Implementing Robotic Process Automation For Internal Audit
Robotic process automation (RPA) has become an efficient way to automate labor-intensive and repetitive tasks across a variety of business functions, including finance and accounting, legal, HR, commercial loan operations and, increasingly, internal audit (IA).
Many internal audit processes (such as validating the removal of system access rights for terminated users or change management testing) are manual and repetitive in nature, require significant time to perform and remain consistent year over year. As a result, IA departments are beginning to realize that RPA can make their work increasingly efficient and improve audit coverage.
While RPA is widely acknowledged to give organizations the opportunity to achieve significant efficiency-driven cost savings, there are some areas within IA where it may not be the right solution given factors such as data privacy requirements or lack of sufficient business value being generated. However, implementing bots where thoughtful and appropriate can make a difference across many IA departments.
How RPA Drives Value In Internal Audit
We have found that internal audit can use their knowledge of RPA to assist in identifying opportunities to embed automation-enabled controls within the business and/or apply RPA to their own audit procedures in the following ways:
1. Sampling Risk
When performing an audit, data samples are often selected because it is not practical to manually test a full population of large data sets. Selecting samples that are representative of the population means that internal auditors test only a small percentage of control executions manually.
Through automated testing, internal audit can expand the audit coverage by examining full populations of data rather than sampling, and management can achieve greater confidence that controls are designed and operating effectively.
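As an added illustration of full-population testing (not code from the original article), the sketch below runs the terminated-user access-removal check mentioned earlier against every record in a constructed HR extract and a constructed identity-system extract, instead of a sample. The column names, the 24-hour removal deadline and the exception labels are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample extracts (not real data): HR terminations and account state.
HR_CSV = """user_id,terminated_at
u1001,2024-03-01T17:00
u1002,2024-03-04T12:00
u1003,2024-03-10T09:00
u1004,2024-03-15T17:00
"""
IAM_CSV = """user_id,disabled_at,last_login
u1001,2024-03-01T18:30,2024-03-01T16:45
u1002,2024-03-07T08:00,2024-03-05T10:15
u1003,,2024-03-12T14:00
"""

SLA = timedelta(hours=24)  # assumed policy: access removed within 24h of termination


def _ts(value):
    """Parse an ISO timestamp; an empty cell means the event never happened."""
    return datetime.fromisoformat(value) if value else None


def check_terminations(hr_csv, iam_csv, sla=SLA):
    """Test every terminated user and return (user_id, exception) pairs."""
    accounts = {r["user_id"]: r for r in csv.DictReader(io.StringIO(iam_csv))}
    exceptions = []
    for row in csv.DictReader(io.StringIO(hr_csv)):
        uid, terminated = row["user_id"], _ts(row["terminated_at"])
        acct = accounts.get(uid)
        if acct is None:
            # Deleted account or incomplete extract: needs evidence, not a pass.
            exceptions.append((uid, "NO_IAM_RECORD"))
            continue
        disabled, last_login = _ts(acct["disabled_at"]), _ts(acct["last_login"])
        if disabled is None:
            exceptions.append((uid, "STILL_ENABLED"))
        elif disabled - terminated > sla:
            exceptions.append((uid, "DISABLED_LATE"))
        if last_login and last_login > terminated:
            exceptions.append((uid, "LOGIN_AFTER_TERMINATION"))
    return exceptions


if __name__ == "__main__":
    for uid, reason in check_terminations(HR_CSV, IAM_CSV):
        print(uid, reason)
```

A user missing from the identity extract is reported as an exception rather than silently passed, because the gap may reflect an incomplete data input rather than a removed account.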
2. Audit Frequency
Due to the risk-based approach followed by IA departments (and the time-sensitive nature of some internal audit work), some business areas may not be audited every year, and sometimes only every two or three years.
RPA has the potential to enable organizations to increase the frequency of testing and, in many cases, transition to a continuous auditing model for providing more timely insights to the business.
3. Annual Risk Assessment
Many IA departments today still follow the traditional method of performing an annual risk assessment as the precursor to the annual audit plan. This requires gathering data points from each audit area and assigning a risk-based score to each. This can be a time-consuming task, requiring the accumulation of data from each audit area across the enterprise.
RPA could automate the tracking of progress against the annual audit plan and track and monitor key risk indicators (KRIs), which are taken into account when performing the annual risk assessment for the audit universe. As agile auditing becomes more widely adopted, RPA can be used to create a continuous monitoring/auditing program using this model.
4. Audit Committee Reporting
A large portion of management time in audit is spent in reporting. Audit reports go to the chief audit executive (CAE) and onward to the audit committee. Traditionally, they are lengthy, verbose reports that take significant time to complete.
RPA could assist IA leadership in automating reporting and dashboarding activities, including populating audit committee and management report templates.
Key Considerations For RPA Implementation: Before And During Implementation
1. Clearly define the vision and strategy for automation. Look for processes that:
- Have a clearly definable Return on Investment (ROI)
- Relate to an area of key business risk to the organization
- Have reliable and quality data inputs
- Are rules-based and remain relatively stable period over period
- Are labor-intensive and subject to human error
- Occur frequently and are generally inefficient
2. Define roles, responsibilities and structures for identifying which tests and processes are the most promising candidates for automation.
3. Develop processes for approving designs and deployment methods, and develop standardized documentation. Don’t assume existing manual processes are compliant with policy or are ready to be automated. There may be some inefficiencies to remove before introducing RPA.
4. Partner with your security team early, identify authentication mechanisms for the bots and develop security policies for privacy and data protection.
5. Establish clear change management processes and controls.
6. Continuously test and monitor.
7. Train your staff.
8. Question whether RPA is the best solution for making a process more efficient. Could building an API (application programming interface) into a legacy system be more cost-efficient than introducing RPA in order to bring efficiencies?
Key Considerations For RPA Implementation: After Implementation
1. Think about metrics and how to measure them. How are you going to measure ROI over the life of the bot(s)?
2. After successful implementation and rollout, consider developing a robotic center of excellence (CoE) for enhanced governance.
3. Plan your strategy if the bots are not running as smoothly as expected.
Overall, internal audit functions are evaluating the emerging possibilities from RPA deployments across the organization and how the technology can be leveraged to improve efficiency and effectiveness within their own activities. Ensure strong program leadership and don’t underestimate the need for strong governance.