RPA and The Auditor ISACA SFL - Final-09302020 2
RPA and The Auditor ISACA SFL - Final-09302020 2
RPA and The Auditor ISACA SFL - Final-09302020 2
Alexandra Lorié
Director
RPA Methodology Lead
[email protected]
2
Agenda
3
RPA Overview
What it is and why you should care
4
Strategic Technology Trends for 2020
Four (4) of the top 10 strategic trends for 2020 are related to RPA and
Artificial Intelligence - Gartner, Inc.
5
RPA Overview
6
Impact to Organizations
7
Common Use Cases
Finance & Audit and
HR/Payroll Network & IT Supply Chain
Accounting Compliance
• Order to Cash / AR • Maintain master Data • Active Directory • Order prioritization • Quarterly User Access
Credit analysis • Offer letter process • Master data Reviews (UAR)
Sales order processing • File systems
• Onboarding and exit management • Data/evidence gathering
Customer MDM • FTP management
Order entry • Appraisal-updating • Invoice verification • System configuration
Reports by segments
• Automated installations
process / change payroll • Receipt confirmation testing
• Procure to Pay / AP • Server / application
status • Scheduling processes • Rules-based workpaper
3-way match monitoring and alert
• Position management automation
PO issuance management • Reporting
Invoice receipt • Reporting line change • Orchestration of audit
Vendor master • Service desk • Production information
automation tools and
Payment process • Superannuation management capture
scripts
Duplicate payment • Payments summaries • Notification & escalation • Inbound processing
Tracking • User provisioning and de-
• Record to Report • Employment type • VMware integration • Inventory management provisioning controls
Monthly close updates • Data movement processes
• Master data management
Treasury and tax • Service desk reports • Pricing management
• Provisioning compliance
Financial statements
General ledger • Distribution • Configuration • Billing • Application change
Journal entry processing • Leave amendments management • Freight costing management compliance
Inter-company accounting
• Routine maintenance • Continuous monitoring
Account reconciliations
Fixed assets and projects • Reporting automation
Cost and inventory
accounting
8
RPA Audit Methodology Overview
9
How to Evaluate Risk Related to RPA
10
Key Considerations When Evaluating RPA Risk
When evaluating RPA risk it is important to first understand the current
landscape and future RPA roadmap.
• Current level of RPA maturity &
desired future state
(i.e., self
Auditable - programming –
Cognitive intelligent
Rules based
Automation
(i.e., Machine
systems –
Black Box)
company policies and procedures to
automation Learning)
technologies
(i.e. RPA)
govern automation
Automation
process
evaluation &
implementations.
POC
• Existing governance structures (or
Intro to
Automation –
general
lack thereof)
awareness
• Incentives to automate
Timeline
11
Key Considerations When Evaluating Automation Risk
Think with the end in mind
When it comes to assessing the risk around RPA/automation, think with the end in
mind:
• What type of compliance and regulatory requirements will I need to deal with in the future?
• Have I truly considered the long-term impact to people, process and technology?
• Are there any key stakeholders that need to involve sooner rather than later?
• Do we have the expertise needed to properly evaluate risk?
• How does my automation strategy align to the organization’s overall business and IT
strategy?
12
RPA Risk Dimensions
When utilizing automation, is important to note that the automation environment is composed of
three (3) risk dimensions. These risk dimensions should be considered when assessing
automation risk against your risk and controls framework.
Risks associated to the Data managed
Risks associated to the Automation
by the automation.
These risks may impact the operation
These risks relate to the data being
of the Automation itself directly.
used, stored or processed by the
automation for both inputs and outputs.
For example: A developer makes a
code change without properly testing, or
For example: an automation accidently
going through the change management
shares social security numbers with a
process, causing the automation to
vendor due to poor data classification
process information incorrectly.
schemes.
These risks may impact the environment that is interacting with the automation,
even though it is not the automation itself.
For example: A patch is made to the system interacting with the automation causing a
change to the data structure. The automation is not configured to read the new data
structure and stops working, resulting in an impact to all related processes.
13
RPA Risk Drivers
In order to properly assess the risk over an automation implementation, you need to take into
consideration the following risk drivers.
Implementation Approach – How will my automation run?
• Attended Automation
• Unattended or scheduled automation
• Hybrid (mix of attended and unattended)
These risk drivers may change based on the specific automation use case(s), so there
14 needs to be a process to evaluate the risk of each automation development.
