As internal audit functions are challenged to adopt more agile methodologies and provide deeper and more strategic insights, often in real-time or near real-time, audit leaders are looking for enabling technology that will help them meet these new and growing demands.
Many leaders, however, are having a hard time deciding where to start. A recent Protiviti survey of next-generation internal audit (IA) practices found that most IA functions are still considering or are in the very early stages of automation, and 10% remain on the fence, counting themselves among the ranks of the “digital skeptics.”
One big takeaway from that survey was that long-term digital success often starts with small initiatives. That’s the approach taken by audit leaders at one global communications company, who took great strides toward digital maturity and saved hundreds of hours of audit time by deploying technology to help manage user access reviews. That initial success paved the way for even bigger opportunities.
Rapid global expansion, primarily through acquisitions, created a complex network comprising more than 60 systems and more than 3,000 users spread around the globe. As a public company, the organization was required to control and monitor user access, and to review and report on the effectiveness of those controls under Sarbanes-Oxley (SOX).
Most of these systems were operational in nature, but they were in-scope for SOX reporting because they tied into the financial system and therefore created a threat vector. With so many systems and users being added and terminated on an ongoing basis, it was no easy task making sure all users had appropriate access and that terminated users were removed in a timely manner.
After a successful trial, in which automation was able to significantly reduce review time, the client deployed RPA to 25 additional systems. It became clear that automation could free up hundreds of hours of reviewer time that could be put to more strategic use.
Access review and reporting is one of those tedious, time-consuming, repetitive and high-volume tasks that are essential and mandatory but eat up a lot of time and add little value to the organization. With more than 300 designated access reviewers, the director of IT compliance and the chief audit executive recognized both the need to automate and the suitability of this audit process for automation. They asked Protiviti to help as a natural extension of an existing contract to perform periodic SOX audits.
Given the high-volume, repetitive nature of the access review process and the client’s previous familiarity with robotic process automation (RPA), a bot deployment seemed like a logical first step. The project team started small, with a successful proof of concept on a single system. After a successful trial, in which automation was able to significantly reduce review time, the client deployed RPA to 25 additional systems. It became clear that automation could free up hundreds of hours of reviewer time that could be put to more strategic use. Three years into the deployment, the company continues to expand its use of RPA as an important component in the audit function’s digital transformation.
The successful deployment of RPA for SOX purposes inspired the audit team to look for other ways to apply enabling technology to improve audit processes. One of the first opportunities to emerge was in procurement, where a complex migration of dozens of systems to the Oracle Cloud had created some inconsistencies in the creation of purchase orders (POs) and the application of invoices against those POs. Protiviti worked with audit managers under the direction of the CAE using the Celonis process mining tool to identify previously hidden glitches and disconnects and propose a solution that would potentially eliminate process-related late payment fees and penalties.
In addition to mapping workflows, process mining allowed the company to drill down into specific transactions to identify problematic vendor relationships and find ways to work with those vendors more effectively. Once Protiviti helped identify areas for potential improvement, the company’s audit team took over, working internally with the finance department to implement changes.
“With this project, our client achieved the perfect trifecta of quantifiable business value, utilization of advanced technology and integration with next-gen internal audit methodology, which is a focus for the company. The success of the pilot set the foundation for the organization to confidently take on more strategic and impactful pursuits with automation and next-gen methodology.”
— Anthony Chalker, Managing Director, Protiviti
Empowered by enabling technology (automation) and next-generation internal audit methodologies, auditors at the communications company were able to free up time that could be reallocated to more strategic activities, such as process mining, which helped uncover and address disconnects that were resulting in late fees and strained vendor relationships. These tools and methodologies improved governance and elevated the skill set of the internal audit function, added value to the organization, and moved the audit function forward on the path to digital maturity.