4 minute read 16 Nov 2018
business people writing on glass wall in boardroom

How internal audit can help make RPA implementation a success

By

Amy Brachio

EY Global and Americas Advisory Risk Leader

Industry leader in risk management. A voice for working women. Passionate about diversity and inclusiveness. Mother. Wife.

Contributors
4 minute read 16 Nov 2018
Related topics Advisory Risk Automation Digital

Failing to plan for RPA integration can derail potential gains. Internal audit can help mitigate the risks.

Robotic process automation (RPA) is quickly becoming an integral part of how businesses operate, streamlining and aligning many processes that until now have proved tedious, time-consuming and difficult to error-proof.

“Bots” are software that can perform repetitive, high-volume tasks, freeing employees to focus on projects that generate higher value for an organization. Companies are using these applications to improve performance and data quality. But diving into RPA without a strategy that considers all aspects of the risks and costs associated with this technology can be as dangerous as disregarding the technology altogether.

Now is the time to plan for RPA integration. Success relies on a holistic strategy, one where the projected goals of an RPA-assisted operation could prove the difference between being cutting-edge and becoming obsolete. As with any new technology, managing governance, risk and controls is essential. Organizations often underestimate the challenges associated with integrating RPA, which can leave them vulnerable to risks and may result in lost opportunities.

Failing to be proactive could threaten the business environment, derail any potential gains and impact the return on such a major investment.

Diving into RPA without a strategy that considers all aspects of the risks and costs associated with this technology can be as dangerous as disregarding the technology altogether.
Amy M. Brachio
EY Global and Americas Advisory Risk Leader

How can internal audit help?

Internal audit can help the organization before, during and after implementation by:

  • Working with management to identify the risks
  • Providing advice concerning the design of appropriate controls
  • Evaluating the steps taken by management to appropriately address a multitude of risks
  • Recommending internal control enhancements.

As they evaluate the risks, controls and efficiency of RPA during development, implementation and beyond, internal auditors should consider the following key questions:

Before RPA implementation

  • Has executive management defined a strategy, objectives and priorities for RPA adoption across the enterprise?
  • What level of automation currently exists? How mature are the processes in terms of changes that are occurring or new requirements being defined?
  • Has a governance framework been refreshed to address the additional risks from RPA?
  • How will the reallocation and reprioritization of the workforce be managed?
  • Have all appropriate functions within the organization been engaged early and continuously in the journey?
  • Does the organization have the skill sets to deal with the increased complexity presented by RPA?
  • Have security, regulatory compliance, financial, including internal controls over financial reporting (ICFR), and audit considerations been taken into account along with impact to people, process and technology?

During RPA implementation

  • Does the RPA road map include scaling from a proof of concept or pilot to an enterprise platform?
  • Have design changes made during implementation been in accordance with the established RPA governance risk and control framework?
  • Are third-party risks (e.g., contracts or licenses) addressed from RPA product selection through implementation?
  • Does the governance framework address the need for efficient and appropriate controls over the bots?
  • How is the coordination across the three lines of defense being achieved?
  • What mechanisms are in place to monitor the development and effectiveness of the RPA platform against the business requirements?
  • What is the problem resolution process to have automation issues and errors evaluated, corrected, tracked and communicated in a timely manner through resolution?

After RPA implementation and ongoing

  • Does the RPA governance risk and control framework continue to align with business strategies?
  • How is the RPA vendor management integrated into an enterprise vendor management program, including evaluation of third-party risk and software security?
  • Has the impact of RPA on the organization been factored into the IA plan?
  • Is the workforce knowledgeable about the processes and controls for which they are responsible?
  • Which key metrics, including utilization of platform and capacity management, process automation trends, and process (exception) referrals, are measured?
  • How are the effectiveness and efficiency of RPA measured and reported against the projected business case?
  • Have additional opportunities to use RPA for security, operations, control testing, audit functions and cyber orchestration been considered?

Taking a holistic look at RPA

Whether your organization is embarking on its RPA journey or is already well on its way, it is likely that RPA will become an integral part of your key business processes. It’s vital for your organization to establish an RPA strategy that includes comprehensive governance, risk and control practices, and IA can bring business, risk and internal control insights to that strategy.

Organizations may bring in IA after implementation to assess how well the process and controls are operating, but what they fail to understand is the contribution IA can provide before, during and after RPA implementation. IA can help management navigate each stage of RPA implementation by providing an independent evaluation and strategic advice. The financial and reputational implications of waiting to act and getting it wrong are steep.

IA can help chart a course for success.

Summary

Organizations often underestimate the challenges associated with integrating RPA, which can leave them vulnerable to risks and may result in lost opportunities. Internal audit can help the organization before, during and after implementation by identifying risks, and designing and enhancing appropriate controls.

About this article

By

Amy Brachio

EY Global and Americas Advisory Risk Leader

Industry leader in risk management. A voice for working women. Passionate about diversity and inclusiveness. Mother. Wife.

Contributors
Related topics Advisory Risk Automation Digital