All public companies with listings on American stock exchanges must comply with the Sarbanes-Oxley Act; this is known as SOX compliance. The act assigns companies various responsibilities to limit the risks of fraud and criminal behavior. Maintaining SOX compliance is often a time-intensive and costly task, and many parts of the business must be examined in detail. Luckily, these controls are mostly rule-based and repetitive, which makes the automation of SOX controls a good fit for Robotic Process Automation (RPA). This results in significant time and cost savings. It also enables continuous monitoring of controls, or at least an increased frequency of control execution. As a bonus, the risk of error is reduced or even completely removed by replacing manual checks with automated checks.
Earlier this year Darling Ingredients asked Tacstone to do an RPA pilot. The aim of the pilot was to automate a number of SOX controls. Darling is a global developer and producer of sustainable natural ingredients from edible and inedible bio-nutrients. Darling creates a wide range of ingredients and customized speciality solutions for customers in the pharmaceutical, food, pet food, feed, industrial, fuel, bioenergy and fertilizer industries. Darling’s IT landscape includes multiple JD Edwards instances, where IT Application Controls (ITAC) are audited monthly. In just a few weeks, Tacstone developed a working “software robot” which now performs the ITAC controls fully automatically. The result is a situation with continuous monitoring and a reduced risk of audit failures.
Continuous monitoring of SOX controls
Watch a full walk-through of the robot and the results in the video below. This video shows how the software robot uses the graphical user interface of applications (as employees do), but also works with applications like Excel and JD Edwards in the background. The control consists of three main steps:
All JD Edwards application permissions are extracted and placed in a centralized database. The latest version of the control sheet is retrieved from the central Document Management System.
- Executing the controls
The database with permissions is queried by an RPA robot, which checks each version of every application against the control sheet containing the exact rules and exceptions. The result of each check is clearly documented in a log file.
If one or more controls fail, the ITAC team is notified that action needs to be performed regarding the specific failed controls. If all controls succeed, a confirmation is sent via e-mail with the full log of performed checks.
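The three steps above, sketched as an added example (this is not Tacstone's or Darling's robot). The instance, user and application names, the table layout and the segregation-of-duties rule format are all constructed assumptions; the page does not show the real control sheet.

```python
import sqlite3

# Constructed sample extract: (instance, user_id, application, version, action).
PERMISSIONS = [
    ("JDE_EU", "alice", "APP_VENDOR_MASTER", "V001", "change"),
    ("JDE_EU", "alice", "APP_PAYMENTS", "V001", "run"),
    ("JDE_EU", "bob", "APP_PAYMENTS", "V001", "run"),
    ("JDE_EU", "bob", "APP_PAYMENTS", "V002", "run"),
    ("JDE_US", "carol", "APP_VENDOR_MASTER", "V001", "change"),
    ("JDE_US", "carol", "APP_PAYMENTS", "V001", "run"),
]
# Hypothetical control sheet: no user may hold both permissions on one
# instance, unless listed as an approved exception.
CONTROLS = [{"id": "ITAC-01",
             "first": ("APP_VENDOR_MASTER", "change"),
             "second": ("APP_PAYMENTS", "run"),
             "exceptions": {("JDE_US", "carol")}}]

CONFLICT_SQL = """
SELECT DISTINCT a.instance, a.user_id, a.version, b.version
FROM permissions a JOIN permissions b
  ON a.instance = b.instance AND a.user_id = b.user_id
WHERE a.application = ? AND a.action = ?
  AND b.application = ? AND b.action = ?
ORDER BY 1, 2, 3, 4"""

def load_permissions(rows):
    """Step 1: place the extracted permissions in one central database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE permissions (instance TEXT, user_id TEXT,"
               " application TEXT, version TEXT, action TEXT)")
    db.executemany("INSERT INTO permissions VALUES (?, ?, ?, ?, ?)", rows)
    return db

def run_controls(db, controls):
    """Step 2: check every application version against each rule and log it."""
    log, failed = [], []
    for c in controls:
        violations = 0
        for inst, user, v1, v2 in db.execute(CONFLICT_SQL, (*c["first"], *c["second"])):
            excepted = (inst, user) in c["exceptions"]
            violations += 0 if excepted else 1
            status = "EXCEPTION" if excepted else "FAIL"
            log.append(f"{c['id']} {status} {inst}/{user} ({v1}, {v2})")
        if violations:
            failed.append(c["id"])
        else:
            log.append(f"{c['id']} PASS")
    return log, failed

def notification(log, failed):
    """Step 3: build the message for the ITAC team, always with the full log."""
    subject = ("ITAC controls FAILED: " + ", ".join(failed)) if failed else "ITAC controls passed"
    return subject, "\n".join(log)
```

Approved exceptions are written to the log rather than silently skipped, so the evidence shows which rule matches were waived and under which control.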
- Increased frequency of control checking
- Reduced the risk of failure by continuous monitoring of operating effectiveness
- Substantially reduced amount of time spent on IT audit (time savings for JD Edwards Process Owners on manual compliance reviews)
This first robot has been used as an example to inspire employees within Finance, HR, IT and Internal Auditing to ideate and qualify possible (business) tasks to automate. A business case and project plan will be developed to set up an in-house RPA Centre of Excellence, in which Darling will develop its own expertise and a library of reusable robots and workflows. This team will continue to design, develop and implement software robots in the Netherlands, and look for opportunities to scale globally.