Internal Audit, Risk, Business & Technology Consulting
ROBOTIC PROCESS AUTOMATION (RPA) AND AUDIT
March 2019
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.
AGENDA
• Digital Workforce: An RPA Overview - How it works, key technologies, and benefits
• Auditing RPA: IA’s role in RPA, Risks to consider when auditing “bots”
• Using RPA for Audit: Leveraging RPA for IA efficiency
DIGITAL WORKFORCE – AN RPA OVERVIEW
Know your “Robot”
RPA NOMENCLATURE
Robots ARE NOT
Physically functioning, moving machines
Voice controlled personal assistants
ROBOTIC PROCESS
AUTOMATION
Robots ARE
Automation software tools
Programs that improve process efficiency by mimicking human interactions with applications
Perhaps considered a misnomer, “Robotics” is an industry term of art used to describe the digitization of business processes.
In contrast to the machines of the industrial revolution, ‘Robots’ (with respect to process automation) are nothing short of software tools that can automate a range of digital activity.
WHAT IS RPA?
Robotic Process Automation (RPA) is the use of software tools that function as a virtual workforce, managed by business operations teams. RPA software is able to execute pre-determined, rules-based tasks, mimicking human interaction with existing applications to automate a variety of business processes.
Robots
• Are computer coded software
• Enable the automation of repetitive, rule-based processes
• Mimic interactions of users
• Work across applications
Process Robot Capabilities
• Automated Data Entry
• System Integration
• Repetitive Tasks
• Process Reconciliation
• Data Validation/Quality
• Processing Simple Business Rules
WHY IS RPA COMPELLING?
Technology-Agnostic
• RPA can work across legacy ERPs, mainframes, custom
applications, desktop applications, and any other types of
IT platforms.
• Any technology platform that can be utilized by a human
can also be navigated by an RPA robot.
Non-Intrusive
• RPA leverages other application software through the
existing application’s interface; therefore, it is not
technically integrated.
• Since complex integration is not required, RPA programs
can be launched in a matter of weeks, resulting in low cost
of implementation and high return on investment.
Scalable and Traceable
• Staff can be trained to maintain, program and deploy
robots.
• Bots are subject to full auditing, with visibility to security
access and modifications.
WHAT ARE THE BENEFITS OF RPA?
Higher Quality
• Reduction in human error
• Complete audit trail
Productivity Increase
• Faster processes and availability around the clock
• Employees can focus on value-adding activities
Cost Reduction
• Lower process costs and scalable
• Rapid return on investment
Ease of Implementation
• Initial results possible within 30 working days
• No significant IT development required
TYPES OF RPA
Attended Automation
These bots reside on the user’s machine and are invoked by the user. They are appropriate for tasks that are triggered at programmatically hard-to-detect points.
Unattended Automation
Unattended bots are like batch processes on the cloud. They complete a data processing task in the background. They are ideal for reducing work of back-office employees.
Hybrid RPA
Attended and unattended RPA bots are combined to provide automation for both front office and back office activities, allowing end-to-end automation of a process.
Sources: Applied AI
ROBOTICS AND THE INTELLIGENCE CONTINUUM
• RPA: Rule-based simple to complex (transactional) processes
• Cognitive Automation: Pattern recognition within unstructured data
• Artificial Intelligence: Self-learning rules continuously rewritten to improve performance
RPA GENERAL USE CASES
Application of RPA/RDA in Daily Business Activities
Robotic Process Automation (“RPA”) and Robotic Desktop Automation (“RDA”) have the potential to provide efficiency gains in general day-to-day business processes and activities. Many organizations are looking to leverage robotics to reduce time spent on low-level tasks, reduce errors, and minimize rework, all while gaining efficiency.
