Integrated Risk Management
Through the application of technology and automation, we'll help you manage your risks efficiently and effectively across the entire enterprise.
Identity and Access Management
We'll help you ensure everybody within your organisation has access to the right systems and data, for the right reasons, and at the right time.
Cyber & Application Security
Our experts will uncover security weaknesses within your security design and business-critical applications. Helping you protect your organisation from both internal and external threats.
About us
A group of passionate individuals with a shared purpose to help the world's leading companies embrace best practices for GRC and risk management.
Turnkey's strategic partner network consists of selected organisations that complement our capabilities.
Corporate Social ResponsibilityCSR
We are committed to being agents for change through our Climate Action Plan, championing diversity in our workplaces, and more.
Get in touch
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
We have operations in all corners of the globe, so see which office is nearest to you and connect with them.
Webinars & eBooks
All of Turnkey's webinars, guides and other insights available in one place.
Read the latest insights from our experts on GRC and risk management, covering the latest industry topics.
Press Coverage
See all the publications where Turnkey, our experts and our successes have been noted.
Key events
See the key industry conferences on GRC, SAP security and risk management which we are attending.
Case Studies
Client satisfaction is of the utmost importance to us, and we strive to constantly deliver above expectations, going the extra mile at every opportunity.
We've put together a comprehensive list of frequently asked questions - along with our responses - to the most common GRC and SAP security issues.
23 October 2018

The rise of robotic process automation in centralising controls

Robots are on the rise in business.

As organisations become ever more focused on replacing manpower with technology in service delivery, an increasing number are turning to Robotic Process Automation (RPA) to streamline and automate certain processes.


In fact, a recent report by Everest Group found that 28% of firms were already using automation-deployed technology, whilst 50% of global IT service centres were actively deploying automation pilots. It also predicted that the global automation market would be worth nearly $5billion by 2020.

What exactly is RPA?

In simple terms, RPA means the deployment of a virtual cohort of ‘robots’ that are used to imitate human users by performing repetitive manual work across applications and systems, but without the need for complex systems integration. These robots can interact with a user interface just like a human would and switch between tools to perform tasks such as copying and pasting data.

The benefits of this are obvious, as it frees up staff from repetitive and time-consuming work and cuts down on human error – thus driving efficiency and productivity, reducing cycle time, and improving accuracy.

RPA is often adopted by departments such as finance and operations, where departmental pain points can be easily alleviated by automating ‘RPA friendly’ tasks such as data entry, payments and invoice processing.

But RPA can also play a significant role in supporting the centralisation of the risk and controls function.

How RPA can drive controls centralisation   

The traditional approach to managing risk has often been to allow each individual business unit to control its own area of responsibility, rather than having one centralised team that manages risk across the organisation.

But RPA now offers the opportunity to centralise controls without the need for a heavily-staffed ‘Centre of Excellence’ (CoE) to manage the process. That’s because RPA is able to reduce the amount of manual intervention needed throughout the controls process, so that IT administrators just receive noted exceptions, rather than actually operating an excessive number of controls. This helps to remove the unnecessary duplication and overlap of controls and drive better integration of controls across the enterprise.

The RPA solution effectively tells them what they need to think about, based on what it defines as being necessary to bring to their attention. This obviously takes a lot of work away from staff responsible for controls, allowing them to concentrate on more productive work - such as further developing the internal controls framework - as they don’t have to look at as many control activities as before. A CoE then becomes a more affordable reality, as it has been designed with automation at the core.

Levels of RPA in controls automation

How RPA is used in controls will obviously vary from business to business, but it has three main strands:

Automating existing manual controls: The simplest way of using RPA is by automating what you've already been doing manually, such as batch jobs and simple scripts. For example, you could automate the review of certain logs – e.g. user activity and admin activity logs - to keep a check on certain unauthorised transactions

Automating controls testing: You can also use RPA to bring in more efficiencies through the testing of controls, by implementing automated scripts with analytical capability. This removes the need for a human user to analyse testing data and deem a control to be either effective or ineffective. For example, RPA can be used to test the status of default user account control. This can be end-to-end as it can even fill in documentation templates for the controls tested and then store in a document repository for review.

Automating controls monitoring: The third role of RPA in controls is through implementing continuous monitoring systems with controls dashboards that constantly watch over controls. For example, automatic and continuous monitoring of change management controls can be established to ensure all changes are approved and adequately tested before being moved into production. Other examples are to identify usage conflicts of Segregation of Duties within the system or to spot suspicious exceptions within a defined process that may require investigation.

In summary

It is important to remember that RPA is not a straight substitute for human risk and controls management. People must still run the controls process and ultimately make the necessary decisions. But with the ongoing advances in machine learning, it means RPA is likely to be an increasingly important component of controls.

This will mean regulators taking considerable interest, especially as robotics may worry many employees in regards to their future responsibilities and employment. Although, increased use of RPA will also create new employment opportunities that combine automation and risk management competencies.

Executives must also be ready to assess whether too much reliance is being placed on RPA and whether the intended purpose has grown too large, particularly where decision-making is concerned.

Overall, RPA presents an exciting opportunity for risk and controls, but ultimately it can’t automate everything. Organisations must ensure that RPA is there to speed-up processes, to scale the number of controls in place and to free up staff to do the work that robots can’t – such as innovating, problem solving and making decisions.

With the increasing cost of managing compliance, risk and controls continues to be a focus for business leaders, shareholders, auditors and regulators. While most organisations are still operating at the relatively early stages of their automation journey,  RPA is now regarded by many as the future of controls.