Automation: Even the Gods Need It07, August 2018
The International Society for Automation (ISA) defines automation as “the creation and application of technology to monitor and control production and delivery of products and services.” While the word “automation” was coined by Ford Motor Co. Vice President Delmer S Harder in 1946, automation is not a modern phenomenon. In fact, it dates all the way back to Hellenic Greece. Homer first used the term “automaton” in the tale of Hephaestus, the Greek God of blacksmiths, artisans, metalworking and the art of sculpture. Hephaestus was tasked with manufacturing weapons used by the Gods of Mount Olympus. He created automatons to help him with the task. Automatons were self-operating machines, or robots, fashioned from metal. Even the Gods needed automation to help them with their tasks. Internal auditors are but mere mortals who could be saving a substantive chunk of their work time by automating access control management.
Thirteen weeks a year. One whole week every month. Nearly one and a half days every week — that is how long it typically takes for the internal audit teams using a manual process to run a simple segregation of duties (SOD) risk analysis report! Despite consuming a lot of man-hours, the results are a far cry from being a reliable depiction of access risks in the SAP system, invariably amounting to audit deficiencies.
According to Michael Rasmussen of GRC 20/20 Research, technologies like automation enable GRC and make it more efficient, effective and agile. As a matter of fact, automation is the backbone of avant-garde governance, risk and compliance (GRC). Although spreadsheets and manual processes kicked off the era of GRC, it was
n’t until access control and risk management were automated that reports were produced with confidence and the goal of compliance became easier. There are also other distinct benefits to automating access control management, such as
1. Cost Factor: The number one reason to switch to an automated process is the cost factor associated with the manual process. As we mentioned earlier, manual reports cost over 25 percent of an employee’s time every week. That is time that could be spent on other business-critical tasks like building a robust cybersecurity strategy, for instance. A leading technology company reported spending over 700 total employee hours on one single analysis at a cost of over $121,000 per analysis, totaling nearly $500,000 per year.
2. Security Risks: According to the Association of Certified Fraud Examiner’s (ACFE) 2018 Reports to the Nations Global Study on Occupational Fraud, typical organizations lose five percent of their revenues to fraud in 2017. An earlier ACFE’s Global fraud study discovered that organizations with weak controls suffered twice as much the average loss from internal fraud. A good strategy to combat internal threats remains to limit account privileges. Practicing the principle of least privilege (POLP) to ensure users have the bare minimum permissions they need to perform their work, can reduce the overall risk to the organization. The challenge in achieving this using a manual process is that there is no visibility into the utilization data to see the full impact of the access granted to each individual user. In a global, agile organization, scalability and control over access control become another issue. Automated controls software can use transactional utilization data to see what kinds of access are assigned to which roles and identify gaps for tighter, more effective controls. Further, these reports are intuitive and easy-to-understand by even the business process owners (BPOs) ensuring that security is the concern of not just the IT administrators.
3. Regulatory Risks: Apart from the direct cost, there is also the added cost of not automating related to not being compliant with regulations, such as Sarbanes Oxley, and auditing fees. Manual processes tend to have a higher margin of error, and thus are subjected to longer and more detailed audits. Errors in reporting can potentially translate to significant deficiencies or material weakness. Depending on the severity and frequency, these could have a serious impact on the company’s bottom line.
From manufacturing to GRC technologies, we are in the era of everything 4.0. A crucial aspect for success in today’s digital age remains the trend of automation. While some relate automation with increased human job elimination, it has also been a heaven-send in some industries where man-hours are reduced by cutting repetitive, tedious tasks, with an added advantage of eradicating human errors.