COSO offers governance framework for robotic process automation

The Committee of Sponsoring Organizations of the Treadway Commission published a framework for imposing internal controls over robotic process automation.

COSO is jointly sponsored by the American Accounting Association, the American Institute of CPAs, Financial Executives International, the Institute of Management Accountants and the Institute of Internal Auditors.

The publication, Achieving Effective Internal Control Over Robotic Process Automation, was commissioned by COSO and co-authored by Marc Eulerich, a professor of internal auditing at the Mercator School of Management at the University Duisburg-Essen in Germany; Jan Gruene, a leader for Digital Internal Audit at Deloitte Germany’s Risk Advisory Practice; and David A. Wood, an accounting professor at Brigham Young University in Utah. It describes an RPA governance framework designed to help organizations maximize RPA benefits while mitigating risks through an effective internal control framework. COSO already provides widely used frameworks for internal controls and enterprise risk management and earlier this year began working with the National Association of Corporate Directors on developing a corporate governance framework.

Robotic process automation relies on computers to perform repetitive, rules-based tasks that have traditionally been performed by humans. However, the COSO paper notes that RPA technology comes with significant governance and control challenges that should be addressed to maximize RPA’s benefits while mitigating the associated risks. 

The white paper provides a guide for integrating RPA governance requirements with the COSO Internal Control Integrated Framework. COSO’s RPA governance framework identifies several governance areas and control requirements to address common challenges associated with RPA, including security vulnerabilities, process knowledge loss and uncontrolled bot proliferation. RPA offers significant advantages, but also introduces risks such as inconsistent bot deployment, increased potential for security breaches, and difficulties in scaling automation efforts. 

“The integration of RPA governance principles with the COSO-ICIF framework is an important step for organizations looking to not only leverage the benefits of automation but also maintain a robust system of internal controls,” said COSO executive director and chair Lucia Wind in a statement Thursday. “This publication provides practical strategies and best practices for ensuring that RPA implementations align with established governance principles, thus protecting organizations from emerging risks and enabling long-term success.”

COSO acknowledged that RPA offers organizations significant efficiency, cost savings and accuracy improvements, but warned that it also introduces some unique governance and internal control challenges. RPA provides ease of use, low cost, and scalability but that can lead to ad-hoc implementations that bypass traditional IT governance frameworks, creating potential security risks and operational inefficiencies. The paper discusses how organizations can align RPA governance with the five key components of the COSO-ICIF framework: control environment, risk assessment, control activities, information and communication, and monitoring activities.

“By addressing each component of the COSO framework in relation to RPA, organizations can develop a holistic approach to governance that supports both innovation and control,” Wind stated.

By mitigating the various risks through a structured internal control framework, organizations can make sure their RPA initiatives contribute to overall operational effectiveness while maintaining a high standard of governance and risk management.