IIA/ISACA/ACFE Joint Conference March 16, 2018


Page 2

Robotics Process Automation


Page 3

… what if it meant 25% to 40%+ sustainable efficiency gains

… and improved accuracy?

Robotic Process Automation (RPA)

Discussion agenda

1. Introduction to RPA
2. Key risks associated with RPA
3. How will internal controls and internal audit evolve with RPA
4. How can internal audit use RPA

Page 4

1. Introduction to RPA


Page 5

RPA is the application of software “robots,” not physical robots, that can mimic human action and perform many manual, repetitive, rules-based tasks at a much greater speed and accuracy than humans. RPA is rapidly gaining adoption in back office functions such as Finance, Tax, HR and IT, as well as the Supply Chain organization and many customer-facing departments.

[Figure: spectrum from RPA to cognitive intelligence, with axis "Incremental value". Stages: Robotic Process Automation; Semi-cognitive; Cognitive intelligence (CI). Labels: Structured data interaction; Pattern-based machine learning; Statistical; Optimized process through automation; Improved workflow; Mimics human actions; Augments human intelligence; Mimics human intelligence.]

What is Robotic Process Automation (RPA)?

Characteristics:

1. Focus is on eliminating manual, repetitive, rules-driven activity that can be anticipated and programmed.

2. The robots work 24/7, with consistency and accuracy, and at a speed much faster than humans (one RPA robot typically performs 4-5 human FTEs of work).

3. The lines are blurring between traditional RPA and cognitive intelligence. We recommend companies focus on identifying the most beneficial applications of automation and then evaluate the best tools to achieve success.

Presenter
Presentation Notes
Introduction – Show a quick video on RPA. In the past, there were screen scrapers and other technologies, but the past two years enabled technology to work independently.

Page 6

RPA and the “virtual worker”

► Low-risk, low-cost extension of existing technology: RPA is overlaid on existing systems and integrated with existing data, minimizing disruption to IT strategy and architecture. While most RPA applications will be part of the long-term architecture, some applications provide a cost-effective, medium-term solution until core systems are expanded.

► Reliability: No sick days, services provided 365 days a year

► Audit trail: Fully maintained logs essential for compliance

► Consistency: Identical processes and tasks, eliminating output variations

► Right shoring: Geographical independence reducing need to offshore jobs while still delivering cost savings

► Retention: Shifts human effort toward more stimulating tasks

► ROI: Typical RPA projects with multiple functional “pilots” but generally completed in 9 to 12 months with a return on investment (ROI) < 1 year

► Cost savings or avoidance: Ranging from 20–60% of baseline FTE cost

► Opportunity focused: Can focus RPA on only those areas where significant opportunity exists; does not require enterprise adoption

► Accuracy: Double-digit reductions in error rates

► Scalability: Instant ramp up and down to match demand peaks and troughs

► Productivity: Freed up human resources for higher value-added tasks.

[Figure: RPA often “fills the gaps” between existing systems. Systems shown: ERP, EPM, CRM, SCM, HRIS.]

Presenter
Presentation Notes
Technology is not new, but has been packaged in a holistic way, where bots can work in an unattended environment and act as a complete replacement for humans. Bots interact with different applications without having to change the underlying application. A bot is like a human, e.g. bots would have a user name and password to log into SAP. So from SAP’s side, there is no difference between a human logging in or a bot.

Page 7

RPA activities vs. other automation activities
What traditional RPA does and what it doesn’t do

Robotics process automation (RPA): A software solution that runs unattended, working like a virtual employee with legacy applications performing repetitive tasks reliably at the user interface level

Other automation technologies: A broad set of complementary technologies that can be brought together to automate a process

Divide up a task into pieces to be solved by technology, low-cost resources, and high-skill resources

Keyword-based character recognition

Optical character recognition (OCR)

Completion of auditable activity logs

Entering data into a system

Composing and sending emails

Rules-based processing and decision making

Comparing data sets

Reading, copying, aggregating data

Automation of clicks, data entry

Machine learning

Variable format processing

Adaptive behavior

Mathematical validations

Conversational Intelligence (chat bots)

Presenter
Presentation Notes
This curve is starting to move to the right. RPA is currently automating deterministic rules. No judgement yet and cannot do advanced AI (e.g. look at this picture and tell me if it's a cat). OCR is slowly moving to automation. Three things: data quality (digital input), deterministic (map out decision path), structured (AP invoices are hard because invoice comes in on paper and data could be anywhere on the paper; if structured so invoice # is always in same spot, makes it easier).

