PROACTIVELY DETECTINGOCCUPATIONAL FRAUD USINGCOMPUTER AUDIT REPORTS

SELF-STUDY COURSE

ByRichard B. Lanza, CPA, CFE, PMP

DisclosureCopyright © 2005 by The Institute of Internal Auditors Research Foundation (IIARF), 247 Maitland Avenue,Altamonte Springs, Florida 32701-4201. All rights reserved. Printed in the United States of America. No partof this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means— electronic, mechanical, photocopying, recording, or otherwise — without prior written permission of thepublisher.

The IIARF publishes this document for informational and educational purposes. This document isintended to provide information, but is not a substitute for legal or accounting advice. The IIA does notprovide such advice and makes no warranty as to any legal or accounting results through its publicationof this document. When legal or accounting issues arise, professional assistance should be sought andretained.

The Professional Practices Framework for Internal Auditing (PPF) was designed by The IIA Board of Directors’Guidance Task Force to appropriately organize the full range of existing and developing practice guidancefor the profession. Based on the definition of internal auditing, the PPF comprises Ethics and Standards,Practice Advisories, and Development and Practice Aids, and paves the way to world-class internal auditing.

This guidance fits into the Framework under the heading Development and Practice Aids.

The mission of The IIA Research Foundation (IIARF) is to be the global leader in sponsoring, disseminating,and promoting research and knowledge resources to enhance the development and effectiveness of theinternal auditing profession.

ISBN 0-89413-568-605078 02/05First Printing

SELF-STUDY CONTENTS

About the Author

Learning Objectives

Provide a Step by Step Plan to Reading/Completing the Course

Review Questions

Chapter 1

Chapter 2

Chapter 3

Chapter 4

Appendix A: Case Study

ABOUT THE AUTHOR

Richard B. Lanza, CPA, CFE, PMP, enables organizations in the use of technology to (1)generate cash recoveries, (2) stop profit leaks, (3) move away from control issues, and (4) worktoward process improvements. With automated report systems and personalized coaching, Richhelps companies get quality results in minutes. This is done by maximizing the technology thatcompanies already have and showing professionals how to become “info magicians.” He is theauthor of numerous publications and training courses in ACL, IDEA, Access, ActiveData, andExcel. While he has over 12 years of experience and is a recognized leader in the use of technology,Rich also founded of AuditSoftware.Net, a free Web site devoted to using technology forgenerating bottom-line results. This Web site recently started providing a free diagnostic serviceto help companies better implement their audit software technology. To contact Rich, receive hisfree e-newsletter, get a free diagnostic, or to order his products, e-mail him at rich@richlanza.comor visit his Web site at www.infomagician.com.

LEARNING OBJECTIVES

The purpose of this course is to assist auditors, fraud examiners, and management in implementingdata analysis routines for improved fraud prevention and detection. To that end, the courseprovides training in:

The various types of audit software.Applying a comprehensive checklist of data analysis reports to company audits based oneach occupational fraud category per the Association of Certified Fraud Examiner’sclassification system.A method to requesting data from a company to start a data analysis audit.

The need for this course arises from the fact that there are many publications that discuss auditingfor fraud using a computer, but there is no attempt at a comprehensive resource for the types ofaudit reports that need to be run for each individual fraud type ….until now.

Please note that this course is not expected to explain audit software technical usage concepts atlength but rather to provide guidance as to which of the product’s features can be used in a frauddetection setting.

If you would like to provide feedback on the course, we welcome and encourage it as we plan tocomplete later versions. Please provide your feedback via e-mail at rich@auditsoftware.net.For more information on the use of audit software, and countless ways of applying it to yourbusiness, please see www.auditsoftware.net.

PROVIDE A STEP-BY-STEP PLAN TO READING/COMPLETING

THE COURSEIn order to complete this course, the following steps are suggested:

Step One — Read each chapter and complete the review questions at the end.

