emerging new or emerging risks. Um, we've been in an era of, of what I call perma crisis in the world for the last five years, since the onset of Covid, the world has just been lurching from one risk induced disruption to another. And, uh, and so this environment is, is proving that if you can't identify a new or emerging risk, early enough to be able to help the organization navigate it. The value that you bring is significantly diminished. So, um, those are those are the risks that I think, uh, keep heads of internal audit awake at night when it comes to, uh, the profession in terms of, uh, what what threatens our ability to continue to deliver. But, uh, I don't think we can underestimate how rapidly AI has emerged in that list. Three years ago, four years ago, it wasn't even on the top seven. And now it's number one. And I think we, uh, are likely to see that continue to dominate. Uh, the conversation around internal audit for quite some time.
Blake Oliver: [00:11:27] AI wasn't even on our list of risks a few years ago now.
Richard Chambers: [00:11:32] Pre not pre 2022. Really. Now you know I will I will acknowledge that I wasn't asking specifically about AI before 2022 after ChatGPT came out and we started to see this rise of generative AI tools, then it became something I was asking about first year. It came in about the middle of the pack. The next year I think it came up to number three and then lurched all the way up to number one, uh, when I surveyed about a year ago. So coming into 2025, um, it it's supplanted the talent risk as the top risk for the profession. And the way I worded the risk is the, the inability, you know, so the risk would be that we're unable to leverage AI to audit more efficiently and effectively in our organizations. And, uh, and I'm not surprised that it's number one. And I'd be very surprised if it's not still number one when I do that survey again in a couple of months.
Blake Oliver: [00:12:31] Well, and there's also the risk of like, data leaks in organizations when employees go and use AI tools that are not, uh, endorsed.
Richard Chambers: [00:12:41] Well, certainly. Certainly that's part of it. And one of the reasons why I think some internal audit teams are a little slow to adopt. But but you know, sadly, I think when I asked the question and we're we we surveyed around this last year from Audit Board and we're in the process of doing our focus on the future survey for 2026. So I don't have the the final results yet, but I can look at last year and I think we're going to see similar kind of responses when we ask, why are you not leveraging AI more? Uh, the answer, uh, all all too often is we don't really understand it enough. And, uh, and that's a very scary answer, really, because, uh, you know, we're not we're not in an era anymore where you've got, uh, time to study and learn, um, you've got to hit the ground running. And so, uh, I think it's perhaps another reason why it's a number one strategic risk facing internal audit.
Blake Oliver: [00:13:42] The number one strategic risk. It's only become that in the last few years. And there's like would you put um tariffs into that risk bucket. That wasn't even something that was on our agenda.
Richard Chambers: [00:13:56] Right. Well yeah. You're absolutely right. And uh, so so I'm going to be delivering a presentation at the upcoming Audit Board conference, our Audit and Beyond, around supply chain, uh, disruption and supply chain risks. And of course, that's fueled by tariffs and so many other geopolitical and geoeconomic risks the conflict. But yeah.
Blake Oliver: [00:14:20] Russia, Ukraine, all this stuff. Yeah.
Richard Chambers: [00:14:23] You're right. I mean, if you think about, uh, supply chain risks, uh, for example, uh, it, it it's sort of literally is fueled by all, almost all of these other risks. Right. So the geopolitical conflicts will often then disrupt supply chains, and that suddenly makes its way to all the way down to consumers. Um, the same time, uh, tariffs, uh, the, the sort of this, uh, period of tariff conflicts or tariff wars that we've been in, uh, and, and it was so disruptive, um, and is and remains so but think about back in the first half of this year, I mean, we were we were hearing, uh, coming out of Washington. We were we were often hearing three different tariff numbers a day, you know. Well, we're going to we're going to make it 10% now. We're going to make it 20%. We're going to make it 50% all in the same day. And I don't know how a risk manager or internal auditors or others in a company that has a huge dependency on supply chains, I don't know how you manage risks in that environment.
Blake Oliver: [00:15:31] I would I would not want to be in that seat.
