Robotic Process Automation (RPA) and the Auditor

ISACA South Florida

September 30, 2020

© 2020 RSM US LLP. All Rights Reserved.

Your Instructors

Jamie Burgess Bob Herman

Partner Director
RPA Partner Sponsor National Risk Consulting RPA
[email protected] Lead
[email protected]

Alexandra Lorié
Director
RPA Methodology Lead
[email protected]

2
Agenda

Topic Presenter Minutes

RPA Overview Jamie 5
RPA Audit Methodology Overview Jamie 20
RPA Methodology Deep Dive: Governance Alex 20
RPA Methodology Deep Dive: Security Bob 20
RPA Methodology Deep Dive: Data Jamie 20
RPA Methodology Deep Dive: Change Alex 20
RPA Methodology Deep Dive: Compliance Bob 15

3
 RPA Overview
What it is and why you should care

4
Strategic Technology Trends for 2020

Four (4) of the top 10 strategic trends for 2020 are related to RPA and
Artificial Intelligence - Gartner, Inc.

Hyper-Automation Human Augmentation

Organizations’ use of Artificial Intelligence (AI) & Using technology and science to heighten a person’s
Machine Learning (ML) to rapidly identify & automate cognitive & physical experiences
all possible business processes

Autonomous Things AI Security

Physical devices that use AI to automate functions Leveraging ML to enhance security defense,
previously performed by humans anticipating attacks & protecting AI-powered systems

5
RPA Overview

What is RPA RPA Extensibility

Robotic process automation Developed bots are capable of

(“RPA”) refers to a set of modular interacting with and integrating
software programs (or “bots”) to disparate enterprise applications,
complete structured, repeatable, databases, and files to limit the
and logic-based tasks by business need to develop custom,
mimicking the actions taken by application specific integrations.
existing human staff.
Robotic Process
Automation

RPA Value Proposition RPA Scalability

Across industries, RPA enables A set of scheduled bots are capable

organizations of all sizes to of running on multiple servers within
efficiently scale operations with a company’s environment
minimal impact to existing business simultaneously with minimal impact
processes. to resource and network capacity.

6
Impact to Organizations

RPA technologies are more effective when

leveraged alongside structured, repeatable
tasks. According to a 2017 survey from
Gartner Research:
• Workers surveyed categorize 35-41% of
their daily work as routine

• 32-37% of work is a mix of routine and

non-routine
Manual aspects of non-routine processes
can also be automated to reduce the
number of touchpoints required to complete.

7
 Common Use Cases
Finance & Audit and
HR/Payroll Network & IT Supply Chain
Accounting Compliance
• Order to Cash / AR • Maintain master Data • Active Directory • Order prioritization • Quarterly User Access
 Credit analysis • Offer letter process • Master data Reviews (UAR)
 Sales order processing • File systems
 • Onboarding and exit management • Data/evidence gathering
Customer MDM • FTP management
 Order entry • Appraisal-updating • Invoice verification • System configuration
 Reports by segments
• Automated installations
process / change payroll • Receipt confirmation testing
• Procure to Pay / AP • Server / application
status • Scheduling processes • Rules-based workpaper
 3-way match monitoring and alert
 • Position management automation
PO issuance management • Reporting
 Invoice receipt • Reporting line change • Orchestration of audit
 Vendor master • Service desk • Production information
automation tools and
 Payment process • Superannuation management capture
scripts
 Duplicate payment • Payments summaries • Notification & escalation • Inbound processing
Tracking • User provisioning and de-
• Record to Report • Employment type • VMware integration • Inventory management provisioning controls
 Monthly close updates • Data movement processes
• Master data management
 Treasury and tax • Service desk reports • Pricing management
• Provisioning compliance
 Financial statements
 General ledger • Distribution • Configuration • Billing • Application change
 Journal entry processing • Leave amendments management • Freight costing management compliance
 Inter-company accounting
• Routine maintenance • Continuous monitoring
 Account reconciliations
 Fixed assets and projects • Reporting automation
 Cost and inventory
accounting

8
 RPA Audit Methodology Overview

9
 How to Evaluate Risk Related to RPA

When we think about RPA, it is natural to focus on

the more obvious risks such as logical security.

It is not always easy to see beyond the risk of the

actual automation regardless if we are talking RPA
bots or other more sophisticated cognitive
technologies such as Artificial Intelligence (AI.)

To evaluate automation risk, you need to be armed

with a comprehensive risk framework.

At the same time, you need to be pragmatic around

how you apply the framework to your automations,
balancing risk with the speed of innovation.

10
 Key Considerations When Evaluating RPA Risk
When evaluating RPA risk it is important to first understand the current
landscape and future RPA roadmap.
• Current level of RPA maturity &
desired future state

Potential Risk / Cost of Remediation Efforts

• Business led vs. IT led innovation
• COE Operating Model (centralized,
decentralized, federated)
Advanced AI
• Adoption and maturity of existing
RPA Maturity

(i.e., self
Auditable - programming –
Cognitive intelligent
Rules based
Automation
(i.e., Machine
systems –
Black Box)
company policies and procedures to
automation Learning)
technologies
(i.e. RPA)
govern automation
Automation
process
evaluation &
implementations.
POC
• Existing governance structures (or
Intro to
Automation –
general
lack thereof)
awareness
• Incentives to automate
Timeline

11
 Key Considerations When Evaluating Automation Risk
Think with the end in mind
When it comes to assessing the risk around RPA/automation, think with the end in
mind:
• What type of compliance and regulatory requirements will I need to deal with in the future?
• Have I truly considered the long-term impact to people, process and technology?
• Are there any key stakeholders that need to involve sooner rather than later?
• Do we have the expertise needed to properly evaluate risk?
• How does my automation strategy align to the organization’s overall business and IT
strategy?

