Are You Familiar With Robotic Process Automation?
Robotic process automation (RPA) has been gaining traction as an efficient way to automate labor-intensive and repetitive tasks across a variety of business functions, including finance, accounting, technology, legal, HR, and, increasingly, audit and compliance.
As the popularity of this relatively simple and affordable technology increases, internal audit departments are starting to realize that RPA can make their work more effective and efficient by improving audit coverage and automating many routine audit tasks. This, in turn, can free up time for more strategic, value-adding work (i.e., work that requires a depth of evaluation and judgment not available through RPA solutions).
That said, there remains precious little adoption of RPA within internal audit. In some cases, this is due to a gap in understanding how exactly RPA should be applied to internal audit activities and which activities are the best candidates to automate. In other cases, the awareness of RPA as an efficiency tool is tempered by an inherent reluctance to innovate that exists within some internal audit functions.
Consider a Structured Approach, but Don’t Overcomplicate It
The best way to determine where RPA can deliver maximum return on investment (ROI) is to take a structured approach to identify, evaluate, categorize and prioritize automation candidates.
For example, suitable tasks for automation are those that are routine, manually intensive, prone to human error and rules-driven (i.e., not overly subjective) and for which supporting data is readily available and easily readable.
This identification process doesn’t need to be complicated. It can be as simple as getting the audit group together and brainstorming about which routine administrative, project-related or stakeholder-facing activities meet the above criteria.
Control-testing automation or use of automation to expand coverage (e.g., through testing larger sample sizes or full populations) are obvious areas to explore, but also consider routine internal audit activities such as document request management, artifact gathering, interactions with GRC platforms, process and control owner follow-ups and reminders, issue validation, and even initial report generation. Some of these more administrative-type tasks are often collectively the most time-consuming while also delivering little value compared to the effort required. Such automation-opportunity brainstorming sessions often yield a medium-to-long RPA candidate list fairly quickly.
The next step is to evaluate this list to determine which candidates are likely to offer the best ROI. This can be accomplished by evaluating the automation potential of each candidate, both in terms of technical feasibility and the expected value that automation can deliver (through increased efficiency, greater coverage/effectiveness, and even a less mentally taxing job for those currently performing the tasks manually).
In evaluating potential RPA scenarios and their ROI, it is important to look beyond traditional measures, such as employee reduction or cost savings, to less tangible metrics like increased visibility and credibility for the internal audit organization; increased insight, breadth and depth of coverage; ability to provide more real-time monitoring; and an ability to focus on more value-added activities. These metrics are important because they impact the quality of internal audit’s interactions with its key stakeholders.
A good outcome might also include expanded audit capabilities. In the case of control testing, for example, RPA allows internal audit teams to move beyond traditional detective or preventative methodologies of periodic artifact requests and toward continuous auditing, reducing an audit cycle that may have previously taken several weeks to a fairly instantaneous process. Auditees also benefit because they can spend more time on their business-as-usual activities, and in the event of a control deficiency, they get closer to real-time results and have longer runways for remediation.
Don’t Forget About Governance
Governance – the establishment of policies and the implementation and monitoring of those policies under a governing body – is a foundational component of any RPA program. RPA program governance is not unlike the governance of other technologies, in that it requires a clear strategy, effective risk management, discipline and commitment, good documentation and information sharing, and regular self-evaluation.
Some signs an organization might lack good RPA governance include:
- Lack of a sponsor/champion
- Poorly documented or non-existent policies
- Poorly defined roles
- Knowledge not captured and shared
Learn more about RPA by exploring these related publications on KnowledgeLeader:
- Deploying Robots Upstream: How to Evaluate the Opportunities and Make the Business Case