
The design and implementation of RPA A design science study in a healthcare organization


Academic year: 2021


Student name: Jules Rogier Schutte

Student number: S3542092

MSc Accountancy & Controlling

Supervisors: prof. dr. J.A. Emanuels, F.J. Bos Ra

Date: 28-09-2020


ABSTRACT

Robotic process automation (RPA) is the fastest-growing segment of the global software market. This is no less true in healthcare systems in which the constant quest to improve, expand, and reach all those who need their services guides practices geared towards innovation. For the healthcare industry, the use of robotic process automation is one way to improve upon customer care and service. This study examines what preconditions must be met to assure that robotic process automation will be correctly designed and implemented. In this study, a specific process of a healthcare organization will be used as a test case for the design and implementation of RPA. Study methodology is based on ‘the design science research method’ paradigm in which different types of data are collected. This data spans from theories and literature to interviews with RPA experts and a healthcare organization. The collected data resulted in twelve preconditions which are described in the “artifact” that must support the design and implementation of RPA.

CONTENTS

ABSTRACT

1. INTRODUCTION

1.1 Research Contribution

2. THEORETICAL FRAMEWORK

2.1 Robotic process automation

2.2 Internal Control and Preconditions for the Design and Implementation of RPA

2.3 Acceptance theory

3. METHODOLOGY

3.1 The contribution of Information Systems in Design Science

3.2 Defining a Specific Internal Control Problem

3.3 Defining the Requirements for the Problem

3.4 Designing of the Artifact

3.5 Demonstration and Validation of the Artifact

3.6 Evaluation

4. CASE STUDY

4.1 Problem description

4.2 Defining the Requirements for the Problem

4.3 Artifact

4.4 Demonstration and Validation of the Artifact

4.5 Evaluation

5. CONCLUSION AND DISCUSSION

1. INTRODUCTION

On June 24th, 2019, Gartner, Inc. published a news article stating that robotic process automation (RPA) grew 63% in 2018. The article also states that RPA software revenue grew 63.1% in 2018 for a total revenue of $846 million. RPA is the fastest-growing segment of the global software market, and according to Gartner, Inc., RPA software revenues reached $1.3 billion in 2019. RPA software use is now ubiquitous; it can be found in all industries. The biggest adopters of RPA software are banks, insurance companies, telecom providers, and utility companies. These organizations traditionally have many legacy systems, and they choose RPA solutions that can integrate and function with these older systems (Moore, 2019).

In this contemporary moment, all organizations and institutions have to deal with digitization; subsequently, digitization is no longer a marginal phenomenon. Information systems evolve constantly and bring about new products and opportunities. Therefore, business organizations are continuously undergoing digital transformations. In response to fast-changing circumstances and never-ending innovation, companies are developing multi-faceted information systems so as to improve their effectiveness and efficiency. In a general sense, the characteristics of an organization and the capabilities of its information systems, work systems, and implementation methodologies together determine the extent to which the purpose of an information system can be achieved (Hevner et al., 2014). Fettke and Loos (2018) have discussed the structuring of information systems in the context of RPA; they conclude that RPA is strongly linked to information systems.

RPA is a tool that can help organizations become more efficient while reducing costs (PwC, 2017). RPA is a flexible tool that can be used for different processes. For example, both invoice processing and customer account crediting can be done automatically (Lacity et al. 2015) (Seasongood, 2017). Though the application of RPA to auditing remains largely unexplored, audit firms and standard setters have recently shown an interest in using RPA technologies to perform audits (Moffit et al., 2018) (IAASB 2016) (PCAOB 2017a) (KPMG 2016) (PwC 2017). Therefore, it is not surprising that RPA is emerging as an area of interest in healthcare systems (CiGen, 2020).

Hofmann et al. (2019) found that some companies have already successfully adopted RPA, although the practical application of RPA is still in its infancy. Some scholars and consultants claim that RPA is just one step on the way to more intelligent cognitive automation. Nevertheless, challenges persist. For example, in order for companies to successfully adopt RPA, RPA technologies require a framework to manage risks and controls. However, as organizations eagerly embrace these new tools, the implementation of a governing framework is not always straightforward (Osmundsen et al., 2019). There is no standardized governance framework that fits all organizations or RPA processes, especially when it comes to risk and control programs. Without the proper governance of internal controls, the benefits of using RPA can quickly evaporate. For example, the chief goal of an internal control system is, amongst other things, to provide reasonable and adequate information for financial reporting. This includes the reliable drafting of financial statements (Rubino & Vitolla, 2014). Good internal control is considered essential for any company seeking high quality financial reporting (Krishnan, 2005). The implementation of an RPA requires some jobs to be redesigned. It also requires the successful management of robot-human interactions. It is the responsibility of management to prepare employees to manage and understand how to use automated systems (KPMG, 2019) (PwC, 2017) (EY, 2018). Therefore, one important part of implementing RPA involves establishing the preconditions necessary for RPA well before its implementation. These preconditions can contribute to the proper governance of internal controls on both the IT technical and the practical aspect of said phenomenon. Romney and Steinbart (2018) describe different risks that lead to preconditions for standard internal control problems. Furthermore, several academics have described different types of preconditions for the use of RPA (Bygstad et al., 2017) (Bygstad and Iden, 2017) (Mezzio et al., 2019) (Osmundsen et al., 2019) (Lacity and Willcocks, 2015). Thus far, none of these studies has used a case study in practice to combine and test all the preconditions that contribute to internal control for the proper design and implementation of RPA.

This study will investigate the preconditions for the design and implementation of RPA. It is the expectation of this study that ascertaining preconditions should lead to a higher internal control of an information system. The preconditions will be tested at a healthcare institution in the Netherlands which does not currently use RPA. Healthcare systems around the world are on a constant quest to improve, expand, and reach all those who need their services (CiGen, 2020). Digital transformation can lead to improvements, but it also presents challenges. In the past few years, RPA and automation initiatives have drawn much corporate attention (Hofmann et al., 2019) (CiGen, 2020). However, RPA use is not widespread in healthcare settings (Steger, 2020). This research argues that the healthcare industry can use RPA to improve efficiency and reduce costs. The National Healthcare Service (NHS) has significantly benefited from its use of RPA. In that system, the use of RPA has led to improved productivity and cost savings. It has also improved quality and compliance (National Healthcare Service, 2018).

In this research, a healthcare institution will be used as a test case. The institution studied is a university hospital. Following Hofmann et al. (2019), the management of the healthcare institution must identify areas that may potentially benefit from the implementation of RPA. In this study, the healthcare institution has presented its own unique internal control problem for a specific process, a billing process. In this case, systems that organize the billing of the secondment of medical specialists are open for an RPA-based solution.

The goal of this study is to understand how the design and implementation of RPA can be controlled by the use of preconditions. In particular, this study investigates the preconditions for the design and implementation of RPA with a test case in mind, the billing process of seconded medical specialists. This research can assist management with governance and can help management teams to accept and implement new technologies. The study will argue for the practical usability of RPA systems. In this case, the practical contributions to internal control must be made visible for RPA in the chosen healthcare institution. In this research, secondment billing of medical specialists will be used as a test case. This case study must demonstrate the adequate preconditions for designing and implementing RPA, which can then lead to the widespread design and implementation of RPA across the healthcare sector. This study will be guided by the following research question:

Which preconditions must be met to assure that RPA is reliably designed and implemented?

To answer this research question, an artifact will be created. The artifact in this research must contribute to answering the question of which preconditions are required to successfully design and implement RPA. In addition, this artifact is based and tested on a healthcare institution wherein RPA could result in greater efficiency by streamlining secondment billing of medical specialists. The relevance of this research lies in the fact that technological developments can reduce costs in healthcare institutions (National Healthcare Service, 2018).

1.1 Research Contribution

According to March and Smith (1995), acquiring the knowledge necessary to implement RPA involves two complementary but distinct paradigms: behavioral science and design science. Design science-based research (DSBR) is a relatively new method in the learning sciences (Anderson & Shattuck, 2012) (Brown, 1992). The design science paradigm has its roots in engineering and the artificial sciences (Simon, 1996). It is fundamentally a problem-solving paradigm. This paradigm focuses on redefining and measuring information systems. The goal of design science is to drive innovations that make information systems more effective and efficient. From design science arises design-based research. Design-based research is the other half of the IS research cycle. The IS research cycle creates and evaluates IT artifacts that are designed with the purpose of solving organizational problems. Such artifacts are represented in a structured form that varies from those typically used in mathematics (Hevner et al., 2014).

Goes (2014) mentions that the IS field needs more design science research. Design science research (DSR) is a relatively new paradigm in IS, and its philosophical and methodological foundations are still evolving. Also, the attractiveness of DSR to junior researchers (e.g., doctoral candidates) and the position of DSR publications in top IS journals has been questioned by a number of academics (Cater-Steel et al., 2019). Design is not the only thing that drives innovation. Design science is a unique paradigm that combines all IS paradigms together. Design science is also applicable to the IS paradigms present in RPA. Since RPA is linked to IS (Fettke & Loos, 2018), the research presented here contributes new insights regarding RPA that are linked to internal control and are based on the DSR methods developed for information systems. It is important that the quality of financial reporting generated by RPA be equal to or greater than that of the reports generated by whatever systems were used previously (Krishnan, 2005).

Automation, especially RPA, and the required preconditions for the design and implementation of RPA are important. RPA technology is becoming more important in business environments. This study contributes to investigating which preconditions are required for the correct design and implementation of RPA in organizations. Designing and testing the artifact by making use of a specific case creates an in-depth analysis. This enhances the practical application of the design and implementation of RPA and should help encourage future research in this area. This research must contribute to the current status and knowledge of what preconditions are required for the design and implementation of RPA, identify issues about the design and implementation of RPA, and give recommendations for additional research by the use of design science research methods (DSRM). DSRM can be used to improve quality and presentation for this study, and they can even be used to evaluate design science research itself (Hevner et al. 2004). Though various studies are being conducted using the DSRM, many researchers have indicated that more research must be done before the DSRM can be fully accepted. This study can help contribute to the legitimacy of the DSRM. In addition, the combination of design science research and the preconditions for the design and implementation of RPA is, if not unique, at least rare.


2. THEORETICAL FRAMEWORK

Research into the preconditions for the design and implementation of RPA can be linked to literature on robotic process automation, internal control, and acceptance theory.

2.1 Robotic process automation

RPA is a key technology in this age of digital disruption and transformation. According to Osmundsen et al. (2019), RPA enables the automation of repeatable business processes. For example, a software robot can mimic human activities by performing recurring tasks and processes associated with structured data and clear action rules (Davenport & Kirby, 2016) (Fung, 2014) (Sia et al., 2016) (Osmundsen et al., 2019). With the use of artificial intelligence and machine learning, RPA can enable more complex and intelligent process automation. Today, robots are increasingly playing an important role in automating routine processes and workarounds that are otherwise inherently inefficient, time-consuming, and error-prone (Mezzio, Stein, & Stein, 2019).

This research focuses on a small part of robotic process automation (controls, implementation, software robots, projects and processes). To characterize RPA in a structured way, Hofmann et al. (2019) introduced the main characteristics of RPA (Figure 1). They followed the extensive understanding of the IEEE Corporate Advisory Group (IEEE Corporate Advisory Group, 2017).

FIGURE 1

The nature of robotic process automation (Hofmann et al., 2019)

However, not all processes are suitable for RPA, and a thorough assessment of potential processes is necessary. Processes that can benefit from RPA should be routinized and standardized. They need to have transaction volumes or transaction values that are high and predictable. Furthermore, business rules must be clearly defined, and there should be no need for advanced cognitive assessments. Implementing an RPA can seem intimidating since an RPA must address many moving parts and issues. Organizations need to fully understand current processes to assess the scope of needed change, and they must develop effective deployment and change-management strategies (Mezzio et al., 2019). Notably, introducing an RPA to a firm requires strategic management because an RPA affects more than one department of a business. Indeed, the implementation of an RPA requires cooperation between many different employees and project teams (Bygstad et al., 2017) (Bygstad and Iden, 2017).

One of the main challenges involved in keeping an RPA initiative inside local business units is that the controlling mechanisms needed to coordinate and prioritize different RPA initiatives are often lacking. Without a consistent form of central governance, opening local RPA initiatives leads over time to too many separate initiatives going on simultaneously. When this happens, organizations lose track of their initiatives (Osmundsen et al., 2019). Decision-makers (i.e., managers) must identify areas that may benefit from RPA. Once they select and develop software robots, they must continuously monitor and control them (Hofmann et al., 2019).

This research focuses on a few areas: controls, implementation, software robots, projects and processes. Fundamentally, processes should be routinized and standardized, business rules must also be clearly defined, and organizations must fully understand their current processes. This study checks the validity of these theoretical preconditions that will be used for the design and implementation of RPA. Though this study investigates how preconditions, both within IT and standard internal controls, contribute to the controlling mechanisms needed to coordinate and prioritize different RPA initiatives in the healthcare institution mentioned above, some issues regarding preconditions are out of scope of this research (i.e., the link between reliable RPA processes and central governance).

2.2 Internal Control and Preconditions for the Design and Implementation of RPA

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines internal control as “a process, effected by an entity’s board, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives such as effectiveness and efficiency of operation, reliability of financial reporting, and compliance with regulation” (Committee of Sponsoring Organizations of the Treadway Commission, 1992). Internal control of information systems is commonly referred to as IT. Internal control implements control measures (i.e., policies and procedures) for both the IT infrastructure and the various systems functioning throughout an organization (Norman et al., 2009) (Dale Stoel & Muhanna, 2011).

Internal control represents an increasingly important corporate governance framework that facilitates operations, makes strategies to improve the performance of a company, and helps successfully implement business plans (Simons, 1995) (Sarens & De Beelde, 2006). Internal control reduces the risks created by the presence of errors and irregularities in financial reporting. The internal control system aims, amongst other things, to provide reasonable assurance that financial reporting is reliable and that there is an appropriate capacity for drafting financial statements (Rubino & Vitolla, 2014). The emphasis on good internal control arises because internal control is considered essential for quality financial reporting (Krishnan, 2005).

There are different control activities for accounting information systems. Control activities are policies, procedures, and rules that provide reasonable assurance that control objectives are met, and risk responses are carried out. Management must make sure that:

1. Controls are selected and developed to help reduce risks to an acceptable level.

2. Appropriate general controls are selected and developed using the correct technology.

3. Control activities are implemented and followed as specified in company policies and procedures.

The different control procedures fall into different categories: (1) proper authorization of transactions and activities; (2) segregation of duties; (3) project development and acquisition controls; (4) change management controls; (5) design and use of documents and records; (6) safeguarding of assets, records, and data; and (7) independent checks on performance (Romney & Steinbart, 2018). These different control activities should also help the design and implementation of an RPA.

Several scholars have described the different activities of RPA software robots and how these robots work. According to existing literature, the activities of these robots can be converted into risks. Since the design and implementation of RPA involves risk, preconditions must be established to assist in the design and implementation of RPA. In order to understand the concept of preconditions, the study of Mezzio et al. (2019) should be considered.

Mezzio et al. (2019) explored several “critical success factors” to ensure successful implementation and wide acceptance of RPA strategies within an organization. The study discussed the following critical success factors: (1) change management; (2) personal identification; (3) process optimization; (4) governance and controls; (5) training and enablement; and (6) continuously monitor for return on investment. In this study, the preconditions closely match the critical success factors of Mezzio et al. (2019). However, in this study emphasis is placed on the success factors from the control perspective, and therefore these critical success factors are called preconditions.

For example, the following risks must be covered with preconditions: If an RPA robot is assigned a login ID and a password, and it works in the same way as a human employee who solves recurring tasks (Osmundsen et al., 2019), there is a risk that an employee may log in with the credentials of the robot (segregation of duties). The typical robot collects structured data from one or several systems, performs some predefined calculations, and registers the results into another system. The robot itself does not store any data (safeguarding assets, records and data). Tasks requiring different (manual) handlings benefit from control. When an RPA executes such tasks, it can actually lend more reliability to an accounting information system (Romney and Steinbart, 2018).
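The segregation-of-duties risk described above (an employee logging in with the robot's login ID and password) can be checked for in authentication records. The following is an added example, not part of the thesis: the event layout, account and host names, and the policy that binds each robot account to a runner host and a run window are all constructed assumptions.

```python
"""Flag use of an RPA robot's credentials outside the robot's own runtime.

Assumptions (not from the thesis or any RPA product): the CSV event layout,
the account and host names, and the per-robot policy are constructed.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample events: timestamp, account, source host, logon kind
SAMPLE_EVENTS = """\
2020-03-05T02:00:04,svc-rpa-billing,rpa-runner-01,service
2020-03-05T02:00:09,svc-rpa-billing,rpa-runner-01,service
2020-03-05T09:12:40,j.devries,fin-ws-17,interactive
2020-03-05T09:31:02,svc-rpa-billing,fin-ws-17,interactive
2020-03-05T14:05:00,svc-rpa-billing,rpa-runner-01,service
2020-03-06T02:00:03,svc-rpa-billing,rpa-runner-01,service
"""


@dataclass(frozen=True)
class RobotPolicy:
    """Where and when a robot account is expected to authenticate."""
    allowed_hosts: frozenset
    window_start: time
    window_end: time


# Hypothetical policy: the billing robot runs on one host between 01:00 and 04:00.
POLICY = {
    "svc-rpa-billing": RobotPolicy(frozenset({"rpa-runner-01"}), time(1, 0), time(4, 0)),
}


def parse_events(text):
    """Parse the constructed CSV layout into dicts sorted by timestamp."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines
        ts, account, host, kind = row
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "host": host, "kind": kind})
    return sorted(events, key=lambda e: e["ts"])


def audit_robot_logons(events, policy=POLICY, correlate=timedelta(hours=1)):
    """Return one finding per robot logon that violates its policy.

    Each finding lists the violated rules and the human accounts seen on the
    same host within `correlate`, which gives the reviewer a starting point
    for attributing the session to a person.
    """
    findings = []
    for ev in events:
        rule = policy.get(ev["account"])
        if rule is None:
            continue  # not a robot account
        reasons = []
        if ev["host"] not in rule.allowed_hosts:
            reasons.append("unexpected-host")
        if ev["kind"] != "service":
            reasons.append("interactive-logon")
        if not (rule.window_start <= ev["ts"].time() <= rule.window_end):
            reasons.append("outside-schedule")
        if not reasons:
            continue
        nearby = sorted({
            other["account"] for other in events
            if other["account"] not in policy
            and other["host"] == ev["host"]
            and abs(other["ts"] - ev["ts"]) <= correlate
        })
        findings.append({"ts": ev["ts"], "account": ev["account"], "host": ev["host"],
                         "reasons": reasons, "nearby_humans": nearby})
    return findings


if __name__ == "__main__":
    for f in audit_robot_logons(parse_events(SAMPLE_EVENTS)):
        print(f["ts"].isoformat(), f["account"], f["host"],
              ",".join(f["reasons"]), f["nearby_humans"])
```

A finding with only `outside-schedule` on the runner host usually points to an unplanned run and needs a change record; a finding that combines an unexpected host with an interactive logon is the segregation-of-duties case.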

According to Lacity and Willcocks (2015), RPA has three distinctive features compared to other automation tools: (1) RPA is easily configured, and implementing it does not require developers to have programming abilities; (2) RPA software is non-invasive, which refers to RPA software sitting on top of existing systems (independent check on performance) and accessing systems in the same way humans would (segregation of duties); and (3) RPA is enterprise-safe, and it easily meets IT requirements such as security, scalability, and auditability (safeguarding assets, records, and data).

I expect that the internal control literature will contribute to the creation of an artifact. Furthermore, the literature has examples on how RPA can be designed and implemented in such a way as to ensure that risks are eliminated. This literature must contribute to a reliable design and implementation process of RPA on both the IT and the practical aspect of internal control. The seven categories of control activities identified by Romney and Steinbart (2018) are expected to have a significant impact on the design and implementation of RPA. In this study, these categories will be covered by preconditions. These preconditions will be investigated and validated by interviews with experts.

2.3 Acceptance theory

Organizational investments in computer-based tools that can be used to support planning, decision-making, and communication processes are inherently risky. Unlike clerical paperwork-processing systems, end-user computing tools often require managers and professionals to interact directly with hardware and software. Unfortunately, end-users are often unwilling to use computer systems that, if used appropriately, have the potential to generate significant performance gains (Davis et al., 1989) (Alavi & Henderson, 1981) (Nickerson, 1981) (Swanson, 1988).

RPA can be used for different applications. These include reducing time and costs, improving work quality, and increasing profits (Cooper et al., 2019) (Evermann et al., 2017). The main purpose of implementing an RPA is to have tasks normally performed by humans be completed by robots (Fettke & Loos, 2018).

Besides dealing with the technical preconditions for the design and implementation of RPA, the implementation of an information system must be accepted. This is mentioned in acceptance theory. Acceptance theory can contribute to the creation of more reliable RPA processes, and it can complement internal control. People who are responsible for the operation of RPA, including employees who have to work with technology and people who will be replaced by RPA, are crucial to the successful design and implementation of RPA. To solve some of the problems brought about by RPA, Davis developed a Technology Acceptance Model (TAM) (1986). The TAM focuses on the fact that people have different, individual opinions regarding technology. The TAM shows that the successful adoption of a technology is determined by perceptions of that technology’s usefulness and ease of use (Figure 2).


FIGURE 2

Technology acceptance model (Davis, 1986)

According to Davis (1989), the perception of a system’s ease of use and usability indicates the attitude that a person is likely to adopt towards a system and its proper use. A highly useable technological system leads to an improvement in job performance, in the person or employee’s opinion. Furthermore, experience with ease of use leads to the use of technology for free (Davis, 1989).

This study focuses on the preconditions that arise from the design and implementation of RPA. This study also focuses on the preconditions associated with the implementation of RPA for the specific case in this study. Based on the literature, I expect that acceptance theory influences the design, implementation, and use of RPA. With acceptance theory in mind, one can suggest that perceived usefulness and perceived ease of use are important factors influencing the adoption of new technologies. Since RPA falls under the category of new technology, acceptance theory should guide organizations’ design and implementation of RPA into their business models. It is expected that acceptance theory is relevant for answering the research question in this research: even though it is not a technical precondition, it is a precondition that is important for the process of the design and implementation of RPA. Acceptance theory can contribute to a more practical precondition of enabling acceptance for the design and implementation of RPA. Therefore, acceptance theory can contribute to this research.


3. METHODOLOGY

This study is a qualitative study that follows a design science-based approach to create an artifact for an internal control problem for the design and implementation of RPA.

Design science-based research follows five steps in order to find a solution to a research question. Hevner (2004) and Peffers et al. (2008) describe the standard version as comprising the following phases and steps: (1) problem identification; (2) define demands and constraints concerning a solution; (3) design and development of a solution (artifact); (4) demonstration/testing of the design; (5) evaluation and communication (Figure 3).

FIGURE 3

Design science-based approach

3.1 The contribution of Information Systems in Design Science

Effectively converting RPA-based strategies to an infrastructure requires extensive design activity from an organization. A successful organizational infrastructure and information system design must be created to create an effective information system structure. Such independent design activities are central to the information systems discipline (Hevner et al., 2004). In this study, the focus lies with the information systems discipline, as information systems research must address the interplay between business strategy, IT strategy, organizational infrastructure, and information systems infrastructure (Kalakota & Robinson, 2001) (Orlikowski & Barley, 2001).

According to March and Smith (1995), design-science research into information systems has produced two design processes and four design artifacts. The first process is “build,” the second is “evaluate.” The four artifacts are as follows: constructs, models, methods, and instantiations. These artifacts are built to address unresolved problems (Hevner et al., 2004). Although many scientists have contributed to design science research focusing on information systems, the study of Hevner et al. (2004) gave design science research its real momentum (Cater-Steel et al., 2019).


Moreover, the Hevner et al. (2004) study has been recognized as the “de facto standard for the conduct and evaluation of design science research” (Venable, 2010). New work that leverages deployment and large-scale in-field experimental validation has also been carried out (Parsons et al. 2011), (Bapna et al. 2013), (Nunamaker et al. 2011). All these projects successfully used the DSRM, and this leads one to conclude that the DSRM is more suitable than the natural science research method for investigating a case within a healthcare organization. The DSRM has three specific objectives in mind. These objectives are, as defined by Peffers et al. (2008): (1) provide a nominal process for the conduct of design science research, (2) build upon prior literature about design science in information systems and reference disciplines, and (3) provide researchers with a mental model or template for structuring research outputs. These objectives help improve the production, presentation, and evaluation of design science research (Hevner et al. 2004).

Following the theory and the method of DSR, RPA is strongly linked to design science research and the practical solution of information system problems. Recently, numerous studies that investigate RPA have done so using the DSRM (Moffit et al., 2018) (Hofmann et al., 2019) (Aalst et al., 2019) (Cooper et al., 2019) (Syed et al., 2020). Therefore, one can conclude that the design science paradigm is appropriate for studying RPA.

Previously mentioned literature should lead to the successful development of the so-called “artifact”. Furthermore, the literature on RPA, internal control, and acceptance theory provides information regarding the expectations of the preconditions for the subject, as well as the implementation and use of RPA. On the other hand, the literature on information systems and the design science research method clarifies how an artifact can be designed using the specific research methods suited to information systems. These notions are summarized in the conceptual model (Figure 4).

FIGURE 4 Conceptual model


3.2 Defining a Specific Internal Control Problem

This study attempts to define a specific internal control problem or challenge based on information gathered from the interview held in a healthcare organization. This interview will be held at a healthcare organization that does not yet use RPA. Based on studies that have measured the impact of automation, RPA can be used to improve efficiency and reduce costs in the healthcare industry more widely (National Healthcare Service, 2018). Notwithstanding the successful implementation of RPA in the National Healthcare Service, RPA use is still not widespread in healthcare settings (Steger, 2020). Therefore, this study focuses on an internal control problem at a healthcare institution in the Netherlands. The healthcare institution that will be used as a test case in this research is a university hospital. According to the World Health Organization, a hospital is summarized as “a healthcare institution that provides patient treatments with the help of specialized medical specialists, nurses and medical equipment” (World Health Organization, 2020). In this university hospital, a specific process is used for the case study. The process used is the invoicing process of seconded medical specialists. In this specific process, a medical specialist from the university hospital will be seconded to another hospital on the basis of his or her skills and knowledge. Through this secondment, medical specialists generate revenues for the university hospital. The revenues they generate will be based on pre-established contracts. Based on these contracts, the financial administration invoices the hospital where the medical specialists are seconded.

The internal control problem in this process was developed out of two unstructured interviews. The interviews were held with the purpose of gathering background information about the healthcare organization, specifying the internal control problem, and getting a clear view of the industry. The interviews were conducted with the aim of finding a process lacking in effectiveness and efficiency in a healthcare organization. Such a process would be suitable for RPA. These interviews took place with a member of finance from an academic hospital and a member of a big-four accounting and consulting firm who has extensive knowledge and experience with RPA in healthcare institutions. The first interview was taken at the healthcare organization. The second interview was conducted by telephone in accordance with safety measures implemented in response to Covid-19. Both interviews lasted approximately 60 minutes (Table 1). Johannesson & Perjons (2014) argue that the interview method used is better for investigating complex issues, namely because respondents can express their ideas and feelings in a more unrestricted way in such interviews. This method is best suited to realizing the main goals of this study.¹ In addition to the interviews, a number of workshops involving students and teachers from the University of Groningen took place in order to share knowledge with each other about the problem.²

¹ Extensive motivation and interview questions are included in the appendices.
² More information about the problem can be found in the introduction and case study.


TABLE 1 Interviews conducted

| Interview | Date | Duration | Type of interview | Subject | Function interviewee |
|---|---|---|---|---|---|
| 1 | 05-03-2020 | 60 minutes | Unstructured interview | Gaining knowledge about internal control problems within the organization | Head Financial Services / Healthcare institution |
| 2 | 18-03-2020 | 60 minutes | Unstructured interview | RPA in healthcare organizations | Partner Accountancy Firm (RPA/Healthcare) |

3.3 Defining the Requirements for the Problem

In the second stage of the research, the demands and constraints regarding finding a solution to the problem were defined. To become familiar with a problem, theoretical and field research must be done. This study is case based. A case-based study focuses on one instance of a phenomenon and offers a rich, in-depth description of that instantiation.

For this case-based study, several existing sources of literature and scientific research about internal controls, preconditions and automation were used.³ Using existing literature and research as a source of data means that data can be collected much more quickly than it can when interviews are the primary data source. In addition, data was collected from interviews about RPA and possible preconditions for the design and implementation of RPA. According to Johannesson & Perjons (2014), these data will be helpful to improve accuracy and to broaden the picture in terms of the research problem. These types of sources are generally viewed as credible according to Johannesson & Perjons (2014).

This study focuses on the preconditions for the design and implementation of RPA and, in this case, on what should contribute to the design and implementation of an RPA for the invoice process of the secondment of medical specialists. To assure a reliable design and implementation of an RPA for the secondment invoice process, it is necessary to understand the secondment invoice process, the information systems and the internal controls. The literature study must concern the design and implementation of an RPA. Romney and Steinbart (2016) have compiled a large body of literature that describes information systems. This literature is used as guidance, as these academics have already written extensively about the design and implementation of information systems and their internal controls. In addition, this study used various scientific studies related to internal control and the use of RPA.


Since the literature on RPA and the internal control of RPA is scarce, more data has been collected using interviews. Subsequently, this data should provide more information about the selected process for this case study and the preconditions for the design and implementation of RPA. These interviews took place with a member of finance from an academic hospital and a consultant of a big-four accounting and consulting firm who have extensive knowledge and experience with RPA in healthcare institutions. Both interviews were conducted by telephone in line with the safety measures undertaken to prevent the spread of Covid-19; these semi-structured interviews lasted about 60 minutes. This interview method was used to give the interviewees freedom in their answers and to ensure that the correct information is collected (Table 2). The third interview must discover the current billing process of seconded medical specialists in the care organization. The fourth interview must discover an existing RPA process at work in healthcare institutions and the risks and preconditions for the design and implementation of RPA in this specific process. These preconditions for the design and implementation of RPA must be compared and matched to the internal control literature.⁴ The literature, in combination with interviews, must guarantee the reliability of the artifact.

TABLE 2 Interviews conducted

| Interview | Date | Duration | Type of interview | Subject | Function interviewee |
|---|---|---|---|---|---|
| 3 | 15-04-2020 | 60 minutes | Structured interview | RPA in the organization | Head Financial Administration / Healthcare institution |
| 4 | 06-05-2020 | 60 minutes | Semi-structured interview | Preconditions of RPA | Lead developer (RPA/Healthcare) / Accountancy Firm |

3.4 Designing of the Artifact

In the third stage of the thesis, the design and development of the artifact are discussed. The construction of the artifact must be formed by the information collected from the interviews, the literature study and an analysis of an existing RPA process (Johannesson & Perjons, 2014). In this phase, it must be clear which requirements the artifact must meet and which standards the artifact must accord with. Most importantly, the artifact should contain the preconditions for the design and implementation of an RPA for the specific case. For the design of the artifact, the model of a flowchart was chosen. This is a descriptive model. A flowchart clearly describes in which order preconditions must be met for the design and implementation of RPA. This flowchart must indicate the preconditions that must be met for each step in the design and implementation process of RPA. The artifact that has been designed has to incorporate the research results gathered from the interviews and the literature review. Shukor et al. (2017) created different requirements for a flowchart. These requirements are also used for this artifact, since the framework differs minimally.⁵ The flowchart will be filled with preconditions which are completed with specific explanations of the preconditions for the investigated case study process. After this step, the expectation is that the artifact will be designed in accordance with the appropriate theories as well as the practical knowledge taken from interviews. This step leaves some uncertainty as to whether sufficient information has been collected. If sufficient information has not been collected, the artifact is unreliable and incomplete. In addition, there might be uncertainty about reliability even if the information is correct. If the information is unreliable or incorrect, the artifact is also incorrect. Therefore, testing the artifact is an essential step.

3.5 Demonstration and Validation of the Artifact

According to Peffers et al. (2008), the demonstration of the artifact is to solve one or more instances of the problem. This could involve the use of the artifact in experimentation, simulation, case study, proof, or other appropriate activity. The question that should be answered is: ‘How can the artefact be used to address the explicated problem in a single case?’ The answer to this question will consist primarily of descriptive knowledge describing how the artefact works in a single situation, but also of explanatory knowledge as to why the artefact works. It is necessary to choose or design a case upon which to apply the artefact. The possibilities could be a fictitious or real-life case (Johannesson & Perjons, 2014).

In order to guarantee reasonable reliability and completeness, the demonstration is based on the collected data from the billing process in the healthcare organization. It was investigated whether the design of the preconditions in the artifact can be applied to the secondment process and whether all data about the secondment process is complete. To increase the feasibility of the demonstration, a fictitious case is also used, i.e., a standard billing process described by Romney and Steinbart (2016). Based on this process, checks were performed on whether the preconditions that occur in the artifact correspond to preconditions that are standard in a billing process. Since no other fictitious case or real-life case is available, this is the most feasible process for testing RPA use in billing. Moreover, with this method, the real-life case has been combined with a fictional process to ensure the validity of this research. This is a combination of the prescribed options (fictitious or real-life case) of Johannesson & Perjons (2014).

To ensure a higher validity, the question that should be answered is: ‘How well does the artefact solve the explicated problem and fulfil the defined requirements?’ The answer to this question can be found in two ways: (1) by determining to what extent an artefact is effective for solving the explicated problem and (2) by investigating knowledge about the artefact around its structure, function, underlying kernel theories, and implementation principles (Johannesson & Perjons, 2014). The evaluation and tests were conducted for a final assessment of the artifact’s utility. The test is based on an ex ante evaluation, which means that the artifact will be evaluated without being used. In effect, the artifact will not be used before it is completely reliable, through a strategy of naturalistic evaluation. According to Johannesson & Perjons (2014), the interview strategy is the right method for this type of validation. One respondent was used, for the reason that this type of test is just an extra validation method of the results. The respondent for this interview is a consultant of a big-four accounting and consulting firm who has extensive knowledge of and experience with RPA. The interview was conducted by telephone and lasted approximately 60 minutes. A structured interview method was used (Table 3). The interview questions will be based on the structured walkthrough of Shukor et al. (2017) and will fulfill the requirements regarding the reliability of the artifact.⁶ ⁷ This test is used because these requirements were tested on a real-life case which was similar to the case being investigated.

TABLE 3 Interviews conducted

| Interview | Date | Duration | Type of interview | Subject | Function interviewee |
|---|---|---|---|---|---|
| 5 | 12-06-2020 | 60 minutes | Structured interview by the use of a structured walkthrough | Validation Artifact | Lead developer (RPA/Healthcare) / Accountancy Firm |

3.6 Evaluation

In the last phase of the study, the results of the validation are discussed, together with how these results affect the artifact.

⁶ Extensive motivation and interview questions are included in the appendices.
⁷ Requirements are described in the validation phase.


4. CASE STUDY

4.1 Problem description

Based on the literature and the first two interviews, and following the DSRM, the main purpose of this research is to create an artifact that will be valuable in assessing preconditions for the design and implementation of RPA. The artifact will focus on the preconditions for the design and implementation of RPA, with the focus on a test case at a healthcare institution. When an RPA is properly designed and implemented, it reduces the workload of the staff in the healthcare organization for a specific process. In order to assure the management and the auditor that the robot is correctly designed and implemented and thus reliable, there must be a framework that describes all preconditions for the design and implementation process of an RPA. When using this framework, management must be able to trust that the RPA is properly designed and implemented in the organization.

During an interview at a healthcare institution, it emerged that many financial processes are still not running properly. In the first unstructured interview, we discussed which processes within the organization are lacking in efficiency and may benefit from the implementation of RPA. The head of finance believed that there were many opportunities to automate processes. Since there are currently no RPAs available at this particular healthcare institution, the institution has no existing knowledge regarding the controllability and reliability of RPA. This study, therefore, focuses solely on the preconditions for the design and implementation of RPA.

Based on the first interview, a second unstructured interview was planned. This interview was held with a member of a major accounting firm in the Netherlands. This particular interviewee specializes in RPAs designed specifically for healthcare institutions. An exploration into the RPA field was performed to determine which standards are already known as well as what these standards are based on. During the interview, it was concluded that there is no standard checklist with preconditions based on scientific research that investigates the implementation of RPAs designed for the purpose of replacing user controls; existing checklists only use practical guides that were prepared by the accounting firm itself. After two interviews, workshops with staff members from the University of Groningen, and a literature study, a new problem arose. Simply put, it became apparent that one must ask which preconditions must be met to assure that an RPA is correctly designed and implemented. To solve this problem, an artifact will be created. The artifact will be a method that can control the preconditions associated with the design and implementation of RPA. The artifact will be designed with the test case from the healthcare organization in mind.⁸ At this moment, there are still many other processes in the healthcare industry that an RPA can be applied to.


4.2 Defining the Requirements for the Problem

In this part of the study, interview data will be cross-checked with the literature and theory. Once this step has been taken, the artifact can be created. From this analysis, two types of preconditions were derived: (1) preconditions to determine whether a process is suitable for the design of RPA; and (2) preconditions for the implementation of RPA for a suitable process. This separation has been made for a clear elaboration of the preconditions.

4.2.1 Preconditions to Determine whether a Process is Suitable for the Design of RPA

The preconditions in this section determine whether a process is suitable for the design of an RPA. They are assessed before the implementation of an RPA in a suitable process.

The preconditions are based on the theoretical information available in the literature and on collected interview data. In this section, theoretical knowledge will be matched to the practical knowledge collected from interviews. Moreover, the interviews about the preconditions associated with the design and implementation of RPA are based on general processes and not on specific administrative care processes, like the billing processes used to invoice seconded medical specialists. Based on interview IV, one can assume that there is little difference between contract billing in healthcare and in other kinds of businesses.

Before the appropriate robot can be designed, a process choice has to be made. This choice must meet four conditions. First, the theoretical underpinning of the study and the interviews suggest that a good start of the design is crucial to developing a successful RPA (Mezzio et al., 2019; Osmundsen et al., 2019). However, not all processes are suitable for RPA, and a thorough assessment of potential candidates is necessary. In this specific instance, an interview with the head of finance from the healthcare organization was conducted to deal with this issue. Options were discussed in the interview, and this discussion yielded a selection of possible processes. One process was chosen in the end: the billing of seconded medical specialists.

Second, the robotic process must be routinized and standardized. The transaction volume or transaction value should also be high and predictable (Mezzio et al., 2019). The billing of seconded medical specialists meets these conditions. Though the exact transaction volume is unclear, the interviews suggest that this particular task meets the conditions related to volume.

The third condition, which is only based on interviews, is that major healthcare organizations are working with many IT systems. These systems provide different sets of information. It is necessary to determine what data and systems are the best to use. Since the robot has to check a lot of data, the underlying data must be digital and in the correct format. This condition is not mentioned in the literature. In this case, the interviews revealed that the healthcare organization uses three digital systems for the secondment of medical specialists and that these systems can cooperate with RPA. There is a possibility that RPA is not the best solution for this process and that automation options are already built into the so-called ecosystems of the hospital’s current IT system. To determine whether these things are true or not, the current systems must be examined more deeply, and such an analysis is beyond the scope of this study.

Once the process has been chosen, it must be investigated more specifically. Before designing a robot, the business rules of the specific process must be clearly defined, and there should be no need for advanced cognitive assessments. When this is not possible, it is necessary to look at the governance and compliance of the organization. This is the first step, before the design and implementation of RPA. According to Mezzio et al. (2019), the implementation of an RPA project can seem intimidating, since it must address many moving parts and issues. The organization needs to fully understand the process to assess the scope of needed change and to develop effective deployment and change-management strategies. Based on the interviews, there is a chance that the process will have to be redesigned. Redesign becomes necessary when a process is not completely logical and/or some of its steps become bottlenecked. As the literature suggests, introducing RPA to a firm requires a strategic management approach, since the implementation of RPA affects more than one department of a business and involves cooperation between different actors and across a variety of projects (Bygstad et al., 2017; Bygstad and Iden, 2017). This notion was not mentioned during the interviews. Such a management approach is part of the governance of an organization and is out of the scope of this research.

The acceptance theory is also involved in this phase. In line with interviews II and IV, acceptance by personnel is needed to ensure that RPA functions successfully for the specific process. According to acceptance theory (Davis, 1989), perceived usefulness and perceived ease of use must be sufficiently present among personnel. Such perceptions create a good attitude toward using RPA. In the first and third interviews, employees of the healthcare organization mentioned that they did not know what RPA is. Therefore, it is important to explain what RPA is, because understanding RPA contributes to its successful implementation. According to the second and fourth interviews, enabling acceptance can be created by explaining that RPA exists simply to assist. Its purpose is not to replace everything. RPA can help management delegate tasks in a way that flows with employees. In this light, exposure to RPA can actually help enable acceptance. Such a notion is in line with the ideas of Davis (1989), who notes that in order for RPA to be perceived as being sufficiently useful, there should be sufficient perceived usefulness and perceived ease of use among the staff. Without a high degree of enabling acceptance, there is a high probability, based on the literature and interviews, that the implementation of RPA will fail within the healthcare organization. Therefore, the employees’ degree of acceptance must be further investigated in the healthcare institution.


4.2.2 Preconditions for the Implementation of RPA for a Suitable Process

The preconditions for the implementation of RPA for a suitable process are preconditions that contribute to a successful implementation of a chosen process for which RPA is suitable. These preconditions must ensure that the RPA works successfully and thus ensures a successful implementation of RPA.

Based on the interviews and the limited possibilities available to conduct research during the Covid-19 crisis, it was not possible to analyze an existing billing process in a healthcare institution that has already been replaced by RPA. Therefore, the discussion in this section will be based on data taken from the literature, interviews with RPA experts, and interviews with the healthcare organization. As already mentioned, there is no need to take extra account of preconditions that specifically focus on healthcare in the standard business processes, like contract billing of medical specialists. The controls from the theoretical background, matched with the interviews, will lead to an understanding of what preconditions are necessary to successfully design and implement an RPA that is to be used by a healthcare organization.

Following the conclusions of Romney and Steinbart (2016), project development and acquisition controls have a proven methodology for governing the development, acquisition, implementation, and maintenance of information systems. In this particular case, the RPA is the information system. The RPA should contain appropriate controls for management approval, user involvement, analysis, design, testing, implementation, and conversion. An important thing to note here is that completeness and accuracy are very important to a well-functioning robot. If the robot does not perform all the tasks that should be processed, the turnover, in this case, may not be complete or correct. The healthcare organization should have a back-up plan in situations where a critical financial process is taken over by a robot. Several employees and departments are involved in the process of seconding medical specialists and invoicing them. When the robot fails, tasks are not carried out within the different departments. In this situation, the organization must always keep trained personnel at hand to be able to take over the process manually. The personnel must be available in all the departments affected by the automated process. This is in line with the business continuity of the process. The conditions are similar to those required for the maintenance of major systems, and meeting them will improve business continuity.

The first control activity mentioned by Romney and Steinbart (2016) is the proper authorization of transactions and activities in information systems. According to Lacity and Willcocks (2015), RPA has three distinctive features compared to other automation tools: RPA is easily configured, implementing it does not require programming abilities from developers, and RPA is non-invasive in the sense that RPA software sits on top of existing systems. The researchers are not talking here about how the RPA executes and guarantees transactions. One of the risks that can arise when using RPA is that there may be no proper authorization of transactions and activities. This risk was highlighted in the interviews. The risk is that the management and/or the auditor will not be able to check the code regarding authorization, as this code has been written by and can most likely only be understood by an RPA developer. Consideration must be given to which transactions the robot can perform and which it cannot, and in some situations, authorization must be granted by the management. In addition, though a robot is not susceptible to fraud, the 4-eye principle is not valid here, and there is a certain level of risk when one robot performs two processes. Here too, the management of the organization must consider the situation and give an opinion. A check must be carried out on the code of the robot, a check designed to ensure that the robot does not exceed both processes and that certain authorizations are not carried out. It is important to completely smooth out a process in advance. Then it can be determined what can be automated relatively easily and whether these transactions should be authorized. Since the healthcare organization this study worked with has no experience with RPA, an authorization matrix must be drawn up for the robot. This matrix includes a description of the amounts up to which the robot can automatically execute transactions without management approval. This matrix can be based upon the authorization matrix currently in place for manual actions by employees.
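The authorization matrix and the one-robot-two-processes risk described above can be expressed as reviewable data that sits outside the robot's workflow code. The sketch below is an added example, not part of the study or of any RPA product; the process names, actions, limits and contract ids are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed authorization matrix for one robot account (assumed values).
# (process, action) -> highest amount the robot may execute without approval.
ROBOT_MATRIX = {
    ("secondment_invoicing", "create_invoice"): Decimal("5000.00"),
    ("secondment_invoicing", "send_invoice"): Decimal("5000.00"),
    ("receivables", "write_off"): Decimal("100.00"),
}

# Actions one identity must not combine on the same contract
# (segregation of duties when a single robot runs two processes).
SOD_CONFLICTS = [frozenset({"create_invoice", "write_off"})]


@dataclass(frozen=True)
class Request:
    process: str
    action: str
    contract_id: str
    amount: Decimal


@dataclass
class RobotGate:
    matrix: dict
    conflicts: list
    audit: list = field(default_factory=list)      # append-only decision log
    performed: dict = field(default_factory=dict)  # contract_id -> actions done

    def decide(self, req: Request) -> str:
        decision, reason = self._evaluate(req)
        if decision == "ALLOW":
            self.performed.setdefault(req.contract_id, set()).add(req.action)
        # Every decision is logged, denials included, so management or an
        # auditor can review behaviour without reading the robot's code.
        self.audit.append((req.contract_id, req.process, req.action,
                           str(req.amount), decision, reason))
        return decision

    def _evaluate(self, req: Request):
        limit = self.matrix.get((req.process, req.action))
        if limit is None:
            # Deny by default: anything not listed is not authorized.
            return "DENY", "not in authorization matrix"
        if req.amount <= 0:
            return "DENY", "non-positive amount"
        done = self.performed.get(req.contract_id, set())
        for pair in self.conflicts:
            if req.action in pair and (pair - {req.action}) & done:
                return "DENY", "segregation of duties conflict"
        if req.amount > limit:
            # Above the limit the robot stops and management must approve.
            return "ESCALATE", f"amount above robot limit {limit}"
        return "ALLOW", "within robot limit"


def demo():
    """Run constructed requests through the gate and return the decisions."""
    gate = RobotGate(ROBOT_MATRIX, SOD_CONFLICTS)
    requests = [
        Request("secondment_invoicing", "create_invoice", "C-001", Decimal("1200.00")),
        Request("secondment_invoicing", "create_invoice", "C-002", Decimal("7500.00")),
        Request("receivables", "write_off", "C-001", Decimal("50.00")),
        Request("secondment_invoicing", "approve_payment", "C-003", Decimal("10.00")),
        Request("receivables", "write_off", "C-004", Decimal("50.00")),
    ]
    return [gate.decide(r) for r in requests], gate.audit


if __name__ == "__main__":
    decisions, audit = demo()
    for row in audit:
        print(row)
```

Because the limits and conflicts are plain data, they can be derived from the existing matrix for manual actions and signed off by management separately from the robot's configuration.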

According to Romney and Steinbart (2016), the second control activity, segregation of duties, is an important part of RPA theory. Good internal control requires that no single employee be given too much responsibility over business transactions or processes. An employee should not be in a position to commit and conceal fraud. An RPA, as a robot assigned a login ID and a password, works at solving recurring tasks in the same way that a human employee does (Osmundsen et al., 2019). According to Lacity and Willcocks (2015), the RPA must be enterprise safe, yet, following the recommendations of Romney and Steinbart (2016), it must also have proper segregation of duties to reduce the risks associated with the processes it carries out. The risk in this case is that an unauthorized employee of the healthcare institution may log in with the credentials of the robot. The systems in the healthcare organizations are SAP and INSITE. These systems are managed by the internal ICT department, called “medical information technology”. All authorizations carried out by the medical information technology department must be requested and then approved by the sector controller.

The proper design and use of electronic and paper documents and records can help ensure the accurate and complete recording of all relevant transaction data by the robot. The form and content of documents should be as simple as possible in order to minimize errors and facilitate review and verification (Romney & Steinbart, 2016). During the interviews, it became clear that invoicing seconded doctors will require the robot to check a large amount of underlying data, data which must be digital. In addition, it also became clear that PDF and photo documents are difficult to read, and that a program that can convert PDF information into system information will be required for the RPA to function. In this process, the management of the healthcare organization must pay extra attention to the digitization standards of its contracts. When there is no maximum standardization, the RPA has no added value and is in most cases unusable. In such a situation, the RPA may only be used temporarily.


Regarding change-management controls, Romney and Steinbart (2016) recommend that organizations modify existing systems to reflect new business practices and take advantage of IT advancements. Those in charge of changes should make sure they do not introduce errors that may facilitate fraud. The interviews revealed that completeness and accuracy are very important for a well-functioning robot. If the robot does not perform all the tasks that should be processed, the turnover may not be complete or correct. This risk arises when changes are made to the process or the robot without going through the appropriate steps needed to ensure things are still working properly. Since the organization is not yet using RPA, a separate process must be set up to ensure that change-management controls are in place.

Romney and Steinbart (2016) state that a company must protect its cash and physical assets as well as its information. The typical robot collects structured data from one or several systems, performs some predefined calculations, and registers the results into another system. The robot itself does not store any data (Lacity and Willcocks, 2015; Osmundsen et al., 2019). According to Lacity and Willcocks (2015), IT requirements such as security, scalability, and auditability are easily met. Risks may be incurred if the robot stores confidential data in an unsecured location or transmits it via an unsecured connection. The robot may also incorrectly manipulate data. Based on the theory of Lacity and Willcocks (2015) and Osmundsen et al. (2019), data is recorded and secured by the current IT systems and not by the robot. At the moment, there is knowledge of which software the robot will use and which security method the robot will use. The healthcare organization must have these systems in order at all times. Access to the robot itself has been discussed previously. Processes related to the administration must take extra account of the regulations and the privacy of medical data. In these types of processes, the feasibility and sensitivity of information must be considered. Such concerns are mainly linked to the acceptance part of a case and not the process part of a case; this means that the RPA developer does not accept the robot design assignment, because sensitive information carries risks.

Independent checks of the RPA’s performance must be done to help ensure that transactions are being processed accurately. They must be done by someone other than the person performing the original operation. There is a risk that failed transactions and/or manual changes will not be logged or communicated to the robot. In addition, management and employees may have no control over failed transactions and/or changes. Therefore, tasks and responsibilities will have to be defined within the departments. For this process, the responsible parties in this case are the medical information technology department and the sector controller. Following the interviews, the independent checks may be performed by someone from outside the organization. Furthermore, different manual handlings should be controlled to give more reliability to the accounting information system (Romney and Steinbart, 2018) and the RPA.
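An independent check of completeness and accuracy can be run by someone other than the robot's operator by reconciling the contract register against the robot's run log. The sketch below is an added example, not the organization's procedure; the field names, contract ids, amounts and the employee id are constructed assumptions.

```python
from decimal import Decimal

# Constructed contract register: contract id -> amount due for the period.
EXPECTED = {
    "C-001": Decimal("1200.00"),
    "C-002": Decimal("800.00"),
    "C-003": Decimal("450.00"),
    "C-004": Decimal("300.00"),
}

# Constructed robot run log. "changed_by" is set when a person altered the
# entry by hand after the robot produced it.
ROBOT_LOG = [
    {"contract_id": "C-001", "amount": "1200.00", "status": "posted", "changed_by": None},
    {"contract_id": "C-002", "amount": "800.00", "status": "failed", "changed_by": None},
    {"contract_id": "C-003", "amount": "450.00", "status": "posted", "changed_by": None},
    {"contract_id": "C-003", "amount": "450.00", "status": "posted", "changed_by": None},
    {"contract_id": "C-004", "amount": "330.00", "status": "posted", "changed_by": "emp-17"},
    {"contract_id": "C-009", "amount": "100.00", "status": "posted", "changed_by": None},
]


def reconcile(expected, robot_log):
    """Compare what should have been invoiced with what the robot posted."""
    posted, failed, manual = {}, set(), []
    for entry in robot_log:
        cid = entry["contract_id"]
        if entry.get("changed_by"):
            manual.append((cid, entry["changed_by"]))
        if entry["status"] == "posted":
            posted.setdefault(cid, []).append(Decimal(entry["amount"]))
        elif entry["status"] == "failed":
            failed.add(cid)
    return {
        # Completeness: every contract due must have a posted invoice.
        "missing": sorted(c for c in expected if c not in posted),
        # Validity: a posted invoice must trace back to a contract.
        "unknown_contract": sorted(c for c in posted if c not in expected),
        "duplicate": sorted(c for c, amts in posted.items() if len(amts) > 1),
        # Accuracy: posted amounts must equal the contract amount.
        "amount_mismatch": sorted(
            c for c, amts in posted.items()
            if c in expected and any(a != expected[c] for a in amts)),
        # Failed runs that were never followed by a successful posting.
        "failed_unresolved": sorted(c for c in failed if c not in posted),
        "manual_change": sorted(manual),
        "expected_total": sum(expected.values()),
        "posted_total": sum(sum(amts) for amts in posted.values()),
    }


def needs_follow_up(findings):
    """True when any exception list is non-empty or the totals differ."""
    lists = ("missing", "unknown_contract", "duplicate",
             "amount_mismatch", "failed_unresolved", "manual_change")
    return (any(findings[k] for k in lists)
            or findings["expected_total"] != findings["posted_total"])


if __name__ == "__main__":
    for key, value in reconcile(EXPECTED, ROBOT_LOG).items():
        print(key, value)
```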


4.3 Artifact

The artifact was created based on all the collected information. The artifact is presented in figure 5. For each precondition, a short explanation is written.

FIGURE 5 Developed artifact

1.

When an RPA is introduced to a firm, the implementation process requires a strategic management approach, as an RPA affects more than one department of a business and involves cooperation between different actors and across different projects. The organization needs to fully understand the process to assess the scope of needed change and develop effective deployment and change-management strategies. This step is not part of the research. If step five is not sufficient, research must first be carried out on governance and compliance in the organization to determine where improvements must take place.

2.

Not all processes are suitable for RPA, and a thorough assessment of potential candidates is necessary. This precondition must ensure that a process is chosen that could possibly be taken over by an RPA. It must be taken into account if the process is not running smoothly or if the process requires many administrative actions. In this case, the research was done with the head of finance from the healthcare organization.

3.

After the assessment of potential candidates, the process should be routinized and standardized. The billing for the secondment of medical specialists meets this precondition. If this condition is not met, go back to step 2.

4.

It is necessary to determine the right data and systems. Since the robot has to check a lot of data, the underlying data must be digital and in the correct format. In this case, the healthcare organization must use IT systems with digital data regarding the invoicing of seconded medical specialists. The healthcare organization uses three digital systems for the secondment of medical specialists, each of which can cooperate with RPA. The data that will be used in the process is also created in these systems. If this condition is not met, go back to step 2.

5.

The process needs to be investigated more specifically. Before designing a robot, the business rules of the specific process must be clearly defined, and there should be no need for advanced cognitive assessments. If these conditions are not met, go back to step 1 regarding the governance and compliance of an organization.

6.

Before the design and implementation of the RPA, it is important that staff accept the use of new IT systems in their process. Enabling acceptance among personnel is of great importance. In this case, it is unclear to what degree there is acceptance among the staff. The degree of enabling acceptance about the implementation of RPA should be clarified with further research.

7.

The RPA should contain appropriate controls for management approval, user involvement, analysis, design, testing, implementation, and conversion. In addition, the healthcare organization should have a back-up plan when a critical financial process is taken over by a robot in case the robot is temporarily out of service. This condition also applies to maintenance of the systems. This condition can take the form of a working guide describing which departments and which staff should be able to take over the process manually. To make this working guide, the management of different departments must be involved. After setting up the guide, it must be available in all the departments involved in the process to ensure that the revenues are guaranteed.

8.

An authorization of transactions and activities matrix for the robot must be created. Consideration must be given to which transactions the robot can perform and which it cannot. It must also be determined when authorization must be granted by the management. A check must be carried out on the code of the robot to ensure that the robot does not exceed both processes with each other and that certain authorizations are not carried out. It is important to completely smooth out a process in advance. The matrix must also ensure that the RPA is not used for processes for which it was not designed. In addition, the matrix must determine the limits of the amounts to which the robot may automatically invoice, and it must also determine which persons must give approval when amounts are exceeded.

9.

The process must have proper segregation of duties in order for the robot to reduce the risk of fraud. All authorizations that would be carried out by the medical information technology department must be requested and approved by the sector controller. An authorization matrix will be desirable here as well. This matrix must determine who still has access to the systems that have been taken over by the robot and who can still perform the process manually. In addition, it is necessary to register who has access to the robot and when changes have been made to the process.

10.

The proper design and use of electronic and paper documents and records will help ensure the accurate and complete recording of all relevant transaction data. The data must be digital. PDFs and pictures are not allowed. The contracts of medical specialists should be standardized.

11.

The data used by the robot must be stored in a secure environment. The data should not be stored by the robot itself, but in the existing systems. The security must be based on existing protocols. Processes related to the administration must take extra account of the regulations and the privacy of medical data. In these types of processes, the feasibility and sensitivity of information must be considered.

12.

There should be a check on the performance of the robot. This check must be independent. Logging of the transactions of the robot is required. The logs must be controlled by management and independent advisors. In this case, the most obvious candidates are the medical information technology department and the sector controller. Such a task can also be delegated to someone outside the organization, such as the auditor or robot developer.
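The following is an added example, not part of the thesis or of the organization's systems, sketching how preconditions 8, 9 and 12 could be enforced together: an authorization matrix with an automatic invoicing limit, a segregation-of-duties check on approvals, and a hash-chained log that an independent reviewer can verify. The transaction name, the 5000 limit, the role name and the user names are assumptions.

```python
import hashlib
import json

# Constructed matrix (assumption): what the robot may do, its automatic
# invoicing limit, and the role that must approve larger amounts.
AUTH_MATRIX = {
    "invoice_secondment": {"auto_limit": 5000.0, "approver_role": "sector_controller"},
}


class RobotLog:
    """Append-only log; each entry's hash covers the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"record": record, "prev": prev, "hash": digest})

    def verify(self):
        """Independent check: False if an entry was edited or dropped mid-chain."""
        prev = "0" * 64
        for e in self.entries:
            body = json.dumps(e["record"], sort_keys=True)
            digest = hashlib.sha256((prev + body).encode()).hexdigest()
            if e["prev"] != prev or digest != e["hash"]:
                return False
            prev = e["hash"]
        return True


def authorize(log, tx_type, amount, operator, approval=None):
    """Decide allow/hold/deny for a robot transaction and log every outcome."""
    rule = AUTH_MATRIX.get(tx_type)
    if rule is None or amount <= 0:
        decision = "deny"   # process the robot was not designed for, or bad amount
    elif amount <= rule["auto_limit"]:
        decision = "allow"  # within the automatic invoicing limit
    elif approval is None:
        decision = "hold"   # above the limit: wait for approval
    elif approval["role"] != rule["approver_role"] or approval["user"] == operator:
        decision = "deny"   # wrong role, or operator approving own transaction
    else:
        decision = "allow"
    log.append({"tx_type": tx_type, "amount": amount, "operator": operator,
                "approval": approval, "decision": decision})
    return decision
```

Denied and held transactions are logged as well, so failed transactions cannot go unrecorded. Removal of the most recent entries is only detectable if the reviewer keeps the latest hash outside the robot's environment.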


4.4 Demonstration and Validation of the Artifact

Tests were performed during validation to verify compliance with the nine requirements derived from the validation study by Shukor et al. (2017). The following requirements must be met for this validation: (1) The artifact requires clear representation on all preconditions of the design and implementation of an RPA; (2) The artifact clearly points to the needs of preconditions in the process of the secondment of MS; (3) The use of a flowchart helps to ensure that all preconditions are available in the artifact; (4) The framework is clear and easy to follow and understand; (5) The entire process of designing and implementing an RPA can be performed using the flowchart; (6) There are no exceptionally important preconditions missing that could compromise the reliability of the artifact; (7) The framework can contribute to a more effective and efficient process for the design and implementation of the RPA in the healthcare organization; (8) The template is very useful as guidance to identify the preconditions of an RPA; and (9) The explanation provided is comprehensive; more importantly, it clarifies how the framework and template are used. The different methods of validation, as described in the method section, must show whether these nine requirements are met.

Based on the data gathered from the interviews, the following subjects are uncertain and limited in the artifact. First, there is a lack of clarity about how the salary of the medical specialists is paid on the basis of two formation distributions. The limiting conditions of the artifact do not specifically take this into account; this data is also unavailable. Second, the process in the artifact uses three different systems. Based on the collected data, it is clear that two systems use an authorization matrix that is managed by the medical information technology department and the sector controller. This is unclear for the third system. In addition, there are several uncertainties that have not been further investigated: no investigation has been conducted into whether the governance and compliance is in order within the organization. The business rules of the process have not been studied in detail; a global picture of the process has been investigated. Further, it should be noted that no research has been conducted into employee acceptance within the organization; this sub-process should be investigated in subsequent research. The design of the authorization matrix and the segregation of duties within the organization has not been investigated; this should be further investigated during the design and implementation of the RPA. Last, there should be more clarity about the models that will be used for data security and authorization of transactions. Because no RPA is used within the organization, there are still many uncertainties regarding issues related to data security. In addition, no data has been collected yet on how the organization has organized its data security.

The validation has also been performed using a standard billing process. In this validation, a check was carried out to see whether all the preconditions of the standard billing process, which should also apply to a billing process with RPA, are present in the artifact. Based on the literature from Romney and Steinbart (2016), the authors identified four general risks for sales-based processes: (1) inaccurate or invalid master data; (2) unauthorized disclosure of sensitive information; (3) loss or destruction of data;
