How data analytics bolster a hybrid approach to controls testing

In recent years, advances in data analytics have made it possible for retail organizations to review large volumes of transactions at either a real-time or close to real-time basis. To that end, many companies are now using data analytics to perform a broader review of all transactions within the organization, which enables them to identify emerging trends and take steps to improve sales by modifying prices in real time. They can also use this data to shift current and future inventory allocations to locations/regions where items are flying off the shelves. As retail companies further embrace data analytics to monitor activity, analyze inefficiencies and forecast trends, internal audit and internal control organizations must also pivot to perform more efficient and effective analysis of financially relevant and related business controls.

Until now, however, few organizations have considered applying data analytics to controls testing to determine whether risks related to revenue recognition/tender, inventory movements, sales discounts and the application of customer loyalty benefits were appropriately mitigated. While sales audit and loss prevention functions have used certain aspects of this data to perform their responsibilities, the internal control and internal compliance groups have not focused on the original entry data captured at the store level. However, as processing abilities have improved and organizations have further automated real-time processing and enhanced data capture and retention, data analytics has emerged as a viable option to digitize the internal audit function.

By using analytics within the audit processes, audit teams can achieve greater risk coverage, invest in areas where results are inconsistent with expectations, potentially complete testing faster. They may unlock strategic value through a deeper understanding of trends on how stores are applying discounts, adjusting inventory and capturing loyalty data. According to the latest EY Global SOX Survey, less than half of the companies that responded said they performed end-to-end walk-throughs of a single transaction for all key processes and controls on an annual basis. Adopting this type of hybrid approach will help retailers broaden their focus on all transactions and reduce their exposure to losses, as well as open the door for finding upside revenue opportunities. It would also set the stage for a deeper dive into localized operations to validate adherence to standard operating procedures and identify deviations.

Implementing the hybrid approach

To move forward with a hybrid approach, internal audit and financial teams need to be ready to link the ERP system with a robust data warehouse that can quickly and accurately capture POS data for deeper analysis. Organizations can perform process mining on the key steps within the POS to understand the complete flow of transactions and existing procedures based on a full analysis of historical data.

Armed with a solid understanding and grasp of the underlying data, retail companies would also need to carefully perform a risk assessment over the related accounts and processes, define the thresholds for what type of transactions and activities would be considered routine, and identify which should be examined as a potential outlier based on risk. From there, analytics will separate the status-quo transactions from true risks and opportunities to the organization.

Sample selections, if required, are not random but specifically tailored to the risks of the organization and unexpected outcomes, such as transactions in which discounts are above an established threshold (or a comparative threshold against peer locations), unexpected movements in items held or released through “buy online, pay in store” type transactions, or where sales of an item exceeded amount in stock per inventory records.

Each period thereafter, internal audit would leverage the analytics to build on the previous analysis to identify trends and specific deviations from the established process with increasing efficiency. Time with business and control owners is hyper-focused on areas of risk and opportunity rather than on random sampling and confirmation of existing processes. 

Natural evolution in internal audit’s role

We view applying advanced data analytics to the controls space as an emerging opportunity for internal audit teams seeking to augment digital capabilities. In addition to data analytics, teams are also using data orchestration tools, process mining and machine learning to handle the volume, speed and complexity of data that must be reviewed. In that light, applying data analytics to perform a deeper assessment of both controls and control failures represents a natural progression in the evolution of the internal audit function.

In the past, many organizations identified and tested multiple controls that addressed the same risk for an account. Today, the adoption of continuous monitoring and validation by the first and second lines has shifted internal audit’s focus from detecting to predicting control failures and risk triggers.

Predictive analytics made possible for internal audit

Looking ahead, internal audit teams may want to consider using data analytics to engage in predictive analytics as they identify areas of risk. This will set the stage to review more targeted risk areas that have experienced problems in the past, as well as those that could result in issues down the road, based on past experiences and future trends.

No matter which set of tools or platform a company chooses, a hybrid approach that fully leverages data analytics with targeted controls testing will help companies gather critical information in a way that helps them identify risk and new revenue opportunities.

With special thanks to John F. Barile, Damaris Fynn and Stephanie R. Ewell for their contributions to this article.