Internal Audit, Risk, Business & Technology Consulting

Among the new technologies that promise to drive cost savings and improve

business efficiency and effectiveness, robotic process automation (RPA) has

captured the attention of organizations. A growing number of companies

are looking to realize these benefits by automating mundane and repetitive

activities. Typically, such RPA initiatives target administrative programs and

procedures within a variety of departments, including finance, accounting,

technology, legal, HR, audit and compliance.

One Fortune 500 company that provides technology solutions in North

America and Europe, identified an opportunity to deploy RPA within its

audit department to automate Sarbanes-Oxley (SOX) control testing. Because of

the necessary investment, the audit department was keen on partnering with

the business to help understand the potential value to the organization of

automating certain SOX compliance controls and processes. In an effort to

maximize the ROI of the automation effort and avoid missing opportunities,

the audit department approached Protiviti with one simple question: “Where

and how do we get started?”

Keys to Success

Change Requested

Guidance on how to create an

innovative audit program utilizing

next-generation robotic process

automation (RPA) technology

Change Envisioned

Automate repetitive and time-

consuming Sarbanes-Oxley (SOX)

accounting controls and processes

Change Achieved

A comprehensive assessment of

control testing and/or control

processes identified the best

candidates for automation with

the greatest overall ROI potential.

CLIENT STORY

Fortune 500 company drives RPA innovation with a strong ROI-based strategy

protiviti.com Client Story

Building a Blueprint

Protiviti has provided audit and SOX compliance services to the organization

over the last several years. During that time, the Protiviti project team has

kept an eye toward finding opportunities to improve the quality and efficiency

of their work and deliver cost savings within the audit department. Building

an RPA technology strategy to drive efficiencies and cost savings within key

business areas of the audit department was thus a welcome opportunity.

Protiviti assembled an RPA assessment team that included both technical

resources and members of the audit and SOX compliance teams, allowing

it to drive the right synergies and efficiencies during the assessment. The

SOX experts in this group were intimately familiar with how much time and

effort it took to complete testing, review and validate key reports, complete

management reviews, and perform other tasks related to SOX compliance.

Further, the integration of the Protiviti audit team resources allowed for

the identification and communication of potential risks that may be posed

by implementing RPA into SOX compliance procedures and the outlining of

appropriate mitigating solutions.

Next, this integrated assessment team worked with the client to create an

RPA SOX index — essentially, a broad scoping and prioritization exercise to

determine which high-risk SOX control processes/activities offered the most

potential to deliver value.

The RPA assessment approach consisted of the following four stages:

Align on Objectives

Build Automation Road Map

Define Evaluation Criteria Define Automation Themes Rank Each Candidate

Control Set/Activities Select Automation Candidates Categorize by Theme

IDENTIFY EVALUATE PRIORITIZECATEGORIZE

CLIENT STORY

protiviti.com Client Story

Identify — Working with the audit department, the project team defined the

objectives of the assessment. Once the objectives were defined, the project team

reviewed the current inventory of SOX process controls and other activities and

filtered out those that were already automated.

Evaluate — Focusing on the identified controls and activities, the project team

evaluated each one of them to determine the potential value that could be

delivered by automating it. The team relied on a Protiviti-developed automation

evaluation methodology for this step.

Categorize — Once the controls, control processes and activities were

reviewed and evaluated against the automation evaluation criteria, they were

categorized by automation “themes.” The project team tagged each control/

activity to one of four automation categories based on commonalities among

the control/activity population: account reconciliation automation, automation

of calculation, automation of user access review and/or provisioning access, or

automation of approvals.

Prioritize — Finally, each control/activity was ranked high, medium or low

priority for automation, and the ranking was confirmed with the business

process owners. The assigned ranking was then used to develop an automation

road map, outlining the controls/activities with which to move forward during

the automation pilot.

A Clear and Methodical Process Focused on Value Delivery

Each phase included a deliberate and methodical evaluation that prioritized the

RPA candidates based on their investment return value, avoiding the temptation

to automate anything that could be automated. For example, in the evaluation

phase, the activity’s frequency, the volume of transactions associated with a

process, the availability and accessibility of the data, and other characteristics of

the activity were all carefully considered and an aggregated score was assigned

reflecting the value potential of the automation.

Similarly, in the prioritization phase, the ranking of candidates took into account

not just time and cost savings, but also other aspects, such as the potential of the

automated control to reduce errors. Ultimately, these considerations drove the

company’s decision on which controls to automate. A high priority designation

was reserved for the automation candidates with the most promising ROI, while

those less suited for automation and lacking a robust or clear ROI potential were

ranked medium or low. Also considered during this phase was how much effort

it would take to script the bot for each control.

In the final count, Protiviti came

up with list of more than 100

control/activity candidates for

automation. Thanks to the thorough

and methodical approach, the list

made sense to management and

created a solid business case for

further investment. More important,

the method helped avoid the “rush

to implement” trap that many

organizations fall into with new

and emerging technologies.

CLIENT STORY

© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0918-102117 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face

the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk

and internal audit to our clients through our network of more than 70 offices in over 20 countries. 

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies,

including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948,

Robert Half is a member of the S&P 500 index.

In the final count, Protiviti came up with a list of more than 100 control/

activity candidates for automation. Thanks to the thorough and methodical

approach, the list made sense to management and created a solid business

case for further investment. More important, the method helped avoid the

“rush to implement” trap that many organizations fall into with new and

emerging technologies.

The methodical approach assisted the organization in further defining its RPA

strategy and automation road map, allowing management to move forward

with confidence in the type of return each automated activity could generate.

The work was valuable not only in highlighting what should be automated, but

also what shouldn’t be automated within the audit department, even though

it’s possible. Organizations that take an honest, risk-informed and ROI-based

approach to their automation investment are more likely to succeed in their

RPA efforts than those that invest in automation driven by pressure to innovate

but without a clear, outcomes-driven RPA strategy.

CLIENT STORY