Many finance and accounting teams, under immense pressure and facing resourcing challenges stemming from the pandemic, are turning to automation for answers. The automation space, which grew at a compound annual growth rate of 30% from 2017 through 2022, must now also contend with COVID-19 as an accelerant.
While intelligent and cognitive automation is now on the scene, robotic process automation (RPA or “bots”) remains an essential steppingstone in bringing automation into an organization’s operations — and one that stands to yield significant advantages and benefits.
There are many recognized benefits to RPA. Adopting companies report cost savings, greater worker productivity, and the ability to scale operations faster. But many finance departments have expressed hesitancy about leveraging bots despite great interest in the technology. The hesitation is primarily due to concerns about unintended consequences that could impact implementation and create a host of other issues, such as restatements and regulatory matters.
Companies must be aware of the risks associated with redesigning, digitizing, and automating a process. They also have to be mindful of the need for an internal control system to achieve the desired quality and governance needed to leverage bots effectively.
The following are guidelines that can help CFOs and their business and technology teams work through some more common RPA challenges.
Controlling User Access
RPA involves giving users access to bots and assigning bot management to humans — a concept related to the segregation of duties (SOD). If not managed carefully, organizations can unwittingly introduce weaknesses in user access that can, in turn, create fraud and exploitation opportunities. This is particularly concerning when a human manager’s system access conflicts with the bot’s system access or when a human manages multiple bots with conflicting system accesses. Gartner predicts that through 2020, 25% of large enterprises will experience insider fraud due to the lack of proper SOD controls around RPA.
As bots are developed and granted system access, finance organizations — in coordination with their CIOs and IT teams — can follow an identity access management framework (IAM) and questionnaire to circumvent user access risks. For finance professionals, questions like, “Which controls are required to detect and protect exploitation of bot credentials?” and “Can bots be misused to trigger attacks on partners?” are important for effective bot management, especially as it pertains to establishing sound financial controls and managing related fraud risks.
Enhancing Existing Controls
Once a bot begins operating, control activities must ensure that the bot continues to function correctly. Even though bots can automate the execution of tasks and business activities faster, more consistently, and with minimal error, they cannot replicate human judgment. Bots that are not properly designed, operate in changing business processes, or lack adequate monitoring controls run the risk of inadvertently impacting existing controls or introducing errors. For example, unintended Sarbanes-Oxley (SOX) compliance violations could result.
Therefore, it is critical that companies review existing internal controls and make updates or create new controls that may be needed to ensure that bots monitoring transactional logs or other important finance processes function properly. Thankfully, IT and finance can pinpoint red flags in the early stages of RPA development, testing, and deployment to assess the risks associated with implementation and to maintain an effective control environment.
Managing a Changing Environment
Of course, evaluating the controls environment is never a once-and-done exercise, regardless of whether it is for RPA or something else. There are many factors, both internal to organizations and external in the operating environment, that can impact controls. Changes like new accounting standard updates or shifts in service providers may affect existing bots. For this, organizations will need to determine that processes are in place to track and quickly address any new forces that can have a downstream effect on how bots function within the business.
Companies that have not yet implemented RPA into their financial processes should note the successes their industry peers are experiencing and consider adoption to aid in their efforts to achieve long-term growth and resiliency. And when they do, adhering to smart and tactical planning may help them avoid unintended consequences and find success.
Scott Szalony is a leader of Deloitte’s digital controllership and finance transformation support. Valeriy Dokshukin is a Deloitte Risk & Financial Advisory leader in digital controllership and intelligent automation.