Data-driven risk management for first and second lines of defence

How do you use data generated from business and IT processes for risk management and internal control (IC) purposes in an effective and efficient way? How can your data serve IC purposes by providing risk insights?

This article explains how data analytics can help IC practitioners gain a proper understanding of the processes to improve controls testing and execution. It starts by tapping into the data that’s already available in your enterprise resource planning (ERP) systems, while stepping away from traditional analysis methods like inquiry, manual data extraction and querying tables.

Why data analytics?

Driven by new technologies and rapid growth, business processes in large and mid-size companies are generating an increasing volume of transactions.

  • Challenges arise around full awareness of risks and the effectiveness of controls

  • Smart data techniques enable organisations to overcome these challenges through efficient and effective control execution by the first line of defence (LOD), and testing by the second LOD

Throughout a company’s journey to stay in control of business processes and risks, the first and second LOD can benefit from data analytics techniques that support an understanding of the process and risks, as well as the testing and execution of mitigating controls.

Process understanding and risk identification

There is often a discrepancy between the expected and actual outcomes of business processes, and between how the same process runs in different business entities. Rather than updating your understanding of the business process through (often subjective and incomplete) interviews, more objective and complete insights can be obtained through the use of data. Specifically, process mining techniques make use of factual transactional data to analyse the actual process and identify key risks like late purchase orders, approvals being bypassed and segregation-of-duties conflicts. With the data at hand, insights can easily be compared between entities in just a couple of clicks!

Example of a process flow benchmark between company BRAVO and company ALPHA

Control execution and testing

When testing and executing high-volume transaction controls, it’s very often about finding the right balance between completeness and efficiency. Data analytics, when properly applied, brings assurance to the total population with minimal effort. Due to their substantive nature, control execution and testing with smart data queries and clustering techniques will help assess the residual risk on 100% of the transactions.

Whether it’s an automated control, such as a three-way match or copy controls, or a manual control like a manual journal review, the first and second lines of defence can benefit greatly from data analytics to quantify and cover residual risks.

Three-way matching in the SAP MM module

The three-way matching control assures the accuracy of invoices. The SAP system allows automated matching to be configured in the SAP MM module. This report re-performs three-way matching by showing the volume of invoices for which three-way matching is applicable. It also details the volume of purchase orders that have mismatches, the percentage within accepted tolerances and purchase order pricing deviations from material master pricing.
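
An added example (not the report described here, and not SAP's own matching logic) of how such a re-performance can be computed over extracted purchase order, goods receipt and invoice data. The record layout, document numbers and the 2% price tolerance are constructed assumptions.

```python
from decimal import Decimal as D

# Constructed sample data; the field layout is hypothetical, not an SAP table schema.
PO_LINES = {  # (po, item) -> (ordered qty, unit price, material)
    ("4500001", 10): (D(100), D("5.00"), "M-01"),
    ("4500002", 10): (D(50), D("20.00"), "M-02"),
    ("4500003", 10): (D(10), D("99.00"), "M-03"),
}
GOODS_RECEIPTS = [("4500001", 10, D(60)), ("4500001", 10, D(40)),
                  ("4500002", 10, D(50)), ("4500003", 10, D(8))]
INVOICES = [  # (invoice, po, item, qty, unit price)
    ("INV-1", "4500001", 10, D(100), D("5.00")),  # exact match
    ("INV-2", "4500002", 10, D(50), D("20.30")),  # price +1.5%
    ("INV-3", "4500003", 10, D(10), D("99.00")),  # billed 10, received 8
    ("INV-4", None, None, D(1), D("250.00")),     # non-PO invoice, out of scope
]
MASTER_PRICE = {"M-01": D("5.00"), "M-02": D("20.00"), "M-03": D("90.00")}
PRICE_TOLERANCE = D("0.02")  # assumed 2% tolerance


def reperform_three_way_match(po_lines, receipts, invoices, master, tol):
    received, billed = {}, {}
    for po, item, qty in receipts:  # total goods received per PO line
        received[(po, item)] = received.get((po, item), D(0)) + qty
    out = {"applicable": 0, "exact": [], "within_tolerance": [], "mismatch": []}
    for inv, po, item, qty, price in invoices:
        if po is None:
            continue  # three-way match only applies to PO-based invoices
        out["applicable"] += 1
        key = (po, item)
        if key not in po_lines:
            out["mismatch"].append((inv, "unknown PO line"))
            continue
        ordered, po_price, _ = po_lines[key]
        billed[key] = billed.get(key, D(0)) + qty  # cumulative, covers partial invoices
        price_dev = abs(price - po_price) / po_price
        if billed[key] > min(ordered, received.get(key, D(0))):
            out["mismatch"].append((inv, "quantity exceeds ordered/received"))
        elif price_dev > tol:
            out["mismatch"].append((inv, "price outside tolerance"))
        else:
            out["exact" if price_dev == 0 else "within_tolerance"].append(inv)
    matched = len(out["exact"]) + len(out["within_tolerance"])
    out["pct_matched"] = 100 * matched // max(out["applicable"], 1)
    # PO price versus material master price, as a signed fraction of the master price
    out["po_vs_master"] = {k: (p - master[m]) / master[m]
                           for k, (_, p, m) in po_lines.items() if p != master[m]}
    return out
```

Because billed quantities are accumulated per purchase order line, a second partial invoice that pushes the total above what was received is flagged even when each invoice looks acceptable on its own.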

Example of a 3-way match re-performance based on actual data

Advantages of data-enabled first and second lines of defence

  • Cover 100% of transactions 

  • Increase control execution and testing efficiency

  • Provide objective and up-to-date information

  • Allow for root cause analysis of residual risks

  • Visualise results and facilitate reporting


Get in touch with one of our specialists


Wim Rymen

Partner, Brussels, PwC Belgium

+32 47 326 9227


Vincent Gaukema

Senior Manager, Brussels, PwC Belgium

+32 49 490 4064


Kristin De Rudder

Senior Manager, Brussels, PwC Belgium

+32 492 74 39 76


