PREPARING AUDITORS IN THEIR USAGE OF DATA ANALYTICS TOOL IN FRAUD PREVENTION PROGRAM

Academic year: 2021

Auditors need to understand that while audit findings are common, they are not necessarily fraud and due care is needed in building evidence. Corporate frauds are not going away any time soon, and the traditional role of auditor is being expanded to assist in fraud detection, investigation, and prevention. This presentation will teach you what to consider when there is a potential fraud discovered, what other elements need to be considered moving forward, additional tests to be conducted, and how to preserve evidence.

FRANSISKUS OEY
Group Managing Director
The Prodigy Group Singapore

Fransiskus Oey is an experienced player in the audit and fraud detection and prevention fields, and has conducted over 12 years of training and workshops on ACL data analytics, continuous monitoring, and fraud detection and prevention across the Asia and Middle East region. His interests include data forensic analysis and fraud detection techniques. He devotes a substantial portion of his time to research work and plays an active role in creating awareness of the importance of continuous monitoring for audit productivity, business process improvement, and fraud prevention among corporations. He has conducted various specialised workshops on fraud detection and prevention for banks, retail, manufacturing, and telecommunication companies, as well as educational institutions.

Mr. Oey was one of the first ACL Certified Trainers in the Asia region, and is also an active member of the Information Systems Audit and Control Association (ISACA), Association of Certified Fraud Examiners (ACFE), and the Association of Certified Anti-Money Laundering Specialists (ACAMS). Mr. Oey’s core competencies include Business Process Improvement, Business Continuity Planning, Business Assurance Implementation, Continuous Monitoring, Fraud Prevention and Detection, Anti-Money Laundering, and Operational Risk Management. He has worked with major corporations in the banking and finance, insurance, investment, government, manufacturing, and many other diversified industries in the Asia region.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

Introduction

“Fraud is always intentional as contrasted to errors and misrepresentations that are unintentional by chance or lack of training or skill.”

Challenges

• Different vulnerabilities at different stages of the business process
• Differentiating “fraud” transactions from “error” transactions in digital domain of organisation system network
• Lack of robust, scalable, and near real-time preventive tools
• Implementation steps
• Automation vs. manual prevention/detection

Auditors' New/Value-Adding Roles

Fraud deterrence for internal auditors requires action to discourage the perpetration of fraud and limit the entity’s exposure to fraud. If fraud does occur, the internal auditor should help in its investigation and deter fraud by examining apparent control system weaknesses and establishing procedures to limit the entity’s exposure to future risk.

Specifically, the internal auditor is supposed to determine that:

• The organisational environment fosters control consciousness.
• Realistic organisational goals and objectives are set.
• Written corporate policies (a code of conduct) exist and describe prohibited activities as well as action required upon the discovery of violations.
• Appropriate authorisation policies for transactions are established and maintained.
• Policies, practices, procedures, reports, and other mechanisms to monitor activities and safeguard assets, particularly in high-risk areas, are developed.
• Communication channels provide management with adequate and reliable information.
• Recommendations are made for the establishment or enhancement of cost-effective controls to help deter fraud.

Fraud detection consists of identifying fraud problems that warrant an examination. These potential fraud problems may be indicated by the control system established by management, tests performed by internal or external auditors, or other sources, such as customers and employees.

Examples of fraud indicators:

• Unauthorised transactions
• Override of internal controls
• Unexplained accounts or transactional document exceptions (such as pricing exceptions)
• Personal characteristics (mood changes in employees or management)

Cost of Fraud

• Reputation for integrity is one of the most valuable assets of an organization. While compliance reporting mandated by government legislation sets baseline standards, a reputation for integrity remains one of the most valuable assets of a financial institution. Failure to take the necessary steps to detect and prevent financial transactions supporting criminal or terrorist activity may result in stiff fines, criminal charges, and negative publicity.
• Action plan for detection and prevention control. Evidence of non-compliance can irreparably damage a financial institution’s reputation with customers, regulators, and shareholders, and present a serious challenge to continued viability.
• Prevention is better and cheaper than investigation. The cost/investment for prevention is lower than
process of investigation can be very stressful and lengthy.

Simplified Analytic Capability Model

The traditional approach to audit has always been to take a historic or retrospective view of what has happened over a period of time. While this approach delivers necessary and proven hindsight for audit planning, today’s environment demands a more proactive and comprehensive view for effective risk management and business assurance.

(Level 1) General Purpose
Current state:
• Limited to no use of data analysis software
• Use of spreadsheets for sampling/light analysis
• Data access is manual and delayed
• No integration of data analysis in audit process
Desired state is Level 2:
• Ability to analyze 100% of transactions
• Staff trained on data analysis software
• Knowledge of where to apply data analysis

(Level 2) Specialized
Current state:
• Designated individual(s) using data analysis software to analyze 100% of transactions
• Some access to data, but used inconsistently
• Decentralized, unsecure environment
Desired state is Level 3:
• Centralized, secure environment with sharing of data, etc.
• Repeatable and sustainable use
• Knowledge of how to integrate more data analysis

(Level 3) Managed
Current state:
• Centralized, secure environment and able to share audit content
• Data access is controlled and managed
• Data analysis still manual
Desired state is Level 4:
• Automate controls testing
• Gain deeper insight into key risk areas more frequently

(Level 4) Automated
Current state:
• Automated control tests are in place
• Able to easily develop and deploy additional control tests
• Infrequent and unstructured communication of exceptions to the business

• Continuous assurance—automated controls, exceptions resolved
• Monitoring all key business processes
• Develop a risk-based audit plan

(Level 5) Monitoring
Current state:
• Continuous assurance
• Continuous monitoring of key business processes
• Exceptions routed to appropriate business process owners for resolution
• Able to identify and plan future areas of risk coverage
• Demonstrate to senior management a view of organizational risk

Growing Concerns

• Regional and global economies are converging; many organisations are dealing with both regional and global customers and suppliers.
• Mergers and acquisitions are adding more business opportunities as well as business risks that auditors need to quickly identify and monitor.
• Advancement in the use of computerised systems for business operations. These new systems might not integrate properly with the current system in place, so more due care is needed. It is also important to note that during migration to a new system, auditors should use Computer Aided Audit Tools (CAATs) to verify that data from the previous system is correctly migrated to the new system.
• Stakeholder expectations and requirements: increased requirements for new regulatory compliance, based on the location and industry type of the organisation, from:
  - Stock exchanges
  - Federal government
  - State government

  Auditors play an important role in protecting shareholders’ interests; as such, 100% audit analysis of the data is critical to provide better accuracy into organisational performance and compliance. There are also increasing public expectations of how organisations should conduct their business in terms of good corporate governance, environmental preservation, ethical business culture, etc.
• However, all these require additional resources, and auditors are overwhelmed as it is. Thus, without relying on CAATs technology, it will be close to impossible for auditors to perform efficiently.

• Why is it important?
  - Recent economic crisis, the worst since The Great Depression
  - Many organisations still have poor risk management
  - Finally, more have recognised the importance of IA in identifying and mitigating risks
  - Governments and general public are demanding better corporate governance of businesses, as:
    - Corporate frauds are continuing to increase
    - The penalty associated with an FCPA infraction has grown tenfold in the past few years

Wastages and inefficiencies (revenue leakages)
  - Half of companies (and growing) with over 1000 employees are not taking full advantage of available vendor discount terms by paying their invoices within a set timeline (source: Institute of Management and Administration, IOMA 2007)
  - The cost of a company missing on a 1%
    $250,000 for every $100 million. On the other hand, repayments too early may lead to cash flow problems (source: IOMA 2007)

Errors
  - Companies lose about 0.5% in duplicate payments; however, this amounts to $500,000 for every $100 million in payments made (source: IOMA 2007)
  - Error rates in excess of 5% of T&E expenditures are reported by 40% of companies (source: IOMA 2007)
  - 4.6% of invoices contain errors and 44% of companies pay without original invoices (source: IOMA 2007)

Fraud
  - 85% of companies have been hit by corporate fraud in the past three years, up 80% from the previous year’s survey (source: Kroll Global Fraud Report 2008)
  - An increase of 22% of an average company’s losses to fraud from 2007 to 2008. The average business lost $8.2 million to fraud during the past three years, compared with a loss of $6.7 million the previous year (source: Kroll Global Fraud Report 2008)
  - $994 billion is the estimated total of U.S. occupational fraud and abuse in 2008
  - $835 billion is the total losses that were never recovered
  - The amount employees around the world are pocketing every year in fake expense claims is €6 billion (source: Global Expense Survey)

Using CAATs for Audit Vs. Fraud Prevention

Auditors may find the potential fraud, but many are not able to build the modus operandi, so first of all they need to understand a few fundamentals:

Business Environment

RELATIONSHIP AND MONITORING OF ALL THE BUSINESS ENVIRONMENTS

Process is looking at internal controls.

Basically, it is the policies and procedures of the organisation that provide some reasonable assurance that the compliance and control objectives are achieved.

Technology is looking at the different systems that are available in the organisation. How do you monitor and analyse these data from disparate systems?

People are the most complex environment of the three. People’s integrity can change, especially when there is opportunity for them to commit fraud.

UNIFORM OCCUPATIONAL FRAUD CLASSIFICATION SYSTEM - ACFE

This is a very good table for classifying the different types/categories of occupational fraud. It has three main classifications, listed here with examples of questions that auditors should ask themselves when deciding which area of potential fraud to start the analysis with:

Corruption
• Is there conflict of interest between the staff and the customers/vendors/suppliers?
• Is there collusion to disadvantage the company between staff and the customers/vendors/suppliers?
• Is the company facing cash flow issues? (Might want to check on early repayment of payables)

Asset misappropriation (generally lower in value but higher in volume)
• Ghost employees?
• Cash register’s end-of-day balance does not tally with the stock on hand?
• Purchases of resources/inventory do not tally with the purchase trend (are the resources/inventory being skimmed away)?
• Any anomalies in the expense claims (duplicate claims, dubious expenses, and claims while on holiday)?

Fraudulent statements (generally lower in volume but higher in value)
• Is the revenue recognition timing adhering correctly?
• Is management dominated by a single person or a small group (is there sufficient segregation of duty policy in place)?
• Does management display a significant disregard for regulations or controls?
• Has management restricted the auditor’s access to documents or personnel?
• Has management set unrealistic financial goals?
• Does management have any past history of illegal conduct?
• Has that employee’s lifestyle or behaviour changed significantly?

The Technology

The CAATs software packages that will be familiar to auditors are ACL and IDEA. While there are others, none are as mature as these two at the current time. The software you choose should have the following characteristics:

• Very fast processing speed
• Interrogates 100% of the data, no sampling required
• Log files provide required audit trail of activities
• Ability to create multiple log files to separate audit from fraud investigation
• Ability to upload evidence (documents, pictures, audio, data files, etc.) See below for example:
• Automation can be built to provide a systematic analysis, from data access, verification, and analysis, to reporting
• Secure knowledgebase retention

The Techniques

Preparing for investigation requires a lot of planning. However, before auditors jump to the conclusion that they have uncovered fraud, they should first apply the initiating investigation predication model, as shown in the diagram below, to determine whether this is a potential fraud or just an error.

Preparing for investigation is initiated once the above predication is completed and the results point to possible fraudulent activities; auditors can then begin their planning of the fraud investigation.

• Set context or parameter (risk-based).
• Define indicators of fraud.
• Determine the presence of elements that make up the fraud, for each indicator.
• Identify the required sources of information.
• Obtain the data required for analysis. Ideally it should be original/raw format data (no conversion).
• Identify the people that should be involved in the investigation team. Assigning appropriate roles to appropriate individuals is central to success of the investigation.

The team then needs to study the business environment of the business process carefully. Building a flowchart will greatly help in visual clarification of the process. See diagram below for example:

From the flowchart, auditors can further evaluate these questions:

• What is the fraud being committed?
• Who might be involved?
• In which systems can the evidence or indicators be found?
• When did it occur?
• How has the fraud been committed and for how long?

Analytical tests that can be performed to identify potential fraud:

Purchases, payments, and payables
• Duplicate payments
• Early repayments
• Others
  - Analyse and age A/P
  - Analyse and combine payables for external auditors
  - Audit paid invoices for manual comparison with actual invoices
  - Correlate vouchers or invoices posted versus purchase order amounts
  - Create activity summary for suppliers with duplicate products
  - Extract invoices posted with duplicate purchase order numbers
  - Extract total posted invoices for the year for accurate vendor rebates
  - Generate cash requirements by bank, period, product, vendor, etc.
  - Identify credits given before discount terms of payment days
  - Identify distributions to accounts not in suppliers account ledgers
  - Isolate vendor unit price variances by product, over time
  - Reconcile cheque register to disbursements by vendor invoice
  - Reconcile selected vendors payables posted against purchase orders
  - Report on cheque disbursements for unrecorded liabilities
  - Report on selected vouchers for manual audit or examination
  - Review recurring monthly expenses and compare to posted/paid invoices
  - Summarise large invoices without purchase orders by amount, vendor, etc.

Travel and entertainment
• Duplicate claims
• Dubious claims
• Travel claims during period when staff is on vacation or sick leave

Salaries and payroll
• Compare and summarise costs for special pay, overtime, premium, etc.
• Report entries against authorisation records for new or terminated employees
• Extract all payroll checks where the gross dollar amount exceeds set amount
• Identify changes in exemptions, gross pay, hourly rates, salary amounts, etc.
• Summarise and print payroll by selection criteria for general review
• Identify duplicate or missing payroll checks by check, bank, etc.
• Summarise payroll distributions for reconciliation to general ledger

Common CAATs analysis commands that can be applied to the data:

• Calculation of statistical parameters such as averages, standard deviations, highest and lowest values, which are used to identify statistical anomalies
• Classifications to find patterns and associations among groups of data
• Stratifications of numeric values to identify unusual and outlying values
• Digital analysis, using Benford’s Law, to identify statistically unlikely occurrences of numeric amounts
• Joining or relating of data fields between disparate systems, typically looking for expected matches or differences for data such as name, address, telephone, part or serial number
• “Sounds like” function that identifies fraudulent variations of valid company and employee names
• “Character Day of Week” function that converts date fields into weekdays and weekends to identify suspicious transactions
• Duplicates testing to identify simple or complex combinations of duplication
• Gaps testing that identifies missing sequential data
• Summing and totals to check control totals that may be falsified
• Graphing to provide visual identification of anomalous transactions
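Four of the tests listed above (duplicates, gaps, day of week, and Benford's Law digital analysis) are sketched here in Python. This is an added example, not taken from the presentation or from ACL or IDEA; the payment register, its field layout and the function names are constructed for illustration.

```python
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed sample payment register (not real data):
# (cheque_no, vendor, invoice_no, amount, payment_date)
PAYMENTS = [
    (1001, "Acme Supplies", "INV-77", 1250.00, date(2021, 3, 1)),
    (1002, "Borneo Freight", "INV-12", 980.50, date(2021, 3, 2)),
    (1003, "Acme Supplies", "INV-77", 1250.00, date(2021, 3, 6)),  # repeats 1001, Saturday
    (1005, "Citra Office", "INV-03", 431.20, date(2021, 3, 8)),    # cheque 1004 missing
    (1006, "Borneo Freight", "INV-13", 1999.00, date(2021, 3, 9)),
    (1009, "Delta Print", "INV-41", 118.75, date(2021, 3, 14)),    # 1007-1008 missing, Sunday
]

def find_duplicates(rows):
    """Duplicates test: group on vendor + invoice number + amount."""
    groups = defaultdict(list)
    for cheque, vendor, invoice, amount, _ in rows:
        groups[(vendor.strip().lower(), invoice, round(amount, 2))].append(cheque)
    return {key: cheques for key, cheques in groups.items() if len(cheques) > 1}

def find_gaps(rows):
    """Gaps test: cheque numbers absent from the observed sequence."""
    seen = {row[0] for row in rows}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def weekend_payments(rows):
    """Day-of-week test: payments dated Saturday (5) or Sunday (6)."""
    return [row[0] for row in rows if row[4].weekday() >= 5]

def benford_deviation(amounts):
    """Digital analysis: observed minus expected share of each leading digit.

    Under Benford's Law the expected share of leading digit d is log10(1 + 1/d).
    """
    # Scientific notation puts the leading significant digit first.
    digits = [int(f"{abs(a):.15e}"[0]) for a in amounts if a]
    counts = Counter(digits)
    return {d: counts[d] / len(digits) - math.log10(1 + 1 / d) for d in range(1, 10)}

def run_tests(rows):
    """Run every test and return the exceptions for follow-up review."""
    return {
        "duplicates": find_duplicates(rows),
        "gaps": find_gaps(rows),
        "weekend": weekend_payments(rows),
        "benford": benford_deviation([row[3] for row in rows]),
    }

if __name__ == "__main__":
    for name, result in run_tests(PAYMENTS).items():
        print(name, result)
```

Each exception is a lead for review, not proof of fraud, and the Benford comparison only becomes meaningful on a full population of transactions rather than a six-row sample.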

Conclusion

• Use powerful CAATs software that provides simplified access to all of an enterprise's data and transactions in any structure or format, and not just sampled data. Ideally, use software that allows evidence preservation and robust analytics.
• Assess whether it is a potential fraud or just an error using the initiating investigation predication model.
• Build up a fraud team, which should include people from outside of audit, such as the corporate lawyers, fraud investigation specialist, etc.
• Build a fraud plan, with a detailed flowchart of the business process, to help identify the perpetrators and which systems and processes have been exploited by the fraudsters.
• Fraudsters often seek out interfaces between computer systems, knowing there may be little or no cross-system validation.
• Getting access to the raw/original data format is paramount for fraud investigation, to reduce potential data conversion errors. If the raw/original data format is not accessible, then a data verification test needs to be conducted first to determine if there are conversion errors that could affect the investigation.
• Create early warning for future fraud prevention through automated continuous monitoring applications.
