Point of view

Internal control analytics: Six steps to prevent improper payments

  • Facebook
  • Twitter
  • Linkedin
  • Email

To avoid the risk of material financial leakage and meet the demands from increased regulatory pressure, organizations must find and fix improper financial transactions and broken business processes. Traditional measures are proving inadequate due to growing business complexities. As a result, companies are becoming vulnerable to heavy losses, bad publicity, and, in some instances,bankruptcy. Faced with these challenges, forward-looking companies are adopting internal control analytics (ICA)—a process that analyzes terabytes of data from disparate sources, provides insights on control KPIs, highlights fraud, and flags improper transactions.

Delivering the full value from ICA, however, requires intelligent analytics through processes that enable Data-to-Insight-to-Action and continuous improvement.

To introduce ICA successfully, enterprises should undertake six steps:

  1. Build a strong foundation
  2. Access the right data
  3. Analyze data
  4. Manage exceptions
  5. Create visibility and catalyze action
  6. Drive continuous improvement

These steps can generate significant improvements in their transaction monitoring operations,processes, and assurance metrics, while also mitigating financial and regulatory risks.

Traditional controls are prone to failure while the stakes get higher

The lack of central ownership for transaction control and monitoring, combined with the absence of standard technology and processes, makes it difficult for enterprises to monitor key risks and critical transactions. The biggest challenge is trying to stay on top of all of the financial transactions that flow through the books. Evaluating whether an exception is genuine can be difficult if there are a large number of business-as-usual exceptions accompanied by significant process complexity.

Organizations can make erroneous payments for many reasons, from accidental double invoicing to willful acts of employee or contractor fraud.Traditional controls over payments include approvals as preventive controls and rudimentary duplicate checks before payments. These controls are not error-proof, standardized, or timely enough to stop payments or identify instances of over payment. Centralizing payment processes and anti-fraud measures like the USA Patriot Act and Europe's Financial Services Action Plan have provided additional incentives for companies to tighten financial controls.

Addressing the problem

Organizations are coming to terms with these transaction challenges by adopting one or more of the following measures:

  • Standardizing and simplifying business processes
  • Increasing accountability for processes and controls
  • Changing the role of internal audit from a policing agency to an independent business advisor
  • Creating and empowering internal controls departments

Key among these activities is the ability of organizations to monitor and mine all available data for business insights and red flags. In order to do so, companies are adopting internal control analytics, which enables them to extract and analyze transaction data in near real time.

With the use of analytics, organizations can run their customer order processing, purchasing, and other business-critical transactions through preset filters, such as value thresholds and data completeness parameters. These exceptions reports act as an early warning system for potential business risks and regulatory non-compliance and reduce the risk of material financial leakage.

An effective organization-wide ICA program must be tightly aligned to business outcomes to eliminate unnecessary interventions, increase compliance, and reduce audit costs. By incorporating analytics in transaction monitoring, multiple business functions, including finance, procurement, and human resources, can benefit from the Data-to-Insight-to-Action arc to deliver Intelligent OperationsSM. They can then continuously improve by responding to insights and modifying processes, technology, and organizational models.

To run internal control analytics effectively, there are six key steps to follow:

1. Build a strong foundation
Before implementing a ICA program, organizations must establish a control environment that is linked to business objectives by assessing and identifying the:

  • Key risks to organizational goals
  • Current control environment
  • Controls that can be tested using analytics
  • Frequency for monitoring the controls
  • Data that can be used to measure the effectiveness of the controls

2. Access the right data
As a result of the high volume of mergers in the past two decades, many large organizations are juggling a patchwork of systems. Before an organization can attempt ICA, it must be able to extract data from every disparate system in its universe. To ensure that a business has clean data that can be easily extracted and analyzed, it should develop:

  • Pre-built data request templates by process, vendor, analysis, and type of enterprise resource planning (ERP) system
  • Custom scripts to automatically and rapidly extract data
  • Standard analytics libraries supporting numerous processes
  • Skills and experience in data gathering, and ensuring the accuracy and integrity of data, before analyzing and interpreting extracted data in real time

3. Analyze data
Large organizations process thousands of transactions each day, so detecting fraud or other irregularities is like finding a needle in a haystack.Organizations can only succeed if they have access to the most sophisticated algorithms and analytics.By identifying error patterns, cutting-edge analytics tools can enable organizations to take immediate corrective action, offering:

  • Heuristic algorithms that learn and improve continuously
  • Predictive logic, including fuzzy logic and pattern recognition, to enable behavioral analysis
  • Granular and actionable insights by process and sub-process, IT system, and nature of transaction
  • Lists of analytics performed under each function and sub-function, with detailed sub-analytics by process, vendor, and ERP system

4. Manage exceptions
Most organizations can't quickly identify which out of countless exceptions that occur each day are truly worth investigating. To stay on top of its data in real time, organizations must be proficient in exception management and root-cause diagnostics to close process gaps. This requires:

  • Risk profiling of exceptions based on factors such as process type, vendor, or criticality
  • Following-up genuine exceptions, and recommendations on process, and implementing technology fixes
  • Determining and managing genuine exceptions

5. Create visibility and catalyze action
Very often control assurance activities are hard pressed to demonstrate real benefits in terms of either risk reduction or cost savings.Management teams need comprehensive reports and documentation for every relevant exception.This enables executives to take action against fraud or compliance failures. It also helps organizations measure the real value added by control monitoring mechanisms like ICA. Finance teams should be able to deliver:

  • Granular reporting of exceptions based on criteria such as process type, vendor, or ERP system
  • Assessments of the root cause of the exception, and validation with the business/process owner
  • Details of initiatives, including process changes or technology improvements, that can eliminate exceptions
  • Recommendations on new analytics based on reporting and business changes

6. Drive continuous improvement
While control monitoring systems start flagging irregular transactions, organizations must remember that this is an ongoing learning process as types of waste, fraud, and abuse continue to change. To stay abreast of the latest trends, organizations need to adapt and continually fine tune their analytics scripts, and incorporate learnings from previous exceptions and false positives to make analytics more effective.

Improved financial outcomes with lower risk

Even as the risks of financial irregularities have grown, significant improvement in operating, process, and assurance metrics can be achieved through ICA (figure 1). Companies can expect to achieve:

  • Bottom-line growth up to 0.5% and top line growth of up to 1% upon coverage of all major transactions, for example, source to pay, order to cash, record to report, travel and entertainment, and payroll
  • Up to 100% audit coverage of transactions, providing improved assurance towards organizational and regulatory compliance
  • Up to 30% reduction in audit costs due to pragmatic use of technology

A robust yet dynamic analytical system helps organizations embed an effective early warning system for control lapses and their consequences. ICA enables companies to safeguard their businesses from revenue loss and reputational damage.

Visit our Risk and Compliance solutions

Learn More

Case Study

How an analytics-based framework identifies erroneous refunds for a multinational company 

Challenge - The accounts payable and accounts receivables team at a global pharmaceutical and consumer healthcare company was granting excess discounts to customers. Some refund requests received reimbursements far beyond those required by contracts thanks to duplicate remittances.

Solution - Genpact ran a detailed analysis to understand the rules and transaction level configurations used to determine cash discounts. It then scripted the logic necessary to identify the right discounts.

Impact - Genpact’s analytics capabilities helped identify ~$20 million in erroneous discounts granted to customers and enabled the company to prevent them from reoccurring in the future.

This paper was authored by Subhashis Nath, Global Senior Partner for Corporate Governance and Controllership Solutioning at Axis Risk Consulting, owned by Genpact.

Figure1: Significant improvement in operating, process and assurance metrics can be achieved through ICA