PREPARING AUDITORS IN THEIR USAGE OF DATA ANALYTICS TOOL IN FRAUD PREVENTION PROGRAM




Auditors need to understand that while audit findings are common, they are not necessarily fraud and due care is needed in building evidence. Corporate frauds are not going away any time soon, and the traditional role of auditor is being expanded to assist in fraud detection, investigation, and prevention. This presentation will teach you what to consider when there is a potential fraud discovered, what other elements need to be considered moving forward, additional tests to be conducted, and how to preserve evidence.

FRANSISKUS OEY
Group Managing Director
The Prodigy Group
Singapore

Fransiskus Oey is an experienced player in the audit and fraud detection and prevention fields, and has conducted over 12 years of training and workshops on ACL data analytics, continuous monitoring, and fraud detection and prevention across the Asia and Middle East region. His interests include data forensic analysis and fraud detection techniques. He devotes a substantial portion of his time to research work and plays an active role in creating awareness of the importance of continuous monitoring for audit productivity, business process improvement, and fraud prevention to corporations. He has conducted various specialised workshops on fraud detection and prevention for banks, retail, manufacturing, and telecommunication companies, as well as educational institutions.

Mr. Oey was one of the first ACL Certified Trainers in the Asia region, and is also an active member of the Information Systems Audit and Control Association (ISACA), Association of Certified Fraud Examiners (ACFE), and the Association of Certified Anti-Money Laundering Specialists (ACAMS). Mr. Oey's core competencies include Business Process Improvement, Business Continuity Planning, Business Assurance Implementation, Continuous Monitoring, Fraud Prevention and Detection, Anti-Money Laundering, and Operational Risk Management. He has worked with major corporations in the banking and finance, insurance, investment, government, manufacturing, and many other diversified industries in the Asia region.

Association of Certified Fraud Examiners, Certified Fraud Examiner, CFE, ACFE, and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author. 2011

Introduction

Fraud is always intentional, in contrast to errors and misrepresentations, which are unintentional and arise by chance or from lack of training or skill.

Challenges
- Different vulnerabilities at different stages of the business process
- Differentiating fraud transactions from error transactions in the digital domain of the organisation's system network
- Lack of robust, scalable, and near real-time preventive tools
- Implementation steps
- Automation vs. manual prevention/detection

Auditors' New/Value-Adding Roles

Fraud deterrence for internal auditors requires action to discourage the perpetration of fraud and limit the entity's exposure to fraud. If fraud does occur, the internal auditor should help in its investigation and deter fraud by examining apparent control system weaknesses and establishing procedures to limit the entity's exposure to future risk.

Specifically, the internal auditor is supposed to determine that:
- The organisational environment fosters control consciousness.
- Realistic organisational goals and objectives are set.
- Written corporate policies (a code of conduct) exist and describe prohibited activities as well as action required upon the discovery of violations.
- Appropriate authorisation policies for transactions are established and maintained.

- Policies, practices, procedures, reports, and other mechanisms to monitor activities and safeguard assets, particularly in high-risk areas, are developed.
- Communication channels provide management with adequate and reliable information.
- Recommendations are made for the establishment or enhancement of cost-effective controls to help deter fraud.

Fraud detection consists of identifying fraud problems that warrant an examination. These potential fraud problems may be indicated by the control system established by management, tests performed by internal or external auditors, or other sources, such as customers and employees.

Examples of fraud indicators:
- Unauthorised transactions
- Override of internal controls
- Unexplained accounts or transactional document exceptions (such as pricing exceptions)
- Personal characteristics (mood changes in employees or management)
- Motivations of management

Cost of Fraud

Reputation for integrity is one of the most valuable assets of an organization. While compliance reporting mandated by government legislation sets baseline standards, a reputation for integrity remains one of the most valuable assets of a financial institution. Failure to take the necessary steps to detect and prevent financial transactions supporting criminal or terrorist activity may result in stiff fines, criminal charges, and negative publicity.

Action plan for detection and prevention control.

Evidence of non-compliance can irreparably damage a financial institution's reputation with customers, regulators, and shareholders, and present a serious challenge to continued viability.

Prevention is better and cheaper than investigation. The cost/investment for prevention is lower than the cost of investigation. Furthermore, the whole process of investigation can be very stressful and lengthy.

Simplified Analytic Capability Model

The traditional approach to audit has always been to take a historic or retrospective view of what has happened over a period of time. While this approach delivers necessary and proven hindsight for audit planning, today's environment demands a more proactive and comprehensive view for effective risk management and business assurance.

(Level 1) General Purpose
Current state:
- Limited to no use of data analysis software
- Use of spreadsheets for sampling/light analysis
- Data access is manual and delayed
- No integration of data analysis in audit process
Desired state is Level 2:
- Ability to analyze 100% of transactions
- Staff trained on data analysis software

- Knowledge of where to apply data analysis

(Level 2) Specialized
Current state:
- Designated individual(s) using data analysis software to analyze 100% of transactions
- Some access to data, but used inconsistently
- Decentralized, unsecure environment
Desired state is Level 3:
- Centralized, secure environment with sharing of data, etc.
- Repeatable and sustainable use
- Knowledge of how to integrate more data analysis

(Level 3) Managed
Current state:
- Centralized, secure environment and able to share audit content
- Data access is controlled and managed
- Data analysis still manual
Desired state is Level 4:
- Automate controls testing
- Gain deeper insight into key risk areas more frequently

(Level 4) Automated
Current state:
- Automated control tests are in place
- Able to easily develop and deploy additional control tests
- Infrequent and unstructured communication of exceptions to the business
Desired state is Level 5:

- Continuous assurance automated controls, exceptions resolved
- Monitoring all key business processes
- Develop a risk-based audit plan

(Level 5) Monitoring
Current state:
- Continuous assurance
- Continuous monitoring of key business processes
- Exceptions routed to appropriate business process owners for resolution
- Able to identify and plan future areas of risk coverage
- Demonstrate to senior management a view of organizational risk

Growing Concerns
- The regional and global economy is converging; many organisations are dealing with both regional and global customers and suppliers.
- Mergers and acquisitions are adding more business opportunities as well as business risks that auditors need to quickly identify and monitor.
- Advancement in the use of computerised systems for business operations. These new systems might not integrate properly with the current system in place, so more due care is needed. It is also important to note that during migration to a new system, auditors should use Computer Aided Audit Tools (CAATs) to verify that data from the previous system is correctly migrated to the new system.
- Stakeholder expectations and requirements: increased requirement for new regulatory compliance, based on the location and industry types of the organisation, from:

  - Stock exchanges
  - Federal government
  - State government

Auditors are playing an important role in protecting shareholders' interests; as such, 100% audit analysis of the data is critical to provide better accuracy into organisational performance and compliance. There are also increasing public expectations of how organisations should conduct their business in terms of good corporate governance, environmental preservation, ethical business culture, etc. However, all these require additional resources, and auditors are overwhelmed as it is. Thus, without relying on technology for CAATs, it will be close to impossible for auditors to perform efficiently.

Why is it important?
- Recent economic crisis, the worst since The Great Depression
  - Many organisations still have poor risk management
  - Finally, more have recognised the importance of IA in identifying and mitigating risks
- Governments and the general public are demanding better corporate governance of businesses, as:
  - Corporate frauds are continuing to increase
  - The penalty associated with an FCPA infraction has grown tenfold in the past few years
- Wastages and inefficiencies (revenue leakages)
  - Half of companies (and growing) with over 1000 employees are not taking full advantage of available vendor discount terms by paying their invoices within a set timeline (source: Institute of Management and Administration, IOMA 2007)
  - The cost of a company missing out on a 1% discount on a quarter of its payments amounts to $250,000 for every $100 million. On the other hand, repayments made too early may lead to cash flow problems (source: IOMA 2007)
- Errors
  - Companies lose about 0.5% in duplicate payments; however, this amounts to $500,000 for every $100 million in payments made (source: IOMA 2007)
  - Error rates in excess of 5% of T&E expenditures are reported by 40% of companies (source: IOMA 2007)
  - 4.6% of invoices contain errors and 44% of companies pay without original invoices (source: IOMA 2007)
- Fraud
  - 85% of companies have been hit by corporate fraud in the past three years, up 80% from the previous year's survey (source: Kroll Global Fraud Report 2008)
  - An increase of 22% of an average company's losses to fraud from 2007 to 2008. The average business lost $8.2 million to fraud during the past three years, compared with a loss of $6.7 million the previous year (source: Kroll Global Fraud Report 2008)
  - $994 billion is the estimated total of U.S. occupational fraud and abuse in 2008
  - $835 billion is the total losses that were never recovered
  - The amount employees around the world are pocketing every year in fake expense claims is 6 billion (source: Global Expense Survey)

Using CAATs for Audit Vs. Fraud Prevention

Auditors may find the potential fraud, but many are not able to build the modus operandi, so first of all they need to understand a few fundamentals:

Business Environment

RELATIONSHIP AND MONITORING OF ALL THE BUSINESS ENVIRONMENTS

- Process is looking at internal controls. Basically, it is the policies and procedures of the organisation that provide some reasonable assurance that the compliance and control objectives are achieved.
- Technology is looking at the different systems that are available in the organisation. How do you monitor and analyse these data from disparate systems?
- People are the most complex environment of the three. People's integrity can change, especially when there is opportunity for them to commit fraud.

UNIFORM OCCUPATIONAL FRAUD CLASSIFICATION SYSTEM - ACFE

This is a very good table for classifying the different types/categories of occupational fraud. There are three main classifications, given here with examples of questions that auditors should ask themselves when deciding which area of potential fraud to start the analysis with:

Corruption
- Is there a conflict of interest between the staff and the customers/vendors/suppliers?
- Is there collusion to disadvantage the company between staff and the customers/vendors/suppliers?
- Is the company facing cash flow issues? (Might want to check on early repayment of payables)

Asset misappropriation (generally lower in value but higher in volume)
- Ghost employees?
- Cash register's end-of-day balance does not tally with the stock on hand?
- Purchases of resources/inventory do not tally with the purchase trend (are the resources/inventory being skimmed away)?

- Any anomalies in the expense claims (duplicate claims, dubious expenses, and claims while on holiday)?

Fraudulent statements (generally lower in volume but higher in value)
- Is the revenue recognition timing adhering correctly?
- Is management dominated by a single person or a small group (is there sufficient segregation of duty policy in place)?
- Does management display a significant disregard for regulations or controls?
- Has management restricted the auditor's access to documents or personnel?
- Has management set unrealistic financial goals?
- Does management have any past history of illegal conduct?
- Has that employee's lifestyle or behaviour changed significantly?

The Technology

The CAATs software packages that will be familiar to auditors are ACL and IDEA. While there are others, none are as mature as these two at the current time. The characteristics of the software that you are looking for should consist of:
- Very fast processing speed
- Interrogates 100% of the data, no sampling required
- Log files provide required audit trail of activities
- Ability to create multiple log files to separate audit from fraud investigation
- Ability to upload evidence (documents, pictures, audio, data files, etc.) See below for example:

- Automation can be built to provide a systematic analysis, from data access, verification, and analysis, to reporting
- Secure knowledgebase retention

The Techniques

Preparing for investigation requires a lot of planning. However, before auditors jump to the conclusion that they have uncovered fraud, they should first initiate the investigation predication model, as shown in the diagram below, to determine whether this is a potential fraud or just an error.

Preparation for investigation begins once the above predication is completed and the results point to possible fraudulent activities; auditors can then begin planning the fraud investigation.
- Set context or parameter (risk-based).
- Define indicators of fraud.
- Determine the presence of elements that make up the fraud, for each indicator.
- Identify the required sources of information.
- Obtain the data required for analysis. Ideally it should be original/raw format data (no conversion).
- Identify the people that should be involved in the investigation team. Assigning appropriate roles to appropriate individuals is central to the success of the investigation.

The team then needs to study the business environment of the business process carefully. Building a flowchart will greatly help in visual clarification of the process. See diagram below for example:

From the flowchart, auditors can further evaluate these questions:
- What is the fraud being committed?
- Who might be involved?
- In which systems can the evidence or indicators be found?
- When did it occur?
- How has the fraud been committed and for how long?

Analytical tests that can be performed to identify potential fraud:

Purchases, payments, and payables
- Duplicate payments
- Early repayments
- Others:
  - Analyse and age A/P
  - Analyse and combine payables for external auditors
  - Audit paid invoices for manual comparison with actual invoices
  - Correlate vouchers or invoices posted versus purchase order amounts
  - Create activity summary for suppliers with duplicate products
  - Extract invoices posted with duplicate purchase order numbers
  - Extract total posted invoices for the year for accurate vendor rebates
  - Generate cash requirements by bank, period, product, vendor, etc.
  - Identify credits given before discount terms of payment days
  - Identify distributions to accounts not in suppliers' account ledgers
  - Isolate vendor unit price variances by product, over time
  - Reconcile cheque register to disbursements by vendor invoice
  - Reconcile selected vendors' payables posted against purchase orders

  - Report on cheque disbursements for unrecorded liabilities
  - Report on selected vouchers for manual audit or examination
  - Review recurring monthly expenses and compare to posted/paid invoices
  - Summarise large invoices without purchase orders by amount, vendor, etc.

Travel and entertainment
- Duplicate claims
- Dubious claims
- Travel claims during period when staff is on vacation or sick leave

Salaries and payroll
- Compare and summarise costs for special pay, overtime, premium, etc.
- Report entries against authorisation records for new or terminated employees
- Extract all payroll checks where the gross dollar amount exceeds set amount
- Identify changes in exemptions, gross pay, hourly rates, salary amounts, etc.
- Summarise and print payroll by selection criteria for general review
- Identify duplicate or missing payroll checks by check, bank, etc.
- Summarise payroll distributions for reconciliation to general ledger

Common CAATs analysis commands that can be applied to the data:
- Calculation of statistical parameters such as averages, standard deviations, highest and lowest values, which are used to identify statistical anomalies
- Classifications to find patterns and associations among groups of data

- Stratifications of numeric values to identify unusual and outlying values
- Digital analysis, using Benford's Law, to identify statistically unlikely occurrences of numeric amounts
- Joining or relating of data fields between disparate systems, typically looking for expected matches or differences for data such as name, address, telephone, part or serial number
- Sounds-like function that identifies fraudulent variations of valid company and employee names
- Character Day of Week function that converts date fields into weekdays and weekends to identify suspicious transactions
- Duplicates testing to identify simple or complex combinations of duplication
- Gaps testing that identifies missing sequential data
- Summing and totals to check control totals that may be falsified
- Graphing to provide visual identification of anomalous transactions

Conclusion
- Use powerful CAATs software that provides simplified access to all of an enterprise's data and transactions in any structure or format, and not just sampled data. Ideally, use software that allows evidence preservation and robust analytics.
- Assess whether it is a potential fraud or just an error using the initiating investigation predication model.
- Build up a fraud team, which should include people from outside the audit function, such as the corporate lawyers, fraud investigation specialists, etc.

- Build a fraud plan, with a detailed flowchart of the business process, to help identify the perpetrators and the systems and processes that have been exploited by the fraudsters. Fraudsters often seek out interfaces between computer systems, knowing there may be little or no cross-system validation.
- Getting access to the raw/original data format is paramount for fraud investigation, to reduce the potential for errors introduced by data conversion. If the raw/original data format is not accessible, then a data verification test needs to be conducted first to determine if there are conversion errors that could affect the investigation.
- Create early warning for future fraud prevention by automating continuous monitoring applications.
- Create a fraud awareness culture.
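
The duplicates, gaps, day-of-week and Benford's Law tests from the list of common CAATs analysis commands, sketched in Python as an added example (it is not from the original paper and is not ACL or IDEA script). The ledger rows, column names and function names are constructed for illustration.

```python
import csv
import io
import math
import re
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed sample cheque register (not real data); column names are assumptions.
LEDGER_CSV = """\
cheque_no,vendor,invoice_no,amount,paid_on
1001,Acme Supplies,INV-0042,1250.00,2011-03-01
1002,Borneo Freight,BF/778,980.50,2011-03-02
1003,Acme Supplies,INV0042,1250.00,2011-03-05
1005,Delta Print,D-19,4999.00,2011-03-07
1006,ACME SUPPLIES,inv 0042,1250.00,2011-03-13
1007,Borneo Freight,BF/779,1020.00,2011-03-14
"""


def load(text):
    """Parse the CSV into typed rows; amounts stay exact as Decimal."""
    return [
        {
            "cheque_no": int(r["cheque_no"]),
            "vendor": r["vendor"],
            "invoice_no": r["invoice_no"],
            "amount": Decimal(r["amount"]),
            "paid_on": date.fromisoformat(r["paid_on"]),
        }
        for r in csv.DictReader(io.StringIO(text))
    ]


def _norm(s):
    """Drop case, spacing and punctuation so 'INV-0042' matches 'inv 0042'."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def duplicate_payments(rows):
    """Groups of cheques paying the same normalised vendor, invoice and amount."""
    groups = defaultdict(list)
    for r in rows:
        key = (_norm(r["vendor"]), _norm(r["invoice_no"]), r["amount"])
        groups[key].append(r["cheque_no"])
    return sorted(c for c in groups.values() if len(c) > 1)


def sequence_gaps(rows):
    """Cheque numbers missing from the otherwise sequential register."""
    seen = {r["cheque_no"] for r in rows}
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def weekend_payments(rows):
    """Cheques dated Saturday or Sunday (weekday() is 5 or 6)."""
    return [r["cheque_no"] for r in rows if r["paid_on"].weekday() >= 5]


def benford_mad(amounts):
    """Mean absolute deviation between observed leading-digit frequencies and
    Benford's expected log10(1 + 1/d). Only meaningful on large populations."""
    counts = [0] * 10
    for a in amounts:
        lead = Decimal(str(a)).as_tuple().digits[0]  # first significant digit
        if lead:  # zero amounts have no leading digit
            counts[lead] += 1
    total = sum(counts)
    if total == 0:
        raise ValueError("no non-zero amounts to analyse")
    return sum(abs(counts[d] / total - math.log10(1 + 1 / d))
               for d in range(1, 10)) / 9


if __name__ == "__main__":
    ledger = load(LEDGER_CSV)
    print("duplicate groups:", duplicate_payments(ledger))
    print("missing cheques: ", sequence_gaps(ledger))
    print("weekend cheques: ", weekend_payments(ledger))
```

Each hit is an exception to be explained, not proof of fraud; the three Acme cheques could equally be a keying error, which is the distinction the predication step is there to make.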