How do you plan to assess risk over time?

• Embedded Assurance – Independent, real-time or near time involvement. Control points
are embedded into the SDLC process. Risk is continually assessed and reported.
• Periodic Assessments – Independent, periodic check point assessments/audits of the
process. Key controls are assessed on a periodic basis and deficiencies are reported.

12
 RPA Risk Dimensions
When utilizing automation, is important to note that the automation environment is composed of
three (3) risk dimensions. These risk dimensions should be considered when assessing
automation risk against your risk and controls framework.
Risks associated to the Data managed
Risks associated to the Automation
by the automation.
These risks may impact the operation
These risks relate to the data being
of the Automation itself directly.
used, stored or processed by the
automation for both inputs and outputs.
For example: A developer makes a
code change without properly testing, or
For example: an automation accidently
going through the change management
shares social security numbers with a
process, causing the automation to
vendor due to poor data classification
process information incorrectly.
schemes.

Risks associated to the Environment where the automation interacts with.

These risks may impact the environment that is interacting with the automation,
even though it is not the automation itself.

For example: A patch is made to the system interacting with the automation causing a
change to the data structure. The automation is not configured to read the new data
structure and stops working, resulting in an impact to all related processes.
13
 RPA Risk Drivers
In order to properly assess the risk over an automation implementation, you need to take into
consideration the following risk drivers.
Implementation Approach – How will my automation run?
• Attended Automation
• Unattended or scheduled automation
• Hybrid (mix of attended and unattended)

Location – Where is my automation environment located?

• Control Room/Centralized management of automations
• Servers
• Desktop
• Database
• Network

Expected Results – what exactly is my automation doing?

• Purpose
• Inputs
• Outputs

These risk drivers may change based on the specific automation use case(s), so there
14 needs to be a process to evaluate the risk of each automation development.
 RPA Risk Considerations and the Key Drivers of Risk

Automation is
composed of Automation
four categories. Automation
Governance
Security
These and Operations
categories
drive the risk
areas to be Developing
Automations & Data Managed
considered in On-going by
light of an Change Automation(s)
Management Risk
organizations
Drivers for
specific Automation
compliance
requirements.
Implementation Expected
Approach Results
Location

15
 When to Consider Risk?
There are four (4) main stages to the implementation of automation, identifying the process
to be automated, designing the automation, building, testing and implementing the
automation, and the subsequent monitoring of the automation. With automation, risks exists
within all stages that must be addressed. Specially around the identification and design
stages.

IDENTIFY

DESIGN
SLDC
Stages
IMPLEMENT
Risks at all
MONITOR stages of the
Automation
Lifecycle
16
 Example – AP Invoice Processing Bot with Machine Learning
What is my risk (consider operational, compliance, financial risk)?
Is Bot risk mitigated by other existing controls (Human or Systematic)?
Automated Invoice Processing

17
 Example – AP Invoice Processing Bot with Machine Learning
What is my residual (remaining) risk and how am I comfortable? Potential Next Steps:
What has changed based on an implementation of an RPA bot? 1. Based on my identified risks:
a) Evaluate existing control
points to determine if they
continue to mitigate the
risk(s) to an acceptable
level*
b) Determine residual risk
c) If needed, design
additional controls to
mitigate residual risk
d) Validate additional controls
are operating as expected

*Consider both design and

operating effectiveness
including the precision at which
controls operate.

18
 Example Framework for How to Consider RPA or Automation Risk

An automation (or BOT) should be treated like any other “IT dependency”

What is the bot being used

What could go wrong/ Is the risk significant/
for? What is the impact on No
what is the risk? material? Document risk
the current process?
assessment
Yes
and supporting
Are there other controls that appropriately mitigate the risk to an acceptable level and Yes rational.
have we evaluated these controls?
No
Are we comfortable with the Robotic Development Lifecycle Controls over the Bot (e.g., design, build, testing,
implementation in production, etc.)
Are we comfortable with the completeness and accuracy of data sources?
Are we comfortable that the bot is operating as intended? Are we comfortable with the overall operational process
(Consider Completeness, Accuracy, Validity and Restricted Access Control Objectives)?
Are we comfortable with the underlying IT General Controls over the Bot, Data and Botting Environment (consider
Program Change Management, Security and Computer Operations)?

19
 RSM’s RPA Risk Framework

Governance Security Data Change Compliance

Policies & Change

Cybersecurity Confidentiality Laws
Procedures Management

Logical Program
Competency Integrity Regulations
Access Development

Vendor Physical Configuration

Availability Licensing
Management Access Management

Business Patch Risk

Operations Privacy
Continuity Management Assessments

Incident
Monitoring Traceability Maintenance Logging
Management

20
Let’s Play – Can you Audit RPA?

• For each of the five (5) RPA risk domains you will be provided a
fictitious client scenario.
• You will be asked a number of multiple choice questions after each
scenario.
• For each multiple choice question, select the best answer.
• Keep track of the number of questions you answered correctly.

