Alleviate Control Environment Effort Through Automation and Monitoring

Performing manual processes can seem like constantly rolling a boulder uphill. In addition to internal policies and procedures for operational efficiencies, organizations may be required to generate, review, reconcile, approve, and submit reports to conform to an alphabet soup of state, federal, and industry regulations.

These include Sarbanes-Oxley (SOX) and Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA) for financial reporting, Payment Card Industry (PCI) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for data privacy and protection, and other applicable regulations.

While not all regulations and requirements overlap in subject matter, each requires organizations to implement and monitor a system of controls and processes to ensure relevant functions are consistently and accurately performed.

This often results in a significant number of manual controls that must be implemented, with limited overlap between them.

Automating control performance, completely or partially, can significantly reduce the human labor effort associated with manual, repeatable tasks. 

This post highlights key considerations for automating common manual processes. As you plan to automate portions of your control environment, evaluate where the most efficiency can be gained. Prioritize areas where the cost-benefit in both time and effort is most beneficial to your organization.

Common Manual Processes

These are the most common manual processes and activities with the greatest potential for automation:

  • Report generation. If you run a report with the same parameters each time (e.g., GL entries for the open period) or with incrementing parameters (e.g., changes completed in the last 30 days), it is easy to automate report generation and have the output delivered to a set location or mailbox for further action.
  • Workflows. Automating compliance tasks such as approvals through workflow management is an easy way to eliminate writing emails and pulling evidence from a mailbox. Many ticketing systems have workflow management built in, and you can start a process by emailing a report to the system, which generates a ticket from a template for your task.
  • Reconciliations. If you’re matching values between reports from two systems, and you can obtain reports in a consistent format, it may be relatively simple to automate the comparison so a script returns variances. This would limit time spent on manual inspection of the documentation.
  • User access management. By linking a script to a daily export from your HR/Payroll system, you can trigger access revocation at the network layer and for some applications as well. This provides an opportunity to eliminate one of the most common exceptions in IT compliance testing. Similarly, you can use a script to grant certain default access without IT intervention. If you’ve taken it a step further and documented an access matrix that details the access all employees should have based on job title, you may be able to grant all necessary access for new employees this way, or modify access for existing employees whose job title changes.
  • User access review. If you document the access matrix referenced above, you can also use this for access reviews, even if your access management scripts can’t manage the access due to system design. This means your reviewers would only need to review the access matrix and any deviations detected by the system. If access provisioning, modification, and revocation are managed through automated processes, it would reduce the likelihood of deviations.
  • Vulnerability scanning. Many compliance regulations and frameworks require the implementation of cybersecurity practices. One of the most common is periodic vulnerability scanning. Most scanners can kick off scans on a set schedule and deliver the output to mail or dashboard recipients for interpretation and follow-up. Configuring the scanner to email results to a ticketing system will automatically create a ticket to start remediation activities.
  • Other commonly automated processes include journal entry validation, accrual calculation, policy confirmations, change management validations, and data monitoring, classification, and purging.
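The user access management and user access review items above describe comparing a documented access matrix against an HR export and a system access export. The following is an added example of that comparison; it is not code from the original post or from Weaver. The HR export, access matrix and access export are constructed sample data, and the column names (user, job_title, status, entitlement) are assumptions about what such exports would contain.

```python
"""Access review against a documented access matrix.

Constructed example data: an HR export (employee, job title, status),
an access matrix (job title -> expected entitlements) and a system access
export (user -> granted entitlements). The review reports three kinds of
deviation: active users with access beyond their title, missing expected
access, and terminated users who still hold any access.
"""
import csv
import io
from collections import defaultdict

# Constructed HR export: one row per employee.
HR_EXPORT = """\
user,job_title,status
alice,AP Clerk,active
bob,AP Manager,active
carol,AP Clerk,terminated
dave,Developer,active
"""

# Constructed access matrix: expected entitlements per job title.
ACCESS_MATRIX = {
    "AP Clerk": {"erp_ap_entry", "email"},
    "AP Manager": {"erp_ap_entry", "erp_ap_approve", "email"},
    "Developer": {"email", "git_push"},
}

# Constructed system access export: one row per (user, entitlement).
ACCESS_EXPORT = """\
user,entitlement
alice,erp_ap_entry
alice,email
alice,erp_ap_approve
bob,erp_ap_entry
bob,erp_ap_approve
bob,email
carol,erp_ap_entry
carol,email
dave,email
"""


def parse_hr(text):
    """Return {user: (job_title, status)} from the HR export."""
    return {r["user"]: (r["job_title"], r["status"]) for r in csv.DictReader(io.StringIO(text))}


def parse_access(text):
    """Return {user: set(entitlements)} from the system access export."""
    granted = defaultdict(set)
    for r in csv.DictReader(io.StringIO(text)):
        granted[r["user"]].add(r["entitlement"])
    return granted


def review_access(hr, matrix, granted):
    """Compare granted access to the matrix and return sorted deviations.

    Each deviation is a (user, kind, entitlement) tuple. Users present in the
    access export but absent from HR are reported as 'unknown_user'.
    """
    deviations = []
    for user, entitlements in granted.items():
        if user not in hr:
            for e in sorted(entitlements):
                deviations.append((user, "unknown_user", e))
            continue
        title, status = hr[user]
        if status != "active":
            # Revocation should have removed everything; any remaining access is a finding.
            for e in sorted(entitlements):
                deviations.append((user, "terminated_retains", e))
            continue
        expected = matrix.get(title, set())
        for e in sorted(entitlements - expected):
            deviations.append((user, "excess", e))
        for e in sorted(expected - entitlements):
            deviations.append((user, "missing", e))
    # Active users in HR with no access rows at all still need their expected access.
    for user, (title, status) in hr.items():
        if status == "active" and user not in granted:
            for e in sorted(matrix.get(title, set())):
                deviations.append((user, "missing", e))
    return sorted(deviations)


def run_review():
    """Run the review over the constructed exports and return the deviations."""
    return review_access(parse_hr(HR_EXPORT), ACCESS_MATRIX, parse_access(ACCESS_EXPORT))


if __name__ == "__main__":
    for user, kind, entitlement in run_review():
        print(f"{user:8} {kind:18} {entitlement}")
```

Only the deviations reach the reviewer: alice holds an approval entitlement her title does not call for, carol was terminated but still has access, and dave is missing an entitlement his title requires. Everything that matches the matrix is not listed, which is what reduces the review to the matrix plus exceptions.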

Getting Started

To begin with, look for opportunities to streamline and to implement automated processes with appropriate monitoring:

Identify components of control execution, or verification steps, that can be automated. Look for tasks that don’t require professional judgment, or where systems are already designed for automation.

  • Enabling application configurations: There may be existing functionality in implemented systems that can replace manual tasks.
  • Request submission processes: Requests that can be routed through standardized forms and would typically be validated against defined criteria.
  • Transaction monitoring: Approved transactions which can be compared to predefined criteria, such as approval limits, on a periodic basis.
  • Report generation: Reports which are based on static or incremental parameters.

Automating these tasks with simple pieces of code or job scheduling tools can free up time for other job functions.
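The reconciliations item in the earlier list (matching values between reports from two systems so that a script returns only the variances) and the transaction monitoring item above both come down to comparing two exports by key. Here is an added example of such a reconciliation; it is not code from the original post or from Weaver. The ERP payment register and the bank settlement report are constructed sample data, and their column names (reference, amount, ref, settled_amount) are assumptions.

```python
"""Automated reconciliation of two system reports.

Constructed example: a payment register exported from the ERP and a
settlement report exported from the bank portal, both as CSV keyed by
payment reference. The script matches records by key and returns only
the variances, so reviewers inspect exceptions instead of every row.
"""
import csv
import io
from decimal import Decimal

# Constructed ERP payment register.
ERP_REPORT = """\
reference,amount,vendor
PAY-1001,1250.00,Acme Supplies
PAY-1002,340.50,Globex
PAY-1003,99.99,Initech
PAY-1004,5000.00,Umbrella
"""

# Constructed bank settlement report (different column names, same key).
BANK_REPORT = """\
ref,settled_amount
PAY-1001,1250.00
PAY-1002,340.05
PAY-1004,5000.00
PAY-1005,75.00
"""


def load_amounts(text, key_col, amount_col):
    """Return {key: Decimal(amount)} from a CSV export.

    Decimal avoids float rounding, which would otherwise produce spurious
    one-cent variances. Duplicate keys are rejected so a doubled row is
    never silently summed or overwritten.
    """
    amounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        key = row[key_col].strip()
        if key in amounts:
            raise ValueError(f"duplicate key in export: {key}")
        amounts[key] = Decimal(row[amount_col].strip())
    return amounts


def reconcile(left, right, tolerance=Decimal("0.00")):
    """Compare two {key: amount} maps and return sorted variance records.

    Each record is (key, kind, left_amount, right_amount); kind is
    'amount_mismatch', 'missing_right' or 'missing_left'. Matching rows
    are not returned.
    """
    variances = []
    for key in sorted(set(left) | set(right)):
        if key not in right:
            variances.append((key, "missing_right", left[key], None))
        elif key not in left:
            variances.append((key, "missing_left", None, right[key]))
        elif abs(left[key] - right[key]) > tolerance:
            variances.append((key, "amount_mismatch", left[key], right[key]))
    return variances


def run_reconciliation():
    """Reconcile the constructed ERP and bank exports and return the variances."""
    erp = load_amounts(ERP_REPORT, "reference", "amount")
    bank = load_amounts(BANK_REPORT, "ref", "settled_amount")
    return reconcile(erp, bank)


if __name__ == "__main__":
    for key, kind, erp_amt, bank_amt in run_reconciliation():
        print(f"{key} {kind:16} erp={erp_amt} bank={bank_amt}")
```

The tolerance parameter is where a reconciliation policy lives: zero for a control that expects exact agreement, a small amount if the two systems legitimately round differently. Rejecting duplicate keys matters because a doubled row in either export is itself a finding, not something to net off.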

Design and implement automation so that it can be managed through systems rather than by people. There are a number of tools available and several are probably already present within the IT environment. They allow organizations to designate where information comes from, who acts on that information and in what capacity and what triggers the next stage of the process. If you have robust procedures and control narratives, you can save time by extracting this information from those documents.

Monitor processes to verify that automation functions as intended and that processes continue to improve. Continuous monitoring allows you to identify ineffective or inefficient processes earlier, facilitating a process change before it becomes an operational or compliance issue. Depending on the frequency of the process being monitored, this may mean monthly or quarterly validations by an independent group, such as your compliance or internal audit team, of a representative sample of control occurrences. There are two main types of monitoring.

  • KPI-based monitoring, built on key performance indicators (KPIs). Based on KPI notifications, you can validate that processes continue to function as expected and troubleshoot when there are issues. This is typically centralized and manual, but in most monitoring tools dashboards can help reduce manual effort. This data can also be used for process mining, driving efficiency in automated processes.
  • KRI-based monitoring, built on key risk indicators (KRIs). This is sometimes called continuous monitoring. Despite the connotation of the word “continuous,” it actually means periodic validations to ensure that processes are working as intended, align with current organizational risk assessments, and continue to be improved.

If issues or improvement opportunities are identified, the group can facilitate discussion with the control and automation owners to design and implement process modifications, or replacements when necessary. This monitoring may also serve as a secondary, or non-key, control to support compliance efforts in the event of a control failure within the environment.
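The KPI-based monitoring described above turns a scheduler's run history into indicators and notifications. The following is an added example of that kind of monitor; it is not code from the original post or from Weaver. The scheduler log lines, the job names, the expected schedule and the failure-rate threshold are all constructed for the example, and the log format (timestamp, job=, status=, duration=) is an assumption rather than any particular product's output.

```python
"""KPI-based monitoring of automated control jobs.

Constructed example: log lines emitted by a job scheduler, one per run,
and a table of the schedule each job is expected to meet. The monitor
derives two KPIs per job (failure rate and age of the last successful
run) and raises an alert when a job has failed too often or has not
succeeded within its expected window, so a silently stalled automation
is caught before a control occurrence is missed.
"""
import re
from datetime import datetime, timedelta

# Constructed scheduler log lines (format is an assumption for this example).
JOB_LOG = """\
2024-03-01T06:00:05Z job=gl_open_period_report status=success duration=41s
2024-03-01T06:10:02Z job=hr_termination_sync status=success duration=12s
2024-03-02T06:00:04Z job=gl_open_period_report status=success duration=39s
2024-03-02T06:10:03Z job=hr_termination_sync status=failure duration=2s
2024-03-03T06:00:06Z job=gl_open_period_report status=success duration=40s
2024-03-03T06:10:01Z job=hr_termination_sync status=failure duration=2s
2024-03-03T07:00:00Z job=vuln_scan_weekly status=success duration=3600s
"""

# Constructed schedule: how often each job is expected to succeed.
SCHEDULE = {
    "gl_open_period_report": timedelta(days=1),
    "hr_termination_sync": timedelta(days=1),
    "vuln_scan_weekly": timedelta(days=7),
    "ap_approval_limit_check": timedelta(days=1),  # scheduled but never seen in the log
}
# Share of failed runs above which a job is flagged (constructed threshold).
MAX_FAILURE_RATE = 0.5

LINE_RE = re.compile(r"^(?P<ts>\S+) job=(?P<job>\S+) status=(?P<status>\S+)")


def parse_log(text):
    """Return {job: [(timestamp, status), ...]} from scheduler log lines."""
    runs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not carry a job record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        runs.setdefault(m["job"], []).append((ts, m["status"]))
    return runs


def evaluate(runs, schedule, now, max_failure_rate=MAX_FAILURE_RATE):
    """Return sorted (job, alert) pairs for jobs breaching a KPI.

    Alerts: 'never_ran' (scheduled job with no runs), 'stale' (last
    success older than the schedule interval plus a one-hour grace),
    'failure_rate' (share of failed runs above the threshold).
    """
    alerts = []
    grace = timedelta(hours=1)
    for job, interval in schedule.items():
        history = runs.get(job, [])
        if not history:
            alerts.append((job, "never_ran"))
            continue
        successes = [ts for ts, status in history if status == "success"]
        failures = len(history) - len(successes)
        if failures / len(history) > max_failure_rate:
            alerts.append((job, "failure_rate"))
        if not successes or now - max(successes) > interval + grace:
            alerts.append((job, "stale"))
    return sorted(alerts)


def run_monitor(now=datetime(2024, 3, 4, 6, 30, 0)):
    """Evaluate the constructed log against the schedule at a fixed 'now'."""
    return evaluate(parse_log(JOB_LOG), SCHEDULE, now)


if __name__ == "__main__":
    for job, alert in run_monitor():
        print(f"ALERT {job}: {alert}")
```

The "never_ran" alert is the one most easily missed by dashboards that only chart what did run: a job that was removed from the scheduler, or never deployed, produces no log lines at all, so the monitor has to start from the list of jobs that should exist rather than from the log. The stale check catches the other quiet failure, a job that keeps failing and therefore has not produced a fresh control occurrence.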

To find out how Weaver can help you go from pushing boulders to using a conveyor belt for the heavy lifting, please contact us. We are here to help.

Authored by David Friedenberg, CISA, CRISC, CISSP, QSA.