Richard Chambers: [00:15:33] I do know it really comes down to we have we in and I've talked a lot about this the last few months. We've got to become much better at what I call scenario risk management, because you can no longer have any confidence that one scenario is the only one you have to worry about. You have to think about what are all the possibilities that could happen, you know? Yeah, when it comes to tariffs, I mean, we're we're we're about to see, uh, the US Supreme Court ruling on, uh, ruling on the legality of some of the tariff, uh, decisions that have been made, some of the new tariff rules. So that's another wrinkle out there, you know, because for some reason they said, nope, can't do that. Then suddenly the uncertainty again around tariffs becomes significant. So yeah, it's uh but again this is so so Blake I think this is what the, the 2020s have been about. It's just, you know, this is just the latest example. But it started with Covid. We then lurched out of Covid into into an overheated economy with inflation we hadn't seen in four decades. We we saw the earliest instances of supply chain disruptions. Then geopolitical conflicts broke out, first starting in Europe and later in the Middle East. And it's just been one disruptive event after another. And and that's why, you know, I've, I've attached myself to the or associated myself with this term perma crisis because in some ways we've been in a permanent state of crisis. Uh, we're in our sixth year of it, and and I would submit this is the new normal. Uh, you know, I, I almost hesitate to talk about perma crisis as though it's some unique phenomenon because it's now been around for so long, and the outlook is that we will continue to see disruption in as far out as we can imagine. So this is this is the world in which we have to, um, assess risks that we have to manage risks and that as an internal audit profession, we have to be able to audit those risks.
Blake Oliver: [00:17:43] It's a cliche to say that history repeats itself, but I think it must, because I'm a child of the 80s and I grew up studying in high school, the 60s and 70s, and that was an era that reading about it seems like it felt like it feels now where there's all this geopolitical conflict, political conflict in our country, uh, inflation, uh, supply chain disruption, all of that was happening back then. And it's happening again. And I guess even if it doesn't go on forever, it can go on for quite a while, like a couple decades. So.
Richard Chambers: [00:18:21] Absolutely. And you know, when, when, when inflation first reemerged in 2022, um, right now things seem to be a little bit under control. But when it first reemerged, I found myself one of the few people in our profession who could relate to how you audit in that environment. So I was I was writing and and speaking about, uh, what do you what are the ways that internal audit can help their organizations navigate, uh, the risks around inflation? Um, and and, you know, you're right. It it is there is a certain cyclical nature to, uh, to civilization. And in some ways, uh, we are we are living through very similar times, um, to, to my childhood and young adulthood. Um, we're going back through it again. And, um, I don't know that the answers on how you navigate it are going to be the same, but the, uh, the feeling is very much the same.
Blake Oliver: [00:19:19] Well, the key is to be able to identify the risks. If looking at history helps you do that, then we should do that. I feel like accountants should take more history because, I mean, at least in this case, I think it would be really helpful to bring. But to bring this back to like your original point, which is internal audit started 100 years ago all about financials and has dramatically changed over 100 years to now. That's not even really on the list. I mean, it.
Richard Chambers: [00:19:50] Is, you know, the auditing of financial related, uh, issues and risks are still on the list. And, and, and, you know, typically comprises, you know, if you look globally or even in the US, it'll comprise around 25% of a typical internal audit plan. But but again, that's a that's a stark contrast, right, to, uh, to the genesis of this profession when, uh, when we really were an extension of the finance function, the comptroller's function, the CFO function, whatever term you want to use, we really were very much a part of that team. And, uh, and that was by and large, our focus. But, uh, I think rightly so. We have navigated, uh, well away from, uh, an environment where that's all we did. I often make the analogy, you know, because people like to refer to us disparagingly as bean counters, like they do the, the, the accounting profession and even the external auditors. I like to be able to say, well, yes, maybe we were the bean counters. But in today's environment, we have to also understand how those beans are grown, how they're harvested, how they're taken to market. And we have to be able to advise accordingly. So it's, uh, we've gone a long way from, uh, from just being kind of that extension of the finance team.
