Among the new technologies that promise to drive cost savings and improve business efficiency and effectiveness, robotic process automation (RPA) has captured the attention of organizations. A growing number of companies are looking to realize these benefits by automating mundane and repetitive activities. Typically, such RPA initiatives target administrative programs and procedures within a variety of departments, including finance, accounting, technology, legal, HR, audit and compliance.
One Fortune 500 company that provides technology solutions in North America and Europe, identified an opportunity to deploy RPA within its audit department to automate Sarbanes-Oxley (SOX) control testing. Because of the necessary investment, the audit department was keen on partnering with the business to help understand the potential value to the organization of automating certain SOX compliance controls and processes. In an effort to maximize the ROI of the automation effort and avoid missing opportunities, the audit department approached Protiviti with one simple question: “Where and how do we get started?”
Protiviti has provided audit and SOX compliance services to the organization over the last several years. During that time, the Protiviti project team has kept an eye toward finding opportunities to improve the quality and efficiency of their work and deliver cost savings within the audit department. Building an RPA technology strategy to drive efficiencies and cost savings within key business areas of the audit department was thus a welcome opportunity.
Protiviti assembled an RPA assessment team that included both technical resources and members of the audit and SOX compliance teams, allowing it to drive the right synergies and efficiencies during the assessment. The SOX experts in this group were intimately familiar with how much time and effort it took to complete testing, review and validate key reports, complete management reviews, and perform other tasks related to SOX compliance. Further, the integration of the Protiviti audit team resources allowed for the identification and communication of potential risks that may be posed by implementing RPA into SOX compliance procedures and the outlining of appropriate mitigating solutions.
Next, this integrated assessment team worked with the client to create an RPA SOX index — essentially, a broad scoping and prioritization exercise to determine which high-risk SOX control processes/activities offered the most potential to deliver value.
The RPA assessment approach consisted of the following four stages:
Identify — Working with the audit department, the project team defined the objectives of the assessment. Once the objectives were defined, the project team reviewed the current inventory of SOX process controls and other activities and filtered out those that were already automated.
Evaluate — Focusing on the identified controls and activities, the project team evaluated each one of them to determine the potential value that could be delivered by automating it. The team relied on a Protiviti-developed automation evaluation methodology for this step.
Categorize — Once the controls, control processes and activities were reviewed and evaluated against the automation evaluation criteria, they were categorized by automation “themes.” The project team tagged each control/ activity to one of four automation categories based on commonalities among the control/activity population: account reconciliation automation, automation of calculation, automation of user access review and/or provisioning access, or automation of approvals.
Prioritize — Finally, each control/activity was ranked high, medium or low priority for automation, and the ranking was confirmed with the business process owners. The assigned ranking was then used to develop an automation road map, outlining the controls/activities with which to move forward during the automation pilot.
Each phase included a deliberate and methodical evaluation that prioritized the RPA candidates based on their investment return value, avoiding the temptation to automate anything that could be automated. For example, in the evaluation phase, the activity’s frequency, the volume of transactions associated with a process, the availability and accessibility of the data, and other characteristics of the activity were all carefully considered and an aggregated score was assigned reflecting the value potential of the automation.
Similarly, in the prioritization phase, the ranking of candidates took into account not just time and cost savings, but also other aspects, such as the potential of the automated control to reduce errors. Ultimately, these considerations drove the company’s decision on which controls to automate. A high priority designation was reserved for the automation candidates with the most promising ROI, while those less suited for automation and lacking a robust or clear ROI potential were ranked medium or low. Also considered during this phase was how much effort it would take to script the bot for each control.
In the final count, Protiviti came up with a list of more than 100 control/ activity candidates for automation. Thanks to the thorough and methodical approach, the list made sense to management and created a solid business case for further investment. More important, the method helped avoid the “rush to implement” trap that many organizations fall into with new and emerging technologies.
The methodical approach assisted the organization in further defining its RPA strategy and automation road map, allowing management to move forward with confidence in the type of return each automated activity could generate. The work was valuable not only in highlighting what should be automated, but also what shouldn’t be automated within the audit department, even though it’s possible. Organizations that take an honest, risk-informed and ROI-based approach to their automation investment are more likely to succeed in their RPA efforts than those that invest in automation driven by pressure to innovate but without a clear, outcomes-driven RPA strategy.