Many finance and accounting teams, under immense pressure and facing resourcing challenges stemming from the pandemic, are turning to automation for answers. The automation space, which grew at a compound annual growth rate of 30% from 2017 through 2022, must now also contend with COVID-19 as an accelerant.
While intelligent and cognitive automation is now on the scene, robotic process automation (RPA or “bots”) remains an essential steppingstone in bringing automation into an organization’s operations — and one that stands to yield significant advantages and benefits.
RPA specifically can help reduce inefficiencies and streamline mundane processes, enabling CFOs and finance teams to focus on more strategic priorities that demand their attention, including more frequent forecasting and analysis and heightened communications with investors about shifting market risks.
There are many recognized benefits to RPA. Adopting companies report cost savings, greater worker productivity, and the ability to scale operations faster. But many finance departments have expressed hesitancy about leveraging bots despite great interest in the technology. The hesitation is primarily due to concerns about unintended consequences that could impact implementation and create a host of other issues, such as restatements and regulatory matters.
Companies must be aware of the risks associated with redesigning, digitizing, and automating a process. They also have to be mindful of the need for an internal control system to achieve the desired quality and governance needed to leverage bots effectively.
To that end, CFOs need a well-rounded strategy that can bring about RPA’s full potential. Striking the right balance between innovation and risk is key to long-term success. Fear of the unknown should not outweigh the benefits RPA can provide, especially when unintended consequences can be anticipated and minimized. That can be done by evaluating and creating a response to common RPA risks and challenges.
The following are guidelines that can help CFOs and their business and technology teams work through some more common RPA challenges.
Controlling User Access
RPA involves giving users access to bots and assigning bot management to humans — a concept related to the segregation of duties (SOD). If not managed carefully, organizations can unwittingly introduce weaknesses in user access that can, in turn, create fraud and exploitation opportunities. This is particularly concerning when a human manager’s system access conflicts with the bot’s system access or when a human manages multiple bots with conflicting system accesses. Gartner predicts that through 2020, 25% of large enterprises will experience insider fraud due to the lack of proper SOD controls around RPA.
As bots are developed and granted system access, finance organizations — in coordination with their CIOs and IT teams — can follow an identity access management framework (IAM) and questionnaire to circumvent user access risks. For finance professionals, questions like, “Which controls are required to detect and protect exploitation of bot credentials?” and “Can bots be misused to trigger attacks on partners?” are important for effective bot management, especially as it pertains to establishing sound financial controls and managing related fraud risks.
Bot identity management frameworks like this can ultimately help executives anticipate and remove some of the critical conflicts of interest that may arise for humans and bots in the system and other risks related to security, password management, and user access certification.
Enhancing Existing Controls
Once a bot begins operating, control activities must ensure that the bot continues to function correctly. Even though bots can automate the execution of tasks and business activities faster, more consistently, and with minimal error, they cannot replicate human judgment. Bots that are not properly designed, operate in changing business processes, or lack adequate monitoring controls run the risk of inadvertently impacting existing controls or introducing errors. For example, unintended Sarbanes-Oxley (SOX) compliance violations could result.
Therefore, it is critical that companies review existing internal controls and make updates or create new controls that may be needed to ensure that bots monitoring transactional logs or other important finance processes function properly. Thankfully, IT and finance can pinpoint red flags in the early stages of RPA development, testing, and deployment to assess the risks associated with implementation and to maintain an effective control environment.
Managing a Changing Environment
Of course, evaluating the controls environment is never a once-and-done exercise, regardless of whether it is for RPA or something else. There are many factors, both internal to organizations and external in the operating environment, that can impact controls. Changes like new accounting standard updates or shifts in service providers may affect existing bots. For this, organizations will need to determine that processes are in place to track and quickly address any new forces that can have a downstream effect on how bots function within the business.
Technology aside, the introduction of digital technologies also frequently signals changes to structures and teams. For finance teams, this means that many of the manual tasks they used to do are likely to be automated. From a human capital perspective, finance leaders must outline their digital transformation strategies and help employees understand how their new digital co-workers will impact their roles. In most scenarios, bots won’t eliminate jobs, but rather allow CFOs to redirect their teams toward more value-added tasks.
The appetite for RPA is no doubt growing, and the pandemic may be the unintended nudge finance teams needed to kickstart this part of their digital transformations. Automation technologies continue to change while providing a solid foundation for organizations to reap the benefits of the future of work rapidly. Companies that have not yet implemented RPA into their financial processes should note the successes their industry peers are experiencing and consider adoption to aid in their efforts to achieve long-term growth and resiliency. And when they do, adhering to smart and tactical planning may help them avoid unintended consequences and find success.
Scott Szalony is a leader of Deloitte’s digital controllership and finance transformation support. Valeriy Dokshukin is a Deloitte Risk & Financial Advisory leader in digital controllership and intelligent automation.
This publication contains general information only and Deloitte is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this publication.
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. In the United States, Deloitte refers to one or more of the US member firms of DTTL, their related entities that operate using the “Deloitte” name in the United States, and their respective affiliates. Certain services may not be available to attest clients under the rules and regulations of public accounting. Please see www.deloitte.com/about to learn more about our global network of member firms.
Copyright © 2020 Deloitte Development LLC. All rights reserved.