RPA Risk Considerations and the Key Drivers of Risk
Automation is
composed of Automation
four categories. Automation
Governance
Security
These and Operations
categories
drive the risk
areas to be Developing
Automations & Data Managed
considered in On-going by
light of an Change Automation(s)
Management Risk
organizations
Drivers for
specific Automation
compliance
requirements.
Implementation Expected
Approach Results
Location
15
When to Consider Risk?
There are four (4) main stages to the implementation of automation, identifying the process
to be automated, designing the automation, building, testing and implementing the
automation, and the subsequent monitoring of the automation. With automation, risks exists
within all stages that must be addressed. Specially around the identification and design
stages.
IDENTIFY
DESIGN
SLDC
Stages
IMPLEMENT
Risks at all
MONITOR stages of the
Automation
Lifecycle
16
Example – AP Invoice Processing Bot with Machine Learning
What is my risk (consider operational, compliance, financial risk)?
Is Bot risk mitigated by other existing controls (Human or Systematic)?
Automated Invoice Processing
17
Example – AP Invoice Processing Bot with Machine Learning
What is my residual (remaining) risk and how am I comfortable? Potential Next Steps:
What has changed based on an implementation of an RPA bot? 1. Based on my identified risks:
a) Evaluate existing control
points to determine if they
continue to mitigate the
risk(s) to an acceptable
level*
b) Determine residual risk
c) If needed, design
additional controls to
mitigate residual risk
d) Validate additional controls
are operating as expected
18
Example Framework for How to Consider RPA or Automation Risk
An automation (or BOT) should be treated like any other “IT dependency”
19
RSM’s RPA Risk Framework
Logical Program
Competency Integrity Regulations
Access Development
Incident
Monitoring Traceability Maintenance Logging
Management
20
Let’s Play – Can you Audit RPA?
• For each of the five (5) RPA risk domains you will be provided a
fictitious client scenario.
• You will be asked a number of multiple choice questions after each
scenario.
• For each multiple choice question, select the best answer.
• Keep track of the number of questions you answered correctly.
21
RPA Methodology Deep Dive:
Governance
22
RPA Governance Considerations
Job
Review Procurement RPO / RTO Classification
Requirements
Performance
Updates Contracts BCP Documentation
Evaluations
Organizational Incident
Job Rotations Monitoring Reporting
Charts Response
23
Governance – Policies & Procedures
• Policies and procedures provide security and operational guidance over the RPA
strategy and technology in place.
− Design: Policies and procedures are formally defined.
− Review: Policies and procedures are reviewed and approved.
− Updates: Updates to the policies and procedures are made as needed, or based on changes
identified during the review process.
− Communication / Availability: Policies and procedures are accessible to employees and
contractors, and changes are communicated.
− Organizational Charts: Organizational structures and reporting lines are defined.
24
Governance – Competency
• Individuals tasked with responsibilities over the botting environment have the
necessary skills to sustain the RPA program strategy.
− Training: Organizational training and education is deployed to provide the necessary skills
for employees in RPA roles.
− Job requirements: Roles and responsibilities for employees in RPA roles are defined in job
descriptions.
− Performance evaluations: Performance for employees in RPA roles are assessed as part of
HR initiatives.
− Succession planning: Organization-wide succession planning takes into account
employees in RPA roles.
− Job rotations: Functional rotations take place as part of succession planning initiatives.
25
Governance – Vendor Management
26
Governance – Business Continuity
• The organization’s business continuity and disaster recovery strategy takes into
account RPA technology in place at the organization.
− Business Impact Analysis (BIA): The BIA outlines the business’ most crucial RPA
processes and technology, and considers the effects of interruptions.
− Recovery Time Objectives (RTOs) / Recover Point Objectives (RPOs): The business
continuity strategy outlines priorities regarding RTOs and RPOs should an outage or
disruption occur that impacts the RPA technology.
− Business Continuity Program (BCP): A comprehensive documented approach outlines
how the organization will continue operating should an unplanned disruptive event take place
over the botting environment.
− Disaster recovery: Disaster recovery plans provide guidelines in recovering operations in
case a disruptive event arises that impacts the RPA environment.
− Incident response: Production issues over the botting environment are identified, assessed,
and addressed in a timely manner.
27
Governance – Incident Management
28
RPA Scenario #1: Governance
Not So Careful Company Inc. (NSCC Inc.) decided to implement the use of RPA bots/“digital
workers” throughout their organization. NSCC Inc. is an SEC registrant and has to comply with
Sarbanes Oxley. They have been told by their RPA vendor that “anyone can create a bot.” To
improve process efficiency and cut costs, they provided all their new hires with RPA training and
licenses to create and deploy “attended” Bots. These Bots are not being controlled via a control room
and implementation of the bots in “production” is at the discretion of each developer once they are
“comfortable” based on their own personal judgement.
