Being able to review a reliable assessment of the risk and control universe is a great starting point, but your enterprise resource planning (ERP) system simply isn’t designed to help you here.
The next essential (but often missing) step is to get insight into what is actually happening: what is working well and what is in reality a problem. It is here that ERP systems really start to let you down.
Traditionally, your internal auditors and other internal control specialists review procedures, perform walk-throughs and test sample transactions occasionally. You could also be asked to confirm that the controls you are responsible for are effective.
Data analytics has fundamentally transformed risk assessment
The new basic concept is not complicated: Use data analysis software to examine every transaction in an entire population of data (e.g., every recorded activity that took place within a financial or business process) to determine whether:
This is achieved by testing every transaction in multiple ways. For example, a payment amount to a vendor can be examined to determine that:
Best-in-class leaders apply dozens of similar automated tests across transactions in each business process area on a regular basis to get insight into their process health.
Examine big data volumes to find unusual trends and predict performance
Another important form of data analysis and monitoring is to examine all the transactions that took place within a given business process in search of problems and opportunities to improve. Your data is very telling in response to questions like:
- Why are overtime payments, or travel expenses, unusually high in one specific office?
- Why is one vendor paid twice as much as other vendors for the same type of item?
- Why is a previously dormant account suddenly used for a series of journal entries?
- What trends indicate a problem that’s consistently worsening?
- Or what turns out to be far less of an actual problem than was originally thought?
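Two of the questions above (the dormant account that suddenly receives journal entries, and the vendor paid about twice as much as others for the same item) can be run as tests over a full population of transactions. The following is an added example, not code from the original page; the records are constructed sample data, and the function names and thresholds (180 idle days, 3 entries within 7 days, a 2x price ratio) are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import date
from statistics import median

# Constructed sample data: (account, posting date) journal entries.
JOURNAL = [("1000", date(2023, 1, 9)), ("1000", date(2023, 2, 6)),
           ("1000", date(2023, 3, 6)), ("2950", date(2022, 4, 1)),
           ("2950", date(2023, 3, 1)), ("2950", date(2023, 3, 2)),
           ("2950", date(2023, 3, 3))]
# Constructed sample data: (vendor, item, quantity, amount paid).
PAYMENTS = [("V-01", "toner", 10, 500.0), ("V-02", "toner", 4, 208.0),
            ("V-03", "toner", 5, 525.0), ("V-01", "paper", 20, 100.0),
            ("V-02", "paper", 10, 52.0)]

def dormant_reactivations(entries, dormant_days=180, burst=3, window_days=7):
    """Accounts idle for dormant_days, then hit by >= burst entries in window_days."""
    by_account = defaultdict(list)
    for account, posted in entries:
        by_account[account].append(posted)
    flagged = []
    for account, dates in sorted(by_account.items()):
        dates.sort()
        for i in range(1, len(dates)):
            if (dates[i] - dates[i - 1]).days >= dormant_days:
                # Count the entries that follow the idle gap within the window.
                run = [d for d in dates[i:] if (d - dates[i]).days <= window_days]
                if len(run) >= burst:
                    flagged.append((account, dates[i], len(run)))
                    break
    return flagged

def price_outliers(payments, ratio=2.0):
    """Vendors whose unit price is >= ratio x the median of the other vendors."""
    totals = defaultdict(lambda: [0, 0.0])  # (item, vendor) -> [qty, amount]
    for vendor, item, qty, amount in payments:
        totals[(item, vendor)][0] += qty
        totals[(item, vendor)][1] += amount
    unit = {key: amt / qty for key, (qty, amt) in totals.items()}
    flagged = []
    for (item, vendor), price in sorted(unit.items()):
        peers = [p for (i, v), p in unit.items() if i == item and v != vendor]
        if peers and price >= ratio * median(peers):
            flagged.append((item, vendor, round(price / median(peers), 2)))
    return flagged

if __name__ == "__main__":
    print(dormant_reactivations(JOURNAL))
    print(price_outliers(PAYMENTS))
```

Each flagged row is a lead for review rather than a finding: a reactivated account or a price gap can have a legitimate explanation that only the supporting documents show.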
Why not just rely on the controls in the ERP system?
It is a fair question. In an ideal world, every business process application would have built-in controls that prevent any erroneous, invalid or suspicious transactions from taking place.
Unfortunately, the reality is that no control is perfect or foolproof. And adding more controls isn’t necessarily the answer: the more controls that are in place, the more likely that processes become unacceptably slow and cumbersome—spurring employees to come up with innovative ways to bypass controls just to get their work done. Furthermore, you may not be able to easily have your ERP configured to match your process, especially when it’s a shared service across multiple organizations and your change may have several unforeseen downstream impacts.
When data analysis and transaction monitoring are performed after the fact, it is relatively simple to determine where the primary control weaknesses are occurring. Problem transactions can be quickly identified and addressed. Control weaknesses that allowed the problem to occur can be strengthened to prevent a recurrence. And no one has to stay late jumping through hoops.
And, big bonus: transaction analysis and monitoring can actually become an additional level of control, both reinforcing those controls that are already in place and compensating for those ERP-based controls that are either not working effectively or not in place at all.