One of the key benefits of implementing robotic process automation (RPA) is the ability to quickly launch automated processes in limited scope while standardizing the processes as you go. But rapid deployment also presents several potential risks for Sarbanes-Oxley project management teams to assess and monitor.
Gartner’s Future of Finance research recently identified RPA as putting internal controls at risk, as a rush to adoption has created risk management blind spots.
Accountability and governance throughout the RPA lifecycle are essential for mitigating fraud and maintaining effective controls. Further, not having a clear enterprise-wide structure for roles and responsibilities on an RPA team risks leaving gaps in qualifications for the people completing the duties and providing the oversight that RPA requires.
Organizations typically launch RPA governance programs in one of three models: centralized, federated, or decentralized.
Centralized models concentrate governance in a center of excellence, which makes it possible to develop standards that mitigate controls risk across the enterprise. Decentralized models disperse governance across the business units that deploy their own RPA programs, with the potential benefit of more flexibility.
Gartner’s 2019 State of RPA Survey shows that 85% of organizations rely on centers of excellence, which necessitate a centralized or federated governance model.
Starting with a centralized model allows organizations to get a firm handle on risk-screening protocols, with the benefit of evolving toward a decentralized model in the future. As an RPA program matures, organizations can right-size their operating model by deciding what to pare back or scale up — all with the assurance that the right controls are in place — to end up with something more flexible, such as a federated or decentralized model.
Case Study: Business-First RPA Screening
One example of that approach is a large technology firm that benefited from centralizing first, which allowed it to clarify where its RPA use cases would and would not have implications for the internal controls team.
The company determined that its SOX team spent too much time reviewing RPA use cases for internal controls impact. Instead, it wanted the team to maximize the use of its expertise by spending time on higher-level issues related to SOX screening, as opposed to screening every low-level request relating to RPA.
By implementing a “business-first” SOX screening process — where business units lead a decentralized RPA screening process as opposed to having a center of excellence that scrutinizes every use case — the team now has more time to thoroughly assess use cases flagged for potential SOX impact and determine the next steps for mitigating risk.
Many organizations have their SOX teams review all RPA use cases. But when designing its approach, the company knew that spending so much time on review would be unnecessary, because its RPA program was structured to have little SOX impact.
The company’s SOX project management office created screening guidelines to enable its business-first RPA screening approach. These illustrative guidelines, in the form of screening questions, help process owners gauge potential SOX impact.
The screening questions include:
- Is the proposed RPA process automating any existing SOX control(s)?
- Is the proposed RPA process automating any review steps within existing controls?
- Will the proposed RPA process impact key system-generated or system-ingested reports already in scope for SOX?
- Is there any impact to upstream or downstream processes or controls?
If the answer to any of the above questions is yes or unclear, the business process owner notifies the SOX team, which performs a standard impact analysis.
This analysis includes a review of process flows and a walk-through with staff who perform the task that would be automated.
The company’s approach for business-first internal controls screening of RPA allows the small SOX program management office to make the best use of its expertise to drive value. The team can confine its direct involvement to demonstrating the proposed RPA process with the business during the user review phase, including the Business Requirement Document and process flows.
This saves time and unlocks SOX staff resources for higher-value work, such as direct risk mitigation, control design improvement, and end-to-end process reviews.
At a high level, this approach also improves the organization’s broader controls environment. Not only are RPA process owners more accountable for assessing SOX impact, but business and finance teams have a greater sense of ownership over financial reporting risk, thereby raising the level of internal controls awareness throughout the organization.
Hilary Richards is a vice president, advisory, at Gartner.