Beyond GRC tools – Analytics for internal audit and fraud discovery
In a sense, SOX was landmark legislation. It altered the audit and internal control landscape forever. Internal controls existed before SOX, but SOX brought them to the forefront.
The first couple of years of SOX compliance were a nightmare for companies. Every company set up a project office reporting to the CFO. Looking back, both the consultants and the companies were a bit unsure about SOX compliance. Most companies were uncertain about the extent of controls to be monitored. Gradually, the controls were rationalized, that is, the number of controls to be monitored was reduced. Similarly, controls were optimized, i.e. redundant controls were removed from the process. This improved process efficiency.
In terms of automation, first came various document management tools, which helped companies keep all documentation in a single repository instead of in spreadsheets scattered across desktops. Some web-based GRC tools were introduced to manage the entire compliance function. They stored all process, risk and control documentation, as well as test plans and results. Workflow-enabled tasks were introduced. The focus was on automating the compliance process.
Then came GRC tools that performed automated testing. They significantly reduced the effort required for testing controls and also improved the quality of testing. They fetched data from the source ERP system and performed analysis. Thus, automation shifted to controls monitoring.
Now the focus is on automating control execution. If a control is automated, it can be tested by GRC tools, thereby automating testing.
While GRC usage has resulted in a significant improvement over manual testing of controls, technology is now available to look beyond GRC tools. Most GRC tools cannot process huge volumes of transaction data. Even if they could, there is a limit on the types of analysis they can do.
As with other areas, analytics can greatly enhance the efficacy of audit, particularly internal audit. There are many sophisticated tools available today to analyze millions of records. Combinations of results can be analyzed to eliminate false positives, for example an open PO used for a dormant vendor. The technology available is not restricted to Fortune 500 companies.
Auditors can audit the entire data set instead of sampling, and do so quickly. Over time, when the data is sufficiently large, predictive analysis can also be performed, for example to predict when a particular vendor will delay a supply or which customer is likely to default on payment. Such analysis is not confined to financial data or data within the ERP. One powerful feature is the ability to analyze data in light of third-party data that is publicly available on various government websites, third-party maps or even social media. Both structured and unstructured data can be analyzed.
Another area where analytics can help is fraud. The world over, significant revenue is lost to fraud. Since it is possible to analyze huge amounts of data, the auditor can dissect anomalies using different parameters to identify suspicious transactions. Of course, some field work may be required to confirm a fraudulent transaction. For example, you need to approach your banker to identify the ultimate beneficiary of a manual check payment or the account to which the money was transferred.
With advances in technology, using analytics for audit does not require a huge investment. As mentioned earlier, it is no longer limited to Fortune 500 companies. It also calls for compliance professionals and auditors to embrace the technology. While they may not be required to code or write scripts, it is imperative that they are well versed in its features and limitations.
In the next series, I will discuss the key technology features where analytics can help consultants and auditors.