Presentation is loading. Please wait.

Presentation is loading. Please wait.

Robotics Process Automation (RPA) - Not Your Average Macro!

Published byArnold Claussen Modified over 5 years ago

Similar presentations

Presentation on theme: "Robotics Process Automation (RPA) - Not Your Average Macro!"— Presentation transcript:

1 Robotics Process Automation (RPA) - Not Your Average Macro!
Monday, August 19, 2019 1:30 PM - 2:55 PM CST Vlad Liska, CIA, CISA, CRMA Vice President and Senior Audit Manager Bank of the West 1

2 Learning Objectives Understand what is Robotics Process Automation (RPA) and why you should care Explore the risk profile impacting people, process, and technology of this emerging technology Develop and execute an audit program covering Governance, Risk management, and internal Controls 2

3 Bots are NOT a physical robots
What is RPA? RPA (Robotic Process Automation) is using software robots (“bots”) to automate manual repetitive business processes using existing applications, resources, and architecture X Automates mundane, routine rule-based tasks Introduces digital workforce that co-exists with humans Recent PwC estimates suggest 45% of work activities can be automated (Source: ‘Organizing your future with robotic process automation’, PwC, 2016) Bots are NOT a physical robots 3

4 What are the benefits of RPA?
Productivity High volume in less time Scalability Quick ramp up/down Accuracy 0% error rate Availability Bots don’t sleep! Predictability 100% consistent output Audit Trail All activity logged Sample functions: opening s, moving files, extracting structured data, calculations, filling in forms, merging data, etc. 4

5 Evolution of RPA Basics of RPA have a long history…
Sample RPA platforms today include: Blue Prism, Automation Anywhere, UIPath, WorkFusion, Pegasystems, NICE, etc. 5

6 Intelligence Continuum
Source: Protiviti Inc., 2018 6

7 How is RPA implemented - Technical
Bots execute scripted procedures by emulating a user’s actions to complete a series of tasks (similar to testing automation) The Bots interact with GUI applications at an object level (were possible) Bots also access resources like structured data (XML, spreadsheets, etc.), databases, and web services Using Windows Active Directory (AD) and a secure credentials manager; Bot Access = User Access The Bot is simply a Windows Service running on the VDI desktop with existing applications 7

8 How is RPA implemented - Organizational
Concept of a Center of Excellence (COE) Assessment Framework 8

9 RPA Use Case – Sample 1 Example HR Use Case – Saving from the Onboarding System Execute assigned tasks in system and save results on specific share drive Rename file to match the candidate name Log-in to Onboarding System Select each “Open Task” File “Save As” to Share Drive Rename File to Match Candidates Name Monitoring Control – Daily Processing Report (example): 9

10 Log-in to Marketing System
RPA Use Case – Sample 2 Example Business Use Case – Leads Management Transfer prospects from marketing system to CRM system Distribute prospects to assigned Bankers Log-in to Marketing System Copy Lead Information Paste in CRM System Send to Bankers Monitoring Control – Daily Processing Report (example): 10

11 Risk Profile for RPA Depends on the risk profile of the underlying business process and technology deployed However, there are some risks specific to RPA Bots failing due to IT and business processes changes Innate rules not captured (as bots are literal) Poor process mapping causes bots to fail Systematic and widespread errors (due to bots being consistently wrong) HR risk of robotics automation (automation anxiety and resistance; perception of bots taking jobs) 11

12 Additional Common RPA Risks
Source: Protiviti Inc., 2018 12

13 Example Audit Scope Key processes include:
Governance which includes organization, strategy, architecture, and program / project management Risk Management which includes risk identification, assessment, and mitigation Internal control which includes security management, business continuity and disaster recovery, file transfers and interfaces, vendor management, change and release management, incident and problem management, capacity management, data management, and backup & recovery 13

14 Audit Execution - Governance
Organization & Oversight - To validate the organizational structure appropriately supports robotics process automation through established frameworks and management oversight of the process Risk(s): (A) Lack of a well-defined governance framework may increase operational, financial and legal / compliance risks; (B) Lack of governance and oversight results in the disruption of systems, data loss and/or negative exposure; (C) Lack of enforcement of policies and procedures results in non-compliance of Bank standards 14

