Robotics Process Automation (RPA)
Learning Objectives
• Understand what Robotics Process Automation (RPA) is and why you should care
• Explore the risk profile impacting people, process, and technology of this emerging technology
• Develop and execute an audit program covering Governance, Risk Management, and Internal Controls
What is RPA?
RPA (Robotic Process Automation) is using software robots (“bots”) to automate manual repetitive business processes using existing applications, resources, and architecture
• Automates mundane, routine rule-based tasks
• Introduces a digital workforce that co-exists with humans
• Recent PwC estimates suggest 45% of work activities can be automated (Source: ‘Organizing your future with robotic process automation’, PwC, 2016)
Bots are NOT physical robots
What are the benefits of RPA?
• Productivity – high volume in less time
• Scalability – quick ramp up/down
• Accuracy – 0% error rate
• Availability – bots don’t sleep!
Evolution of RPA
Basics of RPA have a long history…
Sample RPA platforms today include: Blue Prism, Automation Anywhere, UIPath, WorkFusion, Pegasystems, NICE, etc.
Intelligence Continuum
How is RPA implemented - Technical
• Bots execute scripted procedures by emulating a user’s actions to complete a series of tasks (similar to test automation)
• The bots interact with GUI applications at an object level (where possible)
• Bots also access resources like structured data (XML, spreadsheets, etc.), databases, and web services
• Using Windows Active Directory (AD) and a secure credentials manager; Bot Access = User Access
The bot is simply a Windows service running on the VDI desktop with existing applications
How is RPA implemented - Organizational
Concept of a Center of Excellence (COE)
(Figure: Assessment Framework)
RPA Use Case – Sample 1
Example HR Use Case – Saving from the Onboarding System
• Execute assigned tasks in the system and save results on a specific share drive
• Rename the file to match the candidate name
Flow: Log in to Onboarding System → Select each “Open Task” → “Save As” to Share Drive → Rename File to Match Candidate’s Name
RPA Use Case – Sample 2
Example Business Use Case – Leads Management
• Transfer prospects from the marketing system to the CRM system
• Distribute prospects to assigned Bankers
Flow: Log in to Marketing System → Copy Lead Information → Paste in CRM System → Send to Bankers
Risk Profile for RPA
• Depends on the risk profile of the underlying business process and technology deployed
• However, there are some risks specific to RPA:
  – Bots failing due to IT and business process changes
  – Innate rules not captured (as bots are literal)
  – Poor process mapping causes bots to fail
  – Systematic and widespread errors (due to bots being consistently wrong)
  – HR risk of robotics automation (automation anxiety and resistance; perception of bots taking jobs)
Additional Common RPA Risks
Example Audit Scope
Key processes include:
• Governance, which includes organization, strategy, architecture, and program / project management
• Risk Management, which includes risk identification, assessment, and mitigation
• Internal Control, which includes security management, business continuity and disaster recovery, file transfers and interfaces, vendor management, change and release management, incident and problem management, capacity management, data management, and backup & recovery
Audit Execution - Governance
Organization & Oversight - To validate the organizational structure appropriately supports robotics process automation through established frameworks and management oversight of the process
Risk(s): (A) Lack of a well-defined governance framework may increase operational, financial and legal / compliance risks; (B) Lack of governance and oversight results in the disruption of systems, data loss and/or negative exposure; (C) Lack of enforcement of policies and procedures results in non-compliance with Bank standards
Audit Execution - Governance
Program Management & SDLC - To validate management has established a standardized process for the development of automation aligned to the Bank’s standards
Risk(s): (A) Lack of coverage within guidance documents or policies over key development or operational activities; (B) Program Management is insufficient to facilitate the achievement of the program goals and objectives; (C) Automation work is not initiated and governed to achieve the intended business objectives; (D) Incomplete or inaccurate testing of the implementation may result in a system that has missing or erroneous functionality and that does not meet business requirements
Audit Execution - Governance
RPA Strategy - To validate a strategic roadmap that presents the short/long term goals related to the usage of robotic process automation (RPA)
Risk(s): (A) RPA Roadmap and Strategy is not aligned with business needs and does not include the required elements including schedules or budget, resulting in inadequate prioritization of planning, resources, or technologies that support strategic initiatives; (B) Lack of strategic oversight prevents managerial awareness of activities and events
Audit Execution - Risk Management
Risk Management - Verify that RPA-related risks are identified, assessed and reduced to levels of tolerance set by enterprise executive management
Risk(s): (A) Risk metrics are not collected or analyzed; (B) A risk profile is not maintained; (C) Risk is not adequately mitigated; (D) Risk assessments around RPA are not performed
Audit Execution - Internal Control
Security Management - Access is approved, updated, and revoked by the appropriate manager in accordance with Policy. Access is reviewed periodically for appropriateness (including both roles and permissions). Periodically, privileged access is also reviewed for reasonableness
