Robotic process automation (RPA) has received a lot of attention lately for its ability to streamline processes and increase efficiency. Simply stated, RPA is the automation via virtual robots (bots) of computer-based tasks traditionally performed by people. RPA bots consist of software programs that mimic repetitive actions exactly the way a person would perform them.
In the business world, RPA has gained momentum as a tool for automating standard repetitive tasks that require little human judgment or thought. The technology frees up meaningful time for humans to perform work that is, well, more human — tasks that require more analytical or intellectual brain power.
Rudimentary RPA has been around for decades. Spreadsheet macros, for example, have long enabled users to record keystrokes and automate basic tasks with the click of a mouse. Today, RPA bot development is much more sophisticated. Bots are unbound from a single system or database and can manipulate unstructured data — such as by "scraping" it from a screen shot based on a keyword, phrase, or screen location.
The technology's powerful capabilities have enabled multiple uses of RPA, from automating account reconciliations to performing audit tasks. With these capabilities in mind, the internal audit function at YRC Worldwide (YRCW), a trucking company specializing in freight transportation and logistics services for North American shippers, undertook a pilot program to implement RPA technology. The effort was a success, paving the way for a formal implementation plan and future RPA rollout.
The Impetus for RPA
With a staff of 17, YRCW's internal audit function is organized into two distinct groups — one specializing in regulatory compliance and risk-based, back-office assurance and consulting engagements; the other focused on compliance and operational reviews related to YRCW's network of more than 300 freight terminals. Internal audit's RPA pilot focused on this latter area.
YRCW management has consistently made one request of the internal audit team: Provide more audit coverage with the same amount of staff. In keeping with this challenge, audit leadership strives to innovate and has embarked on a strategic mission to create the "terminal audit of the future." Terminal audits consist of transactional and observational testing to provide regulatory and operational compliance assurance, using standard audit programs to provide a consistent measuring stick for evaluating freight terminal performance.
The YRCW audit function has a multiyear track record of year-over-year audit coverage increases. With each successive year, however, these increases become more difficult to sustain. The goal of the audit-of-the-future strategy is to not only increase audit coverage, but also to enhance internal audit's value proposition by adding to its repertoire of services. Audit leadership saw RPA's potential in this regard as a critical piece of internal audit's strategy. Automating portions of the standard terminal audit program could free up valuable staff resources, allowing more focus on other value-added services.
Preparing for Automation
Getting started with RPA does not require specialized skills. Most RPA tools include typical graphical user interfaces with point-and-click functionality that helps beginners get started right away.
Anyone with an advanced foundation in the use of basic software tools like Microsoft Excel can develop rudimentary bots. Nonetheless, technical skills such as coding can be helpful when pursuing more sophisticated bot development, especially if the anticipated RPA initiative is more complex.
More advanced RPA tools also provide for customized coding using either SQL or other coding languages. Individuals who leverage business analyst and coding skills can add significant value to more complex bot development projects.
In preparation for the audit of the future initiative and its RPA component, YRCW internal audit leadership assessed several factors. First, leadership examined staff capabilities, with an emphasis on analytical and technology skills. Although commercial RPA tools have become increasingly user-friendly, application development skills can enhance RPA capabilities significantly. And while YRCW internal auditors had upgraded their technology skills over time through individual development plans, they did not possess the desired coding or business analyst acumen to facilitate RPA.
To incorporate these skills, internal audit leadership repurposed one of its analyst roles, which was vacant at the time, and rewrote the job description to include RPA competencies. Requirements included proficiency with SQL or other relevant coding skills. Audit leadership also sought process improvement and business analyst experience — in addition to a background in internal auditing. And while the candidate who eventually filled the role did not possess RPA experience per se, the individual's background and skills allowed for a short learning curve.
Before launching the initiative, internal audit leadership also needed to establish roles for existing team members. They assigned a project lead to learn RPA basics and inform other team members about key features, tools, and requirements. This effort led to a white paper deliverable aimed at defining what RPA was best suited for, identifying key resource needs, and determining whether audit leadership's vision for RPA was realistic. The white paper included a basic description of RPA, as well as information about expected benefits, how RPA works, bot setup options, common capabilities and uses, risks, and top RPA vendors and tools. The document was instrumental in level-setting the team's base knowledge and understanding of the technology's capabilities and limitations. This common understanding enabled the team to collaborate more effectively on a business case for the use of RPA and plan for implementation.
Proof of Concept
Armed with the white paper research, internal audit began working on a proof of concept to determine RPA's potential value related to the terminal audit program. The process consisted of determining which terminal audit program steps might be suited for RPA conversion and highlighting potential efficiency gains. The team identified steps that involved transactional system testing and other system-related test work versus observational steps for which automation would not be feasible.
Team members also estimated the current level of effort required to complete audit steps, designating each one as easy, moderate, or hard. Moderate or hard steps were flagged as potential candidates for RPA. Steps considered more transactional in nature, and those requiring the auditor to log into multiple systems, were prioritized as optimal candidates. The more difficult and time-intensive the audit step, the better RPA candidate it was deemed. The analysis provided a quantifiable picture of potential time savings, which ultimately affirmed that RPA had the potential to substantially increase terminal audit efficiency. The collaborative analysis and discussions from the proof of concept exercise served as a green light to proceed with a project socialization plan and develop a pilot program.
With the proof of concept well underway, internal audit leadership began to socialize the initiative with key stakeholders. Socialization represented an important step as the time commitment required to fully implement RPA would potentially impact audit coverage in the near term and might require monetary investment down the road.
