The advent of Robotic Process Automation (RPA) has the potential to disrupt the traditional audit model. With its capability to automate rules-based tasks that are repetitive and manual, RPA is expected to repurpose the role of the auditor by replacing perfunctory tasks and emphasizing higher order thinking skills that will eventually lead to enhanced audit quality. This editorial envisages the future of audit by introducing the concept of RPA and describing its usage in auditing. Moreover, considerations for RPA-based audits and a series of research questions are presented with the objective to create a dialogue in this evolutionary area.
The process of industrialization has led to the progressive automation of tasks aimed at economic efficiencies and improved product quality. Although the creation of production lines by Henry Ford (1922) has been mainly a process of industrial engineering where artisanal processes were formalized into repetitive activities through time and motion studies, these processes evolved with the progressive introduction of machinery and tools into complex constructs with repetitive human work. This process of industrial engineering has not, by and large, been applied in the audit practice world where practice manuals, templated audit plans, and an ever-evolving supportive software combine into a still somewhat artisanal process dominated by anachronistic standards and ad hoc judgment. Recently, several of the major CPA firms have started to rethink their processes in the line of automation including a mix of advanced automation technologies with analytics and cognitive technologies (Figure 1). This process of rethinking has blended with their evolution of the nature of advisory services that are now dominant in these firms.
On the other hand, there is little if any academic research, in this area now named robotic process automation (RPA) that tends, for the leading firms, to focus on artificial intelligence-based issues and not directly on audit automation as proposed by Issa, Sun, and Vasarhelyi (2016). Figure 2 displays a schema whereby the four main areas of the audit overlap in the emerging usage of audit analytics. The key trade-offs and data sources of the past have changed and statutes and procedures have slowed down change in audit, making it less cost effective and of much lower quality.
The overlap of capabilities and functionalities of audit analytics in the four main stages of the audit, the advent of many IT tools, the possibility of automation/formalization of decisions using technology, and the availability of large data make it essential to rethink processes and approaches incorporating technology. These are divided into three main elements:
Parts of the audit that are prone to the utilization of workflow and time and motion improvements;
Parts of the audit that have repeatable judgments that, by and large, are deterministic if the information is available; and
Judgments that are stochastic in nature such that practitioners do not often formulate them in the same manner or agree on similar outcomes.
The first two elements are prime candidates for the use of automation methodologies such as RPA.
What Is RPA?
The IEEE (Institute of Electrical and Electronics Engineers) Standards Association defines Robotic Process Automation (RPA): “A preconfigured software instance that uses business rules and predefined activity choreography to complete the autonomous execution of a combination of processes, activities, transactions, and tasks in one or more unrelated software systems to deliver a result or service with human exception management” (IEEE Corporate Advisory Group 2017). These preconfigured software instances reproduce the work that humans do, and they are called robots, or software robots. In short, RPA robots automate human tasks.
RPA possesses unique characteristics that set it apart from other automation paradigms contained in business process automation, business process reengineering, or business process management systems. First and foremost, RPA robots conduct work the same way that humans do, through the software presentation layer. Logins, emails, analyses, report building, data entry, and other functions are still completed. RPA robots can be compared to the recorded macros in Excel that automate specific tasks. The primary difference between the two is that RPA “macros” can be recorded to work with virtually any existing desktop or server software. RPA software generally includes an interface with a record button that, when activated, generates a script, or robot, as a user performs the task that is to be automated. With some configuration, robots can be trained to read emails, open PDFs, identify salient information, enter data into ERP systems, and send an email to specific supervisors when ambiguity or errors are encountered. All of these actions can be monitored in real time by the user that designed the script, or by other software robots.
Figure 3 displays symbolically the effect of replacement of devices into human-based workflows. These replacements must be considered both in terms of technological process reframing (Issa et al. 2016), as well as in terms of the effects of workforce replacement (Frey and Osborne 2013). Technological process reframing (TPR) is defined by the authors as “the reconsideration of methods and processes on an area of endeavor consequent of the advent of a disruptive technology” (Issa et al. 2016). However, in the current context, some of the technologies have been in use for a while and the strong effect is their utilization for automation of manual tasks that have been utilized in an artisanal way. Work replacement has a large literature that spans many fields and has emerged as a major issue in recent years. In general, the audit profession has been concerned not only about the effect upon the current workforce, but also about the skills needed for the auditor of the future (Appelbaum, Kogan, and Vasarhelyi 2017a).
