What is Robotics Process Automation (RPA) and why should internal auditors care about it?
RPA is software that imitates human interaction with computer systems to accomplish tasks.
RPA can log into multiple systems, navigate through user interfaces or command line functions to add, update, or download data, create tickets, place orders, or basically anything else a human can do.
Except think (and some vendors would disagree with that).
RPA is software, not a physical robot. RPA is a virtual robot, similar to how a virtual machine does not have physical hardware of its own.
In this post, I use RPA, robotics, and robot interchangeably; each term refers to the same thing.
Here’s links to short videos that provide more info on RPA.
- What is RPA, by EY* (animated overview) https://www.youtube.com/watch?v=tnUSN2JLDOI
- RPA overview, by Accenture (provides a detailed example) https://www.youtube.com/watch?v=fIw7BwIoGus
- How to train robot to open Excel, load file, analyze data* https://www.youtube.com/watch?v=ydQ0b23FLMk
The software used is BluePRISM, which some say is the most user friendly software, and is ranked in the top 4 vendors in this space.
*This video is no longer available…
Why Auditors Need to Understand RPA
Unless you work for a small company, your employer might already have robotics in place, or you might someday soon.
That means that you will need to audit an RPA process someday.
The company I’m working at currently is using robotics, but we haven’t audited any of it. Yet.
Your audit department should determine whether your company is already using RPA, and if so, where? How critical is the process? What’s the risk?
From the research I’ve done, auditing RPA is similar to any other software/application audit, with a couple caveats:
- Governance, which is always an issue with technology implementations.
- Do you have standards and policies regarding where it can and cannot be implemented based on regulatory and risk factors? At this point, no regulations or laws specifically mention RPA, but that can change quickly.
- Is this governance managed and controlled centrally? Or are different departments creating and managing their own robots with their own governance standards?
- How many robots can one company effectively manage?
- How to determine the Return on Investment (ROI) on this type of project and can the ROI actually be achieved?
The main problem with RPA is NOT that it is hard to implement, but that the ROI isn’t realized (like many other types of IT projects).
Success should be measured by the hours the process took before vs. the hours it takes after installing a robotic process. Don’t fall in the trap of only measuring whether it displaced any workers. - Does the company have a plan for dealing with the displaced workers and the fears that those who keep their jobs might experience?
- The biggest risk is that the robotic process is not treated like a regular user, application, or process — RPA must be monitored, logged, and security access needs to be checked periodically, etc. All people, not just auditors, should have a healthy skepticism of robots, but sometimes people trust an automated process too much.
- Processes are often re-engineered prior to automation, so watch out for controls that get dropped or new risks that are created.
- A special change management process is often required for RPA, especially if the robot is going to make changes to the network or applications, or perform automated testing. Or perhaps the robot will update pricing or client names and addresses. How will those types of changes be tracked and approved?
- Accuracy of the process provided to the robot. If the software or algorithm is incorrect, robots can make mistakes much faster than humans. Imagine a robot sending out embarrassing tweets at 100 per second.
- Shadow robotics. Vendors will tell you that you can implement robotics without IT, and you can. But like any other software, IT and your risk management functions can warn you about possible pitfalls and help you with the implementation.
- RPA requires God-like access to the network, applications, databases, and other storage locations (shared drives, Sharepoint, SAN, etc.). The more complicated the process and the more data required, the more access required.
- Personal user IDs should not be used for RPA, not even for proof-of-concept testing. It’s just to easy to leave it that way if the process is put into production. Insist on system/generic IDs.
- When automated processes start to fail, robots can make critical errors extremely fast with disastrous results. Is there a way to shut one or more (or all) robots down if needed? Is this regularly tested?
Advantages of Robotics
The best thing about robotics is that you don’t have to change your current systems for a robot to work with them. In other words, no integration required. You just “train” the robot in what you want it to do, just like a new employee (except that you never need to repeat things or remind a robot).
The second best thing is that robots work 24 hours a day, don’t take breaks or ask for raises, don’t need a cube or a cafeteria, and work a lot faster than humans.
A third plus is once you’ve trained one robot, you don’t have to train the second or third robot to do the same job. You just provide the additional robot with the training (program sequence) that contains the rules and parameters for doing the job.
Also, if you program them correctly, robots are much more accurate than humans.
Finally, because robots are software, you can get a great audit trail for everything they do, which benefits compliance.
Will Robotics Replace Internal Auditors?
That remains to be seen, but robotics can’t replace human judgement.
Shortly after this post appeared, ACL posted this about data robots. It doesn’t seem to address robots much, but encourages auditors to not sit back and ignore the changes that are occurring…
At least one of the Big 4 is using robotics to perform audits (EY seems to be leading in this area). If all the data is available and the testing is straightforward (match this change with an approved request, or pay invoices only when they meet certain criteria), robotics works.
If data is missing or an item doesn’t follow the programmed rules, the robot flags the transaction for an internal auditor to research and review.
One thing I’m concerned about is when something changes from year to year, will a robot understand the impact of that change, and what other parts of the process are affected by it? Not if that impact isn’t included in the robot’s training.
However, a human who understands the process and has expertise in that area is more likely to put 2 & 2 together (did I just refer to auditors as humans? :)
Having said that, consider this: finance functions are ripe for robotics. If much of finance is done by robots that don’t make mistakes and create great audit trails, what will remain to audit? The auditing of the audit trail can be performed by a robot.
So if the function can be automated, so can the auditing of it. RPA is only one way to automate business processes; automation is happening all around us on many levels and with many tools, including ACL.
If you are purely a financial auditor, the writing is on so many walls these days. NOW is the time to get some expertise in auditing operations and IT. NOW is the time to step up your analytics expertise!
So yes, robotics could replace some of the work auditors do, but probably not all of it. And someone needs to be able to audit the robotic process.
Finals Thoughts
Robotics is great at replacing simple, defined processes, which are usually performed by entry-level workers. Eventually, robotics and other automation forces may replace some entry-level jobs at larger companies.
So when many of the entry-level jobs are automated, how does a high school or even a college graduate find an entry-level job?
I believe the answer is to learn to think critically and creatively AND to be more technical. Not enough people think hard enough, in my opinion. Or are technical enough.
Also, remember that although automation replaces jobs, it also creates new jobs and frees people up to do other things. In addition, technology and the job market are always evolving, so some of the jobs people will be doing in 5-15 years haven’t been dreamed up yet, because the market isn’t there yet. The key is to keep evolving your skills…
My next post continues this thought, specifically, can robotics replace ACL, IDEA, R, Power BI, etc.? See Will Robotics (RPA) Replace ACL?
See also Robotics to Replace ACL, Part 2
ITauditSecurity 
Pingback: Will Robotics (RPA) Replace ACL? | ITauditSecurity
Hi There,
THANKS SO MUCH for sharing this!
Great write up, your efforts are much appreciated.
Thanks,
Krish
LikeLike
Pingback: ACL Robotics is NOT Robotics | ITauditSecurity