In summary, many data analytics tests using key information in the hands of the company can be performed to mitigate risks. However, this information is likely located in disparate data sources, so understanding those data sources and connecting that information is essential.
Risk-based vs. random testing. Data analytics allows for compliance and internal audit personnel to select key transactions to test using a risk-based approach versus selecting transactions randomly. A risk-based testing approach shows that the organization is managing risks effectively, in relation to the risk appetite.
For example, if the company wanted to assess certain anti-corruption risks, companies should monitor and test transactions involving government officials in high-risk countries, including particular types of transactions (e.g., cash payment) and other attributes of interest.
Obviously, companies need to determine the appropriate quantitative (e.g., round dollar amounts) and qualitative factors (e.g., transactions involving high-risk third parties) that should be considered to risk-rank and identify high risk transactions on which to conduct further analyses. Using data analytics is the most efficient and effective way to do so.
Repeatability. Establishing parameters for data analytics tests initially requires some effort. Understanding system databases and data structures might have an associated learning curve and it will be necessary to examine other system-specific nuances. Also, in the first instance, critical data analytics tests used to identify key red flags will need to be created.
However, each subsequent compliance assessment and/or internal audit will benefit from this work and future work can be built upon a solid foundation. Repeatability in this sense does not just add efficiency, but it also establishes a process by which one data analyst can be expected to get the same or similar results as another.
With remote working likely here to stay for the foreseeable future, we are provided a glimpse into the new normal. The traditional approach of random sampling and onsite testing is almost certain to evolve to one involving more remote risk-based auditing procedures.