

Financial reporting RPA risks and controls

A two-part series focused on key RPA controls considerations

To take full advantage of financial reporting automation that may create efficiency and free up resources, companies must ensure that it’s being used wisely. When you consider robotic process automation (RPA) risks and controls before you deploy, and create an environment for apt and adept automation, you can be confident that the work your bots do moves your business forward.

The importance of RPA risks and controls

Companies across all industries are working to digitize parts of the business with robotic process automation (RPA), often referred to as “bots.” RPA programs use computer-coded, rules-based software bots to replicate the actions that a human would take to complete a computer-based task. The goal is to make the execution of simple tasks more efficient and effective, freeing up human capital to focus on more strategic priorities.

Gartner projects spending for RPA software to reach over $2 billion in 2022. Forrester, meanwhile, has predicted the RPA software market to total $2.9 billion in 2021. With such rapid growth and widespread adoption, companies are advised to strike the right balance between innovation and risk.

7 key steps to building an RPA controls environment

As RPA programs provide platforms that enable companies to move further along the automation spectrum toward more intelligent automation, there is a greater need to understand the appropriate level of risk with technology adoption. What is less known are the risks associated with RPA and the system of internal control. Here are seven key steps to building a risk-controlled robotic environment.


1. Establish a governance framework: An RPA risks and controls program depends on an appropriate governance model inclusive of an overall automation strategy. The clearly defined, well-documented processes and controls of an effective governance operating model directly affect an organization’s ability to address the financial and operational risks surrounding the adoption of bots.

2. Develop automation coding and configuration: As companies select their RPA platform, details of both the business and solution design requirements of relevant automation should be maintained, so internal and external auditors can perform appropriate automated control testing procedures. Companies that do not plan for appropriate documentation during the development of bots may create a gap in the system of internal control.

3. Leverage existing controls: As companies develop bots, they should assess the impacts of the bot on their existing controls. After a bot begins operating, control activities are needed to address the risks of the designed automation not operating properly. Companies could benefit from having RPA controls, such as monitoring transactional logs and unexpected activities, to make sure the automated process is completed effectively.

4. Determine access: In a traditional IT environment, there are system IDs and end-user IDs. There are the same number of IDs as business roles. Whether companies decide to deploy automation representing “digital workers” or deploy a combination of “digital workers” and humans accessing the same IT systems, distinguishing between humans accessing and bots accessing IT systems becomes ever more important.

5. Manage a changing environment: Effective change management is critical to a company’s RPA risks and controls. Existing change management models should be extended to account for the existence of bots and to track the impacts of internal or external changes—things like system upgrades, change in service providers, change in process workflows, change in reporting requirements, and even changing schedules.

6. Detect and report: When a bot fails, management should carefully evaluate the nature of the failure, any changes within the source data, and the magnitude of the failure. The results of management’s evaluation should not only be used to fix the issue with the bot’s operation, but also to evaluate the related policies and procedures within their bot development

7. Monitor and escalate: The results of an entity’s ongoing and/or separate evaluations of internal control performance should inform management as to when there may be a deficiency in their RPA risks and controls environment. Management is expected to maintain appropriately designed and effective general information technology controls for the relevant IT components associated with a digital worker, as well as policies and procedures around process governance in which bots are utilized.

To read the full paper, please download the PDF.

To read part one in our series, please see below.

For questions, contact us.

Fast, accurate, and inexpensive

RPA, unlike artificial intelligence, cognitive computing or machine learning, is unable to learn from data patterns and make judgments. A bot replicates actions that a human would take to complete a computer-based task. Bots operate in the user interface layer where they automate processes without compromising the underlying IT infrastructure. Bots follow prescribed protocols and procedures, allowing increased compliance and cost efficiencies.

RPA may be inexpensive to implement compared with other financial reporting automation technologies and can quickly provide financial and non-financial benefits.

Be external audit ready

Success requires proactive communications with auditors throughout the journey to implement RPA. Holding planning meetings and regular update discussions about the ICFR implications are encouraged practices to help preparers and auditors align their thinking regarding risk assessment and the identification of relevant controls, which will streamline the audit process.


The services described herein are illustrative in nature and are intended to demonstrate our experience and capabilities in these areas; however, due to independence restrictions that may apply to audit clients (including affiliates) of Deloitte & Touche LLP, we may be unable to provide certain services based on individual facts and circumstances.
