In this excerpt from How to Breeze Through Audits Without Putting Business On Hold, we look at the part SaaS ERPs play in audit success or failure and how thorough testing can not only improve your ability to demonstrate compliance, but also cut the time your subject matter experts (SMEs) spend with auditors.
Part of an auditor’s responsibility is to ensure that the systems they are auditing are ‘under control’. No company runs without some issues, but how you manage those issues determines how extensively the auditor will investigate your company’s approach. The more you can demonstrate that you are proactively controlling your processes, the easier the audit should be.
If your company relies on an enterprise SaaS system like Workday, Oracle or SAP to manage your HR, finance, and customer support processes, then it’s likely that large portions of your audit data will originate from this system. Because these digital systems carry out business processes and automate the controls around them, it’s easy to assume that the processes within are compliant. But this overlooks two crucial facts:
- These systems are not infallible. The integrity of every process and control is only as good as the system’s configuration and the information that staff input.
- These aren’t static systems. Even if a system was painstakingly configured with absolutely flawless compliance in place at launch, your system changes on a regular basis. Processes are added and updated as the business grows and evolves. Roles and lines of approval change. Teams merge. Companies merge. Vendors release software updates. And with change, the security of processes and their controls can be compromised.
While the business teams that maintain your system may be testing it regularly to ensure that essential functionality and controls are still intact after changes are introduced, manually testing it screen by screen and field by field is difficult and time consuming. Consequently, most teams are limited to testing the ‘happy paths’—in other words, confirming or refuting the expected. For example, your procurement process might look like this: your Supplier Administrator creates a new supplier, the system prompts your Accounting Manager to review and approve it, your Accounts Payable Analyst inputs the supplier’s invoice, and the system prompts your Cost Centre Manager to review and approve payment. Staff would test this pathway to ensure each step works as intended.
But what about unintended actions, malicious actions, or unintended access to information within the system? How can you be sure that a person is not able to set up a fictitious supplier and pay that ‘company’ without approval, or by bypassing approvals? How can you be certain that users can’t see the bank details of their colleagues, or their salaries, or that individuals can’t give themselves one-time payments?
The Audit Advantages of Automated Testing
One way to safeguard your system against unexpected actions is by introducing an automated testing tool. Automated testing of enterprise SaaS ERP configurations empowers companies to test their processes and controls with greater depth, breadth, consistency, and speed than staff can achieve manually, covering both the planned and unplanned scenarios.
The software monitors your SaaS system, comparing what is supposed to happen with what is actually happening. It can take on the testing of the happy paths, and whenever a change in the system causes a break to the process or control, it immediately flags it. But it also allows you to expand the scope of what you’re testing to include toxic combinations—those unintended processes that you want to be certain to prevent. Automated testing of your SaaS system allows SMEs to turn to auditors and not just say: “Yes, we have a process for that. This is how it is set up in our SaaS system.” They can also say: “This is how we verify the control is working properly each week. Here is the test evidence of that. And here are the tests we run to double check that the control cannot be bypassed via other pathways in the system. When a test fails, we get an immediate flag.”
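As an added illustration (not taken from the original article or from any vendor's tool), the sketch below runs a toxic-combination check over the procurement roles described earlier and reports what a configuration change newly broke. The permission names, the rule set, the users and the delegation model are all assumptions constructed for the example.

```python
from collections import defaultdict

# Permissions granted by each role in the procurement flow (permission names are assumed).
ROLE_PERMS = {
    "Supplier Administrator": {"create_supplier"},
    "Accounting Manager": {"approve_supplier"},
    "Accounts Payable Analyst": {"enter_invoice"},
    "Cost Centre Manager": {"approve_payment"},
}

# Assumed rule set: permissions that one person must never hold together.
TOXIC = {
    "self-approved supplier": {"create_supplier", "approve_supplier"},
    "self-approved payment": {"enter_invoice", "approve_payment"},
    "fictitious supplier paid": {"create_supplier", "approve_payment"},
}

def effective_permissions(assignments, delegations=()):
    """Permissions per user from direct roles plus roles delegated to them."""
    direct = defaultdict(set)
    for user, role in assignments:
        direct[user] |= ROLE_PERMS[role]
    effective = {user: set(perms) for user, perms in direct.items()}
    # A delegation (src, dst) hands src's direct permissions to dst; it is not transitive.
    for src, dst in delegations:
        effective.setdefault(dst, set()).update(direct.get(src, set()))
    return effective

def find_toxic(assignments, delegations=()):
    """Return sorted (user, rule) pairs where a user holds a full toxic combination."""
    return sorted(
        (user, rule)
        for user, perms in effective_permissions(assignments, delegations).items()
        for rule, combo in TOXIC.items()
        if combo <= perms
    )

def new_findings(before, after):
    """Findings introduced by a change: present after it, absent before it."""
    return sorted(set(after) - set(before))

# Constructed sample data: a clean baseline, then a team merge plus holiday cover.
BEFORE = [("amira", "Supplier Administrator"), ("ben", "Accounting Manager"),
          ("chen", "Accounts Payable Analyst"), ("dara", "Cost Centre Manager")]
AFTER = BEFORE + [("amira", "Accounting Manager")]
DELEGATIONS_AFTER = [("dara", "chen")]  # dara's approvals delegated to chen

if __name__ == "__main__":
    for user, rule in new_findings(find_toxic(BEFORE), find_toxic(AFTER, DELEGATIONS_AFTER)):
        print(f"FLAG {user}: {rule}")
```

The delegation case is the kind of alternative pathway a happy-path test does not exercise: no role assignment changed for chen, yet chen can now both enter and approve an invoice.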
While automated testing requires capital investment, it also provides your company with its best option to safeguard the processes and controls within and eliminate the risks around the digital systems that underpin your business.