Customer paying with NFC technology with smart watch

How data analytics bolster a hybrid approach to controls testing

Related topics

Retailers can improve the effectiveness of point-of-sale controls by combining a traditional approach with data analytics.

In brief:

  • Recent advances in data analytics enable retail organizations to review large volumes of transactions on a real-time basis.
  • By combining this approach with traditional controls testing, they can now assess whether controls are working much faster and more accurately.
  • The hybrid approach allows for greater risk coverage and drives a deeper understanding of trends on how controls are working at the point of sale.

For years, internal audit and internal compliance teams for retail companies have relied on traditional sample-based control testing methods to evaluate whether controls are operating as intended. Retailers process a high volume of transactions every day through their point of sale (POS) systems at individual store locations. In addition to the actual sale, the POS systems also record sales and related discounts, provide inventory tracking and movement, and monitor customer loyalty. The complete and accurate capture and processing of these business transactions is critical in the running of an effective merchandising organization, as well as in recording transactions for financial reporting purposes.

While financial reporting is primarily focused on the capture of actual transactions processed, merchants also utilize this data as key inputs for replenishment, maximizing revenue through product assortment and for appealing to a loyal customer base. Store-level transactions are batched together and fed to a headquarters enterprise resource planning (ERP) system, where sale audit and other corporate functions perform high-level analysis over the data to validate sale and inventory transaction completeness and assess business operations.

Data analytics driving major changes in retail transaction review

In recent years, advances in data analytics have made it possible for retail organizations to review large volumes of transactions at either a real-time or close to real-time basis. To that end, many companies are now using data analytics to perform a broader review of all transactions within the organization, which enables them to identify emerging trends and take steps to improve sales by modifying prices in real time. They can also use this data to shift current and future inventory allocations to locations/regions where items are flying off the shelves. As retail companies further embrace data analytics to monitor activity, analyze inefficiencies and forecast trends, internal audit and internal control organizations must also pivot to perform more efficient and effective analysis of financially relevant and related business controls.

Until now, however, few organizations have considered applying data analytics to controls testing to determine whether risks related to revenue recognition/tender, inventory movements, sales discounts and the application of customer loyalty benefits were appropriately mitigated. While sales audit and loss prevention functions have used certain aspects of this data to perform their responsibilities, the internal control and internal compliance groups have not focused on the original entry data captured at the store level. However, as processing abilities have improved and organizations have further automated real-time processing and enhanced data capture and retention, data analytics has emerged as a viable option to digitize the internal audit function.

By using analytics within the audit processes, audit teams can achieve greater risk coverage, invest in areas where results are inconsistent with expectations, potentially complete testing faster. They may unlock strategic value through a deeper understanding of trends on how stores are applying discounts, adjusting inventory and capturing loyalty data. According to the latest EY Global SOX Survey, less than half of the companies that responded said they performed end-to-end walk-throughs of a single transaction for all key processes and controls on an annual basis. Adopting this type of hybrid approach will help retailers broaden their focus on all transactions and reduce their exposure to losses, as well as open the door for finding upside revenue opportunities. It would also set the stage for a deeper dive into localized operations to validate adherence to standard operating procedures and identify deviations.

Implementing the hybrid approach

To move forward with a hybrid approach, internal audit and financial teams need to be ready to link the ERP system with a robust data warehouse that can quickly and accurately capture POS data for deeper analysis. Organizations can perform process mining on the key steps within the POS to understand the complete flow of transactions and existing procedures based on a full analysis of historical data.

Armed with a solid understanding and grasp of the underlying data, retail companies would also need to carefully perform a risk assessment over the related accounts and processes, define the thresholds for what type of transactions and activities would be considered routine, and identify which should be examined as a potential outlier based on risk. From there, analytics will separate the status-quo transactions from true risks and opportunities to the organization.

Sample selections, if required, are not random but specifically tailored to the risks of the organization and unexpected outcomes, such as transactions in which discounts are above an established threshold (or a comparative threshold against peer locations), unexpected movements in items held or released through “buy online, pay in store” type transactions, or where sales of an item exceeded amount in stock per inventory records.

Each period thereafter, internal audit would leverage the analytics to build on the previous analysis to identify trends and specific deviations from the established process with increasing efficiency. Time with business and control owners is hyper-focused on areas of risk and opportunity rather than on random sampling and confirmation of existing processes. 

Natural evolution in internal audit’s role

We view applying advanced data analytics to the controls space as an emerging opportunity for internal audit teams seeking to augment digital capabilities. In addition to data analytics, teams are also using data orchestration tools, process mining and machine learning to handle the volume, speed and complexity of data that must be reviewed. In that light, applying data analytics to perform a deeper assessment of both controls and control failures represents a natural progression in the evolution of the internal audit function.

In the past, many organizations identified and tested multiple controls that addressed the same risk for an account. Today, the adoption of continuous monitoring and validation by the first and second lines has shifted internal audit’s focus from detecting to predicting control failures and risk triggers.

Predictive analytics made possible for internal audit

Looking ahead, internal audit teams may want to consider using data analytics to engage in predictive analytics as they identify areas of risk. This will set the stage to review more targeted risk areas that have experienced problems in the past, as well as those that could result in issues down the road, based on past experiences and future trends.

In addition, many internal audit teams are shifting toward an automated suite of tools to help with data analytics and controls testing. While most solutions address one part of the problem, EY Virtual Internal Auditor (EY VIA) provides a holistic approach that fully covers the entire risk universe for the whole organization. A digital solution that transforms the way internal controls testing is performed, EY VIA reallocates the workload from humans to machines, enabling the full digitalization of the controls testing life cycle.

No matter which set of tools or platform a company chooses, a hybrid approach that fully leverages data analytics with targeted controls testing will help companies gather critical information in a way that helps them identify risk and new revenue opportunities.

With special thanks to John F. Barile, Damaris Fynn and Stephanie R. Ewell for their contributions to this article.


As they evaluate internal point-of-sale controls, many retail organizations may find that a hybrid approach that combines traditional sample-based control testing methods with data analytics may help them improve the effectiveness of those controls. For retail organizations that process thousands of transactions every day, this approach can help them identify outliers faster, improving sales and avoiding potential losses.

About this article

Related articles

How do you decrease the cost of controls without increasing risk?

We describe the ACE approach (automate, centralize, eliminate), which rationalizes the controls environment without compromising risk coverage. Learn more.

17 Dec 2020 Milene Carvalho + 2