Blake Oliver: [00:21:12] Yeah. And somebody's got to figure out which beans are the magic beans. Right. So you can you can use that analogy however you like. I don't mind being I don't I like referee, I like thinking of accountants, at least when it comes to external audit as being like the referees of capitalism. People can understand that. And every, every sport needs referees to make sure the game is played.
Richard Chambers: [00:21:32] I think all of us are that what I call the guardians of trust in capital markets? Uh, because whether you're doing external audit work or which is certainly much more visible in, uh, in providing assurance on the, the veracity of financial statements or whether you're the internal auditors working behind the scenes and out of sight. In many ways, the combination of all of our work, I think, is vital to the trust that capital markets need for our systems.
Blake Oliver: [00:22:03] Absolutely. And you look at totalitarian regimes and what are they missing? They are missing those independent voices that speak truth. Absolutely right. That surface the I mean, it's it's it really is it's like that, that that is what's not present anywhere else in the world. It feels like it's like that's what we have. That's our magic part of the magic of America.
Richard Chambers: [00:22:29] Yeah, I think we've still got, uh, opportunities to do better, but I, uh, I'm not ready to trade it for any other system I see.
Blake Oliver: [00:22:36] Well, let's talk about those opportunities, how we can do better. So we're in a perma crisis state, at least for a while. So how do we, as internal auditors stay on top of this stuff? It's changing so rapidly. Uh, you can't just do an annual plan anymore, right?
Richard Chambers: [00:22:54] Well, you certainly, certainly shouldn't. I draw the analogy that having using an annual plan to, uh, to conduct your audit work, um, is is going to leave you incredibly vulnerable. Um, you think about if you prepared your plan, uh, for 2025 last November, December, which is typically when plans are first put together. Um, you know, by May, I think I found that almost 60% of internal audit departments had already had to change their plans because you weren't envisioning. You might have known then how the election came out, but you couldn't truly envision how rapidly a lot of change was about to happen. And so, you know, that's that's part of it is this this idea of being agile and of of what I call leveraging some sort of continuous risk monitoring capability, because if you don't have something, you know, it's not even a matter of ten years ago, I would have said, well, do quarterly risk assessment and update your plan quarterly. You can't do that anymore because as we see from month to month, the risks our organizations face are going to be different. So that's why I think it's so incredibly important now to have some sort of continuous risk monitoring capability in place so that you don't end up being surprised, you know, the, the number one thing that I hear from, uh, from audit committee members when I ask them, what are your expectations for internal audit, um, or even sometimes, uh, management, the C-suite, one of the, one of the most common responses is no surprises.
Richard Chambers: [00:24:37] We want to we want them to help us avoid the surprises. Well, I don't know how in an environment where you get surprised three times a day with what the new tariff rules are going to be, you can help your organization avoid surprises unless you have some sort of continuous risk monitoring capability. And also that that risk monitoring capability begins to look at scenarios that might unfold. So we, the first half of the 2020s, have fundamentally and forever altered how we manage risks. And if it didn't for your organization, uh, you really need to take a hard look, because I don't know how you could be managing risks today like you were pre Covid in 2019.
Blake Oliver: [00:25:21] So what does that look like? What does it mean to be continuously monitoring risk and updating the audit plan? Is that related to this idea of connected risk that you've written about?
