Auditing Robotic Process Automation (RPA)

How to audit Robotic Process Automation (RPA)

Robotic process automation (RPA) is automation of a process by using software with artificial intelligence (AI) and machine learning capabilities to handle high-volume, repeatable tasks needed people to do.

A number of years back this had started with OCR based data entry into EPR’s especially around accounts payable. Recently with the advent of AI and ML, RPA has learning capabilities which enable them to be implemented in a number of new areas.

As a result business have started to consider RPA’s and Gartner predicts RPA software spending to reach $1 billion by 2020 with a compound annual growth rate of 41 percent.

As auditors (Internal or external) one needs to understand how to audit RPA to ensure risks around that process are well managed.

The key areas to consider during and audit are:

• Change Management:The auditor needs to understand the controls that exist over changes to the RPA technology. Which includes changes to the logic of the RPA e.g which field to save or which field to add etc., type of transactions to consider, ensuring the right person approved the change, the change was implemented as per the companies change management process.

• Error Reports: Most people assume a software once implemented will work correctly without monitoring. However, RPA is not your typical software as it is processing live transactions automatically and users or processes generating those transactions could change things which will impact how the RPA handles them. The only way to know if all is well in a RPA is by reviewing error reports on a regular basis to ensure that the logic based on which the RPA was build has not changed or inputs coming in the RPA have not changed in anyway.

As a result the auditor needs to ensure that management if getting such error reports, they are being reviewed and action           is being taken on any errors showing up in the reports.

• API’s (or application program interface): The RPA is linked to other applications with API or application program interface, which basically a data pipe transferring data processed by the RPA into the main application where the data is stored by the business. Take Accounts Payable as an example where a RPA has been implemented to scan invoices and extract data to be entered into the ERP. In this instance the RPA will extract all the required data and transfer that to the ERP via a API on a set frequency.

Here the auditor needs to ensure that the API is working properly and the business is monitoring the API. This done to             ensure all data is transferred from the RPA to the processing application or all is received by the RPA. E.g. if the RPA is             processing 1000 invoices a day monitoring of the API will ensure that all data related to all the 1000 invoices has been               transferred to the ERP and we have not missed any transaction.

• Accuracy: Businesses need to monitor the processing accuracy of the RPA to ensure it is effective and providing the level of automation that it was built for. Typically this would be done with some level of quality checks on the RPA outputs. As an auditor one needs to ensure such checks exist and also that the level of errors from these checks are not increasing or changing month on month.

• Business Continuity: Things have a tendency to break and business need to think about contingencies when they do break. In a process which has been automated by robotics business need to think how they will respond if the software has issues. As auditors we need to look at this plan to ensure it is robust and tested.

G R A N D M A R K & Associates works clients implementing RPA to ensure risks are well managed. If you are looking to implement RPA you could connect with us.