21
 RPA Methodology Deep Dive:
Governance

22
 RPA Governance Considerations

Policies & Vendor Business Incident

Competency
Procedures Management Continuity Management

Design Training Program BIA Identification

Job
Review Procurement RPO / RTO Classification
Requirements

Performance
Updates Contracts BCP Documentation
Evaluations

Communication Succession Disaster

Inventory Monitoring
/ Availability Planning Recovery

Organizational Incident
Job Rotations Monitoring Reporting
Charts Response

23
Governance – Policies & Procedures

• Policies and procedures provide security and operational guidance over the RPA
strategy and technology in place.
− Design: Policies and procedures are formally defined.
− Review: Policies and procedures are reviewed and approved.
− Updates: Updates to the policies and procedures are made as needed, or based on changes
identified during the review process.
− Communication / Availability: Policies and procedures are accessible to employees and
contractors, and changes are communicated.
− Organizational Charts: Organizational structures and reporting lines are defined.

24
Governance – Competency

• Individuals tasked with responsibilities over the botting environment have the
necessary skills to sustain the RPA program strategy.
− Training: Organizational training and education is deployed to provide the necessary skills
for employees in RPA roles.
− Job requirements: Roles and responsibilities for employees in RPA roles are defined in job
descriptions.
− Performance evaluations: Performance for employees in RPA roles are assessed as part of
HR initiatives.
− Succession planning: Organization-wide succession planning takes into account
employees in RPA roles.
− Job rotations: Functional rotations take place as part of succession planning initiatives.

25
Governance – Vendor Management

• Vendor management due diligence practices are established to protect the

organization from third party vendor related risks.
− Program: A vendor management program is in place to drive the requirements to contract
and monitor RPA third-party suppliers.
− Procurement: New RPA vendors are subject to a vendor evaluation process before a
contract is established.
− Contracts: Contracts with RPA third-party service providers are developed with legal counsel
to conform with legal and regulatory requirements.
− Inventory: A central repository of all RPA third party vendor contracts is maintained.
− Monitoring: RPA vendors and service agreements are evaluated to determine organizational
needs and requirements are being met.

26
Governance – Business Continuity

• The organization’s business continuity and disaster recovery strategy takes into
account RPA technology in place at the organization.
− Business Impact Analysis (BIA): The BIA outlines the business’ most crucial RPA
processes and technology, and considers the effects of interruptions.
− Recovery Time Objectives (RTOs) / Recover Point Objectives (RPOs): The business
continuity strategy outlines priorities regarding RTOs and RPOs should an outage or
disruption occur that impacts the RPA technology.
− Business Continuity Program (BCP): A comprehensive documented approach outlines
how the organization will continue operating should an unplanned disruptive event take place
over the botting environment.
− Disaster recovery: Disaster recovery plans provide guidelines in recovering operations in
case a disruptive event arises that impacts the RPA environment.
− Incident response: Production issues over the botting environment are identified, assessed,
and addressed in a timely manner.

27
Governance – Incident Management

• Incident management processes are in place to detect, assess, and address

incidents impacting the RPA environment.
− Identification: Incident response program provides guidance to identify, evaluate, and
resolve potential incidents impacting the RPA environment.
− Classification: Incidents impacting the RPA environment are classified and ranked
according to priority and impact to the organization.
− Documentation: Incidents impacting the botting environment are documented and tracked
until resolution.
− Monitoring: Monitoring tools are in place to detect potential incidents impacting the RPA
environment.
− Reporting: Incidents impacting the RPA environment are reported to internal and external
stakeholders based on reporting requirements.

28
RPA Scenario #1: Governance

Not So Careful Company Inc. (NSCC Inc.) decided to implement the use of RPA bots/“digital
workers” throughout their organization. NSCC Inc. is an SEC registrant and has to comply with
Sarbanes Oxley. They have been told by their RPA vendor that “anyone can create a bot.” To
improve process efficiency and cut costs, they provided all their new hires with RPA training and
licenses to create and deploy “attended” Bots. These Bots are not being controlled via a control room
and implementation of the bots in “production” is at the discretion of each developer once they are
“comfortable” based on their own personal judgement.

Today (Assume today’s date is July 1st), NSCC Inc. estimates they have at least 50 bots in
production. Management is very proud of that figure and feels like they are making great progress
against their “digital” strategy in which RPA is at the cornerstone. As the bot development process
was very decentralized and unstructured, documentation of how the bots were identified, designed
and how they were tested is with the person who developed each bot.

29
RPA Governance Polling Question #1

Given the scenario, what are the applicable concerns/risks?

A. NSCC Inc. does not have a standardized SDLC methodology for bot
building and it is likely that many of the bots created lack formal design
documentation and testing evidence.
B. Bots are not running in a control room. Therefore, Management really had
no control over the bots.
C. NSCC Inc. is a SEC registrant and has to comply with Sarbanes Oxley. It
is highly likely that there are Bots performing tasks that are relevant to
SOX compliance and will likely lead to significant and possibly material
control weaknesses.
D. All of the above

30
RPA Governance Polling Question #1

Given the scenario, what are the applicable concerns/risks?

