iia/isaca/acfe joint conference - chapters.theiia.org county/iia oc presentation... · page 5. rpa...
TRANSCRIPT
Page 3
… what if it meant 25% to 40%+ sustainable efficiency gains
… and improved accuracy?
Robotic Process Automation (RPA)
Discussion agenda
1. Introduction to RPA
2. Key risks associated with RPA
3. How will internal controls and internal audit evolve with RPA
4. How can internal audit use RPA
IIA/ISACA/ACFE Joint Conference
Page 5
RPA is the application of software “robots,” not physical robots, that can mimic human action and perform many manual, repetitive, rules-based tasks at a much greater speed and accuracy than humans. RPA is rapidly gaining adoption in back office functions such as Finance, Tax, HR and IT, as well as the Supply Chain organization and many customer-facing departments.
[Figure: automation spectrum plotted against incremental value. Stages: Robotic Process Automation, Semi-cognitive, Cognitive intelligence (CI). Labels: Structured data interaction; Pattern-based machine learning; Statistical; Optimized process through automation; Improved workflow; Mimics human actions; Augments human intelligence; Mimics human intelligence.]
What is Robotic Process Automation (RPA)?
Characteristics:
1. Focus is on eliminating manual, repetitive, rules-driven activity that can be anticipated and programmed.
2. The robots work 24/7, with consistency and accuracy, and at a speed much faster than humans (one RPA robot typically performs 4-5 human FTEs of work).
3. The lines are blurring between traditional RPA and cognitive intelligence. We recommend companies focus on identifying the most beneficial applications of automation and then evaluate the best tools to achieve success.
Page 6
RPA and the “virtual worker”
Low-risk, low-cost extension of existing technology: RPA is overlaid on existing systems and integrated with existing data, minimizing disruption to IT strategy and architecture. While most RPA applications will be part of the long-term architecture, some applications provide a cost-effective, medium-term solution until core systems are expanded.
Reliability: No sick days, services provided 365 days a year
Audit trail: Fully maintained logs essential for compliance
Consistency: Identical processes and tasks, eliminating output variations
Right shoring: Geographical independence reducing need to offshore jobs while still delivering cost savings
Retention: Shifts human effort toward more stimulating tasks
ROI: Typical RPA projects involve multiple functional “pilots” but are generally completed in 9 to 12 months with a return on investment (ROI) < 1 year
Cost savings or avoidance: Ranging from 20–60% of baseline FTE cost
Opportunity focused: Can focus RPA on only those areas where significant opportunity exists; does not require enterprise adoption
Accuracy: Double-digit reductions in error rates
Scalability: Instant ramp up and down to match demand peaks and troughs
Productivity: Freed up human resources for higher value-added tasks
RPA often “fills the gaps” between existing systems (ERP, EPM, CRM, SCM, HRIS)
Page 7
RPA activities vs. other automation activities
What traditional RPA does and what it doesn’t do
Robotics process automation (RPA): A software solution that runs unattended, working like a virtual employee with legacy applications performing repetitive tasks reliably at the user interface level
Other automation technologies: A broad set of complementary technologies that can be brought together to automate a process
Divide up a task into pieces to be solved by technology, low-cost resources, and high-skill resources
Keyword-based character recognition
Optical character recognition (OCR)
Completion of auditable activity logs
Entering data into a system
Composing and sending emails
Rules-based processing and decision making
Comparing data sets
Reading, copying, aggregating data
Automation of clicks, data entry
Machine learning
Variable format processing
Adaptive behavior
Mathematical validations
Conversational Intelligence (chat bots)
Page 8
The operating model will need to shift to support the workforce of the future
Robots do the “what”, freeing up humans to focus on the “why”
► Easily and quickly scale up and down, potentially eliminating the need for contingent labor during peak periods
► Consider insourcing tasks previously outsourced
► Reduce cost without moving more jobs offshore
► Top grade onshore workforce to provide:
► Advanced analytics and insights
► Process improvements
► Decision support
Traditional workforce
Contingent workforce
Offshore workforce
Robotics workforce
Humans and robots teaming together, creating a powerful virtual workforce
Page 10
Key RPA Risks
Key risks in RPA
Policy and governance: A lack of robotics governance can lead to ineffective and inefficient process automation and an inability to support and meet business requirements.
Logical user access: Robotics access management is ineffectively managed leading to the compromise of systems, applications and their associated data.
System change management: Process automation requirements are not appropriately or accurately identified and documented leading to robotics developments that do not meet business needs or support the business/IT strategy resulting in a negative impact on business processes and financials.
Timely system outage/issue detection: Automation problems are not timely identified and managed leading to a delay in their resolution and resulting in a negative impact to business processes.
Vendor/3rd party management: Risks are not effectively mitigated for robotics vendor relationship and outsourced services, leading to financial and reputation exposure.
