RPA & Internal Control: Towards a revolution in internal control and Fight against fraud?
”Time and resources constraint”, ”ridiculously complex”, “low added-value”: despite a need that is now hardly questionable, internal control often gets bad press from financial management.
Although, fraud is unarguably one of the main issues of CFOs – 81% declared to be afraid of an escalation in fraud risks – most of them still are reluctant in granting the funds needed to ensure the implementation of high-quality internal control set-up, in a context of high pressure on budgets allocated to so-called “support” functions.
In that context, improving the efficiency of internal control, while keeping its costs under control is a must for finance officers. Then, how can the CFO Office modernize its internal control to adapt to the new challenges while keeping costs low by adopting the new features offered by digital solutions?
Data analysis at the service of the fight against fraud
Even if the “all ERP” solution presents many advantages, particularly on the automatization, functional depth, and real-time flow management, it has also created a risky environment for internal control. Its importance has often been overlooked by companies during the ERP implementation process. Yet, ERP efficiency is limited when it is based on insufficiently automated or integrated built-in controls.
ERP vendors have strengthened their expertise on fraud issues and are putting the emphasis on the importance of managing the tasks allocation, to avoid a single user to hold multiple clearance simultaneously, that would allow him to commit a fraud without any monitoring. Anti-fraud solutions have been developed, based, for instance, on the tracking of actions made on the ERP platform, as well as providing solid audit trails, in order to limit the risk of financial loss for the clients. For instance, SAP software “Fraud Management” allows the tracking of a suspect one-time change in a supplier’s Bank Account Number (BAN) followed by the return to initial situation. A typical tell-tale sign of a fraud in a purchase process. In which case, the dubious supplier’s BAN would be blocked before further investigation.
The boom in volumes of data produced, makes it impossible to proceed to manual controls on each operation. For that reason, new solutions, specifically designed for fighting against fraud have been developed by vendors:
- Kyriba has recently redesigned its financial management platform, with the integration of a module specifically built to fighting fraud (payment screening, fraud detection).
- Solutions such as Supervizor allow an automated control of anomalies, via running continuously a set of generic controls, outside of the clients’ system. Such solutions can evaluate the coherence of an entry in the books and the writer’s field of work – for instance, by detecting the entry of a bank posting by a financial controller in charge of operations not related to treasury. Or by controlling the entries having been written outside of usual work hours or on a holiday.
Tomorrow: is RPA the ultimate company fraud prevention solution?
In a context of budgetary constraint and costs rationalization – hard to combine with the ever-increasing weight of regulations – it is easy to find many opportunities in the automation of the most repetitive task. This automation offers many advantages: human operator error risk reduction, strict compliance with the defined controls process, 24/7 productivity, decrease in training costs due to new regulations and so on.
Beyond this budgetary constraint, robotization can boost the reinforcement of ex-post controls when needed (as they are not integrated beforehand in process or in the ERP by workflows), thus allowing them to become more and more systematic, frequents and exhaustive. Hence, RPA contributes to the strengthening of internal controls sturdiness.
Towards a natural integration of internal controls in the process
It would be reductive to only see RPA as an automated solution limited to the identical reproduction of otherwise manual tasks. To fully exploit its potential, RPA must come with a thought reworking of process and be properly implemented.
Let’s take the example of a purchase process and the automation of the controls related to the approval of a purchase demand, aiming at controlling its legitimacy and avoid over-storage, as well as checking the validation of the demand by the commercial team, purchase manager or inventory head. The following illustration presents the optimization enhancements allowed by RPA, in the case where the robots would – in a first phase – be integrated into an already existing “classic” purchase process.
Step 1: Existing controls automation
This first application has robot and human working together, hand in hand, and is already promising significant productivity gains. Though, in redesigning and thinking a process that would lay on a “from A to Z” automation, a whole new kind of internal control can be glimpsed.
Step 2: Reworking of the process that would make existing ones obsolete
This total automation would necessarily be the result of a reflection beforehand, whose aim is to clarify and optimize the given process and allow additional productivity gains. The human part would only be solicited at the end of the chain, his role being reduced to the control of anomalies.
RPA has already demonstrated some interesting results in the banking and financial sectors in cost-cutting campaigns. RPA could soon be applied to new sectors. Regarding internal controls, automation is still in its infancy. As of now, its main domain of application is the automation of organizational process, which is today’s top management strategic priority. By gradually developing into companies’ organizations, RPA is likely to deeply change the computerized process, playing a key role in the financial management organization since the advent of ERP. It will then be important to understand how far automation can go, and how far should it go regarding internal controls, without having the firm face new risks, requiring the adaptation of audit and risks functions.