The age of automation is here, and with it comes opportunities for integrating Internal Audit (IA) robotic process automation (RPA) into the third line of defense (aka Internal Audit). IA departments, large and small, have already begun their journey into the world of automation by expanding their use of traditional analytics to include predictive models, RPA, and cognitive intelligence (CI). This is leading to quality enhancements, risk reductions, and time savings—not to mention increased risk intelligence.
The automation spectrum, as we define it, comprises a broad range of digital technologies. As shown below, at one end are predictive models and tools for data integration and visualization. At the other end are advanced technologies with cognitive elements that mimic human behavior.
Many IA organizations are familiar with the first part of the automation spectrum, having already established foundational data integration and analytics programs to enhance the risk assessment, audit fieldwork, and reporting processes. As these organizations work their way across this continuum, some have begun to adopt Internal Audit RPA in conjunction with certain CI tools, collectively known as RPA&CI, to help drive efficiency and effectiveness, expand capacity, boost quality, and enable greater audit coverage. Machine learning and artificial intelligence (AI) are at the far end of this range, with fewer organizations having reached this level of digital maturity. But this situation is changing fast.
Cognitive technologies are expected to become more prevalent in the near future as early adopters demonstrate their ability to enhance the value proposition of the internal audit function. For example, some IA organizations have effectively piloted the use of AI to proactively identify emerging risks for risk assessments. With IA departments starting to extend into the far end of the spectrum, the future of Internal Audit RPA is now.
As illustrated below, there are many ways IA can leverage automation capabilities throughout the audit life cycle, including risk assessments, audit planning, fieldwork, and reporting.
Here are a few examples of how investments in Internal Audit robotic process automation technologies can yield positive returns by improving the effectiveness and efficiency of audit processes and providing greater insight to the business:
There are three key steps for IA organizations to take as they embark on their journey to automate audit processes.
As a first step, leaders should review the current state of the IA organization to understand where and how Internal Audit automation technologies can be embedded and to identify reasons for doing so. An organization's vision and strategy for automation could span a single application or an entire transformation. For instance, an organization may wish to automate:
Whether IA envisions leveraging automation to accomplish one or more of the above, or something else entirely, a strategy for the transformation should be articulated and communicated up-front.
This is necessary to facilitate an effective implementation, ongoing maintenance, and risk mitigation. It's important that the operating and governance framework isn't designed in a vacuum, and that it aligns to enterprise standards and leading practices that exist within the organization. Some key components of this infrastructure include:
The target-state operating model should be a natural extension of the existing IA operating model, but it will have some key differences with respect to the interplay of people, process, and technology. The IA function should consider where it stands with respect to these three components, as seen below.
Once the IA function has considered how automation can reshape its operating model in terms of people, processes, and technologies, it should also consider how the target state integrates with the larger organization's automation initiatives. For instance, automation frameworks and governance structures may already exist within a center of excellence or global business process organization. IA should also explore whether other functions could benefit from similar automation technologies. For instance, it's conceivable that risk and compliance could leverage the same or similar robotics logic as IA plans to use in audit testing. Accordingly, a shared services model or a collaborative rollout may be a cost-effective option for deployment.