Editor's Note: CGI Federal Director of Consulting Services Sean Connell also contributed to this blog post.
Among the benefits of robotic process automation (RPA) is the potential to improve auditability by providing an audit trail for processes that previously were performed outside of any system, and by automating processes that are sensitive to human error or that pose security risks when done manually. As a consultancy that supports its customers in consistently obtaining clean audit opinions, CGI recognizes not only the impact of these benefits, but also the need to ensure RPA implementations do not adversely impact an agency’s audit. As a best practice, audit risks must be identified and mitigated from the outset of any RPA project.
Auditors are concerned with delivering an independent attestation that the processes and data under review adhere to relevant standards and that results are accurate, timely, and secure. To accomplish this, auditors review implementation of controls for areas such as physical access, separation of duties, and process contingencies to ensure compliance. As agencies implement automation, those processes will take their place as potential subjects of audit. For a look at one way to ensure RPA implementations run well, read “5 reasons you need a Robotic Operations Center for RPA,” by Sourabh Pawar.
Auditable components of an RPA project include the RPA tool itself, the systems the software robots (or bots) touch, and the controls around bot development and operations. Any of these components could be included in a financial, performance, or other audit originating from within an agency, or from outside organizations such as the Government Accountability Office. During an audit, auditors will review bot actions and the RPA implementation controls for compliance, like any other aspect of the audited processes.
Agencies can prepare for audits by being aware of the questions auditors might consider as they do their work, which can include:
- Is there enough contextual information to reconcile the RPA platform log with the system(s) audit log to ensure bots are doing what we thought they were doing?
- Do we adequately control access to bot credentials and ensure bot developers cannot gain unwarranted access to systems?
- Do we have proper controls over who can provision and make updates to bots?
- Are rules pertaining to segregation of duties being applied to our bots and to the bot developers?
- Are bots writing, storing, or transporting sensitive data?
- Updates to interfacing systems can cause a bot to malfunction. Is there a process to mitigate this?
- Are procedures in place to handle error cases in a timely manner?
Ensure audit is a proactive consideration
Ensuring these and other audit considerations are accounted for requires early and frequent involvement of agency audit staff. Upfront audit guidance will help avoid bad decisions that could lead to costly future rework and possibly imperil project success.
Two examples where this guidance could be useful come to mind.
First, determining the type of robot to use could be dependent upon audit requirements. Attended robots resident on a worker’s computer can perform tasks within systems the worker can access. For example, an attended bot could take data from a spreadsheet the worker updates and create purchase order line items in a purchasing system using the worker’s credentials. Is this level of automation acceptable to auditors even though the purchasing system will have no record that a robot created the line items?
What if the robot goes a step further and submits the transaction, resulting in updates to the general ledger that are associated with the human user ID? If auditability requirements are such that recording the robotic actions in the RPA platform log is not adequate, an agency may determine that an attended robot cannot be used and that an unattended robot with its own credentials must be used instead.
The second scenario is data ownership. Many software companies offer RPA platforms and services. What happens if you switch providers? Do you own the automations and audit logs in the RPA platform? Audit requirements will certainly affect how you need to answer these questions. The cost of RPA tools is relatively small compared to overall implementation costs. Don’t allow cost to drive decisions that might result in unfavorable audit findings; take care to ensure ownership rights are protected.
As with any IT project, involvement of the right stakeholders is key to RPA success. As we have shown above, including the audit function in your RPA project from the beginning will help you make the right decisions and ensure audit issues will not derail your project. Even better, having an audit-approved governance process in place will streamline your path to successfully audited RPA processes.
To learn more about CGI Federal’s work in RPA and other aspects of intelligent automation, download our white paper, “Intelligent automation opportunities in the federal government.”