Ep. 82: Ben Jackson - Do Your Company's Internal Controls Mitigate the Risk of AI?

Aug 17, 2020

Ask episode

Chapters

Transcript

Episode notes

Contact Ben Jackson: https://www.linkedin.com/in/bmgjmba/

FULL EPISODE TRANSCRIPT
Mitch: (00:00)
Welcome back for episode 82 of Count Me In. I'm your host, Mitch Roshong, and I'm here to bring you another conversation about all things affecting the accounting and finance world. Today's guest is Ben Jackson. Ben is a Certified Coach, Speaker, teacher, and trainer, and he's also the managing partner of Ben Stu LLC, a business and leadership consulting company. Ben joined Adam to talk about the importance of internal controls, and having the proper policies in place to manage the emergence of AI and RPA in the accounting world. He addresses some of the risks presented, particularly with the recent remote work environment and how to overcome additional challenges when looking to lead the finance and accounting function. Let's go ahead and listen to their conversation now.

Adam: (00:58)
So with the advancements of technology, such as AI and RPA across the accounting space, can you discuss your thoughts on internal controls and the new policies and procedures that should be implemented because of these new technologies?

Ben: (01:13)
Well, you know, with the new technology that's going on, I don't really think that the internal controls really need to change. What I think they need is they need to be updated. See one of the things that we talk about with internal controls is who's responsible. When you have AI and you have, you know, the automatic accounting processes that are working, you need to establish who is that responsible person to make sure that they're working in the best way. So once you establish that responsibility, then you have to go back to where the next step is segregation of duties. Somebody is responsible to make sure that it's working the way it's supposed to work, as in the program. So whoever's that programmer needs to validate it. That the program is executing as expected, and then you need to add in the controller or the accountant who needs to come in and make sure that before you post an action, an action that it's reviewed. So you're really adding a couple extra steps to ensure, but you changed what goes on. So I think that you need to add some testing procedures to make sure that'd be for execution that it's there, and then also as you let these things automatically run, you need to have some spot checks and audits internally that bring forth those changes and then you'll know whether or not something is wrong.

Adam: (02:51)
So that makes sense. So you're saying that you don't need to change anything. It just needs to be maybe brought into the new age of what's happening around us. Cause internal controls aren't going to change, but we need to make sure that people, the right people are in place to make sure that the they're responsible for doing their duties in essence

Ben: (03:10)
Correct. You know, one of the things that happens is, you know, when you think about the top six things that happen with internal controls, you know, the first two are really talking about establishing the responsibility, and then segregation of duties. The next thing becomes documenting the procedure. That is a very important thing with internal controls is having a documented procedures. When you have those procedures documented, it makes it easy for somebody to take on a role. For example, if you have change in, people. People changes always make things difficult. Well, if I have AI and you know, automatic processing running, then I need to give the new person who goes and sits in those seats, what really happens and what they need to check for. So if I don't give them what the documented process is, then they're sort of stuck and they don't know that something's automated running in the background, and then they don't know how to fix it, how to look at it, if there's a problem, and who do they go and talk to. So that becomes very important, you know, in the next step. So, you know, when you talk about AI and you talk about automated processing and letting things just run, you know, we've already established who was responsible, between a tech person and an accountant, to make sure that those two roles are responsible. We've segregated who's really responsible for whatever, and then we have that next thing, which is a documented procedures. One of the things that I like to do when I look at internal controls is to create a RACI. Who's responsible, who's accountable, who's consulted and who's informed. So that actually helps with internal controls because then you know exactly who you need to go to if something is wrong or when you noticed, things during an audit, you can go, okay, you should know who, who entered the, program for the automatic entries. Now, the problem with AI is AI is always thinking, and because it's always thinking you sort of control the parameters, that it looks at, and that control will always be a consistent review. And again, it doesn't change the fact that the internal control is there. It changes what the internal control should be.

Adam: (06:12)
Definitely. So do you have some examples maybe you can give of, maybe updating internal controls, or some of the things you've been talking about, some specific examples that you could share?

Ben: (06:24)
For updating internal controls, I recently consulted with an organization who didn't have a lot of internal controls. And, during the process, I noticed that there were open system users that had the ability to do some things that they shouldn't be doing. So we put in plan in a place where we actually created a table for what the internal control could be or should be based on their current platform. So in doing so, what you do is you sorta look at their current processes and then you assign someone in the finance group to monitor what's really going on. Because the system, the company is a small company. So a lot of people wear many hats. So locking down the system is not a great idea. The better idea is saying, okay, I know what my parameters are. How do I validate that everybody is doing things correctly? So when you do notice an error, we you bring it up to the CFO and the management team and make some decisions on what do we need to change in a process and how do we correct some things so that consistency is improved. One of the things that you do with these controls as you're growing your company, you want to make sure that they're in place so that everybody knows the rules and that it's not risked, there's no risk to the company. So in implementing this, we also identify what the potential risk is. If somebody doesn't catch it, and that becomes important for the stockholders, and when I say stockholders or the stakeholders, it's who we have to report to, because it could be on any scale of company, who you're giving these reports to. They have to know that they could be confident in the data, and that accounting is really looking at what's transactionally happening, whether through systemic processes or manual processes.

Adam: (09:05)
You mentioned that there are always risks involved with any internal control, knowing that the main risk is what if the internal control fails? Are there some pitfalls that people can look out for as they're looking to maybe update their internal controls or looking to make them more holistic?

Ben: (09:23)
Are there things that people can do to mitigate risk? Of course. One of the things that I suggest is having a quarterly review, and sort of keeping the scorecard from the review to see how many errors were caught, what were the risks? So it's like doing a risk assessment, and in doing the risk assessment and you sit there and you say, okay, did this control work? You know, how many, how many purchase o...