How do you use data generated from business and IT processes for risk management and internal control (IC) purposes in an effective and efficient way? How can your data serve IC purposes by providing risk insights?
This article explains how data analytics can help IC practitioners gain a proper understanding of the processes to improve controls testing and execution. It starts by tapping into the data that’s already available in your enterprise resource planning (ERP) systems, while stepping away from traditional analysis methods like inquiry, manual data extraction and querying tables.
Driven by new technologies and rapid growth, business processes in large and mid-size companies are generating an increasing volume of transactions.
Challenges arise around full awareness of risks and the effectiveness of controls.
Smart data techniques enable organisations to overcome these challenges through efficient and effective control execution by the first line of defence (LOD), and testing by the second LOD.
Throughout a company’s journey to stay in control of business processes and risks, the first and second LOD can benefit from data analytics techniques that support an understanding of the process and risks, as well as the testing and execution of mitigating controls.
There is often a discrepancy between the expected and actual outcomes of business processes, and also in how the same process runs in different business entities. Rather than updating your understanding of the business process through (often subjective and incomplete) interviews, more objective and complete insights can be obtained through the use of data. Specifically, process mining techniques make use of factual transactional data to analyse the actual process and identify key risks like late purchase orders, approvals being bypassed and segregation of duty conflicts. With the data at hand, insights can easily be compared between entities in just a couple of clicks!
Example of a process flow benchmark between company BRAVO and company ALPHA
When testing and executing high-volume transaction controls, the difficulty is usually finding the right balance between completeness and efficiency. Data analytics, when properly applied, brings assurance over the total population with minimal effort. Because they are substantive in nature, control execution and testing with smart data queries and clustering techniques help assess the residual risk on 100% of the transactions.
Whether it’s an automated control, such as a three-way match or copy controls, or a manual control like a manual journal review, the first and second lines of defence can benefit greatly from data analytics to quantify and cover residual risks.
The three-way matching control assures the accuracy of invoices. The SAP system allows automated matching to be configured in the SAP MM module. This report reperforms three-way matching by showing the volume of invoices for which three-way matching is applicable. It also details the volume of purchase orders that have mismatches, the percentage within accepted tolerances and the deviations of purchase order pricing from material master pricing.
Example of a 3-way match re-performance based on actual data
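The re-performance described above can be sketched over a small extract of purchase orders, goods receipts and invoices. This is an added example, not the report shown in the article and not SAP's own matching logic; the field names, the sample records and the 2% price tolerance are assumptions.

```python
from collections import defaultdict
from decimal import Decimal as D

# Constructed sample extract; field names and tolerance are assumptions, not SAP columns.
PO_LINES = {
    ("PO-1", 10): {"material": "M-100", "qty": D(100), "price": D("12.50")},
    ("PO-2", 10): {"material": "M-200", "qty": D(40), "price": D("8.00")},
    ("PO-3", 10): {"material": "M-300", "qty": D(10), "price": D("99.00")},
}
GOODS_RECEIPTS = [("PO-1", 10, D(60)), ("PO-1", 10, D(40)), ("PO-2", 10, D(40)), ("PO-3", 10, D(8))]
INVOICES = [
    {"id": "INV-1", "po": "PO-1", "item": 10, "qty": D(100), "amount": D("1250.00")},
    {"id": "INV-2", "po": "PO-2", "item": 10, "qty": D(40), "amount": D("324.80")},  # +1.5% price
    {"id": "INV-3", "po": "PO-3", "item": 10, "qty": D(10), "amount": D("990.00")},  # only 8 received
    {"id": "INV-4", "po": None, "item": None, "qty": D(1), "amount": D("75.00")},  # non-PO invoice
]
MATERIAL_MASTER = {"M-100": D("12.50"), "M-200": D("8.00"), "M-300": D("90.00")}
PRICE_TOLERANCE = D("0.02")  # assumed: 2% unit-price variance is accepted


def reperform_three_way_match(po_lines, receipts, invoices, master, tol=PRICE_TOLERANCE):
    received, invoiced = defaultdict(D), defaultdict(D)
    for po, item, qty in receipts:
        received[(po, item)] += qty
    result = {"applicable": 0, "exact": 0, "within_tolerance": 0, "mismatch": [], "not_applicable": []}
    for inv in invoices:
        key = (inv["po"], inv["item"])
        if key not in po_lines:  # no PO reference: three-way match does not apply
            result["not_applicable"].append(inv["id"])
            continue
        result["applicable"] += 1
        invoiced[key] += inv["qty"]  # cumulative, so split invoices cannot over-bill a receipt
        po = po_lines[key]
        price_dev = abs(inv["amount"] / inv["qty"] - po["price"]) / po["price"]
        qty_ok = invoiced[key] <= min(received[key], po["qty"])
        if qty_ok and price_dev == 0:
            result["exact"] += 1
        elif qty_ok and price_dev <= tol:
            result["within_tolerance"] += 1
        else:
            result["mismatch"].append(inv["id"])
    result["pos_with_mismatch"] = sorted({i["po"] for i in invoices if i["id"] in result["mismatch"]})
    result["pct_within_tolerance"] = 100 * result["within_tolerance"] / max(result["applicable"], 1)
    # Purchase order price compared with material master price, independent of invoices.
    result["po_vs_master"] = {k[0]: p["price"] - master[p["material"]]
                              for k, p in po_lines.items() if p["price"] != master[p["material"]]}
    return result


REPORT = reperform_three_way_match(PO_LINES, GOODS_RECEIPTS, INVOICES, MATERIAL_MASTER)
```

Because every invoice in the extract is evaluated, the mismatch list is the residual-risk population for follow-up rather than a sample.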
Cover 100% of transactions
Increase control execution and testing efficiency
Provide objective and up-to-date information
Allow for root cause analysis of residual risks
Visualise results and facilitate reporting