Internal audit group converts SOX testing to real time, extends coverage tenfold using RPA
As internal audit organisations look for effective ways to perform their work in a more agile manner, including how to leverage methodologies, data and technology to add value and become strategic advisers to their business partners, many are finding that the use of robotic process automation (RPA) checks a lot of boxes.
RPA integration into internal audit functions is expanding and improving productivity across many different sectors. In a recent successful engagement, Protiviti was retained by the internal audit team of a Fortune 500 organisation to help automate functions within their department. The objective was to use RPA to reduce manual effort, improve testing coverage and increase the reliability of Sarbanes-Oxley (SOX)-related IT controls testing.
Evaluation and Bot Development
The engagement team reviewed the SOX IT controls library to identify controls that would be best suited for automation. The goal of the exercise was to find automation candidates that would yield higher value with relatively low effort. The controls were evaluated and categorised according to value or potential benefits (e.g., time savings, enhanced risk monitoring) and automation complexity (e.g., system dependencies that could make the automation process difficult).
After evaluating controls across 13 different systems, the team found that those associated with the company’s ERP system had many favorable characteristics, including consistent and well-structured artifacts, which met the project criteria. Walkthrough meetings were conducted with control owners to gain a detailed understanding of how the artifacts were generated and the level of access required. Based on the walkthroughs, a subset of controls was selected for the project. The team built a bot development process for each automation, including process definition documents, solution design specifications, and bot testing plans. Bots were developed for each control using UiPath.
Improved Quality, Reduced Testing Cycle
The engagement team successfully demonstrated that bots, if operationalised, can reduce the time to generate audit artifacts and perform controls testing by more than 80% and can be configured to significantly increase testing coverage. The engagement also identified opportunities to improve reliability and coverage of testing and advance RPA efforts for additional IT controls.
The next logical step for any organisation looking to deploy RPA in an IT control or other environment would be to establish a center of excellence to ensure that the implementation is executed according to plan and that ongoing maintenance and bot oversight is performed.
Specifically, the RPA delivered the following key benefits:
- Improved quality by reducing human error and creating a complete audit trail to support testing activities.
- Reduced the testing cycle from over eight weeks to near real time, with no document requests or delays.
- Generated and tested control artifacts five times faster.
- Increased testing coverage tenfold over the previous manual sample-based testing, replacing manual samples with population-based testing in nearly real time.
Although this engagement focused on IT controls testing, the broader goal of internal audit in this engagement was to engage first- and second-line partners in real-time risk management. By educating their business partners on risk and providing them with the tools to monitor compliance, internal audit can provide better and more relevant assurance and strengthen relationships throughout the organisation. In the case of this organisation, the successful RPA deployment has also positioned the internal audit team as a knowledgeable and trusted advisor to other parts of the organisation looking to achieve similar process improvements through automation.
Of course, once you build something, you have to maintain it. For this internal audit group, this engagement was only an initial project to spearhead a broader program. The next logical step for any organisation looking to deploy RPA in an IT control or other environment would be to establish a center of excellence to ensure that the implementation is executed according to plan and that ongoing maintenance and bot oversight is performed.
As RPA use for a variety of functions increases, it is important for internal audit leaders to not only become familiar with the technology and how it works but also learn how to control the associated risks. This engagement illustrates one way to simultaneously acquire that knowledge and position internal audit as an RPA resource for all internal stakeholders, adding value to the entire organisation.