Page 8

The operating model will need to shift to support the workforce of the future

Robots do the “what”, freeing up humans to focus on the “why”

► Easily and quickly scale up and down, potentially eliminating the need for contingent labor during peak periods

► Consider insourcing tasks previously outsourced

► Reduce cost without moving more jobs offshore

► Top grade onshore workforce to provide:
    ► Advanced analytics and insights
    ► Process improvements
    ► Decision support

[Figure labels: Traditional workforce; Contingent workforce; Offshore workforce; Robotics workforce]

Humans and robots teaming together, creating a powerful virtual workforce

Presenter
Presentation Notes
Continued advantages of RPA – Finance personnel will face a change in required skillset. Core finance skillset changes, as more capacity will be used in tasks requiring more intelligence like advanced analysis and interpretation, review and approval, decision making. In addition new technical skills are needed to manage a robotized process. It will be a challenge to apply this change and retain accumulated finance technical knowledge and practical knowledge of organization. When bots are up and running, cost is $1-2 per hour. Work is cheaper, faster, better quality for bot to do than human. If task can't be automated, are there tweaks to the process to make it more structured. Automation anxiety is real. Recommendation is when company starts automation, don't make it a head count factor as people won't engage, won't tell you which processes can be automated. Change management is key. Tone from the top. Focus on people moving from transactional to thinking tasks. Company should define what they'll be doing to alleviate the anxiety and uncertainty. "higher value add activities"

Page 9

2. Key risks associated with RPA


Page 10

Key RPA Risks

Key risks in RPA

► Policy and governance: A lack of robotics governance can lead to ineffective and inefficient process automation and an inability to support and meet business requirements.

► Logical user access: Robotics access management is ineffectively managed leading to the compromise of systems, applications and their associated data.

► System change management: Process automation requirements are not appropriately or accurately identified and documented leading to robotics developments that do not meet business needs or support the business/IT strategy resulting in a negative impact on business processes and financials.

► Timely system outage/issue detection: Automation problems are not timely identified and managed leading to a delay in their resolution and resulting in a negative impact to business processes.

► Vendor/3rd party management: Risks are not effectively mitigated for robotics vendor relationship and outsourced services, leading to financial and reputation exposure.

► Completeness/accuracy of RPA processing: Input/upstream data is not completely/accurately received by the robot, or the robot may fail to completely/accurately process and calculate data to hand off downstream.

Presenter
Presentation Notes
#1 reason RPA fails – system change management: when a change in an application is not communicated to the RPA team, the bot will fail. Enforce proactive change management. Also build test enhancers where bot also runs in QA. It gets scary when the person who used to do the job has moved to other tasks and is not available to fall back on. Mature organizations enforce proactive change control communication. RPA team to be involved in change process. Or can create bot in QA too so it sees changes before they are made to production to allow identification of issue.

Page 11

RPA risk and control
Top risks and related control activities

Top RPA risks and illustrative controls for top risks

1. Risk: A lack of robotics governance can lead to ineffective and inefficient process automation and an inability to support and meet business requirements.
   Illustrative control: A robotics governance framework is defined and maintained, including leadership, processes, roles and responsibilities, information requirements and organizational structure required to ensure support is aligned to business objectives.

2. Risk: Robotics access management is ineffectively managed leading to the compromise of systems, applications and their associated data.
   Illustrative control: Robotics access control is managed and proper authentication methods are implemented and consistently enforced to prevent unauthorized access.

3. Risk: Process automation requirements are not appropriately or accurately identified and documented leading to robotics developments that do not meet business needs or support the business/IT strategy resulting in a negative impact on business processes and financials.
   Illustrative control: Robotics change and development requirements are clearly and concisely documented and mapped to business needs to ensure that the changes agree with the business strategy.

4. Risk: Robotics implementations are not appropriately designed and tested leading to requirements not being met or a negative impact on production systems resulting in a negative impact on the business and financial losses.
   Illustrative control: Implementation, testing and support requirements are developed and communicated to both business and IT stakeholders.

5. Risk: Automation problems are not timely identified and managed leading to a delay in their resolution and resulting in a negative impact to business processes.
   Illustrative control: Automation problems and errors are evaluated, corrected, tracked and communicated in a timely manner through resolution.

6. Risk: Risks are not effectively mitigated for robotics vendor relationship and outsourced services, leading to financial and reputation exposure.
   Illustrative control: Due diligence is performed over robotics vendors to evaluate the risk of the vendor at the onset of the relationship and on a periodic basis. Service level agreements are in place and monitored timely.

Presenter
Presentation Notes
Risk and example of controls

Page 12

RPA risk framework example

1. Robot session: The robotic session directly interacts with the end-to-end process it supports. Focus on processing integrity, error detection and escalation, as well as segregation of incompatible duties in the automated function.

2. Robot platform: Integration of IA software into your technology stack, integration of RPA development teams with broader technology development teams, implementation of enterprise-wide IA requirements for security safeguards, resiliency and issue management.

