As regulatory requirements grow ever more stringent, automation is no longer optional, especially for public companies. Since the Sarbanes-Oxley Act (SOX) was passed in the U.S. nearly two decades ago, all public companies are required to establish SOX-compliant internal controls and reporting methods. Controls testing is critical to the audit process to ensure controls are performed consistently and accurately.
Faced with increasingly complex processes, scarce IT resources and aging systems, organizations need testing mechanisms that are as streamlined and accurate as possible. In addition, internal audit (IA) teams face increased demand to test and monitor an exponential increase in transactions across a greater number of systems due to increased globalization and digitization — creating still greater potential for risk.
Business processes with significant risk have controls designed to mitigate those risks, after which audit teams must test to ensure the control is effective. In short, dedicated staff are required to perform a control and then audit it, and both must document their work.
These redundancies make compliance costly and resource intensive. Moreover, traditional testing methods use a statistical model to test a small, random sample, typically between 1% and 5% of total transactions. IA teams lack the capacity to scale enough to increase population coverage for more comprehensive testing. Lastly, even though an auditor is independent, they must rely on secondary evidence provided by control owners, which exposes the test to the possibility of error or fraud.
Key benefits of automation
Companies can significantly increase risk assurance and reduce the cost of compliance by automating controls testing, using mainstream robotic process automation (RPA) tools coupled with emerging artificial intelligence (AI) technologies. Automating the audit process allows organizations to test controls in real or near real time and achieve a truly risk-based audit. These digital tools can address most of the challenges IA teams face by transforming the way audit is performed, thus elevating the value of audit by providing the business with higher risk assurance.
Automated controls testing also offers increased visibility into the control environment by creating a digital footprint that captures all actions, interactions and outcomes. This provides greater insights that help management plan audit cycles, identify deficiencies, optimize end-to-end processes and rationalize controls. Ultimately, automating controls testing can lead to continuous monitoring and even automating the controls themselves, allowing IA teams to focus on higher value work that will be critical to the business going forward, particularly as organizations require greater audit coverage with reduced staff.
Here are the most important ways that automation can improve risk assurance:
- Independent testing allows auditors to source evidence directly from systems instead of relying on the business to provide screenshots and other forms of second-hand evidence. At a large insurance client, the audit team relied on management to provide a screenshot of the claims system as evidence of segregation of duties (SOD) between the preparer and the reviewer of a claim. However, there was no way to determine if the screenshot had been edited or if it was for a different claim. Automation enabled auditors to directly and independently access the claim system and verify SOD.
- Full population testing is not practical without automation. Internal audit teams are a cost center with limited resources, which hinders their ability to have adequate coverage for SOX testing. IA largely relies on sample testing for high-volume transactions. Automation addresses this challenge by delivering speed and scale immediately. At another insurance client, the actuarial teams published interest rate changes each month, which were manually updated in enterprise systems. There was a control in place and no mismatches on the updated rates. While the number of interest rate changes involved nearly 10,000 records, the SOX testers used a sample of only 5 to 10 records each month. Using automation, we achieved the speed needed to perform a full-population testing within hours, significantly improving coverage for IA.
- Near real-time testing reduces lag time between control performance and testing. Audit is not a core business activity and is not mission critical, so companies don’t prioritize or direct resources toward audit activities over business functions. As a result, audit activity typically lags behind business activity by weeks or even months. For one client, we reduced the lag time between control performance and testing from approximately three months to 24 hours. The automation solution was non-disruptive to the business, and the audit was performed on tasks that had been completed in the past 24 hours.
- Eliminating the human element improves accuracy. Reducing human error is the most obvious outcome of automation. This is especially important in the audit world, where the margin for error is minimal to none. Because humans are prone to making errors or committing fraud, traditional audit practice requires process checks, which sacrifice speed for accuracy. With automation, audit teams can have both.
- Elevating the quality of work for human auditors enables them to provide greater value to the business. When automation eliminates drudge work like extracting and comparing information from multiple systems, human auditors can focus on higher value, investigative tasks that require expertise, skills and judgment. With full-population testing, our clients can capture exceptions and route them to auditors to investigate. Insights gleaned from auditors’ examinations can then be reported back to management.
- Automation is a catalyst for digital transformation. Automation solutions for audit are designed to independently re-perform the same tasks and processes that need to be audited to ensure they are performed adequately. However, these automations can also be used by the business to perform the original process. Once the business achieves full automation of an end-to-end process, the need for the control goes away as human intervention is eliminated. In our experience, the more business stakeholders of our IA clients understand this, the more interested they are in implementing downstream automation programs in their business areas.