Today (Assume today’s date is July 1st), NSCC Inc. estimates they have at least 50 bots in
production. Management is very proud of that figure and feels like they are making great progress
against their “digital” strategy in which RPA is at the cornerstone. As the bot development process
was very decentralized and unstructured, documentation of how the bots were identified, designed
and how they were tested is with the person who developed each bot.
29
RPA Governance Polling Question #1
30
RPA Governance Polling Question #1
32
RPA Governance Polling Question #2
33
RPA Governance Polling Question #3
What are some of the recommendations you would offer NSCC Inc. to better
control their RPA environment (assume the worst case scenario)?
A. Remove all RPA licenses from users and centralize RPA development within IT.
B. Create additional oversight and governance around the intake and deployment
process. Involve Internal Audit and Compliance to ensure Bots that are relevant
to SOX are certified/validated prior to being placed into production.
C. Ensure policies and procedures related to the development and deployment of
bots are up to date, communicated and considers the relevant risks.
D. B and C only
34
RPA Governance Polling Question #3
What are some of the recommendations you would offer NSCC Inc. to better
control their RPA environment (assume the worst case scenario)?
A. Remove all RPA licenses from users and centralize RPA development within IT.
B. Create additional oversight and governance around the intake and deployment
process. Involve Internal Audit and Compliance to ensure Bots that are relevant
to SOX are certified/validated prior to being placed into production.
C. Ensure policies and procedures related to the development and deployment of
bots are up to date, communicated and considers the relevant risks.
D. B and C only
35
Leader Board
36
RPA Methodology Deep Dive:
Security
37
RPA Security Considerations
Logical Physical
Cybersecurity Operations Monitoring
Access Access
Personnel
Encryption Authentication Back-ups Triggers
Access
Privileged Access
Firewalls Restores Alerts
Access Logs
Access Facility
DMZ Provisioning Processing Health
Monitoring
Access Environment
Antivirus Monitoring Schedules Capacity
Removal
38
RPA Security Considerations - Cybersecurity
• Organizations should protect its bot systems and data from external
threats and malware
− Encryption: controls and risks focus on security and encryption of data at rest and
data in motion using advanced encryption standards.
− Firewalls: environment should be logically segmented. Firewalls should be
implemented and monitored regularly.
− DMZ: Demilitarized zones should be used to restrict direct public access to the
botting environment.
− Antivirus: controls should establish deployment and monitoring of AV to protect
against the introduction of malicious software to the botting environment.
− IDS/IPS: Intrusion Prevention/Detection Systems should be used to block high risk
external breach attempts. Logs from these systems should be reviewed and
responded to accordingly.
39
RPA Security Considerations – Logical Access
• Individuals tasked with responsibility for managing bot access should apply
strong authentication methods and should regularly review bot user access.
− Authentication: access to bots and bot data should be protected with strong authorization
practices. Multifactor authentication should be used for access to mobile devices and non-
console access.
− Privileged Access: focus is on minimizing the risk of corruption to the botting environment
and the loss of bot data. Privileged accounts should be restricted to authorized users and
these accounts should be periodically reviewed.
− Access Provisioning: controls should address risk that user access privileges granted are
not authorized.
− Access Removal: controls should address risk that user access is not timely updated or
disabled after a change in employee status which could lead to inappropriate access to the
bot environment and its data.
− Access Reviews: reviews should be performed over all user access and permissions on a
periodic basis.
40
RPA Security Considerations – Physical Security
• Risks to the physical security of the location housing the bot should be mitigated
with environmental controls and physical access restrictions.
− Personnel Access: physical access to the locations housing the bots should be restricted to
authorized individuals to prevent the compromise of data integrity.
− Access Logs: management should maintain and monitor access logs for all individuals
entering the physical location of the bot. Unidentified access should be researched and
resolved.
− Facility Monitoring: security teams should monitor the facility and use surveillance tools to
ensure that only authorized individuals are accessing the building.
− Environment Monitoring: controls ensuring the physical safety of the equipment should be
implemented to protect the equipment from fire damage, power outages, and over heating.
− Entryway Controls: automated tools such as badge access and security codes should be
used to restrict access through entryways.
