In this two-part series, we explore how organizations can leverage robotic process automation (RPA) and other automation techniques for IT Sarbanes-Oxley (SOX) testing within SAP environments. In Part 1, we reviewed the business need for RPA. Today, Part 2 covers advancements and future use cases for RPA-based solutions.
Robotic process automation (RPA), when deployed correctly, can significantly expedite tasks that would otherwise be heavily time-consuming. That is the case at Protiviti, where our Business Applications Team (BAS) and Enabling Technology team joined forces to reduce the amount of time needed to complete SAP Basis testing by 95%. These advanced automations, or accelerators, can be used for IT Sarbanes-Oxley (SOX) testing within SAP S/4HANA and SAP BW HANA environments and expedite the following activities:
- automatically capturing t-code and authorization object screenshots
- documenting completeness and accuracy attributes
- extracting required files for testing
- consolidating access points for easy review and testing
This solution not only reduces the time for Protiviti to conduct testing but also increases standardization and quality of work.
Protiviti continues to advance the accelerator’s capabilities, as SAP Sensitive Access is an ever-changing area that requires consistent analysis to stay in line with current market risks. The RPA-based solution was successfully piloted 3 years ago to assist a machine manufacturing company. The updated accelerator, which is housed on Protiviti’s Technology Accelerator Platform (a platform with over 30 scalable automations that can help execute audits faster), introduces new functionality that allows Protiviti to dynamically input the t-codes and authorization objects required for extraction and automatically creates access validation worksheets to streamline testing from start to finish. Doing this same work manually used to take over 100 hours; it can now be completed in less than a day’s worth of hours.
Protiviti’s pilot client, a $750 million machine manufacturing company, has been running these accelerators two times per year for the past three years. Below is a progression of the automation advancements:
- During year one, the customer ran it within their SAP S/4HANA and SAP BW HANA systems. This automation freed up additional time to review the results with the client, which provided increased opportunity to remediate inappropriate user access, automatically generate remediation evidence, and avoid a year-end audit exception.
- In year two, the accelerator was enhanced to align it with our current-state leading practice SAP ITGC Risk and Control Matrix. Additional transaction codes and authorization objects were added and updated to ensure all sensitive access data aligns with current sensitive access requirements including 77 t-codes for SHIPERP within SAP S/4HANA.
- In year three, the team automated not only the evidence extraction but the audit evidence work papers as well. The full automation now saves 95% of time compared to year one when the process was fully manual.
The continued use of automation led to identifying new areas of improvement and continued advancements year over year.
To create the SAP Extraction Accelerator, Protiviti leveraged a combination of Microsoft’s Power Platform and UiPath, a leading provider in the RPA industry. The accelerator is an ‘attended bot’: the actions it takes are reflected on the user’s screen rather than running in the background. Using the pre-built accelerator on Protiviti laptops offers a quick-start, or out-of-the-box, method in which no updates or changes need to be made.
As organizations look for ways to automate and increase efficiencies in day-to-day activities, low-code automation technologies such as the RPA in this SAP ITGC Sensitive Access accelerator open up tremendous opportunities in SAP ITGC and SOX testing. Since test steps are generally repetitive, automating them is a great solution. Automation not only reduces the time it takes to extract the data and generate audit evidence but also minimizes (or essentially eliminates) manual user mistakes, further reducing review time. Teams can now spend more time focused on activities that will add value to the organization, rather than manually taking screenshots and formatting files for auditors.