As technological advancements cause risks to evolve, there is also help in addressing those risks. One such technology is control automation, which, according to an expert, will be critical to the risk management field.
“In my opinion, nearly all signs point to control automation being the future of the risk management profession,” Matt Cassidy (pictured), senior manager for controls advisory at Grant Thornton, told Corporate Risk and Insurance.
Cassidy began by distinguishing between two types of automation: control automation and control test automation. According to him, control automation is exactly what it sounds like – taking a control performed by a control owner and automating the process/control for the control owner. Meanwhile, control test automation involves programming a robot or a script to perform the same testing steps that a control tester would execute to test that control.
There are two main ways of establishing these two types of automation: robotic process automation (RPA) and scripting, he continued. RPA is used for automation by taking a series of programmed tasks and repeating them in a fraction of the time, while scripting applies logic to the data. However, there are benefits and drawbacks to both automation options, he said.
“The first thing we at GT recommend is an assessment of controls,” Cassidy said. “We use a proprietary methodology that takes into account a variety of control and technology factors. After completing the evaluation, the basic process for automating a control is to identify the data, normalize the data into a data set, and apply logic to that data and present results. It is very similar to how someone traditionally tests a control. The primary difference is that it runs in a more programmatic manner and can cover larger amounts of samples in a shorter amount of time.”
Read more: Risk management embraces automation
According to Cassidy, if implemented properly, control automation can lead to savings for the organization.
“When we, as risk management professionals, look at the typical organizational risk management function, we measure the function on compliance/audit coverage, time of execution and reporting, and cost of compliance,” he said. “If done correctly, control and control test automation should significantly increase coverage and reduce time to test and report, as well as the overall cost.”
While control automation indeed is a boon to organizations, some adopters may struggle in harnessing its benefits. According to Cassidy, the main issues companies run into involve client data and technological limitations.
Data, he said, is the most important piece of the puzzle.
“To programmatically assess control and testing steps, the data must be or must be able to be normalized for a system to perform the programmed logic,” he said. “Legacy applications, complicated spreadsheets, and paper present the most difficult scenarios. Many companies are gathering lots of data but need to take the first step in developing a data strategy. Taking on a project like automation may help address and clarify data issues, but will add time and cost to the project.”
Meanwhile, technology limitations also challenge companies attempting automation.
“Many controls, such as Management Review Controls (MRCs), address a specific audit issue or risk but do not necessarily address transactional risks,” Cassidy said. “There is so much human judgement used during the execution and testing of these types of controls that artificial intelligence and machine learning are attempting to solve, but haven’t progressed to the point yet where they can do everything a human does.”
According to Cassidy, these areas are usually not good candidates for automation. This presents a major barrier to automating a control environment, as companies are becoming more reliant on MRCs as key controls.
“Anyone who has worked with Sarbanes-Oxley (SOX) controls in the past few years knows that external auditors and the PCAOB are heavily scrutinizing MRCs,” he added.
While Grant Thornton is better known in the audit market, Cassidy said that the company also has strong capabilities in technology and risk management.
“For control automation specifically, we are leveraging our audit and technology expertise to develop a series of use cases,” he said. “These use cases are based on controls in our internal and external framework. Our goal is to be able to identify controls that fit into a use case quickly, and then begin the process of ingesting the data, performing the testing logic, and reporting results faster and more accurately than a human.”
Cassidy said that by arming its auditors with tools like automation, Grant Thornton allows its people and its clients to address and react to business problems sooner and more precisely. This eliminates the time wasted ticking and tying traditional work papers.
“Together, we can work toward using test results and data insights to develop a resolution to a particular issue,” he said. “At some point in the not-so-distant future, we’ll be able to leverage this automation and the results history to be able to proactively address audit issues before they occur – this will be a complete shift in the risk management industry.”