©2011

PREPARING AUDITORS IN THEIR USAGE OF DATA ANALYTICS TOOL IN FRAUD PREVENTION PROGRAM

Auditors need to understand that while audit findings are common, they are not necessarily fraud and due care is needed in building evidence. Corporate frauds are not going away any time soon, and the traditional role of auditor is being expanded to assist in fraud detection, investigation, and prevention. This presentation will teach you what to consider when there is a potential fraud discovered, what other elements need to be considered moving forward, additional tests to be conducted, and how to preserve evidence.

FRANSISKUS OEY

Group Managing Director

The Prodigy Group

Singapore

Fransiskus Oey is an experienced player in the audit and fraud detection and prevention fields, and has conducted over 12 years of training and workshops on ACL data analytics, continuous monitoring, and fraud detection and prevention across the Asia and Middle East region. His interests include data forensic analysis and fraud detection techniques. He devotes a substantial portion of his time to research work and plays an active role in creating awareness among corporations of the importance of continuous monitoring for audit productivity, business process improvement, and fraud prevention. He has conducted various specialised workshops on fraud detection and prevention for banks, retail, manufacturing, and telecommunication companies, as well as educational institutions.

Mr. Oey was one of the first ACL Certified Trainers in the Asia region, and is also an active member of the Information Systems Audit and Control Association (ISACA), Association of Certified Fraud Examiners (ACFE), and the Association of Certified Anti-Money Laundering Specialists (ACAMS). Mr. Oey’s core competencies include Business Process Improvement, Business Continuity Planning, Business Assurance Implementation, Continuous Monitoring, Fraud Prevention and Detection, Anti-Money Laundering, and Operational Risk Management. He has worked with major corporations in the banking and finance, insurance, investment, government, manufacturing, and many other diversified industries in the Asia region.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

PREPARING AUDITORS

2011 ACFE Asia-Pacific Fraud Conference ©2011 1

Introduction

“Fraud is always intentional as contrasted to errors and

misrepresentations that are unintentional by chance or lack

of training or skill.”

Challenges

Different vulnerabilities at different stages of the

business process

Differentiating “fraud” transactions from “error”

transactions in digital domain of organisation system

network

Lack of robust, scalable, and near real-time preventive

tools

Implementation steps

Automation vs. manual prevention/detection

Auditors' New/Value-Adding Roles

Fraud deterrence for internal auditors requires action to

discourage the perpetration of fraud and limit the entity’s

exposure to fraud. If fraud does occur, the internal auditor

should help in its investigation and deter fraud by

examining apparent control system weaknesses and

establishing procedures to limit the entity’s exposure to

future risk.

Specifically, the internal auditor is supposed to determine

that:

The organisational environment fosters control

consciousness.

Realistic organisational goals and objectives are set.

Written corporate policies (a code of conduct) exist and

describe prohibited activities as well as action required

upon the discovery of violations.

Appropriate authorisation policies for transactions are

established and maintained.

Policies, practices, procedures, reports, and other

mechanisms to monitor activities and safeguard assets,

particularly in high-risk areas, are developed.

Communication channels provide management with

adequate and reliable information.

Recommendations are made for the establishment or

enhancement of cost-effective controls to help deter

fraud.

Fraud detection consists of identifying fraud problems that

warrant an examination. These potential fraud problems

may be indicated by the control system established by

management, tests performed by internal or external

auditors, or other sources, such as customers and

employees.

Examples of fraud indicators:

Unauthorised transactions

Override of internal controls

Unexplained accounts or transactional document

exceptions (such as pricing exceptions)

Personal characteristics (mood changes in employees or

management)

Motivations of management

Cost of Fraud

Reputation for integrity is one of the most valuable

assets of an organization.

While compliance reporting mandated by

government legislation sets baseline standards, a

reputation for integrity remains one of the most

valuable assets of a financial institution.

Failure to take the necessary steps to detect and

prevent financial transactions supporting criminal or

terrorist activity may result in stiff fines, criminal

charges, and negative publicity.

Action plan for detection and prevention control.

Evidence of non-compliance can irreparably

damage a financial institution’s reputation with

customers, regulators, and shareholders, and present

a serious challenge to continued viability.

Prevention is better and cheaper than investigation.

The cost/investment for prevention is lower than

cost of investigation. Furthermore, the whole

process of investigation can be very stressful and

lengthy.

Simplified Analytic Capability Model

The traditional approach to audit has always been to take a

historic or retrospective view of what has happened over a

period of time. While this approach delivers necessary and

proven hindsight for audit planning, today’s environment

demands a more proactive and comprehensive view for

effective risk management and business assurance.

(Level 1) General Purpose

Current state:

Limited to no use of data analysis software

Use of spreadsheets for sampling/light analysis

Data access is manual and delayed

No integration of data analysis in audit process

Desired state is Level 2:

Ability to analyze 100% of transactions

Staff trained on data analysis software

Knowledge of where to apply data analysis

(Level 2) Specialized

Current state:

Designated individual(s) using data analysis

software to analyze 100% of transactions

Some access to data, but used inconsistently

Decentralized, unsecure environment

Desired state is Level 3:

Centralized, secure environment with sharing of

data, etc.

Repeatable and sustainable use

Knowledge of how to integrate more data analysis

(Level 3) Managed

Current state:

Centralized, secure environment and able to share

audit content

Data access is controlled and managed

Data analysis still manual

Desired state is Level 4:

Automate controls testing

Gain deeper insight into key risk areas more

frequently

(Level 4) Automated

Current state:

Automated control tests are in place

Able to easily develop and deploy additional control

tests

Infrequent and unstructured communication of

exceptions to the business

Desired state is Level 5:

Continuous assurance—automated controls,

exceptions resolved

Monitoring all key business processes

Develop a risk-based audit plan

(Level 5) Monitoring

Current state:

Continuous assurance

Continuous monitoring of key business processes

Exceptions routed to appropriate business process

owners for resolution

Able to identify and plan future areas of risk

coverage

Demonstrate to senior management a view of

organizational risk

Growing Concerns

Regional and global economies are converging; many organisations are dealing with both regional and global customers and suppliers.

Mergers and acquisitions are adding more business

opportunities as well as business risks that auditors

need to quickly identify and monitor.

Advancement in the use of computerised systems for business operations. These new systems might not integrate properly with the current system in place, so more due care is needed. It is also important to note that during migration to a new system, auditors should use Computer Aided Audit Tools (CAATs) to verify that data from the previous system is correctly migrated to the new system.

Stakeholder expectations and requirements:

Increased requirement for new regulatory compliance, based on the location and industry type of the organisation, from:

Stock exchanges

Federal government

State government

Auditors play an important role in protecting shareholders’ interests; as such, 100% audit analysis of the data is critical to provide better accuracy into organisational performance and compliance.

There are also increasing public expectations of

how organisations should conduct their business in

terms of good corporate governance, environmental

preservation, ethical business culture, etc.

However, all these require additional resources, and

auditors are overwhelmed as it is. Thus, without relying

on technology for CAATs it will be close to impossible

for auditors to perform efficiently.

Why is it important?

Recent economic crisis, the worst since The Great

Depression

Many organisations still have poor risk

management

Finally, more have recognised the importance of

IA in identifying and mitigating risks

Governments and general public are demanding

better corporate governance of businesses, as:

Corporate frauds are continuing to increase

The penalty associated with an FCPA infraction

has grown tenfold in the past few years

Wastages and inefficiencies (revenue leakages)

Half of companies (and growing) with over

1000 employees are not taking full advantage of

available vendor discount terms by paying their

invoices within a set timeline (source: Institute

of Management and Administration, IOMA

2007)

The cost of a company missing on a 1%

discount on a quarter of its payments amounts to

$250,000 for every $100 million. On the other

hand, repayments too early may lead to cash

flow problems (source: IOMA 2007)

Errors

Companies lose about 0.5% in duplicate

payments; however, this amounts to $500,000

for every $100 million in payments made

(source: IOMA 2007)

Error rates in excess of 5% of T&E expenditures

are reported by 40% of companies (source:

IOMA 2007)

4.6% of invoices contain errors and 44% of

companies pay without original invoices

(sources: IOMA 2007)

Fraud

85% of companies have been hit by corporate

fraud in the past three years, up 80% from the

previous year’s survey (source: Kroll Global

Fraud Report 2008)

An increase of 22% of an average company’s

losses to fraud from 2007 to 2008. The average

business lost $8.2 million to fraud during the

past three years, compared with a loss of $6.7

million the previous year (source: Kroll Global

Fraud Report 2008)

$994 billion is the estimated total of U.S.

occupational fraud and abuse in 2008

$835 billion is the total losses that were never

recovered

The amount employees around the world are pocketing every year in fake expense claims is €6 billion (source: Global Expense Survey)

Using CAATs for Audit Vs. Fraud Prevention

Auditors may find the potential fraud, but many are not

able to build the modus operandi, so first of all they need to

understand a few fundamentals:

Business Environment

RELATIONSHIP AND MONITORING OF ALL THE

BUSINESS ENVIRONMENTS

Process is looking at internal controls.

Basically, it is the policies and procedures of the

organisation that provide some reasonable

assurance that the compliance and control

objectives are achieved.

Technology is looking at the different systems

that are available in the organisation. How do

you monitor and analyse these data from

disparate systems?

People are the most complex environment of the

three. People’s integrity can change, especially

when there is opportunity for them to commit

fraud.

UNIFORM OCCUPATIONAL FRAUD CLASSIFICATION SYSTEM - ACFE

This table is a very good way to classify the different types/categories of occupational fraud. It has three main classifications, shown here with examples of questions that auditors should ask themselves when deciding in which area of potential fraud to start the analysis:

Corruption

Is there conflict of interest between the staff

and the customers/vendors/suppliers?

Is there collusion to disadvantage the

company between staff and the

customers/vendors/suppliers?

Is the company facing cash flow issues?

(Might want to check on early repayment of

payables)

Asset misappropriation (generally lower in

value but higher in volume)

Ghost employees?

Cash register’s end-of-day balance does not

tally with the stock on hand?

Purchases of resources/inventory do not

tally with the purchase trend (are the

resources/inventory being skimmed away)?

Any anomalies in the expense claims

(duplicate claims, dubious expenses, and

claims while on holiday)?

Fraudulent statements (generally lower in

volume but higher in value)

Is the revenue recognition timing adhering

correctly?

Is management dominated by a single

person or a small group (is there sufficient

segregation of duty policy in place)?

Does management display a significant

disregard for regulations or controls?

Has management restricted the auditor’s

access to documents or personnel?

Has management set unrealistic financial

goals?

Does management have any past history of

illegal conduct?

Has that employee’s lifestyle or behaviour

changed significantly?

The Technology

The CAATs software packages that will be familiar to auditors are ACL and IDEA. While there are others, none is as mature as these two at present. The software you are looking for should have the following characteristics:

Very fast processing speed

Interrogates 100% of the data, no sampling required

Log files provide required audit trail of activities

Ability to create multiple log files to separate audit

from fraud investigation

Ability to upload evidence (documents, pictures,

audio, data files, etc.) See below for example:


Automation can be built to provide a systematic

analysis, from data access, verification, and

analysis, to reporting

Secure knowledgebase retention

The Techniques

Preparing for investigation requires a lot of planning. However, before auditors jump to the conclusion that they have uncovered fraud, they should first initiate the investigation predication model, as shown in the diagram below, to determine whether this is a potential fraud or just an error.

Preparation for the investigation begins once the above predication is completed and the results point to possible fraudulent activities; auditors can then begin planning the fraud investigation.

Set context or parameter (risk-based).

Define indicators of fraud.

Determine the presence of elements that make up

the fraud, for each indicator.

Identify the required sources of information.

Obtain the data required for analysis. Ideally it

should be original/raw format data (no conversion).

Identify the people that should be involved in the

investigation team. Assigning appropriate roles to

appropriate individuals is central to success of the

investigation.

The team then needs to study the business environment of the business process carefully. Building a flowchart will greatly help in visual clarification of the process. See diagram below for example:

From the flowchart, auditors can further evaluate these questions:

What is the fraud being committed?

Who might be involved?

In which systems can the evidence or indicators be found?

When did it occur?

How has the fraud been committed and for how

long?

Analytical tests that can be performed to identify

potential fraud:

Purchases, payments, and payables

Duplicate payments

Early repayments

Others

Analyse and age A/P

Analyse and combine payables for external

auditors

Audit paid invoices for manual comparison

with actual invoices

Correlate vouchers or invoices posted versus

purchase order amounts

Create activity summary for suppliers with

duplicate products

Extract invoices posted with duplicate

purchase order numbers

Extract total posted invoices for the year for

accurate vendor rebates

Generate cash requirements by bank, period,

product, vendor, etc.

Identify credits given before discount terms

of payment days

Identify distributions to accounts not in

suppliers account ledgers

Isolate vendor unit price variances by

product, over time

Reconcile cheque register to disbursements

by vendor invoice

Reconcile selected vendors payables posted

against purchase orders

Report on cheque disbursements for

unrecorded liabilities

Report on selected vouchers for manual

audit or examination

Review recurring monthly expenses and

compare to posted/paid invoices

Summarise large invoices without purchase

orders by amount, vendor, etc.

Travel and entertainment

Duplicate claims

Dubious claims

Travel claims during period when staff is on

vacation or sick leave

Salaries and payroll

Compare and summarise costs for special pay,

overtime, premium, etc.

Report entries against authorisation records for

new or terminated employees

Extract all payroll checks where the gross dollar

amount exceeds set amount

Identify changes in exemptions, gross pay,

hourly rates, salary amounts, etc.

Summarise and print payroll by selection

criteria for general review

Identify duplicate or missing payroll checks by

check, bank, etc.

Summarise payroll distributions for

reconciliation to general ledger
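Two of the tests listed above, travel claims dated during leave and early repayments, written out in Python as an added example (not from the original paper, and not ACL or IDEA syntax). All records, field layouts and function names are constructed for illustration; a hit is a lead for follow-up, not proof of fraud.

```python
from datetime import date, timedelta

# Constructed HR leave records: (employee_id, leave_type, first_day, last_day)
LEAVE = [
    ("E017", "vacation", date(2011, 4, 11), date(2011, 4, 15)),
    ("E022", "sick", date(2011, 4, 20), date(2011, 4, 20)),
]
# Constructed T&E claims: (claim_id, employee_id, expense_date, category, amount)
CLAIMS = [
    ("C-501", "E017", date(2011, 4, 8), "taxi", 42.00),
    ("C-502", "E017", date(2011, 4, 13), "client dinner", 310.00),
    ("C-503", "E022", date(2011, 4, 20), "mileage", 88.40),
    ("C-504", "E030", date(2011, 4, 13), "hotel", 190.00),
]
# Constructed payables: (invoice_no, vendor, terms_days, invoice_date, paid_date)
PAYABLES = [
    ("INV-210", "Acme Supplies", 30, date(2011, 4, 1), date(2011, 4, 29)),
    ("INV-211", "Delta Tools", 60, date(2011, 4, 1), date(2011, 4, 4)),
    ("INV-212", "Borneo Freight", 30, date(2011, 4, 5), date(2011, 5, 12)),
]


def claims_during_leave(claims, leave):
    """Relate the T&E system to the HR system: expenses dated inside a leave period."""
    by_employee = {}
    for emp, kind, first_day, last_day in leave:
        by_employee.setdefault(emp, []).append((kind, first_day, last_day))
    hits = []
    for claim_id, emp, spent_on, _category, amount in claims:
        for kind, first_day, last_day in by_employee.get(emp, []):
            if first_day <= spent_on <= last_day:
                hits.append((claim_id, emp, kind, amount))
    return hits


def early_payments(payables, min_days_early):
    """Invoices paid at least `min_days_early` days before the due date implied
    by the vendor's payment terms, largest gap first."""
    hits = []
    for invoice, vendor, terms_days, invoiced, paid in payables:
        due = invoiced + timedelta(days=terms_days)
        days_early = (due - paid).days
        if days_early >= min_days_early:
            hits.append((invoice, vendor, days_early))
    return sorted(hits, key=lambda hit: -hit[2])


if __name__ == "__main__":
    print("claims during leave:", claims_during_leave(CLAIMS, LEAVE))
    print("paid 14+ days early:", early_payments(PAYABLES, 14))
```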

Common CAATs analysis commands that can be

applied onto the data:

Calculation of statistical parameters such as

averages, standard deviations, highest and

lowest values, which are used to identify

statistical anomalies

Classifications to find patterns and associations

among groups of data

Stratifications of numeric values to identify

unusual and outlying values

Digital analysis, using Benford’s Law, to

identify statistically unlikely occurrences of

numeric amounts

Joining or relating of data fields between

disparate systems, typically looking for

expected matches or differences for data such as

name, address, telephone, part or serial number

“Sounds like” function that identifies fraudulent variations of valid company and employee names

“Character Day of Week” function that converts date fields into weekdays and weekends to identify suspicious transactions

Duplicates testing to identify simple or complex

combinations of duplication

Gaps testing that identifies missing sequential

data

Summing and totals to check control totals that

may be falsified

Graphing to provide visual identification of

anomalous transactions
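The duplicates, gaps, day-of-week and Benford's Law tests from the list above, written out in Python as an added example (not from the original paper, and not ACL or IDEA syntax). The payment register, its field layout and all function names are constructed for illustration.

```python
import math
from collections import Counter, defaultdict
from datetime import date

# Constructed payment register: (cheque_no, vendor, invoice_no, amount, paid_on)
PAYMENTS = [
    (1001, "Acme Supplies", "INV-778", 4820.00, date(2011, 3, 1)),
    (1002, "Borneo Freight", "INV-112", 1250.50, date(2011, 3, 2)),
    (1003, "ACME  SUPPLIES ", "inv-778", 4820.00, date(2011, 3, 5)),  # repeat of 1001
    (1005, "Cahaya Print", "INV-340", 915.75, date(2011, 3, 7)),      # 1004 absent
    (1006, "Delta Tools", "INV-901", 9900.00, date(2011, 3, 13)),
    (1007, "Delta Tools", "INV-902", 9850.00, date(2011, 3, 14)),
]


def normalise(text):
    """Fold case and whitespace so cosmetic edits do not hide a repeat."""
    return " ".join(text.upper().split())


def duplicates(payments):
    """Duplicates test: same vendor, invoice number and amount paid more than once."""
    groups = defaultdict(list)
    for cheque, vendor, invoice, amount, _paid_on in payments:
        key = (normalise(vendor), normalise(invoice), round(amount, 2))
        groups[key].append(cheque)
    return {key: cheques for key, cheques in groups.items() if len(cheques) > 1}


def gaps(payments):
    """Gaps test: cheque numbers absent from the otherwise sequential register."""
    issued = {p[0] for p in payments}
    if not issued:
        return []
    return [n for n in range(min(issued), max(issued) + 1) if n not in issued]


def weekend_payments(payments):
    """Day-of-week test: cheques dated on a Saturday (5) or Sunday (6)."""
    return [p[0] for p in payments if p[4].weekday() >= 5]


def benford_first_digit(amounts):
    """Digital analysis: {digit: (observed share, Benford expected share)}."""
    digits = [int(f"{abs(a):e}"[0]) for a in amounts if a]
    if not digits:
        return {}
    counts, total = Counter(digits), len(digits)
    return {d: (counts[d] / total, math.log10(1 + 1 / d)) for d in range(1, 10)}


def benford_excess(amounts, tolerance):
    """Leading digits whose observed share exceeds the expected share by more
    than `tolerance`. Only meaningful on large populations; the six constructed
    rows here just exercise the arithmetic."""
    table = benford_first_digit(amounts)
    return [d for d, (observed, expected) in table.items() if observed - expected > tolerance]


if __name__ == "__main__":
    print("duplicates:", duplicates(PAYMENTS))
    print("gaps:", gaps(PAYMENTS))
    print("weekend:", weekend_payments(PAYMENTS))
    print("Benford excess:", benford_excess([p[3] for p in PAYMENTS], 0.2))
```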

Conclusion

Use powerful CAATs software that provides simplified access to all of an enterprise's data and transactions in any structure or format, and not just sampled data. Ideally, use software that allows evidence preservation and robust analytics.

Assess whether it is a potential fraud or just an error using the initiating investigation predication model.

Build up a fraud team, which should include people from outside audit, such as corporate lawyers, fraud investigation specialists, etc.

Build a fraud plan, with a detailed flowchart of the business process, to help identify the perpetrators and which systems and processes have been exploited by the fraudsters. Fraudsters often seek out interfaces between computer systems, knowing there may be little or no cross-system validation.

Getting access to the raw/original data format is paramount for fraud investigation, to reduce the potential for data conversion errors. If the raw/original data format is not accessible, then a data verification test needs to be conducted first to determine if there are conversion errors that could affect the investigation.

Create early warnings through automated continuous monitoring applications for future fraud prevention.

Create a fraud awareness culture.
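One way to run the data verification test mentioned above for converted or migrated data, as an added Python example (not from the original paper): control totals plus a per-record comparison between a source extract and its converted copy, with a SHA-256 of the source extract recorded for evidence preservation. The CSV extracts, column names and function names are constructed assumptions.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed extracts; the column names are assumptions for this example.
SOURCE_CSV = """invoice_no,vendor_id,amount
INV-001,V100,1500.00
INV-002,V200,249.99
INV-003,V100,10000.10
INV-004,V300,75.50
"""
CONVERTED_CSV = """invoice_no,vendor_id,amount
INV-001,V100,1500.0
INV-002,V200,249.90
INV-003,V100,10000.10
"""


def load(text, key="invoice_no"):
    """Index rows by key; a repeated key is itself a finding, so refuse it."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row[key] in rows:
            raise ValueError(f"duplicate key {row[key]!r}")
        rows[row[key]] = row
    return rows


def control_totals(rows):
    """Record count and amount total, in Decimal to avoid float rounding."""
    total = sum((Decimal(r["amount"]) for r in rows.values()), Decimal("0"))
    return {"records": len(rows), "amount": total}


def row_digest(row):
    """Hash a canonical form so formatting-only changes (1500.0 vs 1500.00) match."""
    amount = Decimal(row["amount"]).quantize(Decimal("0.01"))
    canonical = f'{row["invoice_no"].strip()}|{row["vendor_id"].strip()}|{amount}'
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_conversion(source_text, converted_text):
    """Compare control totals and individual records across the conversion."""
    src, dst = load(source_text), load(converted_text)
    shared = set(src) & set(dst)
    return {
        # Digest of the untouched source extract, to record with the evidence.
        "source_sha256": hashlib.sha256(source_text.encode("utf-8")).hexdigest(),
        "source_totals": control_totals(src),
        "converted_totals": control_totals(dst),
        "missing": sorted(set(src) - set(dst)),
        "unexpected": sorted(set(dst) - set(src)),
        "altered": sorted(k for k in shared if row_digest(src[k]) != row_digest(dst[k])),
    }


if __name__ == "__main__":
    for name, value in verify_conversion(SOURCE_CSV, CONVERTED_CSV).items():
        print(f"{name}: {value}")
```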