Innovators, an interview series, celebrates the boldest thinkers, disruptors and trailblazers shaping the future. We explore the journeys, challenges, and vision of the leaders redefining how we create and consume laws, standards, and guidance. These are the individuals and technologies driving progress.
In this interview, Gert-Jan Gerrits, partner at Forvis Mazars’ IT audit & advisory practice, shares his journey from financial and IT audit at EY to leading innovation at Forvis Mazars, where he has played a key role in transforming audit methodology. Gert-Jan discusses the rapid growth of the firm’s IT audit team, the ongoing development of MAPLE – its award-winning audit methodology platform – and reliable, value-driven use of AI.
1. Gert-Jan, welcome to Innovators. Tell us a bit about your background. What was your first job? What was your first experience of the working world?
I started out my career at EY in financial audit initially. I completed the training to become a CPA under Dutch law and after five or six years, I transferred to the IT audit department within EY. I also became a certified IT auditor under Dutch law.
Something nice to know is that we are the only country in the world to have our own professional body for IT auditors. So, I completed their certification process and worked at EY for a little over 11 years. I also spent eight years outside of audit prior to working at Forvis Mazars. Three of those years I spent as a manager of operations at a healthcare facility, so responsible for IT, HR, finance, quality. I also spent five years as a freelance advisor on topics like finance, IT and operations.
Also good to mention my current role. I’m firstly a partner in the Netherlands, overseeing – co-leading – our practice with two of my colleagues, but I’m also part of our international audit methodology team and focus on IT audit methodology from a financial audit perspective. And for approximately two years, I have been the product owner of MAPLE, an acronym for Methodology and Policy Library Explorer which is a mouthful, therefore we abbreviated it to MAPLE. MAPLE is the name we gave to the Propylon TimeArc solution.
2. What led you to the world of audit and to drive transformation in the space?
I don’t think I’m a typical auditor. I always had a passion for business models – how does an organization work, how does it drive its business forward?
When I started five years ago at Forvis Mazars, we only had a small department of perhaps ten or fifteen people. Now we are almost sixty. So, we really grew a lot. Building an organization and building and helping out young talent, that’s what interests me.
3. What makes Forvis Mazars different?
All organizations say that they are people centric, but I think we really are. And the nice thing is that we are not as big as the Big Four. That’s also not our ambition. We are just behind them, but still a top ten player. We can make a difference; we can build things. That’s what I noticed, starting at Forvis Mazars, that certain areas were in need of development.
At some point, we started to look at the digitization of our audit methodology and that’s where it all started – our relationship with Propylon. We met with Breiffni, had a lot of interaction and exchanging of views. From there, MAPLE evolved.
4. What audit innovation projects are on the horizon for you?
One of the things we’re proud of is getting MAPLE launched, we did that approximately two years ago. Tom Lamers, my buddy on methodology and senior manager on my team, joined me from the start. We launched it for all 34,000 Mazarians, as we were at the time.
Each year, all partners of Forvis Mazars meet up; this is called the CARL conference. In December 2023, we were granted the Business Impact Award on Quality – a huge honor and big thank you to the entire team making this rollout possible. Last December, we set up the integration with our E-file, Atlas Next Gen. When team members now open our E-file and ask a question, they will be automatically redirected to MAPLE based on metadata and also to the specific collection. So, if our teams are working on a PCAOB engagement, for instance, they are redirected to the PCAOB content. Filters are applied to make that easier.
Everybody is talking about AI. We are too. We have GAIA, the global AI assistant – a ChatGPT-like engine on steroids – and we are now setting up an API between TimeArc and GAIA to make the data we have in our collections in MAPLE also available in GAIA. We have basically created another door to this information. You could use TimeArc via MAPLE, but you could also use GAIA and ask your question. And the nice thing is that due to the linkage that you have in TimeArc, each component has its own specific link. That’s also something we provide in the answer so people can go back and verify it. From an audit perspective, that’s really important.
Another thing we are thinking about is provisioning and introducing attributes. That could be country service line, things like that. So based on interest, you would be redirected to the most relevant collection within MAPLE. The dream, I would say, is to have a thousand collections live in MAPLE. The primary goal though would be to get lots of data in.
Importantly, the end user sees curated and approved data. That’s key from an ISQM1 perspective, for instance, but also from an audit standpoint, to make sure that your teams always have the latest version of a document.
