In this two-part series, we explore how organizations can leverage robotic process automation (RPA) and other automation techniques for IT Sarbanes-Oxley (SOX) testing within SAP environments. Today, we review the business need for RPA. Part 2 covers advancements and future use-cases for RPA-based solutions.
Robotic Process Automation (RPA), when deployed correctly, can significantly expedite what would otherwise be heavily time-consuming tasks. When applied to SAP Basis testing, almost the entire data extraction aspect of the testing process can be automated. Not only does deploying an automated solution for testing increase efficiency and quality, it also frees up time for employees to focus on value-add tasks rather than redundant, repetitive activities.
Protiviti’s Enterprise Applications Solutions (EAS) team often supports clients in performing IT Sarbanes-Oxley (SOX) testing of their Enterprise Resource Planning (ERP) systems. Due to the criticality of system security risks, we spend significant time combing through client records of system users with elevated authorization outside their function or with access to sensitive information to test logical access as part of the IT General Control (ITGC) component within IT SOX. Because of the replicable nature of this work, our team discovered how using an automated solution adds significant value during IT SOX testing.
Business Need
Many times, Protiviti’s standard IT SOX work program for SAP requires a significant focus on identifying users who have access that is either above what is needed for their current job responsibilities or deemed too powerful for any user to have. Whether these users receive unwarranted administrator access, can see sensitive financial information or have inappropriate access due to a job change, it is important for clients to understand what user access rights exist in their financial systems. Any inappropriate user access within the system can increase the possibility for fraudulent activities to occur.
Access in SAP is controlled through individual transaction codes. To determine which SAP users have access to sensitive transaction codes, an analysis of over 80 different access queries must be performed. Previously, it was necessary to either run each of these system queries manually or request the client to provide all documentation for the queries. For each query, a user listing screenshot had to be taken to evidence completeness and accuracy of the work; the corresponding listing would then be downloaded to excel for validation. Then, a manual count would determine the number of active users with sensitive access to each transaction code. When performed manually, this involved a significant amount of time, drawing our team’s focus away from contributing more valuable insights to each project. While understanding the users with elevated abilities in the system is extremely important to help our clients secure their financial environments, the process to obtain this information has been tedious and repetitive, serving as a perfect opportunity for automation.
Bot Development
To create the bot, Protiviti leveraged UiPath, the leading provider in the RPA industry. The bot is considered to be ‘attended’, as the actions it takes are reflected on the user’s screen, rather than running in the background.
The bot first navigates to the SAP screen where query criteria are entered to generate a specific user access listing. After automatically filling in the necessary criteria, the bot records a screenshot of the full screen, complete with a date and time stamp for audit compliance. Once the user listing is generated, the bot saves the criteria screenshots and user listing and downloads an Excel file of the output. The bot then returns to the query criteria screen, where screenshots and user listings are pulled for each subsequent query.
Once the bot has cycled through all the pre-coded queries, it uses the Excel output to determine a count of the active dialog users for each query to show true end-user access. The bot then creates a word document outlining the parameters of each query, the active users that meet the specified criteria and screenshots of the criteria and user listing output. This document, as well as the Excel output files, are ready to be turned over to the client almost immediately after the bot finishes running.
Client Spotlight
By leveraging an internal SAP application instance, the team was able to conduct rigorous testing on the bot to ensure the solution was ready to be deployed in client environments. The EAS team identified a potential client to pilot the bot with — a $750 million machine manufacturing company ready to conduct a review of IT SOX compliance on their SAP system.
After a discussion with the client about using an attended bot in their system, the team identified two separate SAP environments where this bot could be leveraged. The only client environment adjustment required to allow the bot to be run was changing a low-risk configuration setting. Once that setting was enabled, the team simply signed in through the Protiviti SAP profile, ran the bot, reviewed the results and passed the deliverables to the client. Leveraging this automation technology freed up our team from time-consuming, redundant work, allowed us to spend additional time reviewing the results with the client, creating more opportunities to deliver exceptional value.
Evolution of Bots
As with any technology, the automation Protiviti has developed to accelerate IT SOX audits are evolving as the team continues to add enhancements. Not only are further improvements possible with the core functionality, but there are also other processes in the IT SOX audit work program to automate.
One step is to develop dynamic functionality where the bot can search different criterion based on client need. This allows us to be more flexible in testing the customized environments of each of our individual clients. While Protiviti’s standard SAP IT SOX program includes robust sensitive access validations, clients may have different custom transactions or developments that would lend themselves well to dynamic functionality. This additional functionality also positions us to adapt quickly to the ever-evolving audit requirements, saving our clients additional rework. While SAP is a significant focus of this iteration of the testing bot, it is not the only enterprise application on which we continue to focus. The organization has evolved to other processes, applications, product versions and areas of focuses depending on our ever-growing client demands.
To drive further value across clients’ ITGC work programs, we have also had success creating bots to confirm password parameter compliance and in automating population extractions to complement the work in the user access space. These bots will continue to be developed, with the ultimate goal of end-to-end automation of the data extraction, testing and documentation requirements of the SAP IT SOX work program. As Protiviti continues to develop in the process automation space, not only do our consultants benefit from more time to contribute value-adding work, but clients will continue to see more efficient, accurate products and cost-effective deliverables through leveraging RPA tools.
To learn more about our SAP capabilities, contact us or visit Protiviti’s SAP consulting services.