Almost every compliance officer would say that analytics is marching its way into corporate compliance, and everyone is looking for guidance on how to make sense of the endless sea of data available.

Many times, the data itself isn’t crucial for good analytics; it’s the data about the data—that is, the characteristics that describe the raw data—that give compliance officers the most insight. Which means you, as a compliance professional, need to think carefully when you are building a new compliance process to be sure that it generates data you can analyze later. The lynch-pin to successful data analytics is having good data to analyze.

That task isn’t as daunting as it seems if you just remember that this is what people mean when they say compliance professionals must “know the business.” Knowing the business is code for understanding the flow of activity in your company. Yes, that means you need to work closely with business operations leaders, and your enterprise risk assessments will need to be timely and accurate. (So be nice to the internal audit folks down the hall doing that assessment.)

As a starting point, let’s compare data analytics for auditing (which is way ahead of compliance on this front) and how the insights from auditing may (or may not) apply to data analytics for compliance.

The First Thing You Need to Know:

Internal audit has an edge over compliance when it comes to data analytics.

Internal audit deals in financial transactions with business processes that lend themselves to bulk analysis. You can start with the purchase-to-payment cycle, looking for duplicate payments, which is a fairly straightforward exercise. Then you can move on to travel and entertainment spending, or perhaps look at spending patterns on company credit cards to see whether anyone is splitting one big purchase across multiple payments to evade spending limits.

The basic unit in all of these examples is the dollar (or some other currency). Dollars tend to float around the economic world, so you have plenty of records from other parties (banks, vendors, customers) that let you compare one set of data to another.

That’s only half of the battle.

You also need to ensure that your employees hiring these third parties follow due diligence procedures and, you know, actually record the right data about your third parties. To put it another way: you need a robust “Know Your Customer” compliance program before you can even begin to perform useful analysis. That means you need strong training on due diligence procedures that leads to a high degree of confidence in the accuracy of your data.

Over in the internal audit department, where they’re analyzing travel expenses, all that is much easier. The data is much more likely to be in a standardized format. You can confirm reported transactions against multiple sources. If all else fails, internal audit can also use the nuclear option and refuse to allow reimbursement to an employee until he or she cooperates on documentation.

Compliance metrics will have it harder. Your employee might mean well and try to collect data to be entered into a third-party database, but miss one or two fields. He might misspell a name. She might not know that in China, people often change their names when they move into “the city” for their upwardly mobile career. Maybe the data gets recorded in Excel, and of course, nothing ever goes wrong when that happens. 

That’s just an example from due diligence. Compliance officers will face similar questions when you want to analyze hotline data, or perhaps closure rates for litigation or internal investigations.

In every instance, ask yourself “Are we recording useful data correctly?” and, “Are we recording it in a format that lends itself to analysis?”

It’s all part of understanding the business. Once you understand the business, you can describe the data you want to capture and analyze.