RPA is the automation of digital processes in which a software robot takes over the human actions in any software. The technology simplifies the build, deployment, and management of software robots that emulate human actions interacting with digital systems and software.
In this article, we will outline the use of RPA and the impacts on organizations with their audits. The technology is evolving and now is the time to understand and prioritize opportunities for RPA within businesses and audits. Successful implementation of RPA allows companies to gain efficiencies in repeatable processes/tasks that are associated with all types of audits, including SOC 2 audits.
RPA Implementation Phases & Benefits
Organizations within all industries can utilize RPA to automate tedious tasks that require minimal to no involvement of humans. The one major difference RPA has from traditional automation is that there is no requirement for coding or integration with legacy systems. This allows organizations to have robots up and running relatively quickly and with minimal cost.
RPA robots (BOTs) can perform predefined tasks within the current underlying IT structure, such as preparing invoices or running master data set-up routines. The BOTs have their own names/logins and can interact with systems and applications in the same way as humans. BOTs have the ability to access applications, perform and complete tasks such as data entry, and then sign out of their accounts. Common examples of RPA:
- Employee onboarding tasks
- Customer order processing
- Call center operations
- Scheduling systems
- Data entry
What are the Phases of RPA Implementation?
- The key here is to identify processes that would gain efficiencies and deliver tangible business outcomes with automation.
- RPA objectives should be clearly defined and with key stakeholder involvement.
- Vendor Selection
- This is one of the keys to RPA success and companies should select vendors based on factors such as capabilities, technical requirements, and business case.
- Companies should consider allowing a vendor to complete all configuration tasks for an initial project before taking development in-house to manage configuration on future projects.
- Implementation, Review, and Final Approvals
- This should be considered the most important phase.
- Provide training to all resources involved with the implementation.
- Documentation of key process areas.
- Testing of the environment to identify errors and allowing time for updates.
- Key stakeholder involvement for reviews and approvals.
- Steps taken here to ensure project success could provide the foundation for future RPA projects.
- Deployment/Launch of the Robot
- Once the RPA is launched the work doesn’t stop!
- This phase involves planning for the ongoing success of the software through proactive maintenance.
- Develop RPA strategy to align with business initiatives.
These phases provide a high-level overview, but organizations should always document a thorough project plan for each RPA project. As organizations mature throughout the RPA process, they should establish internal expertise or Subject Matter Experts (SMEs) that would provide essential skills in the long term.
What are the Benefits of RPA?
- Increased Productivity
- BOTs can handle the tasks that are repeatable and mundane for humans in a lot less time. For example, a task that may take a human 3-4 hours would only take the BOT 20 minutes if configured properly.
- Increased Efficiency
- BOTs can work 24/7 and never require breaks.
- Generally, a robot could perform as many manual tasks as 2-4 employees can.
- Increased Security
- When RPA parameters are strictly defined, the risk of data breach/leaks between platforms is relatively minor.
- Reduced human contact during the processing of sensitive data can help achieve compliance and implementation of governance practices.
- Optimized Resource Use
- Humans are prone to errors when it comes to repetitive and mundane tasks. RPA frees up employees from these tasks which allows them to focus on other more important business objectives.
How Will Robotic Processing Automation (RPA) Impact the Auditing Field?
There is always an impact when it comes to compliance and audits as businesses of all sizes adopt RPA technologies. RPA is an evolving technology/process so there are no set standards/frameworks specifically available for auditing RPA environments. Auditors are responsible for performing procedures throughout the audit lifecycle to address the risks emerging from an RPA environment. All domains of general IT controls such as access management, change management, and system operations should be assessed for relevant BOTs. In most cases, a BOT should be viewed as a human during an audit. It should follow the same procedures for onboarding and offboarding in terms of system access. All BOT activity should be monitored and logged the same way human/user activity is monitored and logged.