41
RPA Security Considerations - Operations
• The bot, bot data, and bot environment should be backed-up according to an
established schedule, restore testing should be performed, and job failures
should be resolved.
− Backups: incremental data backups of the bot environment should be performed on a daily
basis to ensure that critical bot systems may be recovered in the event of disaster.
− Restores: data recovery exercises should be performed at least annually to ensure that
critical bot systems can be successfully recovered in the event of disaster.
− Processing: critical jobs interacting with the bot environment should be configured to
process at scheduled times and frequencies. Job history logs should be regularly reviewed,
and job failures should be addressed in a timely manner.
− Schedules: access to modify the bot’s job scheduler should be restricted to authorized
individuals to help ensure data integrity.
− Exception Handling: job processing errors and failures should be monitored, researched,
and resolved.
42
RPA Security Considerations - Monitoring
• Those tasked with responsibility for maintaining the bot environment should
utilize and configure system health monitoring solutions to track and resolve
detected issues.
− Triggers: the organization’s management should identify triggers within the botting software
that indicate the need for real-time follow-up activities.
− Alerts: monitoring and alerting features should be enabled to automatically notify
management in the event of an identified trigger’s occurrence.
− Health: monitoring tools should be configured to alert management in the event of a critical
bot system health issues affecting disk space, performance, scheduled tasks, and the bot’s
software/hardware.
− Capacity: monitoring tools should be configured to alert management in the event of bot
system reaching or nearing its systemic memory capacity.
− Communication: alerts should be automatically generated and sent to all relevant bot team
members. Clear and effective communication methods should be used to track and resolve
identified issues.
43
RPA Scenario #2: Security
SOD Inc. runs SAP and has implemented several bots in the procure to pay cycle.
The bots are used to automate purchase order creation, automate the goods receipt
process and automate invoice processing. SOD Inc.’s purchasing, receiving and AP
departments love their digital works. As a result of their digital worker automating
tasks that are repetitive and very manual in nature, they now have time to focus on
tasks that are considered to be more value added to SOD Inc.
As part of your SOX testing you notice one user with the ID “BOT1”. BOT1 has
been granted the security profile “SAP_ALL” which, in turn, provides unlimited
access to the SAP application. BOT1 is a “dialog ID” which, in SAP, means that
anyone with knowledge of the user ID and password can logon as that user. Based
on your RPA training, you know that the Bot needs access to a dialog user ID in
order to access SAP. However, you notice that there do not appear to be any other
user IDs in the system with a similar naming convention.
44
RPA Security Polling Question #1
45
RPA Security Polling Question #1
46
RPA Security Polling Question #2
47
RPA Security Polling Question #2
48
RPA Security Polling Question #3
What are some of the recommendations you would offer SOD Inc. to better
control their RPA environment (assume the worst case scenario)?
A. Remove the BOT1 account and do not rely on automation for this process as
there is too much risk associated with SAP_ALL access.
B. Perform a detailed review of the BOT1 user activity for the audit period and
continue reviewing in future periods.
C. Create a standardized naming convention for all bot-related accounts, store
password for bot-accounts in an approved password vault that is only accessed
by authorized individuals, change password to bot account periodically, and
review the bot accounts’ activity periodically.
D. Compare the BOT1 account’s last log-in date to SAP with the most recent Bot
job execution and verify that the two activities occurred at the same time.
49
RPA Security Polling Question #3
What are some of the recommendations you would offer SOD Inc. to better
control their RPA environment (assume the worst case scenario)?
A. Remove the BOT1 account and do not rely on automation for this process as
there is too much risk associated with SAP_ALL access.
B. Perform a detailed review of the BOT1 user activity for the audit period and
continue reviewing in future periods.
C. Create a standardized naming convention for all bot-related accounts, store
password for bot-accounts in an approved password vault that is only accessed
by authorized individuals, change password to bot account periodically, and
review the bot accounts’ activity periodically.
D. Compare the BOT1 account’s last log-in date to SAP with the most recent Bot
job execution and verify that the two activities occurred at the same time.
50
Leader Board
51
RPA Methodology Deep Dive: Data
52
RPA Data Considerations
Processing
Disposal Prevent Notices Track
Capacity
53
RPA Data Considerations: Confidentiality
54
RPA Data Considerations: Integrity
55
RPA Data Considerations: Availability
56
RPA Data Considerations: Privacy
57
RPA Data Considerations: Traceability
• You need to be able to tell what happened with the data through the
process.
