The Malta Independent on Sunday
The 3 Rs of finance automation: RPA, Risk, Rewards
Accounting and finance organisations are rapidly adopting robotic process automation, but bots can also introduce new risks to internal controls and day-today operations.
Many companies are rapidly digitising parts of their business with robotic process automation (RPA)—computer-coded, rules-based software bots that automate certain human tasks. Unlike AI, RPA bots are unable to learn from data patterns and make judgments; rather, they replicate actions a human would likely take.
There are several benefits to RPA. It can be used to automate processes without compromising the underlying infrastructure. The bots can follow prescribed protocols and procedures with precision, increasing compliance and cost efficiencies. In addition, RPA can be less expensive to implement than other automation options, such as those that integrate machine learning or AI, and quickly deliver benefits to the business. In fact, RPA may grow to nearuniversal adoption within the next five years as companies continue to search for new ways to support digital transformation, according to a Deloitte survey.
Accounting and finance is a common focus of RPA deployment across industries for several important reasons: the high degree of accuracy and consistency required; the manual and repetitive nature of transaction processing; the need to gather information from fragmented systems; and the significant volumes of data entry, data manipulation, and report generation inherent to the function. Indeed, a significant number of roles in backoffice accounting and finance are ripe for automation, including transaction processing related to accounts payable/receivable, cash management, and project accounting as well as higher-level tasks such as closing the books, consolidating financial statements, and management reporting.
Although RPA may reduce unintentional or intentional human errors, the implementation of bots as part of a broader automation strategy presents new risks for businesses to understand and mitigate. Failure to address these considerations may result in financial losses or other business challenges. However, thoughtful accounting and finance leaders are taking steps to create governance models for their automation programs and implementing repeatable processes for selecting and developing bots, reassessing the adequacy of internal controls, and managing and monitoring the efficacy of RPA tools. Establishing an effective governance model to support digital transformation, including the use of RPA tools, can ensure that organisations remain audit ready.
Risk and Control Considerations
Chief among the risks RPA can introduce is the effect it may have on an organisation’s internal control over financial reporting (ICFR), and specifically those controls over IT. Abnormal bot activity can severely affect existing IT system functions; what’s more, failure to monitor and identify changes to algorithms supporting RPA or the data sources and applications used for automation may result in significant control failures.
From an operational perspective, consider that a single bot may perform the work of multiple employees, resulting in concentrated risk. Meanwhile, processing errors in the fast-paced environment in which bots and algorithms operate can magnify the effects of mistakes. Failure to create nimble oversight and control mechanisms can also lead to operational inefficiencies when bots or algorithms require changes.
There also are regulatory issues to consider. Bot-related errors can affect the integrity of internal and external financial reports, cybersecurity programs, and compliance with data privacy regulations, all of which can lead to direct costs to the business and reputational damage.
Teaming Up to Address Risk
It is critical for organisations to assess how digital transformation, including the use of RPA, affects risk assessments and the control environment, including standards, processes, and structures. Teams comprising IT, finance, and accounting leaders can take several steps to enable a smooth transition to automated tools.
Teams can develop a governance framework that establishes ownership and responsibility for running and maintaining bots. An effective framework creates accountability throughout the RPA life cycle: ideation of the automation strategy; design and testing of bot functionality and outputs; implementation of bots; and monitoring of bot effectiveness. Lack of an effective governance model—for example, an RPA centre of excellence—will likely limit an organisation’s ability to achieve substantial RPA scale and maximise its value.
Creating policies related to the selection, development, and use of bots within the organisation is important and can include success measurement criteria and KPIs. Appointing bot managers to oversee automated work is also beneficial. There may be opportunities to leverage existing controls when deploying bots; in fact, business and IT leaders can review the adequacy of existing controls to potentially leverage or enhance them in the robotics environment.
IT can play a critical role in user access and change management. The team can define access management by system, services, applications, and user account. In addition, they can extend existing change management models to account for the introduction of bots and track internal or external changes that could affect the bot environment and performance. Bots also can be configured to detect and report errors and raise exceptions so issues can be addressed in real time.
Education and training programs are also valuable for heading off risks. Well-constructed programs can help management, business owners, and the internal audit function develop an understanding of how bots affect risk assessment and guide which new or modified controls are necessary for automation and monitoring.
Further, leading organisations strive to remain audit ready as they enable RPA. In addition to management’s annual assessment of the company’s ICFR, they can keep external audit requirements in mind when implementing bots, communicating with auditors throughout development and implementation of RPA. Holding planning meetings and regular discussions about ICFR implications can help preparers and auditors align their thinking regarding risk assessment and the identification of relevant controls, which can ultimately streamline the audit process.