3. Application hosts: Security and change management controls are significant considerations for the production applications that robots interact with. Interdependencies require suitable controls and testing.

4. Robot governance: Integrate IA into the enterprise-wide governance including vendor management, change management, risk assessment, benefits realization and tracking, and recognizing and addressing risks unique to digital workforce technology.

Presenter
Presentation Notes
Robot session = runtime resource or machine that is performing the task. Need to control access to bot. Virtual machines in cloud. Platform = Tasks are stored in database. Who has access to code? Process for making changes to code? Hosts = Using VM or desktops? Access to them? Governance = what can be automated and what should not? What are processes for RPA program? Who should be decision makers? Usually companies create on VMs.

Page 13

3. How will internal audit and internal controls change


Page 14

Automation “hot spots” for Finance

Automation hot spots

Operational finance and accounting
► Automating pricing reviews based on customer contracts and pre-approved price lists
► Calculation and processing of rebates
► Downloading of detailed monthly sales data and calculation of commissions
► Creating files and emails to gain approvals
► Posting to detailed sub systems and General Ledger

Standard Journal entries
► Creation of standard monthly journal entries using pre-populated templates provided by different business users
► Performing validation analytics
► Posting to ERP

Accounts payable processing
► Vendor set up and maintenance
► Automating the workflow processes and approvals
► Data entry and payments preparation

Expense Reimbursement
► Automating policy compliance reviews
► Calculation of purchase discounts
► Compliance and management reporting
► P Card or expense program maintenance

Intercompany reconciliation
► Automated checking and reconciliation of intercompany balances
► Basic research and reporting for exceptions
► Creating exception file and email report for finance review and approval

Regulatory & Management reporting
► Data capture and cleansing to support automated generation of regulatory reports
► Pre-populating complex annual reporting
► Automating the preparation of management review slide decks by collecting data from multiple finance systems and reports

Accounts Receivable processing
► Automating processing of payments and bulk payment files for journal entries to sub system
► Credit approvals & customer master file maintenance
► Order processing
► A/R – cash receipts processing & sending late notices via email

Account and Bank reconciliations
► Automating the download of subaccount balances and bank statements
► Uploading detailed transaction data from various sub systems
► Reconciling balances and transactions to core finance sub systems
► Creating balancing journal entries to handle discrepancies

Accounting change
► Automating the collection of data for leases or revenue transactions
► Categorizing, summarizing and analysing data based on history and pre-established parameters
► Producing reports for internal analysis

Financial Planning & Analysis (F,P&A)
► Pre-population of forecasts using historical and market data
► Loading pre-populated balances into the planning system
► Creating variance reports to pre-population and to actuals

Presenter
Presentation Notes
EY has ventured into many of these. Internally, EY is one of the largest users of bots in the world. Have about 700 internal bots for $60 million annual savings; 3-4 years into RPA process. Goal is to have $1 billion cost savings related to bots by 2020. GDS has RPA team for doing EY global automation. Can also share videos from Chiradeep.

Page 15

Bank confirmation functional diagram


Page 16

RPA enables higher levels of efficiency and effectiveness while better utilizing talented resources

Cost savings and activity realignment are achieved by addressing:
► Finance process redesign
► System enhancements
► Organization design

Linking RPA to transformation
Finance example

Goal is to do “more with less”: reduce the amount of time Finance staff spend on transaction processing and manual, repetitive tasks so they can focus on higher value, decision support functions

Finance today
► Decision support 10%: Normal support
► Control 20%: Many manual controls
► Reporting 10%: SEC focused; Operations secondary
► Transaction processing 60%: Manually intensive; Redundant; Not integrated; Decentralized

Finance tomorrow (Finance as a business partner)
► Decision support 60%: Financial analysis; Performance management; Problem solving; Forecasting; Risk management
► Control 10%: Embedded systems controls; Quality over quantity
► Reporting 20%: SEC and internal management reporting
► Transaction processing 10%: Integrated systems and processes; Shared services

Presenter
Presentation Notes
Some employees won't make the transition so need to think about what to do with these employees. Millennials don't want to do transactional tasks. Example of Millennials getting used to automation with their cell phone but then going back in time at work to do manual vlookups. Transaction processing decreases, Decision support increases.

