Digital Transformation – Risk and Control Considerations
We are living in a digital age where companies both big and small are looking to keep pace with the fast moving world of emerging technology. Whether it be something as simple as converting from a manual to a paperless environment, all the way up to implementing complex tools such as process automation and artificial intelligence, companies are transforming the way they operate.
Digital transformation is currently a hot topic as it can affect all companies regardless of size or industry. Digital transformation is the use of digital strategies which incorporate technologies such as robotics process automation (RPA) and data analytics to improve the way they conduct business. Some of the more common transformations involve tasks such as the input and reconciliation of large quantities of data. The automation of these types of processes can result in significant time savings and increased efficiencies and capacity release, some reaching 50% or higher.
Process automation not only saves time and resources; it can also eliminate the majority of the control risk associated with human error if properly implemented and deployed, as the technology will execute the task consistently and accurately on a repeated, continued basis.
Although this is a huge advantage, it does bring with it some additional risks which should be considered when planning and implementing a digital solution, as follows:
1) Is the solution implemented correctly?
If the solution implemented does not execute as intended by the user, then the information produced will not be useful or reliable. As part of the planning and design of a solution, all potential users/owners (ideally this could include members from the business unit, technology and risk/internal audit) should be included in the planning process. Once the solution is implemented, some form of user acceptance testing (UAT) should be carried out over a period of time to ensure that the solution is functioning correctly and provides the expected result.
2) How are failures identified and remediated?
Although a digital solution will run the exact same way 100% of the time, there is still some risk of the solution not running as intended. This can be caused by a file either being corrupted or not being uploaded correctly, which would prevent the solution from executing as designed. As part of the planning phase, the company should incorporate processes and controls that identify points of failure and take action in a timely manner. In addition, both a notification and a correction protocol should be implemented in order to respond to failures.
3) Is user access and change management functionality controlled?
When planning to implement a digital solution, proper considerations should be taken by the company to ensure that only the appropriate individuals have the ability to access the solution and that change management controls are in place. If the solution is not setup within a controlled environment, there exists the risk that an unauthorized individual could potentially make changes (either intentional or unintentional). In addition, there should be controls (i.e., ticketing system) in place to identify any changes that have been made to the solution and the reason for the change. Without a proper tracking mechanism, unauthorized changes may not be identified by the company.
4) Data storage and backup?
Like any system or application, storage and security over data is critical.
- Some important questions to ask include:
Is the data being housed on premises or in the cloud?
- Does the company have controls in place over the backup, maintenance and security of the data?
- Is a third-party vendor being utilized? If so, how does the company gain comfort that the vendor has the proper controls in place over the data in their possession?
Once again, these are all considerations that should be factored in during the planning stage and implementation stage of the solution. Depending on where you are in your digital transformation journey, be sure to consider the additional risks that are associated with an increase in reliance on the technology being deployed. With proper planning and controls around the implementation, risks can be properly mitigated.
PRTS Intelligence Newsletter - Q3