Potential Areas for Automation
Supply Chain
RDA/RPA applications:
• Inventory Management
• Demand and supply planning
• Quote, invoice, and contract management
• Work Order Management
• Freight management
• Return Processing
• Vendor Set Up
• Report Generation
• Trend Tracking
Finance & Accounting
RDA/RPA applications:
• Operational accounting (billing and collections, accounts receivable)
• General accounting (allocations and adjustments, journal entry processing, reconciliations)
• Financial and external reporting
• Treasury processes
• Invoice Processing
• Customer set-up
Audit & Compliance
RDA/RPA applications:
• Continuous monitoring
• Control testing
• Data request & control artifact gathering
• Compliance reporting
• Identifying open items, conducting follow-up, documenting remediation status
• Tracking and monitoring key risk indicators (KRIs)
• Automating reporting & dashboarding activities
RPA GENERAL USE CASES
IT Services
RDA/RPA applications:
• Installations
• FTP download, upload, and backup
• Server and application monitoring
• Folder and file management
• Email related tasks, processing and distribution
• Batch processing
• Data Aggregation and Migration
• Help Desk Processes
• User Provisioning
Systems and Integration
RDA/RPA applications:
• ERP Automation
• Business Intelligence
• Excel Automation
• Application integration
• Data Migration
• ERP Integration
• CSV File Imports
Human Resources
RDA/RPA applications:
• Payroll
• W4 & Employee Form Management
• Onboarding & Off-boarding
• Time & Attendance Management
• Benefits Administration
• Stock Administration
• Education & Training
• Compliance Reporting
• Recruiting Processes
• Personnel Administration
• Data Entry
POLL QUESTION #1
Where is your organization currently on its RPA journey?
A. Not started
B. Exploring use cases but no bots in production (may have bots in proof of
concept)
C. Program has been established with handful of bots in production
D. Program well established with numerous bots in production
E. Not sure
AUDITING RPA
RPA IS A TOP KNOWLEDGE AREA FOR INTERNAL AUDITORS
Source: Protiviti’s 2018 Internal Audit Capabilities and Needs Survey
Robotic process automation, among the top areas in need of improvement, is drawing significant interest from CAEs and internal audit leaders seeking to learn more about how to use it from a business improvement standpoint, as well as how to audit RPA in the organization.
INTERNAL AUDIT’S ROLE IN RPA
1. Assist the company with the identification of risks associated with implementing RPA
2. Provide guidance around control design/enhancements and testing approach
3. Help the company identify and/or recommend control processes well suited for automation, and assess the impact of automating those controls
4. Assist the company in evaluating the ROI and efficiencies gained through RPA
5. Consider how RPA can be used to drive enhanced delivery of IA activities
AUDITING RPA – WHY AND WHERE?
Why Audit RPA?
• While robotics afford improved efficiency and effectiveness, if something goes wrong the negative implications can be rapid and widespread.
• Confirm appropriate controls have been put in place as processes are automated, and that appropriate governance and ownership is established.
• Access required to operate RPA is significant and must be monitored and tested.
• The change management process may pose a serious challenge to maintaining the efficiency and effectiveness levels that robots can achieve.
• Processes are often re-engineered prior to and during the adoption of robots and can result in the loss of controls and introduction of risk.
Audit Areas of Focus
• Performance: How is the RPA performance monitored and measured? Are Key Performance Indicators (KPI) defined?
• Governance: Are there policies and procedures in place defining governance of robotics?
• Identity Management: Are user profiles reviewed on a periodic basis to validate access is appropriately restricted and aligned with the bot’s functional responsibilities?
• Change Management: Does the change management process inhibit the efficiency and effectiveness of RPA?
• Integrity: Are RPA rules routinely reviewed for accuracy?
• Security: Are controls in place to prevent malicious insiders abusing bot access & authority to steal confidential information?
