Building Bot Boundaries: RPA Controls in SOX Systems

Andrew Struthers-Kennedy, Managing Director Global Practice Lead, Internal Audit and Financial Advisory
Angelo Poulikakos, Managing Director Global Leader, Technology Audit and Advisory practice

There is often a tendency in RPA implementations to automate as much as possible, focusing more on the value the technology can deliver and less on which activities are the right ones to automate or what risks may be introduced or increased in the process. This is the natural tension between the pursuit of innovation and the need for controls. As seasoned business leaders know, innovation is not without risk, and the history of technology initiatives is rife with stories of unintended consequences. For many companies, especially those with SEC reporting obligations, this risk is heightened when finance and accounting processes and controls are the focus of automation initiatives.

As highlighted in our recent Sarbanes-Oxley (SOX) Compliance Survey, SOX effort and costs continue to rise for many organizations, and organizations are increasingly interested in exploring ways in which RPA can help them balance out the SOX effort-cost equation. Yet, RPA is new territory for a majority of organizations, and the implications and risks to internal control over financial reporting (ICFR) are not yet fully appreciated.

This blog post examines some of the SOX compliance challenges that may result from an RPA implementation and how to avoid them.

Common Issues

In the pursuit of RPA adoption, we often see organizations give insufficient consideration to the importance of strong IT general controls (ITGCs) around the RPA implementation process. It is critical to design appropriate security, change management and IT operational controls to help mitigate the risks of unauthorized access to the bots, excessive privileges granted to the bots themselves, data loss, and data integrity issues. It is not uncommon for bots to be deployed (through either a central RPA platform or as desktop solutions) with default credentials still enabled and without proper governance around security and change management.

Another situation that arises frequently is the consolidation of multiple activities into a single automated process to generate efficiencies, only to find out later that the RPA team has inadvertently changed the design of an existing control or unintentionally created a segregation-of-duties (SoD) conflict. SoD conflicts arise when the organization evaluates a user's access and a bot's access separately and never considers the combined result: the actions the initiating individual can perform directly, plus every action performed by a bot that individual is able to trigger. Consider a transaction that requires a separate initiator and reviewer: if there are no adequate access restrictions or other controls over who may trigger the bot, the reviewer could also trigger the bot to initiate transaction processing, and the initiator and reviewer are effectively the same person. This type of scenario needs to be thoughtfully considered and planned for as the bots are being designed, secured and deployed.
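The SoD analysis described above can be automated: treat the right to trigger a bot as the right to perform every action the bot performs under its service account, then test the resulting effective permissions against the organization's conflict matrix. The script below is an added example and is not part of the original post or any RPA vendor's tooling; the user names, bot name, permission strings and conflicting pairs are constructed for illustration, and it reproduces the reviewer-who-can-trigger-the-initiator-bot case from the paragraph above.

```python
"""Effective-permission segregation-of-duties (SoD) check for RPA bots.

Added example, not code from the original post. All names, permission strings
and conflict pairs below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from itertools import product

# Pairs of actions that must never be held by one person (constructed matrix).
CONFLICTING_PAIRS = frozenset({
    frozenset({"je.create", "je.approve"}),          # initiate vs. review a journal entry
    frozenset({"vendor.create", "payment.release"}), # create a payee vs. pay it
})


@dataclass(frozen=True)
class Bot:
    name: str
    actions: frozenset        # actions performed under the bot's service account
    triggered_by: frozenset   # users allowed to start the bot


@dataclass(frozen=True)
class User:
    name: str
    direct: frozenset         # permissions held in the user's own account


def effective_permissions(user: User, bots: list) -> dict:
    """Map each action the user can cause to the sources that grant it.

    Direct permissions count, and so does every action of any bot the user can
    trigger: for SoD purposes, triggering a bot is performing its actions.
    """
    sources = {action: {"direct"} for action in user.direct}
    for bot in bots:
        if user.name in bot.triggered_by:
            for action in bot.actions:
                sources.setdefault(action, set()).add(f"bot:{bot.name}")
    return sources


def sod_conflicts(user: User, bots: list) -> list:
    """Return (action_a, source_a, action_b, source_b) for each violated pair.

    The source fields show *why* the user holds each side of the conflict, so the
    remediation (remove a direct grant or a bot trigger right) is obvious.
    """
    effective = effective_permissions(user, bots)
    found = []
    for pair in sorted(CONFLICTING_PAIRS, key=sorted):
        a, b = sorted(pair)
        if a in effective and b in effective:
            for src_a, src_b in product(sorted(effective[a]), sorted(effective[b])):
                found.append((a, src_a, b, src_b))
    return found


def report(users: list, bots: list) -> dict:
    """Conflicts per user across the whole population."""
    return {u.name: sod_conflicts(u, bots) for u in users}


# Constructed sample data: a bot that posts journal entries, started by either
# the AP clerk or the GL reviewer. The reviewer approves entries directly.
JE_POSTER = Bot("JE_Poster", frozenset({"je.create"}), frozenset({"ap_clerk", "gl_reviewer"}))
USERS = [
    User("ap_clerk", frozenset({"invoice.enter"})),
    User("gl_reviewer", frozenset({"je.approve"})),
]

# Remediated version of the same bot: only the clerk may trigger it.
JE_POSTER_FIXED = Bot("JE_Poster", frozenset({"je.create"}), frozenset({"ap_clerk"}))

if __name__ == "__main__":
    for name, conflicts in report(USERS, [JE_POSTER]).items():
        status = "OK" if not conflicts else "; ".join(
            f"{a} ({sa}) vs {b} ({sb})" for a, sa, b, sb in conflicts)
        print(f"{name}: {status}")
```

Run against the sample data, `gl_reviewer` is flagged because `je.approve` comes from the reviewer's own account while `je.create` arrives through the bot trigger right; neither review in isolation would have caught it. The check is only as good as its inputs, so the bot's action list should come from the keystroke-level bot documentation rather than from the development team's description of intent, and the trigger list from the RPA platform's actual configuration.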

Minding the Risk

To avoid RPA missteps like these, it is important to engage internal audit and the internal controls team from the outset to help identify potential risks and gaps in internal controls based on the RPA road map. This is critical while identifying the areas prioritized for automation, during the implementation of the RPA platform and related governance processes, and during the deployment and ongoing operation of the bots. By including a risk and controls perspective in automation as it is being pursued, an organization will be able to move as fast as possible while remaining safe. One way to think about controls is to view them as the brakes on a race car — not intended to slow the car down but to allow it to get around curves as fast as possible without crashing.

Before implementing RPA, consider the following five success factors:

  1. Involve internal audit — Engaging internal audit or other internal control teams from the starting line can help surface risks and ensure that proper governance and controls in the new automated environment are considered in the design process and are ultimately in place and functioning properly.
  2. Implement ITGCs — RPA platforms and bots both require proper ITGCs, especially related to security, processing integrity and change management. Internal audit is well positioned to perform an ITGC readiness assessment before bots are deployed in production.
  3. Identify SOX bots — Bots that support transaction processing or have the potential to impact ICFR should be identified and flagged as part of automation opportunity identification and prioritization. These bots will receive extra scrutiny from external auditors, so there should be a commensurate level of review and validation from internal audit and internal controls teams.
  4. Show your work — All bots should be well documented during their design and development in accordance with a well-defined bot development life cycle methodology (similar to a system development life cycle, or SDLC). This means a bot’s requirements, system access, designs and actions should be thoroughly documented (at a keystroke level). Auditors will want to know how a bot’s actions match the actions a person previously performed manually – not just how the bot steps through the process but how it handles exceptions (both business and technical). This is key because the identification and correction of exceptions is vitally important from a controls standpoint. When contemplating the effort to create this level of documentation, consider the benefit it provides and be aware that process discovery technologies are now available.
  5. Verify outputs — Processing integrity is critical. Just because a bot automatically performs a transaction doesn’t mean the business can “set it and forget it.” Business owners of bots need to make sure the automated process is completed effectively by monitoring transactional logs and flagging any unexpected processing activities or errors.

Of course, the items addressed above are just one set of considerations related to bots in the SOX environment. In a future blog, we will explore how RPA solutions and bots should be scoped and tested from a SOX perspective.

Automation, when done right, can be a powerful tool for reducing costs and improving efficiency and can ensure ongoing business relevance in today’s competitive market. So far, there has been limited public discussion by the PCAOB on how RPA should be addressed when part of the scope of SOX activities, although that will likely change. Taking the time to think through and develop good RPA governance and controls from the outset can help ensure that organizations achieve the ROI they seek without creating unintended SOX compliance consequences and exposing themselves to reputation damage and regulatory concerns.

Learn more about Protiviti’s Robotic Process Automation services.

Sharon Delgado, Associate Director, and Cassie Putnam, Director, of Protiviti’s Internal Audit practice contributed to this content.
