Audit and Assurance


Auditing Robotic Process Automation RPA

  • 1.  Auditing Robotic Process Automation RPA

    Posted 26 Feb, 2019 06:04
    Hi there, I was looking for some guidance on, or risks associated with, RPA technologies. RPAs are increasingly used in the business to process bulk information, to input data into the systems and for other routine tasks. So I was thinking: could these gadgets be hacked, or misprogrammed, or make unauthorized changes… and so on…

    As an internal audit department we are looking to implement our own RPA to improve our processes, and during this journey I thought: these risks of this RPA, where are they?


    Simon Toledo
    IT Internal Auditor

  • 2.  RE: Auditing Robotic Process Automation RPA

    Posted 27 Feb, 2019 06:56
    RPA tools can be treated like EUCs, or end user computing tools, which you would test for controls around access and change management.

    Depending on the actual process that is being automated, you can just run it and see what it does. You also have to consider if the RPA is utilizing API connections or leveraging other tools.

    Does it store passwords? Or reference files that it is given access to, to which access is restricted? Is that password visible within the RPA file?

    If you are looking at it from an operational risk standpoint, I would see if they are tracking metrics and logging errors.

    That is all I can think of off the top of my head.

    Igor Yezhov

  • 3.  RE: Auditing Robotic Process Automation RPA

    Posted 28 Feb, 2019 13:56
    @Simon Toledo,

    Not something I have audited I'm afraid.  @Igor Yezhov has provided some good pointers.  When auditing an area I'm not familiar with I like to try and break things down to some of the components I am more familiar with.  See for example.  I hope this helps.

    Can any other members provide better advice to Simon on this one?

    Best Regards,


    Ian Cooke
    Audit & Assurance Topic Leader
    ISACA Journal Columnist

  • 4.  RE: Auditing Robotic Process Automation RPA

    Posted 05 Feb, 2020 05:54

    A year late to the thread, but I hope it is of some help to those who may need it.

    Here are some add-on risks besides what would apply from the general controls already pointed out:

    IP leaks through procurement and contracting: RPAs that may be trained for a specific industry may be IP. So contractual clauses should cover protection of such IP.

    ROI not in place: Bots in some cases may be replacing workers. Overall, there is a cost to keep them running, not to mention the human(s) overseeing them. So benefits realization should be in place to accurately measure the costs.

    Insecure code: At least once there should be a code review to ensure there are no inherent backdoors.

    No audit trail: A clear audit trail is needed to detect manipulated bot activity and to aid forensic investigation.

    Insecure configuration: Configuration repository should be controlled through versioning and monitoring.

    Credential theft: A secure credential vault should be used to prevent credential theft.

    Lack of data classification: Bots should be set up to apply the classification of data.

    Licensing penalties: Bots may be scaled, however licenses may not keep up. If you have a rapidly scaling environment there should be efficient tracking to avoid penalties.

    Ashok Devaraj
    IT Audits Lead
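Igor's question in post 2 (is the password visible within the RPA file?) and Ashok's credential-vault point in post 4 can be turned into a repeatable audit check. The script below is an added example, not code from any post in this thread or from any RPA vendor: it walks a constructed, vendor-neutral workflow definition and flags credential-looking fields whose value is not a vault reference (the `vault://` prefix is an assumed convention, and the field names and sample values are made up).

```python
import re
from typing import Any, Iterator, List, Tuple

# Constructed, vendor-neutral workflow definition used as sample input.
# Real RPA tools each have their own file format; this mirrors the common
# "steps with parameters" shape so the check is easy to adapt.
SAMPLE_WORKFLOW = {
    "name": "invoice-upload",
    "steps": [
        {"id": 1, "action": "login", "params": {"user": "svc_rpa", "password": "Winter2019!"}},
        {"id": 2, "action": "login", "params": {"user": "svc_erp", "password": "vault://erp/svc_erp"}},
        {"id": 3, "action": "http", "params": {"url": "https://api.example.test", "api_key": "CONSTRUCTED-KEY"}},
        {"id": 4, "action": "copy", "params": {"src": "\\\\share\\in", "dst": "\\\\share\\out"}},
    ],
}

# Field names that usually carry a secret (case-insensitive, matched at end of key).
SECRET_KEY = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key|pwd)$", re.I)
# Assumed convention: values resolved from a credential vault start with vault://
VAULT_REF = re.compile(r"^vault://")


def _walk(obj: Any, path: str = "") -> Iterator[Tuple[str, str, Any]]:
    """Yield (dotted_path, leaf_key, value) for every leaf in a nested dict/list."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{path}[{index}]")
    else:
        yield path, path.rsplit(".", 1)[-1], obj


def find_plaintext_credentials(workflow: dict) -> List[str]:
    """Return the paths of credential-looking fields that hold a literal value
    instead of a vault reference; each path is an audit finding."""
    findings = []
    for path, key, value in _walk(workflow):
        if SECRET_KEY.search(key) and isinstance(value, str) and not VAULT_REF.match(value):
            findings.append(path)
    return findings


if __name__ == "__main__":
    for finding in find_plaintext_credentials(SAMPLE_WORKFLOW):
        print(f"plaintext credential at {finding}")
```

Run against an exported workflow, the finding list is the evidence for the access and change-management test: every hit is a credential that should be moved into the vault and rotated.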