Control testing automation means using programmed workflows to help organisations generate intelligent insights that support risk management and compliance. Organisations can deploy solutions to rapidly help management and assurance teams deliver automated and data-driven insights.
Some examples of effective SOX automation are:
Automation can provide a targeted approach to user access testing. Instead of periodic review, it can facilitate automated alerting of new exceptions, such as the use of inactive, privileged, or superuser accounts, failed login attempts and irregular or out-of-hours use.
Automation can also provide transparent, customisable, and interactive analysis of segregation of duties (SoD) risks. Customisable and interactive views of user responsibilities and conflicts help eliminate false positives and flag high-risk system administrator conflicts, end-user SoD conflicts and associated risks across all business cycles.
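The exception rules listed above, run over a data extract, as an added example that is not part of the original article. The account and login records are constructed, and the field names, business-hours window and failed-login threshold are assumptions to be replaced with the organisation's own policy values.

```python
from collections import Counter
from datetime import datetime

# Constructed sample extracts (not real data): account master and login log.
ACCOUNTS = {
    "asmith":   {"status": "active",   "privileged": False},
    "bjones":   {"status": "inactive", "privileged": False},
    "root_fin": {"status": "active",   "privileged": True},
    "cwu":      {"status": "active",   "privileged": False},
}
LOGINS = [  # (timestamp, user, outcome)
    ("2024-03-04T09:12:00", "asmith", "success"),
    ("2024-03-04T10:01:00", "bjones", "success"),
    ("2024-03-04T23:40:00", "root_fin", "success"),
    ("2024-03-05T08:00:00", "cwu", "failure"),
    ("2024-03-05T08:01:00", "cwu", "failure"),
    ("2024-03-05T08:02:00", "cwu", "failure"),
    ("2024-03-05T08:05:00", "cwu", "success"),
    ("2024-03-05T11:00:00", "ghost", "success"),
]
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59, Monday to Friday
FAILED_THRESHOLD = 3           # assumption: failures per user per day

def find_exceptions(accounts, logins):
    """Return (user, when, rule) tuples for every access exception found."""
    exceptions, failures = [], Counter()
    for ts, user, outcome in logins:
        when = datetime.fromisoformat(ts)
        if outcome == "failure":
            failures[(user, when.date())] += 1
            continue
        acct = accounts.get(user)
        if acct is None:
            # Login by an account missing from the master extract: either
            # the extract is incomplete or the account is unmanaged.
            exceptions.append((user, ts, "unknown_account"))
            continue
        if acct["status"] != "active":
            exceptions.append((user, ts, "inactive_account_used"))
        if acct["privileged"]:
            exceptions.append((user, ts, "privileged_account_used"))
        if when.hour not in BUSINESS_HOURS or when.weekday() >= 5:
            exceptions.append((user, ts, "out_of_hours"))
    for (user, day), count in failures.items():
        if count >= FAILED_THRESHOLD:
            exceptions.append((user, day.isoformat(), "repeated_failed_logins"))
    return exceptions
```

Each returned tuple is one exception that can be routed to the control owner, rather than waiting for the next periodic access review.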
Automation can test many high risk control areas within payroll, such as:
To implement controls automation there are a few considerations to ensure it operates effectively.
Understand early on what output you'll need and what limitations may restrict automation. This will help you identify what resources you need to deliver the automation requirements.
Automation is not possible without access to data. Understand what data is available, who the data owners are, and how often and easily the data is available. Automated connections to live systems will help re-performance, but data extracts are an easier way to start.
Data can be used to identify where exceptions to business rules exist as well as where controls are failing. Think about the scope of testing to consider how you can most effectively test controls.
When building tests, be sure to thoroughly test the outputs and consider how exceptions can be highlighted. Advanced analytics should look to use exceptions to trigger actions such as automatic emails sent to control owners or approval process triggers.
Visualisation can help identify outliers and exceptions, but can also be used as a strong communication tool to highlight trends and performance.
To start delivering controls testing automation effectively, the initial focus should be on quick wins to realise benefits and establish trust in the solutions.
The key stages in ensuring controls automation has the greatest chance of success are:
Identifying controls that can generate quick wins in year one is key to success as it helps derive the maximum initial value. Areas we have often found to drive immediate value are:
Security admin - user access provisioning, user termination and access re-certification
Change management - application-level change controls and testing change approval
To begin automation, starting with a pilot can be beneficial.
After an initial pilot, it's key to evaluate critical decisions for long-term successful automation.
Examples of such decisions are:
Build on the pilot prototype and scale up the number of controls tested and/or the complexity of testing.
Good examples of more complex testing would be:
Often it's not clear where controls ownership and automation fall within a business. Internal audit may be the function with the capabilities and maturity to initiate automation, although in the long run the ownership should sit with business management as part of the internal control environment.
Updating process documentation, control descriptions, and control monitoring run-books with details of the automation is not only essential, but can also help develop greater understanding of controls and value, and drive standardisation and efficiency.
Controls are often monitored by a variety of different teams across a business, and it is difficult to collate all controls into a single view. Automation should bring data from across an organisation together. It's a perfect opportunity to standardise controls into a single place to gather valuable insights into control performance.
Automation will not create value overnight. Often the time taken to embed robust automation will mean there are no immediate short-term efficiencies. This is far outweighed by the value, time-saving and increased insights that occur after implementation. Picking the right controls to automate will help drive value most quickly.
Automation will require data and resources from across an organisation to work together. Buy-in from senior leadership is the most effective way to bring together teams such as internal audit, technology, finance, and other data owners to understand what the automation is trying to achieve and the benefit to the overall organisation.
Effective SOX controls automation will take co-operation and effective planning, but the benefits that it can drive in efficiency, flexibility and insights mean that organisations need to give it due consideration. This in turn allows compliance teams to focus their time on the areas that require their skills and judgement for meeting regulatory obligations and continuous improvement.
For more insight and guidance get in touch with Alex Hunt.