How to Automate Monitoring and Reporting for IT General Controls
What are the benefits when you automate monitoring and reporting for IT general controls? Tania Petrina (Partner, GRC Technology at Ernst & Young) moderates a lively discussion between Solene Alos (Senior Manager, GRC Technology at Ernst & Young) and Anthony Ferrentino (Manager, GRC Technology, Ernst & Young) that covers:
- Three key IT processes that impact automated controls testing
- The organizational benefits when you automate monitoring and reporting IT general controls
- AuditBoard’s unique, cloud-first approach to automation
Watch the full conversation, and read the can’t-miss highlights below.
What key IT processes impact automated controls testing?
Solene Alos (Ernst & Young): There are three key IT processes involved, and the first one is managing access. You must only provide IT environment access to authorized and appropriate users. The second process is change management – how will you make appropriate changes to your IT environment and programs? The third process is IT operations. Make sure that you provide a reliable processing environment that is prepared for routine operating issues. Of course, this leads us into automated control testing.
Automated controls testing is the process of monitoring adherence to internal policies, regulatory requirements, authoritative standards, and control objectives, by leveraging technology. In this case, the technology we’re leveraging is AuditBoard. At any point in time, you can go into your control in AuditBoard, click on the control, click perform testing, and you have right away the results of your testing. AuditBoard works at a real-time frequency, since testing is done and documented at the click of a button.
What are the benefits of automated controls testing?
Solene Alos (Ernst & Young): The first benefit of automated control monitoring is cost savings. When you automate that, you reduce the cost of testing and having control owners manually pull information for you. Other soft benefits include increasing risk accountability within the business. Owners will have greater visibility and ownership of risk, which means greater collaboration across the three lines of defense. Additionally, a lot of control owners in your IT departments get audit fatigue when you need to test ITGCs. They may be getting requests from both internal and external auditors and it’s very tiresome. With a solution like AuditBoard, you eliminate that step of asking them for reports. Now, you get reports directly from AuditBoard, which changes the conversation to valuable questions: is this user receiving appropriate access? How can we improve control effectiveness? How can we identify and manage restraints?
What practical steps help set up automated controls testing?
Solene Alos (Ernst & Young): The first step in your AuditBoard system is having the right data set up. For ITGCs, you’ll need a risk and control matrix in AuditBoard that will outline all your IT risks and controls. These general controls may vary depending on your applications. Beyond your risk and controls matrix, you can have your test plans and automated monitoring rules built into the system, so that it pulls the right data from the ERP. You may have several SOX applications and scopes; you need to have that documented as well.
The second step is using the right technology. For us, that combination is AuditBoard, Alteryx, and the backend ERP. The third step is risk response: how do you get test results? How do you evaluate them? What are your findings, and what steps are you taking to address the deficiencies uncovered by those findings? The fourth step is identifying what you want to automate. While today’s discussion focuses on IT general controls, it opens the door to do a lot more via your AuditBoard platform.
The fifth step is a pilot approach: take a small step with something you know will work well from an automation perspective, and see what it will give you. Start small and see what happens in terms of savings and change management.
How do you use AuditBoard to approach automated controls testing?
Anthony Ferrentino (Ernst & Young): AuditBoard has taken a unique approach to automation in their platform. AuditBoard has created a modern, cloud-first API approach to easily integrate the platform into your tech stack. Once you’re connected to those different tools, you’ll drive analytics directly into your AuditBoard platform. I like to think of AuditBoard as a control tower, connected to a variety of different sources.
AuditBoard also allows you to simplify evidence collection and reporting, with the goal of improving quality, providing cost efficiency, and enhancing test effectiveness. Here’s a high-level view of how this particular architecture is laid out. The user would start off in AuditBoard in a particular control. The user would determine they want to run a workflow for that control and execute that workflow. The stored logic would then get executed from Alteryx, pull that information from SAP, and then those SAP ITGC results will be fed directly into that particular control. All an auditor has to do is take those results, plug them into their work paper, and then determine in the system whether it’s effective or not effective.
What further steps can you take to implement automated controls testing?
Anthony Ferrentino (Ernst & Young): To recap, some of the benefits of automated control testing include risk accountability within the business, greater control coverage, effort, reduced costs, and manual activities. The steps to implement automated controls testing include understanding your key foundational data elements within your AuditBoard instance, assessing your organization’s technologies, determining the risk response, determining the scope of testing, and then implementing automated testing.