In Part 1 of this article, we looked at how big data analytics can be used to perform smart testing of financial transactions that flow through common business process areas, such as procure-to-pay, payroll, and order-to-cash. This approach helps detect instances of fraud, error, and non-compliance, as well as strengthen internal control systems. In part two, we look at other aspects of how data analytics can improve risk and control performance.
Continuous Monitoring
While analytics can be performed on an occasional basis, the greatest benefits are achieved when transaction testing is performed as part of a regular, ongoing process. Continuous transaction monitoring is best performed as frequently as makes sense for the underlying business cycle. This typically means testing on a weekly or bi-weekly basis for payroll and travel and entertainment (T&E) expenses – or more frequently, perhaps even daily, for purchases and payments.
The Association of Certified Fraud Examiners (ACFE) 2018 Report to The Nation on Occupational Fraud and Abuse shows that data monitoring/analysis results in 52 percent lower losses and 58 percent faster detection, compared to using traditional methods for identifying fraud. More frequent testing means that instances of fraud and other control breakdowns can be identified and resolved before they are able to escalate and create greater damage.
Data-Driven Risk Management and Risk Assessment
The greatest value from data analytics and transaction testing is usually achieved when performed as a core component of an overall approach to risk management. A well-designed risk management process identifies risks, as well as the related mitigation and control processes, in the context of impact on organizational objectives. When analytics and transaction monitoring are integrated into the risk management process, they can drive the content of visual dashboards that provide executive management with continuous, quantified insights into the status of risks and control effectiveness across the organization.
Exception Management
One practical issue that comes with using data analysis and continuous monitoring is responding to the results. Someone needs to be responsible for reviewing “exceptions” and anomalies, trend reports, or any other output of fraud and error monitoring systems—and decide what needs to be done.
The most efficient approach is to implement automated workflow that routes specific types of exceptions and results to appropriate individuals for resolution, and, if necessary, escalation. Automated rules can also be used to minimize the occurrence and potential challenges of false positives.
SOX Testing and Internal Controls over Financial Reporting
Requirements for testing Internal Controls over Financial Reporting (ICFR) remain a resource burden for many organizations - particularly so for finance and control specialists. The good news is that data analysis is now well proven as a method of reducing that burden. SOX compliance can be made far more efficient by using transaction analysis to automate key control tests, particularly around general ledger journal entries.
Many external audit firms use standard suites of journal entry data analytics as part of their annual audit procedures and to support SAS 99 requirements. It often makes sense for the finance team to run similar analytics ahead of an audit to help ensure “audit readiness”.
Typical analytics to test journal entries include: looking for a lack of appropriate segregation of duties between entry and approval, checking approval authorization limits, and examining journal entries posted at unusual times (i.e. when an employee is on vacation). Other common tests involve detection of postings between unusual combinations of accounts and irregular inter-company transfers.
More Effective Compliance with Anti-Bribery and Corruption Regulations
Data analytics play a big role in addressing the risks of failure to comply with the FCPA anti-bribery and corruption regulations. They not only help find specific instances of potential bribery, but also make the overall compliance process more efficient.
In cases where FCPA violations have occurred, the U.S. Department of Justice (DoJ) has accepted that the implementation of data analysis and monitoring can result in the reduction of fines and penalties. This in itself can justify the use of data analysis to test for possible instances of bribery and corruption.
The types of analytics applied for FCPA compliance purposes include: searching for suspect keywords relating to corrupt payments or other forms of benefit, and identifying unusual payments or funds transfers made through bank accounts in high-risk regions.
Transforming Financial Control Practices
Technology – particularly in the form of big data analytics and AI – has done so much to transform business processes including such as marketing, product management, and customer service. Now it’s time to consider how analytics and transaction monitoring can transform control processes and improve performance in financial systems.
John Verver, CPA CA, CISA, CMC, is an advisor to ACL.