The Practical Aspect: Organizational RPA Adoption and Internal Auditing

Author: Vasant Raval, DBA, CISA, ACMA, and Erica Smith, CISA, CISM, Security+
Date Published: 28 February 2020

Robotic process automation (RPA) adoption is a gateway for the internal audit function to contribute more to the organization. RPA adoption extends the insights of internal auditors in business processes to help innovate new or modified processes to manage changing risk, improve efficiency, enhance reliability, reduce costs or add value to the business.

RPA is the scripting of a task or procedure through robots to help reduce the need for human intervention in process execution. The reference to robots in this instance points to software scripts, or bots, that mimic human interaction and decisioning with an application or multiple application interfaces. For example, UiPath, an RPA software vendor, is working on a robot that can systematically verify the accuracy of signatures on checks deposited at automated teller machines (ATMs). This innovation involves a detailed understanding of the human decision-making process regarding signature verification and then programming the robot to mimic the human judgment involved in it. In early test results, robots succeeded in verifying signatures 80 percent of the time; the remaining 20 percent of the cases were handed over to humans for final resolution.1 With RPA, the idea is to minimize human interactions, thus limiting delays and individual mistakes, and giving control of the targeted tasks to the machine. Basically, a system is designed through an allocation of tasks between humans and machines.2 A simple role-based model of task allocation between humans and machines is comprised of four parts: 

  1. No machine role—Machines are simply not ready to take over, or the task is assumed to be within the forte of humans and cannot be allocated to a machine. 
  2. Discretionary human role—Based on the end goal or outcome desired, humans decide to limit the machine’s role.
  3. Supporting machine role—Computers perform primary data aggregation and manipulation.
  4. Integrated machine role—Little or no human intervention (e.g., enterprise resource systems). Typically, such tasks are more abstract in nature and do not follow a standard decision-making process, that is, significant human judgment is involved in the task.3 

Leveraging the role-based model of task allocation, figure 1 depicts the level of RPA integration and automation for each of the roles identified.

Figure 1: RPA Integration Role Model

Applying the RPA Integration Role Model to the business world, solutions are tailored to fit the organization’s business processes and are based on the type of activity to be performed. An integrated form of RPA can be observed when it comes to handling customer input. For example, RPAs in phone systems can authenticate the user and perform basic customer support activities such as bill payment, fund transfers, account password resets or unlocks.


RPAs in the Supporting Machine Role require a degree of human intervention within the process workflow. This RPA is traditionally found more in back-office activities and can be taught to perform workflow automation with complex, multistep processes. Common examples of this type of RPA include the evaluation of change control management or stale account evaluation where the RPA collates data from multiple systems of record, evaluates the data extracted for predetermined criteria, and then performs an action as a result of the analysis such as notification of an authorized change or the creation of a ticket for access removal.
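The stale account evaluation described above can be sketched as follows. This is an added example, not code from the authors or from any RPA product; the two exports, their field names and the 90-day idle threshold are constructed assumptions standing in for an organization's own systems of record and predetermined criteria.

```python
# Added illustration: stale-account evaluation as a Supporting Machine Role bot.
# All records, field names and the 90-day threshold are constructed assumptions.
import csv
import io
from datetime import date

HR_EXPORT = """employee_id,status
E100,active
E101,terminated
E102,active
"""

DIRECTORY_EXPORT = """account,employee_id,enabled,privileged,last_logon
asmith,E100,true,false,2020-02-20
bjones,E101,true,true,2020-02-25
cwu,E102,true,true,2019-10-01
svc_old,,true,false,2019-06-15
dlee,E102,false,false,2019-01-01
"""

def load(text):
    """Parse one system-of-record export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def evaluate(hr_rows, dir_rows, today, max_idle_days=90):
    """Collate both sources and return one ticket per account needing review."""
    hr_status = {r["employee_id"]: r["status"] for r in hr_rows}
    tickets = []
    for acct in dir_rows:
        if acct["enabled"] != "true":
            continue  # already disabled, nothing left to remove
        reasons = []
        owner = acct["employee_id"]
        if not owner or owner not in hr_status:
            reasons.append("no owner in HR system of record")
        elif hr_status[owner] == "terminated":
            reasons.append("owner terminated")
        idle = (today - date.fromisoformat(acct["last_logon"])).days
        if idle > max_idle_days:
            reasons.append(f"idle {idle} days")
        if reasons:
            # The bot only opens the ticket; a human approves the removal.
            priority = "high" if acct["privileged"] == "true" else "normal"
            tickets.append({"account": acct["account"], "priority": priority,
                            "action": "review for access removal",
                            "reasons": reasons})
    return tickets

if __name__ == "__main__":
    for t in evaluate(load(HR_EXPORT), load(DIRECTORY_EXPORT), date(2020, 2, 28)):
        print(t)
```

Each ticket records the reasons that triggered it, which gives internal audit evidence that the automated control is operating as designed.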

The Discretionary Human Role RPA suggests a current low degree of automation within the workflow process. RPA adoption in this role could typically perform tasks such as form data validation, gathering of data from diverse systems of record into a centralized repository or alerting of appropriate personnel when previously established thresholds are met. The goal of the process remains a primary focus in determining whether to automate a process component or leave it to the humans.

In the No Machine Role, RPA automation potential is utmost, because the process is irregular, changes frequently, or underlying systems or regulations have constrained its automation potential. Past experiences and assumptions may have determined the unsuitability of automating a process or its components. With new technologies, artificial intelligence (AI) and data analytics, these assumptions are challenged. As a result, the process may be significantly modified using RPA.

 

Process Characteristics

Determining where to leverage RPA across the organization can be a challenge since much depends on process characteristics. If a process is mature, chances are it can be transformed into an improved robotic process where some or most of the human tasks are handed over to the computer. The benefit of process transformation depends on whether the process is repetitive in nature, is scalable and has historically time-consuming human involvement.4 Normally, one should look for improved efficiency, reduced cycle time, enhanced reliability and improvement in the service that is supported by the process. An archive of types of human errors in handling the process can also shed light on whether the risk of erroneous execution can be minimized. This is particularly pressing where the personnel turnover is high, resulting in loss of sophistication in the judgment the process handler achieves over time. If the process is already surrounded by automated activities, it is likely that the transformation can be achieved easily, for the data and applications relevant to the process already exist. The presence of digital inputs is essential; where this is absent, it should be possible to convert necessary additional inputs into digital forms, and this also could result in an improved, efficient and reliable process. Figure 2 illustrates the areas that lend themselves to RPA.

In general, if a manual process is repetitive in nature, tangentially touches automated systems, and requires the analysis of large volumes of records or data, there is a chance that the process is a good candidate for RPA adoption. Here are some examples:

  • Evaluation of enterprise backup logs and the assignment of troubleshooting tickets for failures
  • Analysis of “stale” end user and administrator accounts for certification and potential removal of inappropriate privileges
  • Issuing and administration of parking permits
  • Employee tax withholding

BluePrism is testing an AI-enabled platform for insurers. The application will automate the process to validate claims and make recommendations for human examiners.5


Process Adoption

A first step to embedding RPA in any business process is to designate a sponsor. The right level of buy-in from the process owner(s) is a key prerequisite for success. The project sponsor needs to be an individual who has knowledge and awareness of the process and the appropriate level of leadership to guide cultural adoption by team members.  

Next, development of the bot should follow the standard system development life cycle. Requirements for the RPA bot should normally be defined by line of business and process/system dependency teams. A formal, knowledgeable architect should be engaged to aid in mapping or evaluating the existing architecture of the business and system processes. The architectural diagram should include primary and secondary system dependencies, cross-application and human data feeds and data types, and desired output. Without appropriately understanding and documenting the foundation for the bot, it will be difficult to develop a reliable RPA, ensure the appropriate scalability, and provide support once the system moves into the production environment.

While the RPA is being developed, it is important to engage internal audit and risk management functions at the onset of the project. The internal auditors can aid the business process owners in evaluating the process(es) as a whole to understand the impact to the organization, where risk exists within the procedure(s) and the current controls in place to mitigate the identified risk factors. During development of the RPA, primary and secondary controls can be modified or removed from the business process, and some may even be replaced with newly crafted controls. Therefore, it is important for the audit and risk management functions to review the controls to validate if automated functionality is operating as designed, risk is reduced to acceptable tolerance levels and the controls meet the intent of any regulations impacting the control environment. Additionally, line of business control self-assessments will need to be updated to reflect the new processes, risk and controls within the landscape, and personnel supporting the business operations should be trained on the new process and implications of control failure. 

Finally, prior to an RPA bot being placed into production, process owners and project sponsors should reevaluate the metrics and reports provided to senior leadership over key performance indicators (KPIs) and key risk indicators (KRIs). Management needs to assess the reports to determine if thresholds and KRIs and KPIs are still in alignment with the new business process and if the reports need to be revised to provide correct strategic measurements to senior leadership.

RPA offers organizations a cost-effective opportunity to reevaluate and streamline the current business processes while minimizing the opportunity for human error. Due to the relative ease of RPA implementation and the potential for scalability across the enterprise, RPA is here to stay. And it is the responsibility of the internal audit and risk management functions to be a part of the RPA development to guide the organization through a successful implementation and adoption.


Endnotes

1 Loten, A.; “Robots Take on Complex Software Tasks,” The Wall Street Journal, 10 December 2019, B4, https://www.wsj.com/articles/software-robots-get-smarter-thanks-to-ai-11575887400
2 Emery, J.; Cost/Benefit Analysis of Information Systems. University of Georgia: The Society for Management Information Systems, 1971
3 Raval, V.; “A Curriculum-Wide Approach to Integration of Computer in Accounting Education,” The Journal of Information Systems, Spring 1989, p. 132–144
4 Sanders, C.; “Launching a Value-Based Analytics and RPA Program,” ISACA® Journal, vol. 6, 2018, https://www.isaca.org/archives
5 Op Cit Loten

Vasant Raval, DBA, CISA, ACMA
Is emeritus professor of accountancy at Creighton University (Omaha, Nebraska, USA). The coauthor of two books on information systems and security, his areas of teaching and research interest include financial fraud, information security and corporate governance. He can be reached at vraval@creighton.edu.

Erica Smith, CISA, CISM, Security+
Is an information technology audit manager responsible for the infrastructure and business resiliency and disaster recovery space. She has more than 15 years of experience in information technology support, cybersecurity and information technology audit, and has worked for several industries including oil and gas, retail, healthcare, and financial services. Smith can be reached at ericasmith411@gmail.com.