Adopting robotic process automation in Internal Audit

Using robotic process automation to fortify the third line of defense

With automation technologies advancing quickly and early adopters demonstrating their effectiveness, now is the time to understand and prioritize opportunities for Internal Audit robotic process automation, and to take important steps to prepare for thoughtful, progressive deployment.

Internal Audit begins an automation journey

The age of automation is here, and with it come opportunities for integrating Internal Audit (IA) robotic process automation (RPA) into the third line of defense (aka Internal Audit). IA departments, large and small, have already begun their journey into the world of automation by expanding their use of traditional analytics to include predictive models, RPA, and cognitive intelligence (CI). This is leading to quality enhancements, risk reductions, and time savings—not to mention increased risk intelligence.

Disruptive automation technologies

The automation spectrum, as we define it, comprises a broad range of digital technologies. As shown below, at one end are predictive models and tools for data integration and visualization. At the other end are advanced technologies with cognitive elements that mimic human behavior.

Many IA organizations are familiar with the first part of the automation spectrum, having already established foundational data integration and analytics programs to enhance the risk assessment, audit fieldwork, and reporting processes. As these organizations work their way across this continuum, some have begun to adopt Internal Audit RPA in conjunction with certain CI tools, collectively known as RPA&CI, to help drive efficiency and effectiveness, expand capacity, boost quality, and enable greater audit coverage. Machine learning and artificial intelligence (AI) are at the far end of this range, with fewer organizations having reached this level of digital maturity. But this situation is changing fast.

Cognitive technologies are expected to become more prevalent in the near future as early adopters demonstrate their ability to enhance the value proposition of the internal audit function. For example, some IA organizations have effectively piloted the use of AI to proactively identify emerging risks for risk assessments. With IA departments starting to extend into the far end of the spectrum, the future of Internal Audit RPA is now.

The benefits of embedding automation

As illustrated below, there are many ways IA can leverage automation capabilities throughout the audit life cycle, including risk assessments, audit planning, fieldwork, and reporting.

Here are a few examples of how investments in Internal Audit robotic process automation technologies can yield positive returns by improving the effectiveness and efficiency of audit processes and providing greater insight to the business:

  • Better use of scarce resources. By replacing manual activities, Internal Audit RPA can free up capacity for teams, allowing personnel to focus on higher-value activities, such as quality assurance reviews, exception management, process improvement, and interpersonal interactions. In turn, this shift toward value-added activities can improve operating effectiveness, allowing the IA organization to keep pace with business changes and the associated impact.
  • Increased efficiency and reduced costs. RPA&CI can operate and execute audit tasks around the clock at an accelerated pace (in many cases, more than 90 percent faster than manual processes). By reducing time-consuming manual activities, Internal Audit automation can lead to significant cost savings.
  • Higher quality output. RPA&CI enables tasks to be performed more uniformly and efficiently. Plus, the results are highly traceable and auditable. With inherent process standardization, fewer manual errors are likely to occur, which improves the accuracy and quality of audits. When mistakes, manual or otherwise, are made, they can be detected more readily and rectified more easily due to the systematic nature of the process.
  • More business value. Nearly every IA organization seeks to increase assurance and coverage. RPA&CI furthers this goal by enabling IA to move from statistical sampling to full population testing. These technologies can also enable organizations to increase the frequency of testing and, in many cases, transition to a continuous auditing model for providing more timely insights to the business. As technologies evolve, business value is expected to increase in tandem, enabling proactive insights and root cause analysis in reporting.

Three steps to consider when getting started

There are three key steps for IA organizations to take as they embark on their journey to automate audit processes.

Step 1: Clearly define the vision and strategy for automation

As a first step, leaders should review the current state of the IA organization to understand where and how Internal Audit automation technologies can be embedded and to identify reasons for doing so. An organization's vision and strategy for automation could span a single application or an entire transformation. For instance, an organization may wish to automate:

  • Test steps within a single audit or process
  • A data extraction process to supply standardized information for use within multiple processes or audits
  • Operational activities such as hours tracking, board reporting, or managing certifications and continuing professional education (CPE) credits

Whether IA envisions leveraging automation to accomplish one or more of the above, or something else entirely, a strategy for the transformation should be articulated and communicated up front.

Step 2: Build a foundational infrastructure to support deployment of automation capabilities

This is necessary to facilitate an effective implementation, ongoing maintenance, and risk mitigation. It's important that the operating and governance framework isn't designed in a vacuum, and that it aligns to enterprise standards and leading practices that exist within the organization. Some key components of this infrastructure include:


  • Enhanced governance. This begins with defining roles, responsibilities, and structures for identifying which tests and processes are the most promising candidates for Internal Audit automation. A governance framework should also address processes for approving designs and deployment methods, along with developing standardized documentation.
  • Change management. Change is inevitable. That's why it's essential to have protocols for monitoring and addressing changes to the automated tests and processes themselves, as well as for handling associated downstream impacts.
  • Continuous testing and monitoring. Due to the dynamic nature of business processes, periodic quality assurance testing is imperative. Furthermore, testing and monitoring should be done frequently enough to keep up with the changing environment.
  • Exception handling and processing. A framework and process should be developed to triage issues that may arise, differentiating between operational and technical exceptions and routing them appropriately.
  • Skill sets and training. Utilizing automation and cognitive intelligence tools often requires IT and data-science skill sets that are not native to a traditional Internal Audit organization. Program leaders should conduct ongoing capability assessments, either providing roles-based training to supplement gaps or onboarding new resources as necessary.


Step 3: Develop a target-state operating model to support and sustain automation

The target-state operating model should be a natural extension of the existing IA operating model, but it will have some key differences with respect to the interplay of people, process, and technology. The IA function should consider where it stands with respect to these three components, as seen below.


Once the IA function has considered how automation can reshape its operating model in terms of people, processes, and technologies, it should also consider how the target state integrates with the larger organization's automation initiatives. For instance, automation frameworks and governance structures may already exist within a center of excellence or global business process organization. IA should also explore whether other functions could benefit from similar automation technologies. For instance, it's conceivable that risk and compliance could leverage the same or similar robotics logic as IA plans to use in audit testing. Accordingly, a shared services model or a collaborative rollout may be a cost-effective option for deployment.