A. NSCC Inc. does not have a standardized SDLC methodology for bot
building and it is likely that many of the bots created lack formal design
documentation and testing evidence.
B. Bots are not running in a control room. Therefore, Management really had
no control over the bots.
C. NSCC Inc. is a SEC registrant and has to comply with Sarbanes Oxley. It
is highly likely that there are Bots performing tasks that are relevant to
SOX compliance and will likely lead to significant and possibly material
control weaknesses.
D. All of the above
31
RPA Governance Polling Question #2

What strategies would you use to better understand these

concerns/risks?
A. Perform an ITGC audit of NSCC’s RPA control room.
B. Review all system generated audit logs to identify transactions that are
being performed by Bots in production.
C. Inventory existing bots and perform risk assessment. Perform detailed
walkthroughs over higher risk bots.
D. All of the above

32
RPA Governance Polling Question #2

What strategies would you use to better understand these

concerns/risks?
A. Perform an ITGC audit of NSCC’s RPA control room.
B. Review all system generated audit logs to identify transactions that are
being performed by Bots in production.
C. Inventory existing bots and perform risk assessment. Perform detailed
walkthroughs over higher risk bots.
D. All of the above

33
RPA Governance Polling Question #3

What are some of the recommendations you would offer NSCC Inc. to better
control their RPA environment (assume the worst case scenario)?
A. Remove all RPA licenses from users and centralize RPA development within IT.
B. Create additional oversight and governance around the intake and deployment
process. Involve Internal Audit and Compliance to ensure Bots that are relevant
to SOX are certified/validated prior to being placed into production.
C. Ensure policies and procedures related to the development and deployment of
bots are up to date, communicated and considers the relevant risks.
D. B and C only

34
RPA Governance Polling Question #3

What are some of the recommendations you would offer NSCC Inc. to better
control their RPA environment (assume the worst case scenario)?
A. Remove all RPA licenses from users and centralize RPA development within IT.
B. Create additional oversight and governance around the intake and deployment
process. Involve Internal Audit and Compliance to ensure Bots that are relevant
to SOX are certified/validated prior to being placed into production.
C. Ensure policies and procedures related to the development and deployment of
bots are up to date, communicated and considers the relevant risks.
D. B and C only

35
Leader Board

How many multiple questions did you answer correctly?

A. 3 – RPA Ninja (100%)
B. 2 – RPA Brown Belt
C. 1 – Keep Trying. Don’t give up
D. 0 – Are you paying attention?

36
 RPA Methodology Deep Dive:
Security

37
 RPA Security Considerations

Logical Physical
Cybersecurity Operations Monitoring
Access Access

Personnel
Encryption Authentication Back-ups Triggers
Access

Privileged Access
Firewalls Restores Alerts
Access Logs

Access Facility
DMZ Provisioning Processing Health
Monitoring

Access Environment
Antivirus Monitoring Schedules Capacity
Removal

Access Entryway Exception

IDS / IPS Communication
Reviews Controls Handling

38
RPA Security Considerations - Cybersecurity

• Organizations should protect its bot systems and data from external
threats and malware
− Encryption: controls and risks focus on security and encryption of data at rest and
data in motion using advanced encryption standards.
− Firewalls: environment should be logically segmented. Firewalls should be
implemented and monitored regularly.
− DMZ: Demilitarized zones should be used to restrict direct public access to the
botting environment.
− Antivirus: controls should establish deployment and monitoring of AV to protect
against the introduction of malicious software to the botting environment.
− IDS/IPS: Intrusion Prevention/Detection Systems should be used to block high risk
external breach attempts. Logs from these systems should be reviewed and
responded to accordingly.

39
RPA Security Considerations – Logical Access

• Individuals tasked with responsibility for managing bot access should apply
strong authentication methods and should regularly review bot user access.
− Authentication: access to bots and bot data should be protected with strong authorization
practices. Multifactor authentication should be used for access to mobile devices and non-
console access.
− Privileged Access: focus is on minimizing the risk of corruption to the botting environment
and the loss of bot data. Privileged accounts should be restricted to authorized users and
these accounts should be periodically reviewed.
− Access Provisioning: controls should address risk that user access privileges granted are
not authorized.
− Access Removal: controls should address risk that user access is not timely updated or
disabled after a change in employee status which could lead to inappropriate access to the
bot environment and its data.
− Access Reviews: reviews should be performed over all user access and permissions on a
periodic basis.

40
RPA Security Considerations – Physical Security

• Risks to the physical security of the location housing the bot should be mitigated
with environmental controls and physical access restrictions.
− Personnel Access: physical access to the locations housing the bots should be restricted to
authorized individuals to prevent the compromise of data integrity.
− Access Logs: management should maintain and monitor access logs for all individuals
entering the physical location of the bot. Unidentified access should be researched and
resolved.
− Facility Monitoring: security teams should monitor the facility and use surveillance tools to
ensure that only authorized individuals are accessing the building.
− Environment Monitoring: controls ensuring the physical safety of the equipment should be
implemented to protect the equipment from fire damage, power outages, and over heating.
− Entryway Controls: automated tools such as badge access and security codes should be
used to restrict access through entryways.

41
RPA Security Considerations - Operations

• The bot, bot data, and bot environment should be backed-up according to an
established schedule, restore testing should be performed, and job failures
should be resolved.
− Backups: incremental data backups of the bot environment should be performed on a daily
basis to ensure that critical bot systems may be recovered in the event of disaster.
− Restores: data recovery exercises should be performed at least annually to ensure that
critical bot systems can be successfully recovered in the event of disaster.
− Processing: critical jobs interacting with the bot environment should be configured to
process at scheduled times and frequencies. Job history logs should be regularly reviewed,
and job failures should be addressed in a timely manner.
− Schedules: access to modify the bot’s job scheduler should be restricted to authorized
individuals to help ensure data integrity.
− Exception Handling: job processing errors and failures should be monitored, researched,
and resolved.

