Internal Audit and Robotic Process Automation (RPA)

In a context with emerging and rapidly changing technolo- gies, organizations are seeking to benefit from technological innovations such as; Blockchain, RPA, Artificial Intelligence, Machine Learning, just to name a few. At the same time, audit professionals are challenged to keep up with changing business processes by means of the necessary knowledge and expertise, to meet stakeholders’ expectations.

In general, technological innovation offers a window of opportunity for Internal Audit to add additional value to the organization, not only in terms of providing ‘Assurance’ but also to act as a ‘Trusted Advisor’. Moreover, Internal Audit should seek the benefits of integrating innovative technology in their own way of working.

One of these (not so new anymore) technologies is Robotic Process Automation (RPA), which in the meantime has been implemented by companies in different industries such as; Banking and Finance, Insurance, Healthcare, Manufacturing, Transport & Logistics and Utilities. After all, software robots seem to be good candidates in order to improve the efficiency and effectiveness of some business processes, to provide better customer experience and to reduce costs

As a result of the increased usage of RPA, Internal Audit functions need to consider the associated risks for the organization and the potential impact of RPA on Internal Audit activities.

In other words: how can Internal Audit position itself towards RPA?

1. What is RPA ?

RPA is not a physical machine or “robot”, but rather is con- figured software that performs the same business activities in the same IT systems according to the same business rules that a human does today. More specifically, “RPA systems are capable of mimicking human user actions: the robot will log into applications, move files and folders, copy and paste data, fill in forms, extract structured and semi-structured data from documents, scrape browsers, and much more.”(1)

RPA has some typical features (2):

  • The automation software sits on top of the enterprise IT systems and does not require the creation or additional development of IT systems.
  • Given the easy-to-use design interface, business professionals rather than IT professionals are capable to configure the automation rules in the software.

A few examples of RPA software vendors are : UiPath Platform, Blue Prism, Automation Anywhere, Microsoft Power Automate (3)

2. RPA versus cognitive automation

Another way to better understand RPA is to highlight some differences with “cognitive automation”. Although both technologies are used to mimic human actions, cognitive automation is a knowledge-based technology to simulate complex tasks involving human judgment and decision-making, while RPA is a process-oriented technology to automate rule-based and repetitive tasks.(4)
However, a strict distinction between both types of technologies is difficult to maintain as both technologies are often combined and integrated in one solution. For example in the context of Anti-Money Laundering where cognitive automation and analytics are used for monitoring purposes (e.g. machine learning models to detect changes in customer behavior or analysis of large amounts of unstructured data to obtain customer knowledge (KYC) in combination with RPA for more administrative tasks (e.g. setting up of customer data, validating customer information,..

3. What are the key advantages of RPA ?

RPA provides many advantages for both the organization, the employee and the customer:

  • RPA can execute repetitive and recurring tasks at a higher pace than humans can do
  • RPA can execute repetitive and recurring tasks with lower error rates than humans can do
  • RPA can execute repetitive and recurring tasks with higher rate of predictability on timing and quality
  • By automating repetitive and recurring tasks, RPA allows freeing up time of human operators to focus on more value-added work

The table below provides a summary of potential benefits of RPA for shareholders, customers and employees.

4. How can internal audit take position toward RPA ?

As with many other technologies, RPA brings both responsibilities and opportunities for Internal Audit
practitioners. For one, Internal Audit has the opportunity to support and guide business leaders in selecting and prioritizing business processes that are suitable for RPA. Secondly, the primary focus of Internal Audit will be on providing advice and assurance regarding risks and controls related to the implementation of RPA. Finally, RPA provides a number of opportunities to optimize the way of working of Internal Audit (7).

 

  1. In summary, following advisory/assurance roles can be adapted by Internal Audit (8) :
    Identify opportunities and risks when selecting processes to become automated
  2. Provide advice and assurance considering
    governance, risk and controls regarding the RPA implementation
  3. Consider RPA to increase efficiency and effectiveness of the Internal Audit department:
4.1  Identify opportunities to embed automation in the business processes

Technological innovation brings the opportunity for Internal Audit, with its unique and broad view and knowledge of the organization, to become a ‘Trusted Technology Advisor’ towards the Board and Management.

Not every process is a good candidate to be automated using RPA technology. There are a number of criteria to determine the suitability of a business process for applying RPA:

  • The process is rules-based: this means that no human judgement/decision-making is involved. Decisions in the process are based on logical ‘If-Then-Else ‘rules.
  • The use of digital data inputs: non-digital data inputs such as printed, scanned, paper documents, are not suitable for RPA. However, they can be made compatible with RPA by using Cognitive Automation technologies such as machine learning, Optimal Character Recognition (OCR),
  • The use of structured data: structured data in automation is considered as “text in the form of an unambiguous sequence of letters or symbols that are inconventional layout or format”(9)
  • A highly repetitive and mature (i.e. stable) process with a low frequency of changes in the process

Obviously, focus should be on the processes with a high potential Return On investment (ROI). Multiple factors can influence the ROI; FTE impact, quality costs, employee satisfaction, customer satisfaction or service availability. (10)

RPA is not the silver bullet to solve all automation challenges. Organizations might make the mistake to jump into an RPA adventure, when in reality alternative solutions may have been better suited (e.g. a straight through processing (STP), business process management (BPM) or workflow solution). (11)

Therefore, Internal Audit can assist the organization in identifying and selecting the appropriate business processes to be automated.

4.2  Provide Support regarding governance, risk and controls throughout the automation proJect life cycle

Ideally, Internal Auditors become involved as soon as possible in the implementation of the RPA program, in order to timely identify risks and provide recommendations on mitigating those risks (e.g. with regards to project management, embedding of automating controls,..)

