Thank You!

You are attempting to access subscriber-restricted content.

Are You Ready to Experience Everything Internal Auditor (Ia) Has to Offer?

​Bots of Assurance

Automating internal audit processes can multiply  the function’s capacity to serve the organization.

Comments Views

As important as it is, internal auditing involves a lot of repetitive work to provide assurance and achieve the department’s objectives. There is supporting evidence to request, data to gather, workpaper templates to create, and controls to test. But imagine if these basic tasks could be automated.

That is the promise of robotic process automation (RPA). Many internal audit functions are looking to RPA to multiply the capacity of their teams. These departments are following the lead of the growing number of organizations that are using robots, or bots, to automate business processes — particularly repetitive and often time-consuming process steps. 

RPA can help streamline processes by making them more efficient and more robust against errors. That may be one reason that 40% of internal auditors reported that their organizations currently use RPA in business operations in a poll taken during The IIA’s 2019 International Conference in Anaheim, Calif.

Audit functions can catch up with their organizations’ use of RPA by deploying bots as a digital workforce to enhance their assurance capabilities. Moreover, RPA can free internal audit’s experts from the drudgery of repetitive activities to focus on critical thinking tasks and managing exceptions.

What’s in a Bot?

RPA involves software that autonomously executes a predefined chain of steps in digital systems, under human management. Common capabilities of bots include filling in forms, making calculations, reading and writing to databases, gathering data from web browsers, and connecting to automated programming interfaces. They also can apply different logical rules such as “if, then, else” or “do while.” And those bots don’t sleep, tire, forget, complain, or quit.

With RPA, bots improve over time as people specify the underlying rules, but they cannot learn on their own. Conversely, cognitive automation learns and improves its own algorithms over time based on the given data and experience. 

RPA solutions can deliver benefits such as:

  • Increased efficiency, especially in situations that once involved repetitive and recurring manual work processes.
  • Increased effectiveness and robustness of processes that previously were prone to high error rates.

Organizations are most likely to realize these benefits when they use structured data, which provides the predefined instructions bots need to handle work scenarios. 

Five Types of Uses

Internal audit departments may be slower than their organizations, as a whole, to deploy RPA, but there are many ways they can put the technology to use. Although these applications may differ, depending on each department’s circumstances and capabilities, they can be classified into five categories.

Support This category of applications enables internal auditors to perform or document an audit procedure such as creating workpaper templates. One example of a support application is a bot that downloads attachments. Internal auditors spend a lot of time pulling supporting evidence from electronic sources or waiting for audit clients to do so manually. In a typical enterprise resource planning (ERP) system, auditors may need to take as many as 10 steps to access an electronic attachment. These steps include opening the ERP browser, typing the transaction code, entering the document number and company code, adding the fiscal year, going to the attachments, choosing the correct file path, and entering a file name that complies with a predefined structure.

Bot Programming

When setting up a bot, auditors not only must list the different processing steps, but also state how to get from one step to the next. For example, to access an electronic attachment, from the step where the ERP browser is opened, auditors instruct a bot to type in the transaction code, followed by pressing “enter.” The bot follows the same process as a human user to enter the document number, company code, and fiscal year. Each of the first two entries is followed by pressing “tab.” The third entry is followed by pressing “execute.” 

From there, the bot clicks the attachment button, followed by clicking “Attachment List,” and double-clicking on the attachment file. Auditors specify a predefined valid file path for the bot to follow. Then, they instruct the bot to enter the file name and click “save.” Putting these steps into a loop sequence directs the bot to go through the activities over and over for each document specified in the source listing.

A downloading attachment bot supports internal auditors by pulling electronic attachments automatically and more quickly — in less than 10 seconds per transaction. This can accelerate audit procedures related to vendor invoices, for example. In this context, the bot can support auditors in reviewing potential duplicate payments not yet returned, invoice approvals that are not workflow based, and invoice verification as part of a purchase-to-pay process audit. “Bot Programming,” at right, describes how auditors can use rules to set up a bot. 

Validation Bots in this category validate the accuracy or completeness of transactions under review. An example is a distance bot that validates mileage allowances for a full population of business trips, rather than by sampling. To calculate the distance between the starting point and destination manually using a geographical map service would take up to five steps. These steps include opening the web browser, typing in the starting point and destination address, and copying the distance displayed before continuing with the next distance. 

The distance bot supports internal auditors by pulling as-is distances from the system automatically. This bot is good for performing travel expense audits, particularly in organizations with high expenses from mileage allowances.

Control Testing This category of bots performs all or selected testing steps or attributes for internal controls, especially for IT application controls and IT general controls. Organizations often have a clear picture of the “to be” status of these controls. By translating this clear picture into rule-based procedures, auditors can program bots to test both the design and operating effectiveness of such controls. Bots can quickly identify inappropriate settings organizationwide. For example, within a purchase-to-process audit, bots can test IT application controls such as the duplicate-invoice check and the three-way-match, and prepare standardized audit evidence. 

