Identifying risks and controls when implementing RPA solutions in a SOX environment

Robotic process automation (RPA) has gained popularity in recent years due to its ability to automate mundane and repetitive tasks and drive efficiencies in the workforce’s day-to-day activities. These digital workers are frequently used to perform tasks traditionally performed by humans, such as data entry, data manipulation, and transaction processing. Their ability to work 24/7 without rest creates opportunities for companies to find cost-effective efficiencies and focus their human workforce on more meaningful and fulfilling tasks.

What does the introduction of a digital workforce mean for your Sarbanes-Oxley (SOX) compliance program? When used correctly, RPA can help organizations streamline and automate key processes, reducing the risk of errors and improving the accuracy of financial reporting. It can also help organizations improve the quality of their internal controls, reduce the risk of fraud and increase the speed and accuracy of audit processes. Companies must ensure that their RPA implementation is appropriately supervised, audited and controlled to minimize the risk of errors, fraud or misuse. With the right supervision and control measures in place, RPA can be a valuable tool to achieve SOX compliance objectives.

Robotic process automation – digital workforce:

Over the last 10 years, labor productivity in the U.S. business sector has increased about 15% according to the U.S. Bureau of Labor Statistics – what’s driving that change? Firms are investing in technology and upskilling their employees, making them more productive. Robotic process automation aims to do just that – by streamlining workflows and automating redundant tasks, RPA solutions, such as those offered by UiPath or Blue Prism, are being used to create digital workforces to augment traditional labor inputs. Companies use bots, or digital workers, to perform an ever-growing number of tasks, from managing system integrations, to automating previously manual workflows, to data entry of sales orders and vendor invoices. As digital workers become more pervasive, companies are bringing them into SOX processes and these bots are able to create user-friendly outputs. However, this new digital workforce should not be viewed as a “magic” solution to your workforce challenges. A thoughtful approach should be taken when implementing an RPA program. When considering risks relevant to RPA in a SOX environment, management should understand and evaluate:

1. Controls over source data including non-traditional RPA inputs and the transfer of data between systems
2. Programmed logic designed to manipulate source data
3. IT general controls (ITGCs) that support the continued reliability of the environment
4. Digital workforce governance

Source data

While some data cleansing and manipulation can be built into a digital worker’s programming, to achieve the desired outcome, it’s important that they are operating over a set of reliable source data. Data input controls need to be in place over the data utilized by your RPA program to ensure it is processed in an accurate manner as the bot will not necessarily detect errors created through data entry. The quality of the bot output will only be as reliable as the quality of the data provided to it. Before committing to an RPA program or building specific bots, organizations should consider:

1. Which data elements, including customer orders, vendor invoices and customer pricing, are relied on for RPA operations?  
2. Are there effective controls in place to validate that data entered in the source system are complete, accurate and valid? 
3. If data is automatically interfaced to the source system via a scheduled job or application programming interface (API), are there effective controls in place to validate the complete and accurate transfer of data?
4. If data warehouses are used, consider:

• How have data tables/fields been mapped between the source system(s) and data warehouse?
• Are relevant stakeholders aware of the composition and source of each custom table within the data warehouse?
• Are there effective controls in place to validate that data mappings between the source system and data warehouse are appropriate?
• How does data interface from the source system to the data warehouse? Are there effective controls in place to validate that data interfaces completely and accurately?
• Are ITGCs in place and operating within your data warehouse to ensure ongoing reliability over the input of data to support RPA operations?
• Is access to maintain critical financial datasets restricted to a limited number of appropriate users?

Non-traditional RPA inputs

Like data sourced from traditional inputs, such as a data warehouse or an enterprise resource planning (ERP) system, RPA tools can pull in data from and operate within a variety of non-traditional sources (e.g., SharePoint, Google Drive, optical character recognition (OCR) tools) to provide additional functionality. Often, these data sources are manually maintained and not subject to data input controls or ITGCs, however, relied upon by the end-user of the bot. In response, management should consider:

1. Which data elements are relied on by the end-user and where are those data elements sourced? If sourced from traditional sources, see considerations above.
2. If not, what controls are in place to validate the completeness, accuracy and validity of data? Is the data source subject to ITGCs?
3. How is the data pulled in by the bot? Does the bot use scheduled jobs, application programming interfaces (APIs) or programmed logic within the RPA tool to extract data? What controls are in place to validate the complete and accurate transfer of data?

Data manipulation

RPA tools offer functionality to manipulate data inputs – in similar ways that a human operator would. Often, this involves data cleansing, aggregation, calculations and validations to provide a user-friendly and efficiently derived output. When considering how bots are designed to manipulate data, Management should ask themselves:

1. How was the bot programmed? Specifically, what actions does the bot take after data intake and prior to data output?
2. Does the end user rely on specific controls or validations performed by the bot? For example, is the bot configured to exclude transactions that meet specific criteria, such as being created and approved by the same person?
3. If the bot is responsible for executing controls, have the control activities been identified within a formal control matrix?
4. What auditable evidence is available to demonstrate that the bot is performing the data manipulation as intended?
5. Should the data output be monitored in some manner that would aid management in detecting deviations in the bot’s processing driven by changing data models or business processes?

ITGCs

ITGCs are in place to provide management comfort that their systems and controls enabled by technology are operating consistently. This is done through a set of controls governing access, change management and operations monitoring. Whether a process is enabled by a traditional ERP or a bot, ITGCs are important to ensure consistent and reliable processing. Management considerations around ITGCs which govern RPA functionality include:

1. Who has access to modify RPA logic? Are RPA bots managed by a centralized center-of-excellence or owned by individual business units/owners?
2. Is there a formal process to manage changes to bot logic? Are appropriate users involved in the testing and validation of changes prior to implementation?
3. If bots store data in temporary data tables, what controls exist to ensure that only appropriate personnel have access to the data
4. How are RPA errors managed? Is there a process in place to identify errors/abends and resolve them in a timely manner?

Digital workforce governance

No different than a traditional workforce, digital workers or bots should be monitored for ongoing performance and alignment with changing business conditions. Both IT and business stakeholders should implement processes to monitor changes to the business, such as the addition of new business units or revenue streams, or changes to current data structures, and make necessary changes to RPA functionality. The competitive and dynamic nature of most business environments precludes management from setting and forgetting bots; to achieve effective and reliable RPA functionality relies on monitoring performance and making updates as the business demands, just as you would for your human workforce.

Where to begin

Responding to technological change can be a challenge for many compliance functions, especially as technology is being used to reduce line-of-sight into the backend processes. As the nature of productivity tools are becoming more dynamic and interactive, so should the consideration of controls. Below are three simple steps for management and SOX compliance teams to take to get started in responding to RPA-relevant risks:

1. Inventory your environment – identify which bots are currently (and planned to be) relied upon to achieve financial reporting and operational objectives.
2. Understand how relevant bots are being used and what data elements are relied upon.
3. Monitor your environment and update RPA logic to keep pace with business and organizational changes.

As you consider any of these concepts in the context of your SOX environment, Baker Tilly is here to assist and share perspectives. Share your thoughts and challenges you encounter, and we’d be happy to meet with you and discuss these topics and their impact on your SOX compliance program.