Robotic Process Automation (RPA) – Forward Thinking Innovation
Automation presents many opportunities for internal audit
Business owners and shareholders are experiencing the desire for increased productivity and efficiency. At the same time, there is a war on talent. The desired talent in your business consists of people looking for meaningful work as a motivator. Research performed by Gartner suggests that increasingly more than ever, people want their employers to recognize their value and that purpose-driven work is essential to thriving. This is the value that employees expect their employers to provide. In addition, technological advances focusing on digital transformation, customer expectations, and globalization have increased the need for higher productivity and efficiency.
While some forms of automation have been in existence since the widespread adoption of computers, today’s RPA leverages emerging technologies such as machine learning and artificial intelligence. Today, automation software can perform complex and straightforward human-like functions such as interpreting, classifying, deciding, acting, and learning.
With the ability to automate a vast range of processes, automation has empowered many organizations as a digital workforce. A wide range of organizational sizes, industries, and functional units within an organization, including internal audit, experience benefits from advancements in automation
Benefits of Robotic Process Automation
To realize increased productivity and efficiencies and provide the value-add experience that people are looking for from their employers, businesses must embark on a digital transformation journey and leverage automation to evolve and innovate. Automating business processes using software robots (or ‘bots’) allows companies to:
- Increase productivity and efficiencies by:
- Reducing the risk of transactional and processing errors
- Increasing capacity and optimize workflows (scalable infrastructure)
- Saving time and effort, as a bot operates 24 hours a day /7 days a week/365 days a year
- Allowing for cost savings to be realized, since bots operate more efficiently
- Improve the employee work experience by:
- Automating the repetitive, mundane, and rules-based tasks
- Allowing for the employee to focus on more meaningful, value-add, strategic and challenging tasks
How Does RPA Impact Internal Audit?
While RPA presents new and innovative ways for the business to address productivity and workforce engagement challenges, it can also introduce new risks to the organization that internal audit can assist the business to mitigate. Internal audit is not immune from productivity and workforce engagement challenges; thus, internal audit should see if there are opportunities to leverage RPA within the internal audit process. As such, RPA presents both an opportunity and responsibility for internal auditors, as it impacts them in two distinct ways:
- Involvement as a value-added assurance partner and trusted advisor to the business to help the organization mitigate RPA risk
- Utilizing RPA to realize internal audit’s own efficiencies
Involvement as Value-Added Assurance Providers
Internal audit plays a vital role in adapting and considering the governance, risk, and control implications of automated processes and the underlying automation technology. As business processes are automated, the organization’s control environment will need to reflect these changes. A strong understanding of how automation is used is essential for the process owners and the internal audit function, as the associated risks that emerge will inevitably shift and introduce new risks. Internal audit plays a crucial role in ensuring that the organization addresses automation-related risks and that management has implemented the appropriate controls to manage these risks.
Involvement as Trusted Advisors
Part of an internal audit function’s responsibility is to provide strategic advice and insight. By helping the organization identify, understand, and control RPA related risks, internal auditors can position themselves as a value add and trusted advisors in some of the following ways:
- Ensure that risks and impacts to the organization’s governance framework and internal controls are identified early on by being involved from the start as the organization embarks on its automation journey.
- Advise management on their consideration of risk, monitoring of controls, and helping facilitate lessons learned as part of post-implementation activities.
- Help identify automation opportunities and provide recommendations on prioritizing processes that are ideal candidates for automation.
- Perform process efficiency reviews to recommend process optimization opportunities before a process is automated. Automating a “bad” or inefficient process would waste time, cost, and effort.
- Be involved in the vendor selection process, ensuring that qualified vendors are considered and that the automation software aligns with existing systems and the organization’s infrastructure.
A Closer Look from a Controls and Risk Perspective
Common areas for internal auditors to consider when auditing automation technologies are the following:
- Governance – an RPA program should have a robust governance structure to determine ownership, ensure oversight, and define roles and responsibilities. Internal audit should ensure that an appropriate governance structure, framework, and related policies are in place and adhered to.
- Access management – Collaboration between internal auditors and key stakeholders is essential to understand the business process at a holistic and granular level to discern the risk of unauthorized access to the automation program.
- Job logs – the automation software should produce job logs that record the actions taken by the bot to demonstrate a complete audit trail.
- Efficacy – what controls are in place to ensure that the effectiveness of the automation program is monitored and performing as intended to achieve the business process objectives? Has management considered monitoring tools or key performance indicators to ensure that the automation program operates effectively?
- Optimization of the underlying process – is the underlying process optimized and operating efficiently? Automating a process that is not optimized, has redundant steps, or is not operating efficiently can result in re-work and more costs in the long term. It should not be assumed that existing manual processes are compliant with policies and procedures or are ready to be automated due to underlying efficiencies.
