Ep. 82: Ben Jackson - Do Your Company's Internal Controls Mitigate the Risk of AI?

Contact Ben Jackson:
https://www.linkedin.com/in/bmgjmba/


FULL EPISODE TRANSCRIPTMitch:
(00:00)
 Welcome back for episode 82 of Count Me In. I'm your host,
Mitch Roshong, and I'm here to bring you another conversation
about all things affecting the accounting and finance world.
Today's guest is Ben Jackson. Ben is a Certified Coach, Speaker,
teacher, and trainer, and he's also the managing partner of Ben
Stu LLC, a business and leadership consulting company. Ben joined
Adam to talk about the importance of internal controls, and
having the proper policies in place to manage the emergence of AI
and RPA in the accounting world. He addresses some of the risks
presented, particularly with the recent remote work environment
and how to overcome additional challenges when looking to lead
the finance and accounting function. Let's go ahead and listen to
their conversation now.

Adam: (00:58)
So with the advancements of technology, such as AI and RPA across
the accounting space, can you discuss your thoughts on internal
controls and the new policies and procedures that should be
implemented because of these new technologies?

Ben: (01:13)
Well, you know, with the new technology that's going on, I don't
really think that the internal controls really need to change.
What I think they need is they need to be updated. See one of the
things that we talk about with internal controls is who's
responsible. When you have AI and you have, you know, the
automatic accounting processes that are working, you need to
establish who is that responsible person to make sure that
they're working in the best way. So once you establish that
responsibility, then you have to go back to where the next step
is segregation of duties. Somebody is responsible to make sure
that it's working the way it's supposed to work, as in the
program. So whoever's that programmer needs to validate it. That
the program is executing as expected, and then you need to add in
the controller or the accountant who needs to come in and make
sure that before you post an action, an action that it's
reviewed. So you're really adding a couple extra steps to ensure,
but you changed what goes on. So I think that you need to add
some testing procedures to make sure that'd be for execution that
it's there, and then also as you let these things automatically
run, you need to have some spot checks and audits internally that
bring forth those changes and then you'll know whether or not
something is wrong.

Adam: (02:51)
So that makes sense. So you're saying that you don't need to
change anything. It just needs to be maybe brought into the new
age of what's happening around us. Cause internal controls aren't
going to change, but we need to make sure that people, the right
people are in place to make sure that the they're responsible for
doing their duties in essence

Ben: (03:10)
Correct. You know, one of the things that happens is, you know,
when you think about the top six things that happen with internal
controls, you know, the first two are really talking about
establishing the responsibility, and then segregation of duties.
The next thing becomes documenting the procedure. That is a very
important thing with internal controls is having a documented
procedures. When you have those procedures documented, it makes
it easy for somebody to take on a role. For example, if you have
change in, people. People changes always make things difficult.
Well, if I have AI and you know, automatic processing running,
then I need to give the new person who goes and sits in those
seats, what really happens and what they need to check for. So if
I don't give them what the documented process is, then they're
sort of stuck and they don't know that something's automated
running in the background, and then they don't know how to fix
it, how to look at it, if there's a problem, and who do they go
and talk to. So that becomes very important, you know,  in
the next step. So, you know, when you talk about AI and you talk
about automated processing and letting things just run, you know,
we've already established who was responsible, between a tech
person and an accountant, to make sure that those two roles are
responsible. We've segregated who's really responsible for
whatever, and then we have that next thing, which is a documented
procedures. One of the things that I like to do when I look at
internal controls is to create a RACI. Who's responsible, who's
accountable, who's consulted and who's informed. So that actually
helps with internal controls because then you know exactly who
you need to go to if something is wrong or when you noticed,
things during an audit, you can go, okay, you should know who,
who entered the, program for the automatic entries. Now, the
problem with AI is AI is always thinking, and because it's always
thinking you sort of control the parameters, that it looks at,
and that control will always be a consistent review. And again,
it doesn't change the fact that the internal control is there. It
changes what the internal control should be.

Adam: (06:12)
Definitely. So do you have some examples maybe you can give of,
maybe updating internal controls, or some of the things you've
been talking about, some specific examples that you could
share?

Ben: (06:24)
For updating internal controls, I recently consulted with an
organization who didn't have a lot of internal controls. And,
during the process, I noticed that there were open system users
that had the ability to do some things that they shouldn't be
doing. So we put in plan in a place where we actually created a
table for what the internal control could be or should be based
on their current platform. So in doing so, what you do is you
sorta look at their current processes and then you assign someone
in the finance group to monitor what's really going on. Because
the system, the company is a small company. So a lot of people
wear many hats. So locking down the system is not a great idea.
The better idea is saying, okay, I know what my parameters are.
How do I validate that everybody is doing things correctly? So
when you do notice an error, we you bring it up to the CFO and
the management team and make some decisions on what do we need to
change in a process and how do we correct some things so that
consistency is improved. One of the things that you do with these
controls as you're growing your company, you want to make sure
that they're in place so that everybody knows the rules and that
it's not risked, there's no risk to the company. So in
implementing this, we also identify what the potential risk is.
If somebody doesn't catch it, and that becomes important for the
stockholders, and when I say stockholders or the stakeholders,
it's who we have to report to, because it could be on any scale
of company, who you're giving these reports to. They have to know
that they could be confident in the data, and that accounting is
really looking at what's transactionally happening, whether
through systemic processes or manual processes.

Adam: (09:05)
You mentioned that there are always risks involved with any
internal control, knowing that the main risk is what if the
internal control fails? Are there some pitfalls that people can
look out for as they're looking to maybe update their internal
controls or looking to make them more holistic?

Ben: (09:23)
Are there things that people can do to mitigate risk? Of course.
One of the things that I suggest is having a quarterly review,
and sort of keeping the scorecard from the review to see how many
errors were caught, what were the risks? So it's like doing a
risk assessment, and in doing the risk assessment and you sit
there and you say, okay, did this control work? You know, how
many, how many purchase o...