Earlier this week I eavesdropped on a webcast hosted by Financial Executives International, talking about how data analytics continues to march its way into the heart of auditing. Almost every compliance officer would say that analytics is marching its way into corporate compliance as well, but let’s be honest—the audit world is ahead of the compliance world on this front.
So let me describe a few insights about data analytics for auditing, and how they may (or may not) apply to data analytics for compliance.
First, internal audit has an edge here because so often it deals in financial transactions, with business processes that lend themselves to bulk analysis. Maybe you start with the purchase-to-payment cycle, looking for duplicate payments; that’s a fairly straightforward exercise. Then you can move on to travel and entertainment spending, or perhaps look at spending patterns on company credit cards to see whether anyone is splitting one big purchase across multiple payments to evade spending limits.
The basic unit in all of those examples is the dollar (or some other currency). Dollars tend to float around the economic world, so you have plenty of records from other parties (banks, vendors, customers) that let you compare one set of data to another. And internal auditing is a big business, so it’s no surprise that software vendors—ACL, CaseWare Analytics, Oversight Systems, to name only a few—fall all over themselves to offer analytics tools.
Compliance analytics is an order of magnitude more complicated.
Let’s take the example of analyzing your due diligence program to find high-risk third parties. The lynchpin to successful data analytics is having good data to analyze—so first, you need to trust that any outside vendor you use to provide screening of third parties (World-Check, Kroll, Arachnys or one of those outfits) is performing well.
But that’s only half the battle of ensuring you have good data. You also need to ensure that your employees hiring these third parties follow due diligence procedures and, ya know, actually record the right data about your third parties. To put it another way: you need a robust Know Your Customer compliance program before you can even begin to perform useful analytics. So you need strong training on due diligence procedures, and a high degree of confidence in the accuracy of your data.
Over in the internal audit department, where they’re analyzing travel expenses, all that is much easier. The data is much more likely to be in standardized format. You can confirm reported transactions against multiple sources. If all else fails, internal audit can also use the nuclear option, and refuse to allow reimbursement to an employee until he or she cooperates on documentation.
Compliance analytics will have it harder. Your employee might mean well and try to collect data to be entered into a third-party database, but miss one or two fields. He might misspell a name. She might not know that in China, people often change their names when they move into “the city” for their upwardly mobile career. Maybe the data gets recorded in Excel, and of course, nothing ever goes wrong when that happens. And if all else fails, employees can try their own nuclear option of telling more senior executives, “Compliance is holding up the business and we need to get this done.” Sure, you might have great executive support that overrules the employee, but you’re still wasting time having that conversation.
Know What You Need to Know
That’s just an example from due diligence. Compliance officers will face similar questions when you want to analyze hotline data, or perhaps closure rates for litigation or internal investigations. Are you recording useful data correctly? Are you recording it in a format that lends itself to analysis?
Many times, the data itself isn’t crucial for good analytics; it’s the data about the data—that is, the characteristics that describe the raw data—that give compliance officers the most insight. Which means you, the chief compliance officer, need to think carefully when you are building a new compliance process, to be sure that it generates data you can analyze later. (You can read a previous post about hotline metrics for a deeper look at this point.)
That task isn’t as daunting as it seems if you just remember—this is what people mean when they say compliance professionals must “know the business.” Knowing the business is code for understanding the flow of activity in your company. Yes, that means you need to work closely with business operations leaders in the First Line of Defense, and your enterprise risk assessments will need to be timely and accurate. (So be nice to the internal audit folks down the hall doing that assessment.)
But once you understand the business, you can describe the data you want to capture about it. Then the task is just a matter of working with the right IT vendors to analyze all that data.
Which will be the subject of another column, on another day.
In a Related Vein
Compliance officers in the Boston area, don’t forget: Convercent will be hosting a luncheon on Tuesday, July 19, to talk about many of these same subjects. Attendance is free, but registration is required and I’m told only three seats remain. This is a great chance to talk shop with your peers, so if you are in town and interested, sign up and I’ll see you there.