Published by Arnold Claussen. Modified over 5 years ago
1
Robotics Process Automation (RPA) - Not Your Average Macro!
Monday, August 19, 2019 1:30 PM - 2:55 PM CST
Vlad Liska, CIA, CISA, CRMA
Vice President and Senior Audit Manager
Bank of the West
2
Learning Objectives
Understand what Robotics Process Automation (RPA) is and why you should care
Explore the risk profile impacting people, process, and technology of this emerging technology
Develop and execute an audit program covering Governance, Risk management, and internal Controls
3
What is RPA?
RPA (Robotic Process Automation) is using software robots (“bots”) to automate manual repetitive business processes using existing applications, resources, and architecture
Automates mundane, routine rule-based tasks
Introduces digital workforce that co-exists with humans
Recent PwC estimates suggest 45% of work activities can be automated (Source: ‘Organizing your future with robotic process automation’, PwC, 2016)
Bots are NOT physical robots
4
What are the benefits of RPA?
Productivity: High volume in less time
Scalability: Quick ramp up/down
Accuracy: 0% error rate
Availability: Bots don’t sleep!
Predictability: 100% consistent output
Audit Trail: All activity logged
Sample functions: opening s, moving files, extracting structured data, calculations, filling in forms, merging data, etc.
5
Evolution of RPA
Basics of RPA have a long history…
Sample RPA platforms today include: Blue Prism, Automation Anywhere, UiPath, WorkFusion, Pegasystems, NICE, etc.
6
Intelligence Continuum
Source: Protiviti Inc., 2018
7
How is RPA implemented - Technical
Bots execute scripted procedures by emulating a user’s actions to complete a series of tasks (similar to testing automation)
The Bots interact with GUI applications at an object level (where possible)
Bots also access resources like structured data (XML, spreadsheets, etc.), databases, and web services
Using Windows Active Directory (AD) and a secure credentials manager; Bot Access = User Access
The Bot is simply a Windows Service running on the VDI desktop with existing applications
8
How is RPA implemented - Organizational
Concept of a Center of Excellence (COE)
Assessment Framework
9
RPA Use Case – Sample 1
Example HR Use Case – Saving from the Onboarding System
Execute assigned tasks in system and save results on specific share drive
Rename file to match the candidate name
Log-in to Onboarding System
Select each “Open Task”
File “Save As” to Share Drive
Rename File to Match Candidate’s Name
Monitoring Control – Daily Processing Report (example):
10
RPA Use Case – Sample 2
Example Business Use Case – Leads Management
Transfer prospects from marketing system to CRM system
Distribute prospects to assigned Bankers
Log-in to Marketing System
Copy Lead Information
Paste in CRM System
Send to Bankers
Monitoring Control – Daily Processing Report (example):
11
Risk Profile for RPA
Depends on the risk profile of the underlying business process and technology deployed
However, there are some risks specific to RPA:
Bots failing due to IT and business process changes
Innate rules not captured (as bots are literal)
Poor process mapping causes bots to fail
Systematic and widespread errors (due to bots being consistently wrong)
HR risk of robotics automation (automation anxiety and resistance; perception of bots taking jobs)
12
Additional Common RPA Risks
Source: Protiviti Inc., 2018
13
Example Audit Scope
Key processes include:
Governance, which includes organization, strategy, architecture, and program / project management
Risk Management, which includes risk identification, assessment, and mitigation
Internal control, which includes security management, business continuity and disaster recovery, file transfers and interfaces, vendor management, change and release management, incident and problem management, capacity management, data management, and backup & recovery
14
Audit Execution - Governance
Organization & Oversight - To validate the organizational structure appropriately supports robotics process automation through established frameworks and management oversight of the process
Risk(s):
(A) Lack of a well-defined governance framework may increase operational, financial and legal / compliance risks;
(B) Lack of governance and oversight results in the disruption of systems, data loss and/or negative exposure;
(C) Lack of enforcement of policies and procedures results in non-compliance with Bank standards
15
Audit Execution - Governance
Program Management & SDLC - To validate management has established a standardized process for the development of automation aligned to the Bank’s standards
Risk(s):
(A) Lack of coverage within guidance documents or policies over key development or operational activities;
(B) Program Management is insufficient to facilitate the achievement of the program goals and objectives;
(C) Automation work is not initiated and governed to achieve the intended business objectives;
(D) Incomplete or inaccurate testing of implementation may result in a system that may have missing or erroneous functionality and that does not meet business requirements
16
Audit Execution - Governance
RPA Strategy - To validate a strategic roadmap that presents the short/long term goals related to the usage of robotic process automation (RPA)
Risk(s):
(A) RPA Roadmap and Strategy is not aligned with business needs and does not include the required elements including schedules or budget resulting in inadequate prioritization on planning, resources, or technologies that support strategic initiatives;
(B) Lack of strategic oversight prevents managerial awareness of activities and events
17
Audit Execution - Risk Management
Risk Management - Verify that RPA-related risks are identified, assessed and reduced to levels of tolerance set by enterprise executive management
Risk(s):
(A) Risk metrics are not collected or analyzed;
(B) A risk profile is not maintained;
(C) Risk is not adequately mitigated;
(D) Risk assessments around RPA are not performed
18
Audit Execution - Internal Control
Security Management - Access is approved, updated, and revoked by the appropriate manager in accordance with Policy. Access is reviewed periodically for appropriateness (including both roles and permissions). Periodically, privileged access is also reviewed for reasonableness
Risk(s):
(A) Inappropriate or excessive access to systems, resulting in loss of system or operational integrity;
(B) RPA infrastructure may not be configured correctly resulting in instability and security vulnerabilities which could impact business operations;
(C) Unauthorized changes to Blue Prism or the bots are not detected
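An added example (not part of the original presentation) of the periodic access review described on this slide, applied to bot service accounts on the basis that Bot Access = User Access. The account names, group memberships, approval register and 180-day review period are constructed assumptions.

```python
from datetime import date

# Constructed sample data (not from the presentation): AD group memberships
# exported per bot service account, and the access approval register.
BOT_GROUPS = {
    "svc-bot-hr01": {"HR-Onboarding-Users", "Share-HR-Write"},
    "svc-bot-crm01": {"CRM-Users", "Marketing-Read", "Domain Admins"},
    "svc-bot-old07": {"CRM-Users"},
}
APPROVALS = {  # account -> (approved groups, approving manager, last review)
    "svc-bot-hr01": ({"HR-Onboarding-Users", "Share-HR-Write"}, "mgr.a", date(2019, 6, 3)),
    "svc-bot-crm01": ({"CRM-Users", "Marketing-Read"}, "mgr.b", date(2018, 11, 12)),
}
# Built-in AD groups treated as privileged for the reasonableness review.
PRIVILEGED = {"Domain Admins", "Enterprise Admins", "Administrators"}


def review_bot_access(bot_groups, approvals, as_of, max_review_age_days=180):
    """Return sorted (account, finding, detail) tuples for the access review."""
    findings = []
    for account, groups in bot_groups.items():
        if account not in approvals:
            # Access exists with no manager approval on record at all.
            findings.append((account, "NO_APPROVAL", ",".join(sorted(groups))))
            continue
        approved, _manager, reviewed = approvals[account]
        extra = groups - approved  # access beyond what was approved
        if extra:
            findings.append((account, "UNAPPROVED_ACCESS", ",".join(sorted(extra))))
        privileged = groups & PRIVILEGED  # always surfaced for review
        if privileged:
            findings.append((account, "PRIVILEGED_ACCESS", ",".join(sorted(privileged))))
        age = (as_of - reviewed).days
        if age > max_review_age_days:  # periodic review was missed
            findings.append((account, "REVIEW_OVERDUE", f"{age} days"))
    return sorted(findings)


if __name__ == "__main__":
    for row in review_bot_access(BOT_GROUPS, APPROVALS, date(2019, 8, 19)):
        print(*row, sep="\t")
```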
19
Audit Execution - Internal Control
File Transfer & Interfaces - Monitoring processes are in place to help ensure availability of interfaces. Processes are in place to ensure data is timely, complete, and accurate for transmissions. Processes exist to identify and resolve potential data errors on interfaces and data transmission (such as duplicate transmissions). File transmissions and interface connections are encrypted
Risk(s):
(A) Processing is disrupted due to system unavailability;
(B) Sensitive data is compromised during transmission
20
Audit Execution - Internal Control
Vendor Management - Valid, reviewed, and approved contracts are in place with the required regulatory and legal language. Periodic review of the vendor’s Statement of Controls report or site review report if available. Risk assessments are completed for vendors. Periodic performance monitoring activities are completed
Risk(s):
(A) Lack of Vendor Reviews invalidates Contracts;
(B) Lack of Vendor risk mitigation controls exposing internal and external systems to attack;
(C) System is unavailable, quality of customer service does not meet Bank expectations, services not performed timely or accurately
21
Audit Execution - Internal Control
Change & Release Management - Management has established a process for changes to systems and monitors the effectiveness of the process
Risk(s):
(A) Processing is disrupted due to system unavailability, resulting in errors being introduced into production;
(B) Misalignment of new technology or system initiative with corporate strategy and priorities;
(C) Lack of interoperability is creating inefficiency or error;
(D) Business requirements do not address all of the RPA needs
22
Audit Execution - Internal Control
Incident & Problem Management - Incident management meets internal expectations; Ability to detect the causes that are the source of incidents and serious defects in the service provided
Risk(s):
(A) Excessive response time for incident resolution, non-compliance with the expected service levels, unavailability, poor performance;
(B) Client dissatisfaction, recurrence of incidents, and poor service due to repeat incidents
23
Audit Execution - Internal Control
Capacity Management - Monitoring, optimization, and anticipation of the capacity and performance of services are correctly performed
Risk(s):
(A) Inability to anticipate and meet the future needs of clients, service disruption, poor performance
24
Audit Execution - Internal Control
Data Management - Data management meets the organization’s defined policies and standards
Risk(s):
(A) Inconsistent or inadequate risk mitigation activities due to incomplete data;
(B) Data quality errors are introduced, persist, or multiply as data flows through the infrastructure;
(C) Data quality issues are not resolved in a timely manner
25
Audit Execution - Internal Control
Business Continuity & Disaster Recovery - Business Continuity and Disaster Recovery Plans are in place and updated regularly. Recovery tests are performed periodically to ensure that users can access the systems. Any action items are resolved timely. Alternate sites have been designated for critical functions and systems
Risk(s):
(A) Disruption of systems and normal business due to a disaster causing system outages
26
Audit Execution - Internal Control
Backup & Recovery - Up-to-date backups of programs and data should be available in emergencies
Risk(s):
(A) Backups are not available when needed
27
Thematic Considerations
Establish and maintain a comprehensive strategy / roadmap for RPA
Optimize / re-engineer underlying business process first
Adhere to design standards for producing consistent, sustainable bots which can be more easily maintained and managed
Implement stable infrastructure and partner closely with IT
Understand the risk profile / Manage automation anxiety
Maintain a consistent intake mechanism for the submission of use cases
Update Business Continuity Plans (BCPs) to include RPA
28
Conclusion
Evolution of RPA – regulatory expectations / cyber crime
Usability of bots to support Audit?
Questions / Comments / Experiences?
Thank You!
29
About me…
Vladimir Liska, CIA, CISA, CRMA
Vice President and Senior Audit Manager
Inspection Générale
Tel (office)
Vlad Liska is a Vice President and Senior Audit Manager at Bank of the West based in Omaha, NE. As a manager in Inspection Générale (IG), Vlad leads Inspection’s coverage of the Bank’s most critical enterprise projects, vendor management functions, and data management audits supporting the Bank’s capital planning and management (including stress testing for CCAR, DFAST, and other regulatory reporting). Vlad’s team is responsible for audit coverage of overall data governance and management including data availability, usability, integrity, quality, and security as well as audits of the governing processes, defined procedures, and management execution across the organization.
Prior to this position, Vlad was the risk coverage officer for the technology and corporate support functions at TD Ameritrade. Vlad has worked in various positions in the internal audit group of TD Ameritrade as well as various technology and audit positions with PwC, First Data Corporation, and the Principal Financial Group.
Vlad holds a Bachelor of Arts degree in Computer Science from Simpson College in Indianola, Iowa and a Master of Science in Information Technology Management from Creighton University in Omaha, Nebraska. He has served on the faculty at the University of Nebraska at Omaha and is an avid speaker at local and national conferences including the IIA District Conference, NebraskaCERT, MISTI SuperStrategies, ISACA CACS, and AuditWorld.