Richard Chambers: [00:25:34] Well, that's a very important part of it. But I think it starts to a certain extent for the internal auditors. So then we'll then we'll, we'll expand into connected risk. But for, for me it's about understanding what are the the key risk indicators that could change the, the the risks that your organization faces. And so it's the ability to, uh, to work uh, hopefully in collaboration, which is the connected risk angle. But it's this idea of being able to once you do a risk assessment, let's say you're still going to do an annual risk assessment, because I find that a majority of internal audit departments still go through that process formally at least once a year. But it's then about being able to say, okay, now we have the we have the snapshot. We have the picture of what the risks could be that we could be facing in the coming year. Now let's figure out how do we know if those are shifting up or down, and what kind of key risk indicators do we want to be watching. And this is also where AI comes in because I think AI has the capability of helping you in that continuous risk assessment process. In fact, of all the ways internal auditors can use AI, I'm the most impressed right now by how it could be used to help them identify and monitor risks not only that impact the broader macro economy or the broader markets, but their own companies. So so I think that's part of what continuous risk monitoring looks like. But we can't do this alone, right. That's been the the the legacy of the last 15 to 20 years since the introduction of this term, the three lines of defense when the three lines of defense was conceived. I think it was a great way to help articulate why internal audit's so valuable. It's the what is that?
Blake Oliver: [00:27:33] What does that mean? Three lines of defense.
Richard Chambers: [00:27:35] So the three lines of defense was a concept originated in Europe, but it kind of quickly made itself into the mainstream. And even at the IIA when I was the CEO there in 2000, I think it was 11 or 13, we embraced it and put a position paper out there on it. But three lines of defense simply means there are three lines of defense that an organization needs to have in place to ensure that its controls, that its risks are effectively assessed and its controls are designed and implemented and functioning properly. The first line is management. Management has the the obligation to identify and to understand the risks their organizations face, and then to design and implement the controls to manage those risks. First line. Second line are the the monitoring and oversight functions that often are put into place by management to help management assess whether those controls are designed and implemented correctly and functioning properly. These are functions like, um, you know, your compliance function, your risk management team, maybe your corporate investigations. These are the monitoring and oversight functions that work for management. The third line is internal audit. It's really it really comes down to this. If you don't design, if you don't assess controls properly, you don't design or implement the controls correctly and you don't catch it through your monitoring and oversight. The third and final line of defense for the organization is your internal auditors. Because if the internal auditors don't catch it, then it's what I call the abyss. Usually it ends up either damaging your organization through some major calamity or your external auditors catch it or something happens that is not good for the enterprise. So that's why I think the three lines of defense was so popular within the internal audit community, because it really helped to illustrate the vital role we play in organizations. Yeah.
Blake Oliver: [00:29:37] The last line of defense.
Richard Chambers: [00:29:38] I'm sorry.
Blake Oliver: [00:29:39] It's the last line of defense is internal.
Richard Chambers: [00:29:41] Audit. It is. It's the third and last line now. So that was the original three lines of defense concept. Uh, and by the way, as the third line of defense, we don't work just for management. We also work for the board. So we have greater independence, right? That's one of the reasons why I think the third line of defense is so important for an organization. But we as as we went through the 2010s, we began to appreciate that defense was was important defending against failures to defending against corporate, uh, um, calamities is important, but that's not the only thing that we as internal auditors can do. So we revise the three lines of defense model in 2019 and it became the three lines model. We dropped defense and we said, hey, there's got to be greater cross-collaboration between the first, second and third, because if everybody's just sitting in a silo doing their thing, then then nobody has complete visibility, uh, at any given point in time. So the three lines model and, you know, one of the things that has always characterized internal audit is the independence that it has to have independence within the organization to carry out its work free of interference.
Richard Chambers: [00:30:57] Right. And so I think a lot of internal auditors began to use that concept of independence as a crutch. They would say, well, I can't look at that. I can't help you with that issue because I have to be independent. And so we said in the revised three lines model independence does not mean isolation. And so if you think about that for a moment, that really in a nutshell I think sums up why connected risk is so important. So connected risk is the concept that, you know, not only do you have to have some communication across the three lines, but there has to be some collaboration too. So you need to have management being able to depend on on the oversight functions and on the internal auditors to help them carry out their work and, and, and to give them real time feedback if they're designing and implementing controls that aren't working correctly. So again, this this is about recognizing that risks are interconnected. And we have to remain interconnected in the three lines model in order to be able to help the organization navigate those risks.
Blake Oliver: [00:32:09] Well, and when it comes to something like AI, which spans the whole organization. It's a tool we're using internally as auditors. It's a tool that executives are using. It's a tool that like, ah, everybody could be using, right. You can't just like look at it in isolation. Like it has to be holistic.
