Executive Summary

A typical Robotic Process Automation application provisions the interface with multiple systems that impacts the underlying system control environment.
RPA offers a broader spectrum of internal and external application integration may lead to manual override or unauthorized changes which often goes
undetected. RPA is a risk based implementation approach to effectively manage and monitor the risks arising from automation.

Scope of work How we can help

• Work Area I – Automation (Risk Management by the
BOT)
• Risk Management by the BOT helps to modernize its assessment
processes to make it’s functioning more robust and cost effective.
• Implementing BOT will present an opportunity to automate the
testing of the controls which will improve the risk assessment
process.
• BOT implementation will reduce the overall cost of compliance
operations to make the assessment process more robust and
automated
• Work Area II – Risk Management for the BOT
• Organization’s RPA implementation and advisory services are
designed to help you get comprehensive view of BOT risk
assessment and the managed services the BOT can provide.
• We’ve done this before and are currently working with
you on other BOT implementations: We have effectively
delivered many similar projects at other organizations. We’ve
included and described select projects in the qualifications section of
the proposal. Additionally we will leverage on learnings from our
current BOT implementation engagement with you to enhance the
overall outcome.
• Seasoned team: We have assembled a team of dedicated
practitioners, with the right skillset, the experience needed across
risk and control domains to meet your unique needs.
• Strong relationships with stakeholders and a
demonstrated track record of effective partnering in the
past: Organization has assisted clients with a number of complex
initiatives in the past, through which we have developed a strong
understanding of the company’s operations and philosophy. We will
be able to leverage our experiences and insights gained into various
parts of the organization, including relationships we have fostered
with stakeholders across the company to drive efficiencies.

We will bring a fresh perspective to our approach and partner with you through every step of the process to bring you
the right outcomes on this project.

