Getting Started With Automation Governance: Charters and COE Models

Automation technology is now in users’ hands. The proliferation of highly accessible low-code and no-code automation technologies means that IT no longer holds the reins. Users are driving rapid adoption across functions, capitalizing on their increased ability to use automation to both transform and disrupt their organizations. 

Forward-looking organizations are embracing business-driven hyperautomation. The benefits and ROI are clear, proven, and increasingly necessary, given an ever bigger focus on resilience and the need to do more with less. But they’re also focusing on getting the right balance of automation governance in place to manage risk, establish controls, and ensure the discipline, security, and quality that sustain automation programs long-term. 

The rapid pace of this democratized automation brings risk. Automation is outpacing existing controls and compliance mechanisms. Users have greater access to sensitive information, but often lack development and deployment expertise. Implementations may fail to account for interoperability. Organizations should be cognizant of these risks, designing automation governance frameworks that help define, direct, manage, and scale efforts.

Establishing an automation governance charter and center of excellence (COE) model are great places to begin, and internal audit is ideally positioned to get organizations moving in the right direction. Here’s how to get started.  

Key Questions About Automation Governance Objectives 

Begin by asking the right questions to help your organization understand and agree on objectives, which should include:

  • Building out the right capabilities. Are you prioritizing the right work to automate? What automations will deliver the biggest benefits? 
  • Selecting the right technologies. Do automation technologies fit the goals and requirements of the work (e.g., complexity, flexibility, decision-making)?
  • Balancing centralized and individual objectives. How can you encourage and capitalize on user-driven innovation while providing appropriate levels of centralized governance?  
  • Ensuring good governance, security, quality, and compliance. Can you leverage or improve existing controls? What new controls are needed around user/bot access, segregation of duties, and monitoring/measurement? What regulatory/compliance requirements must be considered? 

A robust automation governance framework ensures strategic alignment across the organization. With natural cross-functional integration and risk, compliance, controls, and scoping expertise, internal audit is well-positioned to support organizations in gaining alignment on objectives.      

Build Out Your Automation Governance Charter

Next, use the objectives discussion to begin building out your automation governance charter. The charter provides a framework outlining the organization’s big-picture automation vision and program, including: 

  • Automation objectives and outcomes. Define and align on strategic goals and priorities. 
  • Leadership structure. Include executives, IT, internal audit, HR, finance, and relevant business stakeholders. Ensure cross-functional collaboration, communication, and accountability, clearly defining roles/responsibilities and COE model. Identify an executive sponsor/champion to evangelize impact and drive adoption.
  • Principles, standards, and policies. Agree on what will be automated and how automations will be developed, measured, and sustained. 
  • Automation life cycle. Document a well-organized process covering ideation, assessment, feasibility, current-state process documentation, process reengineering, development, testing, implementation, deployment, and ongoing maintenance and evaluation. 
  • Definition of success criteria. Identify metrics, KPIs, and milestones to measure impact.  
  • Documentation prior to automation. Documenting the process before automation is critical for business continuity. Automations, bots, scripts, etc. may fail for a variety of reasons. Process owners need to ensure documentation of the original process is accurate in case the process needs to be performed manually.
  • Change management strategy, including education and training. Orchestrate efforts across people, processes, and technology. Convey vision, gain buy-in, confirm feasibility, prove value, and support innovation. Include an upskilling program for leaders and process owners.
  • Reassess process owner responsibilities after automation. After automation is implemented in production, a process owner’s role may change. Change management needs to assess what the owner’s new responsibilities for a process may be — it’s not “set it and forget it.” For example, instead of manually performing the process for every record, owners may have to review an exception report showing the records an automation was unable to process. The owner may need to investigate and/or manually process the exceptions.

COE Models for Automation Governance 

Automation governance COE models aren’t one-size-fits-all. They also tend to evolve over time. Your goal is to choose a model that balances and capitalizes on your organization’s culture, management style, and capabilities, helping to:

  • Coalesce different resources and skill sets.
  • Provide direction, ownership, education, and support. 
  • Drive adoption that helps optimize investments.

CIONET’s The Automation Governance Playbook outlines three primary automation governance models described and illustrated below.


Centralized

The centralized COE model is right for most organizations setting out on their automation journeys (i.e., first 6–12 months). A single COE owns and “parents” automation governance, infrastructure, standards, development/deployment, and vendor management, supporting interoperability across solutions and functions.

Hub and Spoke / Federated

The hub-and-spoke, or federated, COE model may be the right choice as organizations mature in how they use automation and manage their life cycle. A central COE still provides oversight and manages critical development, but controls are loosened. COEs at the business/functional level manage many developmental and operational aspects of automation. 


Decentralized

In a decentralized COE model, organizations operate separate COEs at the business, functional, or geographic levels. This less common model is best suited for organizations with a high degree of maturity and expertise in automation development/deployment.

Optimize Automation Benefits With Good Governance

The potential benefits of automation are massive, and the user momentum can be powerful. Getting the right levels of automation governance in place can help you make the most of that momentum, supporting an automation program that’s targeted, integrated, and sustainable for the long term. Be proactive in your approach to automation governance, making it a strategic imperative — not an afterthought. 


Brett Luis was a VP of Product at AuditBoard, where he focused on enhancing audit products through analytics, automation, and other advanced technologies. Before joining AuditBoard, Brett was on the front lines — supporting public companies in standing up robust internal audit and SOX compliance programs — and in the audit trenches, leading attestation reporting engagements and the IT component of the internal controls and financial statement audits for public registrants. Connect with Brett on LinkedIn.


Joe Kim is a Director of Product at AuditBoard, serving as the product leader for AuditBoard’s audit software product line and leading innovation in this space by empowering the next generation of auditors using transformative technology. Joe brings 16 years of experience in both public and private accounting with specializations in workforce automation and data analytics. Connect with Joe on LinkedIn.


Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades of experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.