Richard Chambers: [00:32:31] Absolutely. And and you know, you think about it. It's it's it very much crosscuts a lot of risk. So obviously there's the, you know, the operational risk. There's the technology and, uh, data protection and privacy risks. Uh, there's also the compliance risk. Increasingly, there are new compliance rules and laws and regulations governing how AI is being used. Um, and so all of these risks are flowing from how the enterprise is using or not using AI. So yeah, it's a it's a really good example of why you've got to be, um, much more collaborative, communicative. Um, when it comes to how are we managing risk? I kind of liken it to, uh, you know, if you think about and use an analogy that the enterprise is like a seagoing vessel, it would be like only having a lookout with eyes faced in one direction. Um, you know, we've seen, you know, over the centuries, even, uh, that seagoing vessels realized you've got to have eyes focused in multiple directions, uh, to protect the the ship, to protect the sea vessel. So I'm simply saying if if your if your internal auditors are looking in one direction and your risk managers are looking in another, your compliance guys are looking in another, but they aren't sharing what they're seeing. Um, then you don't know whether there's gaps, you don't know whether you're both looking at the same thing. And you also don't have a chance to compare notes and share perspectives and expertise.
Blake Oliver: [00:34:09] As a sailor myself, I like that analogy. Where does the where does the radar system fit into all of this in the modern era?
Richard Chambers: [00:34:16] Well, that's that's a great that's a great analogy because what I've been saying is for internal as internal auditors, you know, this the the idea that we use our manual risk assessments, uh, to be able to identify, uh, risks that the organization's facing, uh, you know, it's it's kind of how our forefathers, uh, monitored the weather. You know, they go out and they look at the sky and they'd say, okay, it's clear. I live on the Atlantic Ocean. I could walk out, uh, the back of my house right now and look out across the Atlantic Ocean. And it's it's beautiful. The sky is blue, the seas are calm, but there are at least two, maybe three tropical disturbances that I know are out there that I wouldn't see if I wasn't using technology like satellites and radar. Not that I'm using them, but that the meteorologists weren't. So I've been preaching to internal auditors for a decade. We need to think more like meteorologists and look beyond the horizon in, uh, in helping to identify the risks that could overtake our organizations.
Blake Oliver: [00:35:21] Let's talk specifically about AI, the number one risk everyone's interested in knowing more. So you've written about this. Can you summarize where you would recommend me? Let's say I'm a CA. Where should I be starting with with AI. I have I haven't done anything yet. Where do I.
Richard Chambers: [00:35:41] Yeah where do I begin? I think unfortunately you're you're you've got too much company. If, uh, if you're a CA who hasn't done much yet, we're we're still, uh, we're in the process, as I said, of, of doing our annual survey around this. And, and I'm still finding that far too many, uh, don't have final numbers to share, but far too many, um, internal audit departments are still very timid when it comes to using AI. And so what I think has to happen is we have to become more knowledgeable. We have to we have to educate ourselves on it. I saw some numbers recently where, you know, we still have our proverbial heads in the sand when it comes to AI. I don't think a lot of us are willing to acknowledge or want to acknowledge that it it is potentially an existential threat to some internal audit functions if they don't fundamentally alter the way they deliver value to their organizations. Um, because we see the capabilities that that AI can bring, you know, and so you think about the use cases for AI, it starts with our with our risk assessments. So if you're getting ready to do an annual risk assessment, why aren't you out there querying AI about what are potential risks that your industry could be facing? What are emerging risks that no one is talking about that's affecting your industry? These aren't the this isn't the answer. These are the questions. And so what I think you're then able to do is to use what you, what AI can provide you to as a starting point to say, okay, now let's let's see how much of this is really pertinent to our organization.