When Is RPA Appropriate?
Although the scope of RPA-appropriate tasks and processes is increasing, there are certain attributes that are helpful in identifying them (Lacity, Willcocks, and Craig 2015). First, well-defined processes are more automatable. Because robots currently still need precise instructions in order to successfully complete tasks, tasks with significant ambiguity are not typically candidates for automation. Second, high volume, repeated tasks can benefit more from automation. Tasks associated with payroll, accounts payable, and accounts receivable are often mundane and recurring, making them good candidates. Third, mature tasks should be targeted. They have more predictable outcomes and the costs are known. Automating these types of tasks is less risky.
The business process improvement literature and professional auditing literature suggest that RPA can result in improved processes and economies of scale when the steps to perform a rules-based task are repetitive and manual. Conversely, RPA is less appropriate for those tasks that require elements of human judgment, that have uncertain outcomes, or that occur infrequently. When implementing RPA for the first time, organizations should look for easy wins; hence, complex and subjective tasks should be avoided.
RPA IN AUDIT
RPA has been widely implemented by business organizations ranging from automatic invoice processing to automatic calculation of credit to a customer's account (Lacity et al. 2015; Seasongood 2016), albeit the application of RPA to auditing remains largely unexplored. Given the recent interest by audit firms and standard setters about the use of technology in audits (IAASB 2016; PCAOB 2017a; KPMG 2016; PwC 2017), it is not surprising that RPA is emerging as an area of interest. From an auditing perspective, manual and repetitive audit tasks such as reconciliations, internal control testing, and detail testing can be automated. As a result of this automation, auditors would be able to allocate more resources to audit areas that are complex in nature (e.g., estimation of fair value investments), or to investigating items that are potential anomalies, eventually leading to higher audit quality.
Automation Tools for Audit
Before the term RPA became mainstream and narrowly defined, the automation of audit tasks was accomplished using a series of tools, which might be used independently, or in conjunction with one another. Table 1 describes a variety of open source and vendor-provided tools that assist with the automation of audit tasks (including RPA). While Excel is indispensable in audit tasks, how Excel would be used for automation requires some consideration. Presently, auditors use Excel to select samples, run tests, and document audit procedures. In these cases, Excel audit templates require manual editing by the user to enter data, perform calculations, and document results. As discussed above, Excel macros are a utility that can automate repetitive audit work functions. With Excel macros, the user has the ability to preprogram functions that execute audit tasks sequentially. Similarly, CaseWare IDEA software for auditing and monitoring has preprogrammed audit capabilities that allow the auditor to import a dataset and select an audit task for execution from the user interface.
Python and R are examples of scriptable languages that can enable automation in audits, although using them requires experienced developers and a high degree of customization.1 These tools are free to use and they provide more flexibility than Excel or IDEA to automate audit tasks. In addition to enabling comparable features to Excel macros and IDEA, other audit-relevant capabilities include web scraping and importing and exporting data. Additional possibilities to automate a wide range of audit tasks include:
Use Python, for example, to write code that imports audit files from various sources and loads it to IDEA or Excel;
Use IDEA or Excel to run preprogrammed audit functions such as reconciliation performance; and
Have IDEA or Excel create new documents with the results of audit procedures.
The above scenario assumes a variety of tools are used in conjunction, however, another possibility would be to use RPA tools to complete all the tasks. RPA vendors like UiPath and Blue Prism2 offer similar automation capabilities as Excel, IDEA, Python, and R, but do not require programming at the user-level interface.
MOVING TOWARD RPA-BASED AUDITS
Since RPA has great potential to transform the audit profession and change the role of the auditor by replacing perfunctory tasks and emphasizing higher order thinking skills, it is paramount to have a plan of action that will ensure a smooth transition (Lacity et al. 2015; Seasongood 2016). In essence, the role of the auditor would be repurposed and changed from being a data collector, processor, analyzer, and disseminator to primarily emphasizing the evaluation component of audit procedures. However, before this change takes place, there are several RPA implementation stages that should be considered. In particular, for RPA to come to fruition, audit firms should consider the following:
Which audit process should be targeted for automation?
