robotic process automation (rpa) and audit...robotic process automation, among the top areas in need...

Internal Audit, Risk, Business & Technology Consulting

ROBOTIC PROCESS AUTOMATION (RPA) AND AUDIT

March 2019

© 2018 Protiv iti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.

AGENDA

Digital Workforce: An RPA Overview - How

it works, key technologies, and benefits

Auditing RPA: IA’s role in RPA, Risks to

consider when auditing “bots”

Using RPA for Audit: Leveraging RPA for IA

efficiency

2

DIGITAL WORKFORCE – AN RPA OVERVIEW


Know your “Robot”

RPA NOMENCLATURE

Robots ARE NOT

Physically functioning, moving machines

Voice controlled personal assistants

ROBOTIC PROCESS

AUTOMATION

Robots ARE

Automation software tools

Programs that improve process efficiency by mimicking human interactions with applications

Perhaps considered a misnomer, “Robotics” is an industry term of art used to describe the digitization of business processes.

In contrast to the machines of the industrial revolution, ‘Robots’ (with respect to process automation), are nothing short of software tools that can automate a range of digital activity.

4


WHAT IS RPA?

5

Robotic Process Automation (RPA) is the use of software tools that function as a virtual workforce, managed by business operations teams. RPA software is able to execute pre-determined, rules-based tasks, mimicking human interaction with existing applications to automate a variety of business processes.

Are computer coded software

Enable the automation of repetitive,

rule-based processes

Mimic interactions of users

Work across applications

Robots

Process Robot Capabilities

Automated Data Entry

System Integration

Repetitive Tasks

Process Reconciliation

Data Validation/Quality

Processing Simple Business

Rules


WHY IS RPA COMPELLING?

6

Technology-Agnostic

• RPA can work across legacy ERPs, mainframes, custom

applications, desktop applications, and any other types of

IT platforms.

• Any technology platform that can be utilized by a human

can also be navigated by an RPA robot.

Non-Intrusive

• RPA leverages other application software through the

existing application’s interface; therefore, it is not

technically integrated.

• Since complex integration is not required, RPA programs

can be launched in a matter of weeks, resulting in low cost

of implementation and high return on investment.

Scalable and Traceable

• Staff can be trained to maintain, program and deploy

robots.

• Bots are subject to full auditing, with visibility to security

access and modifications.


WHAT ARE THE BENEFITS OF RPA?

Reduction in human error

Complete audit trailHigher Quality

Faster processes and availability around the clock

Employees can focus on value-adding activities

Productivity Increase

Lower process costsand scalable

Rapid return on investment

Cost Reduction

Initial results possible within 30 working days

No significant IT development required

Ease of Implementation

7


TYPES OF RPA

8

These bots reside on the user’s machine and are invoked by the user. They are

appropriate for tasks that are triggered at programmatically hard-to-detect points.

Attended Automation

Sources: Applied AI

Attended and unattended RPA bots are combined to provide automation for both

front office and back office activities, allowing end-to-end automation of a process.

Hybrid RPA

Unattended Automation

Unattended bots are like batch processes on the cloud. They complete a data

processing task in the background. They are ideal for reducing work of back-office

employees.

https://blog.appliedai.com/rpa/#use-cases


ROBOTICS AND THE INTELLIGENCE

CONTINUUM

9

Rule-based simple to complex (transactional) processes

Pattern recognition within unstructured data

Self-learning rules continuously rewritten to improve performance

RPA

Cognitive

Automation

Artificial

Intelligence


RPA GENERAL USE CASES

10

Robotic Process Automation (“RPA”) and Robotic Desktop Automation (“RDA”) have the potential to providing gained

efficiencies in general day-to-day business processes and activities. Many organizations are looking to leverage robotics to

reduce time spent on low level tasks, reduce errors, and minimize rework, all while gaining efficiency

Potential Areas for Automation

RDA/RPA applications:

• Inventory Management

• Demand and supply planning

• Quote, invoice, and contract

management

• Work Order Management

• Freight management

• Return Processing

• Vendor Set Up

• Report Generation

• Trend Tracking

Application of RPA/RDA in Daily Business Activities


• Operational accounting (billing

and collections, accounts

receivable)

