More accounting professionals have embraced robotic process automation in their practice, driving new efficiencies by freeing people from repetitive manual tasks. However, it’s no panacea, and effective implementation requires that organizations consider some key challenges that could hurt firm viability in the long run, according to a recent study published in Accounting Horizons.
The researchers — Marc Eulerich of University of Duisburg-Essen; Nathan Waddoups of University of Denver; Martin Wagener of University of Duisburg-Essen; and David Wood of Brigham Young University — interviewed 26 RPA stakeholders at a Fortune 500 company to ascertain the challenges, drawbacks and pitfalls of using RPA. They then validated their findings by having the company’s external auditors, 16 chief audit executives and 22 information technology audit specialists review and opine on the results.
Interviews revealed several persistent motifs as leaders spoke of the challenges that came with implementing RPA at their firms. Many of the challenges, ironically, are linked to its strengths of being easy to use, low cost and minimally invasive.
For one, certain organizations might view RPA as a Band-Aid to preserve a suboptimal process rather than fundamentally designing the workflow (though the paper did not elaborate on specific examples). One leader likened it to a sort of drug that can relieve pain but doesn’t solve the actual problem. Along similar lines, there were also critiques of RPA being overlaid on top of existing technology rather than replacing it.
Second, the paper talked about how RPA, poorly implemented, can introduce internal control and security issues, like uncontrolled bots, unknown bots, a failure to assess bot risk, fraudulent bot activities and changing processes leading to bots providing bad data. Once again, this is an ironic effect of how easy certain solutions make setting up new bots.
“Related to this, several interviewees reported an inability to track RPA activities within the organization, mentioning that there are some ‘dark spots’ in the company because of bots being unregistered with the IT department. One participant even noted that the external auditor identified some bots that were unknown to the company’s financial reporting team but material to the external audit. Because bots were rapidly developed and introduced, the company struggled in establishing and maintaining an accurate inventory of all bots,” said the paper.
Researchers quoted one leader as saying his organization has 185 bots that he knows about, conceding it could be more.
These security issues also come from these bots sometimes requiring credentials or passwords themselves to do their jobs effectively — and, much like people, they can be manipulated into giving these up to ill-intentioned parties. As such they have become prime hacking targets. If someone can hack a bot, they could potentially hack the entire organization as well.
Furthermore, the researchers noted that, unlike humans, bots don’t always recognize when a process has changed, so they proceed as usual. This can lead to the provision of bad data that the end user may not necessarily recognize as such.
Third, the paper discussed how the savings that RPA introduces from time and efficiency gains can potentially be offset by new costs in monitoring, assurance and security. Internal controls over financial reporting, for instance, may need to be regularly tested by an independent assessor and be extensively documented, which potentially represents a high workload. Security measures, too, can represent an increased expense.
Fourth, related to the previous point, are the challenges of RPA governance as a whole. The difficulty lies in determining a governance structure that balances the autonomy and motivation that come with a decentralized RPA environment against the assurance and control that come from a centralized one. Leaders are not necessarily all on the same page when it comes to where this balance is struck.
“Although this issue is common to other technologies, it appears to be especially problematic with RPA because the technology does not require advanced technical skills that are often only found in centralized IT groups. Several interviewees described their desire for a complete RPA development process with adherence to all standards and regulations, whereas other interviewees argued for leaner processes that allowed for more autonomy,” said the paper, noting a particular challenge here is aligning IT and non-IT control requirements.
The final challenge mentioned was knowledge loss. Leaders expressed concern about domain knowledge loss as more processes become automated — with humans no longer as involved as they were before, some professionals may forget what the process involved in the first place. Second, though, is the issue of employees who created or managed the bots leaving the organization, especially when there is not proper documentation.
Overall, the researchers said organizations would do well to keep these challenges in mind when considering their own RPA implementation.
“Raising these issues should allow practitioners to make more informed decisions regarding RPA implementations and help inform them regarding the problematic areas that require better governance,” said the paper’s abstract.