THEME THE CHARTERED ACCOUNTANT
Audit of Robotic Process Automation
(RPA) Software BOTs
Robotic process automation (“RPA”) refers to a set of modular software programs (or “bots”) that complete structured, repeatable, and logic-based tasks by mimicking the actions taken by human personnel. Usage of Robotic Process Automation tools has turned out to be one of the key productivity indicators for organizations. Irrespective of the functional domain (Finance, Sales, Marketing, Procurement, Human Resources), bots and other tools are major enablers in the current setup globally. Focus on RPA governance has increased significantly over the years due to large-scale usage. This is reaffirmed by Gartner's projection that worldwide spending on RPA software would reach $2.9 Billion in 2022, which is an increase of 19.5% from 2021.

CA. Prashant Bhaskar
Member of the Institute

Benefits of Using RPA Tools

Increased efficiency and Productivity: RPA can work continuously 24X7 without fatigue, with consistency resulting in faster turnaround times and increased productivity.
Cost Effectiveness: RPA can reduce labor spends resulting in cost savings for organizations.
Improved accuracy: RPA can reduce the risk of errors and improve the accuracy of tasks, as it follows predetermined/predefined rules.
Enhanced customer service: RPA can help organizations to respond to customer inquiries and requests speedily, leading to improved customer satisfaction.
Improved compliance: RPA can help organizations to adhere to regulations and comply with industry standards, as it follows predetermined/pre-defined rules and processes.
Greater scalability: RPA can be easily scaled up or down to meet the changing needs of the organization.
Enhanced data security: RPA can help organizations to protect sensitive data through defined rules, standard processes and automating tasks.
Increased employee satisfaction: RPA can help to alleviate the burden of strain, fatigue and inconsistency to employees, allowing them to focus on more objective and qualitative work.

These are some of the key benefits which have led organizations to adopt Robotic Process Automation in their critical business processes.
58 AUGUST 2023 www.icai.org

Practical Applications across functions

• Accounting and Finance
  o Order to Cash/AR: Credit analysis; Sales order processing; Customer MDM; Order entry; Reports by segments
  o Procure to Pay / AP: 3-way match; PO issuance; Invoice receipt; Vendor master; Payment process; Duplicate payment Tracking
  o Record to Report/R2R: Monthly close; Treasury and tax; Financial statements; General ledger; Journal entry processing; Inter-company accounting; Account reconciliations
• HR: Master data; Payroll Processing; Journal Entries; Updating Personnel Information
• IT: Active Directory; File systems; FTP management; Automated installations; Server / application monitoring and alert management; Service desk management; Notification & escalation; VMware integration; Data movement; Provisioning; Configuration management; Routine maintenance
• Audit And Compliance: Testing scripts/Automation Audit Tools; Continuous Monitoring Tools; Automated Reporting and Scheduling; User Provisioning and De provisioning Controls; Data Consolidation and Upload

RPA as Audit Tool

Risk Assessment – RPA can be used as a tool to conduct risk assessments (for both Statutory Audits/Internal Audits) to identify different types of risk (strategic, operational, financial and compliance risk). RPA can be used to design and develop Risk Assessment models which help in assessing risks objectively and help in framing risk mitigation actions.

Field Work – RPA can be used
• To automate tests
• To consolidate data
• To review supporting documentation
• To perform analysis
• To identify exceptions
• To perform Continuous Monitoring

Some examples where RPA can be utilized:
• to run pre-defined automated scripts to identify potential fraud transactions
• to build checks for ensuring quality of audit documentation
• to derive samples based on a set of rules from a large population
• to save effort, time and thus cost without compromising on quality and objectives of audit.

Audit Closure and Follow up – RPA can be used to automate communication and follow up of audit findings.

As organizations are embracing digitization, Auditors would
have multiple opportunities to save a lot of man hours by employing RPA and related Machine Learning and Artificial Intelligence tools and gain advantage of technologies. These would help the auditor to have deep focus and conduct more cutting-edge analysis of risks during the audit process.

Risks in Adopting RPA

Alongside the benefits, embedded risks must be carefully evaluated and addressed while adopting Robotic Process Automation (RPA) in an organization as well as when RPA is used as an Audit tool by Auditors.

Some of the key risks include:

Dependency on technology: RPA relies on technology to automate tasks, which means that there is a risk of disruption if the technology fails or is not available. This can have a significant impact on the organization’s operations and may require contingency plans to be in place.
Data security: RPA relies on the use of data, which means that there could be risks of data breaches or unauthorized access to sensitive data. It’s important to implement robust security measures (driven through policies) to protect against these risks.
Compliance risks: RPA has to be designed to comply with regulations during implementation. It’s important to carefully assess the impact of RPA on compliance and ensure that the implementation is compliant in line with statutory requirements from time to time.
Change management: RPA can significantly change the way work is done, which can be disruptive for employees, their way of working, processes to be adhered to and may involve significant change management efforts. It’s important to carefully plan and communicate the changes to stakeholders regularly to ensure that they are successful.
Cost: Implementing RPA can be expensive, as it requires the purchase of software licenses, hardware infrastructure and continuous training to staff. It’s important to carefully assess the costs and benefits of RPA to ensure that it is a cost-effective solution.

Overall, it’s important to carefully assess the risks and benefits of RPA and to implement robust measures to manage these risks before being adopted in any organization.

Business Readiness to Adopt RPA

Advantages of using RPA tools are no doubt attractive. However, before RPA implementation, business needs to conduct proper due diligence on readiness to adopt RPA.

Business Requirements: The organization should have a clear understanding of its business expectations and how RPA can help to address those expectations. This may include identifying specific processes that can be automated, as well as the potential benefits of automation. Business Environment may vary between divisions and this needs to be clearly captured as part of business requirements.
Process complexity: RPA is most effective for automating repetitive, rules-based processes. If the process is complex or involves a high degree of decision-making, it may not be suitable for automation.
IT infrastructure: The organization should have the necessary IT infrastructure in place to support RPA, including hardware and software requirements.
Data veracity: RPA requires accurate and reliable data to function effectively. The organization should ensure that the data needed for automation is available, of good quality and validated by data owners.
Culture and change management: The organization should have a culture that is open to and supportive of change, as well as a plan in place for managing the transition to RPA.
Skills and resources: The organization should have the
necessary skills and resources in place to implement and maintain an RPA solution. This may include hiring or training employees with relevant expertise.
Statutory/Compliance Requirements: Specific Compliance requirements like Data Privacy which may be applicable to the organization as well as specific business process must be studied and put in place on time.
Scalability: Scalability of the RPA within different internal divisions within the organization.

Once decided, Organizations ready to adopt RPA typically have a clear understanding of their business needs, processes that can be automated, and the necessary IT infrastructure and resources in place to support automation and above all an effective governance process for managing of RPA.

[Figure labels: Business Expectation; Process Improvements; RPA Business case; Feasibility study; Process Audit; Assurance; Effectiveness, Efficiency and Reliability of RPA systems]

Scoping of RPA applications for Audit

Organizations have a plethora of RPA bots running across different divisions of the business. Not all the bots are necessarily relevant for audit.

Nature of engagement decides on the scoping of RPA applications as well as ensuring the audit deliverables are in line with the expectation of the stakeholders.

Management may engage Auditors to do specific process audit engagements which may be to evaluate existing RPA bots or RPA bots which are in various phases (Design, Implementation, Operational) or RPAs which are specific to certain processes (say HR, Accounts Reconciliations).

Design Phase – Management/Stakeholder may engage Internal Audit team or Internal Controls team separately to vet that controls and proper governance are included in the design of the RPA tool and environment.

Implementation Phase - Management may engage Internal audit or Internal Controls team to perform an Information Technology General Controls (ITGC) readiness assessment before bots are deployed in production to specifically cover areas like security, processing integrity and change management.

Operational/Active phase - Internal Audit is well positioned to perform audit to validate that RPA bots are performing reliably and effectively as per the design and development in accordance with the System Development Life Cycle (SDLC) methodology.

[Figure: Key Risks Drivers: RPA Governance; RPA Security; System in RPA Implementation; SDLC in RPA Implementation; Data Management and Security; Compliances]

Key Risk Drivers and how auditors need to approach them in RPA Audit

Establishing RPA Governance Process

Good Governance is a system or process that provides systematic approach that incorporates strategic planning, risk management and performance management. Some of the critical aspects which require consideration in this regard are:

• There exist formally defined policies and procedures over the RPA strategy and implementation.
• Policies are reviewed and approved periodically to incorporate any changes.
• Updated Policies are communicated and available to all stakeholders.
• Individuals tasked with RPA Environment have the necessary skills, competency to sustain the RPA Program strategy. Specific Organizational training is provided to employees deployed in RPA roles.
• Roles and responsibilities for employees in RPA roles are defined in job descriptions.
• Vendor Management Program is established which covers the risks to contract and monitor RPA third party vendors. Vendor Management Program plays a key role in third party vendor related risks in this era of outsourcing.
• Documented policies and procedures should cover business continuity and disaster recovery plans considering RPA strategy. In this regard, Business Impact Assessment exercise should define critical RPA Processes.
• BCP and DRP periodic testing along with results documentation should cover critical RPA processes along with their response times. This would provide an outlook on how RPA environment is operating in case of an unplanned disruptive event taking place.
• In case failures are identified during the testing phase, fall back plans must be in place which provide clearly defined steps and guidelines to be followed.
• Incident response guidelines should be clear and precise so that the issues arising in RPA environment are identified, assessed and addressed in a timely manner. Escalation matrix should be clearly defined and identified, which plays a key role in effective monitoring and timely resolution of issues.
• Change in Governance, escalation structure needs to be communicated to relevant stakeholders in a timely manner. This needs to be incorporated in standard operating procedures.

RPA Security

Corporations need to address the security needs to guard the RPA environment from external/internal threats, malware in the ever-changing scenarios. Critical Security features are listed below:

• Firewalls are implemented, tested and monitored regularly
• Advanced encryption standards are used for data
in transit as well as data at rest
• Organizations are storing their data in the cloud, which means cloud security is essential. Encrypted storage helps to maintain the privacy of that data. Users should ensure that data is encrypted in-flight, while in use, and at rest in storage.
• Intrusion Detection systems/Intrusion prevention systems are implemented and monitored regularly for any breach attempts.
• Strong Authentication Methods (Multiple factor Authentication) are applied for managing RPA bot access.
• Privilege Accounts (Super user Access) usage is minimal and restricted to few users based on specific needs. Their usage is regularly monitored.
• Bot password is encrypted and cannot be accessed by company personnel. Any communication performed by the robot across different networks is encrypted.
• Vulnerability Assessment should be done by independent third-party professionals.
• Access removal ensures timely and immediate removal of users who are out of system or organization.
• Access reviews should be conducted on a regular basis and should extensively cover the access provisioning rules and permissions.
• Physical access to the location hosting the RPA should have restricted access.
• Periodic review and monitoring should be conducted on physical access logs to ensure restricted access is enforced.
• Physical Facility also needs to follow regulatory and other certifications (e.g., ISO, EHS). This in a way ensures that minimum/standard requirements for application of BCP and DRP will be met.
• Incremental backups of RPA environment need to be done regularly in line with business criticality. Backup procedures are defined and are listed out in standard documentation.
• Monitoring tools are implemented to capture and notify critical system health issues, errors in scheduled bot run, performance issues affecting the RPA environment. These Incidents and failures are appropriately identified, documented, escalated and remediated in a timely manner.

Review of System Change management

A review of the system change management control is a process of evaluating and analyzing the controls in place to ensure the effectiveness, efficiency, and compliance of the system change management process in an organization. This can be done to identify any areas for improvement and to ensure that the controls are aligned with the needs and goals of the organization. There are several steps that can be followed when conducting a review of the system change management control:

• Define the scope of the review: It's important to clearly define the scope of the review, including the specific systems and controls that will be evaluated.
• Gather data: To conduct the review, it will be necessary to gather data about the current system change management controls, including information about the controls themselves, the tools and technologies used, and the outcomes of the controls. This can be done through interviews, surveys, and other data-gathering methods. Care must be taken to ensure authenticity of data source.
• Analyze data: Once the data has been gathered, it's important to analyze for its purpose, integrity, representation and veracity. These would get reflected through identifying trends, patterns, or areas where the controls are not meeting the needs of the organization.
• Develop recommendations: Based on the analysis of the data, it will be necessary to develop recommendations for improving the system change management controls. These recommendations should be specific, actionable and aligned with the needs and goals of the organization.
• Implement recommendations: Once the recommendations have been developed, it will be necessary to implement them to improve the system change management controls. This may involve updating policies, procedures and tools as well as providing training to ensure that the changes are successful.

SDLC in RPA Implementation and Maintenance

• Management should have a structured way of assessing which processes are suitable for automation. The company has systems development life cycle (SDLC) policies and procedures in place that are updated on a periodic basis. The benefits of RPA may not outweigh the cost of investment, and the creation of multiple robots may lead to duplication of efforts and disjointed RPA environment.
• Some of the factors which need to be considered before RPA is implemented for a process:
  o Nature of process (Complex/simple, Priority, Structured/Unstructured)
  o Degree of decision making involved/Subjectivity
  o Cost benefit Analysis
  o Human intervention
  o Security and Confidentiality
  o Stability of the process
  o Data Source Quality
• RPA Requirements need to be vetted and approved at appropriate levels before development of bot commences.
• Standard Documentation should be prepared and available for requirements, design and implementation plans.
• Configurations should be as per agreed design and any changes are vetted and approved. Appropriate communication regarding the changes should be made to relevant stakeholders who could be impacted by the changes.
• Segregation is in place with respect to Production and development environment.
• Segregation of duties with respect to access rights is maintained so that code changes, configuration changes are not done by the same person i.e., person developing the code should not place the change in Production environment.
• Changes to the RPA after launch in production are authorized, tested, and approved by appropriate Management. Changes covered include changes to the automation software and changes to the key automation scripts (robots) that are performed by the software.
• Version control is maintained before and after implementation of RPA so that changes are labeled, controlled, and prevented from being erroneously used.
• Rollback procedures have to be considered and integrated into design to ensure minimal damages in the event of change implementation failure.
• Maintenance activities for RPA environment need to be planned. Checks should be in place to ensure monitoring and review activities are done pre and post completion of maintenance activities.

Data Security

Data breaches have become a regular occurrence worldwide and have serious repercussions on the running of the business. Data breach average cost increased from USD 4.24 million in 2021 to USD 4.35 million in 2022.

RPA accesses, processes, stores and disposes of data to accomplish the task for which it is built and operated. It is imperative that data security is considered at the governance layer. Following aspects are critical while data is considered in RPA Environment:
  o Confidentiality
  o Integrity
  o Availability
  o Privacy
• In case confidential/Sensitive data is used, care should be taken to ensure
  o Access is restricted and regulated
  o Secure Storage is planned and wherever possible confidential data is not stored
  o After processing, data is not retained and disposed of in an apt manner
• RPA environment should ensure that data integrity is maintained throughout the process. Checks and validations need to be part of design to prevent any errors or data intrusion which may impact integrity besides ensuring data is processed completely and accurately.
• Availability of accurate and complete data in a timely manner is a critical factor in the success of the RPA. Data Sources need to be clearly defined.
• Data retention should be as per policy and compliance requirements.

Compliance

Compliance in relation to RPA environment can cover different facets and as more automation is happening across functions with fulcrum being data, this area has been evolving:

• Data Privacy – Vast sensitive information is collected from customers/vendors by businesses at different touch points in operations of the business. This collected sensitive information poses risks to both customers and the companies responsible for storing and using collected information. Data privacy requirements prompt businesses to treat sensitive data with more caution and take proactive steps to strengthen their data management strategies/practices for any information that could be harmful to individuals if breached. The General Data Protection Regulation (GDPR), CCPA: The California Consumer Privacy Act, PCI-DSS, HIPAA and other regional privacy legislations are some of the common compliance laws which specifically deal with Data Privacy.
• Licensing of RPA bots – In RPA environment, User access and appropriate licensing requirements should be addressed pre and post implementation. Care must be taken to ensure access is provided as per agreed licensing norms.
• Risk Assessment – Periodically risk assessment needs to be done for identification of potential risks. The identified risks should be evaluated for any significant deficiency in the process/functionality of the Application. Risks identified must be mitigated by way of change in process/system or through preventive/corrective measures.

Conclusion

With the evolution of Machine learning and Artificial Intelligence products, opportunities are wide open (albeit with associated risks), and Organisations need to gear up to the task of providing adequate risk assurance on these applications. Rise of cyber-attacks has challenged Organisations’ responsibility towards business and has increased liabilities manifold. Systems which are biased, error-prone or used for unethical purposes pose significant reputational risks to the organization that owns them.

As we embark on this transformational journey, it is imperative to focus on the basic tenets of: Transparency, Integrity, Accuracy, Completeness and Reliability while evaluating the risks associated with the governance of these applications.

References
• https://www.gartner.com/en/newsroom/press-releases/2022-08-1-rpa-forecast-2022-2q22-press-release
• https://www2.deloitte.com/content/dam/Deloitte/in/Documents/risk/in-ra-auditing-the-rpa-environment-noexp.pdf
• https://www.ibm.com/in-en/security/data-breach?utm_content=SRCWW&p1=Search&p4=43700072645662502&p5=e&gclid=EAIaIQobChMIu9-gqs3r-gIVaJJmAh0qAwThEAAYASAAEgLNcPD_BwE&gclsrc=aw.ds
• http://isaca-denver.org/Chapter-Resources/EYRPAAIRisk Slide Deck.pdf

Author may be reached at [email protected] and [email protected]
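
The change-management controls listed under SDLC in RPA Implementation and Maintenance (segregation of duties, approval, testing, version labeling) and the access controls listed under RPA Security (access removal, multi-factor authentication, access reviews) can be tested over the full population of records rather than a sample. The Python code below is an added example, not part of the original article; the record layouts, names, sample data and the 180-day review interval are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample records; every field name and value is an assumption for this example.
CHANGES = [
    {"id": "CHG-001", "bot": "ap_3way_match", "developer": "asha", "deployed_by": "ravi",
     "approved_by": "meera", "tested": True, "version": "1.4.0"},
    {"id": "CHG-002", "bot": "ap_3way_match", "developer": "asha", "deployed_by": "asha",
     "approved_by": "meera", "tested": True, "version": "1.4.1"},
    {"id": "CHG-003", "bot": "payroll_run", "developer": "john", "deployed_by": "ravi",
     "approved_by": None, "tested": False, "version": None},
]
PRODUCTION = {"ap_3way_match": "1.4.1", "payroll_run": "2.0.3"}  # bot -> version running
ACCOUNTS = [
    {"user": "asha", "hr_status": "active", "enabled": True, "mfa": True,
     "last_review": date(2023, 6, 30)},
    {"user": "john", "hr_status": "terminated", "enabled": True, "mfa": True,
     "last_review": date(2023, 6, 30)},
    {"user": "ravi", "hr_status": "active", "enabled": True, "mfa": False,
     "last_review": date(2022, 9, 1)},
]


def change_exceptions(changes):
    """Map change id -> reasons it breaks the change-management controls."""
    findings = {}
    for c in changes:
        reasons = []
        if c["developer"] == c["deployed_by"]:
            reasons.append("developer moved own change to production")
        if not c["approved_by"]:
            reasons.append("no management approval")
        if not c["tested"]:
            reasons.append("no test evidence")
        if not c["version"]:
            reasons.append("change not labeled in version control")
        if reasons:
            findings[c["id"]] = reasons
    return findings


def unauthorized_versions(production, changes):
    """Bots whose running version has no approved and tested change record."""
    authorized = {(c["bot"], c["version"]) for c in changes
                  if c["approved_by"] and c["tested"] and c["version"]}
    return sorted(bot for bot, ver in production.items() if (bot, ver) not in authorized)


def access_exceptions(accounts, as_of, review_max_days=180):
    """Map user -> access findings; the 180-day review interval is an assumption."""
    findings = {}
    for a in accounts:
        reasons = []
        if a["enabled"] and a["hr_status"] != "active":
            reasons.append("leaver still has enabled access")
        if a["enabled"] and not a["mfa"]:
            reasons.append("no multi-factor authentication")
        if (as_of - a["last_review"]).days > review_max_days:
            reasons.append("access review overdue")
        if reasons:
            findings[a["user"]] = reasons
    return findings


if __name__ == "__main__":
    as_of = date(2023, 8, 1)
    for cid, why in change_exceptions(CHANGES).items():
        print(f"change {cid}: {'; '.join(why)}")
    for bot in unauthorized_versions(PRODUCTION, CHANGES):
        print(f"bot {bot}: running version has no authorized change record")
    for user, why in access_exceptions(ACCOUNTS, as_of).items():
        print(f"user {user}: {'; '.join(why)}")
```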