How can audit procedures be distilled into small steps suitable for automation?
What audit procedures can result in automation?
Are data in a machine-readable format?
Based on the assessments made in previous stages, what audit procedures should be targeted for automation?
Does RPA function as envisioned in a prototyping stage?
Through evaluation and feedback, can areas for improvement be identified?
In this stage, the audit firm would evaluate audit processes where automation would add value. Processes suitable for automation are likely to be those that require a significant amount of human effort to execute repetitive rules-based tasks. Once the audit process is identified, the RPA team, which would include the audit firm in conjunction with the RPA developer (e.g., a business user, the IT department within a firm, a consulting firm, or an academic institution), would engage in gathering knowledge about the process. That is, the team would gain an end-to-end understanding about the phases in the process.
Audit Procedure Modularization
Upon obtaining an understanding of the audit process, the RPA team would have to consider breaking down audit procedures within the process into narrow categories. For software programs to function as intended, they would need to have detailed instructions to perform a particular task. As an example, a human can understand and execute the command “go check unread email” without much instruction, but a software program would need a number of pre-embedded conditions to execute the same task; in this situation, the software would require commands that relate to opening the internet browser, entering credentials to log in, and checking unread email.
Audit Procedures for Automation
Categorizing audit procedures into narrow steps can help the RPA team envision audit procedures that are, and are not, suitable for automation. The RPA team can assess whether the small audit modules (i.e., narrow audit steps) identified in Stage 2 meet the following conditions:
Does the module require structured judgments? (Structured judgments may be more automatable than unstructured judgments.)
Does the module use data that are available in digital format? If not available in digital format, can they be converted to it?
If it is not possible to obtain data in digital format, or convert data to digital format, can the audit module be reframed to obtain the same level of audit evidence?
For those modules that meet Criteria 1 to 3, what are the analytics that can be deployed to meet audit objectives?
Standardization of Data
An important component of preparing for RPA-based audits would be to consider the sources and labels of the data. After all, audits are founded upon the evaluation of financial and nonfinancial data that comprise financial statements. Data should be in a structured format for the software program to successfully interpret the inputs (data attributes) of automated audit procedures. The reality, however, is that data that are collected as audit evidence come from different sources and in different labels, even though the labels represent the same object. For example, Report A may have a label “sales,” while report B may have a label “revenue.” Such label inconsistency would create interpretation challenges for the software program. To address this concern, standardization of the data would be necessary.
The standardization of data can take the form of a template that employs the same labels for data attributes that represent the same object. The AICPA Assurance Services Executive Committee Audit Data Standard (ADS) initiative parallels this vision and recognizes the benefits of data standardization (AICPA 2013).
Selection of Audit Procedures for Automation
While a number of audit procedures may be suitable for automation, it may not be feasible to automate them all. This would occur under two scenarios. In Scenario 1, the audit procedure is rules-based and thus automatable, but its inputs cannot be collected digitally or transformed to digital content efficiently. Under the second scenario, the audit procedure is rules-based and automatable, but it would incur high levels of overhead that might diminish the benefits attained from automation. Overall, a cost-benefit assessment should be performed to evaluate the automatable audit procedures that would add value in the long term.
Prototyping and Experimentation
The second-to-last stage in moving toward RPA-based audits would be to design and implement prototypes for the audit procedures selected in Stage 5. The prototype would consist of one, or a combination, of the RPA tools highlighted in Table 1. Implementation of the prototype would also be necessary to ensure that it functions as envisioned. Prototype implementation would entail feeding data to the audit procedure to validate the preprogrammed conditions.
Evaluation and Feedback
Prototyping the RPA audit tool can help the RPA team assess whether the automated audit procedure is ready to be launched during real audit engagements. It is possible that the RPA audit tool may need to be refined, perhaps by embedding additional rules, or by modifying existing rules. The following section describes an RPA-based audit procedure.
