
SOX internal control testing: approach to automation

Alex Hunt

SOX compliance can be time and resource intensive. Alex Hunt explains how to start, scale, and mature your SOX automation capabilities to add value across financial and IT operations.

Control testing automation means using programmed workflows to help organisations generate intelligent insights that support risk management and compliance. Organisations can deploy solutions to rapidly help management and assurance teams deliver automated and data-driven insights.

Some examples of effective SOX automation are:

User access and security

Automation can provide a targeted approach to user access testing. Instead of periodic review, it can facilitate automated alerting of new exceptions, such as the use of inactive, privileged, or superuser accounts, failed login attempts, and irregular or out-of-hours use.
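The exception rules named above can be expressed as a small test over an account inventory and a login log. This is an added example, not code from the article; the sample data, the business-hours window, the failed-login threshold and the rule names are all assumptions made for illustration.

```python
from datetime import datetime, time

# Constructed sample data (not from the article): account inventory and login events.
ACCOUNTS = {
    "asmith": {"status": "active", "privileged": False},
    "jdoe": {"status": "inactive", "privileged": False},   # leaver, should not log in
    "root_erp": {"status": "active", "privileged": True},  # superuser account
}
EVENTS = [  # (timestamp, user, outcome)
    ("2024-03-04T09:15:00", "asmith", "success"),
    ("2024-03-04T10:02:00", "jdoe", "success"),
    ("2024-03-04T23:40:00", "root_erp", "success"),
    ("2024-03-05T08:01:00", "asmith", "failure"),
    ("2024-03-05T08:01:20", "asmith", "failure"),
    ("2024-03-05T08:01:45", "asmith", "failure"),
    ("2024-03-05T08:05:00", "asmith", "success"),
]
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed policy window
FAILED_LOGIN_THRESHOLD = 3                  # assumed limit per user per day


def find_exceptions(events, accounts, already_reported=frozenset()):
    """Return (rule, user, timestamp) exceptions that have not been reported yet."""
    found, failures = [], {}
    for ts, user, outcome in events:
        when = datetime.fromisoformat(ts)
        acct = accounts.get(user)
        if outcome == "failure":
            key = (user, when.date())
            failures[key] = failures.get(key, 0) + 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:  # alert once, at the threshold
                found.append(("FAILED_LOGINS", user, ts))
            continue
        if acct is None or acct["status"] != "active":
            found.append(("INACTIVE_OR_UNKNOWN_ACCOUNT_USED", user, ts))
            continue
        if acct["privileged"]:
            found.append(("PRIVILEGED_ACCOUNT_USED", user, ts))
        if not BUSINESS_HOURS[0] <= when.time() <= BUSINESS_HOURS[1]:
            found.append(("OUT_OF_HOURS_USE", user, ts))
    # Only new exceptions are returned, so a scheduled run does not re-alert.
    return [e for e in found if e not in already_reported]


if __name__ == "__main__":
    for exc in find_exceptions(EVENTS, ACCOUNTS):
        print(exc)
```

Passing the previous run's results as `already_reported` is what turns a periodic review into alerting on new exceptions only.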

Segregation of Duties (SoD)

Automation can provide transparent, customisable, and interactive analysis of SoD risks. Customisable and interactive views of user responsibilities and conflicts help eliminate false positives and flag high-risk system administrator conflicts, end-user SoD conflicts, and associated risks across all business cycles.

Payroll controls

Automation can test many high-risk control areas within payroll, such as:

  • if changes to employee information are correctly authorised
  • whether there are any self or inappropriate approvals
  • identifying duplicate or ghost employees
  • reconciling balances per period to payments and the general ledger
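The four payroll tests listed above, written as checks over extracted data. This is an added example, not code from the article; the record layouts, the use of a shared bank account as the duplicate indicator, and absence from the HR master as the ghost-employee indicator are assumptions, and all sample data is constructed.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data (not from the article).
EMPLOYEES = [  # (employee_id, name, bank_account, on_hr_master)
    ("E001", "A. Smith", "GB00-1111", True),
    ("E002", "B. Jones", "GB00-2222", True),
    ("E003", "C. Patel", "GB00-1111", True),   # shares a bank account with E001
    ("E004", "D. Brown", "GB00-4444", False),  # paid but absent from the HR master
]
CHANGES = [  # (change_id, employee_id, changed_by, approved_by)
    ("C1", "E001", "hr_clerk", "hr_manager"),
    ("C2", "E002", "hr_clerk", "hr_clerk"),    # self-approval
    ("C3", "E003", "hr_clerk", None),          # no approval recorded
]
PAYMENTS = {"2024-02": [Decimal("2500.00"), Decimal("3100.50")],
            "2024-03": [Decimal("2500.00"), Decimal("3100.50")]}
LEDGER = {"2024-02": Decimal("5600.50"), "2024-03": Decimal("5700.50")}


def change_exceptions(changes):
    """Flag employee-data changes with no approver or approved by their own author."""
    out = []
    for change_id, _emp, changed_by, approved_by in changes:
        if approved_by is None:
            out.append((change_id, "UNAUTHORISED"))
        elif approved_by == changed_by:
            out.append((change_id, "SELF_APPROVED"))
    return out


def employee_exceptions(employees):
    """Flag possible duplicate employees (shared account) and ghost employees."""
    by_account = defaultdict(list)
    for emp_id, _name, account, _on_hr in employees:
        by_account[account].append(emp_id)
    out = [(tuple(ids), "SHARED_BANK_ACCOUNT")
           for ids in by_account.values() if len(ids) > 1]
    out += [((e[0],), "NOT_ON_HR_MASTER") for e in employees if not e[3]]
    return out


def reconciliation_exceptions(payments, ledger):
    """Return (period, payments minus ledger) for every period that does not agree."""
    out = []
    for period in sorted(set(payments) | set(ledger)):
        paid = sum(payments.get(period, []), Decimal("0"))
        diff = paid - ledger.get(period, Decimal("0"))
        if diff != 0:
            out.append((period, diff))
    return out
```

Amounts are held as `Decimal` so the reconciliation does not raise false exceptions from floating-point rounding.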

How does controls automation work?

To implement controls automation, there are a few considerations to ensure it operates effectively.

Define your needs and limitations to process improvements or automation

Understand early on what output you'll need and what limitations may restrict automation. This will help you identify what resources you need to deliver the automation requirements.

Collect and connect to data

Automation is not possible without access to data and an understanding of what data is available, who the data owners are, and how often and how easily the data can be obtained. Automated connections to live systems will help re-performance, but data extracts are an easier way to start.

Analyse data to identify control attributes

Data can be used to identify where exceptions to business rules exist as well as where controls are failing. Think about the scope of testing to consider how you can most effectively test controls.

Build control test step workflows and trigger schedules

When building tests, make sure to thoroughly test the outputs and consider how exceptions can be highlighted. Advanced analytics should look to use exceptions to trigger actions such as automatic emails sent to control owners or approval process triggers.

Present results

Visualisation can help identify outliers and exceptions, but can also be used as a strong communication tool to highlight trends and performance.

Where to start?

To start delivering controls testing automation effectively, the initial focus should be on quick wins to realise benefits and establish trust in the solutions.

The key stages in ensuring controls automation has the greatest chance of success are:

  • Pilot
  • Evaluate
  • Scale up

To begin automation, starting with a pilot can be beneficial.

Identifying controls that can generate quick wins in year one is key to success as it helps derive the maximum initial value.

Areas we have often found to drive immediate value are:

  • Security admin - user access provisioning, user termination and access re-certification
  • Change management - application-level change controls and testing change approval

After an initial pilot, it's key to evaluate critical decisions for long-term successful automation.

Examples of such decisions are:

  • Real time or snapshot data - initially data extracts can be easier but require manual processing
  • How many controls should be in scope? - start with a workable number done successfully and build up
  • Scheduling - how often do we want to run the control? Should it be manual execution, should it be a single run or run-on-demand? Do you want real-time and trigger notifications on exception?

Build on the pilot prototype and scale up the number of controls tested and/or the complexity of testing.

Good examples of more complex testing would be:

  • Security admin - privileged access and password configuration
  • Change management - changes to production environments and change testing and approval (database / OS)
  • IT operations - access to key applications and interface jobs failures and exception handling

What else do you need to think about?

Independence of internal audit

Often it's not clear where controls ownership and automation fall within a business. Internal audit may be the function with the capabilities and maturity to initiate automation, although in the long run the ownership should sit with business management as part of the internal control environment.

Documentation requirements

Updating process documentation, control descriptions, and control monitoring run-books with details of the automation is not only essential, but can also help develop greater understanding of controls and value, and drive standardisation and efficiency.

Monitoring all controls

Controls are often monitored by a variety of different teams across a business, and it is difficult to collate all controls into a single view. Automation should bring data from across an organisation together. It's a perfect opportunity to standardise controls into a single place to gather valuable insights into control performance.

Investment takes time

Automation will not create value overnight. Often the time taken to embed robust automation will mean there are no immediate short-term efficiencies. This is far outweighed by the value, time-saving and increased insights that occur after implementation. Picking the right controls to automate will help drive value quickest.

Working across an organisation

Automation will require data and resources from across an organisation to work together. Buy-in from senior leadership is the most effective way to bring together teams such as internal audit, technology, finance, and other data owners to understand what the automation is trying to achieve and the benefit to the overall organisation.

Effective SOX controls automation will take co-operation and effective planning, but the benefits that it can drive in efficiency, flexibility and insights mean that organisations need to give it due consideration. This in turn allows compliance teams to focus their time on the areas that require their skills and judgement for meeting regulatory obligations and continuous improvement.

For more insight and guidance, get in touch with Alex Hunt.