15 Audit Execution - Governance
Program Management & SLDC - To validate management has established a standardized process for the development of automation aligned to the Bank’s standards Risk(s): (A) Lack of coverage within guidance documents or policies over key development or operational activities; (B) Program Management is insufficient to facilitate the achievement of the program goals and objectives; (C) Automation work is not initiated and governed to achieve the intended business objectives; (D) Incomplete or inaccurate testing of implementation may result in a system that may have missing or erroneous functionality and that does meet business requirements 15

16 Audit Execution - Governance
RPA Strategy - To validate a strategic roadmap that presents the short/long term goals related to the usage of robotic process automation (RPA) Risk(s): (A) RPA Roadmap and Strategy is not aligned with business needs and does not include the required elements including schedules or budget resulting in inadequate prioritization on planning, resources, or technologies that support strategic initiatives; (B) Lack of strategic oversight prevents managerial awareness of activities and events 16

17 Audit Execution - Risk Management
Risk Management - Verify that RPA-related risks are identified, assessed and reduced to levels of tolerance set by enterprise executive management Risk(s): (A) Risk metrics are not collected or analyzed; (B) A risk profile is not maintained; (C) Risk is not adequately mitigated; (D) Risk assessments around RPA are not performed 17

18 Audit Execution - Internal Control
Security Management - Access is approved, updated, and revoked by appropriate manager in accordance with Policy. Access is reviewed periodically for appropriateness (including both roles and permissions). Periodically, privileged access is also reviewed for reasonableness Risk(s): (A) Inappropriate or excessive access to systems, resulting in loss of system or operational integrity; (B) RPA infrastructure may not be configured correctly resulting in instability and security vulnerabilities which could impact business operations; (C) Unauthorized changes to Blue Prism or the bots are not detected 18

19 Audit Execution - Internal Control
File Transfer & Interfaces - Monitoring processes are in place to help ensure availability of interfaces. Processes are in place to ensure data is timely, complete, and accurate for transmissions. Processes exist to identify and resolve potential data errors on interfaces and data transmission (such as duplicate transmissions). File transmissions and interface connections are encrypted Risk(s): (A) Processing is disrupted due to system unavailability; (B) Sensitive data is compromised during transmission 19

20 Audit Execution - Internal Control
Vendor Management - Valid, reviewed, and approved contracts are in place with the required regulatory and legal language. Periodic review of the vendors Statement of Controls report or site review report if available. Risk assessments are completed for vendors. Periodic performance monitoring activities are completed Risk(s): (A) Lack of Vendor Reviews invalidates Contracts; (B) Lack of Vendor risk mitigation controls exposing internal and external systems to attack; (C) System is unavailable, quality of customer service does not meet Bank expectations, services not performed timely or accurately 20

21 Audit Execution - Internal Control
Change & Release Management - Management has established a process for changes to systems and monitors the effectiveness of the process Risk(s): (A) Processing is disrupted due to system unavailability, resulting in errors being introduced into production; (B) Misalignment of new technology or system initiative with corporate strategy and priorities; (C) Lack of interoperability is creating inefficiency or error; (D) Business requirements do not address all of the RPA needs 21

22 Audit Execution - Internal Control
Incident & Problem Management - Incident management meets internal expectations; Ability to detect the causes that are the source of incidents and serious defects in the service provided Risk(s): (A) Excessive response time for incident resolution, non-compliance with the expected service levels, unavailability, poor performance; (B) Client dissatisfaction, recurrence of incidents, and poor service due to repeat incidents 22

23 Audit Execution - Internal Control
Capacity Management - Monitoring, optimization, and anticipation of the capacity and performance of services are correctly performed Risk(s): (A) Inability to anticipate and meet the future needs of clients, service disruption, poor performance 23

24 Audit Execution - Internal Control
Data Management - Data management meets the organization’s defined policies and standards Risk(s): (A) Inconsistent or inadequate risk mitigation activities due to incomplete data; (B) Data quality errors are introduced, persist, or multiply as data flows through the infrastructure; (C) Data quality issues are not resolved in a timely manner 24

25 Audit Execution - Internal Control
Business Continuity & Disaster Recovery - Business Continuity and Disaster Recovery Plans are in place and updated regularly. Recovery tests are performed periodically to ensure that users can access the systems. Any action items are resolved timely. Alternate sites have been designated for critical functions and systems Risk(s): (A) Disruption of systems and normal business due to a disaster causing system outages 25

26 Audit Execution - Internal Control
Backup & Recovery - Up-to-date backups of programs and data should be available in emergencies Risk(s): (A) Backups are not available when needed 26

