Meet the Bots – Our NextGen Technology Auditors

By Vishal Kalro, CISSP

Operational efficiency, scalability, cost, and value propositions are key considerations for many functions across an organization today. Organizations want to scale to new heights of revenue, market share and sales, but without additional workforce and headcount. Enabling functions like Audit & Compliance will need to keep up with the ever-growing organizational footprint and demands under the same constraints. Given this premise, the advent and timing of “the bots” couldn’t have been better.

It’s time for Audit & Compliance functions to benefit from the bots & related automation technologies and contribute to the overall operational efficiencies. Audit & Compliance are often perceived as a document-heavy, highly process-oriented, time-draining exercise, and rightly so to a good extent. Assessors tend to spend a lot of time in walkthroughs, collecting evidence, documentation, reporting findings, remediations, reviews and sign-offs. And all of this, at times, is a “point in time” exercise. With the advent of Cloud and the need for ongoing monitoring & compliance with regulations, audit functions are finding it difficult to keep up with the traditional way of auditing.

This is where Robotic Process Automation (RPA) comes to the rescue. RPA can bring in dramatic efficiencies and reduce the documentation burden and compliance fatigue, along with round-the-clock monitoring. RPA brings a new category of workforce, i.e. the bot workforce, which can help augment the current audit workforce and help drive scalability, excellence and growth in a cost-efficient manner. RPA is the first step towards building a robust “Continuous Audit program.”

Imagine a Risk Controls matrix to address the technology & other security compliance requirements for a Cloud environment. Each control would require a set of configurations/artifacts to be assessed to meet the compliance requirements. Traditionally, an audit would require the auditor to extract the configurations/supporting evidence by means of screenshots, scripts or vendor-provided reports, followed by manual analysis to determine the effectiveness of the control at that given point in time. The process then needs to be repeated across each in-scope cloud instance. Instead of going the labor-intensive, point-in-time route, RPA-based workflows can be used to extract configurations & details from Cloud accounts, collate the information across different accounts and measure the values against a given baseline.

A reporting dashboard could be built to visualize the Cloud compliance details on an ongoing basis, thus providing real-time and round-the-clock assurance rather than making audit & compliance a point-in-time exercise. The dashboard could be further enhanced to report anomalies, trigger email alerts, and launch JIRA tickets for follow-up action.

A typical RPA-based audit & compliance architecture would look something like this:

  • Data lakes & stores represent the systems that need to be audited, e.g., Cloud accounts, SAP systems, traditional OSs & DBs, etc., or systems which contain the audit data, like Hadoop or Splunk, from where data/configuration could be extracted.
  • The RPA Orchestrator is used to develop and implement the bot workflows. The Orchestrator controls the workflows and schedule of the bots.
  • Bots could extract data by means of APIs or screen scraping.
  • The data is then stored in the RPA database for correlation and analysis.
  • A visualization layer could be built using reporting platforms like Power BI & Tableau.
  • Audit & compliance tickets can be fired to the auditees using JIRA for them to address the audit issues.
  • It can be taken a step further: automation workflows could be built to put the information together in a work paper format, easing the documentation overhead for auditors.
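
As an added illustration of the extract, collate and measure-against-baseline flow described above (not code from the original article), here is a small evaluator run over constructed configuration snapshots. The control IDs, setting names and account names are hypothetical, and the ticket payloads are plain dictionaries rather than calls to any real tracker API; it also treats a setting the bot failed to collect as missing evidence instead of a pass.

```python
from collections import Counter

# Hypothetical baseline: control id -> (setting key, operator, expected value).
BASELINE = {
    "CC-01": ("root_mfa_enabled", "eq", True),
    "CC-02": ("password_min_length", "ge", 14),
    "CC-03": ("access_key_max_age_days", "le", 90),
}
OPS = {"eq": lambda a, w: a == w, "ge": lambda a, w: a >= w, "le": lambda a, w: a <= w}

# Constructed snapshots standing in for what a bot extracted per cloud account.
SNAPSHOTS = {
    "acct-prod": {"root_mfa_enabled": True, "password_min_length": 14,
                  "access_key_max_age_days": 60},
    "acct-dev": {"root_mfa_enabled": False, "password_min_length": 8,
                 "access_key_max_age_days": 365},
    # Extraction gap: the key-age setting was never collected for this account.
    "acct-sandbox": {"root_mfa_enabled": True, "password_min_length": 16},
}

def evaluate(snapshots, baseline):
    """Return one row per (account, control): PASS, FAIL or NO_EVIDENCE."""
    rows = []
    for account, config in sorted(snapshots.items()):
        for control, (key, op, want) in sorted(baseline.items()):
            actual = config.get(key)
            if key not in config:
                status = "NO_EVIDENCE"  # missing data is never counted as a pass
            else:
                status = "PASS" if OPS[op](actual, want) else "FAIL"
            rows.append({"account": account, "control": control, "setting": key,
                         "expected": f"{op} {want}", "actual": actual, "status": status})
    return rows

def summarize(rows):
    """Collate across accounts: per-control status counts for a dashboard."""
    summary = {}
    for row in rows:
        summary.setdefault(row["control"], Counter())[row["status"]] += 1
    return summary

def tickets(rows):
    """Build follow-up ticket payloads (plain dicts, not a real tracker API)."""
    return [{"summary": f"[{r['control']}] {r['account']}: {r['setting']} {r['status']}",
             "description": f"expected {r['expected']}, found {r['actual']}"}
            for r in rows if r["status"] != "PASS"]

if __name__ == "__main__":
    print(*(t["summary"] for t in tickets(evaluate(SNAPSHOTS, BASELINE))), sep="\n")
```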

Thus, it makes audit more of a self-serve, continuous activity, minimizing the touch points with management and reducing the audit time & effort, making room for reprioritization and focusing on bigger bets.

This is just one example of how RPA could augment our current audit & compliance workforce and assist in achieving the objective of “Continuous Audit”. The possibilities are endless; it all depends on how we leverage and use the technology for better risk management.

Vishal is a risk management evangelist and cybersecurity strategist leading a global cybersecurity and technology risk management function. He has 18+ years of diversified experience across Enterprise Risk Management (ERM), Data Security and Privacy, Cyber Threat Intelligence, Cloud Security & AI/ML Risk Management.