Más contenido relacionado
La actualidad más candente (20)
Similar a Internal Audit Considerations in Creating an RPA Program (20)
Más de Auxis Consulting & Outsourcing (14)
Internal Audit Considerations in Creating an RPA Program
- 2. Presenters
2
Rene Herrera
IT Audit Director
Office Depot
Larry Burke
Principal, Risk Consulting
Focal Point
Eduardo Diquez
Intelligent Automation
Consulting Director
Auxis
David Graff
Principal, Risk Consulting
Focal Point
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 3. Agenda
• Putting RPA into Context
• Internal Audit’s Three-Pronged Role
• Internal Audit as an RPA User
• Internal Audit as a Consultant
• Internal Audit as Assurance
• Significant Risks Associated with RPA
• Putting a Governance Structure in Place
• Getting Started
• Panel Discussion
• Open Q&A
3
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 4. RPA in Context
4
National Security Commission on Artificial Intelligence, March 2021
Prediction
Event forecasting and pattern
analysis have impacted nearly
all industries (e.g. finance,
farming, and transportation)
Examples:
Preventative
vehicle
maintenance
Precision
agriculture
Planning and Optimization
Determining necessary steps
to complete a series of tasks
can save time and money, and
improve safety
Examples:
Transportation
planning in
cities
Modeling and Simulation
Modeling our physical,
economical, and social world
to support the study and
testing of operations without
interfering or interrupting
ongoing processes
Examples:
COVID-19
research
Tracking space
debris
Natural Language Understanding
Machines can process,
analyze, understand, and
mimic human language, either
spoken or written
Examples:
Richer human-
computer
interaction
Computer Vision
Perceiving and learning visual
tasks from the world through
cameras and sensors
Examples:
Livestock
monitoring
Robotic Process Automation (RPA)
Software robotics to help
organizations automate
tedious and repetitive tasks
Examples:
RPA platforms
Current
Application of AI
in Key Areas
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 5. What is Internal Audit’s Role in RPA?
5
IA as a USER IA as a CONSULTANT IA as ASSURANCE
Modern Internal Audit Teams have three primary avenues in which to interact
with robotic process automation.
In all three instances, the goal is to drive value for the business
Internal Audit leaders should look for
processes within their department’s
control to implement RPA.
Internal Audit leaders should advise
the business on where they could
leverage RPA as a value driver.
Internal Audit leaders should
evaluate RPA governance, risk
management, and control processes.
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 7. IA as an RPA User
Data gathering and cleansing for analytics. An RPA
Center of Expertise (CoE) can generate and
standardize data to run custom analytics, doing the
work of pulling the data to be used by internal and
external auditors, including automation checks for
completeness of fields, duplicates and validation, etc.
Risk assessment. Bots can help automate the initial
data gathering and classification for the annual risk
assessment process.
Population gathering. During the sampling and initial
evidence gathering for standard evidence for controls,
bots can help process data populations and do so more
efficiently and accurately than humans can.
Automation of controls. Bots can run controls testing
- especially for control areas that are standardized,
such as where tickets and fields are consistently used.
Project management. Bots can identify open items,
send follow-up emails and document status, etc.
7
Can the current human activity be process
mapped (i.e., is it the same repetitive process
being done each time)?
If the activity requires human judgment, can
the rules on how to make that judgment be
defined to cover all angles?
Does the activity pull and put data from and in
the same place every time (i.e., the same field
name or same location of the field on a
particular screen of a system)?
NO YES
NO YES
Human Task
Human Task
RPA Candidate
YES
NO
Human Task
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 8. Opportunities: Audit and control automation
8
• As expectations for audit and compliance functions increase, the ability to
manage workload, increase efficiency and effectiveness, while meeting a
changing regulatory landscape will be a differentiator
• Firms may look to technology to address new audit testing needs and
increase efficiency. A number of technical approaches such as RPA can
help achieve targeted automation of the audit process
• Reduce cycle time for heavily manual data collection and preparation for testing
• Reduce cost associated with non-decision making manual process
• Increase traceability test steps performed
• Increase consistency of test supporting documentation and execution
• Ability to execute a variety of tests by using/modifying previously built test steps
Audit Process Enhancement Opportunities
Where automation can make a difference
Sponsor focus
• Internal audit
• Compliance
• Privacy
• Attest services sponsors
• Automation of highly time consuming, complex or repetitive manual control
execution due to information gathering, desperate systems, or spreadsheet
manipulation
• Frequent failures of manual controls where highly predictable outcome of
controls to support key compliance requirements (SOX, Privacy, other
regulatory requirements)
• Increase predictability of effectiveness related to control execution
• Increase in traceability through logging of RPA functions and outcome
(completeness and accuracy of execution)
• Reduce effort related to heavily manual data collection and review for control
execution
• Timeliness of control execution
Control efficiency/effectiveness opportunities
Where automation can make a difference
Sponsor focus
• CFO/Controller
• Compliance
• Privacy
• CIO
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 9. IA as a Consulting Partner
What does internal audit bring to the table as a
consulting partner?
