ISACA Now Blog

Knowledge & Insights > ISACA Now > Posts > Internal Audit Should Take Multifaceted Approach to Robotic Process Automation

Internal Audit Should Take Multifaceted Approach to Robotic Process Automation

David Malcom, Managing Director, Global IT Internal Audit Lead – Accenture
| Posted at 3:02 PM by ISACA News | Category: Audit-Assurance | Permalink | Email this Post | Comments (1)

David MalcomIn the same manner that the adoption of ERP applications and the use of offshore labor arbitrage and outsourcing previously transformed the workplace, robotic process automation (RPA) and intelligent automation are demonstrating the potential to be the next megatrends to help organizations improve the efficiencies and performance of back-office operations. As many organizations are just beginning their journeys to implement RPA technologies, this presents an opportunity for internal audit groups to work with their stakeholders to ensure appropriate governance and controls are built into the design of their RPA programs.

There are several risks in establishing an RPA program that internal audit should assess before organizations look to begin deploying bots into production.

  • First and foremost, ensure the organization has established guidelines for the development of RPA capabilities and clear ownership for the ongoing run and maintenance of activities associated with managing this technology.
  • Secondly, tried and true IT general controls that internal audit assesses in just about every review should be designed into RPA operations. Access to bots, change management, data integrity and disaster recovery/business continuity–all are critical operational procedures that should be defined prior to utilizing any bots in production.
  • Finally, internal audit can assist management with defining appropriate key performance indicators (KPIs) and benefits realization processes to monitor and measure the success of an RPA program.

As internal auditors, we should also evaluate the potential efficiencies that can be gained through adopting RPA capabilities ourselves.

  • At a time where we find ourselves in an increasing struggle to attract and retain top talent, utilizing RPA capabilities to automate highly manual, repetitive tasks that require little judgment could help provide opportunities to free our staff to focus on more interesting activities, improving their engagement.
  • Any audit testing that internal audit performs involving calculations, variance analysis, and reconciliations are prime candidates to be automated. Additionally, operational procedures that all internal audit departments perform, including the distribution of audit documentation requests and issue follow-up, can also be performed by RPA capabilities.

My department recently conducted a successful pilot where we automated the evidence gathering and testing of several SOX IT general controls. This is very straightforward testing that my team has been doing for years and, to be honest, no one really enjoys performing. We are now looking for additional ways we can leverage RPA to provide more real-time insights to our stakeholders and enable our team to focus on higher-value activities.

RPA is quickly moving from an emerging technology to an integral component of organizations’ operational capabilities. It is critical for internal audit to understand the associated risks that come with the adoption of RPA and provide assurance that their organization has designed effective controls as part of their RPA program. Additionally, internal audit should not ignore the value that can be gained by adopting RPA itself and the efficiency opportunities RPA can provide the department. As security and IT audit practitioners, we all have roles to play in ensuring our organizations deploy this new technology in a controlled manner.

Editor’s note: For more resources related to this topic, view ISACA’s new Audit Outlook video series.

Comments

Nicely Put

Thank you for the welcome thought out article, David!
MarkB at 6/8/2019 3:29 PM
You must be logged in and a member to post a comment to this blog.
Email