By John Verver, CPA CA, CISA, CMC, advisor to ACL
Being able to review a reliable assessment of the risk and control universe is a great starting point, but your enterprise resource planning (ERP) system simply isn’t designed to help you here. The next essential (but often missing) step is to get insight into what is actually happening: what is working well and what is in reality a problem. It is here that ERP systems really start to let you down.
Traditionally, your internal auditors and other internal control specialists review procedures, perform walk-throughs and test sample transactions occasionally. You could also be asked to confirm that the controls you are responsible for are effective.
Data analytics transforms risk assessment
The new basic concept is not complicated: Use data analysis software to examine every transaction in an entire population of data (e.g., every recorded activity that took place within a financial or business process) to determine whether:
- The transaction complies with the control procedures that should be in place.
- There are indications that there are risks and problems for which no effective control is in place.
This is achieved by testing every transaction in multiple ways. For example, a payment amount to a vendor can be examined to determine that:
- the vendor is a valid one, properly approved, and not duplicated in the vendor master file, and is not included in a list of excluded individuals/entities, a do-not-pay list, or an FCPA politically exposed persons database
- the payment matches to an invoice, which matches to goods received records, which matches to a properly approved purchase order (PO) and that there have been no attempts to circumvent approval controls by splitting PO payments into smaller amounts just under an approval threshold
- payments have not been duplicated due to erroneous or deliberate changes in invoice number details.
Best-in-class leaders apply dozens of similar automated tests across transactions in each business process area on a regular basis to get insight into their process health.
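As an added illustration (not ACL's software or code from the original article), the sketch below runs two of the payment tests described above over constructed records: duplicates hidden by changes to invoice number formatting, and payments on separate POs that each fall under an approval threshold but together reach it. The record layout, the 10,000 threshold and the 7-day window are assumptions.

```python
import re
from collections import defaultdict
from datetime import date, timedelta
from itertools import combinations

APPROVAL_THRESHOLD = 10_000.00    # assumed approval limit
SPLIT_WINDOW = timedelta(days=7)  # assumed window for related payments

# Constructed sample data: (payment_id, vendor_id, invoice_no, po_no, date, amount)
PAYMENTS = [
    ("P1", "V100", "INV-00123", "PO-1", date(2024, 3, 1), 4200.00),
    ("P2", "V100", "inv 123",   "PO-1", date(2024, 3, 9), 4200.00),
    ("P3", "V200", "A-77",      "PO-2", date(2024, 3, 4), 9500.00),
    ("P4", "V200", "A-78",      "PO-3", date(2024, 3, 5), 9800.00),
    ("P5", "V300", "77",        "PO-4", date(2024, 3, 4), 1500.00),
    ("P6", "V200", "A-90",      "PO-5", date(2024, 4, 20), 9900.00),
]

def normalize_invoice(invoice_no):
    """Collapse case, punctuation and leading zeros so INV-00123 == inv 123."""
    cleaned = re.sub(r"[^A-Z0-9]", "", invoice_no.upper())
    return re.sub(r"(?<![0-9])0+(?=[0-9])", "", cleaned)

def duplicate_payments(payments):
    """Group payments sharing vendor, normalized invoice number and amount."""
    groups = defaultdict(list)
    for pid, vendor, invoice, _po, _day, amount in payments:
        groups[(vendor, normalize_invoice(invoice), round(amount, 2))].append(pid)
    return sorted(ids for ids in groups.values() if len(ids) > 1)

def split_purchases(payments, threshold=APPROVAL_THRESHOLD, window=SPLIT_WINDOW):
    """Pairs to one vendor on different POs, each under the threshold,
    close together in time, that together reach or exceed it."""
    hits = []
    for a, b in combinations(sorted(payments, key=lambda p: p[4]), 2):
        same_vendor = a[1] == b[1] and a[3] != b[3]
        both_under = a[5] < threshold and b[5] < threshold
        if same_vendor and both_under and b[4] - a[4] <= window and a[5] + b[5] >= threshold:
            hits.append((a[0], b[0]))
    return hits

if __name__ == "__main__":
    print("possible duplicates:", duplicate_payments(PAYMENTS))
    print("possible split purchases:", split_purchases(PAYMENTS))
```

Both functions return candidates for review, not confirmed problems: a recurring fixed-fee invoice or two unrelated orders to the same vendor can match the same patterns.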
Using data to find unusual trends
Another important form of data analysis and monitoring is to examine all the transactions that took place within a given business process in search of problems and opportunities to improve. Your data is very telling in response to questions like:
- Why are overtime payments, or travel expenses, unusually high in one specific office?
- Why is one vendor paid twice as much as other vendors for the same type of item?
- Why is a previously dormant account suddenly used for a series of journal entries?
- What trends indicate a problem that’s consistently worsening?
- Or what turns out to be far less of an actual problem than was originally thought?
Why not rely on the ERP system?
It is a fair question. In an ideal world, every business process application would have built-in controls that prevent any erroneous, invalid or suspicious transactions from taking place.
Unfortunately, the reality is that no control is perfect or foolproof. And adding more controls isn’t necessarily the answer: the more controls that are in place, the more likely that processes become unacceptably slow and cumbersome—spurring employees to come up with innovative ways to bypass controls just to get their work done. Furthermore, you may not be able to easily have your ERP configured to match your process, especially when it’s a shared service across multiple organizations and your change may have several unforeseen downstream impacts.
When data analysis and transaction monitoring are performed after the fact, it is relatively simple to determine where the primary control weaknesses are occurring. Problem transactions can be quickly identified and addressed. Control weaknesses that allowed the problem to occur can be strengthened to prevent a recurrence. And no one has to stay late jumping through hoops.
And, big bonus: transaction analysis and monitoring can actually become an additional level of control, both reinforcing those controls that are already in place and compensating for those ERP-based controls that are either not working effectively or not in place at all.