Digital transformation risk
Digital transformation initiatives to create new or augment existing business processes, culture, and customer experiences can generate opportunities for growth and enhanced resiliency. However, rapid digital transformation also introduces new risks. With the perpetual development of technologies like AI, machine learning, internet of things, cloud computing, robotic process automation (RPA), and big data, threats are constantly evolving in scale and complexity.
System implementations
From simplifying processes and optimizing efficiencies to enhancing security and achieving a competitive advantage in the market, implementing the latest IT systems is a foundational element to an organization’s digital strategy. Yet transformative innovations can produce new risks when they do not get the attention they require.
The absence of a well-designed and well-executed project plan for system implementations can result in cascading impacts to key downstream processes. Ineffective implementations include inefficiencies, subpar integration, and compliance risk.
From an operational risk perspective, unforeseen inefficiencies can arise if organizational change management is not properly implemented throughout a project. Implementations of new systems and tools can increase time and effort to complete daily tasks if end users are not properly trained and if awareness and alignment with overall business and strategic objectives are not clearly communicated.
Incompatible system integration can result from a lack of due diligence as early as the vendor selection process or during the requirements gathering phase if the ability to integrate with other new or existing systems, such as cloud applications, payroll systems, and warehouse management systems, is not clearly defined. Confirming appropriate and secure communication among the various systems is critical to avoiding issues. Any deviations of the system dependencies that require additional development should be defined and considered as part of the project and thoroughly tested to confirm security, confidentiality, availability, and integrity.
If compliance is overlooked, significant regulatory and reputational damages can result. Risk management plays a key role in mitigating compliance risk. Management should follow a sequential approach for developing and implementing controls by process maturity. Throughout each phase, it is important to internalize the components and customize deliverables to meet specific departmental and organizational goals. The approach should increase the efficiency of management’s efforts to implement an effective internal control environment over financial reporting, based on the SEC’s guidance for management and the auditing standards of the Public Company Accounting Oversight Board.
Next steps for internal auditors:
- Conduct pre-implementation review (system development life cycle, data, security, process, and controls)
- Conduct post-implementation review
- Conduct integration and middleware review
Robotic process automation
RPA uses bots to facilitate and automate routine manual processes. While RPA has been a hot topic in recent years, its technical complexity has slowed its adoption. With recent advancements and lower-cost providers now available, RPA use is expected to continue throughout 2024. Some key benefits of RPA for the life sciences industry include:
- Real-time analysis and decision-making to respond to emerging situations
- Analyzing trends to address supply chain risks and availability of key drugs and medical supplies
- Eliminating wasted time on manual tasks and opening up capacity to focus on competitive innovation
While it’s important to take advantage of automation’s benefits, it’s equally important to manage the risk of deploying this technology. Bots can be considered as digital workers if proper controls are in place. As organizations continue to digitize processes through RPA, it is important to consider and address key risks by:
- Segregating duties of digital workers to assign a unique identity to each digital worker and developing process to maintain segregation among functions
- Preventing abuse and fraud by restricting access (similar to end users) and enabling privileged ID sessions for which elevated access is required
- Establishing log integrity to confirm audit logging capabilities and implementing procedures to monitor activity regarding sensitive access
Next steps for internal auditors:
- Audit RPA governance
- Audit RPA security
- Review data integrity
- Audit RPA IT general controls
Artificial intelligence
AI has the potential to transform industries and day-to-day jobs, and the life sciences sector has only scratched the surface of its potential. AI could revolutionize nearly every stage of drug development, from drug discovery and diagnostics to clinical trials and supply chain operations. While the opportunities to transform the industry using AI are immeasurable, it is imperative that companies are aware of the risks and challenges to consider, including:
- Data privacy. The use of sensitive PHI and IP are keys to success in the life sciences industry. AI applications can use such confidential information to automate processes, which could pose a risk to exposing confidential and proprietary information. The rapid development of open-source AI tools such as generative AI could pose a threat to a company’s confidential data if appropriate mechanisms are not in place. Such privacy risks might exist through data access, data processing, and data retention.
- Data bias and discrimination. The life sciences industry relies on immense quantities of data from patients, providers, and payers in drug development processes, which might inherently contain biases. Because AI tools use real-world information, data sets and algorithms must be designed to eliminate biases to generate the most value and eliminate adverse consequences.
- Regulatory compliance. Several countries are in the process of drafting AI regulations and guidance frameworks; however, regulations are largely not yet in place due to the rapid technological advancements. The current regulations that exist include guidance in Canada and the European Union (EU), which serve as strong benchmarks for companies to consider, including Canada’s Artificial Intelligence and Data Act (AIDA) and the EU’s Artificial Intelligence Act.
- Knowledge and skill gaps. With the rapid adoption of AI across the industry, there remains a large gap of knowledge and skill sets to be able to fully use the technology while maintaining a risk-averse mindset. While knowledge and skills are evolving to meet technological advancements, it is important to educate employees on best practices and avoid risks that AI might pose. The first step in adapting to these changes is to develop and communicate policies regarding AI use within the organization.
Next steps for internal auditors:
- Review AI policy and procedure
- Review AI governance framework
- Audit algorithmic fairness and bias
Back to top