The Pain of Automation

Internal audit leaders are looking at automation technologies for many of the same reasons as business management. Automated processes can run in the background, allowing auditors to look at more things in less time than they could manually. Also, deviations from expected or acceptable results can be brought to auditors’ attention more quickly (in near-real time) than with periodic manual review. Advantages such as continuous monitoring, automation of repetitive processes and the ability to audit large populations (as opposed to sampling) offer internal audit departments the opportunity to expand their view, do more with limited resources and, most important, provide greater value to the enterprise.

In light of these possibilities, optimism around automation in internal audit is understandably high. In a recent survey, nearly half of US risk and compliance professionals, internal auditors, executives and board members surveyed said their organization planned to modernize its compliance function in the year ahead.¹ However, according to another study, just 14 percent of internal audit functions could be considered advanced in their technology adoption (including the use of robotic process automation [RPA] to expand the expediency and coverage of their audits), while 83 percent are either adopting advanced technologies at a slower pace or not at all.²

These findings suggest that, in spite of the promised benefits of automation, internal audit departments are encountering hurdles on the path toward realizing those benefits. Three of the key hurdles that almost any internal audit function will come up against are choosing the right processes to automate, getting the solution (i.e., software) developed and navigating the complex ways in which automated internal audit processes interact with other areas of the business.

Process Identification and Selection

One of the fundamental challenges internal audit departments face in implementing RPA is choosing the process, or processes, to be automated. It is not always obvious what the department should focus on or prioritize.

For example, applying a risk-based approach might point toward investing resources in developing RPA based on the areas of greatest risk to the organization. If the internal auditors are looking at an area of critical risk, so the thinking goes, then they want to maximize the effectiveness of the audit processes they are using to perform that role.

On the other hand, some audit functions would rather focus their automation efforts on those audit processes that have the greatest potential for efficiency within the internal audit function. In this line of thinking, if automation efforts focus on automating the least valuable and/or least efficient processes to free up auditor capacity, it allows the department to do more across the board with finite resources.

Further complicating the choices is the fact the internal audit department may not be solely responsible for making the selection. If the department is participating in a larger, organization-scale automation initiative, people outside the department may have a say in what processes are chosen for automation.

Even if the organization has a well-conceived system in place to select processes for automation, a good set of performance measures is also needed to inform that system and accurately assess which processes will have the greatest return on investment (ROI). Many organizations do not have sufficient performance data, and that can lead to the risk of automating the wrong things.³ Most likely, though, the decision is going to come down to money saved. This is important for internal audit departments seeking funding and support for automation efforts. The better they can make the ROI case and quantify the benefits of automation in terms of cost savings, the easier it will be to justify their selection of processes to automate.

In addition to ROI potential, the process in question must have reliable, quality input. The quality and reliability of the data input into an automated process is the single greatest determinant of whether users will be able to trust its output.⁴

Many internal audit functions will look at the processes they currently perform and choose automation for those that RPA can help them do better. However, this is not necessarily the best approach. Audit functions can fall into the trap of simply retrofitting old procedures with new technology to make them incrementally better.⁵ Ideally, audit functions should look at how RPA can help them adopt new capabilities to deliver value to the organization that they could not previously.

Whether looking at new or existing processes, internal audit departments that are trying to build momentum on the path toward automation should look for a process that:

• Has a clearly definable ROI
• Relates to an area of key business risk to the organization
• Has reliable, quality inputs
• Is labor intensive, subject to human error and generally inefficient

These are the areas internal audit should target first, and formalized RPA projects should focus on a limited number of high-impact targets to preserve momentum.⁶

Solution Development

Even though a process may be an ideal candidate for RPA in theory, actually developing the technology to automate it can present numerous challenges and choices. Presuming the internal audit staff typically does not retain the expertise to write bots and develop software, these services will have to come from within the organization’s IT/engineering staff or from an external vendor. Each presents its own challenges.

For example, when leveraging engineering resources from within their own organization, internal audit departments may find themselves at the mercy of the enterprise’s larger technology development pipeline. The way this pipeline is prioritized can have a big impact on the progress of internal audit’s automation initiatives, particularly if the engineering resources are subject to top-down pressure to push lower profile (or non-client-facing) projects down the list.

Conversely, when the internal audit department utilizes a vendor to create automation solutions, all of the aspects of third-party risk management, including service level agreement (SLA) and security/confidentiality, come into play. In particular, ongoing updates and maintenance will be tied to the vendor solution going forward, and it may not be feasible to bring these in-house once a customized automation process is established by the vendor; so the internal audit department should understand the ongoing requirements just as well as the upfront ones. Plus, the internal audit department must ensure that needs are accurately defined and scope is carefully managed to avoid implementing a more powerful and, thereby costly, solution than is absolutely necessary. Weighing and balancing these trade-offs is important to do prior to committing to a course of action for automation.

RPA experts insist that robots do not make mistakes and, if they are programmed correctly, RPA technologies have great potential to save auditors’ time through the automation of routine, repetitive, rule-based actions. However, if they are programmed incorrectly or incompletely or are altered, errors can be introduced during the automated process. These process automation errors can perpetuate larger, systematic errors to a greater degree than similar manual processes. Therefore, whether the solution is being developed in-house or by a vendor, correct documentation of each step and rule in the processes to be automated and verification of bot functionality must be performed before implementation of RPA, and it is important to understand the demands this will place on internal audit resources before the solution development process begins.

Throughout the solution development process, internal audit automation leaders should also remain aware of their alternatives. A fully customized, fully automated solution may, in fact, not be the ideal solution for every automation project. For example, if 80 percent of the process in question can be automated fairly easily, but the remaining 20 percent would come at a high relative cost, then automating the 80 percent may be the ideal solution for the department’s needs.⁷ Indeed, full automation can be undesirable based on the application. Processes that involve decisions that humans need to make are not suited to total automation.⁸ RPA is not the only mode of automation, either. Replacing legacy systems or building powerful application programming interfaces (APIs) into legacy systems may allow organizations to automate processes with less effort than building RPA solutions, and those leading automation efforts should avoid fixating on RPA alone for automation.