REVENUE TEST WITH RPA
Implementing RPA for revenue testing can potentially improve audit quality. Revenue is a key audit area that is frequently audited and is generally an area of high audit risk. Yet, PCAOB inspection briefings consistently highlight revenue as an audit area with recurring audit deficiencies (PCAOB 2017b). Because many of the audit procedures for the revenue account involve manual and repetitive tasks, RPA can improve audit quality by testing the population of revenue transactions and allowing the auditor to more precisely evaluate and address the risk of revenue material misstatement. Figure 4 depicts how RPA can assist auditors in the execution of reconciliations, analytical procedures, control testing, and detail testing.
Reconciliation and Analytical Procedure
RPA can perform revenue reconciliations by automatically (1) logging in to the FTP (file transfer protocol) server set up by the auditor and the client to share client files, (2) entering a query to search for the revenue listing and trial balance, (3) extracting the revenue transaction listing and trial balance, (4) importing the revenue transaction listing and the trial balance to Excel or IDEA, (5) calculating the total per the revenue transaction listing, and (6) comparing the total per the listing to the total reported in the trial balance revenue account. Once the reconciliation is performed, RPA can be used to compare the total calculated in Step 4 to the total revenue audited in the previous year. To accomplish this task, the RPA program can (1) log in to the prior year audit workpapers, (2) enter a query to search for the audited revenue amount, (3) extract a report presenting the prior year revenue balance, (4) import the report to Excel or IDEA, (5) compare the total revenue amount from the current year to the total revenue amount from the prior year, and (6) generate an alert if the difference between balances exceeds a 5 percent threshold of materiality. The alert can be presented to the auditor as part of the audit workpaper dashboard. Alternatively, the RPA program can email the auditor every time there is an alert. If no differences are noted, the RPA program can move on to perform the subsequent audit tasks, as described below.
Internal Control Testing and Substantive Testing
The risk-based approach guides auditors in their assessment of the risk of material misstatement. This assessment is performed during the period under audit, with an initial assessment performed during planning and an ongoing assessment performed during internal control and substantive testing. The ongoing assessment of risk is generally based on a review of a sample of transactions that are tested (PCAOB 2010; AICPA 2012). With RPA, the full population of sales can be tested to validate the operating effectiveness of internal controls and management's assertions. As a result, full-population testing enables auditors to eliminate sampling risk and assess audit risk more precisely (Appelbaum et al. 2017b).
Auditors can accomplish this task by having an RPA program set up to automatically match purchase orders, invoices, and shipping documents. The program can check that the price and quantity on each of the documents match. This test can help auditors validate the effectiveness of preventive internal controls that are established within a business organization's computer system. In addition, this test can help auditors verify management's assertions of existence, completeness, and valuation.
RPA can assist auditors with this dual-purpose test by automatically (1) logging in to the FTP, (2) entering a query to search for the three digital documents outlined above, (3) extracting the three documents, (4) importing the three digital documents outlined above, (5) performing the three-way match, and (6) generating alerts for auditors to review for items that do not match. Ultimately, RPA for revenue testing provides expanded coverage of the revenue account, reduces the time spent performing audit tasks, and guides auditors to focus on higher priority tasks, such as evaluating items that do not conform to the automated three-way match described.
CONSIDERATIONS FOR RPA-BASED AUDITS
As the auditing paradigm shifts from largely manual to a combination of manual and automated audit procedures, there are several considerations that audit firms should take into account as they prepare to adopt RPA technologies. These considerations relate to the reliability of RPA tools and data, the possibility of dealing with a large number of notable items (RADAR 2017), privacy and security, and the economics of RPA.
Reliability of RPA Tools
Appelbaum et al. (2017b) suggest that audit firms planning to use data analytics tools should be prepared to assess their reliability. Similarly, audit firms that seek to use RPA tools should consider how these tools will be validated and deemed reliable. The data science team within the audit firm could validate these tools by reviewing the settings of the RPA software and by running data simulations that would enable them to observe the inputs and the expected outputs of the RPA software. An interesting question that arises is how frequently RPA software validation should occur. Should it occur once a year, before the annual audit kicks off? Should it occur every quarter, in anticipation of quarterly reviews? Or, should it occur on a continuous basis?