Richard Chambers: [00:37:28] So it starts with the risk assessment. But then it carries right on through the audit processes. The data collection and analysis is right in AI's wheelhouse. Uh, you know, that's that's very much um, that's very much about gathering, uh, a lot of, of data, uh, analyzing it, drawing conclusions from it. And so to me, that's another place where if I'm a chief audit executive, I'd be looking at how are my how are my peers, those that are real trailblazers in using AI, how are they doing that? And then, of course, you can take, uh, the results that that come out of the data analysis and collection, and you can actually get, uh, good AI tools to even write your reports and, uh, and potentially monitor corrective actions afterwards to see whether you need to go in and do any kind of additional follow up work. You know, the the thing that worries me is that I think a lot of us are still in denial. I've got a, uh, I've been talking about this for a while, and having had the chance to watch it over over five decades, I've seen it happen repeatedly when there are new, um, rapid technological developments or innovations. Is that that as the internal auditors were often a little late to the party? Uh, and maybe some of it is, uh, our risk averse nature. We don't want to be, uh, first adopters because, uh, you know, maybe we do something that could damage our credibility or our reputation. So we kind of stand back and we let others be the pioneers. Um, and, and we eventually get there. We talked earlier about how that was the case with cyber security.
Richard Chambers: [00:39:12] We eventually got there. And now that's a very much a an ongoing part of our audit plans. But I fear that, um, AI will wait for no one. And, uh, and if we, uh, if we stand back to kind of gaze out there, who's using it and how they're using it, and we don't, uh, get out there and pioneer some of it ourselves. I think we're putting ourselves in a very perilous situation. Um, I don't think AI is destined to replace internal auditors, but like a lot of people, I believe it's destined to replace internal auditors who don't use it. And, uh, and so I think this is, um, perhaps. Well, I mean, I don't think it's hyperbole for me to say, in the five decades I've been in internal audit, there's never been a greater risk to this profession in terms of becoming, um, irrelevant or less valuable. Um, you know, I wrote a piece a couple of months ago. How do we win the race for relevance in the era of AI? Because in many ways, AI can, can replicate and can do much of what we've traditionally done. And so the answer becomes, well, we better we better leverage our human superpowers because there are things we can do as human internal auditors that AI cannot do. Starting with professional skepticism, intellectual curiosity. Um, you know, our relationship acumen, these are these are the skills that I think will differentiate us going forward. Um, but but again, it is there's there's a clarion call out there right now to this profession to, uh, step up, embrace AI, and, uh, and don't. Don't dally.
Blake Oliver: [00:41:01] Just thinking about what we've talked about over the last 40 minutes and thinking about what I know AI is good at. It seems like such a perfect fit for internal audit. Going down this list, I wrote down the four things you mentioned. The first one was using AI to identify risks that I know. That is a great use because these generative AI models have vast knowledge. They've read every book, every bit of text you can find on the internet, every YouTube video. It's just beyond comprehension. Yes. And they, they the models are built on that. And so you and I can only ingest and build a model for like a tiny subset of all the human knowledge. And so what we don't know we don't know is a huge risk.
Richard Chambers: [00:41:54] Right.
Blake Oliver: [00:41:55] But you can use these AI tools to identify the unknown or the hidden risks. So it's not going to give us the answer, but it can help us like think about things we weren't thinking about.
Richard Chambers: [00:42:08] Absolutely. You know, the thing that amazes me about AI and I, I try and experiment with it on a daily basis. I try and use it for, uh, some of the research that I do. I, I sort of refer to it as my research assistant. Yes. If I'm getting ready to write a new article, I'll ask, uh, I'll ask for some input on ideas for, uh, outlining it and key points to make. Um, but what's what's fascinating to me is that it will take me longer to write the prompts than it will take it to give me the answer. And, uh, and, you know, a lot of times I'll want to be very specific about the guidance I'm giving it, but the hesitation is never there. Immediately answers. Now, do I think that we still have risks about relying on the work of AI. Um, I do. I think it's still prone to, you know, hallucination to, in some instances, hyperbole. I've been experimenting with putting, uh, prompts into my own, uh, to my own, uh, ChatGPT profile, uh, to kind of tone down, uh, some of AI's tendency to get a little carried away with use of.