Intimate knowledge of the organization
Relationships across the enterprise
Identify opportunities for automation
Eye toward thoughtful implementation
Baked-in (instead of bolted on) governance
9
Reduced Cost
Automation replaces high-touch, repetitive,
manual audit activities
Increased Quality
Automations, once configured and controlled,
execute consistently and without error
Increased Efficiency
Automation allows more to be done across a
broader range of audit activities with the same
number of people
Increased Assurance
Automation permits evaluation of larger numbers
of transactions, even up to one-hundred percent
sample size
Improved Insights
Automation allows for efficient analysis of large
data sets, with conditional analysis, to create
better insights
Benefits of RPA
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 10. Common Areas for RPA Implementation
10
Financial planning & analysis (FP&A)
Regulatory & management reporting
Accounting change
Expense reimbursement
Intercompany reconciliation
Accounts receivable processing
Accounts payable processing
Operational finance and accounting
Standard journal entries
Account and bank reconciliations
IT Policy Distribution and Training
Automated Reporting
Help Desk Management
Event Management
Security Monitoring
Software Installation
Application Testing
Ongoing Application Monitoring
File Management
Identity and Access Management
Quality control
Report development
GRC data collection
Data transformation
Control testing execution
Issue identification and upload
Finance Information Technology Risk and Compliance
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 12. Corporate Governance Model
12
Corporate Governance addresses power and relationships between:
Seeks Feedback on Internal
Control Environment
Provides Audit and
Advisory Services
Reports Periodically
Approves Strategy and Monitors Management
Provides Independent
Reporting
to
BOD
Establishes Independence
of
IA
and
Provides Risk Input
Internal Audit Helps Management and BOD
Reduce Information Asymmetry
Management
Internal
Audit
BoD
(Represents owners)
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 13. Governance Under New IIA Model
13
Institute of Internal Auditors, “The IIA’s Three Lines Model.” Available at the global.theiia.org.
- 14. Establishing Effective RPA Governance
14
RPA Technology Council
Develop consistent enterprise-
wide policies, best practices, and
technology solutions.
Executive Leadership
Promote adoption and facilitate
RPA program success through
investment and sponsorship.
RPA Programs
Functional groupings of RPA
initiatives, which leverage
enterprise standards and controls.
Business Champions
Align business needs and initiatives
with current and emerging RPA
Program capabilities.
RPA
Governance
Model
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 15. Significant Risks Associated with RPA
15
SDLC Operational Regulatory Organizational
Technology Financial Cybersecurity IAM
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 16. IA as an Assurance Partner
16
To successfully implement RPA, Internal Audit
needs to focus on key business risks, without
creating undue friction.
Focus initially on three key areas:
Validate security risks
Audit the SDLC
Manage organizational change
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 17. Most Common Controls to Monitor Risks
17
Examples:
SDLC
DR/BCM
System Access
SoD
Key Capabilities:
Cross-functional
Upstream and Downstream
Preventative
Examples:
Business Process Reconciliations
RPA Bot Monitor (guardrails)
Change Management
Key Capabilities:
Speed of Detection
Precision (root cause)
Detective
Managing RPA risks require
you to have properly
configured controls at the
enterprise level (e.g., SDLC),
as well as those specific to
the RPA program (e.g., bot
monitor).
These controls need not be
an impediment to RPA
implementation. But they
should be in place before
wide-scale RPA adoption.
© 2021, Focal Point Data Risk, LLC. All rights reserved.
- 19. Rene Herrera
IT Audit Director
Office Depot
Larry Burke
Principal, Risk Consulting
Focal Point
Eduardo Diquez
Intelligent Automation
Consulting Director
Auxis
David Graff
Principal, Risk Consulting
Focal Point
Panel Discussion
© 2021, Focal Point Data Risk, LLC. All rights reserved.