Risks Presented in Adopting RPA
with co-author Barton Edgerton
A large number of organizations are quickly moving to implement robotic process automation (RPA) across a wide variety of corporate functions, ranging from shared services to finance. Most audit departments will soon confront RPA in many processes previously controlled by humans. This presents a new set of challenges for auditors as they confront a new technology, altered processes to accommodate that technology and new emerging risks.
Some publications suggest that robots will soon invade the corporate enterprise, but the truth is they are already here and being deployed in great numbers. Just under two years ago, 70 percent of shared services functions at large organizations reported that they had not done any work with robotics. Today, only 17 percent of shared services functions remain in that category. Robotic process automation (RPA) is also pervasive in finance, accounting and other areas of the business where processes are stable, repetitive and high volume. As the use of RPA expands, audit cannot help but face formerly human-controlled processes that are now performed robotically.
Robotics software differs from other forms of automation by its ability to span multiple systems. It is also extremely flexible and can be taught nearly any standard rules-based process or activity. It mimics human interaction with IT systems, but can execute rules-based steps in a fraction of the time a person can. The software can also record and capture a series of steps across multiple systems.
Although RPA can include advanced cognitive computing capabilities that automate decision-making, it does not have to. RPA by itself is at the low end of the spectrum of automation solutions. Advanced cognitive computing tools can include, for example, the use of machine learning to interpret unstructured data and identify patterns and solutions. These may be added to RPA, but they are not a necessary feature. The ultimate end of this continuum is true artificial intelligence, which has yet to be developed but refers to machines that possess intelligence indistinguishable from that of a human.
RPA is quickly becoming ubiquitous in large organizations. By 2020, automation and smart machines will reduce employee requirements in these shared services centers by 65 percent. By then, more than 40 percent of data science tasks will be automated. Within the next few years, audit is increasingly likely to encounter RPA in routine audit engagements.
Because RPA’s purpose is to mimic human activities, many controls around RPA processes are likely to look similar to those of the processes they are replacing. However, RPA implementation often includes process redesign, which will introduce new business, governance and cybersecurity risks to organizations. Audit should, therefore, consider the following risks when evaluating RPA pilots or implementations:
- Unsuitable Human System Integration — Because RPA bots often mimic exact human activity (e.g., opening and reading email), organizations should be careful to ensure that such access does not automatically initiate other types of rights for services. For example, several organizations have reported that the creation of an employee ID, which is necessary for creating an email username, also initiated the purchase and delivery of cell phones and security badges that were then sent to bot
- Tough Job Changes — RPA implementation often changes day-to-day jobs of those employed not only in direct bot implementation, but also in upstream and downstream processes.
- Software Overreach — Although RPA is a new tool with low implementation costs and quick turnaround time, organizations run the risk of applying it to processes where traditional tools are more appropriate.
- Disconnected Vendors — Because RPA is so easily implemented, business units may implement RPA independently and outside of managed vendor relationships, placing the business at risk from having several unconnected vendors supplying the same services.
- Implementation Mismanagement — While RPA is easy to implement, several aspects of implementation – such as scripting, day-to-day administration and exceptions monitoring – require a clear governance structure that includes established roles and responsibilities.
- Mishandled Objective Setting — As with human systems, RPA processes should retain clear segregation of duties so that the same employee is not in charge of, for example, creation, maintenance, monitoring and reprogramming.
- Poor Business Integration – Unless integrated into central systems, RPA can sit outside of IT security protocols, increasing IT risks.
- Malware – Bots may not have the ability to differentiate fraudulent emails from legitimate ones, increasing the potential exposure to malware.
- Vendor Protection – There is no security standard among RPA vendors, leading to significant variation in the work organizations must perform to ensure a secure environment.
To address these and other risks, audit is starting to play a new role in many organizations. Audit’s work can include:
- Governance: An RPA program should have a robust governance structure to determine roles and responsibility for developing and maintaining appropriate controls. This approach will help determine which processes are appropriate for RPA, how RPA is implemented and how the processes are maintained. Audit should ensure that the appropriate governance structure is in place and followed, and it can also help the business create the framework.
- Controls Review: RPA implementation often includes process re-engineering. Audit must ensure that relevant controls are not accidentally eliminated and that new risks have adequate controls in place.
- Exception Management: RPA can increase the volume of transactions processed, which may greatly increase the number of process exceptions. Audit should be tasked with making sure there is a clear process in place to effectively manage these exceptions.
- Business Continuity: As with any technology, there’s always a risk of hiccups. With RPA, it’s audit’s responsibility to assure the rest of the business that newly automated systems have back-up plans for continuing critical operations in the event RPA systems go down accidentally or on purpose.
RPA is here and likely to be the vanguard of automation efforts that will continue to make headway into the corporate enterprise. As audit encounters RPA, it must be on the lookout for new risks that might arise. Further, there are clear opportunities for audit to add value. Governance, controls review, exception management and business continuity present early opportunities for audit to support automation across the firm.