Blake Oliver: [00:43:18] It can be sycophantic.
Richard Chambers: [00:43:19] Hyperbole. Yeah, but but here's the thing. I just don't see any limitation right now on what it's going to be capable of doing, except except for the the sort of these inherent superpowers that we have as humans that at this point, uh, AI can't replicate. So the intellectual curiosity, the professional skepticism, uh, in in some ways, you know, even the critical thinking, you know, so these are some of the things that I think we better we better really accentuate. The other thing I worry about is and and I wrote about this a few weeks ago, I think maybe in an Accounting Today article, but it, you know, is that we're reading daily now about how, uh, AI is wrecking the, the, the, the market for new college graduates, because a lot of what college graduates have traditionally been able, the way they've traditionally been able to ease into professions is by doing some of the more rudimentary kind of tasks. Right. But but AI is prime for rudimentary tasks. So a lot of the things we would have traditionally asked new college graduates who come into our departments to do AI is taking over. And so we no longer are hiring as extensively, directly out of colleges. And so what I think we have to do is really recognize the risk that presents for us as far as developing future generations of internal auditors and accountants and any other profession I can think about, and we'd better be helping these folks to leap the learning curve. We should. We shouldn't refrain from hiring them. We should be willing to bring them in and to help them leap the learning curve and accentuate those skills that I've been talking about. Because otherwise, who's going to be doing that? Who's going to be providing the skepticism, the intellectual curiosity, bringing the institutional knowledge to our to our audit teams in ten years because the rest of us are going to be gone.
Blake Oliver: [00:45:20] They're not going to be doing the routine work, the data collection and analysis, like taking all that data and putting it into a spreadsheet or a work paper and doing the analysis like AI agents can already do that really well, and they're just going to get better. But there is one thing that you have talked about a lot that AI cannot do, and I'm convinced will not be able to do until there's a fundamental change in the technology and that is to integrate and understand culture because culture, human culture is highly contextual. And the the body language, the way people talk to each other, all of that is context that the AI just cannot have access to. Right. You can't convert that into text.
Richard Chambers: [00:46:08] Certainly not at this point. Not at this point. And it would be difficult for me to foresee that it could. But culture is such, such a critical risk for organizations. I've done two major research projects on it. I did one in 2023, uh, with Cynthia Cooper, the former chief audit executive of WorldCom. Uh, we just did a second one this year, uh, looking at, uh, at it, uh, from the perspective of getting more involvement from the three lines into assessing culture and, and culture remains this sort of underestimated, uh, risk and, and and the and the damage that a toxic or unhealthy culture can do to an organization. And so you're right. I don't believe, again, I think that in order to assess culture, you have to be able to draw on some of those uniquely human skills that I've been talking about. Yeah, I often comment that and I didn't I didn't coin this expression. It came to me when I was speaking to an audience in, uh, in India three, 6 or 7 years ago, probably, I was talking to a group of, of, uh, chairmen of the boards of big Indian companies. These were all older, older gentlemen, older ladies who are chairmen of the boards of their companies. And I talked about internal audit as a as and its ability to help audit and provide assurance around culture. And at the end, one of them stood up and he said to me, he said, I think it's really good you're you're talking about this.
Richard Chambers: [00:47:43] And I think it's really good for internal auditors to be in this space. But keep this in mind you normally rely on your sense of sight and sound when you're doing your audits. But to assess culture, you also have to be able to rely on your sense of smell. And so if you think about it, yeah, AI could probably help assess, uh, what's said and what's documented and seen, uh, related to a culture. But there there's a human instinct there, a human ability to say, yeah, they may say they're doing all this, but what's really happening when no one's looking is this. And that's why I think humans will, will inevitably be an important part of assessing culture. Where I thought you were going with that question a minute ago was one thing that AI cannot do and should not do is assess its own governance. To me, that's a hugely important role for internal audit going forward is to provide assurance around the overall effectiveness of governance over AI. Is it being appropriately managed? Are there ways that it's being used nefariously? How reliable is it and what risks does its use present to our organization? I, I shudder to think that there may be a day where we ask AI to assess its own governance, because we would never do that with anyone else.
