August 28, 2019
August 28, 2019
Contributor: Jordan Bryan
The growing use of robotic process automation calls for internal audit leaders to understand the technology's risks and opportunities.
Robotic process automation (RPA) is pervasive in finance, accounting, shared services and other areas of organizations where processes are stable, repeatable and high volume. As a result, audit leaders need to understand the associated risks and consider how implementing RPA can improve the audit department’s own processes.
“Because audit will be faced with providing assurance over many newly automated processes, audit teams should, at a minimum, conduct RPA governance reviews to provide assurance over organizational RPA implementations,” says Malcolm Murray, VP and Team Manager, Gartner. “Audit should also be aware that RPA can not only exacerbate well-known risks, but also create new ones.”
Robotics software is distinguished from other forms of automation by its ability to span multiple systems. It is flexible, mimics human interaction with IT systems and can be taught nearly any standard rule-based process or activity — enabling it to execute rule-based steps in a fraction of the time it would take a person. The software can also record and capture a series of steps across multiple systems.
Although RPA often includes advanced cognitive computing capabilities that automate decision making, such as machine learning, RPA by itself is at the low end of the spectrum for automation solutions.
Implementing RPA across the organization means that audit is likely to encounter robotics software during audit engagements. Because RPA mimics human activities, many controls around RPA processes are similar to those of the processes they are replacing. However, RPA implementation often includes process redesigns and new risks related to new technologies.
Audit should therefore consider the risks to the business, including governance and legal, when evaluating RPA pilots or implementations. The need to address these and other risks calls for teams to play a new role. Audit leaders must now ensure that:
Learn more: Internal Audit and RPA
Audit departments are also starting to use RPA, given the many repetitive tasks auditors conduct. RPA automates standard steps in audit engagements like gathering all data, including prior audit findings, during the risk assessment phase. Audit teams can also automate certain reviews during the audit, such as password tests or contract reviews.
“Audit itself has large opportunities to realize the benefits of RPA,” says Murray. “There are clear opportunities for audit teams to automate the many repetitive, low-value, time-consuming activities and free auditors’ time for higher-value tasks.”
Leaders should look for processes within their department’s control to implement RPA. Based on the impact of the process or activities, leaders can ask themselves three key questions to understand if RPA is appropriate:
If the answer is yes to all three questions, then the process or activity is a candidate for RPA. If the rules can’t be defined or articulated, it’s best to leave those tasks to humans. Remember: RPA is most effective when used to create efficient processes that allow human resources to be deployed to higher-value activities. RPA should improve human work rather than hinder it or make its execution more complicated.
Also, consider how new processes fit into larger audit workflows. RPA works best when it compliments audit workflows and is integrated into familiar activities. RPA bots with little relationship to auditor workflows are unlikely to be used.
Join your peers for the unveiling of the latest insights at Gartner conferences.
Recommended resources for Gartner clients*:
*Note that some documents may not be available to all Gartner clients.