A PAPER PRESENTED AT THE 52ND QUARTERLY GENERAL MEETING OF THE ASSOCIATION OF CHIEF AUDIT EXECUTIVES OF BANKS IN NIGERIA (ACAEBIN) HELD ON JUNE 23, 2022, AT LAGOS ORIENTAL HOTEL, VICTORIA ISLAND, LAGOS.
The year 2020 saw the globe plunge into an unprecedented health crisis, the likes of which could not have been anticipated by global institutions, world governments, health/environment/security agencies or any scientific or technology-based entities. Today, in 2022, the impact of the changes the world at large has experienced in every sector and on every continent are still being dealt with by governments, businesses, and individuals.
Almost in one fell swoop, things that erstwhile were deemed impossible, difficult, or challenging became the order of the day. With lock-downs instituted from one country to the other where people could not go about their daily lives, let alone carry out their regular business – the lock-downs bringing about stay-at-home orders; permissions for only key businesses to operate; sanitization/protection measures; international travel bans – and the impact of these on personal relations and business operations, led people to find alternative ways to keep their lives and businesses going.
1. Working with Technology, Working Through Technology
The resulting adaptations and innovations that occurred in 2020 led to the execution of a high volume of internet based and technology driven activities and operations, including the golden “work from home” style of business operations that continued into 2021.
As a high number of people across the globe came to terms with remote operations, the digital presence of individuals and businesses grew astronomically – from daily communications on social media platforms, to official meetings on Zoom, Teams, and other virtual meeting platforms, to e-payments via online banking and mobile applications, to cloud computing and storage, to remote management and reviews of numerous tasks and operations using video streaming and other audio-visual tools.
With these, new ways of working with technology and through technology became the order of the day and now in 2022 we are living in a new normal of hybridization – a merging of the innovations, learnings and realizations brought about by the pandemic, with the old ways of physical, in-person operations – which continues to evolve.
2. Digitization in the Banking Industry and the New Players
This new normal we are in today shows a continuous integration of digitization in our daily lives and by extension in our business operations. As financial institutions, the emergence of FINTECH companies is not a new topic; we now have banks either acquiring FINTECHs, FINTECHs acquiring banking licenses and banks creating FINTECH arms. We have now moved forward to telecoms entities providing banking services to their customers – MTN and Airtel have been granted payment service Bank (PSB) licenses by the Central Bank of Nigeria, where deposit takings, cross border payments, e-wallet operations, and debit/pre-paid cards can be offered to customers.
MTN’s MoMo Payment Service Bank (MoMo PSB) Limited, formally commenced operations on the 19th of May 2022 with an agent network of over 166,000 active agents.
The foregoing mean growth in customer base, transactions, revenue, regulations and by default, growth in risks, controls, and compliance concerns. The new normal demands evaluation of the opportunities presented by the changed or hybrid operations in each specific organization using methods that match the development. This implies that relying on or requiring physical proximity to, manual handling or operation of and/or central or fixed location or base for deliberation, review, assessment or reporting on activities need to change as the digital space, where most of the new transactions will take place, is not limited to physical or singular unique location(s).
3. Changing Customers in the Digital Era
Digitization has brought a whole new approach to how people live their daily lives and conduct their businesses. The future is coming, some would argue that it is already here. Let’s project a little bit into the future: millennials, also known as Generation Y, are generally those aged 26 to 41 (born 1981 – 1996) are the working age we have today; Gen Z are generally those aged from 10 to 25 (born 1997 – 2012) are working age and soon to be working age.
Today’s Gen Z are tomorrow’s millennials, and this group (Gen Z) who have grown up or are growing up playing with their parent’s mobile phones at the age Gen Y played physical card or board games; who are attending coding classes during summer holidays at the age Gen Y was learning about chat rooms on the internet and who play video games with people half a world away whom they will never meet at the age Gen Y was going to their friends’ houses to play video games with people in their neighborhood or school; are the business owners, industry leaders and global leaders that we will have tomorrow. Can we take a moment to envision a world run by such digitally sensitized people?
4. Evolving Risks in the Digital Era
As our businesses adapt to bring services closer, faster and more conveniently to current, prospective and future clients, the attendant risks and controls required to manage such risks cannot be overstated.
Just as banking evolved from having your bank account accessible from a specific branch of a specific bank located at a specific location, to where we now have borderless banking accessible from an app in a phone in our pocket; the risks have evolved from guarding the bank branch to guarding the internet connection points, cloud storage and intranet connections of our banks – all words and concepts that would have been strange as recently as 40 years ago.
The exposures to financial loss and data compromise in the digital space is a significant concern that requires auditors who not only understand internal business processes but also have the skills base to understand the digital processes and exposures the Bank faces.
The anonymity that digitalization brings – remote account opening processes, use of robots by tech-savvy individuals, groups and entities to simplify processes (or impersonate actual humans), single individuals creating multiple accounts either of their own making or by impersonating existing individuals – is an avenue for revenue leakage and reputational damage for Banks. Auditors need to think along such lines in the execution of their roles.
5. Evolution of Regulatory Requirements
We cannot overlook the regulatory angle of increased digitization. Regulatory frameworks will, by necessity, continue to evolve in order to put checks in place around the operation and reporting of new technologies adopted by Banks. From the use of banker’s cheques to the use money of transfer forms; from the use of ATMs to the use of internet banking and POS machines; from the use USSD (Unstructured Supplementary Service Data) codes and mobile money apps to the use of QR (Quick Response) codes, regulations have evolved to protect customers and Banks from exploitation, abuse and misuse.