The four chapters in this course should be read in sequential order:

••••• Chapter 1 – Introduction and Definitions••••• Chapter 2 – Types of Audit Software Tests••••• Chapter 3 – Data Analysis Reports for Each Major Fraud Area••••• Chapter 4 – How to Obtain Data, Files, and Software

The review questions at the end of each chapter should be completed without looking at thesuggested answers. Once that has been completed, review the suggested answers and the reasonsfor the answers. If you answered any questions incorrectly, the course text associated with thequestion should be reviewed again before you move on to the next chapter.

Step Two — Complete the case study to ensure a solid understanding of all coursecontents.

In Appendix A, a case study is provided to help you apply the concepts learned in this course toa practical audit situation. This case study should be completed after all chapters are read,review questions are answered, and any follow-up reading is completed.

Step Three — Complete the final exam questions. A total of four (4) CPE hours areavailble. Important Notice: Be sure to keep your order number from your packing slip. Youwill be prompted to enter your order number before your packing slip can be printed. If you donot have you rorder number, please contact The IIA Research Foundation Bookstore before youbegin to assist you in locating your order number.

IIARF Bookstore Contact Information+1-877-867-4957(toll free in the U.S. and parts of Canada)

+1-770-280-4183Fax +1-770-280-4013

E-mail iiapubs@pbd.com

REVIEW QUESTIONS

Chapter OneQuestions

1. The definition of occupational fraud contains all components except the following:A. Is clandestine.B. Violates the perpetrator’s fiduciary duties to the victim organization.C. Can be committed for the purpose of direct or indirect financial benefit to the perpetrator,

yet this is not a requirement.D. Costs the employing organization assets, revenue, or reserves.

2. Which of the following is in the three major categories of the fraud classification system?A. Larceny.B. Asset misappropriations.C. Purchase schemes.D. Skimming.

3. Risk scores can be applied to a fraud risk using the following formula:A. Impact/Likelihood.B. Impact + Likelihood.C. Likelihood/Impact.D. Impact * Likelihood.

4. Fraud can be prevented using proactive computer-assisted audit tools.A. True.B. False.

5. Which of the following is not a reason for using audit software over an ERP system in thedetection of fraud?A. The audit software is independent of the system being run.B. The computer system does not generally provide documentation of each test performed

in the software that can be used as documentation in the auditor’s workpapers.C. The audit software uses many audit specific routines such as sampling.D. The computer system provides one tool to use across multiple data sets, since most

system report writers are only developed for the system at hand.

Chapter OneAnswers

1. The definition of occupational fraud contains all components except the followingA. Is clandestine.B. Violates the perpetrator’s fiduciary duties to the victim organization.C. Can be committed for the purpose of direct or indirect financial benefit to the perpetrator,

yet this is not a requirement.D. Costs the employing organization assets, revenue, or reserves.

Correct Answer: CReason for Answer/Reasons for Not Selecting Other AnswersPer the Association of Certified Fraud Examiners, the definition of occupational fraud includesthe four following components:

• Is clandestine.• Violates the perpetrator’s fiduciary duties to the victim organization.• Is committed for the purpose of direct or indirect financial benefit to the perpetrator.• Costs the employing organization assets, revenue, or reserves.

Therefore, the perpetrator must directly or indirectly financially benefit from the occupationalfraud and answer C notes that this is not a requirement, which is incorrect.

2. Which of the following is in the three major categories of the fraud classification system?A. Larceny.B. Asset misappropriations.C. Purchase schemes.D. Skimming.

Correct Answer: BReason for Answer/Reasons for Not Selecting Other AnswersPer fraud classification system, as proposed by the Association of Certified Fraud Examiners,includes the following three major categories:

1. Asset misappropriations — involving the theft or misuse of an organization’s assets.2. Corruption — when fraudsters wrongfully use their influence in a business transaction in order to procure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another.3. Fraudulent statements — involving the falsification of an organization’s financial statements.

In the above list of answers, answer B, asset misappropriations, is the only one that is listed inthe major categories. The other fraud categories are minor ones in the fraud classificationsystem.

3. Risk scores can be applied to a fraud risk using the following formula:A. Impact/Likelihood.B. Impact + Likelihood.C. Likelihood/Impact.D. Impact * Likelihood.

