Robotic process automation (RPA) has been gaining traction as an efficient way to automate labor-intensive and repetitive tasks across a variety of business functions, including finance, accounting, technology, legal, HR, and, increasingly, audit and compliance.
As the popularity of this relatively simple and affordable technology increases, internal audit departments are starting to realize that RPA can make their work more effective and efficient by improving audit coverage and automating many routine audit tasks. This, in turn, can free up time for more strategic, value-adding work (e.g., work that requires a depth of evaluation and judgment not available through RPA solutions).
That said, there remains precious little adoption of RPA within internal audit. In some cases, this is due to a gap in understanding how exactly RPA should be applied to internal audit activities and which activities are the best candidates to automate. In other cases, the awareness of RPA as an efficiency tool is tempered by an inherent reluctance to innovate that exists with some internal audit functions.
Consider a Structured Approach, but Don’t Overcomplicate It
The best way to determine where RPA can deliver maximum return on investment (ROI) is to take a structured approach to identify, evaluate, categorize and prioritize automation candidates.
For example, suitable tasks for automation are those that are routine, manually intensive, prone to human error and rules-driven (i.e., not overly subjective) and for which supporting data is readily available and easily readable.
This identification process doesn’t need to be complicated. It can be as simple as getting the audit group together and brainstorming about which routine administrative, project-related or stakeholder-facing activities meet the above criteria.
Control-testing automation or use of automation to expand coverage (e.g., through testing larger sample sizes or full populations) are obvious areas to explore, but also consider routine internal audit activities such as document request management, artifact gathering, interactions with GRC platforms, process and control owner follow-ups and reminders, issue validation, and even initial report generation. Some of these more administrative-type tasks are often collectively the most time-consuming while also delivering little value compared to the effort required. Such automation-opportunity brainstorming sessions often yield a medium-to-long RPA candidate list fairly quickly.
The next step is to evaluate this list to determine which candidates are likely to offer the best ROI. This can be accomplished by evaluating the automation potential of each candidate, both in terms of technical feasibility and the expected value that automation can deliver (through increased efficiency, coverage/effectiveness, and even making the job of those currently performing the tasks manually less mentally taxing).
In evaluating potential RPA scenarios and their ROI, it is important to look beyond traditional measures, such as employee reduction or cost savings, to less tangible metrics like increased visibility and credibility for the internal audit organization; increased insight, breadth and depth of coverage; ability to provide more real-time monitoring; and an ability to focus on more value-add activities. These metrics are important because they impact the quality of internal audit’s interactions with its key stakeholders.
A good outcome might also include expanded audit capabilities. In the case of control testing, for example, RPA allows internal audit teams to move beyond traditional detective or preventative methodologies of periodic artifact requests and move to continuous auditing, reducing an audit cycle that may have previously taken several weeks to a fairly instantaneous process. Auditees also benefit because they can spend more time on their business-as-usual activities, and in the event of a control deficiency, they get closer to real-time results and have longer runways for remediation.
Automated artifact gathering can also position internal audit to be more autonomous while reducing the burden on the business. For example, internal audit functions can partner with the business to understand the process followed to generate audit artifacts (including the systems involved) and subsequently work to automate these processes.
Artifacts can be generated and subsequently stored in a centralized repository on a routine schedule (e.g., monthly), or RPA bots can be designed to generate the information at will. Once the audit artifacts are generated, additional bots can be designed to tick-mark evidence to aid the internal audit testing process. A key point: The measuring of the ROI of automated artifact gathering and testing should consider the time and effort saved on both the audit and business sides.
A word of caution: Often, an existing process may require some tweaks to make it a good (or better) candidate for automation. Streamlining processes should be done prior to automating them. There is little sense in automating a poorly designed or a continuously changing process.
Once the candidates have been identified and prioritized to a shorter list of high-value targets, it is a relatively simple matter to group them by commonalities and then develop a prioritized road map outlining which controls/activities will be automated, and in what order.
Take the First Steps Now
An old Chinese proverb says every journey begins with a single step. RPA is among the hottest tech in the market, and there is no reason for internal audit to fall behind in the evaluation and adoption of how it can deliver efficiency, effectiveness and other benefits to the IA activity. Taking the first steps often involves tasking an IA team member with a strong aptitude in technology and interest for innovation to take a lead role in developing the automation capability for the broader IA team. Generally, this starts by providing the entire IA team with an initial RPA-awareness session so that everyone understands the technology, the benefits and the processes fit for RPA.
From there, additional in-depth sessions can be provided related to roles and responsibilities of RPA stakeholders (e.g., business analyst, bot developers), the functions of a Center of Excellence, and the overall robotic operating model. Most RPA vendors make training resources available on their websites (many of which are free), and it doesn’t take much time to get up to speed. Training tracks are available for both technical and nontechnical resources. Alternatively, an organization can jump-start its RPA efforts by engaging a third party, but even so, building long-term sustainability is going to require in-house expertise.
For further reading, check out the RPA section on our website. To see an example of how one organization approached audit automation for Sarbanes-Oxley compliance using Protiviti’s approach, click here. Also, explore related blog posts on The Protiviti View.
Andrew Struthers-Kennedy, a Managing Director with Protiviti’s IT Audit practice, contributed to this content.
good