− Track: activity, follow the course or trail of someone or something (historical)
− Trace: procedure to investigate the source of something (current)
− Capture: all activity performed by bot and to the bot regarding data usage
− Accountability: unique id's, access restrictions
− Storage: retention of the logs and key data points
58
RPA Scenario #3: Data
Problem Statement
UrHealth, LLC (UH), is a company that connects consumers with health
specialists and attempts to provide a personalized report of providers
meeting their needs. In doing so, the company collects customers’
personable identifiable information, including addresses, medical information,
and credit card information (for premium services).
To improve efficiencies, UH has implemented an RPA solution where bots
scrape customer information submitted in the new patient questionnaire, as
well as uploaded documents, to input into the UH database. The data that is
obtained by the bots is stored on a company server that also hosts other
internal data and is unencrypted. Presently, the company does not perform a
review of employees with access to the shared drive.
RPA Data Polling Question #1
Given the details provided in the scenario, which of the following risk
should be assessed?
A. Data collected from customers is not retained in keeping with Data
Retention requirements
B. PII customer data is unsecured and could be accessed by inappropriate
and/or unauthorized users
C. Data scraped by the bot is inaccurate and subsequent services provided
to the client is irrelevant
D. It is illegal to sell recommendations for medical providers as a service in a
user’s state
60
RPA Data Polling Question #2
Based on the RPA Scenario, what could have been done differently
to better secure the patient data in question?
A. During the design phase of the RPA bot development, the RPA team should
have involved those familiar with UH's data protection policies to design proper
data controls and procedures.
B. During the testing phase of the RPA bot development, the RPA team should
have validated that required data privacy controls are operating as expected.
C. After go-live, the RPA directories which contain confidential patient data should
be included as part of UH's periodic user access reviews.
D. All the above.
62
RPA Data Polling Question #2
Based on the RPA Scenario, what could have been done differently
to better secure the patient data in question?
A. During the design phase of the RPA bot development, the RPA team should
have involved those familiar with UH's data protection policies to design proper
data controls and procedures.
B. During the testing phase of the RPA bot development, the RPA team should
have validated that required data privacy controls are operating as expected.
C. After go-live, the RPA directories which contain confidential patient data should
be included as part of UH's periodic user access reviews.
D. All the above.
63
Leader Board
64
RPA Methodology Deep Dive:
Change
65
RPA Change Considerations
Approved
Development
or Change Change Program Configuration Patch
Request Maintenance
Management Development Management Management
DEV
Design SOD Requirements Communicate Reviews Planned
Documentation
Approved
Testing
QA Testing Authorizations Approved Approvals Communicate
Approval to
Promote Version Implementation
Change Plans Tested Communicate Assessed
Control
Segregated
Environments Rollback Document Document Document
PRD
66
RPA Change Considerations: Change Management
• Effective change management procedures should be
established to prevent unauthorized changes or accidental
changes that break the bot.
− SOD: Access to make changes in the botting application is restricted
to authorized personnel and appropriate segregations of duties
exists
− Approvals: Changes to the bot are approved and documented by
appropriate personnel prior to implementation under normal
circumstances and timely post-change in emergency situations
− Testing: Changes to the bot, bot security environment, and data
sources are tested before being promoted in the production
environment.
− Version Control: Versions of bot and data source changes are
labeled, controlled, and archived to prevent erroneous use during
maintenance, testing, quality assurance, and promotion to
production
− Segregated Environments: Segregated development/test and
production environments are in place in the RPA environment
67
RPA Change Considerations: Program Development
• Extensive planning and testing for new bot implementations should be robust to
avoid implementing an ineffective solution.
− Requirements: A policy exists and reflects the entity's system development life cycle (SDLC)
expectations as it relates to new software RPA solutions or significant changes impacting the
bot environment.
− UAT: New RPA software solutions or significant SDLC type changes to the bot, bot security
environment, and data sources are tested.
− Authorizations: Appropriate approvals, Go-Live approvals,
− Implementation Plans: New RPA software solutions or significant SDLC type changes to the
bot, bot security environment, and data sources documentation includes requirements,
designs, and implantation plans/checklists.
− Rollback: Roll back procedures are in place in case of an emergency with a deployed
change in production. Roll back plans for the bot, bot security environment, and data sources
are included and approved in the event of a change implementation failure.
68
RPA Change – Configuration Management
71
RPA Change: Example 1
72
RPA Change: Example 2
• Application upgrade
• NetSuite
configuration change
• Key report change
73
RPA Change: Example 3
• Patch applied
74
RPA Scenario #4: Change
NVC Inc. has 100 bots running in production. All 100 bots are controlled
via an RPA control room. Based on your interview with the RPA control
room admin, they were able to get you comfortable with certain aspects
of their change management process.
