Common Automation Governance Pitfalls and How to Avoid Them
It’s the age of automation, and nobody wants to miss out. Chasing the promise of time and cost savings, optimized resource usage, better-quality outputs, increased productivity and efficiency, and data-driven insight and risk reduction, organizations across industries are racing to adopt the right automations to move their businesses forward. Indeed, Gartner predicts that by 2024, organizations will lower operational costs 30% by combining hyperautomation technologies with redesigned operational processes.
With the rapid advancement of automation technologies, greater accessibility, and “FOMO” spurring them on, organizations are too often allowing functions to be automated without governance. The common misperceptions are that automation is “easy,” implementers can be trusted to ask for help, and collaboration will happen naturally. The truth is that without appropriate levels of governance, automation programs often falter or fail.
Automation is quickly outpacing the controls and compliance mechanisms we have, making it an opportune time to assess automation risk and opportunity across the business. Accordingly, internal audit is well-positioned to take an advisory role in helping to guide automation governance. Involving internal audit early in the automation journey helps organizations expose, anticipate, and manage both risks and potential, thereby avoiding common automation governance pitfalls. Below are the three most common pitfalls we see — and how internal audit can help avoid them.
Pitfall #1: Lack of Executive Sponsorship and Change Management
When organizations lack an executive-level automation champion, automation programs often languish. This lack of executive sponsorship is one of the foremost reasons we’ve seen automation governance centers of excellence fail in their first year.
Automation affects not only processes and technology, but also people. So change management is crucial. An executive sponsor/champion is instrumental not only in driving automation efforts and giving them visibility, but also in evangelizing their impact — helping people understand the benefits, experience the value, and feel less fearful and more invested.
How Internal Audit Can Help:
- Stress the importance of alignment and sponsorship at the executive level.
- Use internal audit’s natural cross-functional integration to help evangelize and find opportunities.
- Understand the culture risk your organization faces, helping identify potential challenges (e.g., cultural resistance, slow adoption, lax risk management, need for upskilling). Learn more in Deloitte’s “Enabling Digital Transformation by Managing Culture Risk.”
Pitfall #2: Choosing or Prioritizing the Wrong Areas to Automate
The increasing accessibility of no-code and low-code automation solutions means business users are often leading the way in implementing automations. This approach brings significant risk, including lack of cross-solution or -function interoperability, inability to scale, and heightened security, quality, and compliance issues. There’s also the risk that automation efforts are being misdirected or misprioritized — another top pitfall we’ve seen.
Time, bandwidth, and funds are limited in every organization, and just because something can be automated doesn’t mean it should be. A well-thought-out automation governance framework is needed to define a clear vision and plan for your automation program, including agreeing on objectives and outcomes; establishing a center of excellence (COE) and leadership structure; and documenting a highly organized automation life cycle (more on that below).
How Internal Audit Can Help:
- Get involved in automation governance. Internal audit should have a seat at the table. Help identify, assess, validate, and prioritize opportunities (based on complexity, ROI, security/access issues, etc.), balancing desired outcomes with levels of documentation/effort. Is it worth the time to automate processes? Do they need to be automated end-to-end?
- Map where you want to go. As recommended by Harvard Business Review, this can encompass assessing current capabilities, performing a gap analysis, and sequencing a step-by-step journey. Identify early projects that establish foundational technology and talent infrastructure to support future automations.
- Choose technologies that fit the work. Avoid marrying the organization to one specific technology, instead adopting a best-of-breed approach that embraces hyperautomation and incorporates technologies to solve specific problems.
- Communicate with IT and IT Security. Keep in mind that internal audit can advise and drive automation efforts, but still needs IT’s support. If a group is automating processes that touch different systems, IT should be aware for security reasons. IT should also provide their roadmap to internal audit to avoid duplicating efforts or automating on top of a system with an upcoming major upgrade. For instance, if a system or service is expected to migrate to the cloud, it may be best to wait until the process is in the cloud before automating it.
Pitfall #3: Unstructured Development and Deployment Process
In many organizations, automation development/deployment is quickly becoming more democratized — and less controlled. But many of the business users implementing automations don’t have development backgrounds or know how to build robust deployment pipelines.
That’s why it’s important to document a well-organized automation life cycle to guide efforts. It should cover process ideation, assessment, feasibility, current-state process documentation, proposed solution design, and process reengineering, alongside the standard cycles of development, testing, implementation, deployment to production, evaluation, maintenance, and ongoing improvement.
How Internal Audit Can Help:
- Early on, help account for relevant governance, risk, and control considerations (e.g., compliance, access, security) within the automation life cycle, including a strong focus on ITGCs. Digitize existing or design new controls as needed, and make sure they’re functioning.
- Adopt appropriate frameworks and standards (e.g., COSO Internal Control — Integrated Framework (2013) Principles 9 and 11, Governance and Management Objectives outlined in COBIT 2019) that support integration of regulatory demands and considerations.
- Perform readiness or risk assessments prior to deploying automations.
Move Forward With the Right Balance of Governance
Clearer guidance around the use of automation technologies is likely coming; firms are pushing for it. But forward-thinking organizations are moving ahead despite the uncertainty. Against this backdrop, internal audit has an instrumental role to play in making sure organizations avoid common pitfalls and achieve the right balance of automation governance.
Brett Luis was a VP of Product at AuditBoard, where he focused on enhancing audit products through analytics, automation, and other advanced technologies. Before joining AuditBoard, Brett was on the front lines — supporting public companies in standing up robust internal audit and SOX compliance programs — and in the audit trenches, leading attestation reporting engagements and the IT component of the internal controls and financial statement audits for public registrants. Connect with Brett on LinkedIn.
Joe Kim is a Director of Product at AuditBoard, serving as the product leader for AuditBoard’s audit software product line and leading innovation in this space by empowering the next generation of auditors using transformative technology. Joe brings 16 years of experience in both public and private accounting with specializations in workforce automation and data analytics. Connect with Joe on LinkedIn.
Scott Madenburg, CIA, CISA, CRMA, is Market Advisor, SOX & Internal Audit at AuditBoard. Prior to AuditBoard, Scott was Head of Audit at Mobilitie LLC, with nearly two decades of experience in operational, IT, and financial auditing, as well as SOX compliance. Connect with Scott on LinkedIn.