How can internal audit help?
Internal audit can help the organization before, during and after implementation by:
- Working with management to identify the risks
- Providing advice concerning the design of appropriate controls
- Evaluating the steps taken by management to appropriately address a multitude of risks
- Recommending internal control enhancements.
As they evaluate the risks, controls and efficiency of RPA during development, implementation and beyond, internal auditors should consider the following key questions:
Before RPA implementation
- Has executive management defined a strategy, objectives and priorities for RPA adoption across the enterprise?
- What level of automation currently exists? How mature are the processes in terms of changes that are occurring or new requirements being defined?
- Has a governance framework been refreshed to address the additional risks from RPA?
- How will the reallocation and reprioritization of the workforce be managed?
- Have all appropriate functions within the organization been engaged early and continuously in the journey?
- Does the organization have the skill sets to deal with the increased complexity presented by RPA?
- Have security, regulatory compliance, financial (including internal controls over financial reporting, or ICFR) and audit considerations been taken into account, along with the impact on people, process and technology?
During RPA implementation
- Does the RPA road map include scaling from a proof of concept or pilot to an enterprise platform?
- Have design changes made during implementation been in accordance with the established RPA governance, risk and control framework?
- Are third-party risks (e.g., contracts or licenses) addressed from RPA product selection through implementation?
- Does the governance framework address the need for efficient and appropriate controls over the bots?
- How is the coordination across the three lines of defense being achieved?
- What mechanisms are in place to monitor the development and effectiveness of the RPA platform against the business requirements?
- What is the problem resolution process for having automation issues and errors evaluated, corrected, tracked and communicated in a timely manner through to resolution?
After RPA implementation and ongoing
- Does the RPA governance, risk and control framework continue to align with business strategies?
- How is RPA vendor management integrated into the enterprise vendor management program, including evaluation of third-party risk and software security?
- Has the impact of RPA on the organization been factored into the internal audit (IA) plan?
- Is the workforce knowledgeable about the processes and controls for which they are responsible?
- Which key metrics, including utilization of platform and capacity management, process automation trends, and process (exception) referrals, are measured?
- How are the effectiveness and efficiency of RPA measured and reported against the projected business case?
- Have additional opportunities to use RPA for security, operations, control testing, audit functions and cyber orchestration been considered?
Taking a holistic look at RPA
Whether your organization is embarking on its RPA journey or is already well on its way, it is likely that RPA will become an integral part of your key business processes. It’s vital for your organization to establish an RPA strategy that includes comprehensive governance, risk and control practices, and IA can bring business, risk and internal control insights to that strategy.
Organizations may bring in IA after implementation to assess how well the process and controls are operating, but in doing so they fail to recognize the contribution IA can make before, during and after RPA implementation. IA can help management navigate each stage of RPA implementation by providing an independent evaluation and strategic advice. The financial and reputational implications of waiting to act and getting it wrong are steep.
IA can help chart a course for success.