27 Thematic Considerations
Establish and maintain a comprehensive strategy / roadmap for RPA Optimize / re-engineer underlying business process first Adhere to design standards for producing consistent, sustainable bots which can be more easily maintained and managed Implement stable infrastructure and partner closely with IT Understand the risk profile / Manage automation anxiety Maintain a consistent in-take mechanism for the submission of use cases Updated Business Continuity Plans (BCPs) to include RPA 27

28 Conclusion Evolution of RPA – regulatory expectations / cyber crime Usability of bots to support Audit? Questions / Comments / Experiences? Thank You! 28

29 About me… 29 Vladimir Liska, CIA, CISA, CRMA
Vice President and Senior Audit Manager Inspection Générale Tel (office) Vlad Liska is a Vice President and Senior Audit Manager at Bank of the West based in Omaha, NE. As a manager in Inspection Générale (IG), Vlad leads Inspection’s coverage of the Bank’s most critical enterprise projects, vendor management functions, and data management audits supporting the Bank’s capital planning and management (including stress testing for CCAR, DFAST, and other regulatory reporting). Vlad’s team is responsible for audit coverage of overall data governance and management including data availability, usability, integrity, quality, and security as well as audits of the governing processes, defined procedures, and management execution across the organization. Prior to this position, Vlad was the risk coverage officer for the technology and corporate support functions at TD Ameritrade. Vlad has worked in various positions in the internal audit group of TD Ameritrade as well as various technology and audit positions with PwC, First Data Corporation, and the Principal Financial Group. Vlad holds a Bachelor of Arts degree in Computer Science from Simpson College in Indianola, Iowa and a Master of Science in Information Technology Management from Creighton University in Omaha, Nebraska. He has served on the faculty at the University of Nebraska at Omaha and is an avid speaker at local and national conferences including the IIA District Conference, NebraskaCERT, MISTI SuperStrategies, ISACA CACS, and AuditWorld. 29

Download ppt "Robotics Process Automation (RPA) - Not Your Average Macro!"

Similar presentations

Roadmap for Sourcing Decision Review Board (DRB)

Roadmap for Sourcing Decision Review Board (DRB)
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
CIP Cyber Security – Security Management Controls

CIP Cyber Security – Security Management Controls
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
Chapter 5 5-1 © 2009 Pearson Education, Inc. Publishing as Prentice Hall.

Chapter © 2009 Pearson Education, Inc. Publishing as Prentice Hall.
Information Security Policies and Standards

Information Security Policies and Standards
TEL382 Greene Chapter 11. 10/27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.

TEL382 Greene Chapter /27/09 2 Outline What is a Disaster? Disaster Strikes Without Warning Understanding Roles and Responsibilities Preparing For.
Pertemuan 11-12 Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.

Pertemuan Matakuliah: A0214/Audit Sistem Informasi Tahun: 2007.
By Saurabh Sardesai www.starvaluemodel.com October 2014.

By Saurabh Sardesai October 2014.
The Information Systems Audit Process

The Information Systems Audit Process
ITIL: Why Your IT Organization Should Care Service Support

ITIL: Why Your IT Organization Should Care Service Support
Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.

Chapter 10 Information Systems Controls for System Reliability—Part 3: Processing Integrity and Availability Copyright © 2012 Pearson Education, Inc.
Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM 817.352.4929 or

Why Information Governance….instead of Records & Information Management? Angela Fares, RHIA, CRM, CISA, CGEIT, CRISC, CISM or
Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.

Compliance System Validation - An Audit Based Approach December 2012 Uday Gulvadi, CPA, CIA, CISA, CAMS Director - Internal Audit, Risk and Compliance.
Copyright 2005 Welcome to The Great Lakes TL 9000 SIG TL 9000 Requirements Release 3.0 to Release 4.0 Differences Bob Clancy Vice President, BIZPHYX,

Copyright 2005 Welcome to The Great Lakes TL 9000 SIG TL 9000 Requirements Release 3.0 to Release 4.0 Differences Bob Clancy Vice President, BIZPHYX,
Product Quality, Testing, Reviews and Standards

Product Quality, Testing, Reviews and Standards
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.

Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.

Security Baseline. Definition A preliminary assessment of a newly implemented system Serves as a starting point to measure changes in configurations and.
Dell Connected Security Solutions Simplify & unify.

Dell Connected Security Solutions Simplify & unify.

Similar presentations

Ads by Google