Home / Resources / ISACA Journal / Issues / 2020 / Volume 2 / How Internal Audit Can Help Capture Value in Robotic Process Automation Projects

How Internal Audit Can Help Capture Value in Robotic Process Automation Projects

Author: Kevin M. Alvero, CISA, CFE, and Kevin McCarthy, CISA
Date Published: 28 February 2020
español | 中文

A fundamental value proposition of robotic process automation (RPA) is its ability to reduce time spent on repetitive, rule-based tasks, thereby freeing up precious time that can be allotted to more value-added work. However, a survey of 1,000 US information workers indicated,

Businesses are adopting automation but are falling far short of realizing its full value—and therefore failing to capture significant potential gains in revenue, efficiency, innovation, and worker satisfaction.1

Internal audit should play a critical role in ensuring that organizations receive the most value possible from RPA initiatives. When organizations have a “digitally fit” risk function—one with the skills and competencies to assess risk and provide assurance around the organization’s digital initiatives while the risk function itself is more data driven and digitally enabled—organizations get more value than anticipated from their digital investments and are better able to manage transformation-related risk.2

Therefore, internal audit must be savvy as it relates to any risk that could threaten to impact the value of RPA projects. As it relates to intelligent automation specifically, there are four high-level categories in which to group common automation project pitfalls:3

  1. Risk and governance—Lack of ownership and oversight of the automation program
  2. Authentication of bots—Lack of accountability and controls for ownership, security and integration of bots
  3. Program and bot monitoring—General lack of control ensuring bot functionality and issue resolution
  4. Change management—Lack of formal and consistent requesting and implementing of changes

Along with these areas, internal auditors should also be attuned to more subtle risk related to attitudes and expectations toward RPA projects. Attitudes toward the value of different types of work, along with expectations about how automation will impact the future state of job roles, are factors in the success of RPA projects and should not be ignored. While processes and technologies can be documented and tested more easily than so-called human factors, these risk factors can impact RPA value in real ways. A two-pronged, advisory/assurance approach to internal audit around automation initiatives is recommended and, in the advisory role in particular, internal audit may recommend actions to mitigate some of these “soft” risk factors.

True Value

RPA relieves some of the burden of routine, repetitive labor (e.g., rubber-stamp, push-button, swivel-chair) so that workers can focus more of their time and energy on tasks that require their uniquely human skills and add value to the organization. However, it is a perceptual pitfall to assume that these value-added activities will necessarily be more valuable to the organization than the ones RPA is performing.

In the broader RPA conversation, people sometimes equate repetitive, boring, thankless tasks with low-value tasks. But this notion raises a logical problem: If a particular task is really low value, then why are workers spending their time on it at all, and why would the organization invest in it even further by devoting resources to implementing an RPA solution for this low-value task? The answer might be some variation of “it has to be done” or “there is no choice.” However, if a task is truly something that must be done to run the business, then, by definition, it is not a low-value task. Indeed, some of the most valuable tasks an organization performs are routine and repetitive, such as approvals or taking inventory.

Hence, if a task is truly low value, the organization should not try to automate it; it should just stop doing it.4 Furthermore, internal audit should help to ensure that the organization is not attempting to automate ineffective processes.5 In theory, workers should always be doing the work that is most valuable to the organization, whether it is boring, interesting, repetitive or unique, which means that the expectation that RPA will enable people to finally get down to the “important” business is probably going to lead to some level of disappointment. What RPA can do is enable workers to engage in a greater number of value-yielding tasks because time-consuming, yet important, work is being done more efficiently.

Accurate and consistent assessment of a process’s value and quality is one of the most important ingredients in a successful RPA project. With this in mind, one of the ways internal audit can help to guard against unrealized value in RPA is to assess the process that management uses to value tasks and ensure that it is realistic and aligned both with organizational objectives and employee attitudes.

ACCURATE AND CONSISTENT ASSESSMENT OF A PROCESS’S VALUE AND QUALITY IS ONE OF THE MOST IMPORTANT INGREDIENTS IN A SUCCESSFUL RPA PROJECT.

Taking a Step Back

Another reason organizations may not realize the full value of time saved via RPA is because they do not take the best approach when deciding what to do with the time saved.

For starters, management should both understand and communicate what the extra capacity gained from RPA will be used for before RPA initiatives begin. This is critical both for making the return on investment (ROI) case for investment in RPA technology and for getting workers to buy in and support RPA projects. If management waits until after a process is automated to determine what to do with the time saved, it will likely be met with conflicting priorities and risk ultimately not using the time in the way that is most valuable to the organization.

 

Internal audit, for its part, should not look at RPA projects in isolation, but rather in the context of the organization’s larger digital strategy, and it should ensure that management has done the same. Risk functions such as internal audit, with their broad, cross-departmental view of the organization, “must go all-in on the organization’s digital plan.”6 If there is an indication of uncertainty about the planned use of time saved via RPA or how it aligns with the organization’s larger digital strategy, this should signal to internal audit that there is potential risk for under-realizing the value of an RPA project.

Meanwhile, every organization, in some way or another, prioritizes its project list based on what is most important and what resources are available. However, organizations are selling themselves short if they take newly available hours and simply apply them to the next most-important projects on the list—projects that they previously could not find time to undertake. This is because that old priority list was based on old capabilities.