Correct Answer: DReason for Answer/Reasons for Not Selecting Other AnswersThe calculation for applying a risk score to an event such as a particular fraud occurring is tomultiply the impact by the likelihood of the risk. For example, if the potential risk of loss due toa particular fraud type is $10,000,000 and the likelihood is 1%, then the risk score to be appliedto this risk occurring is $100,000.

Please note that in no way are risk probabilities added or divided by their associated impacts toarrive at a final risk score.

4. Fraud can be prevented using proactive computer-assisted audit tools.A. True.B. False.

Correct Answer: BReason for Answer/Reasons for Not Selecting Other AnswersFraud cannot be prevented from occurring, as this is a function of the employee or externalparty committing the fraud against the company. Rather, computer-assisted tools and reportscan detect, as close as possible to the time of occurrence, the fraud for action by management.

5. Which of the following is not a reason for using audit software over an ERP in the detection offraud?A. The audit software is independent of the system being run.B. The computer system does not generally provide documentation of each test performed in

the software that can be used as documentation in the auditor’s workpapers.C. The audit software uses many audit specific routines such as sampling.D. The computer system provides one tool to use across multiple data sets, since most system

report writers are only developed for the system at hand.

Correct Answer: DReason for Answer/Reasons for Not Selecting Other AnswersThe company’s ERP computer system does not generally provide one tool to report on multipledata sources. Generally, the system only can report on the data that resides in that systemwhile audit software can report on various types of databases. Please note that audit software

is independent of the system being analyzed, provides documentation of work performed, andhas various audit specific routines.

Chapter TwoQuestions

1. Which of the following is not an analytical test?A. Stratify.B. Regression.C. Gaps.D. Aging.

2. Is Benford’s Law designed to find abnormal duplications of specific digits, digit combinations,specific numbers, and round numbers in corporate data?A. Yes.B. No.

3. Which analytical test provides the least level of precision?A. Stratify.B. Regression.C. Ratio.D. Aging.

4. The first step in an analytical is:A. Investigate differences.B. Calculate analytical.C. Develop expectation.D. Complete risk assessment.

5. To confirm an analytical test, which one of the following procedures is not recommendedwhen differences are identified?A. Inquiring of internal employees.B. Inquiring of external parties.C. Reviewing the results of other analytical tests.D. None of the above.

6. Which data management test lets you analyze character fields by setting them in rows andcolumns?A. Cross tabulate.B. Filter.C. Index.D. Relate.

7. Which data management test lets you combine specified fields from two different files into asingle file using key fields?A. Cross tabulate.B. Relate.C. Summarize.D. Calculated field.

Chapter TwoAnswers

1. Which of the following is not an analytical test?A. Stratify.B. Regression.C. Gaps.D. Aging.

Correct Answer: CReason for Answer/Reasons for Not Selecting Other AnswersAnalytical tests are those that provide general relationships among data and are generallymore high-level in nature. The gaps function is a specific command that identifies detailedgaps within sequential numbers and is therefore a data analysis report.

2. Is Benford’s Law designed to find abnormal duplications of specific digits, digit combinations,specific numbers, and round numbers in corporate data?A. Yes.B. No.

Correct Answer: AReason for Answer/Reasons for Not Selecting Other AnswersBenford’s Law is a law that is designed to find abnormal duplications of specific digits, digitcombinations, specific numbers, and round numbers in corporate data.

3. Which analytical test provides the least level of precision?A. Stratify.B. Regression.C. Ratio.D. Aging.

Correct Answer: CReason for Answer/Reasons for Not Selecting Other AnswersRegression analysis provides the highest level of analytical precision as it tries to findrelationships among independent variables to statistically estimate a dependent variable.Stratifications and agings provide specific information of dollar amounts and item countsbetween certain limits. Ratio analysis provide high-level information on financial statementbalances, generally requiring further investigation into the details of the associated balanceswithin the ratio calculation.

4. The first step in an analytical is:A. Investigate differences.B. Calculate analytical.C. Develop expectation.D. Complete risk assessment.

Correct Answer: CReason for Answer/Reasons for Not Selecting Other AnswersWhile completing a risk assessment would be done at the beginning of an audit to set thescope for the engagement, developing an expectation is the first step in completing an analytical.With that expectation, the results can be mapped to the analytical that is calculated and thenany differences can be investigated.