42
RPA Security Considerations - Monitoring

• Those tasked with responsibility for maintaining the bot environment should
utilize and configure system health monitoring solutions to track and resolve
detected issues.
− Triggers: the organization’s management should identify triggers within the botting software
that indicate the need for real-time follow-up activities.
− Alerts: monitoring and alerting features should be enabled to automatically notify
management in the event of an identified trigger’s occurrence.
− Health: monitoring tools should be configured to alert management in the event of a critical
bot system health issues affecting disk space, performance, scheduled tasks, and the bot’s
software/hardware.
− Capacity: monitoring tools should be configured to alert management in the event of bot
system reaching or nearing its systemic memory capacity.
− Communication: alerts should be automatically generated and sent to all relevant bot team
members. Clear and effective communication methods should be used to track and resolve
identified issues.

43
RPA Scenario #2: Security

SOD Inc. runs SAP and has implemented several bots in the procure to pay cycle.
The bots are used to automate purchase order creation, automate the goods receipt
process and automate invoice processing. SOD Inc.’s purchasing, receiving and AP
departments love their digital works. As a result of their digital worker automating
tasks that are repetitive and very manual in nature, they now have time to focus on
tasks that are considered to be more value added to SOD Inc.
As part of your SOX testing you notice one user with the ID “BOT1”. BOT1 has
been granted the security profile “SAP_ALL” which, in turn, provides unlimited
access to the SAP application. BOT1 is a “dialog ID” which, in SAP, means that
anyone with knowledge of the user ID and password can logon as that user. Based
on your RPA training, you know that the Bot needs access to a dialog user ID in
order to access SAP. However, you notice that there do not appear to be any other
user IDs in the system with a similar naming convention.

44
RPA Security Polling Question #1

Given the scenario, what are your top 3 concerns/risks?

A. Who has access to the BOT1 user ID?
B. When was the BOT1 ID created, and is the access still required?
C. There seem to be no other BOT accounts. Could there be other BOT
accounts that don’t follow this naming convention?
D. All of the above

45
RPA Security Polling Question #1

Given the scenario, what are your top 3 concerns/risks?

A. Who has access to the BOT1 user ID?
B. When was the BOT1 ID created, and is the access still required?
C. There seem to be no other BOT accounts. Could there be other BOT
accounts that don’t follow this naming convention?
D. All of the above

46
RPA Security Polling Question #2

What strategies would you use to better understand these

concerns/risks?
A. Perform a follow-up inquiry with the Bot Management team and the SAP
management team to identify other bot accounts and to learn more about
the BOT1 ID.
B. Obtain relevant user activity logs and verify with management that there
has been no anomalous or unexpected activity by the BOT1 user.
C. Mark the account as inappropriate and fail the control you are reviewing.
D. A and B

47
RPA Security Polling Question #2

What strategies would you use to better understand these

concerns/risks?
A. Perform a follow-up inquiry with the Bot Management team and the SAP
management team to identify other bot accounts and to learn more about
the BOT1 ID.
B. Obtain relevant user activity logs and verify with management that there
has been no anomalous or unexpected activity by the BOT1 user.
C. Mark the account as inappropriate and fail the control you are reviewing.
D. A and B

48
RPA Security Polling Question #3

What are some of the recommendations you would offer SOD Inc. to better
control their RPA environment (assume the worst case scenario)?
A. Remove the BOT1 account and do not rely on automation for this process as
there is too much risk associated with SAP_ALL access.
B. Perform a detailed review of the BOT1 user activity for the audit period and
continue reviewing in future periods.
C. Create a standardized naming convention for all bot-related accounts, store
password for bot-accounts in an approved password vault that is only accessed
by authorized individuals, change password to bot account periodically, and
review the bot accounts’ activity periodically.
D. Compare the BOT1 account’s last log-in date to SAP with the most recent Bot
job execution and verify that the two activities occurred at the same time.

49
RPA Security Polling Question #3

What are some of the recommendations you would offer SOD Inc. to better
control their RPA environment (assume the worst case scenario)?
A. Remove the BOT1 account and do not rely on automation for this process as
there is too much risk associated with SAP_ALL access.
B. Perform a detailed review of the BOT1 user activity for the audit period and
continue reviewing in future periods.
C. Create a standardized naming convention for all bot-related accounts, store
password for bot-accounts in an approved password vault that is only accessed
by authorized individuals, change password to bot account periodically, and
review the bot accounts’ activity periodically.
D. Compare the BOT1 account’s last log-in date to SAP with the most recent Bot
job execution and verify that the two activities occurred at the same time.
50
Leader Board

How many multiple questions have you answered correctly?

A. 6 – RPA Ninja (100%)
B. 4-5 – RPA Brown Belt
C. 1-3 – Keep Trying. Don’t give up
D. 0 – Are you paying attention?

51
 RPA Methodology Deep Dive: Data

52
 RPA Data Considerations

Confidentiality Integrity Availability Privacy Traceability

Processing
Disposal Prevent Notices Track
Capacity

Retention Detect Monitoring Commitments Trace

Protection Correct Back-ups Choice Capture

Access Accuracy Restores Consent Storage

Disclosure Completeness SLA Collection Structure

53
RPA Data Considerations: Confidentiality

• If confidential data is used by the bot, additional considerations need

to be given.
− Disposal: disposing of confidential data in a secure matter
− Disclosure: avoid unauthorized disclosure
− Retention: in accordance with requirements
− Protection: secure space
− Access: restrictions to only authorized personnel

54
RPA Data Considerations: Integrity

• Data integrity throughout the process is a key success factor

− Prevent: unauthorized access that can impact integrity, have validations and
security measures in place
− Detect: issues with the data used in the process, reconciliations and reviews
− Correct: if a mistake is noted, have a process in place to correct the data
value
− Accuracy: all transaction amounts are accurate throughout the process
− Completeness: all items have been processed

