Leverage the New Digital Era for GRC Automation


DIGITAL TRANSFORMATION BRINGS IN A NEW ERA OF AUTOMATION – CAN GRC INITIATIVES BE FAR BEHIND IN ADOPTION?

Learn the new mantras in technology that are going to redefine the way users interact with business applications to perform their tasks with ease.

We frequently hear the acronyms “RPA” and “BOT” (and also CHATBOT), which claim to automate the high-volume, mundane and repetitive tasks performed by human beings. Gartner has predicted that by 2021, more than 50% of enterprises will spend more per annum on bot and chatbot creation than on traditional mobile app development.

Well, RPA is “Robotic Process Automation”, for those uninitiated into the world of AI (Artificial Intelligence) and ML (Machine Learning). It is software that can not only automate high-volume repetitive tasks but also perform calculations, execute queries and maintain records and results.

“BOT” is short for “ROBOT”. BOTs are like virtual assistants which can answer questions and help you get things done faster without needing to speak to another human. They are software applications that perform repetitive tasks, often faster than humans. A common task they do is chat, in a question-and-answer format. Sometimes when you think you’re chatting with a person, you may be chatting with a bot, because they mimic human interaction and conversation.

There are two types of chatbots: ones that can only respond to very specific commands and are only as smart as they are programmed to be, and ones that have artificial intelligence and improve constantly via machine learning. The second type gets smarter the more it crunches large data, talks to people and listens to their conversations or responses.

CAN GRC PROGRAMS LEVERAGE THE DIGITAL REVOLUTION?

Let us move on to how internal auditors, SOX controllers/testers, the CFO’s office and finance departments can leverage RPA and BOTs.

Many organizations embark on a GRC program and decide ultimately on a framework (which includes scope of coverage and overall data structure that supports the internal control environment) and the processes (priority areas that need immediate attention for testing). Roles and responsibilities are then defined to decide which resource would do what kind of compliance activities (testing plans, surveys, assessments, entity-level certifications and so on) across the organization.

This decision is very often supported by a good GRC vendor who provides the application software to set up the internal control monitoring and compliance activities.

Once the GRC implementation is done and usage increases over time, all resources are swamped with more activities and get bogged down with time-consuming compliance checks, manual testing and certifications, consolidation of surveys, solving urgent issues and gathering information for producing the next GRC report for top management.

EXTEND THE GRC PLATFORM WITH RPA AND BOTS

RPA and bots can be used innovatively and cost-effectively to address the challenges that the GRC team faces, adding real power to the program.

Let us look at a few examples that lend themselves to automation techniques.

  1. RPA / BOTS can be made to access multiple data sources (ERP systems, databases, document management systems, etc.). This would help in automating control testing based on criteria or selections done by users.
  2. RPA / BOTS can be used for scheduling automated test runs at specified intervals for Continuous Control Monitoring (CCM) or ad hoc, gathering the necessary evidence and classifying results against the “pass or fail” criteria.
  3. Many of the manual test plans for controls and compliance are generally rule-based steps with documentation and are ideally suited for RPAs. This would help in reducing dependence on human testers going around to complete the test steps and then consolidating the answers and evidence. For example, monthly legal compliance checklists (indirect taxes, GST, and many more) can be automated to consolidate information and present it in a dashboard report.
  4. Those instances where responses are delayed or incomplete can be highlighted for action. Exceptions can be flagged by the BOTS to automatically raise issues for remediation and trigger workflows to the concerned persons.
  5. Control design surveys / entity-level certifications / C-level questionnaires can be handled automatically by BOTs. Reminders for responses can be sent automatically and results consolidated as a report.
  6. BOTs can be used to take corrective action. For example, if automated control tests have brought out that the “post automatically” check mark on the vendor control account was unchecked several times in order to pass manual journal entries, BOTs can be made to check similar control accounts (customer, inventory, etc.) for the same condition, perform similar testing and send notifications to the control owners for investigation and corrective action.
  7. BOTs can be made to take preventive action, say when a user misuses his or her access rights to make multiple changes to an open transaction, post multiple inventory write-offs after the period close or download sensitive reports. BOTs can immediately block the user’s access with a simultaneous notification to the user’s manager and, based on the manager’s response, unblock the user’s access rights.
  8. BOTs can review and validate master data structures in GRC applications to highlight whether control owners are assigned for control testing, and check the risk and control matrix for blank values against a risk (meaning there is no control defined for a risk that has been identified).
  9. BOTs can escalate failure of critical controls to line managers, consolidate reports and immediately alert senior management when a significant volume of control failures have been identified for a given organization unit or department.
  10. BOTs can automate mundane tasks like password resetting after necessary validations, triggering Segregation of Duties violation reports with transaction details in near real time, send reminders for firefighter reviews that are pending over a specified number of days, etc.
  11. BOTs can use AI and ML to look at dependencies and patterns in the transactions that are tested. For example:
    1. A duplicate vendor check was disabled by a user and this was detected as a failure of internal control. The BOT can immediately check transactions to see if duplicate invoices were recorded the same day / period by another user, which would point to possible collusion between the two users and a fraudulent scenario.
    2. Do a pattern analysis of occurrences of multiple credit notes for customers issued during the first week of the month following the sales (to cover up fake customer invoices and boost revenue).
    3. Insert real-time control checks within business applications during travel claim settlements and approvals to prevent suspicious or inadvertent claims: check the history of claims by a particular user, compute standard deviations and exceptions, and flag them to managers for real-time intervention before the claim is settled.
    4. Scan texts / images in documents attached in support of transactions such as purchase orders, journal vouchers, travel and other reimbursement claims to verify their correctness, relevance and accuracy, and highlight mismatches which need to be probed further by the line managers.
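To make the real-time travel claim check in item 11.3 concrete, here is an added Python example (not code from the article or from any GRC product): a claim is compared against the claimant’s own history using the mean and standard deviation, and is held for manager review when it is an outlier, when the history is too short to form a baseline, or when a constant history makes any deviation an exception. The claim histories, thresholds and the `screen_claim` function are constructed for illustration.

```python
"""Real-time screening of a travel claim against the claimant's history.

Added example for the article's item 11.3; not code from the article or any
product. MIN_HISTORY, Z_THRESHOLD and all claim values are constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List, Optional

MIN_HISTORY = 5     # fewer past claims than this: no reliable baseline, so route to review
Z_THRESHOLD = 3.0   # claims more than 3 standard deviations above the mean are exceptions


def screen_claim(history: List[float], amount: float) -> Dict[str, Optional[object]]:
    """Decide whether a new claim can be settled or must be held for the manager.

    Returns a record with the decision, a human-readable reason and the z-score
    (None when no score can be computed), so the manager sees why it was flagged.
    """
    if len(history) < MIN_HISTORY:
        # Edge case: a new or infrequent claimant has no statistical baseline yet.
        return {"decision": "review", "reason": "insufficient claim history", "z": None}

    mu = mean(history)
    sigma = pstdev(history)  # population standard deviation of the claimant's own claims

    if sigma == 0.0:
        # Edge case: every past claim was identical, so a z-score is undefined.
        if amount == mu:
            return {"decision": "settle", "reason": "matches constant history", "z": 0.0}
        return {"decision": "review", "reason": "deviates from constant history", "z": None}

    z = (amount - mu) / sigma
    if z > Z_THRESHOLD:
        return {
            "decision": "review",
            "reason": f"{z:.1f} standard deviations above mean {mu:.2f}",
            "z": z,
        }
    return {"decision": "settle", "reason": "within expected range", "z": z}


if __name__ == "__main__":
    # Constructed claim histories (amounts in the same currency unit).
    regular_traveller = [100.0, 110.0, 90.0, 105.0, 95.0]
    fixed_allowance = [50.0] * 6
    new_joiner = [120.0, 130.0]

    print(screen_claim(regular_traveller, 130.0))  # far above the usual pattern: review
    print(screen_claim(regular_traveller, 112.0))  # within range: settle
    print(screen_claim(fixed_allowance, 60.0))     # constant history, new value: review
    print(screen_claim(new_joiner, 125.0))         # too little history: review
```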

“Business bots will be the new intangible assets owned and reported by businesses in future. Harvesting and integrating the value derived from these intelligent assets will become crucial for business success.” Chatbots Magazine

The examples given in this article are only a few samples. The continued evolution of AI is enhancing the potential and functionality of RPAs and BOTS, making the possibilities virtually limitless.

Digital Transformation re-defines CCM

In complex system landscapes (especially those with leading ERP solutions that are capable of handling huge volumes of data), defining an approach for Continuous Control Monitoring can be overwhelming. The nuances of the many configuration, master data and transaction controls in the system, coupled with the authorization mechanisms, can influence the effectiveness of the controls.

Every auditor (or audit firm) faces the daunting task of defining appropriate audit procedures for the various types of audits.

Testing in a traditional audit generally uses one or more of the following:

  • Appropriate inquiry about controls in existence,
  • Activities and operations tested through observation of a process / sub process, such as reviewing transactions and supporting documents,
  • Ensuring manual controls are performed by examining and recording evidence,
  • When all the above do not provide sufficient assurance, manually re-performing a control test and comparing against the system-generated result, and,
  • Using a Computer Aided Automation Tool (CAAT) (e.g. ACL, IDEA, etc.) that helps in looking at a larger sample size out of the data available.

Internal Audit, as the 3rd line of defence, has to necessarily rely on substantive evidence provided by Continuous Control Monitoring (CCM) that can be corroborated by other audit test procedures.

With an appropriate high-performing analytical platform:

  • 100% coverage of the transactions chosen for control testing can be achieved, not just a sample,
  • Statistics (mean, variance, standard deviation, etc.) can be computed over a very large population (millions of transactions if you do it over the course of a quarter or year), and
  • The technological capabilities of a strong platform can bring in control testing and analysis that applies Artificial Intelligence, through machine learning and pattern analysis across huge data.

Leading companies have started using Continuous Control Monitoring because they reap significant benefits:

  • Proactive detection and corrective measures on time before control deficiencies lead to financial misstatements and losses.
  • Automation techniques available for monitoring and testing help cover more controls than the manual tests done earlier, thereby enabling better coverage and assurance to top management for certification.
  • Automated control testing makes it easier to schedule and evaluate CCM tests and deal with issues.
  • Lower costs, time and effort as compared to manual testing.
  • Helps bring in transparency for internal, external audits and regulatory requirements.

Leveraging Automation in Continuous Control Monitoring

  • Automated testing used for CCM brings in 360-degree coverage for key risks. It is not just about “controls monitoring”, it is about “risk identification” too!
  • Access and authorization risks (the foundational internal control): monitoring segregation of duties and critical or sensitive access to data.
  • Configuration risks that could arise from inadvertent or wilful changes to system configurations, which could have serious repercussions on the efficiency and effectiveness of the controls.
  • Master or static data changes that drive erroneous or suspicious transactions, resulting in waste, abuse or fraud against the organization.
  • Transactions recorded in the enterprise systems have to be screened for exceptions and deviations to avoid risks.

KEY TAKEAWAYS FOR ADOPTING CONTINUOUS CONTROL MONITORING

  • CCM is not just a “nice to have” concept. With almost all regulations, such as the Indian Companies Act, Stock Exchange Listing Agreements and several other international requirements, demanding certification of the “efficiency and effectiveness” of internal controls, it has become a “must-have”.
  • Automation of CCM with the right technology partner helps you:
    • Reduce the time to test
    • Reduce the cost of testing
    • Reduce the effort in setting up schedules
    • Find exceptions faster and route them to users for resolution
    • Take preventative steps in critical areas of the business to strengthen internal controls in a timely manner
    • Bring in transparency that can be shared with internal / external auditors to save audit time and effort, and provide reliable reporting to the Board and Audit Committee.

Foundation for internal control

Getting on top of access and authorization risks.

The most important and basic foundation to be laid for internal controls starts with assessing who the persons authorized to perform business transactions are, and what kind of responsibilities and reach they have within the organization. Very often we find that people are given so many responsibilities for conducting processes that oversight of what they transact does not get enough attention.

“Maker-checker (or Maker and Checker, or 4-Eyes) is one of the central principles of authorization in the information systems of financial organizations. The principle of maker and checker means that for each transaction, there must be at least two individuals necessary for its completion. While one individual may create a transaction, the other individual should be involved in confirmation/authorization of the same. Here the segregation of duties plays an important role. In this way, strict control is kept over system software and data, keeping in mind functional division of labor between all classes of employees.”

(Source: //en.wikipedia.org/wiki/Maker-checker )

Many types of risks stem from neglecting this very important control. Typically called “segregation of duties” (SOD in short), this is the first check done by internal or external auditors. Across the world, many existing and proposed regulations (such as Sarbanes-Oxley, Japanese SOX (JSOX), etc.) as well as standards brought about by the IIA/ISACA strive to bring SOD risk to the fore as a main item on the agenda of auditors and management alike.

Segregation of Duties (SOD) is a basic internal control that helps ensure that no single individual has the authority to execute combinations of two or more transactions that can typically create a “conflict of interest”, giving rise to potential business risks. Typical examples include the same person issuing a purchase order and approving it himself, receiving collections and adjusting them against receivables, having access to personnel master data with sensitive information and also administering payroll, being authorized to change programs in the software and also having access to production systems, and being able to change bills of materials and also issue production orders for manufacture.

One may wonder: is this possible in a lean and mean organization? Almost all transactions are done by a few persons, so how can I establish controls? Does this mean that I have to over-staff my business operations just to ensure a “no-SOD risk” scenario? Well, to be honest, there can never be a “no-SOD risk” scenario in such cases, but good practice demands that the organization is aware of the existing risks and takes suitable steps for supervisory controls or mitigation through reports or other procedures.

Irrespective of the industry or size of the organization, it is considered good practice to be aware of and sensitive to how authorization policies are enforced and ensure that roles and responsibilities do not permit excessive powers that could be unintentionally or intentionally misused.

However, large organizations with a huge user population will find this a challenge, because user management (creation, modification, blocking, deletion, etc.) is generally the responsibility of the IT department. Complex IT landscapes make it all the more challenging for them to spot SOD risks, because they deal only with the technical requirements of user life cycle management. Many IT departments / CIOs / CTOs are more worried about SLAs for granting access quickly to ensure productivity, and they may have little or no time for understanding the SOD risk domain (which sometimes spans multiple applications).

Because of this lack of shared responsibility between IT and other departments such as finance or internal audit, the matter often falls between two stools; and if some untoward risk event occurs and a financial aberration, information loss or physical loss of assets happens, the blame game starts over who is responsible for the event.

Let us look at the key points for this program to be successful.

  1. Executive sponsorship – the tone at the top decides the importance given to bringing in the steps needed for this internal control. That means business teams have to understand and collaborate with the technical IT team to map the risk domain onto user life cycle management, answering questions like “What if these two business tasks are given to the same person? What is the impact and potential risk? How critical is this risk (to help rank priorities)?”.

  2. Defining respective groups and responsibilities – Business teams such as finance or internal audit must own up responsibility for defining SOD risks in understandable terms and the technical IT team should own up administering user management tasks to reflect the authorization policies with SOD enforced.

  3. Technical definitions mapped to ‘business roles’ – We all know that business teams focus on operations and transactions and the technicalities behind how these transactions are referred to internally by the systems are not known to them. For example, “create purchase order” is a business task, “execute transaction XYZ01” is a technical command in a software. This is where the business and technical teams need to sit together and map technical definition of roles with understandable business terminology.

  4. Develop risk matrix / matrices – Once the various business transactions are understood by all the teams, it becomes important to visualize what potential conflicts could arise if there is a combination of business transactions and this is where the “risk” is identified. The risk statement may state that when an employee has excessive authorization in, say accounts payable- like creating master data for vendors, initiate purchases and make payments to the vendor, it could result in a potential fraud situation. Every industry, functional area of every business has its own unique set of risk statements and has to be carefully evaluated. It is not uncommon for large global organizations to have multiple risk matrices for different business units, differing business models and varied locations. Knowledge of the particular industry, business unit and location is important to perform a customized analysis of the risk matrices that is suitable for each business model.

  5. Understand the current situation – Analysis of current user authorizations and their roles is the first step to identifying the current status of SOD and the potential impact on various business processes. Some companies employ consulting firms who bring in their own software to run the analysis, which is then perused by the company for prospective correction of SOD. However, this is only a temporary approach, since manual efforts may not be suitable for continuing analysis and a preventative authorization mechanism. Alternatively, many organizations opt for specialized access governance software that, when connected to your software systems, has the intelligence to surface the potential SOD risks. Organizations that have a long-term vision of user access governance will opt for this approach, since cleaning up SOD risks is not a one-time activity. It needs constant monitoring due to user life cycle changes like the addition of new users, new tasks, promotions, transfers, off-boarding from the company, etc.

  6. Remediating SOD risks – Once the analysis report is studied, you may want to take corrective action like removing unwanted authorizations from users who have critical SOD risks. This is referred to as “remediation”. This activity also includes removing unwanted authorizations contained in role definitions.

  7. Mitigating SOD risks – Mitigation implies accepting the SOD risk by putting in supervisory or compensating controls to lessen the severity of the risk. Typically, organizations that have lean and mean staffing, or are spread across remote locations with limited resources, benefit by putting in mitigating controls that add checks and balances over transactions. Take a typical SOD violation: an accounting department staff member has several authorizations such as recording journal entries, adjusting receivables and writing off bad debts. You may want to put in supervisory controls as mitigating controls, such as a daily report of journal entries going to his or her manager for sign-off and an approval workflow for writing off bad debts.

  8. Get to know SOD risks when provisioning users and roles in the system – it is best practice to proactively identify SOD risks even before you grant users access and authorizations in your systems. The risk matrix that you have finalized provides the intelligence to compare what is requested as authorizations by each user or group. Unless you have a very small business operation, comparing each and every authorization request against a risk matrix kept in a spreadsheet is cumbersome and time-consuming, and may result in missing certain risks. There are software options available in the marketplace that not only provide best-practice risk matrices for various processes but also help in automating the whole process, starting from the access request, through approval by a manager who gets visibility into any SOD risks and the application of mitigating controls, to workflow messages to the technical team for the final provisioning into the business applications. Obviously, the latter approach of automating user provisioning is superior because it eliminates the manual checking, comparison and provisioning that could lead to costly human errors.

  9. Continuous and preventative checks on SOD risks – If you are a small organization with limited employees, you may want to go the manual way of checking for SOD risks periodically (say every quarter), either with the help of internal staff or external consultants. On the other hand, a large organization with a huge number of employees, contractors or other external people accessing its systems would do well to opt for a technology solution that identifies SOD risks automatically and helps in provisioning / de-provisioning users in a seamless way.

  10. Say NO to common log-in user accounts and shared passwords – a group of users sharing a common user ID / account defeats the very purpose of identifying the users who have SOD risks. If there is a generic or shared account, it becomes impossible to pinpoint with certainty which individual used that shared account. As for sharing passwords between colleagues and friends, this is a problem of organizational culture, and discipline has to be inculcated through corporate training programs.

  11. Periodic reviews on SOD risks and mitigation controls – Encourage and bring about periodic reviews of user access rights and their roles by management and internal audit so that you are always on top of risks before they become loss events. Ensure that mitigation is given after serious consideration of each and every case and not as a matter of routine, because the context of the authorization request may vary based on business unit, location, criticality, etc.

  12. Take steps for tracking emergency authorizations – There will always be situations in organizations that require some persons to do additional duties or tasks in emergency situations or due to the absence of some colleagues. This would entail granting temporary access rights that may result in segregation of duties risks. It is necessary to get log reports of what transactions were performed in the system during this period of excessive authorization and check whether any critical information was altered knowingly or unknowingly.
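Steps 3 to 8 above (mapping technical authorizations to business tasks, building the risk matrix, analyzing current users, recording mitigations and checking an access request before it is provisioned) can be carried through in code. The following is an added Python example, not code from the article or from any GRC product; the business tasks, transaction codes, roles, users, risk ids and the mitigation register are all constructed sample data.

```python
"""Segregation-of-duties check against a risk matrix.

Added illustration for the SOD program described above; not code from the
article or any GRC product. Every task, role, transaction code, user and risk
id below is constructed sample data.
"""
from typing import Dict, FrozenSet, Set, Tuple

# Step 3: business tasks mapped to the technical authorizations that grant them.
# A task counts as granted only when the user holds ALL of its authorizations.
TASK_TO_AUTHS: Dict[str, Set[str]] = {
    "create_vendor_master": {"XK01"},
    "create_purchase_order": {"ME21N"},
    "post_vendor_payment": {"F-53"},
    "post_journal_entry": {"FB50"},
    "write_off_bad_debt": {"F-32"},
}

# Step 4: the risk matrix, one entry per conflicting pair of business tasks.
RISK_MATRIX: Dict[str, Tuple[str, str, str]] = {
    "R01": ("create_vendor_master", "post_vendor_payment", "high"),
    "R02": ("create_purchase_order", "post_vendor_payment", "high"),
    "R03": ("post_journal_entry", "write_off_bad_debt", "medium"),
}

# Technical roles as the IT team administers them (constructed).
ROLES: Dict[str, Set[str]] = {
    "AP_CLERK": {"XK01", "ME21N"},
    "AP_PAYMENTS": {"F-53"},
    "GL_ACCOUNTANT": {"FB50", "F-32"},
}


def effective_auths(roles: Set[str]) -> Set[str]:
    """Union of the authorizations contained in a user's roles."""
    auths: Set[str] = set()
    for role in roles:
        auths |= ROLES[role]
    return auths


def business_tasks(auths: Set[str]) -> Set[str]:
    """Translate technical authorizations back into business-task terminology."""
    return {task for task, needed in TASK_TO_AUTHS.items() if needed <= auths}


def sod_violations(roles: Set[str], mitigated: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Steps 5 and 7: risks whose two tasks the role set grants, minus mitigated risks.

    Returns {risk_id: severity} for the open (unmitigated) conflicts.
    """
    tasks = business_tasks(effective_auths(roles))
    return {
        rid: severity
        for rid, (task_a, task_b, severity) in RISK_MATRIX.items()
        if task_a in tasks and task_b in tasks and rid not in mitigated
    }


def analyze_users(users: Dict[str, Set[str]],
                  mitigations: Dict[str, FrozenSet[str]]) -> Dict[str, Dict[str, str]]:
    """Step 5: current-state report listing only users who still have open risks."""
    report: Dict[str, Dict[str, str]] = {}
    for user, roles in users.items():
        open_risks = sod_violations(roles, mitigations.get(user, frozenset()))
        if open_risks:
            report[user] = open_risks
    return report


def provisioning_check(current_roles: Set[str], requested_role: str,
                       mitigated: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Step 8: the risks a requested role would ADD, shown to the approving manager."""
    before = sod_violations(current_roles, mitigated)
    after = sod_violations(current_roles | {requested_role}, mitigated)
    return {rid: sev for rid, sev in after.items() if rid not in before}


if __name__ == "__main__":
    # Constructed user population and mitigation register (step 7: bob's write-offs
    # are covered by a manager sign-off workflow, so R03 is an accepted risk for him).
    USERS = {
        "alice": {"AP_CLERK", "AP_PAYMENTS"},
        "bob": {"GL_ACCOUNTANT"},
        "carol": {"AP_CLERK"},
    }
    MITIGATIONS = {"bob": frozenset({"R03"})}
    for user, risks in analyze_users(USERS, MITIGATIONS).items():
        print(f"{user}: open SOD risks {risks}")
    # Access request: carol asks for AP_PAYMENTS; check before anything is provisioned.
    print("carol + AP_PAYMENTS would add:", provisioning_check(USERS["carol"], "AP_PAYMENTS"))
```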

In summary, while technology and software solutions would help a lot to bring in this important internal control, it is the will and vision behind this program by a collaborative team that would ensure sustainable success in the long term.

Internal Controls – its importance

There are many definitions of internal control, and I give below one of them, retrieved from the Business Dictionary website.

(Read more: //www.businessdictionary.com/definition/internal-control.html )

“Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources, (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial and management information, and (6) ensure adherence to its policies and plans.”

Very often people think that internal controls (or the failure thereof) are relevant only for financial statement reporting. While the main focus is on accounting and auditing certifications about the achievement of an organization’s objectives through reliable financial reporting and compliance with laws, regulations and policies, the other areas of business operations are equally important and need to be addressed.

Whether you are a small business or a large organization or even a family-owned proprietorship concern, you cannot survive without basic internal controls over your operations. You need to have appropriate checks and balances in all your processes and clearly laid out procedures that can be monitored or are auditable.

Internal control is a key element in many statutes like the Sarbanes-Oxley Act, Foreign Corrupt Practices Act, Indian Companies Act, etc. and even in some stock exchange listing agreements as well.

In the Indian Companies Act, the meaning of the term ‘internal financial controls’ is given only in an explanation to section 134(5)(e), dealing with directors’ reporting responsibilities, yet that explanation lays down very wide responsibilities regarding internal financial control, covering both financial reporting controls and business controls. However, as per the Amendment to the principal Act, auditors’ responsibility for reporting on internal financial controls is limited to the financial statements; they are not required to report on the business controls.

In today’s digital economy there is hardly any business that does not have financial processes that are automated through software solutions such as ERP, accounting software, etc. that have embedded internal controls.

However, this does not mean that one can rest assured that all internal controls are addressed and working effectively. Changes in internal control settings or design that go unnoticed may have far-reaching effects: inaccurate financial reporting, information loss, damage to physical assets or other resources, or fraudulent activities.

Key points to note about Internal controls

  1. Internal controls are not a one-time set-up activity. Of course, while setting them up you need a robust design that addresses your business processes and compliance requirements.

  2. The internal controls initially put in place need to be monitored periodically for their adequacy, because the dynamics of the business may bring in new processes or changes in the way existing processes are handled.

  3. Business transactions and operations should not suffer because of over-control, nor should they be impacted by a deficiency of control that exposes you to risks. You should strive to achieve a balance by checking the risk-control coverage.

  4. Just because you have the best ERP or other software solution with pre-built controls does not mean that its design is sacrosanct. Most software solutions offer many control configurations that are flexibly left to your option. You need to evaluate the control design to see whether it suits your unique business processes.

  5. As businesses continue to evolve, the internal controls need to be continuously assessed and monitored for their adequacy, effectiveness and efficient operation. Employees or other persons who are authorized to perform business transactions or set up the software may unknowingly change some controls without understanding the impact on your business.

  6. You may have manual procedures or processes which are sometimes not supported by your system software – such as compliance with laws that require physical inspection, reporting and certification of documents, statutory filings, safety procedures in plants, storage locations, etc. These business controls are equally important and should form part of the overall list of controls.

  7. Insiders / fraudsters or manipulators may take advantage of some weak internal controls to benefit themselves or their counterparts either through access to sensitive information or causing financial leakage that could go unnoticed for a long time.