Internal Audit, Risk, Business & Technology Consulting
Among the new technologies that promise to drive cost savings and improve
business efficiency and effectiveness, robotic process automation (RPA) has
captured the attention of organizations. A growing number of companies
are looking to realize these benefits by automating mundane and repetitive
activities. Typically, such RPA initiatives target administrative programs and
procedures within a variety of departments, including finance, accounting,
technology, legal, HR, audit and compliance.
One Fortune 500 company that provides technology solutions in North
America and Europe identified an opportunity to deploy RPA within its
audit department to automate Sarbanes-Oxley (SOX) control testing. Because of
the necessary investment, the audit department was keen on partnering with
the business to help understand the potential value to the organization of
automating certain SOX compliance controls and processes. In an effort to
maximize the ROI of the automation effort and avoid missing opportunities,
the audit department approached Protiviti with one simple question: “Where
and how do we get started?”
Keys to Success
Change Requested: Guidance on how to create an innovative audit program utilizing next-generation robotic process automation (RPA) technology
Change Envisioned: Automate repetitive and time-consuming Sarbanes-Oxley (SOX) accounting controls and processes
Change Achieved: A comprehensive assessment of control testing and/or control processes identified the best candidates for automation with the greatest overall ROI potential.
CLIENT STORY
Fortune 500 company drives RPA innovation with a strong ROI-based strategy
protiviti.com Client Story
Building a Blueprint
Protiviti has provided audit and SOX compliance services to the organization
over the last several years. During that time, the Protiviti project team has
kept an eye toward finding opportunities to improve the quality and efficiency
of their work and deliver cost savings within the audit department. Building
an RPA technology strategy to drive efficiencies and cost savings within key
business areas of the audit department was thus a welcome opportunity.
Protiviti assembled an RPA assessment team that included both technical
resources and members of the audit and SOX compliance teams, allowing
it to drive the right synergies and efficiencies during the assessment. The
SOX experts in this group were intimately familiar with how much time and
effort it took to complete testing, review and validate key reports, complete
management reviews, and perform other tasks related to SOX compliance.
Further, the integration of the Protiviti audit team resources allowed for
the identification and communication of potential risks that may be posed
by implementing RPA into SOX compliance procedures and the outlining of
appropriate mitigating solutions.
Next, this integrated assessment team worked with the client to create an
RPA SOX index — essentially, a broad scoping and prioritization exercise to
determine which high-risk SOX control processes/activities offered the most
potential to deliver value.
The RPA assessment approach consisted of the following four stages:
[Figure: the four assessment stages, IDENTIFY, EVALUATE, CATEGORIZE and PRIORITIZE. Diagram labels: Align on Objectives; Select Automation Candidates; Define Evaluation Criteria; Control Set/Activities; Define Automation Themes; Categorize by Theme; Rank Each Candidate; Build Automation Road Map.]
Identify — Working with the audit department, the project team defined the
objectives of the assessment. Once the objectives were defined, the project team
reviewed the current inventory of SOX process controls and other activities and
filtered out those that were already automated.
Evaluate — Focusing on the identified controls and activities, the project team
evaluated each one of them to determine the potential value that could be
delivered by automating it. The team relied on a Protiviti-developed automation
evaluation methodology for this step.
Categorize — Once the controls, control processes and activities were
reviewed and evaluated against the automation evaluation criteria, they were
categorized by automation “themes.” The project team tagged each control/
activity to one of four automation categories based on commonalities among
the control/activity population: account reconciliation automation, automation
of calculation, automation of user access review and/or provisioning access, or
automation of approvals.
Prioritize — Finally, each control/activity was ranked high, medium or low
priority for automation, and the ranking was confirmed with the business
process owners. The assigned ranking was then used to develop an automation
road map, outlining the controls/activities with which to move forward during
the automation pilot.
A Clear and Methodical Process Focused on Value Delivery
Each phase included a deliberate and methodical evaluation that prioritized the
RPA candidates based on their investment return value, avoiding the temptation
to automate anything that could be automated. For example, in the evaluation
phase, the activity’s frequency, the volume of transactions associated with a
process, the availability and accessibility of the data, and other characteristics of
the activity were all carefully considered and an aggregated score was assigned
reflecting the value potential of the automation.
Similarly, in the prioritization phase, the ranking of candidates took into account
not just time and cost savings, but also other aspects, such as the potential of the
automated control to reduce errors. Ultimately, these considerations drove the
company’s decision on which controls to automate. A high priority designation
was reserved for the automation candidates with the most promising ROI, while
those less suited for automation and lacking a robust or clear ROI potential were
ranked medium or low. Also considered during this phase was how much effort
it would take to script the bot for each control.
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0918-102117 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face
the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk
and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies,
including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948,
Robert Half is a member of the S&P 500 index.
In the final count, Protiviti came up with a list of more than 100 control/
activity candidates for automation. Thanks to the thorough and methodical
approach, the list made sense to management and created a solid business
case for further investment. More important, the method helped avoid the
“rush to implement” trap that many organizations fall into with new and
emerging technologies.
The methodical approach assisted the organization in further defining its RPA
strategy and automation road map, allowing management to move forward
with confidence in the type of return each automated activity could generate.
The work was valuable not only in highlighting what should be automated, but
also what shouldn’t be automated within the audit department, even though
it’s possible. Organizations that take an honest, risk-informed and ROI-based
approach to their automation investment are more likely to succeed in their
RPA efforts than those that invest in automation driven by pressure to innovate
but without a clear, outcomes-driven RPA strategy.