By Pip Butt CA and Nathalie Van Nueten

Robotic process automation (RPA) can play an exciting role in audit and assurance. Used effectively, this technology can improve the efficiency and quality of governance, tax, audit and other regulatory obligations and reporting.

RPA is best used for activities involving data gathering, entry and validation. It can simplify and improve the way you work including:

• improving accuracy and consistency of repetitive manual tasks
• dedicating more time to complex and judgmental areas
• improving efficiency and productivity by reducing turnaround time on otherwise labour intensive activities
• reducing risks arising from human errors in respective manual tasks.

It is for these reasons that large financial services organisations have applied RPA to process transactions such as credit applications, simplify and accelerate financial reporting processes, as well as support the identification of fraud.

For accounting and audit professionals keen to start introducing RPA tools, or ‘bots’, into their day-to-day lives, the first question might be where to begin? Should bots be used as a preventive or detective control measure?

In most organisations the answer will be at the start of the chain as a preventive tool. This avoids effort at the back end and time delays between origination, identification and remediation.

Enhancing preventive measures on the front line should enable operations to remediate issues before they are picked up by the second line of defence (risk and/or compliance) or third line of defence (audit). This also ensures more accurate management reporting and increases confidence in outputs.

Risk and compliance functions can also use bots as detective controls or indicators of control breakdowns. An automated detection methodology across purchasing, payments, sales, tax, payroll, etc, could search through millions of transactions and other disparate data quickly to identify anomalous transactions that might be worth a closer look.

How can CAs get the RPA ball rolling?

Pip Butt CA.

Chartered accountants are well placed to take a lead role on RPA for preventive and detective control measures. The following are some ways CAs can help their clients or organisations get started.

1. Identify the right processes to automate. Are there areas frequently causing compliance issues due to human error? Does the risk remain high enough to warrant RPA? If so, what RPA controls could pick up these exceptions and remediate in real time?

“Identify the right processes to automate. Are there areas frequently causing compliance issues due to human error?”

2. An easy guide to RPA suitability is asking the following questions:

a. Are the tasks rule based, without the need for human judgement or intuition?

b. Is the process made up of repetitive manual tasks?

c. Are the documents in a structured format that could be understood by a machine?

d. Does the current process require a high volume of manual effort per period?

3. Find similarities in processes and business requirements. Slight tweaks to the bots could enable multiple business risks to be met across management accounting, tax, assurance and reporting. If bots are already being used at an operational level, think about how to extend the flow of pre-populated information into management accounts and down to assurance.

4. Understand the data flows. Assess whether the completeness, accuracy and classification of information has been properly considered. Are you leveraging the right data for the right purposes? In order to ensure your organisation is compliant with its tax, audit and other regulatory obligations, you need to know its data and use of its data. Use it to deliver more effective management information tailored to the accountabilities of each layer of management.

5. Flag any continuity risks. There are risks of operations being impacted if RPA systems go down, especially if key people who used to perform those tasks have left the organisation. There is also the risk of possible loss of institutional knowledge by digitising processes without first capturing the reasons why things are done the way they are. Capturing this information in risk systems or knowledge repositories, including the rationale behind the automation, reduces the institutional risk.

RPA can introduce all kinds of new risks and controls issues, so you really need to think them through ahead of time. Legal, compliance and risk teams need to know how the bots will work in each and every instance. For example, where a bot is external facing, have cyber threats been considered? The need for assurance is not always on the radar of innovators. It pays to bring risk and assurance teams into the conversation early on.

Pip Butt CA is a director with PwC in Sydney. She advises the firm’s national assurance practice and clients on innovation, emerging technologies and RegTech.

Nathalie Van Nueten is a director with PwC in Sydney and the Intelligent Automation leader for the Assurance practice. The practice focuses on the control of automation by enterprise risk and control functions, and optimizing risk and control activities through automation. These services span the use of automation from robotics process automation (RPA), machine learning (ML) and artificial intelligence (AI).

Read more: