Digital transformation in finance: optimizing RPA
Automation is a valuable lever for managing costs, allowing financial organizations to reevaluate how they are organized, where work gets done, and which processes no longer require human intervention.
Jean-Pierre Maissin - Partner - Artificial Intelligence & Data - Deloitte
Nicolas Griedlich - Partner - Artificial Intelligence & Data - Deloitte
Justin Griffiths - Partner - Assurance - Deloitte
Bettina Werner - Director - Assurance - Deloitte
Gilles Andreini - Senior Manager - Assurance - Deloitte
Anke Joubert - Manager - Artificial Intelligence & Data - Deloitte
Amita Swain - Senior Consultant - Artificial Intelligence & Data - Deloitte
Published on 13 April 2022
Robotic Process Automation (RPA) is a set of software bots that automate employees’ daily repetitive and rule-based tasks, which cannot be directly automated by computers’ operational systems. These automated processes can include document gathering, data retrieval, calculations for reports, and more. RPA’s benefits, such as cost reduction, process efficiencies, control effectiveness and improved customer experiences, have enticed businesses of all sizes to adopt different levels of automation. Compared to other automation technologies, RPA can prove cheaper to implement and quicker to provide the financial and operational benefits that affect organizations’ most common performance measures. Some of RPA’s major benefits include:
- 24/7 operations: allows non-stop performance and eliminates peak-time queues
- Lower costs: reduces labor cost
- Higher data quality: improves data quality by avoiding manual errors and focusing on exceptions
- Better productivity: frees employees from routine tasks and allows them to focus on more productive work
- Systematic internal controls: minimizes human error by performing end-to-end control and compliance checks on full samples, rather than just a subset of data
As the financial market increases its adoption and reliance on automation, considerations around governance, risk management and compliance have also emerged. To get the most out of automation and manage the associated risks, organizations must enhance their governance processes accordingly. 
Strategic role of RPA in finance
RPA is rapidly transforming finance functions’ middle- and back-office operations. By embracing complexity and leveraging automation technology in new ways, companies can accelerate their business performance. Some of the major reasons why RPA has gained popularity in finance are:
- The need for a high degree of accuracy and consistency;
- The repetitive and manual nature of transaction processing;
- The need to gather information from various systems or sources;
- The dependency on data entry, data manipulation, and report generation; and
- The need to meet regulatory requirements correctly and on time.
Below are some of the automation hotspots in finance:
- Accounts payable: vendor verification and setup, data extraction from invoices, purchase orders, vendor invoice processing;
- Accounts receivable: customer data setup and management, customer data extraction, customer credit monitoring and invoice generation and distribution;
- Intercompany reconciliation: extraction and retrieval of data from files, data validation, exception research and handling, journal entry creation and validation; and
- Financial reporting: trial balance and balance sheets, income statements, updating profit and loss reports, and regulatory and management reports.
RPA use case in the finance function: accounts payable invoicing process
The intelligent handling of invoices is high on most CFOs’ agendas as, in general, finance functions spend a lot of time and resources manually processing invoices. The traditional accounts payable (AP) process involves manually reading invoices and entering invoice data into an enterprise resource planning (ERP) system. Several modern technologies, including RPA, offer intelligent solutions to automate these tedious tasks. If implemented correctly, most of the invoicing process can be automated through RPA.
Figure 1: automated AP invoicing steps
RPA financial risk and control considerations
Although RPA can help finance functions achieve their digital goals by automating manual operations, its implementation generates risks, not just inherently but also from the technology environment it automates. These bot-related risks can increase when external third-party systems, tools and applications are in the mix. Organizations that fail to adequately identify, assess, and manage these new risks may erode or limit the value created by this automation. While around 80% of finance leaders have implemented or are planning to implement RPA, only a few companies have been able to deploy bots successfully on time. To successfully implement and realize the full benefits of RPA, finance functions must consider and take the necessary measures to manage the organizational, financial, technological, operational, and regulatory risks associated with RPA environments.
Figure 2: key risk considerations of RPA
- Implementation without a proper objective, plan and procedure in place introduces major financial and non-financial loss risks.
- Replacing full-time counterparts may affect employee morale.
- Misalignment, lack of communication and missing RPA knowledge across employees may lead to gaps in roles and responsibilities as well as reputational concerns.
- Bot implementation without a proper control mechanism could fail to address ad-hoc requests and workload peaks.
- Failure to implement a proper operating model could risk organizations’ business continuity and disaster recovery plans.
- Improper vendor and process selection for RPA implementation may result in financial losses.
- Bot-related errors may disrupt the production of internal and external finance reports.
- Failure to implement a plan to measure bot performance or key performance indicators could result in financial losses.
- Lack of clear compliance standards from the regulatory team may affect the bot’s ability to meet compliance standards on time, and may lead to reputational concern.
- Poor user access and credential management of bots may lead to data, security, privacy and fraud risks.
- RPA’s broader spectrum of internal and external application/technology integration may lead to enhanced cyberthreats.
- Implementing an automation solution without an embedded or aligned version control design may lead to manual overrides or unauthorized changes that often go undetected.
Implementing an effective governance framework around RPA
While many finance functions have invested significant time and capital to deploy RPA, their bot utilization rate is around 30% of what is available due to poor governance and an overly burdensome control environment.  To tackle the potential risks introduced by RPA implementation, finance functions must define an effective RPA risk framework and supporting governance model. Figure 3’s risk-controlled framework illustrates the key elements that organizations must consider and embed before adopting RPA to fully benefit from it while also keeping the environment secure and compliant. 
Figure 3: key aspects of an RPA risk management framework
1. Governance strategy
An effective operating model establishes accountability throughout the RPA lifecycle, from the ideation, design, and implementation of the RPA strategy to the monitoring of the bots’ effectiveness. As a first step, companies must define: 
- The type of operating model (centralized, decentralized or federated);
- A strategic vision, mission, and implementation roadmap; and
- Governance processes and project management.
2. Policies and procedures
A well-developed set of policies and procedures will not only serve as a roadmap for daily operations but also help ensure compliance with laws and regulations, guide decision-making and streamline internal processes. Companies must outline and develop mature policies and procedures relating to: 
- Process and vendor selection criteria;
- Bot development and deployment standards and best practices;
- Regulatory and compliance standards for processes and third-party vendors;
- Bot performance measurement criteria and key performance indicators;
- Business continuity and disaster recovery; and
- Incident management.
3. Roles and responsibilities
By clearly defining roles and responsibilities, companies can better manage their segregation of duty (SOD) risk while consolidating processes under fewer bots and increasing their usage rates. Companies must consider these factors when defining roles and responsibilities: 
- Define stakeholders, IT and process owners, and their duties throughout the RPA implementation;
- Create a mature enterprise communication plan;
- Implement a change management strategy to enable organizational change; and
- Run education and training programs to help employees gain the right skills and understand their responsibilities.
A methodical and standardized approach to process development can help reduce organizations’ development and maintenance efforts while eliminating process discrepancies. The list below illustrates the standards and best practices that organizations can follow to correctly and efficiently implement RPA bots.
- Discovery phase: select the right process and vendor according to defined criteria, and develop and maintain all documents according to defined standards;
- Build phase: follow best practices to develop and deploy the bot, implement a logging mechanism to handle exceptions, and configure role-based access; and
- Run phase: monitor bot performance, review the log files, and maintain a compliance checklist to ensure the bot meets the regulatory requirements.
5. Tools and technology
While RPA allows for a greater range of internal and external applications, tools and third-party vendor integration, companies must manage the associated technology risks, such as increased data breaches and cyberthreats, by: 
- Setting up a code and knowledge management repository for effective version control;
- Collaborating with the RPA vendor to agree upon licensing, communication channels, interaction points and service-level agreements to avoid data breaches;
- Setting up a test lab to conduct compatibility tests of RPA tools or third-party vendors with the underlying IT infrastructure; and
- Setting up an innovation lab to explore new RPA initiatives and conduct feasibility tests before integrating RPA with other emerging technologies.
6. Data and cyber
A corrupted robot can create severe data and security threats for the companies and all stakeholders involved. After implementing RPA, companies must analyze its impact on their IT infrastructure (including databases, operating systems, networks and credentials) to ensure their RPA environments are compliant and audit-ready. The following controls can help companies ensure their bot is secure and compliant: 
- Implement a vulnerability management program covering the RPA landscape;
- Set up a password vault to manage the bot’s credentials, and frequently rotate these credentials;
- Conduct a security risk check before providing the bot access to a third-party application;
- Assign a unique identity to each RPA bot and process;
- Enable privileged session management;
- Lock down bot behavior to avoid abuse and fraud; and
- Conduct a periodic review of the bot’s scripts to verify and confirm no personal data is involved in the bot’s implementation.
Gartner, Gartner Says Finance Leaders Must Balance Risk Management and Productivity When Using RPA
Gartner: https://www.gartner.com/en/finance/insights/robotics-in-finance
Aimultiple, RPA in banking: https://research.aimultiple.com/banking-rpa/
Cleartax, AP invoicing process: https://cleartax.in/s/accounts-payable-invoice-processing
Deloitte, risk management for bot: in-risk-bot-risk-management-noexp.pdf (deloitte.com)
Deloitte, auditing RPA environment: in-ra-auditing-the-rpa-environment-noexp.pdf (deloitte.com)
Deloitte, compliance modernization: us-compliance-modernization-robotics.pdf (deloitte.com)
Team International, RPA governance model: https://www.teaminternational.com/rpa-governance-model/
MindField, governance in automation: Webinar - Governance of RPA - TY Page (mindfieldsglobal.com)
Deloitte, RPA internal controls over financial reporting: https://www2.deloitte.com/content/dam/Deloitte/us/Documents/audit/ASC/us-aers-robotic-process-automation-internal-controls-over-financial-reporting-considerations-for-developing-and-implementing-bots-september2018.pdf
- Since RPA was introduced to the business world, it has advanced dramatically to transform the way we operate. If properly configured and deployed, RPA can translate into significant time and cost savings.
- Innovative solutions are designed to be disruptive and often come with new risks. Well-planned governance and the right set of internal controls to mitigate risks can go a long way to ensure your RPA efforts achieve their maximum potential.
- With good governance and effective monitoring, companies are more likely to avoid surprises, allowing them to focus on efficiency, speed, and transparency.
- Well-governed robots in finance may not only reduce a finance team’s workload and help them focus on more value-adding tasks, but they can also support internal and external audits by increasing the reliance on automated controls and processes.
- Effective governance can boost the success of finance functions across all industries by providing proper guidance to teams, leveraging world-class standards and procedures, allowing the automation of labor-intensive and error-prone processes, and enabling your company to achieve its automation objectives.