The following is a contributed piece from Greg Buchanan, partner, Michael Costa, managing director, and Ed Levy, manager, of business management consulting firm StoneTurn. Opinions expressed are authors' own.
The pandemic presents challenging times for many corporate compliance and internal audit functions. Despite a new way of working, the mandate for compliance and internal audit professionals remains the same: identify and manage risks to the business. To do so, companies must continue strengthening their compliance programs, updating their risk assessments, adjusting audit plans and priorities, and tailoring internal controls.
For most companies, these internal challenges are mounting as resources are streamlined and other external factors arise. Nevertheless, the compliance and internal audit functions must provide assurances to senior management and boards of directors that they have taken steps to mitigate significant risks.
Compliance and internal audit teams must determine how to conduct effective compliance and internal audit testing procedures in this new world. The right solution will vary depending on the company's risk profile, results of risk assessments, and other variables such as the nature of the business and industry. However, the use of data analytics, which continues to be an efficient tool for compliance and internal audit professionals, has proven to be effective in ensuring necessary steps are being taken to mitigate fraud and abuse.
Data analytics and the risk-based approach
Data analytics let companies employ a risk-based approach and prioritize efforts where issues might arise. Organizations relying on random sampling when testing internal controls or conducting substantive testing over high-risk transactions rarely have material findings or meaningful audit procedure results; it's a needle in the haystack approach.
Well before COVID-19, data analytics was delivering value in compliance efforts. A good example is its use in identifying college admissions fraud. So, it's no surprise regulators increasingly turn to it in investigations.
In fact, the most recent update to Department of Justice guidelines regarding the effectiveness of corporate compliance programs encourages prosecutors to review whether compliance and control personnel have sufficient access, direct or indirect, to relevant data to allow for timely monitoring of the compliance program.
These questions indicate the DOJ expects a company to make compliance-related data readily available to the chief compliance officer and compliance function and to remedy any "impediments ... that limit access to relevant sources of data."
Since compliance and internal audit functions are increasingly doing more with less, here's some practical guidance on the importance of accessing data directly, how to best leverage data analytics by connecting disparate data sources, and how data analytics can add efficiency and effectiveness at this crucial time.
Data sources and direct data access
Remote testing is the new norm, and it provides a good indication of how we can expect internal audit teams to work in the foreseeable future. Collecting, assimilating and analyzing critical datasets to carry out compliance and/or internal audit procedures is essential.
For example, some data fields might be used to identify high-risk transactions, with the results providing a valuable subset of information. The internal audit team could use this information to determine the most appropriate audit procedure to reach a conclusion.
Not all data sources are created equal. Data quality is the most important part of data analytics. Data analytics ― and, specifically, direct access and data querying ― is a key component that second- and third-line defense personnel should consider to meet their objectives.
We have seen companies rely on local business units to provide information from data sources, which are available to them for purposes of performing their daily tasks. Far too often, however, a system's front-end users are not fully aware of the complexity of the data tables that might only be properly accessible through back-end queries.
This common misstep can create significant risks for the company, such as deriving an audit conclusion based on incomplete or inaccurate information.
Direct access to key underlying databases mitigates this potential issue. It allows compliance professionals and internal auditors to ensure the accuracy and completeness of the information by working directly with IT personnel.
Furthermore, direct data access also reduces the timeline to carry out testing procedures from days or weeks to minutes or hours, as business unit staff are not needed to serve as middlemen at this stage in the process (i.e., initial data collection stage).
Additionally, compliance professionals and internal auditors can understand data limitations and/or exceptions given their interactions with the appropriate IT experts and then determine the impact on the scope of their project.
Connecting disparate sources
Perhaps the most important impact data analytics can have on the effectiveness of compliance assessments and internal audits is in combining disparate data sources.
Case study: Multinational companies and anti-corruption risks.
Multinational companies using third parties, including agents, sales representatives, consultants, intermediaries and distributors, can pose significant risks under anti-corruption laws. These companies should conduct a review of interactions and payments made to these third parties, deemed higher risk on a periodic basis, to ensure adherence to anti-corruption laws and company policies.
To monitor and review this activity, several sources must be considered, such as information from the company's accounting systems, expense reporting systems, and due diligence databases, among other databases. To review these datasets more effectively, compliance and internal audit teams should use data analytics to assess whether anomalies such as the following require further investigation:
- Was a due diligence/competitive bid review performed on the vendor prior to transacting with them?
- Have third parties charged prices above fair market value? (This may be an indication of a bribe payment).
- Are transactions involving government officials being monitored in accordance with country-specific regulations and internal policies?
- Have high-risk transactions, such as discounts and commissions, been assessed for reasonableness?
Companies should also consider other high risks, such as potential conflicts of interest and other risks identified during the risk assessment process. The data analytics tests are then tailored for these specific risks. For example, compliance and internal audit teams might want to compare the vendor master file to the employee information system to determine if any conflict of interests exist. If an employee has an ownership stake in one of the company's vendors, it should raise a red flag.
In summary, many data analytics tests using key information in the hands of the company can be performed to mitigate risks. However, this information is likely located in disparate data sources, so understanding those data sources and connecting that information is essential.
Improving testing
Risk-based vs. random testing. Data analytics allows for compliance and internal audit personnel to select key transactions to test using a risk-based approach versus selecting transactions randomly. A risk-based testing approach shows that the organization is managing risks effectively, in relation to the risk appetite.
For example, if the company wanted to assess certain anti-corruption risks, companies should monitor and test transactions involving government officials in high-risk countries, including particular types of transactions (e.g., cash payment) and other attributes of interest.
Obviously, companies need to determine the appropriate quantitative (e.g., round dollar amounts) and qualitative factors (e.g., transactions involving high-risk third parties) that should be considered to risk-rank and identify high risk transactions on which to conduct further analyses. Using data analytics is the most efficient and effective way to do so.
Repeatability. Establishing parameters for data analytics tests initially requires some effort. Understanding system databases and data structures might have an associated learning curve and it will be necessary to examine other system-specific nuances. Also, in the first instance, critical data analytics tests used to identify key red flags will need to be created.
However, each subsequent compliance assessment and/or internal audit will benefit from this work and future work can be built upon a solid foundation. Repeatability in this sense does not just add efficiency, but it also establishes a process by which one data analyst can be expected to get the same or similar results as another.
Conclusion
With remote working likely here to stay for the foreseeable future, we are provided a glimpse into the new normal. The traditional approach of random sampling and onsite testing is almost certain to evolve to one involving more remote risk-based auditing procedures.
Therefore, it is critical for companies to leverage data analytics to tackle the corporate compliance and internal audit challenges of today and tomorrow.