Data privacy laws, information assets of customers and the internal policies on access to, storage and security over customer and Bank proprietary data/information are areas auditors need to monitor, with increasing importance as the world moves forward in the digital space. With open banking today and its use of APIs (Application Programming Interfaces), this is a key area that cannot be overlooked.
Today, we have the advent of crypto currencies. Regulations around these and future innovations need to be covered by audit teams. Processes, controls and regulations around the recognition, reporting, safeguarding and management of crypto currency accounts, account holder information, transactions and all the possible money laundry and financing of terrorism risks that such innovation can bring are areas auditors must watch out for.
The Central Bank of Nigeria issued a circular to all deposit money banks and payment service providers in February 2021 on its regulatory framework for open banking in Nigeria; CBN Regulatory Guidelines on the e-Naira was issued in October 2021 – to provide few examples of new regulations coming up in the digitization age.
6. Auditing in a Digital Era
The tools, knowledge and skills of internal auditors must evolve with the evolving times. The tools used to carry out audits; the knowledge – terms, terminologies, applications, options, uses – of digital platforms, outlets, services; and the skills – comfort with basic computer applications and IT (Information Technology) audit software, development of IS (Information Systems) audit skills, (re)learning – must rise to meet the changes in the industry.
The volume and breadth of transactions, reports, customer service requests, incident reports, regulatory filing and the checks that will need to be done on these items cannot be done effectively with the usual tools and cannot be done effectively using the usual processes.
Throughout the history of auditing, audit tools have had to be more advanced or at least at par with the tools used by process owners. As of today, there is no audit team that does not use a computer system and one or more software applications to carry out their audits. From the use of various Spreadsheet software applications to the Computer Assisted Audit Techniques (CAATs) i.e. specifically designed auditing software; our current audit teams leverage existing technologies in executing their roles.
Our current audit teams generally are divided – in one way or another – between business process auditors and IT/IS auditors and perhaps Investigation or Forensic teams. While IT/IS auditors specialize in the audit of information technology or information systems, the future demands that business process auditors, who are now dealing with more advanced and more technical business processes, require more advanced and more technical IT and IS audit skills to bring increased value to their audit execution and in proffering recommendations.
We know from experience that the computer knowledge, expertise and experience of our audit teams has direct impact on their ability to optimize the use of the technology available to them. Likewise, our auditors’ knowledge, expertise, and experience of existing and advancing technologies will have a direct impact on their ability to review and advise management on risks and controls related to technologies adopted by the organization.
7. The Digital Reality – Experiencing Tomorrow, Today
Technological advancement in hardware and software applications, have brought about automations that continuously reduce the need for human interference in processes and by default, human interference in auditing of such processes; especially where the applications are intelligent systems that learn and evolve based on their learnings – most commonly referred to as AI (Artificial Intelligence).
We have robots responding to customer queries on websites and mobile apps, we have cookies that record and report on webpages visited by website users, we have algorithms that report on how often an item was clicked on, how long a page was open and whether a transaction was concluded on shopping sites, streaming services, social media sites, etc. We can speak to our phones and other devices, and they respond to our enquiry.
Virtual reality (VR) systems are growing in the real world – once mainly only focused on or used by gamers, now we have the metaverse where a whole ecosystem can be created for people to live digital lives, where meetings can be held in virtual reality simulated spaces by people in different locations on the globe, each fully seated at a desk or in a board room with a presentation being made by a facilitator in a virtual office with attendees using avatars of their choosing.
8. A look at Banking Trends
Accenture’s report on “Banking Top 10 Trends for 2022” provides a good summary of all the aforementioned topics and considerations. 6 of the 10 items speak directly to what we have discussed:
- Everyone wants to be a super-app: Super-apps are dominating more aspects of the digital world and human interaction. Banks face a high-stakes choice to compete or collaborate.
- Innovation makes a comeback: To keep up with fintechs and other competitors, banks are rediscovering their creative mojo and asking a simple, powerful question: “Why not?”
- The digital brain gets a caring heart: Banks are looking for ways to have meaningful conversations with customers in digital spaces. Technology like AI can help make the human
- Digital currencies head for college: With cryptocurrencies here to stay, experiments like CBDCs are gathering momentum. The search is on for use cases that prove the economic
- Smart operations put zero in their sights: Artificial intelligence and machine learning in banking now surpass humans in some tasks. Applying this tech will bring zero waste operations within
- Payments: anywhere, anytime … and now anyhow: The next payments revolution will stem from open networks, which empower banks to reimagine their payments offerings for newly-demanding
In conclusion, where in the past auditors used paper and the infamous green pen auditors and their tools continue to evolve to meet or stay ahead of the technologies used by businesses.
A new breed of internal auditors will be needed to move organizations forward in the digital world. Business must recognize and support this as our auditors are a vital part of our workforce – trainings, sessions, seminars, knowledge sharing, meetings and all other avenues where new technologies are discussed should have audit team members in attendance and continually learning to stay ahead of or at least in sync with the changes.
The journey has already begun, the digital role of audit in each organization must be defined, the mindsets and aspirations of internal auditors must be assessed and any roadblocks to the achievement of digital auditors must be identified and addressed by each organization.
For this, regular upskilling, trainings, attendance at seminars and knowledge-sharing sessions, continuous engagements with groups such as the Association of Chief Audit Executives of Banks in Nigeria (ACAEBIN), security agencies and continuous interactions with regulators, would serve to keep auditors abreast of new technologies, audit approaches and guidelines and regulations affecting new and emerging technologies.
Thank you for the opportunity given to NOVA Merchant Bank to host the Association on the 52nd Quarterly General Meeting. I wish you successful deliberation in the course of your meeting.
NATH UDE MD/CEO
NOVA MERCHANT BANK LTD