CTA helps tech companies reimagine risk management


When a tech company updates its back office, it can also reimagine risk management that drives real returns.


Even the most innovative tech companies have traditionally been slow to update their back-office financial processing and analysis. Now, as more companies are moving to update these business processes, they can also improve their risk management through control test automation (CTA).

Take a deeper dive into CTA

For a detailed analysis of CTA — and an illustrative example of CTA over a user-access provisioning control, download Take control testing to a new level with CTA. Grant Thornton and the AICPA  co-produced the report to shed light on how CTA can be relevant to organizations and their internal and external auditors.


“A high degree of automation is happening in boundary systems for the tech industry,” said Grant Thornton Technology Industry National Managing Partner Andrea Schulz. “So, when the data finally hits the organization, companies have an opportunity. The more advanced your back-office solutions are, the more opportunity you have for control test automation.”


This new opportunity is aligned to meet some of the industry’s top needs.


“If you’re trying to focus on value creation and top-line and bottom-line growth, you're going to be looking to automate,” said Grant Thornton Risk Advisory Services Senior Manager Wes Luckock. “The tech industry has the perfect combination for successful CTA — it has companies with a strong data foundation, strong technology adoption already in place, and a need to optimize. That positions CTA front and center.”


When tech companies apply CTA effectively, they can achieve:

  • More expansive testing: Full populations of data can be tested, rather than just a sample. This more expansive testing can identify errors or issues that could have been missed before due to human error or other limits of sample-based approaches.
  • More efficient testing: Automated testing can reduce work that’s labor-intensive and repetitive. Once testing is efficient and automated, it can also be more continuous — which means your results can be more timely.

To apply CTA effectively, companies need to determine what to automate, where to start and how to implement the solution.



Related resources


What to automate


Advances in technology have introduced new capabilities for CTA in a range of controls across a tech company’s financial reporting and other business processes.


CTA can combine continuous monitoring with customized alerts that indicate when deviations exceed acceptable thresholds. These capabilities can help both internal and external auditors, along with management. Automation can even handle supervisory control activities like authorizations, approvals or reconciliations.


For instance, many tech companies have opportunities to automate and improve controls in ICFR, ITGC and cybersecurity.



IT general control (ITGC)

Headshot of Andrea Schulz

“I think CTA can be most beneficial on the ITGC front. Any engineering time you can save on those operational back-office compliance procedures becomes time they can divert to your customer-facing systems.”

Andrea Schulz

Grant Thornton Technology Industry National Managing Partner  


“I think CTA can be most beneficial on the ITGC front,” Schulz said. For tech companies, ITGC testing often involves engineers who are tasked with the testing because of their position and system knowledge. “Any engineering time you can save on those operational back-office compliance procedures becomes time they can divert to your customer-facing systems,” Schulz said.



Internal control over financial reporting (ICFR)


Internal and external auditors can use CTA to support or gather evidence about the effectiveness of ICFR. A SaaS provider or other company with subscription-based billing can use ICFR control automation to improve revenue recognition, while companies with point-in-time revenue or discrete individual sales can consider access and other controls.




Headshot of Wes Luckock

“If you're trying to improve risk mitigation and manage security threats, automation is perfect for that.”

Wes Luckock

Grant Thornton Risk Advisory Services, Senior Manager


Many companies already have controls to help mitigate the ever-growing need for cybersecurity. “If you're trying to improve risk mitigation and manage security threats, automation is perfect for that,” Luckock said. “You can monitor access controls continuously, more effectively, and ultimately reduce that risk more significantly than you could with traditional processes. With the need to have a higher degree of risk mitigation for cybersecurity threats, it’s hard to do that without increasing headcount or optimizing through technology.”



Compliance and other needs


CTA can also help tech companies improve controls for other operations, reporting or compliance objectives.


“CTA is about controls in general,” Luckock said. “Controls are not just financial. If you build them for mitigating access risks, like an ITGC control for access provisioning and review, that can then be quickly replicated and applied to a code management system. Now, you have an investment with a dual purpose for very little additional effort.”


“You’re investing to reduce your compliance costs and the burden on engineering teams from a financial compliance standpoint and a regulatory compliance standpoint, but then you also can repurpose that for reducing cybersecurity risk and a risk of inappropriate access to sensitive code,” Luckock said. “That's important for the tech industry.”


Where to start


“With the tech industry, CTA is about optimizing the resources that you have — making them more effective and efficient, often to meet investor expectations,” Schulz said.


Tech companies have seen a lot of right-sizing that reduced staff after the pandemic boom. In many areas, they are looking for automation to help maintain or improve performance with limited resources. “CTA helps to make your people more efficient and also gives you better insights,” Schulz said.


To gain efficiencies — efficiently — you need to know where to start.



The decisions


Automated testing is easier to implement for some controls than others. Generally, it’s quicker to automate controls that are objective rather than subjective. For instance, it’s relatively straightforward to automatically compare all vendor billings and reimbursements, sending an alert if the amount of a reimbursement does not equal the amount billed on the invoice. It’s more challenging to automatically test whether the amount on the invoice is reasonable.


So, the first candidates for CTA are often controls with clearly defined attributes like tolerances, distinct values or pass-fail conditions:

  • Authorizations
  • Approvals
  • Verifications
  • Segregation of duties
  • Provisioning and deprovisioning
  • Data access and security configurations

“Think about your non-subjective business processes,” Schulz said. “The procure-to-pay process is a great candidate, or you can look at financial reporting.” Companies might also consider their HR processes for termination controls, employee onboarding or access provisioning. To achieve the quickest returns on CTA, companies need to find a combination of non-subjective processes and quality data.




The data


CTA also requires clear and comprehensive data. “When you embark on a CTA plan, look for where you have structured data standardization,” Schulz said. “Maybe it’s a business process where you are using a number of hosted systems, so the data is more standardized.


