Many leaders, however, are having a hard time deciding where to start. A recent Protiviti survey of next-generation internal audit (IA) practices found that most IA functions are still considering or are in the very early stages of automation, and 10% remain on the fence, counting themselves among the ranks of the “digital skeptics.”
One big takeaway from that survey was that long-term digital success often starts with small initiatives. That’s the approach taken by audit leaders at one global communications company, who took great strides toward digital maturity and saved hundreds of hours of audit time by deploying technology to help manage user access reviews. That initial success paved the way for even bigger opportunities.
Acquisitions create complex systems
Rapid global expansion, primarily through acquisitions, created a complex network comprising more than 60 systems and more than 3,000 users spread around the globe. As a public company, the organisation was required to control and monitor user access, and to review and report on the effectiveness of those controls under Sarbanes-Oxley (SOX).
Most of these systems were operational in nature, but they were in-scope for SOX reporting because they tied into the financial system and therefore created a threat vector. With so many systems and users being added and terminated on an ongoing basis, it was no easy task making sure all users had appropriate access and that terminated users were removed in a timely manner.
After a successful trial, in which automation was able to significantly reduce review time, the client deployed RPA to 25 additional systems. It became clear that automation could free up hundreds of hours of reviewer time that could be put to more strategic use.
Access review and reporting is one of those tedious, time-consuming, repetitive and high-volume tasks that are essential and mandatory but eat up a lot of time and add little value to the organisation. With more than 300 designated access reviewers, the director of IT compliance and the chief audit executive recognised both the need to automate and the suitability of this audit process for automation. They asked Protiviti to help as a natural extension of an existing contract to perform periodic SOX audits.
RPA paves the way
Given the high-volume, repetitive nature of the access review process and the client’s previous familiarity with robotic process automation (RPA), a bot deployment seemed like a logical first step. The project team started small, with a successful proof of concept on a single system. After a successful trial, in which automation was able to significantly reduce review time, the client deployed RPA to 25 additional systems. It became clear that automation could free up hundreds of hours of reviewer time that could be put to more strategic use. Three years into the deployment, the company continues to expand its use of RPA as an important component in the audit function’s digital transformation.
Digging deep with process mining
The successful deployment of RPA for SOX purposes inspired the audit team to look for other ways to apply enabling technology to improve audit processes. One of the first opportunities to emerge was in procurement, where a complex migration of dozens of systems to the Oracle Cloud had created some inconsistencies in the creation of purchase orders (POs) and the application of invoices against those POs. Protiviti worked with audit managers under the direction of the CAE using the Celonis process mining tool to identify previously hidden glitches and disconnects and propose a solution that would potentially eliminate process-related late payment fees and penalties.
In addition to mapping workflows, process mining allowed the company to drill down into specific transactions to identify problematic vendor relationships and find ways to work with those vendors more effectively. Once Protiviti helped identify areas for potential improvement, the company’s audit team took over, working internally with the finance department to implement changes.