Leverage the New Digital Era for GRC Automation



Learn the new mantras in technology that are going to redefine the way users interact with business applications to perform their tasks with ease.

We frequently hear the acronyms “RPA” and “BOT” (and also “CHATBOT”), which claim to automate the high-volume, mundane and repetitive tasks performed by human beings. Gartner has predicted that by 2021, more than 50% of enterprises will spend more per annum on bot and chatbot creation than on traditional mobile app development.

For those uninitiated into the world of AI (Artificial Intelligence) and ML (Machine Learning), RPA stands for “Robotic Process Automation”. It is software that can not only automate high-volume repetitive tasks but also perform calculations, execute queries and maintain records and results.

“BOT” is short for “ROBOT”. Bots are like virtual assistants that can answer questions and help you get things done faster without needing to speak to another human. They are software applications that perform repetitive tasks, often faster than humans. A common task they do is chat, in a question-and-answer format. Sometimes when you think you are chatting with a person, you may be chatting with a bot, because bots mimic human interaction and conversation.

There are two types of chatbots: ones that can only respond to very specific commands and are only as smart as they are programmed to be, and ones that use artificial intelligence and improve constantly via machine learning. The latter gets smarter the more it crunches large data, talks to people and listens to their conversations or responses.


Let us move on to how internal auditors, SOX controllers/testers, the CFO's office and finance departments can leverage RPA and bots.

Many organizations embark on a GRC program and ultimately decide on a framework (which includes the scope of coverage and the overall data structure that supports the internal control environment) and the processes (priority areas that need immediate attention for testing). Roles and responsibilities are then defined to decide which resource would perform which compliance activities (testing plans, surveys, assessments, entity-level certifications and so on) across the organization.

This decision is very often supported by a good GRC vendor who provides the application software to set up the internal control monitoring and compliance activities.

Once the GRC implementation is done and usage increases over time, all resources are swamped with more activities and get bogged down with time-consuming compliance checks, manual testing and certifications, consolidation of surveys, solving urgent issues and gathering information for the next GRC report to top management.


RPA and bots can be used innovatively and cost-effectively to add more power to meeting these challenges that the GRC team faces.

Let us look at a few examples that lend themselves to automation techniques.

  1. RPA / bots can be made to access multiple data sources (ERP systems, databases, document management systems, etc.). This helps automate control testing based on criteria or selections chosen by users.
  2. RPA / bots can be used to schedule automated test runs at specified intervals for Continuous Control Monitoring (CCM), or ad hoc, gather the necessary evidence and classify the results as “pass” or “fail”.
  3. Many manual test plans for controls and compliance are rule-based steps with documentation and are ideally suited for RPA. This reduces dependence on human testers going around to complete the test steps and then consolidating the answers and evidence. For example, monthly legal compliance checklists (indirect taxes, GST, and many more) can be automated to consolidate information and present it in a dashboard report.
  4. Instances where responses are delayed or incomplete can be highlighted for action. Exceptions can be flagged by the bots to automatically raise issues for remediation and trigger workflows to the persons concerned.
  5. Control design surveys, entity-level certifications and C-level questionnaires can be handled automatically by bots. Reminders for responses can be sent automatically and the results consolidated into a report.
  6. Bots can be used to take corrective action. For example, if automated control tests have shown that the “post automatically” check mark on the vendor control account was unchecked several times to pass manual journal entries, bots can be made to check similar control accounts (customer, inventory, etc.), run the same test and notify the control owners for investigation and corrective action.
  7. Bots can be made to take preventive action, say when a user misuses his access rights to make multiple changes to an open transaction, post multiple inventory write-offs after the period close or download sensitive reports. Bots can immediately block the user's access with simultaneous notification to his or her manager and, based on the manager's response, unblock the user's access rights.
  8. Bots can review and validate master data structures in GRC applications to highlight whether control owners are assigned for control testing and check the risk and control matrix for blank values against a risk (meaning no control is defined for an identified risk).
  9. Bots can escalate failures of critical controls to line managers, consolidate reports and immediately alert senior management when a significant volume of control failures has been identified for a given organization unit or department.
  10. Bots can automate mundane tasks such as resetting passwords after the necessary validations, triggering Segregation of Duties violation reports with transaction details in near real time, sending reminders for firefighter reviews that have been pending for more than a specified number of days, etc.
  11. Bots can use AI and ML to look at dependencies and patterns in the transactions that are tested. For example:
    1. A duplicate vendor check was disabled by a user and this was detected as an internal control failure. The bot can immediately check whether duplicate invoices were recorded the same day or period by another user, which would point to possible collusion between the two users and a potentially fraudulent scenario.
    2. Perform pattern analysis on occurrences of multiple credit notes issued to customers during the first week of the month following the sales (to cover up fake customer invoices that boosted revenue).
    3. Insert real-time control checks within business applications during travel claim settlement and approval to prevent suspicious or inadvertent claims: check the claim history of a particular user, compute standard deviations and flag exceptions to managers for real-time intervention before the claim is settled.
    4. Scan text and images in documents attached in support of transactions such as purchase orders, journal vouchers, travel and other reimbursement claims to verify their correctness, relevance and accuracy, and highlight mismatches that need to be probed further by line managers.
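As an added illustration of items 11.1 and 11.3 above (example code written for this page, not from any GRC product), the following Python runs two of the described checks over constructed sample postings: a duplicate-invoice check that looks for the same vendor invoice keyed twice on the same day by different users, and a per-user standard-deviation check on expense claims. The data, field names and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed sample data (not real postings); field names are assumptions.
INVOICES = [
    {"doc": "INV-1001", "vendor": "V100", "invoice_no": "A-77", "amount": 4200.0, "posted_by": "alice", "date": "2024-03-04"},
    {"doc": "INV-1002", "vendor": "V100", "invoice_no": "A-77", "amount": 4200.0, "posted_by": "bob", "date": "2024-03-04"},
    {"doc": "INV-1003", "vendor": "V200", "invoice_no": "B-12", "amount": 900.0, "posted_by": "alice", "date": "2024-03-05"},
]
# Claim history per user, oldest first; the last entry is the claim under review.
CLAIMS = {
    "carol": [120.0, 95.0, 130.0, 110.0, 105.0, 980.0],
    "dave": [300.0, 310.0, 290.0],
}

def duplicate_invoices(invoices):
    """Group postings by (vendor, invoice_no, amount); a group with more than one posting
    is a potential duplicate, and one keyed by different users on the same day is marked."""
    groups = defaultdict(list)
    for inv in invoices:
        groups[(inv["vendor"], inv["invoice_no"], inv["amount"])].append(inv)
    findings = []
    for key, rows in groups.items():
        if len(rows) < 2:
            continue
        users = {r["posted_by"] for r in rows}
        dates = {r["date"] for r in rows}
        findings.append({
            "key": key,
            "docs": sorted(r["doc"] for r in rows),
            "users": sorted(users),
            "same_day_different_users": len(users) > 1 and len(dates) == 1,
        })
    return findings

def claim_outliers(claims, z_threshold=2.0, min_history=5):
    """Per user, compute mean and population standard deviation of prior claims and flag
    the latest claim when it lies more than z_threshold deviations away; thin history is skipped."""
    flagged = {}
    for user, amounts in claims.items():
        history, latest = amounts[:-1], amounts[-1]
        if len(history) < min_history:
            continue
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0:
            continue  # identical prior claims: z-score is undefined
        z = (latest - mu) / sigma
        if abs(z) > z_threshold:
            flagged[user] = round(z, 2)
    return flagged
```

A skipped user is a coverage gap, not a clean result, so a production version would report "insufficient history" separately rather than silently passing the claim.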

“Business bots will be the new intangible assets owned and reported by businesses in future. Harvesting and integrating the value derived from these intelligent assets will become crucial for business success.” (Chatbots Magazine)

The examples given above are only a few samples. The continued evolution of AI is enhancing the potential and functionality of RPA and bots, making the possibilities virtually limitless.

Digital Transformation re-defines CCM

In complex system landscapes (especially those with leading ERP solutions that handle huge volumes of data), defining an approach for Continuous Control Monitoring can be overwhelming. The nuances of the many configuration, master data and transaction controls in the system, coupled with authorization mechanisms, can influence the effectiveness of the controls.

Every auditor (or audit firm) faces the daunting task of defining appropriate audit procedures for the various types of audits.

Testing in a traditional audit generally uses one or more of the following:

  • Appropriate inquiry about the controls in existence,
  • Activities and operations tested through observation of a process or sub-process, such as reviewing transactions and supporting documents,
  • Ensuring manual controls are performed by examining and recording evidence,
  • When all of the above do not provide sufficient assurance, manually re-performing a control test and comparing the outcome against the system-generated result, and
  • Using a Computer Assisted Audit Tool (CAAT) (e.g. ACL, IDEA, etc.) that helps look at a larger sample out of the available data.

Internal Audit, as the third line of defence, has to rely on substantive evidence provided by Continuous Control Monitoring (CCM) that can be corroborated by other audit test procedures.

With an appropriate high-performing analytical platform,

  • 100% coverage of the transactions chosen for control testing can be achieved, rather than being limited to a sample,
  • Statistics (mean, variance, standard deviation, etc.) can be computed over a very large population, potentially millions of transactions over the course of a quarter or year, and
  • The technological capabilities of a strong platform can bring in control testing and analysis that applies Artificial Intelligence through machine learning and pattern analysis across huge data sets.

Leading companies have started using Continuous Control Monitoring because they reap significant benefits:

  • Proactive detection and timely corrective measures before control deficiencies lead to financial misstatements and losses.
  • Automation techniques available for monitoring and testing help cover more controls than the manual tests done earlier, enabling better coverage and assurance to top management for certification.
  • Automated control testing makes it easier to schedule and evaluate CCM tests and deal with issues.
  • Lower cost, time and effort compared to manual testing.
  • Helps bring transparency for internal and external audits and regulatory requirements.

Leveraging Automation in Continuous Control Monitoring

  • Automated testing used for CCM brings 360-degree coverage of key risks. It is not just about “controls monitoring”; it is about “risk identification” too!
  • Access and authorization risks (the foundational internal control): monitoring segregation of duties and critical or sensitive access to data.
  • Configuration risks arising from inadvertent or wilful changes to system configuration that could have serious repercussions on the efficiency and effectiveness of the controls.
  • Master or static data changes that drive erroneous or suspicious transactions, resulting in waste, abuse or fraud against the organization.
  • Transactions recorded in enterprise systems have to be screened for exceptions and deviations to avoid risks.
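As an added example of the access and authorization risk monitoring described above (illustrative code written for this page, not from any GRC or ERP product), this Python evaluates constructed role assignments against a small segregation-of-duties conflict matrix and attaches transaction details, distinguishing a conflict the user merely holds from one the user has actually exercised. Role names, documents and the conflict pairs are all assumptions.

```python
from collections import defaultdict

# Constructed sample data (assumptions, not from any ERP): pairs of roles that
# must not be held by one user, current role assignments, and a transaction
# log recording which role each user exercised for each document.
SOD_CONFLICTS = {
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_RUN"}): "maintain a vendor and pay it",
    frozenset({"JOURNAL_POST", "JOURNAL_APPROVE"}): "post and approve own journals",
    frozenset({"PO_CREATE", "GOODS_RECEIPT"}): "order goods and confirm their receipt",
}
ROLE_ASSIGNMENTS = {
    "alice": {"VENDOR_MAINTAIN", "PAYMENT_RUN", "REPORT_VIEW"},
    "bob": {"JOURNAL_POST", "REPORT_VIEW"},
    "carol": {"JOURNAL_POST", "JOURNAL_APPROVE", "PO_CREATE", "GOODS_RECEIPT"},
}
TRANSACTIONS = [
    {"user": "alice", "role": "VENDOR_MAINTAIN", "doc": "VEND-9001"},
    {"user": "alice", "role": "PAYMENT_RUN", "doc": "PAY-3001"},
    {"user": "carol", "role": "JOURNAL_POST", "doc": "JE-41"},
]

def sod_violations(assignments, conflicts, transactions):
    """Return one finding per (user, conflicting role pair). A finding is
    'exercised' when the log shows the user actually used both sides of the
    conflict; a potential (unexercised) conflict is still reported, with the
    transaction details attached as evidence for the control owner."""
    docs_by_user_role = defaultdict(list)
    for t in transactions:
        docs_by_user_role[(t["user"], t["role"])].append(t["doc"])
    findings = []
    for user, roles in assignments.items():
        for pair, description in conflicts.items():
            if not pair <= roles:
                continue
            r1, r2 = sorted(pair)
            docs1 = docs_by_user_role[(user, r1)]
            docs2 = docs_by_user_role[(user, r2)]
            findings.append({
                "user": user,
                "conflict": description,
                "roles": (r1, r2),
                "exercised": bool(docs1 and docs2),
                "evidence": docs1 + docs2,
            })
    # Exercised conflicts first so the escalation list starts with what matters most.
    findings.sort(key=lambda f: (not f["exercised"], f["user"]))
    return findings
```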


  • CCM is not just a “nice to have” concept. With almost all regulations, such as the Indian Companies Act, stock exchange listing agreements and several other international requirements, calling for certification of the “efficiency and effectiveness” of internal controls, it has become a “must-have”.
  • Automation of CCM with the right technology partner:
    • Reduces time to test
    • Reduces the cost of testing
    • Reduces the effort in setting up schedules
    • Finds exceptions faster and routes them to users for resolution
    • Takes preventive steps in critical areas of the business to strengthen internal controls in a timely manner
    • Brings in transparency that can be shared with internal and external auditors to save audit time and effort, and reliable reporting to the Board and Audit Committee.