55
RPA Data Considerations: Availability

• Data required for processing needs to be available​

− Processing Capacity: resources utilized
− Monitoring: proactive monitoring of the environment​
− Backup: for data used in the environment​
− Restore: ability to recover data​
− SLA : for addressing issues

56
RPA Data Considerations: Privacy

• If data with privacy requirements is used by the bot, additional

considerations need to be taken.
− Notices: how is your data used
− Commitments: towards its security and usage
− Choice: opt in or out, choice to modify or delete your private data
− Consent: obtain consents for usage
− Collection: secure methods and storage

57
RPA Data Considerations: Traceability

• You need to be able to tell what happened with the data through the
process.
− Track: activity, follow the course or trail of someone or something (historical)
− Trace: procedure to investigate the source of something (current)
− Capture: all activity performed by bot and to the bot regarding data usage
− Accountability: unique id's, access restrictions
− Storage: retention of the logs and key data points

58
RPA Scenario #3: Data

Problem Statement
UrHealth, LLC (UH), is a company that connects consumers with health
specialists and attempts to provide a personalized report of providers
meeting their needs. In doing so, the company collects customers’
personable identifiable information, including addresses, medical information,
and credit card information (for premium services).
To improve efficiencies, UH has implemented an RPA solution where bots
scrape customer information submitted in the new patient questionnaire, as
well as uploaded documents, to input into the UH database. The data that is
obtained by the bots is stored on a company server that also hosts other
internal data and is unencrypted. Presently, the company does not perform a
review of employees with access to the shared drive.
RPA Data Polling Question #1

Given the details provided in the scenario, which of the following risk
should be assessed?
A. Data collected from customers is not retained in keeping with Data
Retention requirements
B. PII customer data is unsecured and could be accessed by inappropriate
and/or unauthorized users
C. Data scraped by the bot is inaccurate and subsequent services provided
to the client is irrelevant
D. It is illegal to sell recommendations for medical providers as a service in a
user’s state

60
RPA Data Polling Question #2

Given the details provided in the scenario, which of the following

risk should be assessed?
A. Data collected from customers is not retained in keeping with Data
Retention requirements
B. PII customer data is unsecured and could be accessed by
inappropriate and/or unauthorized users
C. Data scraped by the bot is inaccurate and subsequent services
provided to the client is irrelevant
D. It is illegal to sell recommendations for medical providers as a
service in a user’s state
61
RPA Data Polling Question #2

Based on the RPA Scenario, what could have been done differently
to better secure the patient data in question?
A. During the design phase of the RPA bot development, the RPA team should
have involved those familiar with UH's data protection policies to design proper
data controls and procedures.
B. During the testing phase of the RPA bot development, the RPA team should
have validated that required data privacy controls are operating as expected.
C. After go-live, the RPA directories which contain confidential patient data should
be included as part of UH's periodic user access reviews.
D. All the above.

62
RPA Data Polling Question #2

Based on the RPA Scenario, what could have been done differently
to better secure the patient data in question?
A. During the design phase of the RPA bot development, the RPA team should
have involved those familiar with UH's data protection policies to design proper
data controls and procedures.
B. During the testing phase of the RPA bot development, the RPA team should
have validated that required data privacy controls are operating as expected.
C. After go-live, the RPA directories which contain confidential patient data should
be included as part of UH's periodic user access reviews.
D. All the above.

63
Leader Board

How many multiple questions have you answered correctly?

A. 8 – RPA Ninja (100%)
B. 5-7 – RPA Brown Belt
C. 2-4 – Keep Trying. Don’t give up
D. 0-1 – Are you paying attention?

64
 RPA Methodology Deep Dive:
Change

65
 RPA Change Considerations
Approved
Development
or Change Change Program Configuration Patch
Request Maintenance
Management Development Management Management
DEV
Design SOD Requirements Communicate Reviews Planned
Documentation

Approvals UAT Appropriate Testing Approved

Approved
Testing
QA Testing Authorizations Approved Approvals Communicate

Approval to
Promote Version Implementation
Change Plans Tested Communicate Assessed
Control

Segregated
Environments Rollback Document Document Document
PRD

66
RPA Change Considerations: Change Management
• Effective change management procedures should be
established to prevent unauthorized changes or accidental
changes that break the bot.
− SOD: Access to make changes in the botting application is restricted
to authorized personnel and appropriate segregations of duties
exists
− Approvals: Changes to the bot are approved and documented by
appropriate personnel prior to implementation under normal
circumstances and timely post-change in emergency situations
− Testing: Changes to the bot, bot security environment, and data
sources are tested before being promoted in the production
environment.
− Version Control: Versions of bot and data source changes are
labeled, controlled, and archived to prevent erroneous use during
maintenance, testing, quality assurance, and promotion to
production
− Segregated Environments: Segregated development/test and
production environments are in place in the RPA environment

67
RPA Change Considerations: Program Development

• Extensive planning and testing for new bot implementations should be robust to
avoid implementing an ineffective solution.
− Requirements: A policy exists and reflects the entity's system development life cycle (SDLC)
expectations as it relates to new software RPA solutions or significant changes impacting the
bot environment.
− UAT: New RPA software solutions or significant SDLC type changes to the bot, bot security
environment, and data sources are tested.
− Authorizations: Appropriate approvals, Go-Live approvals,
− Implementation Plans: New RPA software solutions or significant SDLC type changes to the
bot, bot security environment, and data sources documentation includes requirements,
designs, and implantation plans/checklists.
− Rollback: Roll back procedures are in place in case of an emergency with a deployed
change in production. Roll back plans for the bot, bot security environment, and data sources
are included and approved in the event of a change implementation failure.

