The central topic at Controlling 2019 was unquesionably S/4HANA. That's understandable when you consider this is a specialized event for SAP Controllers, many of whom are tasked with modernizing their financial landscape - and evaluating the options for doing so.
But the most intriguing session title at the whole show was Kent Bettisworth's "SAP's Leonardo plus RPA and audit considerations." I didn't know what the controllers at the show would think about RPA, but the session was surprisingly well attended.
After the presentation, I taped two podcasts with Bettisworth. One was on the latest in revenue recognition for SAP customers, which is right in Bettisworth's wheelhouse. The other podcast, now live, is on the convergence of auditing and RPA (podcast also embedded below).
A longtime independent SAP consultant and CEO of Bettisworth and Associates, Bettisworth had always made a point of getting ahead of the curve on where SAP financials, asset management, and project systems is headed. His RPA presentation was done in the context of SAP Leonardo, but most of his views are relevant to auditors and RPA projects - regardless of whether they are running SAP.
We started with the kick off question of Bettisworth's presentation: should your audit committee care about the quickening pace of technology change? As he told me:
The answer is yes, absolutely. Because from an audit perspective, and an audit committee, you know a couple things. One, that you don't know everything, and two, that you're one step behind the next bad event from an audit issue such as a hack, or a cyber-security issue.
Some digital change agents might not concern themselves with getting auditors on board, but that's wrong-headed. Auditing, compliance and security are at the core of many obstacles that prevent business transformation from happening. Because if you can't check those boxes, then forget about your next-gen project. Bettisworth:
That is exactly right. In fact, the audit committee ought to be viewed more as an enabler. That's your risk mitigation backstop, and you should be utilizing them.
To understand the impact of RPA on auditors, you have to start with the PCAOB (Public Company Accounting Oversight Board). The PCAOB was generated out of the 2002 Sarbanes-Oxley Act. In May 2019, the PCAOB issued some new guidance on the role of technology in auditing.
A couple of things happened. One, they released the results of auditing 2018 audits, not just in the US, but from around the world. And the results that came out of there touched on a number of key items. One, that audit firms are starting to look at artificial intelligence and robotic process automation to do a better audit job, but also that companies were not paying enough attention to the cyber security risks.
That PCAOB guidance sparked Bettisworth to dig into this from the SAP side.
Both audit firms and audit companies and specifically, the audit committees need to pay a lot more attention to cybersecurity than they are today. And this is where I made the connection with SAP Leonardo. If you're going to put in place "robots" to automate a lot of activities... let's say if 80% of your ERP system is core business processes that everybody does, they should be done the exact same when you're going to automate that.
The PCAOB, saw in the audit results the opportunity for a lot of significant mistakes, if you're not paying attention to what you're automating and how the robot is doing that.
The downside to RPA surfaced quickly:
The PCAOB saw in the audit results the opportunity for a lot of significant mistakes, if you're not paying attention to what you're automating and how the robot is doing that.
The notorious "black box" of machine learning can pose auditing problems also:
So for example, if you have a robot that is performing a task, and you are doing some coding around developing that robot, at the end of the day, it has to be able to explain how it works, and you have to be able to say that you tested it adequately all the way through.
Bias is the another problem:
The second part of that was: if there's some algorithms in there, you have to make certain that those algorithms are free of bias towards one kind of outcome or the other.
That sparked Bettisworth to dig further:
It just dawned on me that, "Oh geez, you have employees and companies that are going to sit down with young auditors and talk about the processes," and the auditor's going to say, "Well, tell me how this robotic process works for clearing out a payables account." And the young employee is going to say, "I don't know, it's a robot." So there's a huge risk there that audit committees need to be paying attention to, and be ahead of the curve on educating and evaluating exactly what's coming into the company.
I told Bettisworth that's my biggest beef with the "AI is going to change security" crowd. AI tools are needed for security because the "bad guys" are already using them to probe your systems:
You're one step behind them. They're ahead of you. So how do you mitigate that exercise? The PCAOB, one of their board members, Kathleen Hamm, spoke about this... She said clearly cyber threats are the number one threat, not just to companies - and we see headlines every day - but it's a fundamental threat to our, the basis of our capitalist system.
We wrapped the podcast by discussing RPA use cases for auditors. Bettisworth:
Obviously the number one target of every audit firm is to make certain that for your investors, that they can trust that revenue number. So in the past they might only audit exceptions or transactions posted at the end of the year.
Now they have the opportunity to look at the entire population and use a bot to pull that, to find the anomalies, look at the patterns, see what doesn't fit and pull it out.
That's the type of use case that companies can get to - if they can overcome the obstacles Bettisworth cited.
Now you're really talking about value added of a bot. Now you're getting to the core of building the foundation of trust on our capitalist system and on the financial information that we depend so heavily, which is exactly why the auditor existed in the first place.
The podcast goes deeper, but that gives a flavor for how auditors and automation intersect. You can also download the podcast.