• General accounting (allocations

and adjustments, journal entry

processing, reconciliations)

• Financial and external reporting

• Treasury processes

• Invoice Processing

• Customer set-up

Supply Chain Finance & Accounting Audit & Compliance


• Continuous monitoring

• Control testing

• Data request & control artifact

gathering

• Compliance reporting

• Identifying open items, conducting

follow-up, documenting remediation

status

• Tacking and monitoring key risk

indicators (KRIs)

• Automating reporting & dash boarding

activities


RPA GENERAL USE CASES

11

Robotic Process Automation (“RPA”) and Robotic Desktop Automation (“RDA”) have the potential to providing gained

efficiencies in general day-to-day business processes and activities. Many organizations are looking to leverage robotics to

reduce time spent on low level tasks, reduce errors, and minimize rework, all while gaining efficiency

Potential Areas for Automation


• Installations

• FTP download, upload, and

backup

• Server and application monitoring

• Folder and file management

• Email related tasks, processing

and distribution

• Batch processing

• Data Aggregation and Migration

• Help Desk Processes

• User Provisioning

Application of RPA/RDA in Daily Business Activities


• ERP Automation

• Business Intelligence

• Excel Automation

• Application integration

• Data Migration

• ERP Integration

• CSV File Imports

IT Services Systems and Integration Human Resources


• Payroll

• W4 & Employee Form Management

• Onboarding & Off-boarding

• Time & Attendance Management

• Benefits Administration

• Stock Administration

• Education & Training

• Compliance Reporting

• Recruiting Processes

• Personnel Administration

• Data Entry


POLL QUESTION #1

12

Where is your organization currently on its RPA journey?

A. Not started

B. Exploring use cases but no bots in production (may have bots in proof of

concept)

C. Program has been established with handful of bots in production

D. Program well established with numerous bots in production

E. Not sure

AUDITING RPA


RPA IS A TOP KNOWLEDGE AREA FOR

INTERNAL AUDITORS

14

Source: Protiviti’s 2018 Internal Audit Capabilities and Needs Survey

Robotic process automation, among the top areas in need of improvement, is drawing a significant interest from CAEs and internal audit leaders seeking to learn more about how to use it from a business improvement standpoint, as well as how to audit RPA in the organization.


INTERNAL AUDIT’S ROLE IN RPA

Assist the company with the identification of risks associated with implementing RPA

1

Provide guidance around control design/enhancements and testing approach

2

Help the company identify/or recommend controls processes well suited for automation, and assess the impact of automating those controls

3

Assist the company in evaluating the ROI and efficiencies gained though RPA

4

15

Consider how RPA can be used to drive enhanced delivery of IA activities5


Why Audit RPA?

While robotics afford improved efficiency and

effectiveness, if something goes wrong the negative implications can be rapid and widespread.

.Confirm appropriate controls have been put in place

as processes are automated, and that appropriate governance and ownership is established.

.

Access required to operate RPA is significant and

must be monitored and tested..

The change management process may pose a

serious challenge to maintaining the efficiency and effectiveness levels that robots can achieve.

Processes are often re-engineered prior to and

during the adoption of robots and can result in the loss of controls and introduction of risk.

.

Performance

Governance

Identity Management

Change

Management

Integrity

Are there policies

and procedures in

place defining

governance of

robotics?

Are user profiles reviewed on a periodic

basis to validate access is appropriately

restricted and aligned with the bot’s

functional responsibilities?

How is the RPA performance

monitored and measured?

Are Key Performance Indicators

(KPI) defined?

Are RPA rules routinely

reviewed for accuracy?

Does the change

managementprocess inhibit the

efficiency and effectiveness of

RPA?

Audit Areas of Focus

SecurityAre controls are in place

to prevent malicious

insiders abusing bot

access & authority to steal

confidential information?

AUDITING RPA – WHY AND WHERE?

