Robotic process automation: A primer for internal

audit professionals
Companies are racing to unlock value from the next people to get comfortable with digital labor, often
generation of digital technologies, including digital serve as a stepping stone to more comprehensive
labor, which has moved far beyond using macros on initiatives that use machine learning or other forms of
a spreadsheet. Robotic Process Automation (RPA)– artificial intelligence.
one form of digital labor–involves the use of software
For internal audit, RPA brings both opportunity and
robots to automate processes. These robots are easy to
responsibility. Internal audit has the opportunity to be
configure, require little IT expertise and can be quickly
a trusted advisor and collaborate with the other
trained and deployed to automate manual tasks. They
functional and business unit leaders on ways to
can perform activities such as copying and pasting
enhance the control environment as business processes
data between applications, reconciling and cross-
are redesigned and automated using RPA. Within
referencing data between different systems and
internal audit, new testing approaches will
conducting high-level decision-making at key points in
be needed for automated processes. Internal audit
the business process. RPA is even being used in more
professionals also have a responsibility to understand
dynamic settings, including activities that involve
risks introduced by RPA and ensure their firm’s
direct interactions with customers and employees,
controls are well designed and operating effectively
such as processing customer insurance claims or
to mitigate those risks. And, perhaps the greatest
setting up new employees with the right level of
opportunity: testing of controls and other
IT access.
departmental tasks can be automated through RPA,
The impact of RPA on a company’s operations and expanding internal audit’s capacity and freeing
competitive positioning is significant on a number of auditors to focus on more value-added activity.
fronts: economic value, workforce advantages, quality
As RPA momentum
improvements, flexible execution, speed and agility.
increases, internal audit
professionals can keep
PwC estimates that 45% of work activities can pace by helping the
be automated, and this automation would save company understand and
$2 trillion in global workforce costs 1. control RPA risks and by
In addition, RPA projects that prove the value of embracing RPA within
automation technology and enable an organization’s their own organization.
1 Based on PwC estimates

PwC | Robotics Process Automation: A primer for internal audit professionals 1

Helping the company understand and control Chief Audit Executives (CAEs) and their teams need to
RPA risks understand how the organization is using RPA and
Automation can certainly increase compliance and how that impacts its risk profile by thinking broadly
reduce risk. Unlike humans, who may skip a process about exposure across multiple categories of risk
step, or are inconsistent in the way they process a (Figure 1). Establishing governance of RPA and
transaction, a software robot performs the task in a relevant controls up front should help effectively
standard manner, free of bias or any variation, thus mitigate risks. By embedding governance, risk
ensuring a high level of accuracy. But RPA can also management, and controls into the enterprise’s
introduce risks if appropriate controls are not in place mobilization and deployment of RPA, organizations
and monitored. For instance, because RPA action is can catch issues before they arise. Getting it right from
consistent, any error becomes a systemic and the start is far more effective and cost efficient than
widespread issue across that business process and data cobbling together a patchwork of policies and
set. Or, if there is a business process change but the controls later.
robot has not been modified to reflect that change, it
may fail to perform or introduce inaccuracy. Another Internal audit’s early involvement in an RPA
potential risk? If someone gains unauthorized access to initiative ensures a balanced discussion, risk
a robot, it could be altered or used to conduct assessment and agreement on the overall
unauthorized processing. governance framework and process design.

Figure 1: 5 categories of risk to consider when implementing an RPA program

PwC | Robotics Process Automation: A primer for internal audit professionals 2

Automating control performance, controls Beyond the automation of controls testing, RPA offers
testing and other internal tasks significant potential to change how internal audit
Controls by their very nature require a consistent works. For example, some of the tasks that RPA could
repetitive activity and level of documentation – automate include:
characteristics that make them ideal automation  Identifying open items, sending emails to
candidates. In addition to helping the company responsible parties, conducting follow-up
understand RPA risks, internal audit is in a principal when due dates are not met and documenting
position to identify and recommend controls that remediation status
are well suited for automation. Automating control
performance has a positive ripple effect on internal  Tracking progress against the annual audit plan or
audit. Testing approaches will need to be redesigned tracking and monitoring key risk indicators (KRIs)
for newly automated processes, but testing of the  Automating reporting and dashboarding activities,
automated control is likely far more efficient. including populating audit committee and
Many CAEs are looking for ways to satisfy basic management report templates or internal audit’s
internal control compliance requirements in a more balanced scorecard
efficient way. Where control automation is not possible  Evaluating data quality in any system, such as in
or yet in place, automating control testing may be an master data files, checking for completeness of
opportunity. In a large organization the use of RPA to fields, duplicates and validation
automate the testing of general controls could
potentially free thousands of auditor hours to focus on To realize the benefits of RPA, deployment
other high priority audits. must be managed with the same discipline and
consideration as any other technology-based project.
Internal audit should leverage the company’s digital
Through automated testing, internal audit
initiative as a technology platform to reduce its cost
can test full populations of data rather than
and increase risk coverage.
sampling and management can have greater
confidence that controls are designed and From PwC’s experience, a successful rollout of RPA
operating effectively. requires consideration of a full framework: a strategy
that drives selecting the right processes and
prioritizing these processes; governance; development,
testing and deployment; and the right infrastructure,
support and operating model to manage the new
robotic workforce. A formal strategy and roadmap will
provide the level of rigor around the automation
initiative that is required to make it a sustainable,
transformative program. Well designed and delivered
training can quickly arm internal audit end users with
the skills necessary to execute a long- term, sustainable
digital workforce in the new operating model.

PwC | Robotics Process Automation: A primer for internal audit professionals 3

Taking action now
CAEs are continually pressured to raise Internal the organization’s RPA initiatives and to build a
Audit’s business contribution and to optimize strategy and roadmap for its own RPA adoption. As
cost. RPA offers the potential to deliver sizable the next wave of emerging technologies disrupts every
improvements in productivity, cost and risk coverage. industry, forward-thinking audit committees will be
It’s time for internal audit to proactively engage in asking about RPA, and CAEs who mobilize now can be
ahead of the curve.

Questions CAEs should consider

Contact us
For a deeper discussion on how you can maximize the potential of RPA in your organization, please contact:

Sachin Mandal Carolyn Amrein Jenna Switchenko Ryan Martin Seth Rosensweig
Principal Director Director Principal Principal
(973) 580 9950 (646) 471 4215 (617) 530 7539 (617) 530 5986 (646) 471 6762
sachin.k.mandal carolyn.m.amrein jenna.o.switchenko ryan.d.martin seth.rosensweig
@pwc.com @pwc.com @pwc.com @pwc.com @pwc.com

© 2017 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC
network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details.