When robotic processes are implemented, such as continuous monitoring and testing of whole populations of data (as opposed to sampling), they do not merely make more worker hours available; they can also affect the risk associated with certain business processes (e.g., cost, error rate). This means that for organizations to get the most value out of the time saved through RPA, management needs to take a step back and look holistically at the prioritization of projects/activities based on the organization’s new normal. If business area management has not undertaken a holistic review of how it provides value to the organization based on its new capabilities, then it is unlikely to realize the full value of RPA. In other words, internal audit should be aware that RPA is not treated as a bolt-on technology that simply facilitates business as usual.7

Employee Attitudes

When employees have negative or misaligned expectations about how RPA will impact their jobs, it can stand in the way of organizations reaping the full benefit of RPA investment. Some employees are more optimistic than others about the impacts of RPA. According to a survey of information workers, 78 percent said automation will allow them to spend more time on the interesting and rewarding aspects of their job.8 If this does not come to fruition—if employees do not ultimately find themselves spending more time on what they perceive to be more interesting and rewarding aspects of their work—then it could harm employee attitudes toward current and future RPA initiatives.

IF EMPLOYEES BELIEVE THEIR JOBS WILL BE THREATENED DUE TO AUTOMATION, IT FOLLOWS THAT THEY MIGHT BE UNMOTIVATED TO WORK TOWARD ENSURING THAT THE FULL EFFICIENCY BENEFITS OF AN RPA PROJECT ARE REALIZED.

Meanwhile, in the same survey, 33 percent of workers said they believed their jobs could be replaced by automation, and about 25 percent indicated that they did not feel they could get another job at their current organization if that happened. If employees believe their jobs will be threatened due to automation, it follows that they might be unmotivated to work toward ensuring that the full efficiency benefits of an RPA project are realized.

Still other employees may believe that relief from repetitive tasks will make their job profiles less demanding, enabling them to complete their work at a more comfortable pace or reach a better work-life balance. However, these employees are likely to be disappointed, particularly if they work in the United States. While annual hours per worker fell steadily over the past half century in countries including France, Germany, Great Britain, the Netherlands and elsewhere, the average US workweek has not budged from 40 hours in more than 30 years, despite revolutionary increases in the speed and efficiency of information work brought on by advances in computing and Internet technologies.9

While it may seem intuitive that employees would welcome offloading their busy work, it might not necessarily be the case. To employees who equate being busy with importance and value, they may believe their lack of busyness will equate to a lack of their perceived value to the organization.10 If this is the case, they may—consciously or unconsciously—replace automated busy work with new busy work that is less valuable to the organization than other alternatives.

Communication is critical to mitigating risk associated with employee attitudes but, in some cases, business management may be focused on the more technical aspects of executing an RPA project and not give communication and change management the attention they need. This is where the objectivity of internal audit is valuable to ensure that both sides of the coin are being adequately addressed. Internal auditors should notice whether the RPA project includes a robust communications plan (i.e., written and verbal), appropriate training, updates to job descriptions and responsibilities (where applicable), sufficient explanation of the rationale of the project, and clear ownership for addressing employee questions and concerns. These elements will help to set expectations at the right level and reduce the risk posed by employee attitudes.

Managing Expectations

In the age of RPA, the qualities that make people uniquely human make up an increasingly large share of their value to an organization. At the same time, the so-called human factor can prevent organizations from realizing the full value of time saved from RPA initiatives if people’s expectations are not well managed. Management must be sensitive and informed about the risk that attitudes pose toward the success of RPA projects and take steps to ensure that they communicate realistic and accurate expectations about how RPA will impact people. Internal audit, meanwhile, by understanding and identifying the subtle factors that can undermine the realization of RPA’s full value, can help the organization avoid disappointment and lost value.

Endnotes

1 Smartsheet, “Automation in the Workplace 2017,” June 2017, https://www.smartsheet.com/sites/default/files/smartsheet-automation-workplace.pdf
2 PricewaterhouseCoopers (PwC), “Being a Smarter Risk Taker Through Digital Transformation,” 2019, https://www.pwc.com/us/en/cfodirect/multimedia/webcasts/2019-risk-review-study.html
3 KPMG, “Intelligent Automation and Internal Audit,” 2018
4 Claman, P.; “Stop Doing Low Value Work,” Harvard Business Review, 1 June 2016, https://hbr.org/2016/06/stop-doing-low-value-work
5 Op cit KPMG
6 Op cit PwC
7 Ibid.
8 Op cit Smartsheet
9 Spross, J.; “The Case for the 28-Hour Work Week,” The Week, 15 January 2018, https://theweek.com/articles/747843/case-28hour-work-week
10 Pinsker, J.; “‘Ugh, I’m so Busy’: A Status Symbol for Our Time,” The Atlantic, 1 March 2017, https://www.theatlantic.com/business/archive/2017/03/busyness-status-symbol/518178/

Kevin M. Alvero, CISA, CFE
Is senior vice president of internal audit, compliance and governance at Nielsen Company. He leads the internal quality audit program and industry compliance initiatives, spanning the company’s Global Media products and services.

Kevin McCarthy, CISA
Is Nielsen’s vice president of internal audit, where he manages the organization’s third-party external audit engagements regarding compliance to the various media research standards.