Canada: Accelerate | Automation Is Changing The Finance Function

Extreme automation is rapidly changing the very nature of how businesses and their finance functions operate. And as organizations move towards cloud-based services and data-driven systems, it's important that all parties embrace the automation of financial processes and controls through disruptive technologies like Cloud ERPs, artificial intelligence, cognitive computing, robotic process automation, and blockchain.

Extreme automation extracts risk from routine processes and provides the end user with more guaranteed process outcomes at a lower cost. It is most often applied to routine transaction processes and uses embedded application controls, exemption reporting, and cyber security controls testing to maintain integrity.

As the pressure for organizations to embrace new technologies and lower finance costs increases, the race to extreme automation accelerates. So too does the need for better awareness around how automation technologies work, connect to other functions, and alter the control environment. For audit committees, that due diligence includes asking management the right questions around the segregation of duties within and across key applications, and ensuring the CIO and head of internal audit are collaborating to address security and segregation of duties. The importance of establishing proper segregation of duties has existed long before disruptive technologies and extreme automation, but the task now is to apply the foundational principles of a control framework to a cloud and on-premises environment.

Third-party risk also warrants attention. As organizations take to Software as a Service (SaaS) en masse, they are welcoming more external parties into their digital network. That includes parties who may have designed and established their cloud-based service and external partners who have access to it on an ongoing basis. Here again, the access and segregation of duties are critical, both in terms of determining who has permission to remain in the system and in verifying their activity. It also pays to develop an understanding of third-party policies and roles, and build third-party risks into each individual contract.

Preparing for automation boils down to upholding one's duty of care. For audit committees, it also requires forging ahead with a sense of curiosity for new technologies, being open to extreme automation, and making peace with disruption.

What should Audit Committees be asking?

• Does management have the proper segregation of duties for automated systems?
• What oversight and policies do we have around Saas?
• How is management adjusting their risk and controls framework to address security as we bring in new automation technologies and software vendors?
• How is third-party risk being managed? Who are we doing business with and what due diligence was done on our alliance and vendors?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.