Imagine an internal auditor who is confronted with a disastrous robotic process automation (RPA) implementation. Her company spent millions of dollars to implement 50 robots, or “bots,” but the project had yielded only a single functioning bot. Making matters worse, hackers compromised that bot and drained the company’s bank account with a succession of undetected $0.99 electronic transactions. Could the auditor have prevented these things from happening?
RPA can potentially reduce costs, improve accuracy and productivity, and eliminate tedious processes. It works by building software robots that can mimic the actions of a person on a computer, automating otherwise manual processes.
Bots are fragile and are not intelligent. Unlike machine-learning systems, they follow their scripts literally: they cannot adapt when a screen, field, or data format they depend on changes, and they cannot tell a legitimate instruction from a malicious one. Access to the technology is also growing, with Microsoft recently adding RPA functionality to Microsoft Office, putting it on millions of corporate desktops.
As with any new technology, internal auditors must be aware of RPA’s risks. A bot that is misconfigured or compromised can repeat the same wrong action hundreds of times in seconds, so errors and fraud scale in ways a manual process never could. That creates unique risks to assess.
Validate Security Risks
Assessing RPA’s risks must begin with considering access security to the bot. RPA providers offer both on-premises and cloud-based solutions, with all the risks typical of these approaches.
Most RPA solutions do not house business data “at rest,” reducing the risk that sensitive records will be captured if the bot is hacked. Instead, bots operate on an organization’s applications using credentials just as a human user would. That means a bot can be hijacked and coded to perform fraudulent, unethical, or hostile actions with every permission its credentials carry. The caveat is that the bot platform does hold sensitive material of its own: the credential store, the bot scripts, and often screenshots or logs of the screens the bot worked on. Those are the assets an attacker who controls the bot will go after.
Examining the security around the RPA tool is critical, including access restrictions on the bot console, the credential vault, and the bot scripts themselves. Auditors should understand the security around each of the applications that the bot accesses and the controls around data that the bot “writes,” because a bot with write access is effectively a user that never tires and never asks questions.
As internal auditors begin to operate within bot-enabled environments, they should consider whether the bots are achieving their business purposes. Internal audit should be a partner, along with information security, in all RPA implementations. Their independent advice should improve clarity around the business objectives for each bot development. Business analysts should establish and track clear, objective performance metrics. Auditors should provide assurance about whether the bots are fulfilling their missions and meeting compliance objectives.
An additional challenge is disagreement about segregation of duties issues around bots. Because bots lack a sense of doing “wrong,” some auditors say programming a single bot with incompatible duties (for example, creating and approving the same payment) does not violate segregation of duties. Others say such programming introduces additional fraud risk, because whoever can edit the bot’s program in production inherits all of its combined duties and can use it to complete a fraudulent transaction end to end. Each organization should address this issue within its risk management framework and culture, but at a minimum it should know who can change each production bot and what that bot is permitted to do.
Audit the Development Life Cycle
Internal audit should provide assurance of the organization’s RPA developments. Development of each bot should follow the organization’s system development life cycle (SDLC).
System Changes Auditors should consider both the “upstream” systems that the bot pulls data from and the “downstream” systems that the bot writes data to. Because most bots drive applications through their user interfaces, a changed screen layout, a renamed field, a new pop-up, or an altered file format in any connected system can break the bot or, worse, cause it to enter data in the wrong place without failing. Bots therefore require constant maintenance and sometimes complete redevelopment, and any change in a relevant system can create an irreconcilable error in the bot’s performance. Auditors should ensure that the SDLC treats changes to connected systems as changes to the bot, with the bot retested before those changes go live.
Bot Access A best practice is to have one person create and test the bot in a “sandbox” — a controlled space outside the production environment. From there, another person moves the bot into production, while a third person manages its ongoing activities.
Governance Internal audit should be concerned with both ownership and governance of all active bots, looking for potential conflicts within the governance structure. Some organizations house the RPA program within IT, others at the business-unit level, and still others within a shared services area. Additionally, many organizations manage bot governance through centers of excellence that develop and manage the overall RPA strategy.
Bot Activity Most RPA solutions offer audit logs that record the actions each bot or user conducts during a logon session. Auditors should examine RPA user profiles to identify segregation of duties conflicts, excessive access levels, access still provisioned to terminated employees, and activity under the accounts of bots that have been retired. Additional reviews of the audit logs can reveal inappropriate activities, including attempts to repurpose a bot while it is in production.
A common practice is to provide each bot with its own set of system credentials to access the enterprise resource planning system. Those credentials should be unique to the bot, held in the platform’s credential vault rather than in the script, and limited to the transactions the bot actually performs. In reviewing audit logs for the organization’s non-RPA systems, auditors should look for irregular bot activities, such as bursts of low-value transactions or activity outside the bot’s schedule, as well as interactions with human credentials that might create a segregation-of-duties issue, such as a bot’s owner approving what the bot created. Poor governance over RPA can allow a single person to use a bot to commit fraud.
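The three log reviews described above, and the undetected $0.99 transactions from the opening story, can be turned into concrete detection checks. The following is an added example written for this article, not code from any RPA vendor or from the author. It runs over a constructed, plain-text audit log whose format, account names (BOT_AP01, jdoe, and so on), owner register, and terminated-account list are all invented for illustration; a real review would pull the equivalent records from the RPA console, the ERP system, and HR.

```python
"""Audit-log checks for RPA bots: micro-transaction bursts, activity by
terminated accounts, and segregation-of-duties conflicts (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    principal: str            # account that acted: a bot or a human user
    action: str               # login | create_payment | approve_payment
    txn_id: Optional[str]
    amount: Optional[float]


# Constructed sample log (fields: timestamp principal action txn amount).
# Invented for this example; it is not a real vendor log format.
SAMPLE_LOG = """
2024-05-01T09:00:00 BOT_AP01 login - -
2024-05-01T09:00:05 BOT_AP01 create_payment T1001 0.99
2024-05-01T09:00:06 BOT_AP01 create_payment T1002 0.99
2024-05-01T09:00:07 BOT_AP01 create_payment T1003 0.99
2024-05-01T09:00:08 BOT_AP01 create_payment T1004 0.99
2024-05-01T09:00:09 BOT_AP01 create_payment T1005 0.99
2024-05-01T09:00:10 BOT_AP01 create_payment T1006 0.99
2024-05-01T09:15:00 BOT_AP01 create_payment T2001 1200.00
2024-05-01T09:20:00 jdoe approve_payment T2001 1200.00
2024-05-01T10:00:00 BOT_AP02 create_payment T2002 1500.00
2024-05-01T10:05:00 rlee approve_payment T2002 1500.00
2024-05-01T10:30:00 rlee create_payment T2003 800.00
2024-05-01T10:31:00 rlee approve_payment T2003 800.00
2024-05-01T11:00:00 BOT_OLD07 login - -
2024-05-01T11:05:00 msmith login - -
"""

# Hypothetical registers: which person can edit each bot's program in
# production, and which accounts (a retired bot, a departed employee)
# should show no activity at all.
BOT_OWNER: Dict[str, str] = {"BOT_AP01": "jdoe", "BOT_AP02": "akim"}
TERMINATED: Set[str] = {"BOT_OLD07", "msmith"}


def parse_log(text: str) -> List[Event]:
    """Parse the space-separated sample format into time-ordered events."""
    events = []
    for line in text.strip().splitlines():
        ts, principal, action, txn, amount = line.split()
        events.append(Event(datetime.fromisoformat(ts), principal, action,
                            None if txn == "-" else txn,
                            None if amount == "-" else float(amount)))
    return sorted(events, key=lambda e: e.ts)


def micro_payment_bursts(events: List[Event], max_amount: float = 1.00,
                         window: timedelta = timedelta(minutes=5),
                         threshold: int = 5) -> Dict[str, int]:
    """Flag principals that create at least `threshold` payments of
    `max_amount` or less inside a sliding time window: the $0.99 pattern.
    Returns {principal: largest burst size seen}."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ev in events:
        if ev.action != "create_payment" or ev.amount is None or ev.amount > max_amount:
            continue
        q = recent[ev.principal]
        q.append(ev.ts)
        while ev.ts - q[0] > window:      # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev.principal] = max(flagged.get(ev.principal, 0), len(q))
    return flagged


def terminated_activity(events: List[Event], terminated: Set[str]) -> List[str]:
    """Any action at all by a retired bot or a departed employee's account."""
    return sorted({ev.principal for ev in events if ev.principal in terminated})


def sod_conflicts(events: List[Event],
                  bot_owner: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Payments whose approver is the creator, or owns the bot that created
    them; either way one person controls the transaction end to end.
    Returns (txn_id, creator, approver) triples."""
    creator: Dict[str, str] = {}
    approver: Dict[str, str] = {}
    for ev in events:
        if ev.action == "create_payment" and ev.txn_id:
            creator[ev.txn_id] = ev.principal
        elif ev.action == "approve_payment" and ev.txn_id:
            approver[ev.txn_id] = ev.principal
    conflicts = []
    for txn, who in approver.items():
        maker = creator.get(txn)
        if maker is not None and (who == maker or bot_owner.get(maker) == who):
            conflicts.append((txn, maker, who))
    return sorted(conflicts)


def review(text: str = SAMPLE_LOG) -> Dict[str, object]:
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "micro_payment_bursts": micro_payment_bursts(events),
        "terminated_activity": terminated_activity(events, TERMINATED),
        "sod_conflicts": sod_conflicts(events, BOT_OWNER),
    }


if __name__ == "__main__":
    for name, finding in review().items():
        print(f"{name}: {finding}")
```

On the sample log the burst check catches BOT_AP01 creating six $0.99 payments in five seconds, the terminated-account check surfaces the retired bot BOT_OLD07 and departed employee msmith logging in, and the segregation-of-duties check flags T2001 (created by BOT_AP01 and approved by jdoe, the person who can edit that bot) alongside the plain self-approval on T2003. The thresholds and window are assumptions to tune to the organization's normal bot throughput; the point is that the $0.99 pattern in the opening story is trivially detectable once someone is actually looking at the bot's log.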
Managing Organizational Change
In the story about the internal auditor faced with a poor RPA rollout, the culprit was the company’s culture. Employees had been reading articles about bots taking their jobs and fought the success of the implementation. What the company did not do well was communicate the RPA program’s objectives and achieve cultural buy-in.
A consistent theme of successful RPA implementations is beginning by automating a single, high-impact, high-visibility process. A great candidate is a highly manual, tedious process that one or more employees dread doing. Once this process is automated, it frees employees from a mundane task, enabling them to add greater value to the organization.
A further consideration for internal audit is assessing the capabilities and competencies of the internal and external personnel tasked with developing and managing the company’s RPA program. Has each of these people been trained in RPA? Are roles adequately segregated, documented, and understood? Auditors should review the credentialed training programs offered by RPA vendors and seek training themselves.
Improving the Odds
Internal auditors should be frequent advisors throughout RPA initiatives. To be effective, the audit function must establish an appropriate baseline of controls around bots and include RPA in its audit plan. Moreover, auditors can provide independent advice on prioritizing the best automation opportunities. In this way, internal audit can improve cultural acceptance and improve the odds that RPA will benefit the business.