Page 17

4. How can internal audit use RPA


Page 18

Automation “hot spots” for Risk and Controls

Data collection and transformation
► Collect data from multiple disparate systems. Data may need to be extracted from mainframe screens, PDFs, images, or websites, preventing automation using common tools such as SQL
► Use alternate tools in addition to robotics for data extraction and interpretation
► Consolidate supporting information and documentation
► Transform data from complex structured information to standard templates required for testing

Issue identification and upload
► Identify failures and report issues in issue management platforms
► Consolidate issues and conduct bulk uploads of test issues

Control testing execution
► Conduct preliminary analysis, and initial test scripts execution for rules based, logical tests
► Integrate and execute scripts based on defined inputs and rules
► Tests requiring human judgments to interpret information could be pre-analyzed for an analyst to review based on set criteria and self-learning algorithms using structured information (cognitive)

Quality Control
► Systematic controls to ensure quality through the testing process (cognitive)
► Identify exceptions in testing process (cognitive)

Report Development
► Generate consolidated reports using predefined logic for various aggregated reporting required
► Generate reports based on trends and issues identified in Test Execution (cognitive)

GRC/tool reporting data collection
► Consolidate data for report development from disparate compliance, security or issue management platforms
► Distribute reports to owners, or publish on accessible location

Page 19

SAP transport testing bot video


Page 20

Identifying RPA Risk opportunities
Audit execution and control automation

Audit Process Enhancement Opportunities
► As expectations for audit and compliance functions increase, the ability to manage workload, increase efficiency and effectiveness, while meeting a changing regulatory landscape will be a differentiator
► Organizations may look to technology to address new audit testing needs and increase efficiency. A number of technical approaches such as RPA can help achieve targeted automation of the audit process.

Where Automation Can Make a Difference
► Reduce cycle time for heavily manual data collection and preparation for testing
► Reduce cost associated with non-decision making manual process
► Increase traceability of test steps performed
► Increase consistency of test supporting documentation and execution
► Ability to execute a variety of tests by using/modifying previously built test steps

Sponsor Focus
► Internal Audit
► Compliance
► Privacy
► Attest services sponsors

Control Efficiency/Effectiveness Opportunities
► Automation of highly time consuming, complex or repetitive manual control execution due to information gathering, disparate systems, or spreadsheet manipulation
► Frequent failures of manual controls where highly predictable outcome of controls to support key compliance requirements (SOX, Privacy, other regulatory requirements)

Where Automation Can Make a Difference
► Increase predictability of effectiveness related to control execution
► Increase in traceability through logging of RPA functions and outcome (completeness and accuracy of execution)
► Reduce effort related to heavily manual data collection and review for control execution
► Timeliness of control execution

Sponsor Focus
► CFO/Controller
► Compliance
► Privacy
► CIO

Presenter
Presentation Notes
 If you think about your recurring audit, many are routine tasks for sample testing. With RPA, can do 100% testing on ongoing testing to reduce risk. For high risk areas, can do 100% testing for monitoring.

Page 21

Identifying RPA Risk opportunities
Criteria and indicators

Testing and controls automation provides flexibility and connectivity between applications, increases the effectiveness of applications, and completes routine activities that previously required manual effort. However, automation does not replace existing computing capabilities, and does not generally replace entire roles. Each function/process should be evaluated to determine potential opportunities.

Identify where teams are manually …
► Accessing and gathering data from multiple systems
► Simple transformation of data from multiple sources
► Checking data quality for structured data
► Executing simple checks that require no judgment

Select tests that are …
► Well-defined, relying on rules rather than judgment
► Structured data is being used for testing
► Time consuming, while being time-critical
► Executed very often (i.e. daily or weekly)
► Using multiple systems that are not fully integrated
► Relatively stable regulatory requirements
► Require calculations that can be automated

Affirmative answers to the following questions are a good indicator that the test area may benefit from automation:
► Do your users need to frequently copy information from one system to standard templates?
► Is your information sourced from multiple source systems?
► Do you require large amounts of time and effort to perform simple, repetitive tasks manually?
► Are rule-based tests being performed?
► Do your users have to make the same updates in multiple places/systems?
► Do you require multiple similar reports to be generated manually?
► Can certain issue-logging details be captured automatically?
► Are calculations required to assess compliance?
► Does the test require comparison of data sources?

Presenter
Presentation Notes
Need rules based tasks, deterministic, digital quality data. Can be personal so need to discuss with IA/company where issues are found, manual tasks are. Example of 17 FTEs responding to employee tasks on available paid time off. IA can drive RPA agenda since they have a wide view of the business. IA also can focus on areas of consistent audit findings. Proof of concept in 2-4 weeks; first bot 12 weeks, after 8-10 weeks. Questions: How do you buy a bot? Lots of tech vendors (60-70 companies); BluePrism, RelyPath, Automation Anywhere are big ones. EY mainly uses BluePrism. If processes aren't standardized, hard to use bots. Can use RPA as carrot to drive common processes.

EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com.

Ernst & Young LLP is a client-serving member firm of Ernst & Young Global Limited operating in the US.

© 2018 Ernst & Young LLP. All Rights Reserved.

1708-2382611ED None

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.

ey.com