Key stakeholders in the socialization effort included internal audit's reporting hierarchy (i.e., the audit committee and the chief financial officer) and operations leadership (the primary audit client). Additionally, support from YRCW's IT team was particularly important, as anticipated transformational benefits required direct access to organizational data.
To gain stakeholders' buy-in and support, internal audit needed them to understand both the long-term benefits and the short-term impacts of the RPA initiative. Socialization involved scheduling brief meetings to educate stakeholders on RPA and its merits. Most of them were familiar with RPA from a business process perspective but had not considered the application as it related to the terminal audit process. During the meetings, internal audit also presented the proof of concept results and proposed value proposition for RPA adoption. Because the white paper and proof of concept supported a definitive value proposition, socialization proved merely a formality and the RPA initiative received unqualified support to proceed.
The proof of concept's final phase involved developing a pilot bot. Development consisted of several steps:
- Identifying an appropriate RPA tool.
- Selecting a terminal audit program step that would serve as an appropriate candidate for RPA.
- Working with staff auditors to itemize the tasks required to complete the audit step.
- Developing the RPA bot logic.
- Testing, troubleshooting, and refining the bot.
- Demonstrating the bot.
RPA tool selection is often the first barrier internal audit groups face when looking to pilot an RPA initiative. Especially for smaller internal audit functions, where resources tend to be scarce, monetary investment in a tool that may or may not add substantial value can be a tough sell. Fortunately, several vendors offer web-based RPA tools that provide a basic functionality version, enabling users to get started for free. Internal audit chose this approach for its pilot. After reviewing and trying several free tools, internal audit selected one that had an established reputation and appeared capable of accommodating the pilot.
The team chose a pilot audit step that involved several manual audit tasks: logging into multiple systems, navigating to various application screens, acquiring specific lists and fields of data so that a sample of test items could be identified, and analyzing the sample data in a spreadsheet to determine the test outcome. Moreover, anticipated bot efficiencies enabled the auditors to replace judgmental sampling with full population testing.
After defining the new testing approach, the audit team initiated bot development. The process involved recording each of the audit tasks, step-by-step, in the RPA tool. In many ways, development resembled macro programming within a spreadsheet application — auditors captured tasks such as mouse clicks, keystrokes, and login credentials, which they automated using the tool.
|Think Before You Automate|
Internal auditors should not undertake bot development projects hastily or without sufficient planning and support. Audit functions looking to pursue RPA should consider:
- A proof of concept (including pilot) should be performed to ensure adequate value exists to justify the RPA initiative.
- Rudimentary (free) tools and skills can get the initiative started, but more advanced tools and coding skills may be required to complete the journey.
- Direct access to data adds exponential value.
- Partnering with IT or other groups using RPA enables internal audit to leverage internal subject matter expertise and reduce development expenditure.
- Program quality and sustainability requires close attention to RPA governance.
The pilot project yielded valuable insights about bot development, such as process intricacies often taken for granted when people perform testing. For example, the team realized the value of direct access to data versus indirect access via screen capture. Some steps in the bot development process involved accessing mainframe screens and "scraping" the needed data from them. However, certain application screens consist of mere images and not actual data — i.e., renderings for the user interface.
People recognize images easily, but RPA tools vary in their ability to process them. The pilot bot could not recognize data captured as imagery, causing problems at this point in the audit step. The bot would either fail or seize up when encountering this task, requiring manual intervention to complete the step. If direct access to the data could be acquired, the bot would be able to continue processing the audit step to completion. At the time of the pilot, direct access to some of the data was not available.
As a result, the pilot bot produced favorable but incomplete results. The audit step chosen for the pilot usually took an auditor one to two hours to complete manually. Up to the point where screen images proved a barrier, the pilot bot completed the step in about one minute, with an additional 20 minutes of manual processing required by an auditor.
Even when factoring in the manual work, automation yielded considerable time savings. If direct access to data could be obtained, the bot could complete the entire audit step even more efficiently — in two minutes or less. This discovery highlighted the critical value of direct data access to bot development for future RPA rollout. Through some additional support provided by the IT group, internal audit ultimately acquired direct access to the necessary data and completed the pilot bot.
Internal audit compared the bot test results with results from manual completion of work to ensure consistent outcomes. It found that pilot results were of higher quality (full population testing vs. a sample) and significantly more efficient (approximately 90 seconds vs. 1–2 hours to complete the audit step).
The Road Ahead
Having validated the potential for bots to increase audit efficiency, YRCW internal audit is now poised to initiate a formal RPA implementation plan. The plan will prioritize audit steps for bot development as well as consider RPA's governance implications. It will address many of the considerations necessary in any IT development environment, including development standards, change management, and user testing.
Internal audit leadership will also need to determine the appropriate post-pilot RPA tool to use, and if necessary, build a business case to justify and secure funding. Additionally, leadership will need to evaluate how to redeploy staff once bot efficiencies start to materialize.
Vehicle for Change
Like many technology tools, RPA is not a one-size-fits-all solution. Its application model and value potential differ for each organization. Ultimately, the value of RPA lies in automating standard activities that are performed frequently. Internal audit functions whose audit plan includes substantial compliance assurance engagements that are repeated frequently are likely to have a better business case for RPA than those whose plan comprises a greater proportion of operational and consulting projects. For internal audit functions where RPA makes sense, it can be a game changer.