As with most automation, CTA can only be as good as its information. For instance, whole-population testing is only comprehensive if its data population is complete and accurate. Fortunately, CTA can extract preformatted information directly from existing systems or applications when it’s designed and implemented effectively.


How to implement


If a control needs to answer a clear question about a large volume of high-value data, that might be a great candidate for automation. For instance, if an organization sends tens of thousands of checks to vendors each year, CTA can test that every check matches the amount on the respective invoice and has the required approvals — and it can do that in a tiny fraction of the time that a person would take to test a sample of transactions. However, people still play an important role in CTA.




The people


Human involvement in CTA is essential to help ensure strong governance. Organizations need to establish responsibilities and accountabilities for designing, implementing and maintaining effective governance over the IT environment and the controls that will support a CTA program.


One important function is that people need to test and validate the automations that an organization has developed. Validation often requires test runs that verify accuracy and consistency by comparing the CTA results to those from manual testing. The validation team might need to help modify controls and recalibrate automations several times before implementation.


Leaders need to carefully determine an acceptable failure rate for a control or control objective, appropriately evaluate the results and conclude its operating effectiveness. In some cases, like security access approvals, that acceptable failure rate might be zero. However, if you set a failure rate of zero on a control that requires manager approval for expense reimbursements, then you need to design a process for coverage when a manager is on vacation. You might need to set the control’s failure rate at a higher value  with a separate control or control attribute to ensure that finance investigates deviations and identifies whether an appropriate delegate is designated.


CTA considerations become more complicated as the controls and automated testing become more complex. However, the biggest challenge can be the data and technologies that feed the automation.



The technology


Often, automations need to integrate data from a range of systems or sources, and that can require a range of technologies.

Headshot of Wes Luckock

“To implement CTA, the easiest part is configuring the logic for the testing. The hardest part is accessing the data to perform the testing.”

Wes Luckock

Grant Thornton Risk Advisory Services, Senior Manager


“To implement CTA, the easiest part is configuring the logic for the testing. The hardest part is accessing the data to perform the testing,” Luckock said. “Most of the time required to implement CTA is usually spent acquiring and pairing the data for the system that’s being built.”


If an organization is automating a process that involves invoice data, for instance, the invoices might be stored in different formats, on different systems or even require OCR technology to digitize. CTA can extract data from existing systems, but that data might not be ready to process. “With ERP systems, every entity is going to have a slight variation in the way they implement it,” Luckock said.


Evaluate your environment and consider the systems and technologies that you already have in place as you determine the most cost-effective and low-maintenance approach for CTA. Your environmental factors might lead you to a customized solution. “CTA can be achieved in a lot of different ways,” Luckock said. “You can write Python scripts to achieve it with coding, you can leverage applications to do workflow automation and there are a number of other technologies that can be mixed and matched to achieve the goal of automating testing.”


The potential of AI


AI capabilities have the potential to empower CTA in multiple ways. “For data extraction, data processing, evaluation of test procedures that aren't straightforward logic — all of these things that have limited CTA could be alleviated, to some extent, by using AI models,” Luckock said.

Headshot of Andrea Schulz

“It strengthens your control environment because you'll be able to react to any deviations or even prevent more deviations up front.”

Andrea Schulz

Grant Thornton Technology Industry National Managing Partner 


“Is AI going to alleviate everything? Likely not. It could mean that we can go from automating 30% of an organization’s controls to automating 70% — it depends on several factors, but we know it's going to be more,” Luckock said.


“For something like, ‘Read this payment’s business justification and determine whether it's reasonable,’ we couldn't have automated that before,” Luckock said. “Now, with large language models, we will be able to train models to understand the business and what’s reasonable. Then, they can actually make a preliminary judgment-based conclusion that’s reviewed by a human.”


In other cases, AI analysis and machine learning can help identify more complex issues that warrant attention. Schulz said, “I think that AI can help for real-time anomaly detection, because you can better identify what you're expecting in terms of the transaction patterns and protocols, then deploy that through continuous auditing for your control testing.” With more continuous testing, in more cases, your control environment can improve overall.


“It strengthens your control environment because you'll be able to react to any deviations or even prevent more deviations up front,” Schulz said. “A lot of control exceptions in some environments are a result of manual controls that did not occur or deviated from how they should occur. By putting in measures up front, you might be able to prevent deficiencies from arising. If a deficiency does arise, and CTA detects it, you can remediate it more quickly to help reduce its impact.”


This proactive approach to controls can help tech companies reimagine and evolve their risk management plans overall. It can even help companies move from a “testing mindset” to a more integrated business process mindset where the system becomes the control.




The system as the control


Effective CTA programs can include monitoring activities, supervisory controls or both. They can lead to better risk management across the enterprise by enabling detailed analysis with pattern and deviation identification that ultimately drives more timely decisions.



“When you get on the path of automating control testing, you can get to a point where you're looking at everything and monitoring activities continuously for the purpose of testing,” Luckock said. “That can almost become a better form of the control process itself — or almost become the control. By better understanding and automating control test procedures, you can almost build a better control system for risk management.”


With a better and more comprehensive understanding of what you need to ensure and how that can be logically captured, companies are already making an investment that better informs their systems, solutions, infrastructure and processes — to manage risks and drive more stable results across a more controlled enterprise environment.



Content disclaimer

This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.



Tax professional standards statement

This content supports Grant Thornton Advisors LLC’s marketing of professional services and is not written tax advice directed at the particular facts and circumstances of any person. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. If you are interested in the topics presented herein, we encourage you to contact a Grant Thornton Advisors LLC tax professional. Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.


CTA insights from other industries




Our technology and telecommunications featured industry insights