By Tom Venables, Practice Director – Application & Cyber Security at Turnkey Consulting
As technology has advanced, Robotic Process Automation (RPA) has become a valuable tool for finance teams in streamlining everyday processes and operations. Until 2020, RPA worked in combination with skilled human resource to get these vital tasks done – and then came COVID-19.
The economic shock of the pandemic has led many organisations to pare back their workforces, and consequently they are increasingly turning to RPA in order to get the same jobs done for a smaller financial outlay. This acceleration in adoption can deliver huge benefits for these organisations, but comes with a number of tricky challenges to navigate, especially around security, risk and the management of system access.
Removing the margin for error
The premise of using RPA over human finance operatives is clear: robots don't get tired or bored. Even the most skilled and experienced employee in the world will be fatigued by dealing with a seemingly endless stream of invoice amounts, PO numbers and other data and, over time, it's easy for mistakes to creep in.
RPA bots don't have this problem (and neither do they have to be regularly fuelled with coffee). They have the ability to read an invoice, attribute the information within it to the appropriate PO number, and set in motion all the payment and ledger activity related to that data. Not only do they do all that more reliably than humans, but they do so much faster and more cheaply. However, this ideal vision can only be achieved if RPA is built and implemented into a business correctly.
Different cure, same treatment
RPA bots do have incredible capabilities for automating and streamlining all these processes – but they first have to be told exactly what to do and how to do it. At a minimum, the controls that apply to human finance staff also need to be deployed to bots, with a view to these controls being even more robust, given the larger workloads bots can take on. It may also be necessary to amend controls so that they reflect the new ways of working; as the business processes change, so too do the key control points which must be captured.
This requires three key elements to be considered:
- Control execution points: taking an accounts payable (AP) process as an example, an AP clerk will approve processes manually, then pass them on to the AP manager so that each has been checked by at least two people. RPA removes this function and reduces the level of human intervention to spot-checks; to avoid errors such as duplicate payments, it is essential to have automated controls working properly.
- Failure indicators: depending on how they are configured, bots can (occasionally) make mistakes, such as misjudging numbers of a similar format and putting a PO number in as an amount. Bots can resolve these issues themselves, but only if they know about the types of errors they should be looking for.
- Robust testing: both of the points above mean rigorous testing is critical; how meticulous that testing needs to be depends on the amount of work RPA is taking on. If, for example, RPA is handling half the cash outgoings at an organisation, then controls need to be sufficiently strong to match the risk posed to the business if things go wrong.
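Added example, not from the original article or from any RPA product: two of the automated controls described above, a duplicate-payment check and a failure indicator for a PO number read into the amount field, applied to constructed invoice records before payment is released. The record fields and the reference-normalisation rule are assumptions made for illustration.

```python
import re
from decimal import Decimal, InvalidOperation

def normalise_ref(ref):
    """Treat 'INV-00123' and 'inv123' as the same invoice reference."""
    alnum = re.sub(r"[^A-Z0-9]", "", ref.upper())
    m = re.match(r"([A-Z]*)0*(\d.*)", alnum)
    return m.group(1) + m.group(2) if m else alnum

def screen(invoices):
    """Return (released, held); each entry is (invoice id, reasons)."""
    seen = {}  # (vendor, normalised ref, amount) -> id of first invoice seen
    released, held = [], []
    for inv in invoices:
        reasons = []
        try:
            amount = Decimal(inv["amount"])
            if not amount.is_finite():
                raise InvalidOperation
        except InvalidOperation:
            amount = None
            reasons.append("amount is not a number")
        if amount is not None:
            po_digits = re.sub(r"\D", "", inv["po_number"]).lstrip("0")
            # Failure indicator: the PO number was read into the amount field.
            if amount == amount.to_integral_value() and str(int(amount)) == po_digits:
                reasons.append("amount matches PO number digits")
            # Control execution point: same vendor, reference and amount twice.
            key = (inv["vendor"].strip().upper(),
                   normalise_ref(inv["invoice_ref"]), amount)
            if key in seen:
                reasons.append("duplicate of " + seen[key])
            else:
                seen[key] = inv["id"]
        (held if reasons else released).append((inv["id"], reasons))
    return released, held

# Constructed sample records (field names are assumptions for this example).
FIELDS = ("id", "vendor", "invoice_ref", "po_number", "amount")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("A1", "Acme Ltd", "INV-00123", "PO-4500012345", "1250.00"),
    ("A2", "acme ltd ", "inv123", "PO-4500012345", "1250.0"),
    ("A3", "Bolt Co", "B-77", "PO-4500067890", "4500067890"),
    ("A4", "Bolt Co", "B-78", "PO-4500067891", "310.40"),
]]

if __name__ == "__main__":
    for inv_id, reasons in screen(SAMPLE)[1]:
        print(inv_id, "HELD:", "; ".join(reasons))
```

Held invoices go to a human reviewer rather than being dropped, which keeps the spot-check role the article describes.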
Safety still comes first
Along with controls, how RPA fits in with the organisation's security provisions must also be considered. Bots can process a large number of invoices in a very short period of time. This speed is potentially enough to trigger warnings around security breaches, as Security Information and Event Management (SIEM) systems may perceive it as abnormal activity and flag it as a threat to the organisation; allowances need to be made to accommodate this major change in 'usual' activity.
It's worth remembering that bots are also pieces of software and, like any piece of software, they are at risk of cyber attack. Because they are required to process lots of sensitive information at high speed without triggering alerts, they are often an attractive target for cyber-criminals. As well as considering bot security, such as who can access their configuration, it is crucial to keep the authorisation assigned to bots to an absolute minimum in order to limit their risk profile and eliminate the unnecessary credentials they are often given. The principle of minimum authorisation states that the (bot or human) user should have only the level of access needed to perform the tasks required of them. The high volumes of processing undertaken by bot accounts reinforce the need to apply this principle, despite the temptation to widen authorisation so that they can work with multiple scenarios without interruption (which increases the risk they can undertake activity they shouldn't).
Overall, RPA bots can and should be immensely powerful assets to most organisations in the unpredictable months and years ahead – but only with the right implementation. With risk, security and controls kept front of mind, the efficiency of finance operations can be improved, resulting in meaningful savings, and a reduction in the pressure put on the human finance staff.