5. To confirm an analytical test, which one of the following procedures is not recommendedwhen differences are identified?A. Inquiring of internal employees.B. Inquiring of external parties.C. Reviewing the results of other analytical tests.D. None of the above.

Correct Answer: DReason for Answer/Reasons for Not Selecting Other AnswersThe following techniques are recommended to corroborate an analytical test:

• Inquiries of persons outside the client’s organization.• Inquiries of independent persons inside the client’s organization.• Evidence obtained from other auditing procedures.• Examination of supporting evidence.• Relation of results to prior year results and/or industry benchmarks.• Relation of results of one test to another.

6. Which data management test lets you analyze character fields by setting them in rows andcolumns?A. Cross tabulate.B. Filter.C. Index.D. Relate.

Correct Answer: AReason for Answer/Reasons for Not Selecting Other AnswersThe Cross Tabulate function lets you analyze character fields by setting them in rows andcolumns. The Index function sorts data while the Relate function relates two tables togetheron a key field, and the Filter function will extract certain items for further analysis.

7. Which data management test lets you combine specified fields from two different files into asingle file using key fields?A. Cross tabulate.B. Relate.C. Summarize.D. Calculated field.

Correct Answer: BReason for Answer/Reasons for Not Selecting Other AnswersThe Relate/Join function combines specified fields from two different files into a single fileusing key fields. Cross Tabulate lets you analyze character fields by setting them in rows andcolumns, the Summarize function accumulates numerical values based on a specified keyfield, and the Calculated Field function creates a new calculated field using data within thefile.

Chapter ThreeQuestions

1. Which of the following will generally be found in the data when bribery has taken place?A. Inventory prices will be understated.B. Inventory quantity will be overstated.C. High levels of obsolete inventory.D. Low levels of obsolete inventory.

2. Which tests will not work to identify a billing scheme?A. Blank vendor master file information.B. Match addresses between the customer master file and an employee.C. Match addresses between the vendor master file and an employee.D. High dollar amount invoices to a vendor.

3. Payroll rate schemes would be detected using all but which of the following tests?A. Search for ghost employees.B. Stratify pay rates.C. Summarize gross pay by employee.D. Compare one pay period to another based on employee.

4. Register schemes would be detected using all but which of the following tests?A. Extract sales with discounts over X %.B. Listing top 10 employees by register adjustments.C. Identifying employees that have produced register adjustments over 300% more than the

average employee.D. Identifying employees that have produced lower than average register adjustments.

5. Overstated asset schemes can be identified through which of the following tests?A. List of inventory with prices lower than the retail-selling price.B. Inventory that is within or slightly over the economic order quantity for that inventory

part.C. An average day’s sales outstanding calculation that is higher than average.D. Inventory with an exceptionally high turnover.

Chapter ThreeAnswers

1. Which of the following will generally be found in the data when bribery has taken place?A. Inventory prices will be understated.B. Inventory quantity will be understated.C. High levels of obsolete inventory.D. Low levels of obsolete inventory.

Correct Answer: CReason for Answer/Reasons for Not Selecting Other AnswersBribery of an employee will lead to purchasing of inordinate quantities of inventory, or athigher than average prices, which generally becomes obsolete because it cannot be used/sold in an appropriate amount of time.

2. Which tests will not work to identify a billing scheme?A. Blank vendor master file information.B. Match addresses between the customer master file and an employee.C. Match addresses between the vendor master file and an employee.D. High dollar amount invoices to a vendor.

Correct Answer: BReason for Answer/Reasons for Not Selecting Other AnswersBilling schemes occur when a fraudster causes the victim organization to issue a payment bysubmitting invoices for fictitious goods or services, inflated invoices, or invoices for personalpurchases. It is common for vendors to be established with employee master file informationor with blank information so as to avoid detection. Customers and associated informationare not involved in a billing scheme so this information is non sequitur.

3. Payroll rate schemes would be detected using all but which of the following tests?A. Search for ghost employees.B. Stratify pay rates.C. Summarize gross pay by employee.D. Compare one pay period to another based on employee.

