How Audits will change due to RPA

We can read plenty of articles how (in-house) Robotic Process Automation can help External and Internal Auditors to conduct their jobs faster and more accurately (especially when going through large datasets entirely without sampling), by automating their own tasks they were performing manually so far, but we can seldom read anything about whether they should use a whole new approach for their clients, who are already using RPA company-wide.

There are 3 types of audit risks:

• Inherent Risk: inherited from the nature and complexity of the business, and can't be protected or detected by internal controls
• Control Risk: Internal Control failures that can cause material misstatements
• Detection Risk: External Audit failures that can cause incorrect opinion on the financial statements

External auditors are mainly using RPA to lower their Detection Risk, which in itself is a positive step towards increasing accuracy. But the presence of RPA can either impose or lower the risk of financial misstatements, and no one yet is really paying attention on what's going on in this field. I think we should catch the errors where they origin, and not only using preventive and detective actions against them.

How RPA can lower risk

When robotic solutions are built properly, RPA will conduct its activities based on the pre-set business rules that have been built into them. That's meaning two things: (1) there won't be any processing errors due to tiredness of monotony or because of a low level or lack of training, and (2) the robots will not improvise when facing a condition it is not set up to handle, so the standards will be kept in all circumstances.

In addition to these, advanced RPA softwares have built-in version control, and can create logs automatically about the process paths, decision stages, and variables, so we can fairly easily reverse-engineer how an item has been processed. So by lowering operational risk, it will increase the accuracy of financial figures.

How RPA can impose risk

Lowering risk had a single, but nevertheless highly complex condition:

"When robotic solutions are built properly..."

Even though RPA capabilities must have built-in controls in their Delivery Methodologies to ensure high quality standards within their deployed robotic solutions, and should examine a process with full business understanding, we can often see for example that:

• Process Definition Documents are created inaccurately and/or incompletely about the process that is about to get automated,
• The process flow won't be optimised before getting automated, they just implement the same steps they see on the floor being conducted for years,
• Solution Design Documents (which are basically the plans of robotic process flows) are not prepared in advance, so there's no control over improper PDDs, and they start to firefight during development
• And - if created - all these documents are getting signed off by the Process Owners far too quickly to say they reviewed them thoroughly.

In addition to the above, inexperienced RPA teams tend to take on much more complex processes for the sake of showing high results, than they are capable of delivering.

The biggest risk in short: inefficient processes are getting automated improperly. By the time Internal or External Auditors would unveil these faulty processes, the impact on the firm could be tremendously significant. And when they decide to return to manual processing to correct the mistakes, the lost knowledge due to deficient documents that they have about the processes will hinder their success.

What we can do about it

RPA impacts Operational and Audit risks, there's no doubt about that. The questions are:

• Are we able to measure RPA's impact on these risks?
• Are our relevant Internal Controls still able to detect these risks?
• What can Internal Auditors do to mitigate the impact and eliminate the cause?
• What can External Auditors do to still ensure proper financial figures in a changed environment RPA creates?

It might be a solution, if we would conduct audits from time to time on the execution of RPA Delivery Methodologies by examining whether critical business processes have been properly documented before, during and after developments, and how these are automated by the RPA tools in hand, to check the quality of the firms' robotic workforce, and the business continuity plan/readiness upon failover.

So instead of just using RPA to assist during audits, first it should be examined, if RPA is not doing anything out-of-ordinary. We need RPA Surveillance and Forensics.

How Audits will change

Once we made sure that RPA is in fact eliminating operational risk, hence reduces the audit risk significantly, the time (and money) spent on performing external and internal audits can be significantly lowered. Instead of a thorough examination on entire datasets, only certain areas would need to be checked carefully, so they can focus more on checking the possible risks and compliance breaches of newly implemented robotic processes, since RPA together with relevant Internal Controls are ensuring that the rest of the business processes are working just fine.

What do you think how will RPA change the way we think about finance, accounting, financial controls, and business operations in general?

#RPA #Budapest #Hungary #RoboticProcessAutomation