68
RPA Change – Configuration Management

• Configurations should be closely monitored ensuring configuration

changes do not inadvertently break the bot.
− Communicated: Configuration changes impacting bots, botting environment or data
sources are communicated to personnel impacted by the change prior to
deployment to production.
− Appropriate Access: Segregation of duties access rights are in place where the
person developing a bot, bot security environment, or data source configuration
change is not the same person migrating the change to the production environment.
− Approved: Changes to the bot are approved and documented by appropriate
personnel prior to implementation under normal circumstances and timely post-
change in emergency situations
− Tested and Documentation: Configuration changes to the bot are tested &
documented before being promoted in the production environment.
RPA Change – Patch Management

• Patch deployments should be effectively planned, documented, and

communicated to ensure bot operations aren’t impacted.
− Reviews: Monitoring is in place to identify patches that have been released
to address security vulnerabilities to deployed bots, botting environment, and
data sources.
− Testing, documentation, and Approvals: Patches to the bot, bot security
environment, and data sources are tested, documented, and approved before
being promoted in the production environment.
− Communicated: Patches impacting bots, botting environment or data
sources are communicated to personnel impacted by the change prior to
deployment to production.
RPA Change Considerations: Maintenance

• Maintenance plans should be established, documented, and

communicated
− Planned: A maintenance plan/schedule is defined to appropriately plan for
maintenance activities to the bot, bot data, or botting environment.
− Assessed & Approved: Maintenance changes to the bot, bot security environment,
and data sources are authorized and approved before being promoted in the
production environment.
− Communicated: Maintenance changes made to the bot's hosting environment
generates an automated alert that notifies Information Technology and other key
members of management for investigation.
− Documented: A policy exists to address requirements related to the monitoring and
maintenance of bots in the production environment.

71
RPA Change: Example 1

• Data format change

• Data field change
• Database upgrade

72
RPA Change: Example 2

• Application upgrade
• NetSuite
configuration change
• Key report change

73
RPA Change: Example 3

• Patch applied

74
RPA Scenario #4: Change

NVC Inc. has 100 bots running in production. All 100 bots are controlled
via an RPA control room. Based on your interview with the RPA control
room admin, they were able to get you comfortable with certain aspects
of their change management process.
They were able to show you how they could revert back to the prior 3
versions of the RPA code as needed, they were able to talk through
how all changes need to be documented on a change control form and
that all changes require testing evidence and approval from a business
owner.
They were able to show you that they are able to match bot changes
(per the control room log) to an RPA change control form.
75
RPA Change Polling Question #1

Which type of change could break or disrupt bot performance?

A. Applying a patch
B. Updating a key report query
C. Moving to a new application version
D. Changing database tables
E. All of the above

76
RPA Change Polling Question #1

Which type of change could break or disrupt bot performance?

A. Applying a patch
B. Updating a key report query
C. Moving to a new application version
D. Changing database tables
E. All of the above

77
RPA Change Polling Question #2

What is a good way to test their change management process?

A. Observe the bot running to make sure it works
B. Test a sample of changes to obtain comfort that the process is
operating effectively.
C. Inquire of the bot owner and decide if you trust him
D. There is no good way

78
RPA Change Polling Question #2

What is a good way to test their change management process?

A. Observe the bot running to make sure it works
B. Test a sample of changes to obtain comfort that the process is
operating effectively.
C. Inquire of the bot owner and decide if you trust him
D. There is no good way

79
RPA Change Polling Question #3

Given the scenario, what additional questions might you have of the RPA control
room admin related to their change management process? What’s missing?
A. Is there a 2 or 3 tier environment that segregates production from development and test
environments?
B. How is access setup within the RPA control room? What access do RPA developers
have?
C. Who is responsible for moving tested and approved changes into production and how
does this process work?
D. How do you know if changes occur to the systems that the Bots interact with? How is
regression testing handled?
E. All of the above.

80
RPA Change Polling Question #3

Given the scenario, what additional questions might you have of the RPA control
room admin related to their change management process? What’s missing?
A. Is there a 2 or 3 tier environment that segregates production from development and test
environments?
B. How is access setup within the RPA control room? What access do RPA developers
have?
C. Who is responsible for moving tested and approved changes into production and how
does this process work?
D. How do you know if changes occur to the systems that the Bots interact with? How is
regression testing handled?
E. All the above.

81
Leader Board

How many multiple choice questions have you answered correctly?

A. 11 – RPA Ninja (100%)
B. 7-10 – RPA Brown Belt
C. 3-6 – Keep Trying. Don’t give up
D. 0-2 – Are you paying attention?

82
 RPA Methodology Deep Dive:
Compliance

83
 RPA Compliance Considerations

Risk
Laws Regulations Licensing Logging
Assessment

Vulnerability
HIPPA GDPR RBAC Management Data

Threat
Privacy PCI Usage RBAC Audit
Intelligence

Data Risk
Federal Restrictions
Identification Transaction
Protection

Risk
GLBA State Acquisition Operations
Mitigation

Risk
Federal Industry Agreement Incidents
Evaluation

84
RPA Compliance Considerations: Laws

• When bots process / handle data governed by laws applicable to the

Organization, additional consideration needs to be given.
− HIPAA: Health Insurance Portability & Accountability Act
− Privacy: Collecting & disseminating data in accordance with public,
governmental, and industry expectations / requirements
− Data Protection: Securing collected data in accordance with public,
governmental, and industry expectations / requirements
− GLBA: Graham Leech Bliley Act
− Federal: consider for all countries / municipalities where the data is collected
& disseminated