Correct Answer: AReason for Answer/Reasons for Not Selecting Other AnswersTo identify inappropriate increases to payroll rates can be detected through an analysis ofgross payroll and pay rate amount fields.

4. Register schemes would be detected using all but which of the following tests?A. Extract sales with discounts over X %.B. Listing top 10 employees by register adjustments.C. Identifying employees that have produced register adjustments over 300% more than the

average employee.D. Identifying employees that have produced lower than average register adjustments.

Correct Answer: DReason for Answer/Reasons for Not Selecting Other AnswersRegister schemes are those where funds are taken from the register and hidden throughphony transactions such as register adjustments (i.e., voids) or discounts. Therefore, thoseemployees with lower than average register adjustments are less likely to have committed aregister scheme.

5. Overstated asset schemes can be identified through which of the following tests?A. List of inventory with prices lower than the retail-selling price.B. Inventory that is within or slightly over the economic order quantity for that inventory

part.C. An average day’s sales outstanding calculation that is higher than average.D. Inventory with an exceptionally high turnover.

Correct Answer: CReason for Answer/Reasons for Not Selecting Other AnswersOverstated assets are the fictitious inflation of asset values or other improper valuations,generally to enhance the appearance of financial statements. Inventory that is lower than theretail price is normal and expected, as is an inventory balance at or slightly over the normalordering quantity. Inventory with high turnover is selling well and generally not showing signsof misstatement, yet a company with a high day’s sales outstanding shows signs of accountsreceivable that may be phony and never expected to be paid by a customer. This, therefore,is the appropriate selection for a test that would indicate the potential for overstated assets.

Chapter FourQuestions

1. Given the below list of steps, what is the sequence in order to obtain data?1. Making Arrangements with the Client to Obtain Data.2. Determining the Reports for Risk Mitigation/Prevention.3. Verifying the Data Received.4. Transferring the Client’s Data.

A. 2, 1, 4, 3B. 1, 2, 3, 4C. 1, 4, 3, 2D. 1, 3, 2, 4

2. Data verification techniques include all but the following:A. Obtain a printout of the first 100 rows and match “on screen” to the data file.B. Agree account totals to general ledger balances.C. Summarizing the data file on a key field.D. Select a sample of data items and trace the information to client records.

3. Data requests should include which of the following components?A. Specific data fields/files needed.B. Record layout of the file.C. Timing of the transfer.D. All of the above.

Chapter FourAnswers

1. Given the below list of steps, what is the sequence in order to obtain data?1. Making Arrangements with the Client to Obtain Data.2. Determining the Reports for Risk Mitigation/Prevention.3. Verifying the Data Received.4. Transferring the Client’s Data.

A. 2, 1, 4, 3B. 1, 2, 3, 4C. 1, 4, 3, 2D. 1, 3, 2, 4

Correct Answer: AReason for Answer/Reasons for Not Selecting Other AnswersThe first step to obtaining data is to arrive at a hypothesis of the reports needed for analysis,after which the arrangements are made with the client to get data and then the data istransferred.

2. Data verification techniques include all but the following:A. Obtain a printout of the first 100 rows and match “on screen” to the data file.B. Agree account totals to general ledger balances.C. Summarizing the data file on a key field.D. Select a sample of data items and trace the information to client records.

Correct Answer: CReason for Answer/Reasons for Not Selecting Other AnswersVerifying data files to ensure a complete and accurate load of data was received can becompleted by reviewing printouts of data to the file received, agreeing totals, and selectingsamples for further analysis. Summarizing a file on a key field may provide information forverification purposes but is not providing an independent source for validation and thereforenot a suggested step for data verification.

3. Data requests should include which of the following components?A. Specific data fields/files needed.B. Record layout of the file.C. Timing of the transfer.D. All of the above.

Correct Answer: DReason for Answer/Reasons for Not Selecting Other AnswersRequests for data should include the following components:• Specific data fields/files needed.• Format of files needed.• Record layout of the file.• Timing of the transfer.• Method of transfer. • Arrangements for verification information.

APPENDIX ACASE STUDY

Instructions

Please read the below setting and complete the associated case study deliverables. It is stronglyrecommended that this case study be completed to confirm learning objectives.