RPA RISK CONSIDERATIONS
Risk categories: Governance; Change Management; Integrity; Availability and Performance; Information Security
• Business process objectives not met
• Compliance / reg requirements not met
• Data retention policies not adhered to by bot design
• Human capital / knowledge loss
• Bot changes lead to disruption
• Upstream / downstream application changes
• Access to bot configuration
• Lack of transaction oversight
• Exceptions not appropriately handled
• Downstream application overload
• Bot or bot environment becomes unavailable
• Bot does not achieve performance expectations / SLAs
• Access to robot’s credentials not controlled
• Security vulnerability affects bot environment
• Excessive access to bot environment
• Human access to bot leads to SOD risk
POLL QUESTION #2
If your organization has deployed bots, has internal audit provided
any advisory or assurance services related to the program?
A. Yes, we have conducted an audit (or performed an advisory review) of
the overall program
B. Not yet, but this is in our plan for the coming year
C. No, and no plans to perform an audit
D. Not sure
USING RPA FOR AUDIT
BENEFITS OF AUTOMATION IN AUDIT, RISK, & COMPLIANCE
Potential Benefits of Automation
• Reduce Budget And Resource Constraints
• Improved Insight & Depth of Coverage – Quantify & Substantiate
• Makes Human Work Less Repetitive And More Analytical – Focus on Higher Value Activities
• Increased Breadth of Coverage – Full Population, Statistical Sampling
• Proactive Monitoring & “Real Time” Insight
• Once Process Is Setup, There is Assurance over Source Data Integrity
• Increase Visibility And Credibility Within The Organization, Skills Development in Team Members
Combining AI with RPA (delivering Intelligent Automation) opens up even more potential
POTENTIAL RPA USE CASES FOR IA AND SOX
Potential Areas for Automation
IT General Controls
• Change Management
• New User Access
• Terminations
• User Access Reviews
• Configurable Control Monitoring
Business Process Controls
• New Hire Setup
• New Customer Setup
• New Vendor Setup
• Duplicate Payment Review
• Reconciliations
• Manual Journal Entries
Internal Audit Activities
• Artifact Requests
• Artifact Tracking
• Work Paper Preparation
• GRC Data Download / Upload
• Remediation Follow Up
• Tracking and Monitoring KRIs
RPA EVALUATION APPROACH
Identify
Evaluate
Prioritize
Categorize
Use a deliberate and measured approach to evaluating whether an activity is a good candidate for RPA…
…Resist the urge to “automate everything” to avoid the risk of early program failures.
KEY CONSIDERATIONS
Cost Saving + Time Saving
OPPORTUNITY ASSESSMENT – FOCUS ON THE RIGHT AREAS
Logical to Automate
Maturity of Process
Availability of Data
Business Value
IDENTIFYING RPA OPPORTUNITY
Characteristics of Processes Ready for Automation
• Low Exception Rate: Processes that do not have a lot of exceptions to the defined business rules
• High Volume: Processes that have large volumes and occur frequently
• Manual: Processes that contain a lot of manual steps
• Quality Requirement: Processes that require a low defect ratio
• Swivel Chair: Processes that involve multiple software applications that are not integrated
• Mature and Stable: Processes that have been standardized and are unlikely to change soon
• Highly Rules-Based: Processes that do not require a lot of judgement
• Large Teams: Processes that are completed by more than one person
• Readable Text Format: Processes that contain structured data
• Stable Environment: Technology systems or organization are not planned to change in the near term
THE RPA DELIVERY LIFECYCLE
Opportunity Assessment
Define / Design
Build / Test
Deploy
Operate
Center of Excellence
Foundations
Business Foundation
• Strategy
• Governance
• Sponsorship
• Business Case
Technology
• Infrastructure
• Security Policy
• Software
• Change Management
Drive the change, are responsible for the quality of each element, & provide the necessary expertise to deliver an effective RPA program
POLL QUESTION #3
What progress has your organization’s internal audit function made
with RPA?
A. Not started
B. Exploring use cases but no bots in production (may have bots in proof of
concept)
C. Internal audit has a handful of bots in production
D. Internal audit has a well-established RPA program with numerous bots
in production
E. Not sure
Q & A