Reliability of Data
For audit automation to add value and improve audit quality, it is important to evaluate the reliability of the data. Data validation checks, such as ensuring proper segregation of duties and tests of application controls, can help auditors assess the validity of data contained within digital reports that are to be used for RPA-based audit testing. Essentially, reliable electronic audit evidence would be the first stage toward data standardization. Data standardization can then be accomplished by selecting audit-related data fields from reports and importing them into an ADS for a particular audit area. As the data that are transferred from one source to a standardized template can suffer from data corruption, audit firms should also consider data validation checks to reconcile data from the original reports to the data per the ADS.
Numerous Notable Items
One of the benefits of deploying RPA software is that it expands the coverage of audit testing to the full population. However, the trade-off to consider under the full-population testing approach is the large number of notable items that the auditor would have to investigate. Certainly, investigating a large number of notable items, some of which could end up being very insignificant or false positives, would contrast the objective of moving toward RPA-based audits. Several methods to address this challenge have been proposed in the continuous auditing literature. As examples, Alles, Brennan, Kogan, and Vasarhelyi (2006) propose the forwarding of anomaly alerts to business process owners, while Issa and Kogan (2014) propose a method to filter anomalies by homogenous subpopulations to discriminate the anomalies that are more suspicious. Audit firms considering the use of RPA software should evaluate the various methods for the processing of notable items that this software is expected to generate. Importantly, by its inherent definition, it is possible that RPA can assist with the automatic processing of these items.
Privacy and Security
As the application of RPA to audits would entail managing digital audit evidence, privacy and security concerns naturally arise. Unfortunately, cybersecurity breaches are not rare events, and audit firms are not immune to this risk (Li 2017). Deloitte, one of the largest accounting and consulting firms, was the victim of a cybersecurity attack in 2017 in which the perpetrators compromised its cloud-based email system and attained client records (Deloitte 2017). Since auditors collect confidential data, such as employee social security numbers, compensation data, and contractual terms for patent development, it is expected that cybersecurity breaches will impose high costs to audit firms. These costs would reflect reputational damage and potential litigation. Consequently, audit firms that expect to adopt RPA software should determine measures to monitor for and prevent cybersecurity breaches and assess the potential costs in the event that they occur (Farahmand, Navathe, Sharp, and Enslow 2005).
Economics of RPA
Increases in demand and supply for RPA-based audits call into question the pricing of RPA-based audit services. Although RPA software would be classified as a fixed cost by nature and incorporated into the fixed-fee audit contract (Palmrose 1989), audit firms should consider the variable costs related to the development of RPA software and auditor training (Alles, Kogan, and Vasarhelyi 2002). Audit firms may consider developing RPA software in-house or hire consulting firms to develop RPA software to automate certain audit procedures. In addition, auditor training would be necessary to ensure automation capabilities are properly deployed. As a result, fixed and variable RPA costs are important factors for audit firms to consider as they assess the costs and benefits of RPA implementation. Another interesting question is the effect of scale on the adoption of RPA services: as large firms could allocate RPA development costs among their larger clients, what would happen in smaller firms? Finally, the question of generalizability of RPA solutions and their marketing by audit tool vendors comes into consideration, also affecting the economics of RPA. Four decades ago, each of the then “Big 8” firms had their own IT audit packages; now they use ACL and IDEA.
RPA AREAS FOR FUTURE RESEARCH
As the audit paradigm evolves toward the integration of RPA tools for improved audit quality, a number of research issues arise:
RPA tools for audit: Which of the RPA tools are most promising? Is the use of a combination of RPA tools optimal?
Toward RPA implementation in audits: What challenges arise from the RPA implementation stages described? Are data conversion, or standardization, primary challenges? How should those challenges be addressed?
Audit tests with RPA: What accounts or business processes would benefit from RPA audit tests? Can RPA audits tests be applied to the different phases of the audit model?
Reliability of RPA tools: How should RPA tools be evaluated? How frequently should RPA tool validation occur?
Reliability of data: How is the provenance of digital reports ensured? How is the provenance of data that are transmitted to ADS ensured?
Numerous notable items: What methods are effective for handling large numbers of notable items? Can RPA tools be used to automate handling of notable items?
Privacy and security: How should audit firms manage digital audit evidence to minimize the risk of cybersecurity failures?
Economics of RPA: Would the audit firm spread the cost of RPA software development and training across audit clients? Would audit fees comprise manual effort and RPA software amortization?
