
PROJECT REPORT

OF
DISA 3.0 COURSE
CERTIFICATE

Project Report of DISA 3.0 Course

This is to certify that we are attending the DISA 3.0 course training being conducted at:

ICAI DLH portal, Virtual Branch From 10th October 2020 to 27th October 2020 and we have the
required attendance.

We are submitting the Project titled: AUDITING ROBOTIC PROCESS AUTOMATION.

We hereby confirm that we have adhered to the guidelines issued by DAAB, ICAI for the project.
We also certify that this project report is the original work of our group and that each one of us has
actively participated and contributed in preparing this project. We have not shared the project
details or taken help in preparing the project report from anyone except members of our group.

1. Name: MANCHIKANTI VENKATA SAIPRANEETH DISA No.63353 Sd/-


2. Name: MADHURI MURALIDHAR DISA No.63359 Sd/-
3. Name: SAURABH VINOD JAIN DISA No.63336 Sd/-

Date:19-10-2020
Table of Contents

Details of Case Study/Project(Problem)

Project Report (solution)


1. Introduction
2. Auditee Environment
3. Background
4. Situation
5. Terms and Scope of assignment
6. Logistic arrangements required
7. Methodology and Strategy adapted for execution of assignment
8. Documents reviewed
9. References
10. Deliverables
11. Format of Findings and Recommendations
12. Conclusion
PROJECT REPORT

AUDITING ROBOTIC PROCESS AUTOMATION SYSTEM OF ABC BANKING GROUP

A. Details of Case Study/Project (Problem)

ABC Banking Group, a global player in the banking and financial services industry, has ventured
into implementing a Robotic Process Automation (RPA) system in its business. After evaluating
various technology vendors it partnered with “Fully Automate” to implement RPA across its
operations. The company used to rely on an outsourced labour force for a large share of its
processing jobs, which have now been automated using RPA bots. Bots have been introduced in
areas ranging from payroll administration and customer service to account opening and KYC.

The company faced the problems of high volumes, errors in manual processes and high
variability of volumes in its operations. This required it to launch the recruiting process three
to four months in advance, bring staff on board a month or so early, train them, utilise them
during the surge in work, and then scale back. The frequent recruitment drives drained a lot of
senior management’s time and added to operational costs. These factors contributed to ABC’s
decision to introduce RPA into its business processes.

Since RPA has now been fully implemented in the ABC Group’s systems, the company intends
to obtain a post-implementation independent assessment, through an IS audit, of the Robotic
Process Automation systems implemented for its Indian operations: to assess, analyse and
evaluate whether the objectives defined at the start of automation were successfully met, and
to pave the way for improvements to the existing systems at its hubs in India. The company also
intends to identify any risks associated with its existing Robotic Process Automation systems so
that the necessary controls and checks can be established in the system.
B. Project Report (solution)

1. Introduction

1.1 About ABC Banking Group

ABC Banking Group is an international banking and financial services organization
headquartered in Melbourne with a global presence in more than 30 countries. As per the latest
available statistics, Australia is the company’s largest market, serving over six million retail and
commercial customers through a network of around 600 branches, 30 business centres, 2,000
ATMs and leading online and mobile banking applications.

The ABC group has a unique portfolio of specialized businesses and offers a full range of
financial products and services, including mortgages, credit cards, corporate lending, asset
finance, and more sophisticated investment banking products.

They aim to become the best bank in the world for customers driven by regional trade and
capital flows; providing support to local and global businesses, and connecting with growth
opportunities across Asia Pacific and beyond. The Indian market is expected to play a
prominent role in the growth of ABC Bank in the Asia Pacific domain.

Organization Structure:

The ABC group has a workforce of over 51,000 employees and serves around nine million
customers worldwide.

The ABC group established its first Indian branch in Mumbai, and thereafter in Gurugram and
Bengaluru. The group has six shared service hub operations around the globe; a significant one
is in Bengaluru, employing around 5,000 staff who also support the group’s business in other
parts of the world.

(Figure: Organization structure at the top level of the ABC Group)

Technology Infrastructure:

ABC Banking Group’s technology vision is to establish “Automated, seamless, straight-through
processing and E-banking with a human face”. The group has made large investments in
technology infrastructure and complex applications.

ABC currently operates six data centres globally, including two in Australia and one each in New
Zealand, Singapore, Indonesia and Taiwan. Its technology team has virtualized 40 percent of
ABC’s infrastructure, with a view to hosting 80 percent of its services in a private cloud
environment with encrypted data storage.

ABC has now implemented Robotic Process Automation system into its business for a wide
range of functions including KYC, Account opening and closing, Credit card approval, report
automation, compliance etc.

Focus and Business Approach:

The Focus of ABC is on improving the financial wellbeing of their customers; having the right
people who listen, learn and adapt; putting the best tools and insights into their hands; and
focusing on those few things that really add value to customers and doing them right the first
time.
ABC aims to ensure risk management and accountability as central to everything they do and
they have a dedicated Risk Division which is responsible for global risk management framework.
ABC Group’s Internal audit division is an integral part of their governance process and acts as a
catalyst in paving way for continuous improvements.

1.2 IS Audit and Assurance Firm

M/s MPMS Associates is a 20-year-old firm of Chartered Accountants, established in the year
2000, specializing in Information Systems Assurance and Management Consultancy services.
MPMS Associates is led by Mr. MP, who is a qualified Chartered Accountant and holds a
Diploma in Information Systems Audit. MPMS Associates also has a team of qualified and
trained Information Systems Audit personnel. MPMS has four partners who are CAs with the
DISA qualification and one partner holding the CISA qualification. MPMS has been providing
Information Systems Assurance to both the public and private sector in India as well as abroad,
in a wide range of domains including IT companies, banks, major multinationals, manufacturing
companies, e-commerce chains etc. We have deployed our core team of five Chartered
Accountants, including one partner, to conduct the audit of the ABC group.

The Core Audit team consists of:

1. Mr. MP – Partner – CA with DISA qualification, having 15 years’ experience in IS audits,
project post-implementation assessments and management consulting
2. Mr. MM – Qualified CA – 10 years’ experience in information systems implementation and IS audit
3. Mr. SVJ – Qualified CA – 10 years’ experience in information systems implementation and IS audit
4. Mr. AT – Qualified CA – 10 years’ experience in information systems implementation and IS audit
5. Mr. SD – Qualified CA – 10 years’ experience in information systems implementation and IS audit

The audit team shall also use the services of information systems specialists and audit assistants,
who shall be deputed to the assignment as specific requirements arise.

2. Auditee Environment

ABC Bank has adopted world-class technology and industry-leading best practices in its
business to maximize customer satisfaction and stakeholder value.
ABC Bank has spent the past year refining a well-developed programme of work in the emerging
field of Robotic Process Automation (RPA), whereby tasks previously performed by employees
are now performed by software robots (“bots”) that execute the same rule-based steps in the
existing business applications.
Much of the robotic work was initially conducted in ABC’s network of so-called captive centres
or hubs in India, the Philippines and China, and the bank is currently incorporating bots into its
operations in Australia as well. RPA was adopted not as a job reduction strategy but as a move
to refocus human workers on new areas that add value to the organization. Redundant,
time-consuming, rule-based tasks are performed by bots, so that employee time is directed
towards higher-value and more rewarding tasks.

The bank has licensed “Fully Automate”, a global leader in the RPA market, to implement the
new technology in its business. Currently about 40 processes have been moved to RPA, of
which the 11 processes fully implemented in the Indian operations are covered in the audit
scope based on management’s requirements.

Information Security policy:

ABC, being a global organization, has a tiered structure of information security policy,
wherein one set applies globally throughout the organization and other policies apply to
individual geographical or regional entities. This aims at resolving the difficulties created by
varying risk tolerance levels among business units, legal and business cultural differences, and
policy differences across geographical boundaries.

The Information Security policy of ABC is well laid out, clearly defining the information security
requirements of:
i. Confidentiality: protecting sensitive information from disclosure to unauthorised individuals
or systems;
ii. Integrity: safeguarding the accuracy, completeness and timeliness of information;
iii. Availability: ensuring that information and vital services are accessible to authorised users
when required.
Other principles and security requirements such as authenticity, non-repudiation,
identification, authorisation, accountability and auditability are also addressed in the
Information Security policy.

At ABC Banking Group, considering these security requirements, information security policies
have been framed based on a series of security principles. Some of the policies relevant from
the RPA system perspective, and the needs they address, are set out below:
a. New Technology Adoption
• Introduction of new technology and deployment of applications and infrastructure shall go
through a risk assessment and sign-off process before implementation in production. The risks
associated with the adoption of new and emerging technologies shall be assessed and approved.
b. Log and Audit Trail Policy
• The Log and Audit Trail Policy enables quicker and cleaner audit reports, and ensures that the
steps leading to a specific problem are retraceable, be it an error in the RPA system’s or a bot’s
performance, malicious code, or other misuse by an employee. The RPA platform should offer
full audit logs that trace and record every action the software bots and the users perform within
the automation, and those logs should be protected from modification by the bot accounts and
users whose actions they record.
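As an illustration of how an auditor can put such an audit trail to use, the following is an added example (not the bank’s or Fully Automate’s code). It reads a constructed sample of a bot audit-trail export and tests three controls a reviewer would expect from the log policy above: a bot acting in a process it is not assigned to, bot credentials used in an interactive session, and a bot running outside its approved window. The log layout, the bot account names, the bot-to-process assignments and the run windows are all hypothetical assumptions made for this example.

```python
"""Review of RPA bot audit-trail entries against the bank's control expectations.

Added example; not ABC Banking Group's or "Fully Automate"'s code. The log
layout, the bot account names, the bot-to-process assignments and the run
windows are hypothetical assumptions made for this illustration.
"""
import csv
import io
from datetime import datetime, time

# Constructed sample of an exported audit trail: one line per bot/user action.
SAMPLE_LOG = """\
timestamp,actor,session,process,action,target
2020-10-12T09:05:11,BOT_KYC01,unattended,KYC_Review,Read,CoreBanking
2020-10-12T09:06:40,BOT_KYC01,unattended,KYC_Review,Update,CoreBanking
2020-10-12T23:41:02,BOT_KYC01,unattended,KYC_Review,Update,CoreBanking
2020-10-12T10:15:27,BOT_AP02,unattended,Accounts_Payable,Approve,PaymentsHub
2020-10-12T10:16:03,BOT_AP02,unattended,Credit_Card_Decision,Approve,CardSystem
2020-10-12T14:22:50,BOT_AP02,interactive,Accounts_Payable,Login,PaymentsHub
2020-10-12T11:30:05,jdoe,interactive,Accounts_Payable,Approve,PaymentsHub
"""

# Assumed design baseline taken from a (hypothetical) bot register:
# which process each bot account is authorised to work in ...
ASSIGNMENTS = {
    "BOT_KYC01": {"KYC_Review"},
    "BOT_AP02": {"Accounts_Payable"},
}
# ... and the approved unattended run window for each bot (local time).
RUN_WINDOW = {
    "BOT_KYC01": (time(8, 0), time(20, 0)),
    "BOT_AP02": (time(8, 0), time(20, 0)),
}


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return rows


def review_bot_activity(rows, assignments=ASSIGNMENTS, run_window=RUN_WINDOW):
    """Return (control, actor, timestamp, detail) tuples for each exception found.

    Three controls are tested for every action performed under a bot identity:
    1. least privilege: the bot acted in a process it is not assigned to;
    2. identity misuse: the bot credentials were used in an interactive session,
       which suggests a person logged in as the bot;
    3. scheduling: the bot ran outside its approved window.
    """
    findings = []
    for row in rows:
        actor = row["actor"]
        if actor not in assignments:
            continue  # human actors are covered by the logical access review
        if row["process"] not in assignments[actor]:
            findings.append(("unassigned_process", actor, row["timestamp"], row["process"]))
        if row["session"] == "interactive":
            findings.append(("interactive_bot_session", actor, row["timestamp"], row["action"]))
        start, end = run_window.get(actor, (time.min, time.max))
        if not start <= row["timestamp"].time() <= end:
            findings.append(("outside_run_window", actor, row["timestamp"], row["action"]))
    return findings


def summarize(findings):
    """Count exceptions per control, for the draft report."""
    counts = {}
    for control, *_ in findings:
        counts[control] = counts.get(control, 0) + 1
    return counts


if __name__ == "__main__":
    exceptions = review_bot_activity(parse_log(SAMPLE_LOG))
    for item in exceptions:
        print(item)
    print(summarize(exceptions))
```

On the constructed sample the review raises three exceptions: BOT_KYC01 updating records at 23:41, outside its window; BOT_AP02 approving in the credit card decision process it was never assigned; and an interactive login under the BOT_AP02 identity. Each maps to a question for the auditee (scheduler override, role drift, or a person holding the bot’s password), and the human user’s line is deliberately left to the logical access review rather than this check.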

c. Encryption Policy
•In the current environment of increasingly open and interconnected systems and networks,
network and data information security are essential. This policy describes cryptography as a
tool for satisfying a wide spectrum of the Information Security Management System (ISMS)
needs and requirements. As per this policy, it is important to choose an RPA product that
stores sensitive information encrypted in a secure database.

As per its policy, the organization structure of the Information Technology Department of the
Indian operations is designed as below:

(Figure: Organization structure of the IT Department, Indian operations)

Regulatory Requirements:

• Compliance with statutory, regulatory and contractual requirements, such as the Information
Technology Act, 2000 (as amended in 2008) and the directives and recommendations issued by
the Reserve Bank of India, is to be ensured
• Compliance with the terms, conditions and licence requirements for the usage of RPA systems
or any other proprietary information/material shall be maintained
• Cross-border movement of data shall be in accordance with legal and regulatory requirements
• Records shall be retained and managed based on legal and regulatory requirements

3. Background

Robotic Process Automation (RPA) system/Bot implementation in ABC Banking group was
guided by their requirement for managing the variability in operational volumes across periods.

The implementation team for RPA for the Indian operations was headed by the General Manager,
Group Hubs, working together with the Managing Director of the Bengaluru Hub, and a very
experienced team of professionals and technology experts was identified to steer the
implementation. The identified technology was easy to use and could be learned easily by the
operations team, without necessarily requiring technology expertise.

ABC adopted pilot automation in a few processes first, expanding to other areas thereafter
once its teams had built confidence and belief in the approach. As per the service level
agreement, its technology partner Fully Automate provided on-site consulting support to help
accelerate learning. Fully Automate trained one group and then moved to another group as the
first one gained momentum.

The management of the ABC Group seeks assurance from the IS audit team on the following
aspects of its RPA system:

• Ascertain the degree of success of the RPA implementation, evaluate whether the project
has met the goals set for it, and manage the expectations of stakeholders.
• Evaluate the efficacy of all elements of the working solution to identify potential areas for
improvement and optimize the benefits delivered.
• Assess potential risks to the business post-implementation and develop controls.
• Assess how well the project was managed and identify shortcomings, if any, for future
improvements.
4. Situation
The introduction of RPA has changed the technology environment of the company, bringing with it
a series of new risks which need to be identified, assessed and addressed. There are multiple
aspects of process automation which lead to an elevated risk exposure compared with a typical
IT application. To name a few from an audit perspective: changes in process risk definitions
post-automation, changes to job roles and access security, application change management
considerations, and the strategy and governance of the RPA environment. RPA being a new area
for the stakeholders as well as for the business environment as a whole, there is a need to
engage experts to assess the various risks and controls in the system post-implementation. The
Internal Audit Division of ABC is globally located and managed under the Group Internal Audit
Officer, and has already carried out pre- and post-implementation assessments of RPA in
different countries. In order to have an independent assessment, the company proposes an
external IS audit of the Robotic Process Automation system.

Overview of functions performed by the RPA system/bots

CUSTOMER SERVICE
RPA has been designed to respond to queries from customers in real time in relation to account
information, application status, balance information etc. by extracting information from the data
system based on rules set for each query.

COMPLIANCE
Banks, being the centre of the economy, are closely governed and need to adhere to a lot of
compliance requirements. RPA generates the various reports to be submitted to regulators with
24/7 availability and high accuracy, improving the quality of the compliance process.

ACCOUNTS PAYABLE
Optical character recognition (OCR) reads the vendor information from the digital copy of
invoices and provides the information to the RPA system. The bot validates it against the
information in the system and processes the payment. If any error occurs, the bot notifies the
executive for resolution.

CREDIT CARD PROCESSING
RPA validates the customer information from the credit card application by communicating with
multiple systems simultaneously to check items such as required documents, background checks
and credit checks, and takes the decision, on the basis of rules, to approve or decline the credit
card application.

MORTGAGE LOAN PROCESSING
The process of approving a mortgage loan goes through various checks such as credit checks,
repayment history, employment verification and inspection. RPA performs this process based on
a specific set of rules and checks, thereby accelerating mortgage loan processing by providing
fast and accurate inputs to the Credit Department.

KYC PROCESS
The RPA system collects, screens and validates customer data, and flags any missing or
unauthentic KYC information in the account. It tracks accounts with missing KYC, sends
automated notifications and schedules calls for the required document submissions.

FRAUD DETECTION
The RPA system helps in detecting potential fraud by using “if-then” rules and flags cases to the
concerned departments for their action. E.g.: if multiple transactions are made within a short
time, the bot identifies the account and flags it as a potential threat.

GENERAL LEDGER
The RPA system integrates data from multiple legacy systems, validates it against the rules set,
and reports it in the required format to be updated in the General Ledger.

ACCOUNT CLOSURE PROCESS
RPA helps the bank close accounts in exceptional scenarios, such as a customer failing to provide
KYC documents.

REPORT AUTOMATION
The RPA system provides data in multiple formats and creates reports by auto-filling the
available report formats, producing specific reports to be presented to stakeholders without
errors.

ACCOUNT OPENING PROCESS
RPA extracts information from input forms and feeds it into the different host applications,
eliminating the manual data entry requirement.
Internal Audit team at the Global level and the Information System Team in India have
proposed to obtain an External Review and Assessment of their recently introduced RPA
system.

5. Terms and Scope of assignment


Based on the understanding of ABC Bank’s needs for conducting the post-implementation audit
of its Robotic Process Automation system, it is decided to focus primarily on the adequacy and
appropriateness of the system, to identify any risks associated therewith, and to verify the
confidentiality and integrity of the data processed in the RPA-enabled environment. In
consultation with top management at the global level and with the Managing Director and
Operations Director of the Bengaluru Hub, the scope of review will primarily be from the
security/controls, regulatory compliance and benefit realization perspectives and would involve:

1. Project Execution Review
2. Design Evaluation
3. Operating Effectiveness and Key Risk Analysis
4. Legal and Regulatory Review
5. Process Mining and Optimization
6. Review of the Exception Handling Process
7. Information Security Review

The audit of the RPA system shall focus mainly on the major areas where RPA has been
implemented, performing tests of controls and substantive tests using appropriate Computer
Assisted Audit Tools and Techniques (CAATs) as and when required.

6. Logistic arrangements required


Infrastructure required:

ABC Group – India shall appoint one senior IT officer from the implementation team and the
Operations Head to co-ordinate the finalization of the initial work plan, and they shall continue to
work with the audit team as and when required till the completion of the assignment. The
company shall make available the necessary systems, software, software resources and support
facilities for completing the assignment within the appointed time. During the course of the audit
the following resources shall be made available:

• 2 nodes with read-only access to extract reports from the application
• One laptop with Windows 10 / Microsoft Office 2013
• Adequate seating and storage for the team
• Facilities and permissions to hold discussions and seek information from the IT department
as well as the different user departments where RPA has been implemented
• Written authorization and agreed rules of engagement for penetration testing on the system
(systems in scope, test windows and the environment to be tested)
• Permission to bring our own laptops with Computer Aided Audit Tools installed, to be used for
our data analysis
Documents required:

• Service Level Agreement with “Fully Automate”
• User manuals and technical manuals related to the RPA system
• Organization chart of the company and the IT department
• Access to documents related to the implementation of RPA
• Minutes of the IT Steering Committee and IT Strategy Committee meetings
• Reports of the Internal Audit Department with respect to the audits conducted before,
during and after implementation of the RPA system
• Any other document that may be identified as relevant during the course of the audit

7. Methodology and Strategy adapted for execution of assignment


Audit Approach

In tune with the terms and scope of the assignment, the methodology shall be adapted in
compliance with the IS Audit and Assurance Standards of the Information Technology
Assurance Framework (ITAF) issued by ISACA.

Our approach to the assignment shall be as follows:

• A core team of 5 IS audit professionals shall be deployed for this assignment in batches
of 2 or 3 as per the skill sets required at each stage, under the personal direction and
liaison of our partner Mr. MP.
• A detailed and systematic audit procedure shall be finalized after completing an initial
review of the documentation and discussions with the IT department personnel and
users.

Structured Methodology

The following structured methodology shall be adopted for achieving the objectives of the
audit:

• Obtain an understanding of the IT resource deployment of ABC
• Obtain an understanding of the RPA system specification, the level of automation and the
areas where the RPA system has been implemented
• Identify and document the information systems security policy and other IT-related
circulars, including those at the global level applicable to India
• Identify and document the organization structure and information architecture
• Identify and document existing policies, procedures and practices
• Review the project execution documentation of the RPA system
• Review the operational data of the system and the system logs
• Evaluate risks and test the effectiveness of controls using checklists and other audit tools
• Formulate a draft audit report on our findings and seek management’s response
• Present the final IS audit report with key audit findings and an agreed action plan based on
management’s feedback

Audit Plan:

Based on the requirements of ABC Group and Scope of Audit, Audit Plan shall cover the
following:

1. Understanding the Auditee Environment

Discussions with the Internal Audit team, Systems/Implementation Team, Users and
Management. Review of the Policies, organization structure, IT steering committee and
Strategy committee minutes, User Manual and installation documents of RPA system etc.

2. Project Execution Review

• Review the project monitoring activities at the time of implementation, which involve
project tracking, reporting and related documentation
• Review project planning, i.e. how well the project activities were planned to better
manage the expectations of stakeholders and allow smooth tracking
• Review resource management: evaluate how well the resources were utilized to execute
the project within the scheduled cost and time
• Review risk management by evaluating the risk identification and mitigation planned
during automation and deployment
• Assess the effectiveness of the change management undergone during the
transformation from manual to automated processes

3. Design Evaluation

Evaluate the design of the controls built into the RPA system and the exception handling process.
Perform a gap analysis of the expected and actual outcomes of the RPA system implementation.
4. Legal and Regulatory Review

• Evaluate the procedures followed for change management in the RPA system in response
to changes in the legal and regulatory environment.
• Review the RPA system’s security and protection requirements.

5. Assessing Operating Effectiveness and Key Risks

Assess the effectiveness of operations through tests of controls and substantive testing, with
emphasis on preventive controls and exception-based testing. Assess logical access controls,
environmental controls, physical access controls etc. Some of the key risks considered for the
audit plan are automation strategy, business continuity, data protection and security, solution
and infrastructure architecture, business processes and project execution.

6. Process Mining and Optimization

Analysis of business processes based on event logs, to identify the trends, patterns and details
contained in the logs created by the information system. Process mining is performed using the
event log created by the RPA system or the bot, and assumes the existence of an event log in
which each event refers to a case, an activity and a point in time. From such a log the actual
paths taken by cases can be reconstructed and compared with the designed process, so that
cases which skipped a control step, looped back for manual correction, or took unusually long
can be identified for follow-up.
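The following is an added example of this technique (not the bank’s or Fully Automate’s code, and not a CaseWare IDEA script). It takes a constructed event log with the three attributes named above (case, activity, timestamp), rebuilds the trace of each case, counts the process variants and the directly-follows relation, and checks each case against a designed path. The activity names and the designed path are hypothetical and are chosen to resemble the account opening bot described in this report; “Validate” stands for the control step that must not be skipped.

```python
"""Process mining over a bot event log: variants, directly-follows relation and
conformance against the designed path.

Added example; not the bank's or Fully Automate's code. The event log columns,
the activity names and the designed path are hypothetical, chosen to resemble
the account opening bot described in this report.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed event log: each event refers to a case, an activity and a point in time.
SAMPLE_EVENT_LOG = """\
case,activity,timestamp
A1,Receive_Form,2020-10-12T09:00:00
A1,Extract_Data,2020-10-12T09:00:05
A1,Validate,2020-10-12T09:00:09
A1,Create_Account,2020-10-12T09:00:20
A1,Notify_Customer,2020-10-12T09:00:25
A2,Receive_Form,2020-10-12T09:10:00
A2,Extract_Data,2020-10-12T09:10:04
A2,Validate,2020-10-12T09:10:08
A2,Manual_Correction,2020-10-12T11:45:00
A2,Validate,2020-10-12T11:46:10
A2,Create_Account,2020-10-12T11:46:20
A2,Notify_Customer,2020-10-12T11:46:30
A3,Receive_Form,2020-10-12T09:20:00
A3,Extract_Data,2020-10-12T09:20:04
A3,Validate,2020-10-12T09:20:08
A3,Create_Account,2020-10-12T09:20:20
A3,Notify_Customer,2020-10-12T09:20:24
A4,Receive_Form,2020-10-12T09:30:00
A4,Extract_Data,2020-10-12T09:30:05
A4,Create_Account,2020-10-12T09:30:10
A4,Notify_Customer,2020-10-12T09:30:15
"""

# Designed path of the account opening bot (assumed): Validate is the control
# step that must run before an account is created.
DESIGNED_PATH = ("Receive_Form", "Extract_Data", "Validate", "Create_Account", "Notify_Customer")


def load_traces(text):
    """Group events by case and order them in time -> {case: [activity, ...]}."""
    by_case = defaultdict(list)
    for event in csv.DictReader(io.StringIO(text)):
        by_case[event["case"]].append((datetime.fromisoformat(event["timestamp"]), event["activity"]))
    return {case: [activity for _, activity in sorted(events)] for case, events in by_case.items()}


def variant_frequencies(traces):
    """How many cases followed each distinct activity sequence (process variant)."""
    return Counter(tuple(trace) for trace in traces.values())


def directly_follows(traces):
    """Directly-follows relation: how often activity a was immediately followed by b."""
    dfg = Counter()
    for trace in traces.values():
        for a, b in zip(trace, trace[1:]):
            dfg[(a, b)] += 1
    return dfg


def classify_cases(traces, designed=DESIGNED_PATH):
    """Label each case as conforming, rework (all designed steps happened, but with
    repeats or extra manual steps) or skipped_control (a designed step never happened)."""
    labels = {}
    for case, trace in traces.items():
        if tuple(trace) == designed:
            labels[case] = "conforming"
        elif all(step in trace for step in designed):
            labels[case] = "rework"
        else:
            labels[case] = "skipped_control"
    return labels


def case_durations_minutes(text):
    """Cycle time of each case, first event to last event, in minutes."""
    by_case = defaultdict(list)
    for event in csv.DictReader(io.StringIO(text)):
        by_case[event["case"]].append(datetime.fromisoformat(event["timestamp"]))
    return {case: (max(stamps) - min(stamps)).total_seconds() / 60 for case, stamps in by_case.items()}


if __name__ == "__main__":
    traces = load_traces(SAMPLE_EVENT_LOG)
    print(variant_frequencies(traces))
    print(directly_follows(traces))
    print(classify_cases(traces))
    print(case_durations_minutes(SAMPLE_EVENT_LOG))
```

On the constructed log, two cases follow the designed path, case A2 loops through a manual correction and a second validation (a rework pattern worth quantifying when assessing benefit realization, since it took over two and a half hours against seconds for the straight-through cases), and case A4 created an account without the Validate step ever occurring, which is the kind of control bypass an auditor would trace back to the bot logic or an exception path.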

7. Information Security Review

• Performing vulnerability assessment and penetration testing
• Solution testing
• Application code review (including the bot workflows and their configuration)
• Configuration and architecture review

Audit Program

Sl No. – Audit Area – Nature of Work to be Performed

1. Understand the IS environment of ABC and the functionalities and processes performed by the RPA system
• Discussion with management
• Discussion with the IT department
• Discussion with user departments
• Discussion with the Project Manager engaged in the implementation of the RPA system
• Review IS policy and procedures
• Review user manuals
• Review the business case document related to the RPA implementation
• Review the SLA and maintenance contract with “Fully Automate”
• Review the IT general controls in the information system with respect to confidentiality, integrity and availability

2. Assess application-level risks and the controls implemented in the RPA system at the system and data level
Review the controls implemented to address the following risks:
• system integrity risks relating to incomplete, inaccurate, untimely or unauthorized processing of data;
• system security risks relating to unauthorized access to systems or data;
• data risks relating to completeness, integrity, confidentiality and accuracy;
• system availability risks relating to lack of system operational capability; and
• system maintainability risks in terms of adequate change control procedures.
Evaluate the risk and control considerations using checklists.

3. Review the flow of transactions in the RPA
Conduct a walk-through test to:
• Analyse both the automated and the manual parts of the processes to evaluate the controls over data input (electronic or manual), processing, storage and output which are of significance to the audit objective
• Review the application interfaces with other systems
• Analyse the system for inputting the interest rate to be charged on loans and for changing the rates on loans with a floating rate of interest
• Perform recalculation on a sample to check the accuracy and correctness of the processing of data and of the interest charged

4. Governance of RPA: varying standards of risk and controls associated with different departments
• Review whether the change in roles and responsibilities of employees post-implementation of RPA has been properly documented and communicated
• Assess whether the different departments using the RPA system are aware of the correct procedures of use
• Review employee awareness through discussions with user departments

5. Business continuity plan with respect to the RPA system
• Review the documented BCP in respect of recovery of the RPA system in the event of a breakdown
• Review the backup procedures

6. Review of the customer care RPA system
• Check that appropriate action is taken on the exception logs generated, that timely resolution is provided to customers, and that the same is adequately documented
• Discuss with the IT development team and review the development documents, with the help of an expert if required, to understand the rules set for the RPA system in the customer care department, and test-check from the logs whether the objectives have been fully implemented

7. Review of the compliance and report automation RPA system
• Review the rules set for compliance report generation by the RPA system
• Review whether the generated reports are reviewed by appropriate personnel from the compliance department before final submission to the authorities, and whether the process is logged/documented

8. Review of the RPA system in the accounts payable processing section
• Check the efficiency of the optical character recognition (OCR) used for capturing vendor information from documents
• Check the validation rules set for picking and processing values from invoices
• Check the log of cases where validations failed and review whether appropriate and timely action is being taken on them

9. Review of the RPA system in the credit card processing section
• Perform a walk-through test to analyse whether the checks performed are in accordance with the credit policy of the bank
• Check the log of rejected applications and review the actions taken on them

10. Review of the RPA system in mortgage loan processing
• Perform a walk-through test to check whether the credit checks, repayment history, employment verification and inspection done by the RPA system are as per the bank’s credit and lending policy
• Review whether the appropriate credit officer further verifies the credit eligibility reports generated by the RPA system and acts on them
• Ensure that confidentiality and integrity checks are incorporated appropriately into the various stages of data input, processing and output

11. Review of the RPA system in fraud detection reports
• Review the confidentiality of the logs created by the system in relation to flagged transactions/accounts
• Review the fraud detection logs flagged by the system and the action taken/documented in relation to them
• Use the CaseWare IDEA CAAT tool to analyse patterns and draw conclusions on the effectiveness of the reports generated by the RPA system

12. Review of RPA in KYC, account opening and account closing
• Review the controls in relation to maintaining the confidentiality, integrity and availability of the data accumulated by the RPA system at the various stages of KYC updating, account opening and account closing
• Test-check a few account opening and closing forms manually to ensure that the data is correctly mapped
• Use CAAT tools to check for validation and duplication errors

13. Review of the RPA system in general ledger updating
• Check the interfaces of the RPA system with the other systems from which data is extracted for posting to the general ledger

14. Review of the exception logs generated by the RPA system processes
• Review whether the company has an appropriate monitoring process for exception handling
• Use CAAT tools such as CaseWare IDEA to analyse patterns and trends in exception handling to see whether there are any deficiencies in the bot logic as initially developed

15. Review of the change management system established by the organization
Review the systems in place, such as approving authority and documentation, in respect of the following:
• Raising change requests
• Prioritizing change requests
• Carrying out changes
• System document maintenance
• Testing changes
• Releasing changes
• Record maintenance
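Items 11 and 14 above call for analysing the fraud detection flags and the exception handling trend, and the fraud detection finding in section 11 of this report attributes a high share of “normal” dispositions to the rule parameters. The following added example (not the bank’s or Fully Automate’s code, and not a CaseWare IDEA script) shows one way to test that attribution: it re-implements the bot’s “multiple transactions within a short time” rule with its two parameters made explicit, runs it over a constructed transaction sample, and scores each parameter setting against the dispositions recorded by the reviewing department. The transactions, the confirmed-fraud set and the candidate parameter values are all constructed for the illustration.

```python
"""Testing a fraud-detection bot's "multiple transactions within a short time"
rule against the dispositions recorded by the reviewing department.

Added example; not the bank's or Fully Automate's code. The transactions, the
confirmed-fraud set and the parameter values are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T = datetime.fromisoformat

# Constructed transactions: (account, timestamp, amount).
SAMPLE_TXNS = [
    ("ACC1", T("2020-10-12T09:00:00"), 1200.0),
    ("ACC1", T("2020-10-12T09:20:00"), 350.0),
    ("ACC1", T("2020-10-12T17:00:00"), 90.0),
    ("ACC2", T("2020-10-12T10:00:00"), 5000.0),
    ("ACC2", T("2020-10-12T10:30:00"), 5000.0),
    ("ACC2", T("2020-10-12T11:00:00"), 5000.0),
    ("ACC2", T("2020-10-12T11:30:00"), 5000.0),
    ("ACC3", T("2020-10-12T02:00:00"), 999.0),
    ("ACC3", T("2020-10-12T02:01:00"), 999.0),
    ("ACC3", T("2020-10-12T02:02:00"), 999.0),
    ("ACC3", T("2020-10-12T02:03:00"), 999.0),
    ("ACC3", T("2020-10-12T02:04:00"), 999.0),
    ("ACC3", T("2020-10-12T02:05:00"), 999.0),
    ("ACC4", T("2020-10-12T12:00:00"), 40.0),
    ("ACC4", T("2020-10-12T12:05:00"), 60.0),
    ("ACC5", T("2020-10-12T15:00:00"), 700.0),
]
# Constructed dispositions from the reviewing department: accounts confirmed as fraud.
CONFIRMED_FRAUD = {"ACC3"}


def velocity_flags(txns, window_minutes, min_count):
    """Flag an account when at least min_count transactions fall inside any
    sliding window of window_minutes. This is the bot's "if-then" rule with
    its two parameters made explicit."""
    by_account = defaultdict(list)
    for account, ts, _amount in txns:
        by_account[account].append(ts)
    window = timedelta(minutes=window_minutes)
    flagged = set()
    for account, times in by_account.items():
        times.sort()
        left = 0
        for right, ts in enumerate(times):
            while ts - times[left] > window:  # shrink window from the left
                left += 1
            if right - left + 1 >= min_count:
                flagged.add(account)
                break
    return flagged


def evaluate(flagged, confirmed):
    """Score the rule against reviewed outcomes. 'normal_share' is the fraction
    of flags the reviewing department closed as normal activity."""
    tp = len(flagged & confirmed)
    fp = len(flagged - confirmed)
    missed = len(confirmed - flagged)
    return {
        "flagged": len(flagged),
        "true_positive": tp,
        "false_positive": fp,
        "missed_fraud": missed,
        "precision": tp / len(flagged) if flagged else 0.0,
        "recall": tp / len(confirmed) if confirmed else 0.0,
        "normal_share": fp / len(flagged) if flagged else 0.0,
    }


def compare_parameter_sets(txns, confirmed, candidates):
    """Run each (window_minutes, min_count) candidate and return its metrics, so
    the auditor can show which setting reduces noise without losing confirmed cases."""
    return {params: evaluate(velocity_flags(txns, *params), confirmed) for params in candidates}


if __name__ == "__main__":
    for params, metrics in compare_parameter_sets(SAMPLE_TXNS, CONFIRMED_FRAUD, [(60, 2), (10, 5)]).items():
        print(params, metrics)
```

With the loose setting (two transactions within 60 minutes) four of five constructed accounts are flagged and three of those four are normal activity, reproducing the pattern of the finding; with the tighter setting (five within 10 minutes) only the confirmed case is flagged and nothing is missed. The point for the recommendation is that the parameters should be chosen against the department’s recorded dispositions, and re-tested whenever they are changed, rather than set once by the programmer.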
8. Documents reviewed

• Service Level Agreement with “Fully Automate”
• User manuals and technical manuals related to the RPA system
• Organization chart of the company and the IT department
• Documents related to the implementation of RPA
• Minutes of the IT Steering Committee and IT Strategy Committee meetings
• Information Security policy of ABC Banking Group
• RPA exception handling logs
• Standard Operating Procedures (SOPs) of the organization

9. References

For the successful execution and completion of the assignment, the following references were
used:

1. www.icaew.com – ICAEW’s online assurance resource
2. www.cpajournal.com
3. www.automationanywhere.com
4. Gartner – Report on Robotic Process Automation: Implications for Internal Audit
5. EY – Risk and control considerations within robotic process automation implementations
6. Robotic Process Automation – Driving the Next Wave of Cost Rationalisation (Minefields, September 2017)
7. The Future of the Profession (ICAEW, 2017)
8. Modules 1, 3 and 6 of the Background Material of DISA 3.0 by ICAI
9. RBI Guidelines on Information Security, Electronic Banking, Technology Risk Management
and Cyber Frauds

10. Deliverables

The audit assignment is intended to create the following deliverables:

a) Checklist for audit
b) Draft IS Audit Report with Management response
c) Final IS Audit Report
11. Format of Findings and Recommendations
Key Audit Findings and Recommendations:

Sl No. 1
Finding: The RPA system Bot in the customer service process notifies the incomplete transactions due to business exceptions only to the Customer service supervisor by mail.
Risk Implication: Medium
Recommendation: The RPA system to be programmed to mark a mail copy to the Manager-Customer relations for better accountability and monitoring of the exception situations.

Sl No. 2
Finding: The RPA system Bot in the Fraud Detection Process flags over 500 cases on a weekly basis. As noticed by the exception handling review done by the Credit control department, in about 60% of the cases the department personnel have marked that it is a normal occurrence in the account. This may be due to incorrect parameters set in configuration.
Risk Implication: Medium
Recommendation: The Programmer may be asked to review the parameters set for flagging transactions, as unnecessary flags can add to manual work in processing the same by the concerned department, which defeats the purpose of the bot.

Sl No. 3
Finding: The RPA system in Credit Management is not fully utilized. Sending reminders for periodical submission of Stock statement and Receivables statement to Business and institutional clients is not automatically enabled in the RPA system.
Risk Implication: Medium
Recommendation: In order to ensure Compliance and continued loan facility maintenance of business accounts, the RPA system can be programmed to send reminders by mail/automated telephone call to customers to submit the Stock/receivable statements 5-7 days before the due date.

Sl No. 4
Finding: It was seen that 2 CIF numbers were generated by the RPA system for the same person, one taking the Aadhaar Card as base document and the other the PAN.
Risk Implication: High
Recommendation: Necessary control checks to be programmed into the RPA system to flag Name and Date of birth matching instances so that secondary checks can be enabled to avoid such instances in future.

Sl No. 5
Finding: Instances were noted where the RPA system has updated Form 15G/H for deposit account holders whose cumulative annual Interest is higher than the maximum amount not chargeable to tax.
Risk Implication: High
Recommendation: Controls need to be programmed to ensure that 15G/H is marked as yes only for Account holders whose projected interest for the year on deposit accounts is less than the set amount.

Sl No. 6
Finding: The Password Management System of the Software Bots needs to be improved. The passwords and other credentials are being stored in an encrypted file on the server system itself.
Risk Implication: High
Recommendation: A credentials vault should be used to store the encrypted passwords and credentials that the RPA software robots need to login to company databases and other websites during automation.

Sl No. 7
Finding: Upgradation of Security solutions to provide an extra layer of protection to data and RPA system access. Also, considering the sensitivity of information processed by the system, the security settings may be upgraded to the latest security solutions available in the market. ABC currently has access through swiping employee cards, logical access control in the form of passwords and Usage logging enabled for RPA system servers.
Risk Implication: High
Recommendation:
1. Consider employing multi-layer security solutions that provide an extra layer of protection for admin accounts, privileged password management, session recording etc.
2. Consider incorporating the latest industry standard Transport Layer Security (TLS) 1.2 protocol, which is designed to protect the privacy of information communicated over the Internet.
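Findings 4 and 5 both ask for controls to be programmed into the RPA system. The following Python is an added example of what such checks look like, written for this report and not taken from ABC's or the vendor's system: a duplicate check on normalised name and date of birth before a CIF is generated, so that a PAN-based application for a customer already onboarded with Aadhaar is held for a secondary check rather than given a second CIF, and a 15G/H eligibility check against a configured interest threshold. The customer records, the document-number placeholders, the deposit rates and the threshold value are all constructed.

```python
"""Input-validation controls recommended in findings 4 and 5.

Added example, not code from ABC Banking Group or "Fully Automate".
Two checks are shown as the report recommends them: (1) before the
account-opening bot generates a CIF, existing customers are searched for
a matching normalised name and date of birth, so that the same person
applying with a PAN after being onboarded with Aadhaar is held for a
secondary check instead of receiving a second CIF; (2) a Form 15G/H
flag is accepted only when the projected interest for the year on the
customer's deposits is below the amount set by the bank.  The customer
records, document numbers, rates and the threshold are constructed.
"""
from dataclasses import dataclass
from datetime import date
import re
import unicodedata


def normalise_name(name):
    """Fold case, accents, punctuation and spacing so that
    'Ravi Kumar.' and 'RAVI  KUMAR' compare equal."""
    ascii_name = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    letters_only = re.sub(r"[^A-Za-z]+", " ", ascii_name)
    return " ".join(letters_only.upper().split())


@dataclass(frozen=True)
class Customer:
    cif: str
    name: str
    dob: date
    document_type: str   # "AADHAAR" or "PAN" (constructed labels)
    document_no: str


@dataclass(frozen=True)
class Application:
    name: str
    dob: date
    document_type: str
    document_no: str


# Constructed customer master; the document numbers are placeholders.
EXISTING = [
    Customer("CIF0001", "RAVI KUMAR", date(1985, 4, 12), "AADHAAR", "XXXX-XXXX-1234"),
    Customer("CIF0002", "ANITA SHARMA", date(1990, 9, 30), "PAN", "XXXXX5678X"),
]


def cif_creation_decision(app, existing):
    """Control check run before a CIF is generated.

    Returns (decision, matched_cif):
      REJECT_DUPLICATE          the same base document is already on file
      HOLD_FOR_SECONDARY_CHECK  name and date of birth match an existing
                                customer onboarded with a different document
      CREATE_NEW_CIF            no match found
    """
    for c in existing:
        if (c.document_type, c.document_no) == (app.document_type, app.document_no):
            return "REJECT_DUPLICATE", c.cif
    key = (normalise_name(app.name), app.dob)
    for c in existing:
        if (normalise_name(c.name), c.dob) == key:
            return "HOLD_FOR_SECONDARY_CHECK", c.cif
    return "CREATE_NEW_CIF", None


def projected_annual_interest(deposits):
    """Sum of principal * rate for the year in whole rupees.  Rates are in
    basis points and the arithmetic is integer, so there is no floating
    point rounding at the threshold."""
    return sum(principal * rate_bps // 10_000 for principal, rate_bps in deposits)


def form_15gh_allowed(deposits, threshold):
    """15G/H may be marked 'yes' only when the projected interest for the
    year is less than the amount set by the bank.  `threshold` is that
    configured amount; the figure used below is a constructed value."""
    return projected_annual_interest(deposits) < threshold


if __name__ == "__main__":
    same_person_with_pan = Application("Ravi Kumar.", date(1985, 4, 12), "PAN", "XXXXX1234X")
    print(cif_creation_decision(same_person_with_pan, EXISTING))
    print(form_15gh_allowed([(1_000_000, 600), (500_000, 700)], threshold=250_000))
```

The name normalisation is what makes the secondary-check route useful: the two applications in finding 4 carried different base documents, so only a comparison on the customer's identity attributes, not on the document number, can catch them. The bank's actual threshold for 15G/H is a configuration item and is not stated in the report.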
12. Conclusion
The success of any entity in the Banking business revolves around customer satisfaction in
which the use of specific technology plays a key role to generate efficiency. Robotic Process
automation systems are transforming the business landscape by delivering fast and accurate
service and improving customer experience.
ABC Bank has been successful in integrating the Robotic Process Automation System, or Bots, into their structure and this has resulted in an array of benefits, of which a few important ones are discussed below:
 Enhanced Customer Satisfaction- The turnaround time for resolved standardised queries
of Customers has significantly reduced from hours to few minutes. Completeness and
Accuracy of responses is also at a high level as errors due to manual process are
avoided.
 Reduction in recruitment costs and efforts of Senior Management- The costs involved in
launching frequent recruitment drives and training of employees has been considerably
reduced.
 Increased level of Employee satisfaction: RPA relieves employees from mundane,
redundant and repetitive tasks, leading to better job satisfaction.
 Competitive advantage : Post the implementation of RPA into their systems, ABC has
seen a fair increase in its market share as the technology adoption has given a
competitive edge over other players in the market.
As with any technology, RPA also comes with a lot of risks. There are changes in process, risk
definitions post automation, changes to job roles and access security, application change
management considerations, strategy and governance of RPA environment, etc. We have
reviewed the user-access management, change management, operations, and program
development for each RPA system implemented in the hubs in India.

We draw Management's attention to one of the major risks associated with RPA systems, i.e., cyber security and resilience. There may be chances of abuse of privileged access, mismanaged access entitlements and disclosure of sensitive data by personnel who are associated with the maintenance and change management process of the RPA, which must be closely monitored by the Bank. The company may also look into the possibility of integrating the RPA system into the internal Audit function.

Any RPA system requires proactive measures to manage the changing Business processes and
constant review of risk and control profile of the Organization. A healthy dose of risk
management can allow software robots to become trusted enablers in an organization’s digital
transformation journey.
CHECKLIST FOR AUDIT
Sl No. AREA

1 STRATEGY AND GOVERNANCE

a Does the RPA governance risk and control framework continue to align with business
strategies?

b Has an operating model been established to govern, manage, operationalize and scale
the program and life cycle of RPA system ?

c Is the workforce knowledgeable about the processes and controls for which they are
responsible?

d Has the impact of RPA on the organization been factored into the Internal Audit plan?

PROCESS LIFE CYCLE

A Has a consistent, end-to-end methodology been established to manage the RPA life
cycle?

B Has exception handling of the processes handled by RPA system/bots been conducted
to monitor performance and manage any encountered exceptions (e.g., technical or
operational)?
C How is the RPA vendor management integrated into an enterprise vendor
management program, including evaluation of third-party risk and software security?

VALUE MEASUREMENT

A Have key performance indicators (KPIs) and key risk indicators (KRIs) been defined to
proactively assess the RPA program’s health(e.g., engagement and acceptance,
efficiencies gained, development pipeline and training)?
B Has the return on investment been measured (e.g., cycle time, transactions processed
and capacity gains) and socialized to challenge the speed and targets for further
automation?
ALIGNMENT AND CHANGE

A Has the organization planned accordingly for the new competencies required to
sustain the RPA program strategy?
B Has organizational training and education been deployed (and how frequently) to
provide the necessary skills uplift (e.g., awareness, foundations and development)?
C Have new learning paths, job descriptions and workforce planning changes been
defined to promote the program’s sustainability?
TECHNOLOGY

A Has the organization effectively collaborated with the RPA vendor to agree upon
licensing, communication channels, interaction points and service-level agreements
(e.g., software issues, configuration management, enhancements and defects)?
B Has the organization challenged the compatibility of RPA with the underlying
architecture and infrastructure (e.g., synchronization, server changes, entitlement
management, business continuity and disaster recovery)?
C Has a controlled, non-production innovation and test lab been established to
challenge the feasibility of the integration of RPA with further emerging technologies?
D Has a knowledge-management repository been established to capture relevant RPA
lessons learned, accelerators, enablers and artifacts to promote organizational consistency?
ENTERPRISE INTEGRATION

A Have RPA teams effectively integrated with organizational transformation teams to
maximize synergies (e.g., business process management) and minimize duplication?
B Have the security implications (e.g., privileged access management, denial of service
and platform vulnerabilities) and regulatory implications (e.g., privacy and across
borders) of RPA been proactively considered?
C Has the impact on core technology processes (e.g., change management and logical
security) and system integration been evaluated and communicated as a result of
introducing RPA?
DRAFT INFORMATION SYSTEM AUDIT REPORT FOR ABC BANKING GROUP-INDIAN OPERATIONS

ON

POST IMPLEMENTATION IS AUDIT OF ROBOTIC PROCESS AUTOMATION SYSTEM

Name of the Audit Firm conducting Audit: M/s MPMS ASSOCIATES, CHARTERED ACCOUNTANTS
SL. No / POINTS VERIFIED / OBSERVATIONS MADE

1. Reliability, authenticity and accuracy of output generated by the RPA system
Observation: Based on test checks performed on the output, the same is found to be in order.

2. Reliability, authenticity, correctness and accuracy of data processing by the RPA system
Observation: Based on walk-through tests and analysis of transactions using CAAT tools, the data processing is found to be in order.

3. Whether the data used by the RPA system is properly encrypted to prevent any misappropriation as per the IS policy of ABC bank.
Observation: Yes, the data is encrypted as necessitated by the Information Security Policy. However, we recommend use of a credential vault to store the encrypted passwords of the RPA system.

4. Review of Exception handling in the Customer Service System RPA
Observation: Notifications of Exceptions are being sent to the customer service supervisor only and no mail is being marked to the Customer service manager.

5. Review of Fraud Detection logs generated by the RPA system
Observation: The RPA system Bot in the Fraud Detection Process flags over 500 cases on a weekly basis. As noticed by the exception handling review done by the Credit control department, in about 60% of the cases the department personnel have marked that it is a normal occurrence in the account. This may be due to incorrect parameters set in configuration.

6. Deficiencies in the RPA system in Credit control and monitoring
Observation: The RPA system in Credit Management is not fully utilized. Sending reminders for periodical submission of Stock statement and Receivables statement to Business and institutional clients is not automatically enabled in the RPA system.

7. Uniqueness of CIF numbers for each customer for all accounts held by him not ensured
Observation: It was seen that 2 CIF numbers were created by the RPA system for the same person, one taking the Aadhaar Card as base document and the other the PAN. This is due to lack of controls designed to check duplication in records.

8. Creation of credentials in RPA
Observation: Yes, each bot is assigned separate Login IDs and passwords.

9. Definition of parameters for marking 15G/15H receipt on Deposit accounts
Observation: Instances were noted where the RPA system has updated Form 15G/H for deposit account holders whose cumulative annual Interest is higher than the maximum amount not chargeable to tax.

10. Review of access controls and security of the RPA system and servers.
Observation: Upgradation of Security solutions to provide an extra layer of protection to data and RPA system access. Also, considering the sensitivity of information processed by the system, the security settings may be upgraded to the latest security solutions available in the market. ABC currently has access through swiping employee cards, logical access control in the form of passwords and Usage logging enabled for RPA system servers.

11. Review of the Password Management system of RPA.
Observation: Password management of the RPA system needs to be improved by using facilities like a credentials vault.

IT GENERAL CONTROLS

12. Whether Access Controls to the RPA system are clearly mapped to authorized personnel of the IT department.
Observation: Yes
Whether Physical and logical access controls are in place to prevent unauthorized access or use of RPA system assets.
Observation: Yes

13. Whether the location of the RPA system and related information system assets is free from environmental hazards such as fire, water seepage, direct sunlight etc.?
Observation: Yes
Are adequate controls in place to combat risks associated with these hazards?
Observation: Yes

14. Whether the RPA system and related information system assets are maintained in a clean and neat environment.
Observation: Yes

15. Whether INPUT power to the UPS is ON continuously.
Observation: Yes, INPUT power to the UPS is ON continuously in all branches and hubs.

16. a) Whether a periodic maintenance check is done for UPS & Batteries?
b) Whether a Record of Breakdowns is maintained, and any breakdown incidents occurred during the year.
Observation: YES, a Register for Record of maintenance and breakdowns is being maintained. However, the record is not seen updated.

17. Periodic back up of Emails sent by the RPA system and whether the same is stored such that it can be retrieved as and when required
Observation: YES, maintained and found in order

18. Maintenance of Report Backups and backups of System logs of RPA systems
Observation: YES, maintained and found in order

19. Is easy access to the Main switch available, to switch off power in case of emergency to avoid any damage to IT assets including the RPA system?
Observation: Yes, the Main switch is available near the Manager’s Cabin in branches and hubs and access is easy.

20. Business Continuity Plan (BCP) - Whether the BCP Document is properly updated incorporating the specific plan in relation to the RPA system and is available?
Observation: YES, it is available.
Whether staff are aware about the BCP & the alternate site identified.
Observation: Staff is aware of the BCP but no alternate site identified during inspection.

21. I.T. assets (Hardware, Software, licences etc.) inventory is maintained and verified with books of a/c. (Obtain I.T. Assets jotting from the fixed assets cell - Report discrepancies, if any.)
Observation: YES

22. Whether the different departments who are using the RPA system are aware about the correct procedures of Use
Observation: Yes, the bank has a policy of employee training sessions at regular intervals to ensure they have a proper idea about RPA.

23. Whether input power to the Server is continuously ON for regular updates in Robots for better performance of RPA.
Observation: Yes, Power to the SERVER is being supplied continuously, so that regular updates to the system will not get disturbed, which in turn leads to better functioning of RPA.
MANAGEMENT RESPONSE TO FINDINGS IN THE DRAFT AUDIT REPORT

Sl No / Audit Findings / Management Response

1. Register for Record of maintenance and breakdowns is being maintained. However, the record is not seen updated.
Management Response: Noted for compliance

2. The RPA system Bot in the customer service process notifies the incomplete transactions due to various exceptions only to the Customer service supervisor by mail.
Management Response: Recommended for updation of the Manager’s email id as well

3. The RPA system Bot in the Fraud Detection Process flags over 500 cases on a weekly basis. As noticed by the exception handling review done by the Credit control department, in about 60% of the cases the department personnel have marked that it is a normal occurrence in the account. This may be due to incorrect parameters set in configuration.
Management Response: Recommended reassessing the parameters to the IT Development and change management team

4. The RPA system in Credit Management is not fully utilized. Sending reminders for periodical submission of Stock statement and Receivables statement to Business and institutional clients is not automatically enabled in the RPA system.
Management Response: Recommended for checking the incorporation of the same into the RPA system to the IT Development and change management team

5. It was seen that 2 CIF numbers were created by the RPA system for the same person, one taking the Aadhaar Card as base document and the other the PAN.
Management Response: Noted for corrections in duplicates validation controls

6. Instances were noted where the RPA system has updated Form 15G/H for deposit account holders whose cumulative annual Interest is higher than the maximum amount not chargeable to tax.
Management Response: Noted for corrections in input validation controls

8. Adding an additional security layer to data and RPA system access
Management Response: The recommendations made are being considered for implementation

9. Scope for improving Security in relation to password management of the RPA system
Management Response: The recommendations made are being considered for implementation
Sd/-

CA MP,FCA,DISA
Place- Mumbai Managing Partner
Date: 19.10.2020 MPMS Associates
Mno. XXXXXX
FRN.00XXXXX
MPMS Associates
Chartered Accountants

IS AUDIT REPORT
on
Post Implementation Audit of Robotic Process Automation System of ABC Banking Group-
Indian Operations
Objectives of the Assignment

The primary objective of this Information Systems Audit Report assignment was to provide
assurance to the management of ABC Banking Group on the Confidentiality, Integrity,
Availability of Information and adequacy of controls in the Robotic process Automation system
implemented by the Bank in their Hubs and Branches in India and comment on the following
key aspects:

 The degree of success of the RPA implementation, evaluating whether the project has met
the goals set for it and managing the expectations of stakeholders.
 Evaluate efficacy of all elements in working solution to identify potential areas for
improvement and optimize the benefits delivered
 Assess potential risks to business post implementation and develop controls
 Assess how well the project is managed and identify shortcomings if any for future
improvements.
We have conducted the audit at the Bengaluru Shared Service Hub and Branches in Mumbai,
Gurugram and Bengaluru.

Scope of Review and Terms and Reference

Based on the understanding of ABC Bank’s needs for conducting the Post implementation audit
of their Robotic Process Automation System, the primary focus of the audit was on the adequacy
and appropriateness of the System, identification of any risks associated therein and also
ensuring the Confidentiality and Integrity of the data processed in the RPA enabled environment.
The detailed scope of review/consultation was decided in consultation with the Top
Management at their Global Level and the Managing Director and Operations Director of the
Bengaluru Hub. The scope of review was primarily from a security/controls, regulatory
compliance and benefit realization perspective and involved the following:

a) Project Execution Review
b) Design Evaluation
c) Operating Effectiveness and Key risk Analysis
d) Legal and Regulatory review
e) Process Mining and Optimization
f) Review of Exception handling process
g) Information Security Review
The audit also involved visit of 3 branches and Shared Services Hub covering Environmental
and Physical Access Controls Review, Logical Access Controls review as implemented,
Application controls as implemented and review of policies, procedures and practices relating
to IT implementation.

Our Audit Approach

The Audit was carried out as per the Audit Plan and Program, which were discussed with the
audit team of ABC and ABC’s senior management. We have used COBIT, issued by
ISACA, USA, for this review. The Key tasks of our Audit plan are highlighted below:

 Discussions with the IT department and user management
 Review of Circulars issued by ABC Ltd relating to IT operations and the Information Security
Policy
 Review of Environmental Access and Physical Access controls
 Review of Project Execution related documentation of the RPA system
 Review of Operational Data of the system and the event logs
 Risk Evaluation and testing the effectiveness of controls
 Review of RPA system Technical and User Manuals and the SLA with the Vendor
 Examination of access rights in the RPA system
 Examination of data input and output controls in the RPA system
 Observation of the users and the system in operation
 Examination of processing controls in the RPA system using test data
 Review of Reports and Audit Logs in System Software

Audit Environment

We have conducted the IS Audit at the Shared Service hub and branches of ABC Bank in India using
a Windows 7 Computer connected to the Bank’s Server with read-only access to the software,
using various CAAT tools for Data Analysis. We have also visited and reviewed operations at
all branches and conducted discussions with the personnel of the User Departments.
Audit Reports
We issued a draft report outlining our observations, issues and recommendations and obtained
feedback from the Management. Further, a meeting was held with Senior Management and IT
Department represented by Mr. ASD, Managing Director of the Indian Operations, Mr. RTG,
CTO, Mr. DFG, CIO and Mr. JKL, AGM (Finance and Accounts) where the issues and
recommendations were discussed in detail.

The report incorporates all the issues which have been agreed and confirmed. This IS Audit
report includes the following annexures and has to be read in its totality:

1. Key Audit Findings, their risk implication, and the management responses
2. Security and Access Control Review of RPA system

Overall Conclusions
Based on our review, our overall conclusions on specific areas are as follows:

Security and Access Controls

Our review of security and access controls at the IT Environment and specifically RPA system as
reviewed by us and as implemented by ABC confirms that appropriate security and
access controls have been implemented and the same are in operation. Our test checks have
revealed that systems of security and controls are reliable.

However, there are some areas where controls need to be strengthened and these are given in
Annexure 2.

Business Process Controls

Our review of business process validations and data integrity controls covering all the
core functions of ABC as facilitated by the RPA system, such as interest computation, KYC checking,
Account Opening, Closing, Report Automation etc., confirms that all related data have been duly
captured, processed and stored correctly and completely, subject to some instances which have
been listed out in the Key audit findings in Annexure 1 to this report.
However, there are cases of deficiencies in input control validations, further scope of
automation etc which have come to our notice during the process of review, and are
highlighted in annexure 1.

Further Action

We consider that the recommendations given in annexure to this report would be very useful
for facilitating business process controls of ABC and will aid in improving the effectiveness of
RPA system. We would like to affirm that the matters included in this report are those which
came to our notice during our review by following normal Information System audit procedures
by complying with globally applicable Information Systems Auditing Standards, Guidelines and
Procedures that apply specifically to Information Systems Auditing issued by ISACA, USA and
Security and Control Practices as outlined in COBIT 2019 also issued by ISACA as applied to ABC
operations for review of RPA system implementation.

Further, on account of limitations of scope and time, we have used sample test and test check
approach. Hence, certain areas, which are outside the scope of this review such as source code
review, implementation controls and general controls specific to branches are not covered.

Sd/-

CA MP,FCA,DISA
Place- Mumbai Managing Partner
Date: 19.10.2020 MPMS Associates
Mno. XXXXXX
FRN.00XXXXX
UDIN: 20XXXXXXXA12345
Annexure 1
Key Audit Findings

Sl No. / Finding / Risk Implication / Recommendation / Management Response

1. Finding: The RPA system Bot in the customer service process notifies the incomplete transactions due to business exceptions only to the Customer service supervisor by mail.
Risk Implication: Medium
Recommendation: The RPA system to be programmed to mark a mail copy to the Manager-Customer relations for better accountability and monitoring of the exception situations.
Management Response: Noted for compliance

2. Finding: The RPA system Bot in the Fraud Detection Process flags over 500 cases on a weekly basis. As noticed by the exception handling review done by the Credit control department, in about 60% of the cases the department personnel have marked that it is a normal occurrence in the account. This may be due to incorrect parameters set in configuration.
Risk Implication: Medium
Recommendation: The Programmer may be asked to review the parameters set for flagging transactions, as unnecessary flags can add to manual work in processing the same by the concerned department, which defeats the purpose of the bot.
Management Response: The parameters set are being sent for review.

3. Finding: The RPA system in Credit Management is not fully utilized. Sending reminders for periodical submission of Stock statement and Receivables statement to Business and institutional clients is not automatically enabled in the RPA system.
Risk Implication: Medium
Recommendation: In order to ensure Compliance and continued loan facility maintenance of business accounts, the RPA system can be programmed to send reminders by mail/automated telephone call to customers to submit the Stock/receivable statements 5-7 days before the due date.
Management Response: Noted for improvements in the system.

4. Finding: It was seen that 2 CIF numbers were generated by the RPA system for the same person, one taking the Aadhaar Card as base document and the other the PAN.
Risk Implication: High
Recommendation: Necessary control checks to be programmed into the RPA system to flag Name and Date of birth matching instances so that secondary checks can be enabled to avoid such instances in future.
Management Response: Noted for compliance.

5. Finding: Instances were noted where the RPA system has updated Form 15G/H for deposit account holders whose cumulative annual Interest is higher than the maximum amount not chargeable to tax.
Risk Implication: High
Recommendation: Controls need to be programmed to ensure that 15G/H is marked as yes only for Account holders whose projected interest for the year on deposit accounts is less than the set amount.
Management Response: Noted for compliance
Annexure 2

Security and Access Control Review

Sl No. / Findings / Risk Implication / Recommendation / Management Response

1. Finding: Upgradation of Security solutions to provide an extra layer of protection to data and RPA system access. Also, considering the sensitivity of information processed by the system, the security settings may be upgraded to the latest security solutions available in the market. ABC currently has access through swiping employee cards, logical access control in the form of passwords and Usage logging enabled for RPA system servers.
Risk Implication: High
Recommendation:
1. Consider employing multi-layer security solutions that provide an extra layer of protection for admin accounts, privileged password management, session recording etc.
2. Consider incorporating the latest industry standard Transport Layer Security (TLS) 1.2 protocol, which is designed to protect the privacy of information communicated over the Internet.
Management Response: Noted for Compliance

2. Finding: Password management of the RPA system needs to be improved. The passwords and other credentials are being stored in an encrypted file on the server system itself.
Risk Implication: High
Recommendation: A credentials vault should be used to store the encrypted passwords and credentials that the RPA software robots need to login to company databases and other websites during automation.
Management Response: Shall be implemented