We also have enablement, as I call it. So, tools, templates, things like that. We want to set up an interface between MAPLE and our E-file, so basically, you can just pull the most recent version of a template into your file when you need it. The benefit is that it will make our audit file more agile and easier to maintain versions.
Lastly, we are 100+ countries strong and approximately half of the countries use MAPLE already. Some countries have their own local requirements on language and currently, translation occurs manually. The risk there is that certain words could get lost in translation. We are thinking about setting up a pilot. English is our core language, but we also want to make MAPLE available in local languages. Some countries even require that you have a methodology available in your own local language. This is where RWS’s expertise comes in. RWS has an extensive track record of doing translations in highly regulated and sensitive areas.
We have thousands of pages of methodologies, policies, things like that to translate. It’s impossible and not affordable to translate this manually. AI could be a good use case. Certain paragraphs can be translated through AI because it doesn’t make a difference. But with some paragraphs, you need to get into the nitty gritty. ‘Should’ and ‘could’ make a huge difference for audit. Therefore we always need some kind of human intelligence.
5. What are your predictions for AI?
I don’t believe that AI will take over, but AI can help you out and that’s also how we’re implementing it – as a guidance tool, but to prevent obvious mistakes, too. Teams can now be supported with self-directed review. Also, when using GAIA, you will always get a disclaimer that emphasizes that we can help you, but you need to verify the answer.
AI is rising to the top of the hype cycle, perhaps just past the peak. And now we’re thinking about what the best use case could be.
We’re currently calling this ‘AI’, but AI has been around for years. What I always say is that AI is performing the generation, but it is prompted by, and reviewed with, human intelligence. That’s the way it should be.
6. What regulatory challenges or risks are facing the auditing profession?
We see a lot of strict regulations in certain countries and a lot of auditing is still principle-based. But in reality, the review process, as conducted by e.g. regulators, takes place via a rules-based approach. If this is the case and if you know the rules, AI can help you and maybe say, okay, this rule didn’t apply or hey, this doesn’t make sense what you’re doing because in nine out of 10 engagements, you did it another way. This is a nice AI use case. Basically, you could say that AI could be a new team member.
The question now is, how do I get assurance that the team member is trustworthy and not malicious? Because the AI could also be trained in a certain way to become malicious. And that’s one challenge that we are facing. In addition, from an audit perspective I think it will be a challenge for the profession to give assurance because we don’t yet fully understand AI; it’s not like a marble that you can simply track and examine. The question is if we ever will fully understand AI, but also do we need to fully understand it?
If I tie it back to MAPLE, because we have large manuals, many pages of text, it’s important that we can pinpoint, but it’s more important that we can pinpoint to the correct paragraph and not the wrong one. It’s always a risk that AI could hallucinate.
7. There are auditor shortages globally. What are you seeing in the group? How can the auditing profession solve that?
It’s important to keep the profession interesting for young people. Secondly, we have so much tooling available nowadays. We should leverage that and also, if we get assurance from it, skip certain substantive procedures. So, pull less samples, for instance, if we don’t need them, because we already get a lot of assurance from a tool.
It’s a tricky one. From a regulatory perspective, but also from an organizational standpoint, it’s challenging. Because you need to put trust in the tool, and as I said, it could be malicious. But how do we know?
Here I see a bright future for the IT auditor. The IT auditor can offer assurance, either positive (OK) or negative (not-not OK), on these topics. To further clarify audit terminology, a double denial (not-not OK) is distinct from a simple affirmation. We choose our words carefully to avoid placing trust on inappropriate topics. But even a double denial can bring a lot of assurance and take away uncertainties we might have on a topic or an application.
8. If you could travel back in time and speak with your younger self, what advice would you give?
Take it easy and always take time to build relationships. I always go fast. But when I was younger, I wanted to do it all even faster. Over time I learned, okay, sometimes you need to take it easy, really interact, listen, think and take action. That’s what I like about Forvis Mazars, we do it differently. We foster collaboration on a global level.
One of the things we’re doing right now, for instance, is that we’re organizing our first ever global IT specialist conference in Bled, Slovenia. We will have people from almost 40 countries joining. The event builds a community of tech-savvy IT specialists, and will aim to push our methodology set-up, train the trainer, and drive progress together. There’s a saying, ‘alone you go faster, together you go further’ and that’s, I think, the way to go.
Thank you, Gert-Jan, for participating in this interview.
