In the second episode of our podcast, Risk Grustlers, we are stepping into the future of audits with Shashank Karincheti, the mastermind behind Razorpay’s cutting-edge IT GRC.
Shashank unravels the secrets to streamlining compliance, optimizing efficiency, and maximizing accuracy, and discusses perspectives on audit automation for organizations of all maturities.
He offers an inside look at the decision-making process of choosing between in-house development and partnering with third-party vendors for automation. He also highlights the power of culture and strategy, explaining how aligning business goals, industry regulations, and company values is the key to automation triumph.
Get ready to delve into the strategic considerations behind prioritizing audit processes, establishing metrics and KPIs, and measuring the true effectiveness of automation programs.
Without further ado, let’s take a look at what our host Pratyush Kukreja and guest Shashank Karincheti uncovered in their illuminating conversation.
PK: Let’s talk about audit automation, which is something you’ve been championing at Razorpay. Given the evolving landscape of cybersecurity and fintech in India, audit automation can mean different things depending on the organization’s maturity. Where do you see audit automation fitting into your context?
SK: That’s a great question, Pratyush. In many cases, audits are seen as a checklist exercise, where you complete certain tasks and consider the job done. However, nowadays, audits are more about compliance by design. For example, certifications like SOC 2 require specific criteria to be met, indicating the presence of controls that provide a level of comfort. So, in our context, audit automation means creating a platform where compliance and framework requirements are built-in, ensuring a bigger picture of security and control.
PK: So, audit automation is about standardizing processes and incorporating compliance and framework requirements. It helps provide real-time insights and visibility into the state of compliance, making it easier to assess and manage.
SK: Exactly! Audit automation allows us to focus on the actual work rather than spending excessive time on manual tasks. It enables us to measure compliance levels, identify areas for improvement, and streamline the overall audit process. It also helps optimize our resources and reduce the time required for audits.
PK: That’s fascinating. So, as you continue to mature in your automation journey, how do you establish metrics and KPIs to measure the effectiveness of your automation program?
SK: Good question. One of the key metrics is the percentage of compliance achieved based on the established frameworks. We want to ensure that we are meeting the requirements set by various regulations and certifications. Additionally, we track the reduction in man-hours required for tasks that can be automated. By leveraging automation tools, we aim to minimize the effort needed for audits and enhance productivity within the compliance team.
PK: That makes sense. It’s crucial to track the time and effort saved through automation and demonstrate the return on investment. So, in your experience, when it comes to automation, organizations often face the build vs. buy decision. How do you approach this and what value does partnering with vendors bring?
SK: Indeed, it’s a common challenge. While we have the skills to build automation tools in-house, we believe in focusing our core capabilities on our products and services. Partnering with vendors allows us to leverage their expertise in automation and benefit from their specialized solutions. It also helps us ensure scalability, performance, and the ability to handle complex frameworks. Through robust vendor management practices, we maintain control over sensitive data while benefiting from the vendor’s domain knowledge and tool capabilities.
PK: I see. So, it’s about utilizing external expertise and specialized tools to optimize efficiency and scalability while maintaining control over data. Finally, for organizations starting their journey towards audit automation, what would be your recommended playbook to build a strong foundation?
SK: To begin, it’s essential to understand the nature of your business, whether it’s B2C or B2B, and the industry you operate in. This understanding will shape your compliance and framework requirements. Next, focus on building a culture of compliance and make it a part of your organization’s DNA. Understand the relevant frameworks, such as ISO 27001, and prioritize your actions accordingly. Lastly, once you have this foundation in place, you can evaluate automation tools and decide which processes to automate and which ones require manual handling.
PK: Great advice! Building a culture of compliance and aligning it with the organization’s goals is key. Thank you, Shashank, for sharing your insights and experiences with us today. It was a pleasure talking to you.
SK: The pleasure was mine, Pratyush. Thank you for having me.