RPA: First Steps to Greater Internal Audit Efficiency

Why IA Leaders Should Care About Robotic Process Automation

Robotic process automation (RPA) is drawing significant interest from Chief Audit Executives and internal audit leaders seeking to learn more about how to use it from a business improvement standpoint, as well as how to audit RPA in their organizations. Protiviti’s Andrew Struthers-Kennedy and Angelo Poulikakos discuss why RPA use remains low among internal audit departments and how organizations can change the tide to save costs and time.

with co-author Angelo Poulikakos

As the popularity of robotic process automation (RPA) increases, internal audit departments are starting to realize that this relatively simple and affordable technology can make their work more effective and efficient by improving audit coverage and automating many routine audit tasks. This, in turn, can free up time for more strategic, value-adding work that requires a depth of evaluation and judgment not available through RPA solutions.

That said, there remains little adoption of RPA within internal audit. In some cases, this is due to a gap in understanding exactly how and where RPA should be applied to internal audit activities. In others, the awareness of RPA as an efficiency tool is tempered by an inherent reluctance to innovate.

Consider a Structured Approach, But Don’t Overcomplicate It

The best way to determine where RPA can deliver maximum return on investment (ROI) is to take a structured approach to identify, evaluate, categorize and prioritize automation candidates.

For example, suitable tasks for automation are those that are routine, manually intensive, prone to human error and rules-driven (i.e., not overly subjective) and for which supporting data is readily available and easily readable.

Control-testing automation or use of automation to expand coverage (e.g., through testing larger sample sizes or full populations) are obvious areas to explore, but also consider routine internal audit activities, such as document request management, artifact gathering, interactions with GRC platforms, process and control owner follow-ups and reminders, issue validation and even initial report generation. These more administrative-type tasks are often collectively the most time-consuming while also delivering little value compared to the effort required. Asking the audit group to hold an automation-opportunity brainstorming session usually yields a medium-to-long RPA candidate list fairly quickly.

Next, evaluate this list to determine which candidates are likely to offer the best ROI by looking at the automation potential of each, both in terms of technical feasibility and the expected value that automation can deliver through increased efficiency and coverage/effectiveness.

In evaluating the ROI of potential RPA scenarios, look beyond traditional measures, such as employee reduction or cost savings, to less tangible metrics, like increased visibility and credibility for the internal audit organization; increased insight, breadth and depth of coverage; ability to provide more real-time monitoring; and ability to focus on more value-add activities. These metrics are important because they impact the quality of internal audit’s interactions with its key stakeholders.

A good outcome might also include expanded audit capabilities. In the case of control testing, for example, RPA allows internal audit teams to move beyond traditional detective or preventative methodologies of periodic artifact requests to continuous auditing, making almost instantaneous an audit cycle that may have previously taken several weeks. Auditees also benefit because they can spend more time on their business-as-usual activities and, in the event of a control deficiency, they get closer to real-time results and have longer runways for remediation.

Automated artifact gathering can also position internal audit to be more autonomous: for example, IA functions can partner with the business to understand the process followed to generate audit artifacts (including the systems involved) and subsequently work to automate these processes.

Generated artifacts can be stored in a centralized repository on a routine schedule (e.g., monthly) or RPA bots can be designed to generate the information at will. Additional bots can be designed to tick-mark evidence to aid the internal audit testing process. The measuring of the ROI of automated artifact gathering and testing should consider the time and effort saved on both the audit and business sides.

A word of caution: Often an existing process may require some tweaks to make it a better candidate for automation. Streamlining processes should always be done prior to automating them.

Once the candidates have been identified and prioritized, it is relatively simple to group them by commonalities and then develop a prioritized roadmap outlining which controls/activities will be automated and in what order.

Take the First Steps Now

An old Chinese proverb says every journey begins with a single step. RPA is among the hottest technologies in the market, and there is no reason for internal audit to fall behind in its evaluation and adoption. Taking the first steps often involves tasking an IA team member with a strong aptitude in technology and interest for innovation to take a lead role in developing the automation capability for the broader IA team. Generally, this starts by providing the entire IA team with an initial RPA-awareness session so that everyone understands the technology, the benefits and the processes fit for RPA.

From there, additional in-depth sessions can be provided related to the roles and responsibilities of RPA stakeholders (e.g., business analyst, bot developers), the functions of a Center of Excellence and the overall robotic operating model. Most RPA vendors make (often free) training resources available on their websites for both technical and nontechnical resources. Alternatively, an organization can jump-start its RPA efforts by engaging a third party, but building long-term sustainability requires in-house expertise.

RPA is not a cure-all. Bots, while good at handling highly manual and repetitive rules-based processes, are not the right answer for all activities. A bot is a point solution that can sometimes perpetuate rather than address issues of legacy environments and “technical debt.” Implementing RPA is not a substitute for core platform modernization — though it often can make the process of bridging legacy systems more efficient prior to a modernization project. Nor is every process or task a good automation candidate. Finally, automating a broken process can potentially expose companies to the real risk of making bigger mistakes even faster.

Among the risks associated with implementation of RPA are:

• Picking the wrong activities or process for automation
• Workforce disruption and/or loss of knowledge capital
• Masking legacy environment issues and technical debt
• Insufficient governance and oversight, resulting in lost ROI and increased operational risk
• Insufficient consideration of bot impacts on existing technology and infrastructure