Completeness/accuracy of RPA processing: Input/upstream data is not completely/accurately received by the robot, or the robot may fail to completely/accurately process and calculate data to hand off downstream.
Page 11
RPA risk and control: Top risks and related control activities
Top RPA risks and illustrative controls for top risks
1. Risk: A lack of robotics governance can lead to ineffective and inefficient process automation and an inability to support and meet business requirements.
   Control: A robotics governance framework is defined and maintained, including leadership, processes, roles and responsibilities, information requirements and organizational structure required to ensure support is aligned to business objectives.
2. Risk: Robotics access management is ineffectively managed leading to the compromise of systems, applications and their associated data.
   Control: Robotics access control is managed and proper authentication methods are implemented and consistently enforced to prevent unauthorized access.
3. Risk: Process automation requirements are not appropriately or accurately identified and documented leading to robotics developments that do not meet business needs or support the business/IT strategy resulting in a negative impact on business processes and financials.
   Control: Robotics change and development requirements are clearly and concisely documented and mapped to business needs to ensure that the changes agree with the business strategy.
4. Risk: Robotics implementations are not appropriately designed and tested leading to requirements not being met or a negative impact on production systems resulting in a negative impact on the business and financial losses.
   Control: Implementation, testing and support requirements are developed and communicated to both business and IT stakeholders.
5. Risk: Automation problems are not timely identified and managed leading to a delay in their resolution and resulting in a negative impact to business processes.
   Control: Automation problems and errors are evaluated, corrected, tracked and communicated in a timely manner through resolution.
6. Risk: Risks are not effectively mitigated for robotics vendor relationship and outsourced services, leading to financial and reputation exposure.
   Control: Due diligence is performed over robotics vendors to evaluate the risk of the vendor at the onset of the relationship and on a periodic basis. Service level agreements are in place and monitored timely.
Page 12
RPA risk framework example
1. Robot session: The robotic session directly interacts with the end-to-end process it supports. Focus on processing integrity, error detection and escalation, as well as segregation of incompatible duties in the automated function.
2. Robot platform: Integration of IA software into your technology stack, integration of RPA development teams with broader technology development teams, implementation of enterprise-wide IA requirements for security safeguards, resiliency and issue management.
3. Application hosts: Security and change management controls are significant considerations for the production applications that robots interact with. Interdependencies require suitable controls and testing.
4. Robot governance: Integrate IA into the enterprise-wide governance including vendor management, change management, risk assessment, benefits realization and tracking, and recognizing and addressing risks unique to digital workforce technology.
Page 14
Automation “hot spots” for Finance
Operational finance and accounting
► Automating pricing reviews based on customer contracts and pre-approved price lists
► Calculation and processing of rebates
► Downloading of detailed monthly sales data and calculation of commissions
► Creating files and emails to gain approvals
► Posting to detailed sub systems and General Ledger
Standard Journal entries
► Creation of standard monthly journal entries using pre-populated templates provided by different business users
► Performing validation analytics
► Posting to ERP
Accounts payable processing
► Vendor set up and maintenance
► Automating the workflow processes and approvals
► Data entry and payments preparation
Expense Reimbursement
► Automating policy compliance reviews
► Calculation of purchase discounts
► Compliance and management reporting
► P Card or expense program maintenance
Intercompany reconciliation
► Automated checking and reconciliation of intercompany balances
► Basic research and reporting for exceptions
► Creating exception file and email report for finance review and approval
Accounts Receivable processing
► Automating processing of payments and bulk payment files for journal entries to sub system
► Credit approvals & customer master file maintenance
► Order processing
► A/R – cash receipts processing & sending late notices via email
Regulatory & Management reporting
► Data capture and cleansing to support automated generation of regulatory reports
► Pre-populating complex annual reporting
► Automating the preparation of management review slide decks by collecting data from multiple finance systems and reports
Account and Bank reconciliations
► Automating the download of subaccount balances and bank statements
► Uploading detailed transaction data from various sub systems
► Reconciling balances and transactions to core finance sub systems
► Creating balancing journal entries to handle discrepancies
Accounting change
► Automating the collection of data for leases or revenue transactions
► Categorizing, summarizing and analysing data based on history and pre-established parameters
► Producing reports for internal analysis
Financial Planning & Analysis (F,P&A)
► Pre-population of forecasts using historical and market data
► Loading pre-populated balances into the planning system
► Creating variance reports to pre-population and to actuals
Page 16
RPA enables higher levels of efficiency and effectiveness while better utilizing talented resources
Cost savings and activity realignment are achieved by addressing:
► Finance process redesign
► System enhancements
► Organization design
Linking RPA to transformation: Finance example
Goal is to do “more with less”— reduce the amount of time Finance staff spend on transaction processing and manual, repetitive tasks so they can focus on higher value, decision support functions
[Figure: “Finance today” vs. “Finance tomorrow” (Finance as a business partner). Shares of effort as listed on the slide: Decision support 10% and 60%; Control 20% and 10%; Reporting 10% and 20%; Transaction processing 60% and 10%. Descriptors: Normal support; Many manual controls; SEC focused, operations secondary; Manually intensive, redundant, not integrated, decentralized; Financial analysis, performance management, problem solving, forecasting, risk management; Embedded systems controls; Quality over quantity; SEC and internal management reporting; Integrated systems and processes; Shared services.]
