Operate a Data Analytics Compliance Program | American Conference Institute (ACI)

Over the past few years, U.S. law enforcement authorities have reported that a data-driven compliance program is more than a benefit; it’s a must-have if companies want to be better able to demonstrate the effectiveness of their anti-corruption compliance programs to regulators.

When the US Department of Justice released its updated “corporate compliance assessment program” guidelines in June 2020, for example, it stressed that prosecutors should assess whether companies have put in place a data-driven compliance program to detect potential misconduct and continuously monitor the effectiveness of their compliance programs.

To assess whether a compliance program is “adequately resourced and empowered,” the Department of Justice asks prosecutors to consider the following questions: “Do compliance and enforcement personnel have sufficient direct or indirect access to relevant data sources to enable rapid and effective monitoring and surveillance and/or testing of policies, controls and transactions? Are there barriers that limit access to relevant data sources and, if so, what is the company doing to address these barriers?”

Companies in highly regulated sectors, such as financial services, pharmaceuticals and life sciences, or companies that have been subject to enforcement action in the past are more likely to have data-based compliance programs that are more mature than those in less regulated sectors or with no history of enforcement action.

For companies that don’t fit into any of these categories, or for small and medium-sized businesses that don’t have massive compliance budgets, establishing a data-driven compliance program can seem like a daunting and costly task, but it doesn’t have to be.

Although compliance officers are not data scientists, they still have a vital role to play in integrating data analytics into compliance processes and can do so by following these steps:

Identify all relevant and easily accessible data sources. Compliance officers should familiarize themselves with the organization’s relevant data sources that are easily accessible and can help detect risks such as fraud, waste and abuse; risk of sanctions; and third-party risks. Data readily available in most businesses includes Accounts Payable (AP) data; travel and entertainment expenses (T&E); data on gifts and hospitality; hotline data; and sales and marketing data, to name a few.

The best use cases often reside in this readily available data. Expenses are a key risk area to monitor: for example, unusually high employee expenses associated with a certain customer account, or unusually high expenses for a particular vendor. Travel and entertainment costs, such as reimbursements associated with civil servants, are another area of risk.

Another red flag is invoices received before a PO is created. “You shouldn’t see an invoice date before a purchase order date,” said Andy Miller, director of analytics at Lextegrity. “Also, you shouldn’t see a payment date before a purchase order date.” Other red flags to watch for include duplicate spend or duplicate vendors, he said, which can signal messy processes and departments that are much more susceptible to bribery and corruption schemes.
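The red flags Miller describes can be run as checks over an AP extract. The following is an added example, not code from the article or from Lextegrity; the field names, the sample rows, the vendor-suffix list and the extra NO_PO flag for rows that have no purchase order are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample accounts-payable rows (not real data; field names are assumed).
AP_ROWS = [
    {"id": 1, "vendor": "Acme Consulting, Inc.", "amount": 4800.00,
     "po": date(2023, 3, 1), "invoice": date(2023, 3, 9), "paid": date(2023, 4, 2)},
    {"id": 2, "vendor": "Borealis Travel LLC", "amount": 12500.00,
     "po": date(2023, 5, 20), "invoice": date(2023, 5, 4), "paid": date(2023, 6, 1)},
    {"id": 3, "vendor": "ACME CONSULTING INC", "amount": 4800.00,
     "po": date(2023, 3, 1), "invoice": date(2023, 3, 9), "paid": date(2023, 4, 15)},
    {"id": 4, "vendor": "Cedar Events Ltd", "amount": 950.00,
     "po": date(2023, 7, 10), "invoice": date(2023, 7, 12), "paid": date(2023, 7, 3)},
    {"id": 5, "vendor": "Delta Freight", "amount": 300.00,
     "po": None, "invoice": date(2023, 8, 1), "paid": date(2023, 8, 20)},
]

SUFFIXES = {"inc", "llc", "ltd", "corp", "co"}  # assumed list of legal suffixes

def vendor_key(name):
    """Normalize a vendor name so spelling variants of one vendor collide."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in SUFFIXES)

def review(rows):
    """Return {row id: sorted list of red flags} for rows that need review."""
    flags = defaultdict(set)
    names, spend = defaultdict(set), defaultdict(list)
    for r in rows:
        if r["po"] is None:
            flags[r["id"]].add("NO_PO")  # assumption: no PO means no date to compare
        else:
            for field, flag in (("invoice", "INVOICE_BEFORE_PO"), ("paid", "PAYMENT_BEFORE_PO")):
                if r[field] < r["po"]:
                    flags[r["id"]].add(flag)
        key = vendor_key(r["vendor"])
        names[key].add(r["vendor"])
        spend[(key, r["amount"], r["invoice"])].append(r["id"])
    for r in rows:
        if len(names[vendor_key(r["vendor"])]) > 1:
            flags[r["id"]].add("DUPLICATE_VENDOR")  # one vendor under several spellings
    for ids in spend.values():
        if len(ids) > 1:
            for i in ids:
                flags[i].add("DUPLICATE_SPEND")  # same vendor, amount and invoice date
    return {i: sorted(flags[i]) for i in sorted(flags)}

print(review(AP_ROWS))
```

Rows 1 and 3 show why vendor names are normalized before comparison: an exact-match check on the raw vendor field would miss both the duplicate vendor and the duplicate spend.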

In addition to identifying all the data necessary to detect and monitor the company’s unique fraud and corruption risks, prudent compliance officers know the value of building partnerships and having strategic conversations with those responsible for relevant business units – the end users who own the data – such as finance and accounting. In a small company, these departments may also play an internal audit or risk monitoring role.

By talking with the finance team, compliance officers often come away with a good amount of data that they can start working with right away, said Mason Pan, director of data analytics at BDO. Such a partnership could also offer advantages from a cost perspective, because while compliance and finance can both leverage the same data, they may also be able to share the budget, making it less of a financial demand, he said.

Establishing a relationship with the IT department is also important. “Take your chief technology officer to lunch,” Pan said. If the company has a data officer, establish a relationship with that person as well.

Start with a risk-based approach. To avoid creating an overly elaborate compliance program and analyzing more data than necessary, focus on the highest risk areas first, based on the inherent risks of the business. “It needs to be built from a risk-based approach,” Pan said.

“Start small,” added Pan. “Start with a proof of concept…focused on a geographic area or business unit for a type of risk you’re trying to monitor,” such as starting with a two- or three-year history of data on third-party payments made by a business unit to see if there are any potentially problematic payments in progress, he said.

Starting small will also make it easier for compliance to prove to the C-suite and the board the ROI when applying to expand a data-driven compliance program, “like live monitoring or doing another historical look and focusing on another business unit or another type of risk,” Pan said. “It’s really critical to get that initial scope right.”

For companies that are in the first stage of a data-driven compliance program to help spot risk, consider turning to benchmark reports like Transparency International’s annual Corruption Perceptions Index and the TRACE Corruption Risk Matrix, which ranks countries according to corruption risk. These reports can help compliance officers “better understand where you might want to start looking, where the lower fruit might be,” Miller said.

Set up a data repository. A data-driven compliance program requires having a tool that pulls data from all systems, databases, and parts of the business. Some companies choose to have their IT team build an in-house data analytics system or manage an in-house data lake, where structured and unstructured data is stored.

Companies that go this route also typically have data scientists who then analyze the data looking for outliers and trends to identify risks. However, this still requires getting input from the compliance officer and forensic accountant to ensure relevant data is extracted regarding anomalies and trends that may indicate things like fraud, corruption or waste and abuse.

However, many service providers today enable compliance scanning without the IT department having to create an on-premises infrastructure. The benefit of this option from a compliance perspective is that it puts more direct control in the hands of compliance from a data analytics perspective, rather than handing it over to IT, which may not prioritize such a project the same way compliance would, Miller says.

“Data harmonization doesn’t just mean bringing data together in one place, it also means making data understandable,” Miller said. Lextegrity’s Integrity Gateway software platform, for example, applies analytics to a company’s expense and revenue transactions globally, supplemented with procurement data, approval data, and a variety of basic data to monitor and detect high-risk transactions in real time.

Additionally, Lextegrity’s risk library contains dozens of risk, behavioral, statistical, and policy-based analyses that eliminate the need for data scientists or data engineers. End users also have the ability to drill down even further into the data to analyze spend for specific vendors or employees over time, or based on a specific geographic area.

Historically, companies had to randomly select a group of transactions to audit, but thanks to machine learning and artificial intelligence capabilities, companies today can analyze all transactions in real time, applying a scoring algorithm to risks. “It’s a defensible approach because the methodology used to assess the risk is transparent,” Pan said.

Lextegrity’s trade monitoring app, for example, ranks the risks of each trade and provides an overall risk score, taking into account dozens of individual risk analysis results. Regardless of the solution a company uses to rank the risks of its transactions or geographic regions, this risk score indicates to compliance the areas that may require enhanced due diligence or may even result in an internal investigation.

Clean data. Once the data is in a centralized location, the data cleansing process can begin. “The cleaner the data, the fewer false positives you’ll get,” Miller said.

A key part of ensuring data is as clean as possible is ensuring compliance, audit and other end users provide an ongoing “feedback loop,” Miller said. For example, maybe a certain keyword (e.g., “Spa”) is creating too many false positives and needs to be adjusted and refined, he said.

“Don’t just set it and forget it,” Pan said. “We recommend always looking at the output and giving that feedback to the model. That feedback and iterative process is another absolute essential to getting it right.”

Demonstrate program effectiveness through data visualization. Data visualization basically means making large amounts of data visually appealing through the creation of charts and graphs to make it easier for the C-suite and board to interpret the data and get a visual picture of risk areas or risk models.

However, a picture is only worth a thousand words if you understand the data. Getting started with data visualization would be “like trying to paint the Mona Lisa without having any basic painting skills,” Miller said.

Act on the data. No data-driven compliance program would be truly effective unless compliance, audit, and business acted on what was gleaned from analytics. This means taking all necessary corrective actions, documenting those actions and further holding the culprits accountable for any wrongdoing discovered.

Ryan H. Bowman