Vishal Kalro - ISC2 Member VoicesBy Vishal Kalro, CISSP  

Operational efficiency, scalability, cost, and value propositions are key considerations for many functions across an organization today. Organizations want to scale to new heights of revenue, market share and sales but without additional workforce and headcount. The enabling functions like Audit & Compliance will need to keep up with the ever-growing organizational footprint and demands under the same constraints. Given this premise the advent and timing of “the bots” couldn’t have been better.

It’s time for Audit & Compliance functions benefit from the bots & related automation technologies and contribute to the overall operational efficiencies. Audit & Compliance are often perceived as a document heavy, highly process oriented, time draining exercise and rightly so to a good extent. Assessors tend to spend a lot of time in walkthroughs, collecting the evidence, documentations, reporting findings, remediations, reviews and sign offs. And all of this at times is a “point in time” exercise. With the advent of Cloud and need for on-going monitoring & compliance to regulations; audit functions are finding it difficult to keep up with traditional way of audits.

This is where Robotic Process Automation (RPA) comes to rescue.  RPA can bring in dramatic efficiencies, reduce the documentation burden and compliance fatigue along with round the clock monitoring. RPA brings a new category of workforce i.e. the bot workforce which can help augment the current audit workforce and help drive scalability, excellence and growth in a cost-efficient manner. RPA is the first step towards building a robust “Continuous Audit program.”

Imagine a Risk Controls matrix to address the technology & other security compliance requirements for a Cloud environment. Each control would require a set of configurations/artifacts to be assessed to meet the compliance requirements. Traditionally an audit would require auditor to extract the configurations/supporting evidence by means of screenshots, scripts or a vendor provided reports; followed by manual analysis and determining the effectiveness of the control at that given point in time. The process will need to be repeated across each in-scope cloud instance. Instead of going the labor intensive, point in time route; RPA based workflows can be used to extract configurations & details from Cloud accounts, collate the information across different accounts and measure the values against a given baseline.

A reporting dashboard could be built to visualize the Cloud compliance details on an on-going basis. Thus, providing real time and round the clock assurance rather than making audit & compliance a point in time exercise. The dashboard could be further enhanced to report anomalies, trigger email alerts, launch JIRA tickets for a follow up action.

Typical RPA based audit & compliance architecture would look something like this –

  • Data lakes & stores represent the systems that need to be audited e.g., Cloud Accounts, SAP systems, traditional OS & DB’s, etc. or systems which contain the audit data like Hadoop or Splunk from where data/configuration could be extracted.
  • RPA Orchestrator is used to develop and implement the Bot workflows. Orchestrator controls the workflows and schedule of the bots.
  • Bots could extract data by means of API’s or screen scrapings
  • The data is then stored in RPA database for correlation and analysis
  • Visualization layer could be built using reporting platforms like Power BI & Tableau.
  • Audit & compliance tickets can be fired to the auditees using JIRA for them to address the audit issues.
  • It can be taken a step further and the automation workflows could be built to put the information together in a work paper format, easing the documentation overhead for auditors.

Thus, it makes audit more of a self-serve continuous activity minimizing the touch points with management and reduces the audit time & effort, making room for reprioritization and focusing on bigger bets.

This is just one example as to how RPA could augment our current audit & compliance workforce and assist in achieving the objective of “Continuous Audit”. The possibilities are endless, it all depends on how we leverage and use the technology for better risk management.

 

Vishal is a risk management evangelist and cybersecurity strategist leading a global cybersecurity and technology risk management function. 18+ years of diversified experience across Enterprise Risk Management (ERM), Data Security and Privacy, Cyber Threat Intelligence, Cloud Security & AI/ML Risk Management.