Robotic process automation (RPA) is pervasive in finance, accounting, shared services and other areas of organizations where processes are stable, repeatable and high volume. As a result, audit leaders need to understand the associated risks and consider how implementing RPA can improve the audit department’s own processes.
“Because audit will be faced with providing assurance over many newly automated processes, audit teams should, at a minimum, conduct RPA governance reviews to provide assurance over organizational RPA implementations,” says Malcolm Murray, VP and Team Manager, Gartner. “Audit should also be aware that RPA can not only exacerbate well-known risks, but also create new ones.”
Understand RPA software
Robotics software is distinguished from other forms of automation by its ability to span multiple systems. It is flexible, mimics human interaction with IT systems and can be taught nearly any standard rule-based process or activity — enabling it to execute rule-based steps in a fraction of the time it would take a person. The software can also record and capture a series of steps across multiple systems.
Although RPA often includes advanced cognitive computing capabilities that automate decision making, such as machine learning, RPA by itself is at the low end of the spectrum for automation solutions.
“ RPA works best when it compliments audit workflows and is integrated into familiar activities”
Auditing robotic processes
Implementing RPA across the organization means that audit is likely to encounter robotics software during audit engagements. Because RPA mimics human activities, many controls around RPA processes are similar to those of the processes they are replacing. However, RPA implementation often includes process redesigns and new risks related to new technologies.
Audit should therefore consider the risks to the business, including governance and legal, when evaluating RPA pilots or implementations. The need to address these and other risks calls for teams to play a new role. Audit leaders must now ensure that:
- An appropriate RPA program governance structure is in place and followed.
- Relevant controls in RPA implementation are not accidentally eliminated and new risks have adequate controls in place.
- A clear process is in place to effectively manage process exceptions that are likely to increase as transaction volume increases.
- Newly automated systems have adequate plans in place to continue critical operations in case of intentional or unintentional RPA system outages.
Learn more: Internal Audit and RPA
Implement RPA inside audit departments
Audit departments are also starting to use RPA, given the many repetitive tasks auditors conduct. RPA automates standard steps in audit engagements like gathering all data, including prior audit findings, during the risk assessment phase. Audit teams can also automate certain reviews during the audit, such as password tests or contract reviews.
“Audit itself has large opportunities to realize the benefits of RPA,” says Murray. “There are clear opportunities for audit teams to automate the many repetitive, low-value, time-consuming activities and free auditors’ time for higher-value tasks.”
Leaders should look for processes within their department’s control to implement RPA. Based on the impact of the process or activities, leaders can ask themselves three key questions to understand if RPA is appropriate:
- Can the current human activity be process mapped (i.e., is it the same repetitive process being done each time)?
- If the activity requires human judgment, can the rules on how to make that judgment be defined to cover all angles?
- Does the activity pull and put data from and in the same place every time (i.e., the same field name or same location of the field on a particular screen of a system)?
If the answer is yes to all three questions, then the process or activity is a candidate for RPA. If the rules can’t be defined or articulated, it’s best to leave those tasks to humans. Remember: RPA is most effective when used to create efficient processes that allow human resources to be deployed to higher-value activities. RPA should improve human work rather than hinder it or make its execution more complicated.
Also, consider how new processes fit into larger audit workflows. RPA works best when it compliments audit workflows and is integrated into familiar activities. RPA bots with little relationship to auditor workflows are unlikely to be used.