The following is CCI Publisher Maurice Gilbert’s interview with John Verver, VP, Strategy at ACL. Mr. Verver is a Chartered Accountant, Certified Management Consultant, and Certified Information System Auditor, as well as a member of the Center for Continuous Auditing’s advisory board.
Big Data is a hot topic right now – how does it relate to GRC and the practical issues of risk management and compliance?
The term Big Data is used in a wide range of contexts, but it generally refers to the gathering and integration of data from various sources, both traditional and non-traditional, in order to obtain better insights into customers, prospects, market opportunities, and corporate performance. Although it is not often used in reference to risk management, controls, and compliance, it’s interesting to note that analysis of very large volumes of data from disparate sources has played a significant role in GRC for at least the past 10 years.
Could you elaborate?
It all depends on the particular industry, but many people think about Big Data in terms of improving effectiveness of sales and marketing by combining data from various sources, such as web analytics, customer demographics, marketing program response, sales patterns, and supplier activity, in a way that leads to more targeted marketing initiatives.
In the world of internal audit, fraud detection, and compliance, this idea is far from new. For many years, internal auditors have been analyzing massive amounts of data from all sorts of sources to find instances of fraud, error, abuse, and non-compliance.
Can you provide some specific examples?
Let’s take a common business process area, such as a purchasing and payment system. In many large multinational organizations that have hundreds of subsidiaries and multiple ERP and accounting systems, there can easily be hundreds of millions of transactions, worth many billions of dollars, flowing through these systems on an annual basis.
In theory, there should be controls in place to prevent fraud, error, and other undesirable things from happening. In practice, it is almost impossible to control every aspect of any payment system. Computer systems are only as good as the way in which they are programmed and configured. As soon as human interaction becomes involved, plenty of opportunities for things to go wrong are introduced. The result is that there are usually significant risks of controls being circumvented or breaking down, resulting in undetected fraud by employees or vendors, duplicate payments, corrupt payments, or bribes.
This is where data analysis comes into play. Imagine if every single purchase order, goods received record, invoice, and payment from every system within a global organization was brought together, analyzed, and tested in 20 different ways. Then, let’s assume that the data could then be matched against all employee data, vendor data, and prohibited vendor databases.
This process, whether performed as part of internal audit procedures or as part of a continuous risk monitoring program, can provide unique insights into control weaknesses and specific problem transactions. This is exactly what internal and external auditors have been doing for years. Now, risk management and compliance professionals are increasingly applying the approach as well.
What about examples that are specific to regulatory compliance?
This is probably one of the fastest growing areas of Big Data monitoring. Take the Foreign Corrupt Practices Act (FCPA) as an example. At a fundamental level, this monitoring involves testing every payment transaction against a PEP (Politically Exposed Person) database to see if there is evidence of a payment prohibited by the FCPA. A more sophisticated approach is to examine payment transactions and look for more subtle indicators of FCPA violations. This may involve text searches for terms such as “facilitation payments” or “donations.” It could also involve analyzing patterns of usage of unusual offshore bank accounts or suspicious journal entries.
There are so many areas of compliance issues in closely regulated industries, such as healthcare, finance, and insurance, that there are almost unlimited opportunities for using Big Data analysis. Large corporations in all of these industries typically process millions, or even billions of transactions per year.
So far you have referred primarily to payment systems. Do you have examples of other areas where very large volume data analysis can be used in risk management and compliance?
In practice, this approach can be applied across virtually any business process area, such as the revenue or order-to-cash cycle, as well as inventory or supply chain management. It is also used heavily in industry-specific applications at financial, insurance, and healthcare institutions, where it can be a very effective way of monitoring risks involving loans, claims, and patient care procedures. Usage is not confined to financial and accounting systems, as it can be applied to any operational area or business process that involves large volumes of transactions that may pose risks if procedures don’t work as intended.
How does Big Data analysis fit into GRC processes?
In order to be truly effective, it is important to integrate data analysis and monitoring closely into risk management and compliance processes. For example, risk management involves identifying the range of risks that an organization faces, assessing and prioritizing them, and then determining the best way to efficiently and effectively mitigate the risk. This usually involves implementing and managing various forms of control procedures to reduce the likelihood of a risk turning into an actual problem. Big Data analysis is highly effective in determining if control procedures are in fact working effectively and risks being properly managed.
The results of ongoing risk and control monitoring procedures provide insight into specific transactions that represent the actual occurrence of risks, such as errors, operational breakdowns, fraud, or failure to comply with regulations. They also provide very valuable information on trends that indicate patterns of increasing or decreasing risk, which can then be appropriately addressed through risk management processes
To what extent can these data analysis processes be automated?
To a relatively high degree. In most cases, Big Data analysis for GRC is best performed on a continuous, or regularly recurring basis. This could mean a daily analysis of every payment or billing transaction or a bi-weekly testing of payroll or operational process. The important thing is to perform the analysis on a timely basis, so that instead of finding out about a risk and control problem months after it actually began to occur, it can be found quickly and addressed before the risk escalates into something that can have a significant negative impact on a corporation.
How widely is this form of Big Data analysis for GRC actually performed in practice?
Certain aspects of this approach are used in many corporations in specific functions such as audit or regulatory compliance. At present, few organizations use this approach across multiple financial and operational areas as part of enterprise-wide risk management (or ERM). However, this is where the greatest benefit can occur. By providing executive management with ongoing, timely insight into risk trends and profiles across the entire enterprise, organizations can achieve the greatest value. In many ways, this approach to using Big Data can be thought of as “data-driven GRC”.
John Verver is acknowledged internationally as an expert authority and thought leader on the application of data analysis technology in audit, risk management, and compliance. He is regularly asked to speak at global audit, compliance, risk, and control conferences and is a member of the advisory board of the Continuous Auditing Research Lab. John was also a key contributor to the Institute of Internal Auditors’ Global Technology Audit Guide #3 on continuous auditing, assurance monitoring, and risk assessment.
John Verver is currently a strategic advisor to ACL. Until recently he was a vice president with ACL, with overall responsibility for ACL’s product and services strategy, as well as for relationships with key organizations in the audit, compliance, risk, and control market. His previous responsibilities at ACL included leadership and growth of ACL’s professional services organization, including consulting, training, and technical support. He led the overall development of ACL’s industry-transforming continuous controls monitoring solution.
Prior to joining ACL, John spent 15 years with Deloitte in the UK and Canada. During his tenure, he was director of computer services, with responsibility for IT audit and security services, as well as accounting systems consulting and implementation. He subsequently became a principal, responsible for building and managing the system development and implementation practice in British Columbia.
John is a Chartered Accountant, Certified Management Consultant and Certified Information System Auditor. He has served on the Council of the Institute of Management Consultants of British Columbia and on committees of the Institute of Chartered Accountants of BC. He has an honors degree from King’s College, University of London, England.