This common misstep can create significant risks for the company, such as deriving an audit conclusion based on incomplete or inaccurate information.
Direct access to key underlying databases mitigates this potential issue. It allows compliance professionals and internal auditors to ensure the accuracy and completeness of the information by working directly with IT personnel.
Furthermore, direct data access also reduces the timeline to carry out testing procedures from days or weeks to minutes or hours, as business unit staff are not needed to serve as middlemen at this stage in the process (i.e., initial data collection stage).
Additionally, compliance professionals and internal auditors can understand data limitations and/or exceptions given their interactions with the appropriate IT experts and then determine the impact on the scope of their project.
Connecting disparate sources
Perhaps the most important impact data analytics can have on the effectiveness of compliance assessments and internal audits is in combining disparate data sources.
Case study: Multinational companies and anti-corruption risks.
Multinational companies using third parties, including agents, sales representatives, consultants, intermediaries and distributors, can pose significant risks under anti-corruption laws. These companies should conduct a review of interactions and payments made to these third parties, deemed higher risk on a periodic basis, to ensure adherence to anti-corruption laws and company policies.
To monitor and review this activity, several sources must be considered, such as information from the company’s accounting systems, expense reporting systems, and due diligence databases, among other databases. To review these datasets more effectively, compliance and internal audit teams should use data analytics to assess whether anomalies such as the following require further investigation:
- Was a due diligence/competitive bid review performed on the vendor prior to transacting with them?
- Have third parties charged prices above fair market value? (This may be an indication of a bribe payment).
- Are transactions involving government officials being monitored in accordance with country-specific regulations and internal policies?
- Have high-risk transactions, such as discounts and commissions, been assessed for reasonableness?
Companies should also consider other high risks, such as potential conflicts of interest and other risks identified during the risk assessment process. The data analytics tests are then tailored for these specific risks. For example, compliance and internal audit teams might want to compare the vendor master file to the employee information system to determine if any conflict of interests exist. If an employee has an ownership stake in one of the company’s vendors, it should raise a red flag.