The Audit Bots

As organizations rely more on robotic process automation, internal auditors need to be involved in assessing its risks and learn how to use it themselves.


Macro trends such as global cost competitiveness and cyber risk are driving organizations to innovate. One of the innovations that many organizations are implementing is robotic process automation (RPA), the automation of repetitive human activity in existing systems.

RPA uses coded scripts, or "bots," that work across multiple applications to perform repetitive, nonvalue-added, manual tasks. Automating these processes yields a higher processing rate in a fraction of the time. All facets of business can benefit from bots processing transactions, data, or requests.

In addition to their benefits to the business, emerging technologies such as RPA also impact internal audit and its value proposition. While the use of bots promotes an environment for internal controls and compliance auditability, additional review and considerations may arise. Management will call on internal audit to review these automated processes.

What's a Bot?

RPA bots perform tasks consisting of a wide variety of steps. They can validate system data, determine conclusions through logical checks, generate documents and information requests, and input received data into systems. Examples across the business include following up on invoice delivery dates with suppliers, performing pricing analysis, and processing leave of absence requests.

For invoice delivery, the bot begins by executing validation reports for invoices with unknown delivery dates and the associated supplier contact information. Then, the bot populates an email template requesting additional information from the supplier, performing follow-up as needed. Suppliers respond via a standardized form that allows the bot to extract the information and upload it to the purchasing system. If information is received in an incorrect format the bot can't read, escalation protocols flag these instances for human review. Furthermore, the bot works within the purchasing and email systems under a provided username and password, following the regular established invoice delivery date follow-up process. Bots can complete thousands of these emails in a day, which would otherwise take a group of employees more than a week.

By performing these types of repetitive time-consuming tasks, RPA can increase productivity, speed, and consistency of execution and employee satisfaction. The increase in employee bandwidth can enable employees to focus on higher-value tasks, further increasing efficiencies and driving down cost. Moreover, RPA can minimize common errors caused by human operators.

The process improvements from using RPA can quickly surpass gains from other business strategies such as outsourcing. Unlike some outsourcing arrangements, though, RPA allows an organization to retain control over business processes, quality consistency, and security of intellectual property.

Moreover, organizations can get started with RPA quickly. Bots can be trained for their new job (coded, tested, and deployed) and then turned over to the business for monitoring and management within 12 weeks. Once deployed, bots can be scheduled to process large amounts of mundane tasks continuously. Other bots may only need to run periodically to handle the workload available. No changes to current systems or interfaces are required, lowering the cost of entry, as bots work within existing processes. This activity includes logging into systems as a user to complete tasks, providing an audit trail for their activity.

A New Mission

To accomplish its mission to help add value and improve the organization's operations, internal audit needs to review the three core elements of its value proposition: assurance, insight, and objectivity. As innovations change the business landscape, internal audit must adapt and realign its value proposition to help the business meet its strategic, financial, and compliance objectives in new ways.

In organizations that are adopting RPA, internal audit can provide assurance that controls programmed into automated processes will drive down risk. The goal of leveraging technology, especially in repetitive tasks, is to drive down overhead cost. As a result, reducing overhead applied to products and services will have a positive impact on overall expenditure.

However, leveraging emerging technology comes with risk. The security of new technology is not as robust as established technology and is more prone to breaches, hacks, and malware. Economic Impact of Cybercrime (PDF), a February study by the Center for Strategic and International Studies, estimates that the global cost of cybercrime could be as much as $600 billion. Recent headline-making breaches of personal information and cyberattacks have negatively impacted companies' brands and may severely limit their ability to maintain customers or win new business.

From mom-and-pop shops to Fortune 100 companies, cybersecurity is critical, yet the demand for cybersecurity skills has outpaced the supply. Internal auditors with a strong competency in IT controls will be crucial in providing assurance that the technology control environment is effective in safeguarding proprietary information from intruders.

Reviewing RPA

Identification of automation opportunities occurs continuously. Internal audit should get involved at this first step, which they can accomplish as part of the regular audit process. During reviews, auditors should partner with stakeholders to examine and map current processes and discuss potential inefficiencies.

Outside of the audit process, internal audit and other internal groups such as data scientists, process-improvement experts, IT, and business process owners can collaborate to explore solutions to streamline processes. These teams should continuously assess existing processes and procedures to break out of the "if it is not broken, do not fix it" mindset.

A key difference between RPA and other IT applications/tools is the shortened development cycle. While many aspects remain the same — such as separate testing/production environments, quality assurance testing, and change management — additional concerns and control differences may arise from the agile development cycle and the use of the bots themselves. Reviews should ensure general IT controls and processes such as enterprise password requirements, backups, and regression testing are followed during bot development. International companies also should consider foreign regulations and export/import concerns.

Teams involved in RPA implementation may leverage existing control testing and monitoring activities, but they may need to consider new aspects. For example, U.S. Sarbanes-Oxley Act of 2002 IT testing reviews items such as appropriate access to financial systems and generic usernames. When there are bots involved, this testing also should include bot user profile review and testing for ownership/access to the bots themselves.

When performing RPA audits, internal auditors should ask questions concerning new considerations such as:

  • Who manages password updates for the bots to ensure company password requirements are being followed?
  • Is there a plan in place to address situations where a bot fails to appropriately escalate exception incidents that would impact the financial statements, systems, or processes?
  • Are bots accounted for on software license reviews and are they functioning on the most current versions of software?
  • What is the disaster recovery and business continuity plan for RPA?

Automating Audits

Internal audit's role in robotic process automation is not limited to assisting stakeholders and other functions in their solutions to streamline processes. Becoming part of the company's RPA team also means reviewing processes within the audit department, embracing change, and encouraging innovative discussions to leverage emerging technologies.

The internal audit department also can benefit from bots. Tasks that can be automated through RPA include manipulation of digital/electronic data, standardized inputs and formats, and rule-based processes that yield a low number of exceptions. Many of these types of tasks exist within the internal audit process.

After the annual audit plan is finalized, a bot could set up and populate each audit with appropriate checklists and templates to eliminate the need for manual set-up. During audits, bots could handle a variety of tasks such as automatically creating workpaper attachments and filling out standardized templates and headings in workpapers, streamlining cross-references and issues, and creating reports.

Data analysis could be performed with trends noted and ready for management review. After an audit is completed, a bot could send the audit report to stakeholders, consolidate management responses, and follow up as due dates approach.

Challenging the Organization

While the core elements of value delivered to the organization remain the same, internal audit also must act as a proactive thought leader about new innovations. The audit function must continuously challenge the organization and communicate the importance of automation, driving efficiencies, and streamlining processes.

By partnering with technology and implementation teams, internal audit can be an integral part of implementing RPA and provide assurance on system controls. In addition, auditors must continuously educate themselves to be ready to tackle obstacles the organization may face over the next horizon.

Jaimie Yang
Drew Williams

About the Authors



Jaimie Yang, CIA, CPA, CISA, is a senior internal auditor at Raytheon Co. in Dallas, and a 2016 Internal Auditor magazine Emerging Leader.



Drew Williams, CIA, CPA, CFE, is an internal audit supervisor at Raytheon Co. in Dallas and a 2017 Internal Auditor magazine Emerging Leader.