1
Detailed Approach: User Access Creation and Modification process
As-Is Process
• Testing Team requests for population of User
access provisioning / roles modified per
application
• Testing Team selects samples based on size of
population
• Testing Team requests for approval evidences
for samples selected for testing
• Testing Team manually checks for all approvals
for user access provisioning / roles modified
• Testing Team manually checks whether access
granted is prior to approvals provided
• Testing Team follows the same process per
application for all in-scope applications
• Testing Team would collate all exceptions
manually for deficiency evaluation
To-Be Process
• BOT is configured on centralized UAM tool which
is interfaced with all the applications.
• BOT will extract population for all new/modified
access granted during audit period.
• BOT will test all tickets for new access or
modified access with the respective approvals in
each application
• BOT will throw an exception report for all
unauthorized accesses granted or access
granted prior to approvals
• BOT will collate exceptions for all applications for
further deficiency evaluation
BOT benefits
• With the application of BOT, testing can be done
for 100% of the population as against a sampled
testing approach under manual testing. This
would give more comfort on the testing
conducted
• Testing time for a sample user request under
manual approach would take ~20 minutes. This
time would be reduced to ~2 minutes by
applying a BOT
• Testing would be on a continuous basis without
intervention of IT and business teams thus
saving efforts on data extraction and evidence
gathering
• BOT would directly throw the exception report so
that the tester can devote time to the exception
handling
2
Detailed Approach: User Access Revocation
As-Is Process
• Testing Team requests for User access policy on
access revocation
• Testing Team requests for population of User
exits per application
• Testing Team selects samples based on size of
population
• Testing Team manually checks whether user
access is revoked within the SLA defined in
policy
• Testing Team would collate all exceptions
manually for deficiency evaluation
To-Be Process
• BOT is configured on centralized UAM tool which
is interfaced with all the applications.
• BOT checks for User access policy on access
revocation
• BOT picks up population of User exits per
application
• BOT checks all cases of user exits and whether
user access is revoked within the SLA defined in
policy
• Testing Team would collate all exceptions
manually for deficiency evaluation
BOT benefits
• With the application of BOT, testing can be done
for 100% of the population as against a sampled
testing approach under manual testing. This would
give more comfort on the testing conducted
• Testing time for a sample user request under
manual approach would take ~20 minutes. This
time would be reduced to ~2 minutes by applying
a BOT
• Testing would be on a continuous basis without
intervention of IT and business teams thus saving
efforts on data extraction and evidence gathering
• BOT would directly throw the exception report so
that the tester can devote time to the exception
handling
3
Detailed Approach: User access review
As-Is Process
• Testing team checks for User access review
policy for the frequency to conduct User access
reviews
• Testing team requests for User access review
samples for each application to the IT team
• Testing team follows up for evidences with the
IT team of each application in-scope
• Testing team checks whether the User access
review is performed by each functional head for
their respective functions
• Testing team collates the issues for further
discussion
To-Be Process
• BOT will review the policy document for User
access review
• BOT will draft emails requesting evidences from
the IT teams for User access review performed for
each application in scope
• BOT will send reminders to the IT teams for any
User access review evidences not received in time
• BOT will review the User access review evidences
for each application and check whether the review
was performed by functional heads for each
application
• BOT will highlight issues for access review not
performed and collate issues for further discussion
BOT Benefits
• With the application of BOT, testing can be done
for 100% of the population as against a sampled
testing approach under manual testing. This
would give more comfort on the testing conducted
• Testing time for a sample request under manual
approach would take ~20 minutes. This time
would be reduced to ~2 minutes by applying a
BOT
• Testing would be on a continuous basis without
intervention of IT and business teams thus saving
efforts on data extraction and evidence gathering
• BOT would directly throw the exception report so
that the tester can devote time to the exception
handling
4
 Detailed Approach: Incident Management Process
As-Is Process
• Testing team will download population of
change requests from the Incident reporting
tool
• Testing team would select 1 sample for Design
testing and samples for operating effectiveness
testing based on sampling approach. Incidents
would be selected based on severity or any
other criteria
• Testing team would follow up for evidences on
root cause analysis (RCA) and remedial actions
taken
• Testing team would check if the incidents were
resolved as per defined SLA for severities
noted
• Testing team would collate all exceptions
manually based on the type of deficiencies
noted
To-Be Process
• BOT will extract population of all incidents from
the Incident Reporting Tool
• BOT will search folders and check evidences for
root cause analysis (RCA) and remedial actions
taken
• BOT check if the incidents were resolved as per
defined SLA for severities noted
• BOT will flag out exceptions for change requests
not complying with the defined process
• BOT will check for any repeat incidents which can
be passed on for problem management and
investigation
BOT Benefits
• With the application of BOT, testing can be done
for 100% of the population as against a sampled
testing approach under manual testing. This would
give more comfort on the testing conducted
• Testing time for a sample request under manual
approach would take ~20 minutes. This time
would be reduced to ~2 minutes by applying a
BOT
• Testing would be on a continuous basis without
intervention of IT and business teams thus saving
efforts on data extraction and evidence gathering
• BOT would directly throw the exception report so
that the tester can devote time to the exception
handling
5
Detailed Approach: Change Management Process
As-Is Process
• Testing Team will download population of
change requests from the Change request tool
• Testing Team would select 1 sample for Design
testing and samples for operating
effectiveness testing based on sampling
approach
• Testing Team would manually check
Segregation of environments for all
applications in scope by requesting evidences
• Testing Team would manually check for
Segregation of duties for each application in
scope
• User Acceptance Testing (UAT): Testing Team
would manually check for UAT sign off for all
applications in scope for Design effectiveness
as well as for operating effectiveness for
samples selected
• Migration approval: Testing Team would
manually request for migration approvals for
all applications in scope
• Testing Team would collate all exceptions
manually based on the type of deficiencies
noted
To-Be Process
• BOT will be implemented to collect population of
change requests from the Change request tool
• BOT can be configured to analyze the
parameters for change requests used such as–
Normal change or Emergency change, Low,
Medium or High level change
• BOT would test below controls for:
• Segregation Of Environments: BOT will collect IT
environment details for development, test and
production environment.
• Segregation of duties : BOT will check whether
developer has access to Production environment
• Migration Approval : Bot will check for migration
approvals and authenticate with the Delegation
of Authority matrix for the changes to be
deployed in production environment.
• BOT will gather evidences for User Acceptance
testing
• BOT will flag out exceptions for change requests
not complying with the defined process
BOT Benefits
• With the application of Bot, testing can be done
for 100% of the population as against a
sampled testing approach under manual testing.
This would give more comfort on the testing
• Testing time for a sample change request under
manual approach would take ~20 minutes. This
time would be reduced to ~2 minutes by
applying a Bot
• Testing would be on a continuous basis without
intervention of IT and business teams thus
saving efforts on data extraction and evidence
gathering
• BOT would directly throw the exception report so
that the tester can devote time to the exception
handling
6