Robotic process automation (RPA) has gained popularity in recent years due to its ability to automate mundane and repetitive tasks and drive efficiencies in the workforce’s day-to-day activities. These digital workers are frequently used to perform tasks traditionally performed by humans, such as data entry, data manipulation, and transaction processing. Their ability to work 24/7 without rest creates opportunities for companies to find cost-effective efficiencies and focus their human workforce on more meaningful and fulfilling tasks.
What does the introduction of a digital workforce mean for your Sarbanes-Oxley (SOX) compliance program? When used correctly, RPA can help organizations streamline and automate key processes, reducing the risk of errors and improving the accuracy of financial reporting. It can also help organizations improve the quality of their internal controls, reduce the risk of fraud and increase the speed and accuracy of audit processes. Companies must ensure that their RPA implementation is appropriately supervised, audited and controlled to minimize the risk of errors, fraud or misuse. With the right supervision and control measures in place, RPA can be a valuable tool to achieve SOX compliance objectives.
Over the last 10 years, labor productivity in the U.S. business sector has increased about 15% according to the U.S. Bureau of Labor Statistics – what’s driving that change? Firms are investing in technology and upskilling their employees, making them more productive. Robotic process automation aims to do just that – by streamlining workflows and automating redundant tasks, RPA solutions, such as those offered by UiPath or Blue Prism, are being used to create digital workforces to augment traditional labor inputs. Companies use bots, or digital workers, to perform an ever-growing number of tasks, from managing system integrations, to automating previously manual workflows, to data entry of sales orders and vendor invoices. As digital workers become more pervasive, companies are bringing them into SOX processes and these bots are able to create user-friendly outputs. However, this new digital workforce should not be viewed as a “magic” solution to your workforce challenges. A thoughtful approach should be taken when implementing an RPA program. When considering risks relevant to RPA in a SOX environment, management should understand and evaluate:
While some data cleansing and manipulation can be built into a digital worker’s programming, achieving the desired outcome requires that the bot operate over a set of reliable source data. Data input controls need to be in place over the data utilized by your RPA program to ensure it is processed accurately, as the bot will not necessarily detect errors created through data entry. The quality of the bot output will only be as reliable as the quality of the data provided to it. Before committing to an RPA program or building specific bots, organizations should consider:
In addition to data sourced from traditional inputs, such as a data warehouse or an enterprise resource planning (ERP) system, RPA tools can pull in data from and operate within a variety of non-traditional sources (e.g., SharePoint, Google Drive, optical character recognition (OCR) tools) to provide additional functionality. Often, these data sources are manually maintained and not subject to data input controls or IT general controls (ITGCs), yet they are relied upon by the end user of the bot. In response, management should consider:
RPA tools offer functionality to manipulate data inputs in much the same way a human operator would. Often, this involves data cleansing, aggregation, calculations and validations to provide a user-friendly and efficiently derived output. When considering how bots are designed to manipulate data, management should ask themselves:
ITGCs are in place to provide management comfort that their systems and controls enabled by technology are operating consistently. This is done through a set of controls governing access, change management and operations monitoring. Whether a process is enabled by a traditional ERP or a bot, ITGCs are important to ensure consistent and reliable processing. Management considerations around ITGCs which govern RPA functionality include:
No different than a traditional workforce, digital workers or bots should be monitored for ongoing performance and alignment with changing business conditions. Both IT and business stakeholders should implement processes to monitor changes to the business, such as the addition of new business units or revenue streams, or changes to current data structures, and make necessary changes to RPA functionality. The competitive and dynamic nature of most business environments precludes management from setting and forgetting bots; achieving effective and reliable RPA functionality relies on monitoring performance and making updates as the business demands, just as you would for your human workforce.
Responding to technological change can be a challenge for many compliance functions, especially as technology is being used to reduce line-of-sight into the backend processes. As the nature of productivity tools is becoming more dynamic and interactive, so should the consideration of controls. Below are three simple steps for management and SOX compliance teams to take to get started in responding to RPA-relevant risks:
As you consider any of these concepts in the context of your SOX environment, Baker Tilly is here to assist and share perspectives. Share your thoughts and challenges you encounter, and we’d be happy to meet with you and discuss these topics and their impact on your SOX compliance program.