85
RPA Compliance Considerations: Regulations

• In addition to adherence to laws at various levels of government,

consideration needs to be given to applicable regulations (rules
effecting those who deal directly with a specific agency).
− GDPR: General Data Protection Regulation (EU)
− PCI: Payment Card Industry
− Federal: US does not currently have federal-level data privacy regulations
− State: (e.g.) California Data Protection Act
− Industry: healthcare, financial, education, governmental

86
RPA Compliance Considerations: Licensing

• User access to the RPA platform, the bots in production, and the access to
integrated systems require appropriate consideration.
− RBAC: Role-Based Access Controls
− Usage: of the RPA platform (i.e.: deployed bots / bots running concurrently), as well
as connected application limitations and processing capacity
− Restrictions: imposed by the terms and conditions of the RPA platform and/or
connected applications
− Acquisition: of new systems and/or entities integrated into the production
environment by the Organization
− Agreement: terms and conditions surrounding all processes affected by bot
deployment

87
RPA Compliance Considerations: Risk Assessment

• Prior to implementation of an RPA solution, and periodically

thereafter, the Organization should perform key components of a
Risk Assessment.
− Vulnerability Management: ongoing “practice of identifying, classifying,
prioritizing, remediating, and mitigating" software vulnerabilities
− Threat Intelligence: gathering and assessment of information about threats
and threat actors
− Risk Identification: listing potential risks and implications
− Risk Mitigation: taking steps to reduce adverse affects of identified risks
− Risk Evaluation: determining the significance of the identified risk
88
RPA Compliance Considerations: Logging

• Logging of activity related to RPA bot operations and user activity on the platform is
essential to providing assurance of compliance with laws, regulations, and agreements.
− Data: data logging allows management to review what types of data their bot is processing, to
categorize data, and to ensure data is maintained according to laws, regulations, and
agreements.
− RBAC Audit: Role-based access controls allow for management to ensure that a user’s actions
align to their assigned role and expected responsibilities.
− Transactions: transaction logging allows management to review transactions and to ensure that
the organization is in compliance with its covenants.
− Operations: operations logging allows management to ensure that the bot processes are
functioning as expected.
− Incidents: logging of incidents allows management to review and ensure that incidents are
resolved appropriately.

89
RPA Scenario #5: Compliance

PII Inc. has decided to implement a bot that automates the termination process
across Windows Active Directory (AD) and all systems that are not SSO (Signal
Sign-on). Basically, the bot is designed to login to the Workday HR system to gather
terminated employee information based on a termination flag within workday. The
bot downloads the entire employee record of each terminated employee. The Bot
then searches the employee record and extracts the user ID for each terminated
employee and adds this to a list of users to disable. The bot then logs into AD, as
well as all systems that are not SSO (Signal Sign-on), and disables the user ID.
The bot runs everyday at 5pm and is scheduled in the RPA control room. The bot is
only programmed to look for users who where set to be terminated on the same
day. Employees who were set to terminate in the past or who are set to be
terminated in the future are ignored. This is a “no touch” process. If the employees
are flagged for termination in Workday… the bot will disable their access
automatically.

90
RPA Compliance Polling Question #1

Given the scenario, which of the following risks should be assessed?

A. The bot downloads the entire employee record that likely includes sensitive
information such as each employee’s social security number. The bot is likely
downloading more information that is needed to perform the automated task.
B. Where is the employee data being stored? Is it in a secure location? How is access
being restricted?
C. Given that the bot runs daily and “Employees who were set to terminate in the past
or who are set to be terminated in the future are ignored”, there is a risk that if the
bot did not run on a particular day, a terminated employee would not be revoke by
the RPA automation.
D. All of the above

91
RPA Compliance Polling Question #1

Given the scenario, which of the following risks should be assessed?

A. The bot downloads the entire employee record that likely includes sensitive
information such as each employee’s social security number. The bot is likely
downloading more information that is needed to perform the automated task.
B. Where is the employee data being stored? Is it in a secure location? How is access
being restricted?
C. Given that the bot runs daily and “Employees who were set to terminate in the past
or who are set to be terminated in the future are ignored”, there is a risk that if the
bot did not run on a particular day, a terminated employee would not be revoke by
the RPA automation.
D. All of the above

92
RPA Compliance Polling Question #2

What strategies would you use to better understand these

concerns/risks?
A. Perform a detailed walkthrough of the process to better understand and
control the risks.
B. Review and assess controls around the BOT schedule in the control room.
C. Review and assess mitigating controls performed by management (e.g.:
periodic User Access Reviews).
D. All of the above
E. N/A – These risks are not significant

93
RPA Compliance Polling Question #2

What strategies would you use to better understand these

concerns/risks?
A. Perform a detailed walkthrough of the process to better understand and
control the risks.
B. Review and assess controls around the BOT schedule in the control room.
C. Review and assess mitigating controls performed by management (e.g.:
periodic User Access Reviews).
D. All of the above
E. N/A – These risks are not significant

94
Leader Board

How many multiple questions have you answered correctly?

A. 13 – RPA Ninja (100%)
B. 8-12 – RPA Brown Belt
C. 4-7 – RPA Yellow Belt
D. 0-3 – Today is not your day. Still a White Belt

95
96
97