GUEST BLOG POST
Last spring, I read an article on using automation technologies, such as robotic process automation (RPA) and process mining, in internal audit. It was an eye-opening experience.
In all fairness, I had not really put RPA into practice at that time. I had read about it and thought I understood its reach, but nothing more. Data analysis had been a constant during projects, but the approach was time-consuming and a strain on the internal audit team. It was time to shift gear and upgrade the approach.
The article was “Putting Those Bots to Work” by Mike Jacka. In it he urged the internal audit community to “kick itself in the tuchus” and use automation technologies to avoid “becoming irrelevant.” It was a provocative article and a welcome wake up call. Jacka rightfully states that “almost anything related to compliance audits is fodder for RPA.”
If we cut to the chase, the job is straightforward: we download data, analyze it, and use it to discuss processes and controls. Based on what we see and hear, we note control weaknesses and make recommendations to management. The issue is that we waste a lot of time obtaining and formatting data for each audit—the same tables and charts repeatedly. Groundhog Day, but without the festivities.
Two areas are ripe for automation (1) data download and analysis to identify red flags, and (2) data visualization to support audit interviews.
Using RPA to Identify Red Flags
To test and evaluate the practical benefits of RPA, I reviewed our portfolio of audit analyses.
Manual journal entries emerged as a great pick for a pilot bot. The goal of the analysis is simple: identify all journal entries with a red flag. In an audit, a red flag is an indicator that there is a potential compliance or fraud problem. The work performed is repetitive. The internal auditor downloads tables from the ERP, which are large, so the auditor spends a long time staring at the screen. When the extract is finally available, the auditor merges different tables applying standard filters to show outliers and unusual transactions. A great task for a bot.
To kick-start the pilot, I took a free test license from a vendor assigning the challenge to an auditor who had made clear he wanted to learn how to script. Most RPA vendors offer a free online training academy to build the user community. It took the internal auditor approximately 40 hours to complete all the course modules, from the “business analyst” to the “developer” level, where you learn how to configure the bot’s variables, workflows, and controls. It then took the auditor another seven days to design and test the bot for the manual journal entry analysis.
The result was very positive. The auditor now simply presses a button, then the bot does all the work. Logging into the ERP, the bot enters the transaction to access all the tables, selects the tables, defines the period and the entity in scope. Taking the ERP download, the bot saves the file in a specific folder, opens a separate spreadsheet, transfers, and formats the data in the spreadsheet, runs a set of predetermined filters, visualizes the output in the appropriate graph, creates a separate worksheet with all the exceptions, and sends the file off to the auditor.
All of this happens at a very high speed, even when you are not at work. One press of the button allows the auditor to identify postings on weekends, outside of business hours, on high-risk general ledger accounts, with round values or suspicious text, or slightly below the management approval threshold. Critical factors to start our audit work.
In the meantime, additional bots have joined the ranks with a focus on master data, inventory count, fixed asset description, and more.
Process Mining to Support Interviews
Performing an effective process walkthrough can be a source of frustration, and a task made even more complex during remote auditing. Process flows and other spreadsheets are static, hard to share on-screen, and not effective for interactive audit discussions.
Process mining is advertised as the ultimate tool for process discovery and audit, and I can assure you—it is.
Process mining is an analytical technique that enables the user to reconstruct, monitor, and improve business processes in real time by extracting data from system log files. The application’s selling point is its ability to review the entire population of transactions and understand how the work is done beyond the subjectivity of the person performing the activity.
I took the decision to learn, implement, and use the technology with three clear goals in mind:
- Spend time on high-risk transactions and events.
- Easily conduct remote walkthroughs with clients
- Communicate the real impact of a control weakness.
If your company is using process mining in other parts of the business, adoption is a total no brainer. My advice is to start with the procure-to-pay process, a regular topic in most audit programs. Data tables and transactions are relatively well-known by most auditors and the prospect of improving spend management eases the investment decision.
The benefits for the planning and execution of a procure-to-pay audit are tremendous. For any given entity and in less than 30 minutes, audit staff can understand the spend by vendors and categories, the number of purchase orders issued, the ageing of open purchase orders, the mix of invoices without purchase orders, the existence of purchase orders issued after the fact, and many more.
Each transaction is available by entity, vendor, buyer, accountant, and can be analyzed with process flow charts and tables. To verify and investigate the existence of proper source documents, the internal auditor can rapidly get to work, drill down into transactions, explore cases, and select samples.
The Rationale for Securing Resources
Despite the obvious benefits, obtaining funding can be a challenge for internal audit managers. From experience, we saw process mining saving approximately 20 percent of the hours needed for the execution of a regular entity audit. The biggest gain comes with data gathering and sample selection as data is constantly updated and made accessible for the auditor.
Time savings in the order of 20 percent can be a compelling argument if management seeks to reduce compliance cost. But the most critical argument is that the tool provides continuous monitoring capabilities. As such, it allows you to rapidly assess the need for an audit and avoid deploying audit resources to unnecessary activities—a gain of 100 percent.
Finally, the selection of a process mining tool is no longer a jump into the unknown. The market has matured with a few vendors such as Celonis, Software AG, UiPath, or Minit leading the game. Beyond the software cost, it is critical to partner with IT and have a data engineer to design the data cube, mapping each transaction to a process step. The set-up of dashboards, flow charts, and tolerance level is a skill accessible for internal auditors.
The impact of those two technologies for the audit function is non-debatable: you gain time, save money, ask better questions, and have more useful discussion with auditees. There is no reason to procrastinate.
Jean-Marie Bequevort is Expert Practice Leader Internal Audit at TriFinance, a consulting company with offices in Belgium, Luxembourg, Netherlands, and Germany.
Hi Jean,
You wrote a very insightful article. Thank you. I am looking for ideas & tools to use in automating my ITGC, databases,Active Directory, endpoints. Please let me know if you have ideas.
Thank you.