Building an efficient internal control system in the company
Part 2 of the blog post series – Automating an internal control system with data analytics
The German Parliament passed the Financial Market Integrity Strengthening Act (FISG) in 2021, creating a clear requirement for listed public companies in all industries to "establish an adequate and effective internal control system and risk management system" (§91 (3) AktG). Previously, the establishment of an internal control system (ICS) was only mandatory for regulated industries, such as banks and insurance companies. However, with the insolvency of Wirecard AG, it became clear that further, stricter requirements were needed.
As a result of these changes, many companies are now legally required to establish an ICS that meets the specified requirements. In the first part of our blog post series on "building an internal control system", we mainly focused on which steps are necessary to establish an internal control system. The result is now available in the form of a catalogue of controls. Automatable, data-supported controls were developed and marked accordingly in part one. In this second article, we examine these in more detail and show further automation possibilities based on data analytics.
Why does automating the ICS make sense?
In most cases, it is still up to humans to carry out the checks and recognise exceptions. However, in times of personnel and skilled-worker shortages, employees are a very limited resource and should, as far as possible, carry out only those activities that a computer could not do or could only do much worse.
This begins with creating the data basis necessary for the analyses: manually extracting data from systems such as SAP is a large investment of time that must be avoided. It is also difficult to compare analytics results if the extractions are not always carried out according to the same scheme, so that the data set on which the analytics are based does not follow any reproducible, stable rules.
Which controls can be automated?
Not all controls can be easily automated with data analytics. The precondition, of course, is that the data to be checked is available in a digitally verifiable, structured form. If this is the case, a rule of thumb applies: "binary questions", i.e. questions that can be answered clearly with yes or no and whose rules can be described correspondingly clearly, are best suited to automation by means of data analytics.
To illustrate this a little more clearly, a small example will help:
The company policy states that one-off payments to CpD (Conto per Diverse) are only permitted for bookings up to €50.
The question can be answered with yes or no.
Is this booking a one-off payment whose value is over €50?
Similarly, the rules can be easily derived from the policy.
Payment is a one-off payment and amount is greater than €50.
Thus, this question could be easily mapped via data analytics.
The example just described is deliberately kept simple to illustrate the rule of thumb. Of course, data analytics is also suitable for more complex issues, such as verifying tax codes or incorrectly calculated taxes on export goods; even more extensive requirements can usually be mapped well in the form of digital analytics.
Excursus: New possibilities through artificial intelligence
Data analytics based on clearly formulable rules are desirable, but this condition is not always met. The new possibilities opened up by artificial intelligence (AI) algorithms help to ensure that more open questions, i.e. those that cannot be answered with a yes or no, can also be automated. It should be noted, however, that depending on the evaluation, the number of false positives can be higher than with conventional analyses that examine a closed yes/no question. It is also possible that the AI must first be trained until it can carry out checks of adequate quality on its own.
As an example, one can cite the outlier analytic "unusual bookings". It is hardly possible to formulate a clear, deterministic set of rules that differentiate a normal booking record from an unusual one. The AI learns independently when comparing all bookings which of them are rather unusual. These can include, for example, incorrect postings in which an incorrect contra account was specified, an incorrect posting key was entered, or an incorrect transaction was used. Of course, transactions that were made with fraudulent, manipulative intentions and differ in their structure or attributes from "normal" transactions of the day-to-day business are also conceivable as "unusual bookings".
What happens to the results?
Producing analytical results is one thing, but processing them and making a valid statement about the controls is another. Simply producing results is therefore not enough; they must be validated and processed. This applies to all types of data analytics, whether deterministic and rule-based or AI-supported. Processing can mean correcting errors, adjusting the process or even changing the control design. It is also possible that there are deliberate, necessary exceptions to rules that have been legitimately approved by the department. For example, under high time pressure, such as when omissions are sanctioned by contractual penalties, it could be necessary in the above-mentioned CpD example to approve an exception in the form of a higher outgoing payment, since the financial consequences are assessed as more serious than exceeding the rule. A certain vagueness will thus always remain, even if the questions are supposedly simple.
The processing can therefore be complex, should be transparently documented and, because interdepartmental cooperation is often necessary, should be done with suitable collaborative tools. Especially when there are many data-based controls, circulating many individual files to different parties can lead to version conflicts and similar problems. It therefore makes more sense to rely on professional tools such as Diligent HighBond, which supports both control execution and result processing in the form of a special ICS platform, or, in simpler scenarios, to rely on shareable alternatives with Microsoft SharePoint.
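The CpD rule from the example above, combined with the approved exceptions discussed in this section, could be evaluated as follows. This is an added example, not code from dab or from part one of the series; the field names, the sample bookings and the idea of an exception register with an approved maximum amount per document are assumptions made for illustration.

```python
from decimal import Decimal, InvalidOperation

CPD_LIMIT = Decimal("50.00")  # limit taken from the policy in the CpD example

# Constructed sample bookings; field names are hypothetical, not SAP fields.
BOOKINGS = [
    {"doc": "1000001", "one_off": True,  "amount": "49.99"},
    {"doc": "1000002", "one_off": True,  "amount": "50.00"},
    {"doc": "1000003", "one_off": True,  "amount": "1250.00"},
    {"doc": "1000004", "one_off": False, "amount": "980.00"},
    {"doc": "1000005", "one_off": True,  "amount": "300.00"},
    {"doc": "1000006", "one_off": True,  "amount": "n/a"},
    {"doc": "1000007", "one_off": True,  "amount": "50.01"},
]

# Constructed exception register (assumption): document -> approved maximum.
APPROVED = {"1000003": Decimal("1500.00"), "1000005": Decimal("200.00")}


def check_cpd(bookings, approved, limit=CPD_LIMIT):
    """Return (document, status) for every booking that needs follow-up."""
    findings = []
    for b in bookings:
        if not b["one_off"]:
            continue  # the policy only covers one-off (CpD) payments
        try:
            amount = Decimal(b["amount"])
        except InvalidOperation:
            # Data that cannot be evaluated is a finding, not a silent pass.
            findings.append((b["doc"], "UNREADABLE_AMOUNT"))
            continue
        if amount <= limit:
            continue  # "up to 50" is permitted, so exactly 50.00 passes
        ceiling = approved.get(b["doc"])
        if ceiling is None:
            status = "VIOLATION"
        elif amount <= ceiling:
            status = "APPROVED_EXCEPTION"  # kept in the output for documentation
        else:
            status = "EXCEEDS_APPROVAL"
        findings.append((b["doc"], status))
    return findings


if __name__ == "__main__":
    for doc, status in check_cpd(BOOKINGS, APPROVED):
        print(doc, status)
```

Approved exceptions stay in the result list with their own status, so the reviewer can see and document them instead of having them filtered out before anyone looks.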
How can we as dab support you in setting things up?
"Making data analytics fundamental" is the vision of dab: Daten - Analysen & Beratung GmbH. For almost 20 years, we have been developing data analytics, especially for SAP systems, which answer questions from the internal control system. With the tools that we develop and sell, we can efficiently map the entire process of an internal control system in your company.
We support you in integrating the ICS holistically into your company, which means that we map both the data analytics and the ICS management with our software solutions. And if you have already mapped your controls in appropriate ICS software and you are only missing data automation, for example in the area of SAP, we are also pleased to assist you with our comprehensive, ready-to-use control catalogues and analytics solutions.
Our standardised analytics are suitable for SAP R/3, ECC as well as for SAP S/4HANA. Our references in the interaction of ICS and SAP systems are excellent and include international corporations of all sizes.
If you have any questions about our products and services in the context of ICS, please feel free to contact our consultant Philipp Kiencke or colleagues at any time.