Not every automation of a business process should by default be evaluated and followed-up by the Internal Auditor. As always, a risk-based approach will determine how much resources Internal Audit needs to assign to the automated process.

Risk factors to be considered can be: complexity of the process, exposure to cyber risks, regulatory requirements etc.

Therefore, Internal Audit can assist the organization in identifying and selecting the appropriate business processes to be automated.

In the figure below we present 6 key risk categories that should be considered by Internal Audit.

5. Key risks related to RPA

RPA projects need to be considered in the context of the overall digital strategy of the organization. Internal Audit needs to evaluate the alignment between the RPA project and the general strategy of the organization in order to realize the value of the RPA project.

Questions that can be considered are:

  • Did management properly identify and assess the potential value of the RPA project?
  • The RPA project is aligned with the general strategy of the organization
  • How will saved time/FTE’s be (strategically) leveraged within the organization?

5.2. Governance & compliance risks

Ownership and roles & responsibilities regarding the RPA program should be clearly defined and communicated.

Questions that can be considered are:

  • Is project sponsorship properly assigned in order to obtain the required buy-in from the process owners, employees, IT, external stakeholders..?
    • Is it, for example, sufficiently clear what is being managed by IT and the business?
    • Does sufficient buy-in from the IT department exists? The IT department can support the business with; the onboarding of the software, modification of the access security and change management policies, Business Continuity Management, change management, data and system security,.
  • Has an adequate sourcing model been selected with appropriate third parties?
  • Have risks and controls been identified and assessed? Have results been communicated to stakeholders?
  • Compliance risks are being assessed on a periodical basis, considering the applicable policies, procedures and compliance requirements?

5.3. Identity & Access management (IAM)

The automation of business processes results in actions to be performed more anonymously, quicker, … Because the RPA software automates multiple processes, it typically has more access and hence more impact on the process outcomes than individuals could have. Hence appropriate controls on who can access and control the automation software, what the software can access etc are needed.

Questions that can be considered are:

 

  • Appropriate and secure access and password rules are applied?
  • Administrator accounts are proper and securely managed?
  • Software robots are uniquely identifiable?
  • Only authorized users have access to the access credentials of the software robots?
  • An audit trail is available in order to trace transactions performed by the software and to ensure accountability
5.4. Deployment, development and IT change management

An interesting statement is that “Software robots should be considered as a hybrid-half worker, half software. Robots are part of the workforce, so they need to be managed like humans. They are also part of IT and need to be managed like SW” (12).

Questions that can be considered are:

  • Did we pick the right RPA tooling in line with the business strategy. Tools can be deployed on desktops or servers but they can also be cloud-based. Each tool brings different risks . (13)
  • Did we take all relevant requirements (from business, compliance,..) timely into account when developing or selecting software?
  • Have all functional scenarios of the process been verified in a testing environment that is an exact copy of the production environment before releasing the robot software into production? (14)
  • Have the non-functional and security requirements been verified in a testing environment, with a focus on availability, confidentiality and integrity criteria ?
  • Have production and non-production environments been adequately separated to prevent unauthorized access and changes or unintended corruption of production systems during testing.
  • Have change management policies and procedures been put in place, to ensure for instance that all interdependencies have been addressed and that only tested and approved updates and configuration changes are being deployed in production?

5.5. Information security and privacy

As any other software the RPA robot is vulnerable for hacking and mis-use. Since the RPA interacts directly with the business processes and the enterprise data, the impact of a successful attack and malicious use is potentially large. Insecure storage, transfer or manipulation of data by the robot software might result in severe impact on the business process outcome or even a data breach.

Questions that can be considered are (15):

  • Have text files containing sensitive data, that are used by the robot, been encrypted to assure confidentiality while the data is at rest?
  • Has the infrastructure, including storage and servers, been hardened to allow only the necessary ports, protocols and services to meet business needs?
  • Have appropriate tools and access controls been put in place?
  • If available, third-party service reports (e.g., SOC 1 or SOC 2 reports) demonstrating compliance with information security objectives and delivery level agreements are being reviewed on an annual basis?

5.6. Business continuity

In case of a disruptive event, a proper back-up plan and disaster recovery plan for the RPA needs to be available.

Questions that can be considered are:

  • Does the RPA software support a critical business activity?
  • An assessment has been performed on the impact of the loss of the RPA software?

6. Assuring the flawless operations of the RPA-Application controls

It might be required for Internal Audit to evaluate application controls of the RPA software which is applied in business processes. This way auditors can evaluate the completeness, confidentiality and accuracy of data transfers and data processing by the RPA software and between the RPA software and other applications (e.g. interface controls, batch-job controls,..)

To be able to perform an application control evaluation on the RPA software, auditors should sufficiently understand the RPA process, which include collection, input, processing and output of data.

7. Increase internal Audit efficiency through the use of RPA

Finally, Internal Audit can position itself towards RPA as a user of the automation technology to increase efficiency and effectiveness of the activities of the own department.

Opportunities can be identified throughout the audit life cycle: risk assessment, audit planning, audit fieldwork and audit reporting. The key message is the same: “employ RPA for any routine administrative activities to improve efficiency of planning, testing and reporting activities”

Each stage has the potential to automate some of its processes. In the table below, we list some examples:

Bereik je doelstelling dankzij onze diensten

Audit

Tax

Accounting and Reporting

IT Services

q

Risk Management

Corporate Finance

Uw expert

gorik van den bergh
Gorik Van den Bergh