Data Generation For internal audits requiring access to extended data sets, bots in the data generation category provide access to new data sources such as electronic attachments and temporary data sets. Data extraction bots support upgraded analytics and can reduce false positives by considering new data sources. This capability can reduce follow-up activities for false positives while increasing efficiency. For example, these bots can extract data from PDF text in less than one second and from image files in less than three seconds.

Reporting Auditors can use bots in this category to create reports or operate follow-up procedures. If internal audit does not use specialty audit software — or plan to introduce it — bots can automate repetitive activities such as report creation based on an audit program and sending follow-up reminders and inquiries.

Plan for the Pitfalls

The previous examples demonstrate how bots can enable the internal audit function to accomplish results more quickly and without human errors. While the improvements may outweigh the implementation costs, internal audit should be aware of risks across three dimensions: operations, reporting, and compliance. Internal auditors should manage these risks from the beginning and throughout the implementation of RPA. They should start by addressing some common pitfalls.

Disregarding Other Automation Possibilities Do not automate audit procedures with RPA when other affordable software or more advantageous automation possibilities are available. For example, specialty audit software may be used for reporting and follow-up activities.

Outsourcing Full Bot Programming RPA bots can be improved over time as auditors specify rule-based procedures to reduce the number of false positives and false negatives. Outsourcing this programming can make internal audit dependent on a third party to establish the logic followed by each bot. Instead, internal audit should obtain advice from external parties, if needed, while keeping most bot programming in-house.

Complying With the RPA Tool’s Terms of Use Software license terms may prevent internal audit from taking an existing RPA tool used in selected subsidiaries and using it for organizationwide audits. Typically, the license is for the licensee’s (subsidiary’s) direct business purposes — not for all affiliates across the organization. Examine the terms of use carefully.

Starting With Bots

Knowledge of RPA’s benefits and risks can prepare internal audit to explore the technology’s potential. These tips can help internal audit get started.

Identify Use Cases Auditors should begin by identifying their department’s recurring activities. Where is time lost because of repetitive activities? Where does the department want to provide higher assurance by increasing sample sizes or extending substantive audit procedures? This identification exercise should be separate from the discussion about how to automate internal audit activities. It also may comprise both full and partial automation.

Internal audit can use workshops to identify automation opportunities. During these sessions, auditors can use a matrix to prioritize cases based on the potential benefits of automation and the feasibility of doing so. Mapping automation opportunities by end-to-end processes usually doesn’t pay off. Instead, internal audit should map subprocesses or process variants because these are at an actionable level. However, not all subprocesses or variants are an opportunity for automation. 

In addition, internal audit should not create silos between different automation possibilities. When assessing use cases, internal audit should consider RPA as one alternative among many. 

Assess the Internal RPA Landscape Because internal audit is not usually the early adopter for RPA within organizations, the department should identify tools and resources already in use. To realize RPA’s full potential, auditors should assess the various tools on the market. 

Instead of going on its own, internal audit can partner with the organization’s existing RPA users to develop a pilot to demonstrate how RPA can be used in audits. Choosing a use case that allows internal audit to quantify its benefits can support internal discussions and decisions about using RPA.

Motivate the Internal Audit Team The pilot’s results and the possibilities of learning from RPA are two main drivers for motivating the internal audit team to apply the technology. Demonstrating learning opportunities is easy by using online tutorials, community forums, and free trial versions. These resources can provide online training and enable internal auditors to become familiar with RPA tools. Trial versions, in particular, can show auditors how easy it is to use the tool, which can motivate them to use it.

RPA in Alignment

In addition to these three tips for getting started, internal audit should create an implementation plan and align RPA with its overall digital labor strategy. This plan should balance an understanding of the technology’s risks with the benefits of target-oriented approaches to implementing it. 

To realize RPA’s benefits in the long run, internal audit should deploy it from a governance perspective. The board’s support can especially enable the chief audit executive to develop a clear plan for automating different internal audit processes. Because other business functions may be using RPA, internal audit needs to align its RPA implantation with these existing activities to generate synergies and avoid duplication of efforts. That understanding can position internal audit to put RPA to use and also drive effective reviews of the organization’s RPA program. 

Justin Pawlowski
Marc Eulerich
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to remove comments.

About the Authors



Justin PawlowskiJustin Pawlowski<p>Justin Pawlowski, CIA, CCSA, CRMA, is chief audit executive at ALSO Holding AG in Emmen, Switzerland, and a 2015 <em>Internal Auditor</em> magazine Emerging Leader.​</p>



Marc EulerichMarc Eulerich<p>​Marc Eulerich is professor for internal auditing at University of Duisburg-Essen in Germany.<br></p>


Comment on this article

comments powered by Disqus
  • AuditBoard_Apr 2020_Premium 1
  • Fastpath_Apr 2020_Premium 2
  • IIA Membership Centers_Apr 2020_Premium 3