GRC Tuesdays: Usage of Chatbot for Internal Audit

Back in August 2020 (GRC Tuesdays: Internal Audit 4.0) and even before in August 2016 (GRC Tuesdays: What Will GRC Look Like in 2021? An Anticipation Scenario) I started mentioning the usage of Natural Language Processing – or NLP – in Governance, Risk, and Compliance and how it would enable GRC functions to leverage advanced technologies such as chatbots.

Since then, I have regularly received questions on what a chatbot could look like for an audit department for instance. In short: why don’t I prove my point and provide real use cases?

Oh, and before you ask: no, I didn’t mean for this blog to coincide with the latest Matrix instalment. The bots I’ll be discussing here are definitely a lot more amicable and less terrifying. As far as I know, they haven’t (yet?) decided to take over the world.

Before we start: what really is a “chatbot”?

In a nutshell, a chatbot is a virtual assistant with which a user – human or other program – can communicate with and that simulates the interaction this user would have with a human agent.

Most chatbots leverage Natural Language Processing capabilities to analyse the text of the request and then map its words, relation between these words, and the context of the query against an entry in a database to trigger the appropriate predefined response: retrieve an answer to a question from a Q&A catalogue or create an action in a system (submit vacation, play a song, track a shipment, etc.).

These chatbots can further use Machine Learning to improve their accuracy by refining their responses based on feedback from previous users. In this regard, it’s “intelligent” since the chatbot learns from its exchanges.

How can it be used for internal audit?

Here, imagination – and coding of the response of course – is the limit!

But before you embark on a chatbot journey, I would strongly suggest documenting all the priority use cases you would like it to address. I have myself created a chatbot that I poorly designed and can tell you that, after some attempts to get it back on track, I simply decided to start from scratch with more use cases in mind and it’s now a lot easier to maintain!

Below are just a few use cases that you may want to consider when applying this technology to internal audit:

1st use case: asking for support on features and functionalities

If you have ever provided a software to end-users, chances are that you regularly receive questions on how to use such and such functionalities. Instead of manually and individually answering such questions, why not train the chatbot to do so? If you don’t want to detail the endless list of capabilities addressed by your audit solution, a first step at least would be to point users to the help guide.

In this first example below, this is exactly what was done:

2nd use case: improving audit efficiency

We’re now going a step further: no more troubleshooting but really focusing on improving efficiency of the process. Like all other colleagues, auditors have a lot on their plate. Gaining a few minutes here and there every day can amount to a substantial amount. And truly alleviate some of the burden.

In our example below, instead of searching for the number of overdue action plans that were created to respond to a finding, the auditor can directly ask it to the chatbot. Yes, they would get the same result by going to the dedicated screen and filtering the data, but this way, they don’t even need to do this.

And this can be applied to all steps of the audit process, for instance:

* Managing the audit activity => “What are the top risks?” This can retrieve the top risks and help build a risk-based audit plan

* Planning the engagement => “Can you help me with sample work program templates?” This can help the audit team more quickly prepare their engagement based on best practices for instance

* Performing the engagement => “Do I have any pending tasks?” From approving findings, to reviewing reports, updating progress status, etc. these are all tasks that auditors need to perform on a daily basis. Helping them navigate the most urgent ones and make them directly accessible can be a true time saver

* Monitoring the progress => as we have seen just above, retrieving the overdue actions automatically would help the auditor navigate straight to the relevant information without effort

3rd use case: increasing user’s knowledge

Not all use cases need to be about efficiency or productivity. Satisfying one’s curiosity – and helping increase their knowledge and expertise in an area might also be a perfect candidate for a use case. As illustrated below:

As a result, I would suggest considering adding some Q&A that address specifically these generic questions about internal audit that may be raised. And why not point users to internal or external training and expert sources that can further help them?

Since these chatbots are evolutive by nature, regularly reviewing the questions asked and improving the responses in the Q&A database will ensure that you continuously increase the relevance of the chatbot. But also, this may even help you understand if there are any particular issues that the audit department might be facing. Sometimes, people prefer to ask a machine as there is no judgement. Detecting these early warning indicators is not the role of the chatbot of course, but this is where human analysis takes its full measure!

What about you, what other use cases could you think of for internal audit? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard

Note: all the screenshots in this blog are from a chatbot that was created as an “art of the possible” illustration by my colleagues from the SAP GRC Demo Team based on suggestions collected from GRC stakeholders across the globe. To achieve this, they leveraged SAP Conversational AI and integrated it into SAP Audit Management.