They were able to show you how they could revert back to the prior 3
versions of the RPA code as needed, they were able to talk through
how all changes need to be documented on a change control form and
that all changes require testing evidence and approval from a business
owner.
They were able to show you that they are able to match bot changes
(per the control room log) to an RPA change control form.
75
RPA Change Polling Question #1
76
RPA Change Polling Question #1
77
RPA Change Polling Question #2
78
RPA Change Polling Question #2
79
RPA Change Polling Question #3
Given the scenario, what additional questions might you have of the RPA control
room admin related to their change management process? What’s missing?
A. Is there a 2 or 3 tier environment that segregates production from development and test
environments?
B. How is access setup within the RPA control room? What access do RPA developers
have?
C. Who is responsible for moving tested and approved changes into production and how
does this process work?
D. How do you know if changes occur to the systems that the Bots interact with? How is
regression testing handled?
E. All of the above.
80
RPA Change Polling Question #3
Given the scenario, what additional questions might you have of the RPA control
room admin related to their change management process? What’s missing?
A. Is there a 2 or 3 tier environment that segregates production from development and test
environments?
B. How is access setup within the RPA control room? What access do RPA developers
have?
C. Who is responsible for moving tested and approved changes into production and how
does this process work?
D. How do you know if changes occur to the systems that the Bots interact with? How is
regression testing handled?
E. All the above.
81
Leader Board
82
RPA Methodology Deep Dive:
Compliance
83
RPA Compliance Considerations
Risk
Laws Regulations Licensing Logging
Assessment
Vulnerability
HIPPA GDPR RBAC Management Data
Threat
Privacy PCI Usage RBAC Audit
Intelligence
Data Risk
Federal Restrictions
Identification Transaction
Protection
Risk
GLBA State Acquisition Operations
Mitigation
Risk
Federal Industry Agreement Incidents
Evaluation
84
RPA Compliance Considerations: Laws
85
RPA Compliance Considerations: Regulations
86
RPA Compliance Considerations: Licensing
• User access to the RPA platform, the bots in production, and the access to
integrated systems require appropriate consideration.
− RBAC: Role-Based Access Controls
− Usage: of the RPA platform (i.e.: deployed bots / bots running concurrently), as well
as connected application limitations and processing capacity
− Restrictions: imposed by the terms and conditions of the RPA platform and/or
connected applications
− Acquisition: of new systems and/or entities integrated into the production
environment by the Organization
− Agreement: terms and conditions surrounding all processes affected by bot
deployment
87
RPA Compliance Considerations: Risk Assessment
• Logging of activity related to RPA bot operations and user activity on the platform is
essential to providing assurance of compliance with laws, regulations, and agreements.
− Data: data logging allows management to review what types of data their bot is processing, to
categorize data, and to ensure data is maintained according to laws, regulations, and
agreements.
− RBAC Audit: Role-based access controls allow for management to ensure that a user’s actions
align to their assigned role and expected responsibilities.
− Transactions: transaction logging allows management to review transactions and to ensure that
the organization is in compliance with its covenants.
− Operations: operations logging allows management to ensure that the bot processes are
functioning as expected.
− Incidents: logging of incidents allows management to review and ensure that incidents are
resolved appropriately.
89
RPA Scenario #5: Compliance
PII Inc. has decided to implement a bot that automates the termination process
across Windows Active Directory (AD) and all systems that are not SSO (Signal
Sign-on). Basically, the bot is designed to login to the Workday HR system to gather
terminated employee information based on a termination flag within workday. The
bot downloads the entire employee record of each terminated employee. The Bot
then searches the employee record and extracts the user ID for each terminated
employee and adds this to a list of users to disable. The bot then logs into AD, as
well as all systems that are not SSO (Signal Sign-on), and disables the user ID.
The bot runs everyday at 5pm and is scheduled in the RPA control room. The bot is
only programmed to look for users who where set to be terminated on the same
day. Employees who were set to terminate in the past or who are set to be
terminated in the future are ignored. This is a “no touch” process. If the employees
are flagged for termination in Workday… the bot will disable their access
automatically.
90
RPA Compliance Polling Question #1
91
RPA Compliance Polling Question #1
92
RPA Compliance Polling Question #2
93
RPA Compliance Polling Question #2
94
Leader Board
95
96
97