Leading Insights Blog

Three Practical Recommendations to Secure Robotic Process Automation (RPA) in a Federal Information Technology (IT) environment

Written by Principal, Mark Munster

Overview

As technology advancements continue at a rapid pace and agencies face the challenge to increase efficiency across their operational processes, the use of RPA is becoming more prevalent across the Federal Government.

RPA is a rapidly growing automation technology that allows software (referred to as a “bot”) to emulate and integrate the actions of a human interacting with systems in order to execute a business process. RPA software automates repetitive work tasks such as executing queries; performing calculations; creating and updating records; filling out forms; producing reports; and executing other high-volume or time-consuming transactional tasks that involve moving data within and between applications.

The Federal Government is also implementing RPA to support key business processes and internal control activities.  This may include, for example, operational controls that support critical security functions (e.g., audit log monitoring); processes that support information technology general controls (ITGC) (e.g., account management removal); as well as business processes that support internal controls over financial reporting (e.g., financial reporting reconciliations).

As RPA Program Teams begin their journey with this technology, a coordinated and integrated effort with key assurance stakeholders will help manage risks associated with proper security control selection and testing and the development of the artifacts that support internal control and audit activities.  This article provides three overarching recommendations for RPA Program Teams to support the successful implementation and operation of the program.

Challenge

Unique challenges exist for emerging and pre-production RPA programs.  Program Teams can often overlook fundamental security and internal control requirements, which increases the risks to the program.  Additionally, for production bots that support security operations and financially relevant business processes, there is an increased risk to the overall financial systems control environment.  Ultimately, this can have a high degree of impact on the reliability of control performance over these financially relevant processes and systems, and the same exposure extends to third-party service providers leveraging this technology to improve the efficiency of their operations.

Bots can work in “attended” or “unattended” deployment modes:

  • An attended bot can perform automations as part of an end-to-end process with human involvement (i.e., humans initiate the bots).
  • An unattended bot executes automations and interacts with applications independent of any human involvement (i.e., a command center or orchestration server operates the bots).

Each deployment mode has risks to consider.  Additionally, as programs mature (typically measured by the number of unattended bots in a production environment), additional controls will be selected and implemented, and artifacts will be produced to support the decision-making, growth, and performance of the program.

Recommendations

There are three overarching recommendations for RPA Program Teams when implementing or executing RPA programs:

  1. Involve Key Stakeholders

The General Services Administration (GSA) RPA Program Playbook depicts the RPA Program in part based on the number of bots in production.  RPA Program Teams, regardless of the level of maturity of the program, should consider involving key assurance stakeholders throughout.  This will ensure that the proper security and internal controls are considered early and throughout, from pilots to product-ready bot development.

RPA Program Teams typically consist of, at a minimum:

  • The System Owner (i.e., the owner of the technology)
  • Project Manager (PM)
  • RPA Development Team
  • Consultation with the Chief Information Officer (CIO)/technology office
  • Key Assurance Stakeholders (individuals or groups) with the following broad responsibilities: Systems Security, Information Security, Privacy, IT Risk Management, Internal Compliance, and Internal Controls
  • Additional collaboration may be required from key business stakeholders sponsoring and participating in pilots, use case workshops, software testing, or stakeholders impacted by Agency automation initiatives.

  2. Implement Security and Internal Controls for Key Risk Areas

While implementing RPA brings operational effectiveness and efficiency to an organization, it also introduces risks to the existing business system environment.  The RPA Program Teams should proactively identify, assess, and manage those risks with appropriate controls.

In our experience, RPA Program Teams should pay particular attention to certain focus areas.  At a minimum, we recommend implementing key security and internal controls over the following risk areas:

  • Program Management (e.g., Project Management, Technical Evaluations, Vendor Selection, Pilots, Obtaining Security Approval)
  • Risk and Governance (e.g., Security Strategy, Policies and Procedures, Risk Management Framework, Data Strategy)
  • Access Controls (e.g., Access Authorization/Reauthorization, Logging and Monitoring, Protection of Credentials, Physical Access, Network Security)
  • Configuration Management (e.g., Change Management, Program Development, Patch Management, Maintenance)
  • Segregation of Duties (e.g., Segregation of Duties [SoD] Matrix, Incompatible Business Transactions, Administrator Access, Developer Access)
  • Bot Deployment and Monitoring (e.g., Data Input Validation, Completeness and Accuracy, Error Handling, Error Resolution).
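To make several of these risk areas concrete, the following is an added example (not code from the article or from Kearney & Company): a small run-control wrapper around one unattended bot run that exercises protection of credentials (the secret is read from the environment as a stand-in for a vault lookup, never hardcoded), segregation of duties (an SoD matrix check on the bot identity's assigned functions before the run starts), data input validation, and completeness and accuracy reconciliation, with every decision written to a structured audit log. The SoD matrix, the record layout, the `BOT_API_TOKEN` name and the `process` callback that stands in for the actual automation step are all constructed assumptions.

```python
"""Run-control wrapper for an unattended RPA bot (added example; the SoD
matrix, record format, credential name and process() callback are assumed)."""
import json
import os
import re
from datetime import datetime, timezone

# Constructed SoD matrix: pairs of functions one bot identity must never hold together.
INCOMPATIBLE_FUNCTIONS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_journal", "post_journal"}),
    frozenset({"rpa_developer", "rpa_production_runner"}),  # developer vs. production access
}

# Constructed record-id format: two letters followed by six digits.
RECORD_ID = re.compile(r"^[A-Z]{2}\d{6}$")


def sod_conflicts(assigned_functions):
    """Return the incompatible pairs present in one identity's assignments, sorted."""
    assigned = set(assigned_functions)
    return sorted(tuple(sorted(pair)) for pair in INCOMPATIBLE_FUNCTIONS if pair <= assigned)


def load_credential(name, env=os.environ):
    """Fetch a bot credential from the environment (stand-in for a vault lookup).
    A missing credential stops the run instead of falling back to an embedded secret."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"credential {name} not provisioned; refusing to run")
    return value


def validate_record(rec):
    """Input validation before the bot types anything into a target system."""
    errors = []
    if not RECORD_ID.match(str(rec.get("id", ""))):
        errors.append("bad id")
    try:
        amount = float(rec["amount"])
        if amount <= 0 or amount > 1_000_000:  # constructed tolerance limits
            errors.append("amount out of range")
    except (KeyError, TypeError, ValueError):
        errors.append("bad amount")
    return errors


def audit(log, event, **fields):
    """Append one timestamped, structured entry to the run's audit log."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "event": event, **fields}
    log.append(entry)
    return entry


def run_batch(bot_identity, assigned_functions, records, process, env=os.environ):
    """Execute one batch under control. `process(rec, token)` is the hypothetical
    automation step that posts a single record and returns a confirmation id."""
    log = []
    audit(log, "run_start", bot=bot_identity, input_count=len(records))
    conflicts = sod_conflicts(assigned_functions)
    if conflicts:  # SoD violation: block before any transaction is touched
        audit(log, "sod_block", bot=bot_identity, conflicts=conflicts)
        return {"status": "blocked", "processed": 0, "rejected": [], "log": log}
    try:
        token = load_credential("BOT_API_TOKEN", env)
    except RuntimeError as exc:
        audit(log, "credential_missing", detail=str(exc))
        return {"status": "blocked", "processed": 0, "rejected": [], "log": log}

    rejected, confirmations, valid_ids = [], {}, []
    for rec in records:
        errs = validate_record(rec)
        if errs:
            rejected.append((rec.get("id"), errs))
            audit(log, "input_rejected", record=rec.get("id"), errors=errs)
            continue
        valid_ids.append(rec["id"])
        try:
            confirmations[rec["id"]] = process(rec, token)
            audit(log, "record_posted", record=rec["id"], confirmation=confirmations[rec["id"]])
        except Exception as exc:  # routed to error resolution, never silently dropped
            rejected.append((rec["id"], [f"processing error: {exc}"]))
            audit(log, "processing_error", record=rec["id"], detail=str(exc))

    # Completeness and accuracy: every valid input posted exactly once, no duplicates.
    complete = len(confirmations) == len(valid_ids) and set(confirmations) == set(valid_ids)
    status = "complete" if complete and not rejected else "exception"
    audit(log, "run_end", status=status, processed=len(confirmations), rejected=len(rejected))
    return {"status": status, "processed": len(confirmations), "rejected": rejected, "log": log}


if __name__ == "__main__":
    sample = [{"id": "AB123456", "amount": "10.50"}, {"id": "bad", "amount": "5"}]  # constructed
    result = run_batch("bot-ap-01", ["enter_journal"], sample,
                       lambda rec, token: "CONF-" + rec["id"], {"BOT_API_TOKEN": "t"})
    print("\n".join(json.dumps(e) for e in result["log"]))
```

A run whose status is `exception` is the hand-off point for the error-resolution procedure: the audit log names each rejected record and why, so the reviewer can resolve it without re-running the batch. The same wrapper can be reused for an attended bot by having the human initiator call `run_batch` instead of the orchestrator.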

  3. Develop and Maintain Key Artifacts

A critical component of the program is to produce and maintain the right documentation to support the program and audit response activities.  At a minimum, the following artifacts should be created, retained, and maintained to support compliance activities:

  • Privacy Impact Analysis
  • Security Impact Analysis
  • RPA Security Plan (e.g., RPA Standards, Naming Conventions, Testing Protocols, Operational Protocols)
  • Security Architecture
  • Initial Security Approvals
  • High-Risk Control Considerations (i.e., Access Controls, Configuration Management Controls, Segregation of Duties Controls)
  • Data Sharing Agreements (DSA)
  • Interconnection Security Agreements (ISA)
  • Memorandums of Understanding (MOU)/Memorandums of Agreement (MOA).

Connect with us

This publication is for informational purposes only and does not constitute professional advice or services.  Readers should first consult with a professional before acting with regard to the subjects mentioned herein.  

Kearney & Company is a CPA firm that is focused on providing accounting and consulting services to the Federal Government. For more information about Kearney & Company, please visit us at www.kearneyco.com or contact Mr. Phil Moore, Partner, at (703) 931-5600 or via e-mail at [email protected].