- Loss of data – are backups performed per the organization’s risk tolerance? Internal audit needs to consider the risks and controls surrounding the potential loss of data.
- Business continuity – Internal audit needs to consider whether the automation technology has adequate controls in place to continue critical operations if RPA systems are not available.
- Change management – is there a change management policy in place, and is it followed? Internal audit teams should ensure that change management processes and procedures are implemented and adhered to, including stakeholder communication plans.
- Exception handling and processing – does a documented process exist to triage issues that may arise? Are tools in place to automatically alert for when error handling is required? Internal auditors must consider whether job error or exception logs are produced and whether or not a person reviews them.
- Completeness, accuracy, and integrity of data – do controls exist to ensure that bots continue to perform as intended and that data processed remains complete, accurate, and maintains integrity?
As automation initiatives evolve and continuously change, an organization’s internal audit function will need to continue to assess the related risks as part of its risk assessment activities.
How Internal Audit Can Utilize RPA to Realize Efficiencies
For internal audit functions, it can be challenging to obtain the necessary budgets and executive and Board support to substantiate the financial spend on new technologies such as automation tools. However, RPA can be used to realize greater efficiencies and improve audit coverage.
What’s the best way for internal auditors to make their case? Here are some RPA cases for the internal audit function to demonstrate the importance of greater efficiencies to focus on more value-add activities.
- Risk assessment, materiality, and scoping – automation can be used to extract data to determine proposed materiality. This can be done by comparing or benchmarking other internal or third-party data sources (i.e., market data). It can also be applied to identify anomalies within transactions and processes to determine the scope and focus on areas that present a greater risk. RPA can monitor key risk indicators (KRIs) considered during the annual risk assessment.
- 100% testing of the population – Through automated testing, RPA can examine and test entire data populations, while internal auditors can focus on the exceptions or anomalies identified by the bot. This will allow management to have greater confidence that critical controls are designed and operating effectively.
- Population of working papers – RPA can pre-populate certain audit documents such as test matrices, testing attributes, and working paper templates.
- Automation of testing – automation can be used for repetitive and mundane audit procedures.
- Reporting – typically, the internal audit activity has to create different versions of reports for various stakeholders. RPA can assist with automating reporting and dashboarding activities.
- Continuous auditing – rather than meeting with auditees for interim and period end, automation can audit year-round and provide test results, reducing fieldwork for auditors and being less invasive to their auditees. This will help to reduce audit fatigue of auditees.
Overall, internal audit teams should clearly define their vision and strategy for automation, ensuring that there is a clearly definable return on investment (ROI). The use of automation by the internal audit function can:
- further reduce audit risk;
- identify and provide more significant insights into anomalies;
- reduce manual errors in repetitive and mundane testing; and
- allow for the focus on higher value-added activities such as investigating anomalies and root causes.
Given internal audit’s role in leading the organization to strengthen its risk, control, and governance processes at a holistic level, internal audit is best suited to assist the organization on its automation journey from an advisory and assurance perspective. Internal audit’s deep understanding of individual business processes and the organization’s overall objectives and strategy can provide significant insight and value into automation strategy and governance and weakness in the control environment to address automation-specific risks.
How Richter can help
Richter’s Risk, Performance, and Technology team focuses on assisting organizations in implementing state-of-the-art, specialized software solutions to revolutionize their business operations and IT infrastructures. We are committed to providing continuous support, identifying and providing improvement areas for enhancing and improving the organization’s control environment, and providing realistic and customized advice and recommendations. Richter’s team of experts can provide advisory or assurance services in the following areas related to automation:
|Service Area||Service Type||Example|
|Internal Audit – Automation Subject Matter Expertise||Internal Audit Mandate Execution||Conduct an internal audit engagement over an automated process to provide management, the Board, and other stakeholders with reasonable assurance that critical risks have been addressed.|
|Advisory Support||Provide subject matter advice on the internal controls that should be in place to address the risks that a new automation solution brings to your organization.|
|Automation Strategy and Governance||Process Harmonization and Optimization||Ensure that the process is streamlined and standardized before automation.
|Automation Roadmaps||Conduct workshops with key stakeholders in your organization to identify and prioritize processes that are candidates for automation while maximizing your return on investment.|
|Automation Strategy, Governance & Policy Development||Build an automation strategy to align with your business objectives across the organization that is sustainable.
Develop policies and procedures surrounding the automated process.
|Automation Implementation Services||Vendor Selection||Select the right automation vendor for your organization, aligned with your strategic plan and technology roadmap.|
|Project/Project Management and Implementation Support||Leveraging our project management expertise, act as a trusted partner of your organization to manage the automation implementation throughout all stages of the project management lifecycle.|
|Managed Services||Management and Maintenance Support||Support the automation solution post-implementation. This includes managing changes and errors and providing the necessary solution support.|