Competitive excellence demands the implementation of data analytics and automation technologies, such as robotic process automation (RPA) and self-service data analytics. These technologies allow organizations to collate and analyze data from massive data sets that are too large to compile in database and spreadsheet applications. In some cases, they can download a trial version and quickly build databases.
Applications like this have driven global organizations to increase their investments in data analytics and automation technologies to streamline repetitive manual processes into powerful and effective automated processes. Annual worldwide spending on RPA technology is projected to grow from $3.6 billion to $42 billion over the next five years, according to Zinnov, a global management consulting company based in Bangalore, India.
Yet, while intelligent automation can provide significant financial and operational benefits, it also can cause considerable reputational, regulatory, financial, and operational damage when it goes wrong. For example, if automation is left unattended, it could lead to errors in critical processes that affect accounting and financial reporting outputs. Internal audit can assist executives and the board in assessing these risks and establishing a governance framework in anticipation of exponential organizationwide adoption of automation and analytics applications.
The driving force behind investments in process automation lies in the potential for realizing large annual cost savings, especially when these technologies are scaled throughout the organization. “For a mid-table Fortune 1000 organization with around $20 billion in revenue and 50,000 employees, automating 20% of estimated addressable activity through RPA could result in $30 million of bottom-line impact each year,” Deloitte reports in The Robots Are Ready. Are You?
C-level executives responding to a 2020 Protiviti survey say the biggest benefits of process automation include increased productivity, better quality, stronger competitive market position, higher customer satisfaction, greater speed, and employee satisfaction from elimination of mundane tasks. However, respondents report encountering obstacles such as inability to prioritize potential RPA initiatives, concerns about cybersecurity and data privacy, high implementation costs, difficulty in scaling applications, and making a convincing business case.
While the development time of RPA projects typically ranges from several weeks to a few months, self-service data analytics projects can be deployed even faster. Simple processes can be automated within a few hours or a few days.
Traditionally, return on investment (ROI) on automation is measured by how many hours are saved. Both RPA and self-service analytics have demonstrated high ROI, when comparing resources invested in the automation projects to the value returned through capacity creation and efficiency. Value is realized by redeploying employee hours saved elsewhere, contributing to organizational productivity (see “Capabilities of RPA and Self-service Data Analytics” below).
To maintain risk transparency, it is essential for internal audit to create a risk-scoring mechanism that assesses each automation project based on applicable risk dimensions. Starting with the model risk methodology Allan Sammy describes in his June 2018
Internal Auditor article, “Auditing Analytic Models,” his scorecard can be expanded to include key metrics specifically pointed toward automated accounting and finance processes:
Complexity. If the automation deployment is more complex in terms of processing steps, technologically, or is specialized/customized in a way that makes it more intricate, these deployments score higher on the complexity scale.
Economic loss. An increased level of precision is required when failure could result in a direct or explicit economic loss to a client or counterparty.
Consumer. Regulatory risk will be higher if the automation deployment produces outputs for reports that are intended for external regulators and will be audited
- or examined.
Success rate. A historical computation compiles the success rate of the automation run over a prescribed reporting period, such as a month, quarter, or year.
Dependency. When automation deployments produce outputs that serve as inputs into other automation deployments, dependency is higher, because an error in this type of automation will permeate other processes.
“Risk Assessment of an Automated Process” (below) is an example of how a scorecard can be applied in an accounting or finance department. Each unique automation deployment risk is scored according to five dimensions unique to the automation environment of those functions. Internal auditors can use this method to assess the risk of each individual automation project deployment, which is usually related to a specific process such as a bank reconciliation.
Because each automation deployment has a different degree of risk related to complexity, economic loss, ultimate consumer, success rate, and dependency, each project will carry a risk score across these five dimensions. By documenting the total risk of individual projects and their related processes, internal auditors can provide management with risk transparency over the automation portfolio and design risk responses strategically.
GOVERNING THE DIGITAL ENVIRONMENT
As companies deploy automation and analytics to accelerate routine processes and create efficiency, the biggest threat to success in scaling these programs is the lack of governance over the risks and controls in this new digital environment. Many organizations that have embraced digital transformation may still be operating under fragmented legacy governance structures that have failed to keep pace with the growth in data analytics tools. Worse yet, governance may be an afterthought, even as build after build propagates dependency after dependency, incrementally adding risk to the data analytics portfolio.
This governance vacuum is compounded by a regulatory gap. For example, in the highly regulated world of accounting and finance, currently there is a lack of specific regulations or guidance on how to establish stable governance and internal controls for automated processes.
Companies are subject to a variety of regulations and governance frameworks such as Section 404 of the U.S. Sarbanes-Oxley Act of 2002, The Committee of Sponsoring Organizations of the Treadway Commission’s
Internal Control–Integrated Framework and Enterprise Risk Management–Integrating
With Strategy and Performance, and the U.S. Federal Reserve Data/Model Governance framework. Each mandates that internal controls be effective, risks be managed, and quality of data inputs be high. However, existing laws and frameworks fall short of offering specific guidelines on how to assess the added risks that arise from operating in this new, automated processing environment. Internal audit can lead the governance effort over analytics and automation programs by focusing on three areas.
Training on Analytics and Automation Capabilities Internal audit can contribute to effectively auditing and mitigating risks in the automation and analytics environment by understanding these tools and their capabilities. This includes ensuring that training and development in this area are available throughout the organization.
Leading Through the Analytics and Automation Governance Committee The governance of analytics and automation programs usually occurs through an automation center of excellence or multidisciplinary governance committee. Internal audit should interface with these functions and take a leadership role in overseeing deployments of these technologies. This can enable internal audit to ensure that appropriate internal controls and end-to-end process assurance are embedded into the deployments from the onset.
Identifying High-ROI Analytics and Automation Opportunities Internal auditors can leverage their deep knowledge of organizational processes to advise management by identifying high-ROI analytics and automation opportunities throughout the organization, which can be challenging to find. By taking this proactive role, internal audit can contribute to the success of scaling the analytics and automation.
PROTECTING DIGITAL VALUE
While analytics and automation deployments may disrupt accounting processes, internal audit has a tremendous opportunity to contribute to the effort of governing these new technologies. Internal auditors also can perform rigorous risk assessments around analytics and automation projects to help the organization anticipate new risks and protect its digital value. Equipped with full risk transparency, internal audit can provide the organization with the critical capability to prioritize risk responses, reduce risk exposure, and successfully advance digital transformation programs.
Nathan E. Myers, CPA, a digital transformation consultant in New York, also contributed to this article.