Thoughts on RPA, Compliance & You

Robotic process automation is one of those emerging technologies that everyone loves to talk about implementing, and that many businesses actually are implementing.  

So when Protiviti recently published an in-depth report about RPA that explores how to manage the development of RPA within a large enterprise, I read it immediately. Audit, risk, and compliance executives should give the issue some attention too, since there’s certainly a lot of risk around embracing RPA haphazardly.

First let’s remember what robotic process automation is: software that can execute several steps of a transaction without human intervention. As the Protiviti report notes, RPA mimics human actions, to relieve us carbon-based life forms of work that’s tedious and repetitive.

For example, marketing departments use RPA to automate customer outreach. You register for a vendor’s webinar, and a calendar alert appears in your email box. Attend the webinar, and 20 minutes after it ends, you get a follow-up email suggesting you download a white paper. Download the white paper, and two weeks later you get invited to a vendor appreciation event in your city. All of that is RPA.

Protiviti surveyed 450 firms across numerous industries to get a better sense of how companies are using RPA today, and how companies plan to use RPA within the next several years. The results are intriguing, and the implications are significant for compliance and audit professionals — because RPA clearly is one of those technologies that could race ahead of your ability to govern its risks.

What stood out to me? A few things.

Companies are not using RPA to cut costs. They are using it to increase productivity and strengthen competitive position. In other words, firms don’t want to adopt RPA so you can “do more with less.” (Barf.) They’re adopting RPA so employees can do more with the same, or do lots more with just a little more, or do different with the same.

You get the idea: RPA is about freeing up employee time and brainpower for other tasks.

That has many implications for audit and compliance functions. For example, the company might explore new markets or develop new products; those are strategic risks that need to be evaluated. Or customer service processes once handled by employees might now be self-service; that could bring operational risks if the RPA fails at some critical moment.

The first example shows how RPA changes a company’s risk profile by letting employees do new things. The second shows how RPA changes the risk profile by letting technology do things employees previously did. Your risk assessment capabilities will need to address both potential shifts. Do you know how to do that? Do you have the staff and expertise to do that?

Other business functions are already embracing RPA right now. Protiviti divided the 450 firms in its survey into “leaders” and “intermediates.” Among the leaders, 46 percent were already using RPA for IT management, 38 percent were using it for marketing and communications, and 30 percent for finance. Only 24 percent, however, were using RPA in auditing or compliance functions. (See chart, below. The numbers were lower across the board for intermediates, but still the same pattern.)

Source: Protiviti

This is one point where compliance and audit executives might experience RPA differently. For example, compliance functions could use RPA to integrate third-party due diligence and training: your compliance technology performs due diligence on a party, determines its likely risks, and spits out some automated requirement for that party to take your anti-corruption training. That’s RPA for your function (assuming you have a vendor that can do this).

Audit executives are in a somewhat different boat, because if you want to audit another function’s use of RPA, they need to implement RPA first. I’ve heard this several times from audit executives, who essentially say, “The finance function is going to embrace RPA this year. We’re waiting for that, so then we’ll have data on every single transaction and won’t need to rely on samples and testing any more.”

That’s reasonable enough, but we’re back to that dynamic of other functions implementing RPA ahead of compliance, audit, and other risk assurance functions — who should be involved in those adoption plans, to be sure nobody embraces RPA without understanding the risks.

Which brings us to…

Not enough companies are involving compliance and audit in RPA projects. Protiviti found that among RPA beginners, 61 percent said new RPA projects are approved by department heads, while only 3 percent use a team or committee for approvals. Among the advanced group, 32 percent used a team or committee, but even in this group, 34 percent still let department heads approve their own projects.

Compliance and audit professionals should feel icky about those numbers. Companies are going to embrace RPA much more in years to come; if you look at statistics about how companies plan to embrace RPA several years in the future, those numbers are huge. So audit and compliance executives should be involved in deciding today how those projects of tomorrow get approved. Right now, not enough of you are.

Plan Now for RPA Later

Don’t get me wrong; I’m enthusiastic about RPA’s potential. Compliance officers could use it for due diligence, supply chain certifications, training, and the like. IT departments could use RPA to shore up weak spots such as access control, the provisioning of services, and the termination of services and access when an employee departs. Audit executives could use RPA for better testing of internal controls and to get much closer to continuous controls auditing.

Managing the risks of that business transformation, however, will be tricky. In some ways RPA could be a lot like the embrace of social media or cloud-based services — different parts of the enterprise jump onto the technology with both feet, before fully understanding new risks created or old risks magnified. The best way to prevent that is a prudent, thoughtful, collaborative approach to embracing new technology.

Which, of course, happens in Corporate America all the time. Right? Right?
