Are your risk management and control measures effective?

John Verver

CPA CA, CMC, CISA

Once you’ve put controls in place to manage risks, how do you know they’re working? Find out how data analytics can help give you peace of mind.

Data analytics makes it possible to examine your risk and control processes more closely and reduce instances of control failures, something your ERP system can’t deliver.

An often (and surprisingly) missing step in risk and control monitoring is stopping to assess what’s working well and what’s not.

Traditionally, internal auditors and other internal control specialists review procedures, perform walkthroughs, and occasionally test sample transactions. They could be asked to confirm that the controls themselves are actually effective. But this is complicated and time consuming.

Data analytics has totally transformed risk assessment

The concept isn’t complicated: Use data analytics to examine every single transaction in an entire population of data (e.g., every recorded activity that took place within a financial or business process) to determine whether:

  1. The transaction complies with the control procedures in place.
  2. There may be risks and problems for which no effective control is in place.

You can do this by testing every transaction in multiple ways. For example, a payment amount to a vendor can be examined to determine that:

  • The vendor is valid, properly approved, and not duplicated in the vendor master file, and does not appear on a list of excluded individuals/entities, on a do-not-pay list, or in an FCPA politically exposed persons database.
  • The payment matches an invoice, goods received records, and a properly approved purchase order (PO), and there have been no attempts to circumvent approval controls (e.g., by splitting PO payments into smaller amounts just under an approval threshold).
  • Payments have not been duplicated due to erroneous or deliberate changes in invoice number details.

These are just a few examples, but data analysis can be used in countless ways to test a variety of internal controls, and create 100% data coverage. All of these analytics, and many more, can be set up and run in minutes. They can also be automated and repeated, designed to run on a regular basis.
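As an added illustration (not code from the original article or from any product it describes), the sketch below runs two of the tests listed above over every record rather than a sample: split POs kept just under an approval threshold, and duplicate payments hidden by edited invoice numbers. The threshold, the 7-day window, the record layouts and all sample records are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_THRESHOLD = 5000.00       # assumed: POs at or above this need approval
SPLIT_WINDOW = timedelta(days=7)   # assumed window in which split POs are grouped
# Constructed sample data: (po_id, vendor, requester, amount, date)
POS = [("PO-1", "V100", "alice", 4900.00, date(2024, 3, 4)),
       ("PO-2", "V100", "alice", 4800.00, date(2024, 3, 5)),
       ("PO-3", "V100", "alice", 4950.00, date(2024, 3, 6)),
       ("PO-4", "V200", "bob", 3000.00, date(2024, 3, 4)),
       ("PO-5", "V200", "bob", 2500.00, date(2024, 4, 20)),
       ("PO-6", "V300", "carol", 12000.00, date(2024, 3, 7))]
# Constructed sample data: (payment_id, vendor, invoice_no, amount)
PAYMENTS = [(1, "V100", "INV-00452", 4900.00), (2, "V100", "inv 452", 4900.00),
            (3, "V100", "INV-0453", 4800.00), (4, "V200", "2024/0017", 3000.00),
            (5, "V200", "2024-17", 3000.00), (6, "V300", "A-1005", 12000.00)]

def normalize_invoice(invoice_no):
    """Collapse case, leading zeros and separators so edited numbers collide."""
    no_zeros = re.sub(r"(?<!\d)0+(?=\d)", "", invoice_no.upper())
    return re.sub(r"[^A-Z0-9]", "", no_zeros)

def duplicate_payments(payments):
    """Same vendor and amount, invoice numbers identical after normalization."""
    seen = defaultdict(list)
    for pay_id, vendor, invoice_no, amount in payments:
        seen[(vendor, round(amount, 2), normalize_invoice(invoice_no))].append(pay_id)
    return [ids for ids in seen.values() if len(ids) > 1]

def split_purchase_orders(pos):
    """Sub-threshold POs, same vendor and requester, that together reach the threshold."""
    groups = defaultdict(list)
    for po in pos:
        if po[3] < APPROVAL_THRESHOLD:          # only POs that needed no approval
            groups[(po[1], po[2])].append(po)
    flagged = []
    for rows in groups.values():
        rows.sort(key=lambda po: po[4])
        for i, first in enumerate(rows):
            window = [po for po in rows[i:] if po[4] - first[4] <= SPLIT_WINDOW]
            ids = [po[0] for po in window]
            if len(ids) > 1 and sum(po[3] for po in window) >= APPROVAL_THRESHOLD:
                if not (flagged and set(ids) <= set(flagged[-1])):  # skip sub-windows
                    flagged.append(ids)
    return flagged

if __name__ == "__main__":
    print(duplicate_payments(PAYMENTS), split_purchase_orders(POS))
```

Flagged groups are leads for review, not findings: recurring fixed-fee invoices or legitimate repeat orders can match the same patterns.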

Leaders in our industry apply dozens of similar automated tests across transactions in each business process area on a regular basis to get insight into their process health.

Look at big data volumes to find odd trends or predict performance

Another important use of data analysis and monitoring is examining all the transactions that took place within a given business process to find problems and areas for improvement. Your data can reveal answers to questions like:

  1. Why are overtime payments, or travel expenses, unusually high in one specific office?
  2. Why is one vendor paid twice as much as other vendors for the same type of item?
  3. Why is a previously dormant account suddenly used for a series of journal entries?
  4. What trends indicate a problem that’s consistently worsening?
  5. What turns out to be far less of an actual problem than was originally thought?

Why not just rely on the controls in the ERP system?

It’s a fair question. In an ideal world, every business process application would have built-in controls that prevent any incorrect, invalid, or suspicious transactions from taking place.

But no control is perfect or foolproof. And adding more controls isn’t the answer. The more controls in place, the more processes become slow and bulky. Employees will get frustrated and come up with innovative ways to bypass controls just to get their work done. You also might not be able to have your ERP configured to match your process, especially when it’s a shared business service and may have several downstream impacts.

When data analysis and transaction monitoring are performed after the fact, it’s relatively simple to spot where the primary control weaknesses are happening. Problem transactions can be quickly identified and addressed. Control weaknesses that allowed the problem to occur can be strengthened to prevent a recurrence.

And, big bonus: transaction analysis and monitoring can actually become an additional level of control, both reinforcing those controls that are already in place and compensating for those ERP-based controls that are either not working effectively or not in place at all.