Blake Oliver: [00:49:17] Yes. I, um, well, and and there will be organizations that do this that will choose to take the human out of the loop and put the AI in control. And it's going to be fascinating to see what happens. Yeah, I my guess is there will be some spectacular crashes. There will be some failures as a result. And, um, but, you know, there's also these huge opportunities if you can put it into a good use case and monitor it and, uh, you know, keep control over it. It's. Yeah. Right. It's it's a very powerful.
Richard Chambers: [00:49:56] And we can't lose sight of what, what skills we inherently possess that can't be programed. And as long as we recognize those skills and as long as we're recruiting for those skills and internal audit and not getting out there and finding somebody who's got great data analytics expertise and, you know, the kinds of things that even five years ago we prized, uh, in internal audit are not going to be the things that are going to help us win the race for relevance in the future.
Blake Oliver: [00:50:29] Let's do one final topic here, and that is the relationship with the audit committee. And I feel like this is actually tied to what we just discussed, which is the culture, the smell, the feel. Um, like an AI internal auditor is not going to have a relationship with the audit committee.
Richard Chambers: [00:50:47] Well, I you know, I think, I think audit committees, if there's anyone slower than internal auditors to recognize the value, uh, that AI or the opportunities that AI presents, if there's anyone out there slower than the internal auditors, I think it may be the boards. And I don't want to generalize, uh, but in many ways, these are these are folks usually of my generation or even maybe some that are older. There are many older than me now. But but I do think there's a sort of an apprehension on their part about relying too extensively on AI. I can tell you, I chair an audit committee of a, of a major, um, organization. And, and one of the things that we routinely do in our audit committee is to schedule, uh, speakers to come in and talk to us about how we, as an audit committee could use AI tools to help execute our responsibilities, but the relationship between internal audit and the audit committee is very, very important. You know, the audit committee and sadly, in a lot of companies, audit committees are made up of of retired big four partners and others who have a very traditional view of what internal audit's role should be. Fortunately, I think they've been able to recognize in the last decade that the risks are far more critical, that the risk to their organizations are far more diverse than just financial risks. So they're relying more and more on internal audit to do that. But we have to be willing we have to be courageous enough in internal audit that even if they don't see the value we can bring is to kind of, you know, grab them by the face and focus them on it, because I think we do a disservice to them and to our companies if they don't realize the value we can bring. If if we're content to just answer the questions they ask, um, then I worry that we're not really serving our organizations well. We have to be willing to help them understand the questions they need to be asking us.
Blake Oliver: [00:52:57] And that is the human thing that AI can't do. You can try this. You can try to get ChatGPT to ask the questions, to design its own prompts. But there is something that happens when you put it in a loop where eventually it fails. So there's like something that's human that we have that these AI tools don't have. And I feel like it has something to do with knowing which question to ask. Like ChatGPT can give you a list of possible questions.
Richard Chambers: [00:53:32] Intellectual curiosity, intellectual curiosity. Blake, that's the, uh, that's, you know, of all the the human powers or human superpowers I've been alluding to, I think that intellectual curiosity is going to be one that that serves us very, very well in this race for relevance.
Blake Oliver: [00:53:50] And what a difference that is from the bean counter view of internal audit. Like you get to be so curious as an internal auditor these days.
Richard Chambers: [00:53:59] Yep.
Blake Oliver: [00:54:00] I have been speaking with Richard Chambers, senior advisor for risk and audit at Audit Board. Richard, thanks for talking to me and educating me about all of this change that's happening in internal audit. I I'm sure our listeners got a lot out of it as well. I mean, if I was starting out again today, I'd be looking at a career in internal audit. So thank you.
Richard Chambers: [00:54:23] Thank you. Thanks, Blake. And, uh, and my pleasure to be with you.