GRC and ERP-specific tools - Most large ERP systems now have tools that specifically help with financial and IT controls testing, such as journal postings, user access, and segregation of duties.
Extract, Transform, Load (ETL) - ETL is the process of taking system data and preparing it for analysis. There are many tools on the market, such as Alteryx, Knime or IDEA, that perform data ingestion and transformation. These are versatile and ideal for aggregating data and cleansing it into a usable format.
Robotic Process Automation - Automation can make repetitive tasks simple and easy. Whether it’s through a scripted data query or a specific RPA tool, end-to-end automation of workflows will save a significant amount of time, around 70% compared to manual methods. Automation can cover a wide variety of SOX-related tasks, such as extracting data, performing tests of detail, populating dashboards and exception alerting.
Visualisation and dashboards - Tools such as Power BI or Tableau enable the creation of visuals that allow you to build monitoring solutions. They can facilitate continuous auditing for real-time exception flagging. Dashboards can be published and shared with senior stakeholders to provide timely, engaging and interactive reporting of the assurance process.
Process mining - Tools such as PAFNow, Minit and Celonis allow effective mapping of end-to-end processes in a visual way to identify control breakdowns and optimisation opportunities.
End-User Computing (EUC) - In-house and user-developed applications or critical spreadsheets can be a significant risk to businesses as they are not subject to the organisation's IT general controls. Tools such as those from CIMCON will allow you to discover EUCs across your organisation, log and manage them, and deep dive into specific files to highlight exceptions and integrity risks.
Platform as a Service/Software - Cloud services are available for all of the digital tools listed here, which means they can be deployed flexibly and licence subscriptions are based on usage. This avoids significant investment of internal IT resources needed for new hardware and software.
And what are the challenges?
The biggest challenge is ensuring you have the correct strategy for using tools and technologies to modernise your SOX internal control testing. Any approach should focus on achieving quick wins by leveraging existing tools and skills to demonstrate value before progressing to long-term transformation goals.
Asking a few big questions at the start can help you manage it.
What are the costs?
Tools and licences can be expensive to purchase and configure to your needs. Think about leveraging existing tools you already have in the business. The likelihood is that these may be enough to get started on short-term needs or a pilot. Also, consider whether you can utilise lower entry cost or open-source tools.
What's the return on investment (ROI)?
The time savings generated from automation are often underestimated, and it’s also worth considering how much less disruptive an automated approach will be to finance and IT personnel once established. There is less burden on the business as compliance activity is automated, and employees can spend this saved time on higher-value activities. Consider whether other areas of the business may benefit from using these tools, as this will mean a greater return on investment for the business.
Do you have the right skills and knowledge?
Most organisations will not necessarily have all the skills in the business to run all the tools they would ideally use. Training, piloting, recruitment, and external help are all effective ways to increase skills and knowledge.
What tools do you need?
There are numerous digital solutions on the market that can deliver automated compliance. There is no one-size-fits-all solution; however, end-to-end digital auditing solutions exist that package together the necessary digital components for automation. These solutions are a good option for organisations with limited digital capabilities, as they require only one investment instead of bringing together multiple tools.
Investing in efficiency
Automated SOX solutions enable data gathering, control assessments, testing, signoffs, evidence, and workflow documentation all to be handled in one system. This makes management and review by external auditors simpler, and makes it easier to demonstrate compliance and deliver assurance.