For both the organization and auditor, it is important to understand the level of RPA whether it is partially or fully in place. This is critical in audit planning and helps identify the impact of the controls. BOTs should be considered as elements of the IT environment. Not every BOT may be relevant for the audit. Any control that is performed by BOTs such as generating reports that are used by the auditor or management needs to be in the audit scope. For SOC 2 audits, RPA should be considered as an automation tool and organizations should consider the risk of using compliance automation tools and how these SOC 2 software tools impact the audit process.
To learn more about SOC 2 automation, check out our article AICPA FAQs on SOC 2 Automation Tools: Insights from an Auditor.
RPA can not only provide organizations with benefits and value to their business operations but there are several ways RPA can provide value throughout the audit process.
Examples of RPA during an Audit
- System Reports
- RPA can be used to drastically reduce hours per year of manual reviews of system reports and improve audit compliance. For example, manual expense report reviews that take several hours for a human to check for completeness and accuracy could be automated and save both the organization and auditor valuable time, as well as help prevent audit fatigue.
- Audit Populations
- RPA gives the ability to audit entire populations rather than the samples. Tests can be run automatically to get results that can be analyzed for an exception or anomaly in the test.
- Reconciliations of System Data
- Hundreds of hours during each audit can be saved by having an RPA configured to perform the reconciliation of data from a different system.
- RPA can help detect suspicious logs associated with IT systems.
- Automated Evidence Collection
- All audits have a mostly manual process of evidence collection which includes many system-generated reports that auditors rely on. RPA can automatically gather documentation of IT systems, transactions, and controls which helps provide continuous assurance, thereby enabling quicker corrective action.
Questions to Consider Throughout the RPA Audit Process:
- RPA Strategy and Governance
- Have you considered the impact of the RPA on your control environment?
- Is RPA included in your overall risk management strategy?
- Change Management
- What procedures are followed for Change management?
- What does the BOT development process entail and how is it controlled?
- Access Management
- Does each BOT have its own login credentials (username/password)?
- How are administrative/elevated access accounts within the RPA environment controlled?
- Are passwords encrypted and stored as per password policies and procedures?
- Cyber Threats & Vulnerabilities
- Are there any associated cyber-risks?
- Does your vulnerability management program cover the BOT environment?
- Business Continuity
- Do you have recovery capability and plans to ensure any disruption in the BOT availability does not impact the business operations?
- Is there a plan for situations where the human workforce no longer knows the manual steps that were previously taken prior to the BOT?
Internal/External audit teams and management are able to considerably reduce hours and resources by deploying BOTs in functions with repetitive tasks. There are several efficiencies that can be gained with RPA in Audits and organizations must prioritize the opportunities for automation. This allows management and the auditors to spend more time focusing on other higher-risk objectives/controls.
The mission to implement RPA in business can seem like a daunting effort, but organizations should determine which processes can be automated to give them the most benefits. This allows them to brainstorm with the right RPA partner to figure out the impact of RPA on people, procedures, and policies. The benefits and value to business operations/objectives should be the main priority, but organizations should always consider how RPA impacts their audits.
As the technology evolves and its adoption becomes mainstream, there will be updated guidance and standards for auditing these environments, so it is best for organizations to remain informed on the industry through updates and changes. Audit firms can provide detailed guidance and instructions around the testing of controls with RPA implementations. It is always best to engage with your audit firm during all the phases of the RPA implementation to ensure compliance.
If you have questions regarding RPA in audits or are interested in engaging our auditing services, please feel free to contact us and our team of audit professionals at Linford & Co.
Umar has over 15 years of experience in internal control-based audit, project management, cybersecurity consulting, attestation, and assurance services; 7 of those years were with the “Big Four” accounting firm, KPMG. He has overseen numerous SOC 1 and SOC 2 audits and other IT Compliance audits, including NIST 800-53. He has vast experience implementing comprehensive IT compliance frameworks for clients both in the public and private sectors. Umar is a certified information systems auditor (CISA) and received his Bachelor of Science degree in Business Information Technology from Virginia Tech.