360° Control Automation, Monitoring & Enforcement
Guest Blog by Michael Rasmussen, Research Analyst at GRC 20/20 Research

Business today is changing minute-by-minute and second-by-second. Processes and technology and their configurations are changing. Employees and their access into systems are changing as they are hired, change roles, inherit rights, and ultimately leave the organization. Transactions and vendors are changing. The pace of change in business today requires new approaches to control automation.

Control monitoring and testing in the past involved random sampling, an approach that is dated and out of step with the dynamic nature of business today. Random sampling and monitoring of controls only cover a small fraction of the configurations, master data, segregation of duties/access rights, and transaction controls in an organization’s environment. Manual processes for control monitoring that focus on random sampling leave the organization with a false sense of control where, in reality, there can be significant control issues that expose the organization to malicious and inadvertent issues and events. Random sampling of controls results in:
- Consumption of time. Massive amounts of internal control and internal audit time are needed for random sampling, and that only covers a small percentage of controls.
- Inevitability of failure. It is too easy to make errors, miss the critical things, and fail to uncover wrongdoing and issues.
- Glossing over issues. When something is found, it is too easy for internal control functions and auditors to gloss over it, as they do not have the cycles to unpack it and find out what happened. Issues require time to investigate and require more sampling.
- Getting to the bottom line. It takes even more time to understand the financial impact and exposure a control issue, failure, or actual wrongdoing brings to the organization.
- Longer audit cycles. Manual processes that only do random sampling mean the organization has longer audit cycles and staff are overworked. This either slows business down or results in superficial audits and control evaluations, as internal control and audit teams have to keep up and do not have the time.
- 100% control monitoring. The organization can do full transaction and control testing and review, and not just a small percentage.
- Focus on exceptions. The organization can avoid the maze of false positives and rabbit trails that lead nowhere by focusing on the exceptions with real business exposure.
- Financial impact analysis. The organization can automate the overall financial impact and analytics to prioritize and act on the most significant control issues that expose the organization.
- Ensure compliance. The organization can ensure nothing is slipping through the cracks that an external auditor or regulator may find. This results in fewer or no audit findings and potential avoidance of fines and penalties.
- Resource focus on what matters. The organization benefits by freeing up resources from manual and random sampling of controls, allowing these people to address real control issues that are automatically discovered.
- Streamlined reporting. The organization can see reports and control issues in real-time and not have to spend weeks consolidating manual testing reports that take a lot of employee time to build and point to issues and patterns of behavior that could have been addressed early on with real-time visibility.