Imagine an internal auditor who is confronted with a disastrous robotic process automation (RPA) implementation. Her company spent millions of dollars to implement 50 robots, or "bots," but the project had yielded only a single functioning bot. Making matters worse, hackers compromised that bot and drained the company's bank account with a succession of undetected $0.99 electronic transactions. Could the auditor have prevented these things from happening?
RPA can potentially reduce costs, improve accuracy and productivity, and eliminate tedious processes. It works by building software robots that can mimic the actions of a person on a computer, automating otherwise manual processes.
Bots are highly fragile and are not intelligent. Unlike artificial intelligence, they can only do exactly what they are told to do. And access to the technology is growing, with Microsoft recently adding RPA functionality to Microsoft Office, putting it on millions of corporate desktops.
As with any new technology, internal auditors must be aware of RPA's risks. The potential for a bot to make a mistake multiple times in seconds creates unique risks to assess.
Validate Security Risks
Assessing RPA's risks must begin with considering access security to the bot. RPA providers offer both on-premises and cloud-based solutions, with all the risks typical of these approaches.
Most RPA solutions do not house any "at rest" data, reducing the risk that sensitive data will be captured if the bot is hacked. Instead, bots operate on an organization's applications using credentials just as a human user would. That means a bot can be hacked and coded to perform fraudulent, unethical, or hostile actions.
Examining the security around the RPA tool is critical, including access restrictions. Auditors should understand the security around each of the applications that the bot accesses and the controls around data that the bot "writes."
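One control over what a bot "writes" is a rate check on payments issued under bot credentials, which would surface both the run of $0.99 transactions in the opening scenario and a bot repeating a mistake many times in seconds. The following is an added example, not part of the original article; the account names, thresholds and sample records are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta
from decimal import Decimal

def sample_rows():
    """Constructed payment log (timestamp, account, amount); not real data."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    # Hypothetical bot account issuing eight $0.99 payments two seconds apart.
    rows = [(t0 + timedelta(seconds=2 * i), "svc-rpa-ap01", Decimal("0.99"))
            for i in range(8)]
    # Hypothetical bot account behaving normally: three payments an hour apart.
    rows += [(t0 + timedelta(hours=i), "svc-rpa-ap02", Decimal("1250.00"))
             for i in range(3)]
    return rows

def flag_bot_bursts(rows, bot_accounts, window=timedelta(seconds=60),
                    max_per_window=5, micro_limit=Decimal("1.00")):
    """Return one finding per bot account that issues more than max_per_window
    payments inside any sliding time window. Each finding keeps the peak
    window: its start, payment count, count below micro_limit, and total."""
    findings = {}
    recent = {}  # account -> deque of (timestamp, amount) still in the window
    for ts, account, amount in sorted(rows):
        if account not in bot_accounts:
            continue  # only credentials assigned to bots are in scope
        q = recent.setdefault(account, deque())
        q.append((ts, amount))
        while ts - q[0][0] > window:
            q.popleft()  # drop payments older than the window
        if len(q) > max_per_window:
            best = findings.get(account)
            if best is None or len(q) > best["count"]:
                findings[account] = {
                    "account": account,
                    "window_start": q[0][0],
                    "count": len(q),
                    "micro_count": sum(1 for _, a in q if a < micro_limit),
                    "total": sum(a for _, a in q),
                }
    return list(findings.values())

if __name__ == "__main__":
    for f in flag_bot_bursts(sample_rows(), {"svc-rpa-ap01", "svc-rpa-ap02"}):
        print(f)
```

A high `micro_count` relative to `count` points toward deliberate sub-threshold payments, while a burst of ordinary amounts points toward a bot looping on an error.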
As internal auditors begin to operate within bot-enabled environments, they should consider whether the bots are achieving their business purposes. Internal audit should be a partner, along with information security, in all RPA implementations. Their independent advice should improve clarity around the business objectives for each bot development. Business analysts should establish and track clear, objective performance metrics. Auditors should provide assurance about whether the bots are fulfilling their missions and meeting compliance objectives....