Page 18
Automation “hot spots” for Risk and Controls
Data collection and transformation
► Collect data from multiple disparate systems. Data may need to be extracted from mainframe screens, PDFs, images, or websites, preventing automation using common tools such as SQL
► Use alternate tools in addition to robotics for data extraction and interpretation
► Consolidate supporting information and documentation
► Transform data from complex structured information to standard templates required for testing
Issue identification and upload
► Identify failures and report issues in issue management platforms
► Consolidate issues and conduct bulk uploads of test issues
Control testing execution
► Conduct preliminary analysis, and initial test scripts execution for rules based, logical tests
► Integrate and execute scripts based on defined inputs and rules
► Tests requiring human judgments to interpret information could be pre-analyzed for an analyst to review based on set criteria and self-learning algorithms using structured information (cognitive)
Quality Control
► Systematic controls to ensure quality through the testing process (cognitive)
► Identify exceptions in testing process (cognitive)
Report Development
► Generate consolidated reports using predefined logic for various aggregated reporting required
► Generate reports based on trends and issues identified in Test Execution (cognitive)
GRC/tool reporting data collection
► Consolidate data for report development from disparate compliance, security or issue management platforms
► Distribute reports to owners, or publish on accessible location
Page 20
Identifying RPA Risk opportunities: Audit execution and control automation
Audit Process Enhancement Opportunities
► As expectations for audit and compliance functions increase, the ability to manage workload, increase efficiency and effectiveness, while meeting a changing regulatory landscape will be a differentiator
► Organizations may look to technology to address new audit testing needs and increase efficiency. A number of technical approaches such as RPA can help achieve targeted automation of the audit process.
Where Automation Can Make a Difference
► Reduce cycle time for heavily manual data collection and preparation for testing
► Reduce cost associated with non-decision making manual process
► Increase traceability of test steps performed
► Increase consistency of test supporting documentation and execution
► Ability to execute a variety of tests by using/modifying previously built test steps
Sponsor Focus
► Internal Audit
► Compliance
► Privacy
► Attest services sponsors
Control Efficiency/Effectiveness Opportunities
► Automation of highly time consuming, complex or repetitive manual control execution due to information gathering, disparate systems, or spreadsheet manipulation
► Frequent failures of manual controls where highly predictable outcome of controls to support key compliance requirements (SOX, Privacy, other regulatory requirements)
Where Automation Can Make a Difference
► Increase predictability of effectiveness related to control execution
► Increase in traceability through logging of RPA functions and outcome (completeness and accuracy of execution)
► Reduce effort related to heavily manual data collection and review for control execution
► Timeliness of control execution
Sponsor Focus
► CFO/Controller
► Compliance
► Privacy
► CIO
Page 21
Identifying RPA Risk opportunities: Criteria and indicators
Testing and controls automation provides flexibility and connectivity between applications, increases the effectiveness of applications, and completes routine activities that previously required manual effort. However, automation does not replace existing computing capabilities, and does not generally replace entire roles. Each function/process should be evaluated to determine potential opportunities.
Identify where teams are manually …
► Accessing and gathering data from multiple systems
► Simple transformation of data from multiple sources
► Checking data quality for structured data
► Executing simple checks that require no judgment
Select tests that are …
► Well-defined, relying on rules rather than judgment
► Structured data is being used for testing
► Time consuming, while being time-critical
► Executed very often (i.e. daily or weekly)
► Using multiple systems that are not fully integrated
► Relatively stable regulatory requirements
► Require calculations that can be automated
Affirmative answers to the following questions are a good indicator that the test area may benefit from automation:
► Do your users need to frequently copy information from one system to standard templates?
► Is your information sourced from multiple source systems?
► Do you require large amounts of time and effort to perform simple, repetitive tasks manually?
► Are rule-based tests being performed?
► Do your users have to make the same updates in multiple places/systems?
► Do you require multiple similar reports to be generated manually?
► Can certain issue-logging details be captured automatically?
► Are calculations required to assess compliance?
► Does the test require comparison of data sources?
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.
Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.
© 2018 Ernst & Young LLP. All Rights Reserved.
1708-2382611ED None
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.
ey.com