©2011
PREPARING AUDITORS IN THEIR USAGE OF DATA
ANALYTICS TOOL IN FRAUD PREVENTION PROGRAM
Auditors need to understand that while audit findings are common, they are not
necessarily fraud, and due care is needed in building evidence. Corporate frauds are not going
away any time soon, and the traditional role of the auditor is being expanded to assist in fraud
detection, investigation, and prevention. This presentation will teach you what to consider
when a potential fraud is discovered, what other elements need to be considered
moving forward, what additional tests should be conducted, and how to preserve evidence.
FRANSISKUS OEY
Group Managing Director
The Prodigy Group
Singapore
Fransiskus Oey is an experienced practitioner in the audit and fraud detection and prevention
fields, and has conducted over 12 years of training and workshops on ACL data analytics,
continuous monitoring, and fraud detection and prevention across the Asia and Middle East
region. His interests include data forensic analysis and fraud detection techniques. He
devotes a substantial portion of his time to research work and plays an active role in creating
awareness among corporations of the importance of continuous monitoring for audit productivity,
business process improvement, and fraud prevention. He has conducted various
specialised workshops on fraud detection and prevention for banks, retail,
manufacturing, and telecommunication companies, as well as educational institutions.
Mr. Oey was one of the first ACL Certified Trainers in the Asia region, and is also an
active member of the Information Systems Audit and Control Association (ISACA),
Association of Certified Fraud Examiners (ACFE), and the Association of Certified Anti-
Money Laundering Specialists (ACAMS). Mr. Oey’s core competencies include Business
Process Improvement, Business Continuity Planning, Business Assurance Implementation,
Continuous Monitoring, Fraud Prevention and Detection, Anti-Money Laundering, and
Operational Risk Management. He has worked with major corporations in the banking and
finance, insurance, investment, government, manufacturing, and many other diversified
industries in the Asia region.
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the
ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of
this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without
the prior consent of the author.
PREPARING AUDITORS
2011 ACFE Asia-Pacific Fraud Conference ©2011 1
Introduction
“Fraud is always intentional as contrasted to errors and
misrepresentations that are unintentional by chance or lack
of training or skill.”
Challenges
Different vulnerabilities at different stages of the
business process
Differentiating “fraud” transactions from “error”
transactions across the organisation’s digital systems
and networks
Lack of robust, scalable, and near-real-time preventive
tools
Implementation steps
Automation vs. manual prevention/detection
Auditors' New/Value-Adding Roles
Fraud deterrence for internal auditors requires action to
discourage the perpetration of fraud and limit the entity’s
exposure to fraud. If fraud does occur, the internal auditor
should help in its investigation and deter fraud by
examining apparent control system weaknesses and
establishing procedures to limit the entity’s exposure to
future risk.
Specifically, the internal auditor is supposed to determine
that:
The organisational environment fosters control
consciousness.
Realistic organisational goals and objectives are set.
Written corporate policies (a code of conduct) exist and
describe prohibited activities as well as action required
upon the discovery of violations.
Appropriate authorisation policies for transactions are
established and maintained.
Policies, practices, procedures, reports, and other
mechanisms to monitor activities and safeguard assets,
particularly in high-risk areas, are developed.
Communication channels provide management with
adequate and reliable information.
Recommendations are made for the establishment or
enhancement of cost-effective controls to help deter
fraud.
Fraud detection consists of identifying fraud problems that
warrant an examination. These potential fraud problems
may be indicated by the control system established by
management, tests performed by internal or external
auditors, or other sources, such as customers and
employees.
Examples of fraud indicators:
Unauthorised transactions
Override of internal controls
Unexplained accounts or transactional document
exceptions (such as pricing exceptions)
Personal characteristics (mood changes in employees or
management)
Motivations of management
Cost of Fraud
Reputation for integrity is one of the most valuable
assets of an organization.
While compliance reporting mandated by
government legislation sets baseline standards, a
reputation for integrity remains one of the most
valuable assets of a financial institution.
Failure to take the necessary steps to detect and
prevent financial transactions supporting criminal or
terrorist activity may result in stiff fines, criminal
charges, and negative publicity.
Action plan for detection and prevention control.
Evidence of non-compliance can irreparably
damage a financial institution’s reputation with
customers, regulators, and shareholders, and present
a serious challenge to continued viability.
Prevention is better and cheaper than investigation.
The cost/investment for prevention is lower than the
cost of investigation. Furthermore, the whole
process of investigation can be very stressful and
lengthy.
Simplified Analytic Capability Model
The traditional approach to audit has always been to take a
historic or retrospective view of what has happened over a
period of time. While this approach delivers necessary and
proven hindsight for audit planning, today’s environment
demands a more proactive and comprehensive view for
effective risk management and business assurance.
(Level 1) General Purpose
Current state:
Limited to no use of data analysis software
Use of spreadsheets for sampling/light analysis
Data access is manual and delayed
No integration of data analysis in audit process
Desired state is Level 2:
Ability to analyze 100% of transactions
Staff trained on data analysis software
Knowledge of where to apply data analysis
(Level 2) Specialized
Current state:
Designated individual(s) using data analysis
software to analyze 100% of transactions
Some access to data, but used inconsistently
Decentralized, insecure environment
Desired state is Level 3:
Centralized, secure environment with sharing of
data, etc.
Repeatable and sustainable use
Knowledge of how to integrate more data analysis
(Level 3) Managed
Current state:
Centralized, secure environment and able to share
audit content
Data access is controlled and managed
Data analysis still manual
Desired state is Level 4:
Automate controls testing
Gain deeper insight into key risk areas more
frequently
(Level 4) Automated
Current state:
Automated control tests are in place
Able to easily develop and deploy additional control
tests
Infrequent and unstructured communication of
exceptions to the business
Desired state is Level 5:
Continuous assurance: automated controls,
exceptions resolved
Monitoring all key business processes
Develop a risk-based audit plan
(Level 5) Monitoring
Current state:
Continuous assurance
Continuous monitoring of key business processes
Exceptions routed to appropriate business process
owners for resolution
Able to identify and plan future areas of risk
coverage
Demonstrate to senior management a view of
organizational risk
Growing Concerns
Regional and global economy is converging; many
organisations are dealing with both regional and global
customers and suppliers.
Mergers and acquisitions are adding more business
opportunities as well as business risks that auditors
need to quickly identify and monitor.
Advancement in the use of computerised systems for
business operations. New systems might not
integrate properly with the systems already in place,
so more due care is needed. It is also important to note
that during migration to a new system, auditors
should use Computer Aided Audit Tools (CAATs)
to verify that data from the previous
system has been correctly migrated to the new one.
Stakeholder expectations and requirements:
Increased requirement for new regulatory
compliance based on location, and industries types
of the organisation from:
Stock exchanges
Federal government
State government
Auditors play an important role in protecting
shareholders’ interests; as such, 100% analysis
of the data is critical to provide better accuracy
into organisational performance and compliance.
There are also increasing public expectations of
how organisations should conduct their business in
terms of good corporate governance, environmental
preservation, ethical business culture, etc.
However, all these require additional resources, and
auditors are overwhelmed as it is. Thus, without relying
on technology such as CAATs, it will be close to impossible
for auditors to perform efficiently.
Why is it important?
Recent economic crisis, the worst since The Great
Depression
Many organisations still have poor risk
management
Finally, more have recognised the importance of
IA in identifying and mitigating risks
Governments and general public are demanding
better corporate governance of businesses, as:
Corporate frauds are continuing to increase
The penalty associated with an FCPA infraction
has grown tenfold in the past few years
Wastages and inefficiencies (revenue leakages)
Half of companies (and growing) with over
1000 employees are not taking full advantage of
available vendor discount terms by paying their
invoices within a set timeline (source: Institute
of Management and Administration, IOMA
2007)
The cost to a company of missing a 1%
discount on a quarter of its payments amounts to
$250,000 for every $100 million. On the other
hand, paying too early may lead to cash
flow problems (source: IOMA 2007)
Errors
Companies lose about 0.5% of payments to duplicate
payments; small as that sounds, it amounts to $500,000
for every $100 million in payments made
(source: IOMA 2007)
Error rates in excess of 5% of T&E expenditures
are reported by 40% of companies (source:
IOMA 2007)
4.6% of invoices contain errors and 44% of
companies pay without original invoices
(sources: IOMA 2007)
Fraud
85% of companies have been hit by corporate
fraud in the past three years, up from 80% in the
previous year’s survey (source: Kroll Global
Fraud Report 2008)
An increase of 22% of an average company’s
losses to fraud from 2007 to 2008. The average
business lost $8.2 million to fraud during the
past three years, compared with a loss of $6.7
million the previous year (source: Kroll Global
Fraud Report 2008)
$994 billion is the estimated total of U.S.
occupational fraud and abuse in 2008
$835 billion is the total losses that were never
recovered
The amount employees around the world are
pocketing every year in fake expense claims is €
6 billion (source: Global Expense Survey)
Using CAATs for Audit vs. Fraud Prevention
Auditors may find the potential fraud, but many are not
able to establish the modus operandi, so first of all they need to
understand a few fundamentals:
Business Environment
RELATIONSHIP AND MONITORING OF ALL THE
BUSINESS ENVIRONMENTS
Process looks at internal controls: basically, the
policies and procedures of the organisation that
provide reasonable assurance that the compliance
and control objectives are achieved.
Technology looks at the different systems that
are available in the organisation. How do you
monitor and analyse the data from these
disparate systems?
People are the most complex environment of the
three. People’s integrity can change, especially
when there is an opportunity for them to commit
fraud.
UNIFORM OCCUPATIONAL FRAUD
CLASSIFICATION SYSTEM - ACFE
This is a very good table for classifying the different
types/categories of occupational fraud: three main
classifications, with examples of questions that
auditors should ask themselves when deciding which area of
potential fraud to start the analysis with:
Corruption
Is there conflict of interest between the staff
and the customers/vendors/suppliers?
Is there collusion to disadvantage the
company between staff and the
customers/vendors/suppliers?
Is the company facing cash flow issues?
(Might want to check on early repayment of
payables)
Asset misappropriation (generally lower in
value but higher in volume)
Ghost employees?
Cash register’s end-of-day balance does not
tally with the stock on hand?
Purchases of resources/inventory do not
tally with the purchase trend (are the
resources/inventory being skimmed away)?
Any anomalies in the expense claims
(duplicate claims, dubious expenses, and
claims while on holiday)?
Fraudulent statements (generally lower in
volume but higher in value)
Is revenue recognition timing being adhered to
correctly?
Is management dominated by a single
person or a small group (is there sufficient
segregation of duty policy in place)?
Does management display a significant
disregard for regulations or controls?
Has management restricted the auditor’s
access to documents or personnel?
Has management set unrealistic financial
goals?
Does management have any past history of
illegal conduct?
Has that employee’s lifestyle or behaviour
changed significantly?
The Technology
The CAATs software that will be familiar to auditors
is ACL and IDEA. While there are others, none are as
mature as these two products at the present time. The
characteristics of the software you are looking for
should include:
Very fast processing speed
Interrogates 100% of the data; no sampling
required
Log files provide the required audit trail of activities
Ability to create multiple log files to separate audit
work from fraud investigation
Ability to upload evidence (documents, pictures,
audio, data files, etc.). See below for an example:
Automation can be built to provide a systematic
analysis, from data access, verification, and
analysis, to reporting
Secure knowledgebase retention
The Techniques
Preparing for an investigation requires a lot of planning.
However, before auditors jump to the conclusion that
they have uncovered fraud, they should first apply the
investigation predication model shown in the
diagram below to determine whether this is a potential fraud
or just an error.
Preparation for the investigation begins once the above
predication is completed and the results point to possible
fraudulent activity; auditors can then begin
planning the fraud investigation.
Set context or parameter (risk-based).
Define indicators of fraud.
Determine the presence of elements that make up
the fraud, for each indicator.
Identify the required sources of information.
Obtain the data required for analysis. Ideally it
should be in its original/raw format (no conversion).
Identify the people that should be involved in the
investigation team. Assigning appropriate roles to
appropriate individuals is central to success of the
investigation.
The team then needs to study the business environment
of the business process carefully. Building a flowchart
will greatly help in visually clarifying the process.
See the diagram below for an example:
From the flowchart, auditors can further evaluate these
questions:
What is the fraud being committed?
Who might be involved?
In which systems can the evidence or indicators be
found?
When did it occur?
How has the fraud been committed and for how
long?
Analytical tests that can be performed to identify
potential fraud:
Purchases, payments, and payables
Duplicate payments
Early repayments
Others
Analyse and age A/P
Analyse and combine payables for external
auditors
Audit paid invoices for manual comparison
with actual invoices
Correlate vouchers or invoices posted versus
purchase order amounts
Create activity summary for suppliers with
duplicate products
Extract invoices posted with duplicate
purchase order numbers
Extract total posted invoices for the year for
accurate vendor rebates
Generate cash requirements by bank, period,
product, vendor, etc.
Identify credits given before discount terms
of payment days
Identify distributions to accounts not in
suppliers account ledgers
Isolate vendor unit price variances by
product, over time
Reconcile cheque register to disbursements
by vendor invoice
Reconcile selected vendors payables posted
against purchase orders
Report on cheque disbursements for
unrecorded liabilities
Report on selected vouchers for manual
audit or examination
Review recurring monthly expenses and
compare to posted/paid invoices
Summarise large invoices without purchase
orders by amount, vendor, etc.
Travel and entertainment
Duplicate claims
Dubious claims
Travel claims during period when staff is on
vacation or sick leave
Salaries and payroll
Compare and summarise costs for special pay,
overtime, premium, etc.
Report entries against authorisation records for
new or terminated employees
Extract all payroll checks where the gross dollar
amount exceeds set amount
Identify changes in exemptions, gross pay,
hourly rates, salary amounts, etc.
Summarise and print payroll by selection
criteria for general review
Identify duplicate or missing payroll checks by
check, bank, etc.
Summarise payroll distributions for
reconciliation to general ledger
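Two of the tests listed above, worked through in plain Python as an added example (this is not the author's code and not an ACL or IDEA script): a duplicate-payments test over an accounts-payable register, and a join of T&E claims against the HR leave register to find claims dated while the claimant was on leave. The register, the claims, the leave dates and the vendor and employee IDs are all constructed for the example; the point it makes that the list above does not is that the match key has to be normalised before grouping, otherwise a re-keyed invoice number or a second vendor record for the same payee slips past an exact-duplicates test.

```python
"""Added example, not the author's code or ACL/IDEA script: two of the
analytical tests listed above, run in plain Python over a small constructed
accounts-payable register, T&E claim list and HR leave register.

Test 1, duplicate payments: the same invoice paid twice, including the usual
disguises of re-keying the invoice number with different punctuation or
leading zeros, or paying the same amount to two vendor IDs that share a bank
account. Test 2, travel claims lodged for days the claimant was on leave,
found by joining the claims to the leave register on employee ID.
All IDs, dates and amounts below are constructed for the example.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed AP payment register:
# (payment_id, vendor_id, payee_bank_acct, invoice_no, amount, pay_date)
PAYMENTS = [
    ("P001", "V100", "ACCT-1", "INV-2011-0042", 12500.00, date(2011, 3, 2)),
    ("P002", "V100", "ACCT-1", "INV20110042",   12500.00, date(2011, 3, 18)),  # re-keyed invoice number
    ("P003", "V205", "ACCT-9", "0007731",        8900.50, date(2011, 4, 5)),
    ("P004", "V206", "ACCT-9", "7731",           8900.50, date(2011, 4, 6)),   # second vendor ID, same bank account
    ("P005", "V300", "ACCT-3", "A-5510",         2300.00, date(2011, 4, 11)),
    ("P006", "V300", "ACCT-3", "A-5511",         2300.00, date(2011, 5, 11)),  # recurring charge, not a duplicate
]

# Constructed T&E claims: (claim_id, employee_id, claim_date, description, amount)
CLAIMS = [
    ("C01", "E1", date(2011, 6, 14), "Client dinner, Jakarta", 180.00),
    ("C02", "E1", date(2011, 6, 21), "Taxi to airport", 35.00),
    ("C03", "E2", date(2011, 6, 21), "Hotel, Kuala Lumpur", 420.00),
]

# Constructed HR leave register: (employee_id, leave_start, leave_end), inclusive
LEAVE = [
    ("E1", date(2011, 6, 20), date(2011, 6, 24)),
]


def normalise_invoice(inv: str) -> str:
    """Collapse the cosmetic variations that both sloppy data entry and a
    deliberate re-submission produce: case, punctuation, spaces, leading zeros."""
    s = re.sub(r"[^A-Za-z0-9]", "", inv).upper()
    return s.lstrip("0") or "0"


def duplicate_payments(payments):
    """Group payments on (payee bank account, normalised invoice number, amount)
    and return the groups with more than one payment, as lists of payment IDs.
    Keying on the bank account rather than the vendor ID is what catches the
    same payee set up twice in the vendor master."""
    groups = defaultdict(list)
    for pid, _vendor, acct, inv, amount, _paid in payments:
        groups[(acct, normalise_invoice(inv), round(amount, 2))].append(pid)
    return [ids for ids in groups.values() if len(ids) > 1]


def claims_while_on_leave(claims, leave):
    """Join claims to the leave register on employee_id and return the IDs of
    claims dated inside a leave period (bounds inclusive)."""
    periods = defaultdict(list)
    for emp, start, end in leave:
        periods[emp].append((start, end))
    return [cid for cid, emp, day, _desc, _amt in claims
            if any(start <= day <= end for start, end in periods[emp])]


if __name__ == "__main__":
    print("duplicate payment groups:", duplicate_payments(PAYMENTS))          # [['P001', 'P002'], ['P003', 'P004']]
    print("claims dated during leave:", claims_while_on_leave(CLAIMS, LEAVE))  # ['C02']
```

The two recurring charges to V300 are in the data on purpose: they share a bank account and an amount but carry different invoice numbers, so they are not reported, which is why the invoice number belongs in the key rather than matching on amount alone. A second, looser pass on (bank account, amount, payment dates within a few days of each other) is the natural follow-up test for invoice numbers that were changed outright, and it should be reported separately because it will carry more false positives.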
Common CAATs analysis commands that can be
applied onto the data:
Calculation of statistical parameters such as
averages, standard deviations, highest and
lowest values, which are used to identify
statistical anomalies
Classifications to find patterns and associations
among groups of data
Stratifications of numeric values to identify
unusual and outlying values
Digital analysis, using Benford’s Law, to
identify statistically unlikely occurrences of
numeric amounts
Joining or relating of data fields between
disparate systems, typically looking for
expected matches or differences for data such as
name, address, telephone, part or serial number
“Sounds like” function that identifies fraudulent
variations of valid company and employee
names
“Character Day of Week” function that converts
date fields into weekdays and weekends to
identify suspicious transactions
Duplicates testing to identify simple or complex
combinations of duplication
Gaps testing that identifies missing sequential
data
Summing and totals to check control totals that
may be falsified
Graphing to provide visual identification of
anomalous transactions
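Four of the commands listed above, implemented in plain Python as an added example (not code from the paper, and not ACL or IDEA script): the Benford first-digit test summarised with Nigrini's mean absolute deviation (MAD), a "sounds like" key built from standard American Soundex, which is the algorithm the SOUNDEX functions in these tools are based on, a day-of-week classification of posting dates, and a gaps test over a cheque-number sequence. The log-uniform "genuine" amounts, the batch of invoices split to sit just under a 5,000 approval limit, the vendor names, the posting dates and the cheque numbers are all constructed for the example.

```python
"""Added example, not from the paper and not ACL or IDEA script: plain-Python
versions of four of the CAATs commands listed above, run over constructed data.
- Benford first-digit test (digital analysis), summarised with the mean absolute
  deviation (MAD) between observed and expected digit proportions.
- "Sounds like": standard American Soundex, the algorithm the SOUNDEX functions
  in these tools are based on, applied word by word to vendor names.
- "Day of week": posting dates classified to surface weekend postings.
- Gaps test over a cheque-number sequence.
The MAD thresholds are Nigrini's published first-digit guidelines; the 5,000
approval limit and every record are constructed for the example.
"""
import math
import re
from collections import Counter
from datetime import date

# Expected first-digit proportions under Benford's Law: P(d) = log10(1 + 1/d)
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def first_digit(x: float) -> int:
    """Leading significant digit of a non-zero amount, computed numerically so
    that 0.042 and 4200 both give 4."""
    x = abs(x)
    while x >= 10:
        x /= 10
    while x < 1:
        x *= 10
    return int(x)


def benford_first_digit(amounts):
    """Return (observed proportion per digit 1-9, MAD). Nigrini's first-digit
    guideline: MAD below 0.006 is close conformity, above 0.015 nonconformity."""
    counts = Counter(first_digit(a) for a in amounts if a)   # zero amounts have no first digit
    n = sum(counts.values())
    observed = {d: counts.get(d, 0) / n for d in range(1, 10)}
    mad = sum(abs(observed[d] - BENFORD[d]) for d in range(1, 10)) / 9
    return observed, mad


_SOUNDEX = {c: code for letters, code in (("BFPV", "1"), ("CGJKQSXZ", "2"),
            ("DT", "3"), ("L", "4"), ("MN", "5"), ("R", "6")) for c in letters}


def soundex(word: str) -> str:
    """American Soundex: keep the first letter, code the consonants, drop
    adjacent repeats; vowels separate repeated codes, H and W do not."""
    w = re.sub(r"[^A-Za-z]", "", word).upper()
    if not w:
        return ""
    out, last = w[0], _SOUNDEX.get(w[0], "")
    for ch in w[1:]:
        if ch in "HW":
            continue
        code = _SOUNDEX.get(ch, "")
        if code and code != last:
            out += code
        last = code
    return (out + "000")[:4]


def sounds_like_key(name: str) -> str:
    """Per-word Soundex key, so 'Akme Suplies Ltd' collides with 'Acme Supplies Ltd'."""
    return " ".join(soundex(w) for w in name.split())


def weekend_postings(postings):
    """postings: iterable of (posting_id, date). IDs posted on Saturday or Sunday."""
    return [pid for pid, day in postings if day.weekday() >= 5]


def sequence_gaps(numbers):
    """Missing values in a sequence that should be contiguous, e.g. cheque numbers."""
    present = set(numbers)
    return [n for n in range(min(present), max(present) + 1) if n not in present]


# Constructed data. GENUINE is log-uniform, the kind of spread Benford's Law
# describes; FABRICATED is a batch of invoices all split to sit just under a
# 5,000 approval limit, the classic digit spike.
GENUINE = [round(100 * 10 ** (i / 997), 2) for i in range(1, 2000)]
FABRICATED = [4800.0 + 3 * k for k in range(60)]
VENDORS = ["Acme Supplies Ltd", "Akme Suplies Ltd", "Apex Supplies Ltd"]
POSTINGS = [("J1", date(2011, 9, 16)), ("J2", date(2011, 9, 17)), ("J3", date(2011, 9, 19))]
CHEQUES = [5001, 5002, 5004, 5005, 5008]

if __name__ == "__main__":
    for label, data in (("genuine", GENUINE), ("genuine + fabricated", GENUINE + FABRICATED)):
        observed, mad = benford_first_digit(data)
        print(f"{label}: MAD={mad:.4f} digit-4 share={observed[4]:.3f} (expected {BENFORD[4]:.3f})")
    keys = Counter(sounds_like_key(v) for v in VENDORS)
    print("vendor names sharing a sounds-like key:", [k for k, n in keys.items() if n > 1])
    print("weekend postings:", weekend_postings(POSTINGS))   # ['J2']
    print("cheque number gaps:", sequence_gaps(CHEQUES))     # [5003, 5006, 5007]
```

The mixed run is the caveat worth keeping in mind: sixty fabricated invoices among two thousand genuine ones barely move the summary MAD, while the share of amounts beginning with 4 rises by roughly a quarter. The per-digit deviations, not the single conformity statistic, are what point to the approval limit being gamed, and the test only means anything on a population large enough and free enough of assigned numbers (no invoice or employee IDs, no fixed-price items) for Benford's Law to apply in the first place.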
Conclusion
Use powerful CAATs software that provides simplified
access to all of an enterprise's data and transactions in
any structure or format, not just sampled data. Ideally,
use software that allows evidence preservation and
robust analytics.
Assess whether it is a potential fraud or just an error using
the investigation predication model.
Build up a fraud team; it should include people from
outside audit, such as corporate lawyers, fraud
investigation specialists, etc.
Build a fraud plan, with a detailed flowchart of the business
process, to help identify the perpetrators and the system and
process that have been exploited by the fraudsters.
Fraudsters often seek out interfaces between computer
systems, knowing there may be little or no cross-system
validation.
Getting access to data in its raw/original format is paramount
for a fraud investigation, to reduce the potential for
data conversion errors. If the raw/original
data format is not accessible, then a data verification
test needs to be conducted first to determine whether there are
conversion errors that could affect the investigation.
Create early warning through continuous monitoring
applications and automation for future fraud
prevention.
Create a fraud awareness culture.