TPR and RPA: With the availability of RPA, what new assurance processes should be created, how should old processes be redesigned, and how should audit standards be changed?
The most apparent benefit of RPA in the audit is the reduction of time spent within highly repetitive processes. “Taking the robot out of the human” (Blue Prism 2017) returns more value-creating work back to the auditors. Other benefits include more reliability, perfect audit trails, enhanced service quality, and improved security (McClimans 2016).
Assuming perfect training, robots can perform audit tasks error free, which leads to higher-quality data, improved reports, and fewer downline error-correction functions. In addition, robotic work can leave reliable and trustable records of what was accomplished. Since the robot must perform within the scope of a prescribed script, auditing a robot is theoretically simpler than auditing a human. RPA-enabled processes also lead to superior service. By simply reducing the amount of time between invoice and payment, application and loan approval, or purchase order and fulfillment, satisfaction increases for both the customer and supplier. Improved security comes from reducing human interaction with sensitive systems and bringing more processes in-house by replacing outsourced functions with in-house software robots.
In a recent survey conducted by Knowledge Capital Partners (Hindle, Lacity, Willcocks, and Khan 2018), and commissioned by Blue Prism,3 users overwhelmingly acknowledged the benefits of RPA. Respondents claimed that RPA led to greater service quality, exceptional ROI, increased process automation, improved compliance, greater business agility, and improved total business value.
In addition to the benefits outlined above, RPA implementations carry intrinsic risks. According to Knowledge Capital Partners (Hindle et al. 2018), about 30–50 percent of RPA projects fail. They also identify eight areas of manageable risk related to strategy, sourcing, tool selection, project time estimates, operations and execution, change management, maturity, and stakeholder buy in.
With regard to stakeholder buy in, one risk is the potential conflict with an organization's IT department. RPA can be implemented by nontechnical business users, yet IT may view these implementations as “shadow” IT projects, solutions not sanctioned or supported by IT. For example, in one institution an RPA robot performed work so rapidly, it raised red flags with the IT department (Lacity et al. 2015). Since they were not notified of the robot, the IT department met the solution with skepticism and offered their own automation as an alternative. Shadow IT is also risky because it is often poorly documented, and knowledge of how to use the tools can be lost as personnel leave their positions. In short, a best practice for RPA implementation is to work in concert with the IT department. RPA should be an enterprise-led solution with stakeholder buy in at the earliest planning stages.
Another concern with RPA is that software robots will replace human jobs. In fact, one RPA key performance indicator (KPI) is the number of human labor hours that are saved per month, or the number full-time equivalent (FTE) employees whose work is now being conducted by robots. However, in current available white papers, vendors and proponents of RPA do not address the factor of robots replacing human workers. Instead, they tout the benefits of allocating mundane, repetitive tasks to software agents, which frees up human workers to perform tasks that require creativity, complex decision making, and emotional insight. Nevertheless, the risk is ever present and is subtly acknowledged in one white paper that predicts RPA will allow businesses to expand without hiring more employees (Chappell 2017).
Moreover, as RPA vendors improve their software with artificial intelligence, contextual learning, and advanced cognitive capabilities, more and more human-like tasks will be performed by software robots (The Institute for RPA 2015). As low-level, repetitive, mundane tasks and mid-level decision-making tasks are taken over by software robots, it is easy to imagine organizational hierarchies that are fundamentally the same shape, but of a different composition (see Figure 3). Finally, if established organizations are not willing to retire employees whose functions have been replaced by robots, emerging organizations that incorporate the RPA paradigm from their inception will seize a competitive advantage.
These two languages, or better named environments, have extensive libraries of public code that can be used in a wide variety of applications. Although they require more programming skills from users, the scope of their libraries is very large. It must be noted that as these are all contributed code, their level of scrutiny and validation is different from proprietary environments such as ACL Analytics or CaseWare IDEA.
Please refer to https://www.uipath.com/platform and http://blueprism.com/our-products?imt=1&utm_campaign=Search&utm_source=Adrac&utm_medium=CPC&utm_content=&utm_term=blue+prism for UiPath and Blue Prism, respectively.
Blue Prism is the market leader in RPA.
The authors are thankful for the comments received from Tavish Tejas, Abigail Zhang, Keyi Zhao, and Yixun Zhou.