As I was browsing the Onapsis website, specifically the blogs written by my colleagues, I came across this great post by Scott Winter. Scott, who works in our professional services team, works closely with our customers to ensure that they get the most out of The Onapsis Platform, from, among other things, audit and compliance capabilities. While he is focused on audit and compliance a bit differently than I do as a former Chief Audit Executive at publicly traded companies, what he wrote about inspired me to think about how Onapsis helps our customers save valuable time and resources in another key area: Information Technology General Controls (ITGCs).
ITGCs underpin many compliance frameworks, most notably Sarbanes-Oxley (SOX). As I reflected on where I felt my previous audit teams (and organizations) spent a lot of limited (or no) value-added time, it was in this space. You see, behind the curtain of how these audits are executed there are document requests lists. These lists come from your external auditors, internal auditors, including outsourced/co-sourced relationships, and other auditors who may assess your organization's compliance to a specific regulation. They start out innocently enough, with a few dozen requests, and then proceed to explode with what can literally be hundreds of follow-ups. Screenshots of report logic, parameters, workflows, etc. This is a manual process that takes up hundreds, if not thousands of hours of your organization's time by the time you run the information, capture screenshots, document what they are and upload to a document portal. Even an automated control, which once long ago was simply a test of one that either worked or didn’t, is saddled with the myriad of steps I’ve mentioned. My audit team's time was valuable. My organization's time was valuable. This work, for the most part, was not. A necessary evil, I suppose, but one which was painful and inefficient for all involved.
And it isn’t getting any easier, as Protiviti has noted in their 2020 SOX Compliance Survey:
- 25% of controls are automated (but still require manual tasks to test them)
- 65% expect an increase in scope to ITGC
- 60% expect an increase in Segregation of Duties (SoD) testing
- 59% expect an increase in testing of IT reports
- 56% expect an increase in total control count
All of this keeps increasing with no relief coming from the regulators.
This all equates to time and resources that could be better allocated for your organizations that could be used for optimizing more business-critical activities. Even utilization of technology like Robotic Process Automation comes with license costs, implementation costs and maintenance costs. And if you don’t do the coding yourself, the cost to code the bots can strip away most, if not all of the benefits. There HAS to be a better way.
The good news: THERE IS!
Our Audit Efficiency Assessment shows how automating your audit process of continually testing IT controls in SAP and Oracle ERP systems will save you time, resources and costs, while keeping you in compliance with regulations such as Sarbanes-Oxley, GDPR and others.
By automating the continuous assessment of IT controls, Onapsis eliminates manual processes so you can achieve a continuous compliance process for your ERP systems. In near real-time, you can see audit deficiencies as they are identified to quickly address them and stay in compliance. Organizations realize an immediate savings that increases as they mature their automation processes over time.
How do we do it? Rather than that exhausting, manual process of auditing, we can automate up to 92% of the tasks associated with testing and validating ITGCs. Rather than auditors requesting data to the ERP Admin, the ERP Admin adds the request to the queue of tasks. Assuming 1-2 days of delay, the ERP Admin gets the data, processes it, and sends it back to the auditor. If the auditor was not doing something else, he/she can receive the data, and analyze/test it and document the results. Besides the delay in time, there is an inherent risk in this process which is data tampering or human error getting the data: the auditor relies on somebody else to obtain critical evidence.
Using Onapsis, an auditor runs an audit against the desired systems. The Onapsis Platform connects to the system, gets the data immediately, processes it, and analyzes it. The auditor just reviews and documents the results. This work happens with no delay in information, no risks of evidence integrity, allowing the organization to shorten the audit cycle, obtain the results faster and remediate issues swiftly.
Recently, Onapsis put together new offerings to help shine a light on these issues and to allow organizations to understand how they can better avoid downtime. The Audit Efficiency Assessment is complementary and run remotely. It takes less than two hours to complete and does not require installation of any software or access to production systems.
Request your Audit Efficiency Assessment today and see how much you can save by automating your audit process and achieve continuous compliance.