16


RPA RISK CONSIDERATIONS

17

Business process objectives not

met

Compliance / reg requirements not

met

Data retention policies not

adhered to by bot design

Human capital / knowledge loss

Bot changes lead to disruption

Upstream / downstream application changes

Access to bot configuration

Lack of transaction oversight

Exceptions not appropriately

handled

Downstream application overload

Bot or bot environment

becomes unavailable

Bot does not achieve

performance expectations /

SLAs

Access to robot’s credentials not

controlled

Security vulnerability affects bot

environment

Excessive access to bot

environment

Human access to bot leads to SOD

risk

GovernanceChange

ManagementIntegrity

Availability and Performance

Information Security


POLL QUESTION #2

18

If your organization has deployed bots, has internal audit provided

any advisory or assurance services related to the program?

A. Yes, we have conducted an audit (or performed an advisory review) of

the overall program

B. Not yet, but this is in our plan for the coming year

C. No, and no plans to perform an audit

D. Not sure

USING RPA FOR AUDIT


BENEFITS OF AUTOMATION IN AUDIT, RISK, &

COMPLIANCE

Reduce Budget And Resource Constraints

Improved Insight & Depth of Coverage – Quantify & Substantiate

Makes Human Work Less Repetitive And More Analytical – Focus on Higher Value Activities

Increased Breadth of Coverage – Full Population, Statistical Sampling

Proactive Monitoring & “Real Time” Insight

Once Process Is Setup, There is Assurance over Source Data Integrity

Increase Visibility And CredibilityWithin The Organization, Skills Development in Team Members

Potential

Benefits of

Automation

Combining AI with RPA (delivering Intelligent Automation) opens up even more potential

20


POTENTIAL RPA USE CASES FOR IA AND SOXPotential Areas for Automation

• Change Management

• New User Access

• Terminations

• User Access Reviews

• Configurable Control

Monitoring

IT General Controls

• New Hire Setup

• New Customer Setup

• New Vendor Setup

• Duplicate Payment

Review

• Reconciliations

• Manual Journal Entries

Business Process

Controls

• Artifact Requests

• Artifact Tracking

• Work Paper Preparation

• GRC Data Download /

Upload

• Remediation Follow Up

• Tracking and Monitoring

KRIs

Internal Audit

Activities

21


RPA EVALUATION APPROACH

IdentifyEvaluate

Prioritize

Categorize

Use a deliberate and measured approach to evaluating whether

an activity is a good candidate for RPA…

…Resist the urge to “automate everything” to avoid the

risk of early program failures.

22


KEY CONSIDERATIONS

Cost Saving + Time Saving

23

OPPORTUNITY ASSESSMENT – FOCUS ON THE RIGHT AREAS

Logical to Automate

Maturity of Process

Availability of Data

Business Value


IDENTIFYING RPA OPPORTUNITYCharacteristics of Processes Ready for Automation

Low Exception RateProcesses that do not have a lot of exceptions to the defined business rules

High VolumeProcesses that have large volumes and occur frequently

ManualProcesses that contain a lot of manual steps

Quality RequirementProcesses that require a low defect ratio

Swivel Chair Processes that involve multiple software applications that are not integrated

Mature and StableProcesses that have been standardized and are unlikely to change soon

Highly Rules-BasedProcesses that do not require a lot of judgement

Large TeamsProcesses that are completed by more than one person

Readable Text FormatProcesses that contain structured data

Stable EnvironmentTechnology systems or organization are not planned to change in the near term

24


Opportunity

Assessment

THE RPA DELIVERY LIFECYCLE

Center of

Excellence

Define /

Design

Build / Test

Deploy

Operate

Foundations

Business Foundation• Strategy• Governance• Sponsorship• Business CaseTechnology• Infrastructure• Security Policy• Software• Change

Management

Drive the change, are responsible for the quality of each element, & provide the necessary expertise to deliver an effective RPA program

25


POLL QUESTION #3

26

What progress has your organization’s internal audit function made

with RPA?

A. Not started

B. Exploring use cases but no bots in production (may have bots in proof of

concept)

C. Internal audit has a handful of bots in production

D. Internal audit has a well-established RPA program with numerous bots

in production

E. Not sure

© 2018 Protiv iti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.27

Q & A

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not l icensed

or registered as a public accounting firm and does not issue opinions on financial statements or

offer attestation services. All registered trademarks are the property of their respective owners.

robotic process automation (rpa) and audit...robotic process automation, among the top areas in need...

Documents