Robotic process automation (RPA)-enabled environments are quite different from traditional environments, which are supported by the core application's manual processes and its normal automated application controls. RPA adds a further layer of complexity that is intended to increase productivity and quality in the end-to-end execution of the business process. That said, the effectiveness of RPA depends on the correct design and integration of this new technology within the end-to-end process. This article explores the risk introduced in an RPA environment and the top hotspots that should be considered in a typical RPA risk assessment.
To design the right risk assessment procedures, practitioners need to understand the architecture components of RPA technology. Any RPA platform has three main components:
- Development studio (client-based)—This is the developer tool that is used to build out the bot logic. It is where developers build the step-by-step code that the digital worker will execute.
- Digital worker (bot or robot)—This is the digital account that executes the code developed. It is the bot (i.e. account) that will interact with the different systems to execute the steps as outlined by the developer.
- Automation operator (web-based)—This is the control room where administrators will manage deployment and authentication of the bots. This is a critical application because it is where you can run/stop a bot, troubleshoot errors, manage bot authentications and, most important, deploy new bots in production environments.
Business, compliance and internal audit functions should consistently include regular formal risk assessments in conjunction with any RPA change, to determine the likelihood and impact of all identified risk factors using qualitative and quantitative methods. The key areas for an RPA risk assessment include:
- Governance and oversight:
  - RPA governance board and oversight structure—An appropriate level of oversight over the RPA program should be developed. This can follow a federated, centralized or distributed approach. Oversight responsibilities may include validating RPA program effectiveness and ensuring the appropriateness of RPA functionality and funding.
  - Annual compliance reviews—Independent reviews and assessments should be performed to ensure that the organization addresses the established RPA policies, standards, procedures and compliance obligations for bot usage.
  - RPA controls and risk framework—An RPA controls framework outlining the standards and the regulatory, legal and statutory requirements relevant to the business needs should be established and communicated to relevant stakeholders, including developers.
- Bot development and change management:
  - Business and compliance functional requirements—Business and compliance specifications for each automation project should be reviewed by the RPA committee, including security and controls staff and business team members, to validate the appropriateness of the RPA-enabled process design. A post-production review of bot logic against business and compliance requirements should also occur for each RPA deployment project.
  - Change management and version control policies—A set of policies and procedures guiding developers to adhere to the organization's change management policy should be created and communicated. The procedures should also specify any tools needed to keep a version history of the packages developed (e.g., GitHub).
  - Change management testing and quality assurance—A quality change control and testing process should be established, with a focus on system availability, confidentiality and integrity testing criteria.
  - Environment isolation—Production and nonproduction environments should be separated to prevent unauthorized access or changes. Development environments (e.g., a UiPath Orchestrator development environment) and development bots should not be connected directly to production systems.
- Cloud and cyberthreat management:
  - Encryption configuration—Automation projects should encrypt sensitive data to meet confidentiality compliance requirements (e.g., using algorithms such as Advanced Encryption Standard [AES], Data Encryption Standard [DES], RC2, Rijndael and TripleDES to encrypt and decrypt plain text files processed by bots).
  - Infrastructure hardening—Infrastructure environments, including the persistence and server layers, should be hardened to expose only the ports, protocols and services necessary to meet business needs, and should have supporting technical controls in place as part of the baseline build standard or template.
  - System and Organization Controls reports—Third-party service reports (e.g., SOC 1 or SOC 2 reports) demonstrating compliance with information security and confidentiality requirements, access control, service definitions and service level agreements should be reviewed.
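The environment-isolation and encryption-configuration checks above can be turned into an automated control test run against each bot deployment package before it is promoted. The following is an added example, not code from the article or from any RPA vendor; it assumes a constructed JSON package format, a hostname naming convention that labels production systems with "prod", and treats AES as the only cipher from the article's list that is still recommended for new designs.

```python
import json
import re
from urllib.parse import urlparse

# Assumption (not from the article): production systems follow a naming
# convention with a "prod" label in the hostname, e.g. erp.prod.example.com.
PROD_LABEL = re.compile(r"(^|[.-])prod([.-]|$)", re.IGNORECASE)

# Of the ciphers the article lists, only AES is still recommended for new
# designs; DES, RC2 and TripleDES are legacy and are flagged by this check.
APPROVED_FILE_CIPHERS = {"AES"}

# Constructed sample deployment package: a development bot that points at a
# production ERP endpoint and encrypts its work files with TripleDES.
SAMPLE_PACKAGE = json.dumps({
    "bot": "invoice-matcher",
    "environment": "development",
    "endpoints": ["https://erp-dev.example.com/api",
                  "https://erp.prod.example.com/api"],
    "file_cipher": "TripleDES",
})


def assess_package(package_json: str) -> list:
    """Return control findings for one bot package; an empty list passes.

    Check 1: a non-production bot must not target a production host.
    Check 2: files the bot writes must use an approved cipher.
    """
    pkg = json.loads(package_json)
    env = str(pkg.get("environment", "unknown")).lower()
    findings = []

    # Check 1: environment isolation (only enforced for non-production bots).
    if env != "production":
        for url in pkg.get("endpoints", []):
            host = urlparse(url).hostname or ""
            if PROD_LABEL.search(host):
                findings.append(
                    f"isolation: {env} bot targets production host {host}")

    # Check 2: encryption configuration for bot-processed files.
    cipher = pkg.get("file_cipher")
    if not cipher:
        findings.append("encryption: no file cipher configured")
    elif cipher.upper() not in APPROVED_FILE_CIPHERS:
        findings.append(
            f"encryption: cipher {cipher} is not approved for bot files")
    return findings
```

Running `assess_package(SAMPLE_PACKAGE)` reports both the cross-environment connection and the legacy cipher; a package with no findings is a candidate for promotion through the normal change management process.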
These are only the tip of the iceberg. An RPA-enabled environment pushes assurance leaders to upskill their teams to manage the new risk areas. There are many competing technologies in the RPA and artificial intelligence (AI) spaces, but the approach to managing risk follows the same logic. Leaders should get ahead of RPA and AI technologies and appropriately manage the inherent risk factors to comply with applicable laws and regulations.
Mostafa Elghazaly, CISA, CRISC, CISM, CGEIT, is a content writer, a solopreneur and the founder of Signify Solution LLC.