Risk(s): (A) Inappropriate or excessive access to systems, resulting in loss of system or operational integrity; (B) RPA infrastructure may not be configured correctly, resulting in instability and security vulnerabilities which could impact business operations; (C) Unauthorized changes to Blue Prism or the bots are not detected
Audit Execution - Internal Control
File Transfer & Interfaces - Monitoring processes are in place to help ensure availability of interfaces. Processes are in place to ensure data is timely, complete, and accurate for transmissions. Processes exist to identify and resolve potential data errors on interfaces and data transmission (such as duplicate transmissions). File transmissions and interface connections are encrypted
Risk(s): (A) Processing is disrupted due to system unavailability; (B) Sensitive data is compromised during transmission
Audit Execution - Internal Control
Vendor Management - Valid, reviewed, and approved contracts are in place with the required regulatory and legal language. Periodic review of the vendor’s Statement of Controls report or site review report, if available. Risk assessments are completed for vendors. Periodic performance monitoring activities are completed
Risk(s): (A) Lack of vendor reviews invalidates contracts; (B) Lack of vendor risk mitigation controls exposes internal and external systems to attack; (C) System is unavailable, quality of customer service does not meet Bank expectations, services not performed timely or accurately
Audit Execution - Internal Control
Change & Release Management - Management has established a process for changes to systems and monitors the effectiveness of the process
Risk(s): (A) Processing is disrupted due to system unavailability, resulting in errors being introduced into production; (B) Misalignment of new technology or system initiative with corporate strategy and priorities; (C) Lack of interoperability is creating inefficiency or error; (D) Business requirements do not address all of the RPA needs
Audit Execution - Internal Control
Incident & Problem Management - Incident management meets internal expectations; ability to detect the causes that are the source of incidents and serious defects in the service provided
Risk(s): (A) Excessive response time for incident resolution, non-compliance with the expected service levels, unavailability, poor performance; (B) Client dissatisfaction, recurrence of incidents, and poor service due to repeat incidents
Audit Execution - Internal Control
Capacity Management - Monitoring, optimization, and anticipation of the capacity and performance of services are correctly performed
Risk(s): (A) Inability to anticipate and meet the future needs of clients, service disruption, poor performance
Audit Execution - Internal Control
Data Management - Data management meets the organization’s defined policies and standards
Risk(s): (A) Inconsistent or inadequate risk mitigation activities due to incomplete data; (B) Data quality errors are introduced, persist, or multiply as data flows through the infrastructure; (C) Data quality issues are not resolved in a timely manner
Audit Execution - Internal Control
Business Continuity & Disaster Recovery - Business Continuity and Disaster Recovery Plans are in place and updated regularly. Recovery tests are performed periodically to ensure that users can access the systems. Any action items are resolved timely. Alternate sites have been designated for critical functions and systems
Risk(s): (A) Disruption of systems and normal business due to a disaster causing system outages
Audit Execution - Internal Control
Backup & Recovery - Up-to-date backups of programs and data should be available in emergencies
Risk(s): (A) Backups are not available when needed
Thematic Considerations
• Establish and maintain a comprehensive strategy / roadmap for RPA
• Optimize / re-engineer the underlying business process first
• Adhere to design standards for producing consistent, sustainable bots which can be more easily maintained and managed
• Implement stable infrastructure and partner closely with IT
• Understand the risk profile / manage automation anxiety
• Maintain a consistent intake mechanism for the submission of use cases
• Update Business Continuity Plans (BCPs) to include RPA
Conclusion
• Evolution of RPA – regulatory expectations / cyber crime
• Usability of bots to support Audit?
• Questions / Comments / Experiences?
Thank You!
About me… Vladimir Liska, CIA, CISA, CRMA
Vice President and Senior Audit Manager
Inspection Générale
[email protected]
Tel. 402.918.1103 (office)
Vlad Liska is a Vice President and Senior Audit Manager at Bank of the West based in Omaha, NE. As a manager in Inspection Générale (IG), Vlad leads Inspection’s coverage of the Bank’s most critical enterprise projects, vendor management functions, and data management audits supporting the Bank’s capital planning and management (including stress testing for CCAR, DFAST, and other regulatory reporting). Vlad’s team is responsible for audit coverage of overall data governance and management including data availability, usability, integrity, quality, and security as well as audits of the governing processes, defined procedures, and management execution across the organization. Prior to this position, Vlad was the risk coverage officer for the technology and corporate support functions at TD Ameritrade. Vlad has worked in various positions in the internal audit group of TD Ameritrade as well as various technology and audit positions with PwC, First Data Corporation, and the Principal Financial Group.