Financial reporting RPA risks and controls

1. Establish a governance framework: An RPA risks and controls program depends on an appropriate governance model inclusive of an overall automation strategy. The clearly defined, well-documented processes and controls of an effective governance operating model directly affect an organization’s ability to address the financial and operational risks surrounding the adoption of bots.

2. Develop automation coding and configuration: As companies select their RPA platform, details of both the business and solution design requirements of relevant automation should be maintained, so internal and external auditors can perform appropriate automated control testing procedures. Companies that do not plan for appropriate documentation during the development of bots may create a gap in the system of internal control.

3. Leverage existing controls: As companies develop bots, they should assess the impacts of the bot on its existing controls. After a bot begins operating, control activities are needed to address the risks of the designed automation not operating properly. Companies could benefit from having RPA controls, such as monitoring transactional logs and unexpected activities, to make sure the automated process is completed effectively.

4. Determine access: In a traditional IT environment, there are system IDs and end-user IDs. There are the same number of IDs as business roles. Whether companies decide to deploy automation representing “digital workers” or deploy a combination of “digital workers” and humans accessing the same IT systems, distinguishing between humans accessing and bots accessing IT systems becomes ever more important.

5. Manage a changing environment: Effective change management is critical to a company’s RPA risks and controls. Existing change management models should be extended to account for the existence of bots and to track the impacts of internal or external changes—things like system upgrades, change in service providers, change in process workflows, change in reporting requirements, and even changing schedules.

6. Detect and report: When a bot fails, management should carefully evaluate the nature of the failure, any changes within the source data, and the magnitude of the failure. The results of management’s evaluation should not only be used to fix the issue with the bot’s operation, but also to evaluate the related policies and procedures within their bot development

7. Monitor and escalate: The results of an entity’s ongoing and/or separate evaluations of internal control performance should inform management as to when there may be a deficiency in their RPA risks and controls environment. Management is expected to maintain appropriately designed and effective general information technology controls for the relevant IT components associated with a digital worker, as well as policies and procedures around process governance in which bots are utilized.