Finally, the solution development process should not be cordoned off from the internal audit staff and restricted to the technology experts who are writing software. It is critical that internal audit departments integrate the intended users of the solution into the development process and train them because, for one thing, a person has to be able to evaluate when an automated output is wrong.⁹ The audit functions most advanced in their use of technology are developing their people and processes at the same time.¹⁰ Not only should people be trained on how to utilize an RPA solution, it is also critical that they understand the benefits from a strategic perspective. If these are not explained properly, the concept can generate anxiety (e.g., Will these software robots be taking away our jobs?). These concerns can contribute to inertia for launching RPA projects. In any automation effort, the benefits of less time spent on tedious, repetitive tasks and freeing up staff time to focus on more value-added activities should be communicated early and often to all stakeholders.

Garbage In, Garbage Out
While internal audit departments generally do not have the expertise to develop technology solutions in-house, they still play a critical role in the ultimate success of an automation solution based on how well they educate the software developers about their needs and objectives throughout the project, not just at the beginning. The usefulness of a technology solution will directly correlate to the ability of the business process owners and subject matter experts to explain, step-by-step, how a process is conducted, from end to end. If the internal audit department does not take care to articulate its needs thoroughly and accurately, then the resulting technology solution will not succeed. Screenshots and/or screen video recordings of staff performing the actions can be helpful in this process. Templates and completed examples are also useful ways to smooth the discovery and evaluation phases of potential automation projects. Before coding, technical review by those responsible for writing the actual programming code is also a necessary input. Having dedicated outreach staff for organizationwide automation initiatives is also helpful for disseminating information about what RPA can and cannot do for enterprise teams.

Process Interactions

Evaluating a process for automation on its own merits can be complex enough, but it is often compounded by interaction with other areas. Robots (in the RPA context) are entirely technology agnostic and can be used with any application, so they can work across functions and across applications.¹¹

However, a process’s interactions may not be purely technological. For example, considerations must be made for legal and regulatory compliance. At one internal audit shop, the team was motivated to work toward automating a process that consisted of collecting field audit data manually on paper forms. As they set about developing an electronic form that could be completed on a tablet device and then uploaded to a cloud storage drive where the structured data could be used for enhanced analysis, they encountered a roadblock when they discovered that their plan conflicted with the organization’s policy prohibiting the transmission of personally identifiable information (PII) on the cloud storage drive, and alternative approaches had to be considered.

Another aspect of process interaction is that if internal audit departments are seeking to automate processes related to specific areas of the enterprise’s business, then they must consider the risk of those solutions becoming obsolete if the business changes. When the business changes, the people on the internal audit staff can be assigned to go audit something else, but repurposing a technology solution designed to perform one task and having it perform another may not be as straightforward. This means that internal audit functions should have alignment with business management regarding strategy before pursuing automation initiatives that are tied to the internal audit of a particular area of business.

Conclusion

The potential benefits of automation to internal audit are real and well documented. Just as real, but perhaps less well documented, are the hurdles internal audit departments are facing on their way to realizing the benefits of automation.

Success begins with choosing the right process to automate and continues with the meticulous documentation and mapping of the current process and defining the requirements of the automation technology to ensure that it works and meets the needs of the users. Beyond basic user testing, users should be integrated into the solution development process so they not only understand how to use the tool, but also its strategic benefits and the potential impact of malfunction. Finally, the broader interactions of the process to be automated should be considered to avoid surprises down the road.

With careful planning and evaluation, automation solutions using tools such as RPA have the potential to streamline audit and business processes and make monitoring of controls more efficient. Decisions about what processes to automate should carefully consider benefits, risk and trade-offs. While many processes can be automated, there must be a disciplined prioritization process to choose which should be automated to make these efforts worthwhile.

Endnotes

¹ Salierno, D.; “Tech Adoption Falls Short,” Internal Auditor, vol. 75, iss. 5, October 2018, p.11-12
² PricewaterhouseCoopers, “2018 State of the Internal Audit Profession Study,” https://www.pwc.com/sg/en/publications/state-of-internal-audit-profession-study-2018.html
³ Ramamurthy, R.; “RPA—Five Biggest Hurdles and How to Overcome Them,” LinkedIn.com, 17 April 2017, https://www.linkedin.com/pulse/rpa-five-biggest-hurdles-how-overcome-them-ravi-ramamurthy/
⁴ McCollum, T.; “Audit in an Age of Intelligent Machines,” Internal Auditor, December 2017
⁵ PricewaterhouseCoopers, “Revolution Not Evolution: Breaking Through Internal Audit Analytics’ Arrested Development,” January 2018, https://www.pwc.com/us/en/services/risk-assurance/library/internalauditanalyticsrevolution.html
⁶ Applied AI Blog, “14 RPA Pitfalls and the Checklist for Avoiding Them [2019 Update],” 31 December 2018, https://blog.appliedai.com/rpa-pitfalls/
⁷ Ibid.
⁸ Shacklett, M.; “Business Process Automation: Where It Works, and Where It Doesn’t,” ZDnet.com, 3 August 2015, https://www.zdnet.com/article/business-process-automation-where-it-works-and-where-it-doesnt/
⁹ Op cit McCollum
¹⁰ Campbell, J.; “Intelligent Automation/RPA and Use for Internal Controls,” IIA Florida West Coast Chapter and West Florida ISACA Chapter Fraud and Security Seminar, 6 December 2018
¹¹ Ibid.