Article

Internal control testing: approach to automation

Alex Hunt
By:
banner image
Internal control compliance can be time and resource intensive. Alex Hunt explains how to start, scale, and mature your testing automation capabilities to add value across material controls.
Contents

Control testing automation means using programmed workflows to help organisations generate intelligent insights that support risk management and compliance. Organisations can deploy solutions to rapidly help management and assurance teams deliver automated and data-driven insights. Developing automation capabilities requires investment but it creates the opportunity for compliance activity to be automated and allow your teams to deliver greater value adding work.

Internal control compliance activity varies from long-standing US Sarbanes-Oxley (US SOX) programmes to new programmes established to meet internal control reporting requirements from the 2024 UK Corporate Governance Code (the Code), which requires companies to report on the effectiveness of their material controls. 

Some examples of effective control automation are:

User access and security

Automation can provide a targeted approach to user access testing. Instead of periodic review, it can facilitate automated alerting of new exceptions, such as the use of inactive, privileged, or superuser accounts, failed log in attempts and irregular or out of hours use.

Segregation of Duties (SoD)

Provide transparent, customisable, and interactive analysis of SoD risks. Customisable and interactive views of user responsibilities and conflicts, eliminate false positives, flag high-risk system administrator conflicts and end-user SoD conflicts and associated risks across all business cycles.

Payroll controls

Automation can test many high risk control areas within payroll, such as:

  • if changes to employee information are correctly authorised
  • whether there are any self or inappropriate approvals
  • identifying duplicate or ghost employees
  • reconciling balances per period to payments and the general ledger

How does controls automation work?

To implement controls automation there are a few considerations to ensure it operates effectively.

Understand early on what output you'll need and what limitations may restrict automation. This will help you identify what resources you need to deliver the automation requirements.

Automation is not possible without access to data, understanding what data is available, who the data owners are and how often and easily data is available. Automated connections to live systems will help re-performance but data extracts are an easier way to start.

Data can be used to identify where exceptions to business rules exist as well as where controls are failing. Think about the scope of testing to consider how you can most effectively test controls.

When building tests, ensure to thoroughly test the outputs and consider how exceptions can be highlighted. Advance analytics should look to use exceptions to trigger actions such as automatic emails sent to control owners or approval process triggers.

Visualisation can help identify outliers and exceptions, but also be used as a strong communication tool to highlight trends and performance.


Where to start?

To start delivering controls testing automation effectively, your initial focus should be on quick wins to realise benefits and establish trust in the solutions. Identifying controls that can generate these wins in year one is key to success as it helps derive the maximum initial value. Areas we have found often that drive immediate value are:

  • Security admin - user access provisioning, user termination and access re-certification
  • Change management - application-level change controls and testing change approval.
Pilot Evaluate Scale up

To begin automation, starting with a pilot can be beneficial.

Identifying controls that can generate quick wins in year one is key to success as it helps derive the maximum initial value.

Areas we have found often that drive immediate value are:

Security admin -user access provisioning, user termination and access re-certification
Change management -
application-level change controls and testing change approval

After an initial pilot, it's key to evaluate critical decisions for long term successful automation.

Examples of such decisions are:

Real time or snapshot data -initially data extracts can be easier but require manual processing
How many controls are in scope
- start with a workable number done successfully and build up 
Scheduling
- how often do we want to run the control? Should it be manual execution, should it be a single run or run-on-demand? Do you want real-time and trigger notifications on exception?

Build on the pilot prototype and scale up the amount of controls tested and/or complexity of testing.

Good examples of more complex testing would be:

Security admin -privileged access and password configuration
Change management
- changes to production environments and change testing and approval (database / OS)
IT operations - access to key applications and interface jobs failures and exception handling

 

What are the challenges?

The biggest challenge is ensuring you have the correct strategy for using tools and technologies to modernise your internal control testing. Any approach should focus on achieving quick wins by leveraging existing tools and skills to demonstrate value before progressing to long term transformation goals.

Asking a few big questions at the start can help you manage it. 

Tools and licences can be expensive to purchase and configure to your needs. Think about using existing tools; the likelihood is that these may be enough to get started on short term needs or a pilot. Also, consider if you can utilise lower entry cost or open-source tools.  

The time savings generated from automation are often underestimated and it’s worth considering how less disruptive an automated approach will be to finance and IT personnel once established. There is less burden on your organisation as compliance activity is automated and employees can spend this saved time on higher value activities. Consider if other areas may benefit from using these tools, as this will increase your return on investment.  

Most organisations will not necessarily have all the skills in the organisation to run all the tools they would ideally use. Training, piloting, recruitment, and external help are all effective ways to increase skills and knowledge.  

There are numerous digital solutions on the market that can deliver automated compliance. There is no one size fits all solution, however, end-to-end digital auditing solutions exist that package together the necessary digital components for automation. These solutions are a good option for organisations with limited digital capabilities as it means only one investment, instead of bringing together multiple tools.  

 

What else do you need to think about?

Often it's not clear where controls ownership and automation falls within an organisation. Internal audit may be the function with the capabilities and maturity to initiate automation although in the long run, the ownership should sit with business management as part of the internal control environment.

Updating process documentation, control descriptions, and control monitoring run-books with details of the automation can help develop greater understanding of controls and value and drive standardisation and efficiency.

Controls are often monitored by a variety of different teams across an organisation and it's difficult to collate all controls into a single view. Automation should bring data from across an organisation together. It's a perfect opportunity to standardise controls into a single place to gather valuable insights into control performance.

Automation will not create value overnight. Often the time taken to embed robust automation will mean there are no immediate short-term efficiencies. This is far outweighed by the value, time-saving and increased insights that occur after implementation. Picking the right controls to automate will help drive value quickest. 

Automation will require data and resources from across an organisation to work together.  Buy-in from senior leadership is the most effective way to bring together teams such as internal audit, technology, finance, and other data owners to understand what is trying to be achieved and the benefit to the overall organisation.

 

Effective controls automation will take co-operation and effective planning, but the benefits that it can drive in efficiency, flexibility and insights, mean that organisations need to be giving it due consideration. This in turn allows compliance teams to focus their time in the areas that require their skills and judgement for meeting regulatory obligations and continuous improvement.

For more insight and guidance get in touch with Alex Hunt

How we helped a client demonstrate testing of its IT controls for SOX compliance, automating for efficiency and insight.
Automating assurance for IT controls and US SOX compliance
Read this article