
Bots and SOX: IT Auditors Tap RPA To Reduce Repetitive Work

By Justin Jones | September 11, 2024

One member’s IT audit team blazes the automation trail for the broader finance organization to use time-saving bots.

The job of IT auditors at many NeuGroup companies includes testing and auditing automated controls and compliance related to the Sarbanes-Oxley Act (SOX). Auditing those controls manually is often a painstaking and repetitive process, so implementing robotic process automation (RPA) to get the job done makes a lot of sense.

  • That was among the takeaways from a recent monthly session of NeuGroup for IT Auditors where one member shared that they worked with the IT team to adopt RPA, developing bots to perform what some members in other sessions have called “dumb” work.
  • That has proven to be a smart move that saves time in completing SOX audits and has paved the way for other automation in the broader finance function at the company.

Bots, humans and tickets. A manual IT audit of systems with SOX controls previously required auditors to pick random electronic tickets submitted by employees using software programs—including those used for IT service requests and project management. Selecting the tickets is a task that requires no judgment—hence the “dumb” label.

  • One person on the member’s team who presented at the session said, “We had 20-plus SOX controls for which we were spending time pulling tickets throughout the year. There is no judgment in it at all.” That made the job perfect for bots that use no judgment in selecting tickets, freeing up humans to do more value-added work.
  • The team presented a demo of a bot pulling tickets from a large pool of samples and performing the SOX testing. The process includes extracting key information such as ticket numbers, approval details and a PDF screenshot of the ticket.

Bot best practices and alerts. Selecting the right software systems to automate is critical. You don’t want to unleash bots in programs where user interfaces are likely to change frequently, requiring the bot to be updated constantly.

  • The member’s team also noted that the IT team needs to consider the potential impact on the bot of changes to “upstream” systems that feed information into the software being audited.
  • Build alerts into your bots. The IT audit team at the member company is notified if a bot encounters a problem. “If a bot fails, it sends a chat to all of us,” the member said.
  • Reports need to be generated showing how well the bots are performing. “We have monthly evidence that says the bot ran so many times and there weren’t any issues with the bot,” they said.
  • A chat channel also alerts qualified users when the bot is being used and identifies who initiated the process.
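The following Python harness is an added example, not code from the member's team or from NeuGroup. It sketches the pattern described in this section and under "Bots, humans and tickets": a judgment-free sample pull whose selection is reproducible from a recorded seed, a run record that names who started the bot, a failure alert to the team channel, and a monthly summary of how many times the bot ran and how many runs failed. The ticket pool, the bot and user names, and the `chat_alert` stand-in for the team chat are all constructed.

```python
import hashlib
import random
from dataclasses import dataclass, field, asdict

# Constructed sample pool: 40 change tickets shaped loosely like a ticketing-system export.
# Every third ticket is deliberately left without an approver so the control has exceptions to surface.
TICKETS = [
    {"id": f"CHG-{n:04d}", "approver": "" if n % 3 == 0 else "approver.a",
     "closed": f"2024-{(n % 12) + 1:02d}-15"}
    for n in range(1, 41)
]


@dataclass
class RunRecord:
    """One line of run evidence: who started the bot, what it picked, how it ended."""
    bot: str
    initiator: str
    started: str          # ISO timestamp, passed in by the caller so a run can be replayed
    seed: str = ""
    status: str = "running"
    sample_ids: list = field(default_factory=list)
    error: str = ""


def select_sample(tickets, n, seed):
    """Judgment-free selection: a seeded draw over a sorted pool, so an auditor who
    has the pool and the seed from the run record gets exactly the same tickets back."""
    rng = random.Random(seed)
    pool = sorted(tickets, key=lambda t: t["id"])
    return rng.sample(pool, n)   # raises ValueError if n exceeds the pool size


def extract_evidence(ticket):
    """Capture only the attributes the control tests. A missing approver is flagged as
    an exception for a human to review; the bot makes no decision about it."""
    return {
        "ticket": ticket["id"],
        "approver": ticket["approver"] or None,
        "closed": ticket["closed"],
        "exception": not ticket["approver"],
    }


def run_bot(bot, initiator, started, tickets, n, alert, evidence_log):
    """Run one sample pull, append a RunRecord to evidence_log, and call alert() on any failure."""
    # Seed derived from bot name and start time: recorded, so the pull is reproducible.
    seed = hashlib.sha256(f"{bot}:{started}".encode()).hexdigest()[:16]
    rec = RunRecord(bot=bot, initiator=initiator, started=started, seed=seed)
    results = []
    try:
        sample = select_sample(tickets, n, seed)
        rec.sample_ids = [t["id"] for t in sample]
        results = [extract_evidence(t) for t in sample]
        rec.status = "ok"
    except Exception as exc:                              # any failure -> notify the whole team
        rec.status = "failed"
        rec.error = repr(exc)
        alert(f"[{bot}] run started by {initiator} at {started} FAILED: {exc!r}")
    evidence_log.append(asdict(rec))
    return rec, results


def monthly_evidence(evidence_log, bot, period):
    """Summarize one month (period as 'YYYY-MM'): the 'bot ran N times, no issues' evidence."""
    runs = [r for r in evidence_log if r["bot"] == bot and r["started"].startswith(period)]
    return {
        "bot": bot,
        "period": period,
        "runs": len(runs),
        "failed": sum(r["status"] == "failed" for r in runs),
        "initiators": sorted({r["initiator"] for r in runs}),
    }


def chat_alert(message):
    """Stand-in for posting to the team chat channel; prints instead (constructed)."""
    print("CHAT:", message)


if __name__ == "__main__":
    log = []
    rec, results = run_bot("sox-ticket-pull", "auditor.b", "2024-09-11T09:00:00Z",
                           TICKETS, 5, chat_alert, log)
    print(rec.status, rec.sample_ids)
    for row in results:
        print(row)
    print(monthly_evidence(log, "sox-ticket-pull", "2024-09"))
```

The run record is the artifact an external auditor would ask for: it ties each sample to an initiator, a timestamp and a seed, so the selection can be re-derived rather than trusted. A sample size larger than the pool is the failure mode exercised here; it ends the run as `failed`, posts the alert, and still lands in the evidence log so the monthly count reflects it.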

External auditors and access management. That last point highlights the importance of thinking through access—an issue you can expect outside auditors to pay a lot of attention to, according to members.

  • “Our external auditors are looking for all kinds of controls around these bots around change management and security,” a member from a different company said. “Not only in terms of quarterly access reviews of who has access to the bot, but also reviewing access the bots have to the applications themselves.
    • “There’s a whole host of controls they are suggesting,” they added. “You would think automations would make things easier, but it also adds a lot of controls on the back end.”
  • That’s in part because a bot often requires privileged access to the general ledger or data related to AR or AP. You have to create a separate ID for the bot to gain access, and that has to be shared with the team managing it.
  • The presenting member suggested integrating RPA with a credential management tool. Their team is in the process of doing this as they identify more bot use cases.
    • “There are certain bots that are in our pipeline that we have put on hold because we have not yet answered all of the security questions there,” they said.

Pushing back. The presenting member made a distinction about controls and coming to an agreement with outside auditors about processes where there is no judgment.

  • “Look at things where you get irrefutable evidence—screenshots, downloads, and PDFs of tickets—where there’s no judgment involved, no decision-making on the part of the bot. If the bot is just performing that function, then we have been able to not do additional controls on our bots,” they said.
  • The member noted that if bots were being used by the business in their execution of controls, rather than by the IT audit team doing SOX testing, additional controls may be required.

The benefit of being first. Being the first team to adopt RPA for what senior management considered a strategic advantage meant IT audit at the presenting company did not have to produce a return on investment within two years, the company’s normal requirement for tech investments.

  • The leeway reflected management’s belief that the work IT audit did with IT to develop the bots would be a sort of force multiplier to pave the way for other functions inside and outside of finance. That is proving accurate, and new investments will require an ROI projection.
  • “We have a cadence now, where we have a spreadsheet where you can input your ideas. Then you can use an ROI calculator and if it passes muster, then we’ll make the decision from there,” the member said.
  • “Being the first ones to do it, we ran into some challenges that we didn’t plan for—some infrastructure and connections for integration. Those were not envisioned in our effort. But once that’s done—it only has to be done once. Our investment was a little bit greater, but we felt pretty good about making that investment.”
Justin Jones