Introduction
Applications of data analytics in compliance and ethics programs include all the following:
- As a tool used in connection with periodically assessing the risk of noncompliance
- As a monitoring and auditing tool
  - To identify potentially suspect or noncompliant transactions or activities or breakdowns in compliance-related internal controls
  - To monitor the performance of a compliance and ethics program (e.g. compliance training rates, analysis of hotline calls, etc.)
- As an investigative tool
  - To establish whether an allegation merits further investigation
  - To perform certain aspects of an investigation
A thorough coverage of all these applications is beyond the scope of a single article. Accordingly, the focus of this article is on the use of analytics for identifying transactions or activities that may be associated with noncompliance. This is an incredibly valuable tool for compliance and ethics professionals to use in designing a program that aims for early detection of problems in high-risk areas of compliance.
The main idea behind the use of analytics for compliance is to examine a population of data to identify those transactions or activities most likely to be improper. One of the reasons that using analytics in this manner is so valuable is that it enables the user to analyze 100% of a population for signs of problems. This is often more effective than using a sampling approach, which examines only a small portion of the population.
But analytics is only useful when the following conditions are met:
- There is sufficient digital evidence to which analytics can be applied—systems that rely heavily on manual processes may not be a good fit for analytics
- The user has access to the relevant data (access to relevant data for compliance personnel is a repeated point of emphasis in the Department of Justice’s March 2023 Evaluation of Corporate Compliance Programs)
- The user knows what to look for
Regarding that last issue, there are two broad categories of approaches to performing analytics aimed at finding problems. In the first, the characteristics of a specific risk are identified, and the analysis goes through the population of data looking for items that possess those characteristics. Those identified through this analysis may then be looked at further to determine whether an issue exists.
The second approach uses the opposite philosophy. The characteristics of a proper transaction or activity are identified, and the analysis focuses on segregating any item that falls outside those parameters. Those items are then examined more closely.
The second approach is useful only when there is a very narrow range of acceptable characteristics associated with proper activities. In many situations, however, it can produce a high volume of false positives—the term used to describe an item that data analytics flags as suspect but that, upon further inspection, turns out to be acceptable. For this reason, the first approach is the more commonly used.
Even the first approach carries a risk of false positives, an issue explained later. However, the more precisely we define the characteristics of the improper activities we are looking for, the more reliable the results of the analytics.
The ideal data analytics approach is one that accurately identifies all improper items with a minimum number of false positives. This is a lofty goal, but one that is achievable with careful planning.
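The two approaches, and the effect of refining the risk characteristics, can be seen side by side in the following added illustration, which is not part of the original article. The payment records, the approval limit, and the three test definitions are constructed assumptions.

```python
APPROVAL_LIMIT = 10_000  # assumed: payments at or above this need extra sign-off

# Constructed population. "improper" is what follow-up review would conclude;
# the tests never read it, only the scoring in evaluate() does.
FIELDS = ("id", "amount", "vendor_age_days", "po_matched", "improper")
ROWS = [
    (1, 9950, 12, False, True),
    (2, 9800, 20, True, True),
    (3, 9900, 800, True, False),
    (4, 9500, 400, True, False),
    (5, 1200, 365, True, False),
    (6, 4300, 30, True, False),
    (7, 7200, 900, True, False),
    (8, 650, 1500, False, False),
    (9, 3100, 200, True, False),
    (10, 15000, 1000, True, False),
]
PAYMENTS = [dict(zip(FIELDS, row)) for row in ROWS]

def near_limit(p):
    """Approach 1, coarse: amount sits just under the approval limit."""
    return 0.9 * APPROVAL_LIMIT <= p["amount"] < APPROVAL_LIMIT

def near_limit_new_vendor(p):
    """Approach 1, refined: also require a vendor onboarded within 30 days."""
    return near_limit(p) and p["vendor_age_days"] <= 30

def outside_proper_profile(p):
    """Approach 2: flag anything that does not match a narrow 'proper' profile."""
    proper = (p["po_matched"] and p["amount"] <= 5000
              and p["vendor_age_days"] >= 90)
    return not proper

def evaluate(test, population=PAYMENTS):
    """Run a test over 100% of the population and score it against review outcomes."""
    flagged = [p for p in population if test(p)]
    caught = sum(p["improper"] for p in flagged)
    missed = sum(p["improper"] for p in population) - caught
    return {"flagged": [p["id"] for p in flagged], "caught": caught,
            "false_positives": len(flagged) - caught, "missed": missed}

if __name__ == "__main__":
    for test in (outside_proper_profile, near_limit, near_limit_new_vendor):
        print(f"{test.__name__:24} {evaluate(test)}")
```

All three tests catch both improper payments in this sample; they differ only in how many acceptable items a reviewer must clear afterward.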
Compliance and ethics professionals may not always be the ones who perform the actual testing involved in analytics, which may be performed using simple spreadsheet software or may involve more sophisticated programs or custom-built software. The actual testing is often performed by specialists in the use of analytics software. But these individuals rarely understand the complexities of compliance issues and related internal controls. This is where compliance and ethics professionals play an important role in analytics design.
Regardless of whether compliance professionals have the technical expertise to run the tests, it is important for them to understand and be able to participate in this design stage of analytics.
A Framework for Analytics
Frameworks are useful for ensuring a consistent, complete, and effective approach to a task rife with opportunities for problems and failures. For compliance analytics, a useful framework focuses on detecting anomalies in the following timeline of events associated with compliance problems:
- Leading indicators: Signs that a compliance problem is imminent.
- Preventive control breakdowns: Red flags that an internal control designed to prevent noncompliance has failed or been overridden.
- The act: Indications that one or more acts of noncompliance have occurred.
- Concealment: Indications that steps have been taken to conceal an act of noncompliance.
- Detective control breakdowns: Red flags that an internal control designed to detect noncompliance has failed or been overridden.
- Lagging indicators: Signs that one or more acts of noncompliance have occurred.
These steps don’t always occur in connection with every noncompliance event, nor does every step in this chain of events always leave a digital trail. But this framework is designed to provide you with ways of catching noncompliance issues in each of the six phases that often occur.
Even better, application of this framework can go beyond detection after the fact to enable the prevention of noncompliance events by recognizing breakdowns in certain controls or identifying steps leading up to noncompliance.