Setting

Recently, a payroll audit was completed and it was determined that the accounts payable supervisor(Jim) had not taken vacation in over a year. When the controller (Susan) was asked about thismatter, she indicated that Jim has a very busy workload and has been understaffed for some timegiven the budgetary constraints. The company had been under some tough times, given higherthan average selling, general, and administrative costs in relation to revenues.

Based on this information, the internal auditor decided to complete a two-hour process reviewwith Jim to ensure that the proper controls were in place and to see if efficiency could be improved.

In the process review, the internal auditor determined that Jim had numerous segregation of dutyissues, blamed on the staff reductions and budget constraints, that led him to:

• Enter invoices, as well as new vendors, into the system.• Process checks (which are then signed by the controller) and send them to vendors.

The internal auditor also sensed that Jim was unhappy about completing the process review.When the internal auditor asked some follow-up questions, Jim answered, “How much longer doI have to endure this?” When the internal auditor suggested a segregation of duties, Jim becamevery anxious in his body language and defended the status quo. He said that he needs to have thisaccess to get the job done as efficiently as possible, again due to the staffing constraints. Jim thenabruptly called the meeting to a close due to his need to get back to work.

Case Study Deliverables

Given the above setting, please complete the following to ensure an understanding of all conceptsdiscussed in this course:

1. Identify the key fraud schemes that could be enacted in the purchasing/accounts payableprocess flow.

2. Select two fraud schemes and detail five reports for each fraud scheme (total of 10 reports).3. Draft a data request letter for submittal to the company in order to get the necessary data to

process the reports.4. List the key audit software types based on the selected reports.

Case Study Sample Response

1. Identify the key fraud schemes that could be enacted in the purchasing/accounts payableprocess flow.• Billing schemes• Expense reimbursement schemes• Check tampering schemes

2. Select two fraud schemes and detail five reports for each fraud scheme (total of 10reports).Based on the setting above, the following two schemes were selected, under which five mostdesired reports were listed:• Billing schemes

o Extract vendor payments where the payment is a specified percentage (i.e., 200%)greater than the last largest payment to that vendor.

o Extract all purchases with no purchase orders and summarize by vendor and issuer.o Compare check register to invoice payment file to identify any checks with no related

system invoices.o Match vendor master file to the accounts payable invoice file.o List all vendors who had multiple invoices immediately below an approval limit (e.g.,

many $999 payments to a vendor when there is a $1,000 approval limit) highlightinga circumvention of the established control.

• Check tamperingo Stratification and aging of check voids.o Extract all voided checks and summarize by issuer for reasonableness.o Identify duplicate payments based on various means.o Extract all employee payments equal to zero in any given pay period.o Sequence gaps in checks.

3. Draft a data request letter for submittal to the company in order to get the necessarydata to process the reports.

Mr. XIS ManagerABC Company

Dear Mr. X:

As part of our audit, we will be performing certain audit tests in the accounts payable areausing audit software.

We require the following files be available for us on 12/1/20XX. We believe the followingfields are required from the file:

• Invoice Payment • Employee Master Fileo Invoice Number o Employee Numbero Invoice Amount o Employee Nameo Invoice Date o Employee Addresso Vendor Number • Vendor Master Fileo Purchase Order o Vendor Number

• Check Register o Vendor Nameo Check Number o Vendor Addresso Check Amounto Voided Check Flag

If you believe, after looking at the reports we expect to process (see below table), that wewill need more data fields besides those listed above, please provide these fields in the fileextraction. If it would be easier, we can receive the entire file from which we can extract anddefine our desired fields.

We will need this file in a flat file format (no delimiters). Please do not translate the file toASCII in the download if you are downloading the file from a mainframe computer. To assistin downloading the file to our PC, we prefer that the file be provided on a CD-ROM.

Please contact us if you are unclear as to the source or significance of any of the itemsrequested.

Thank you for your assistance.

Sincerely,Internal Auditor

Expected Reports To Produce

Report Name

• Extract vendor payments where the payment is a specified percentage (i.e., 200%) greaterthan the last largest payment to that vendor.

• Extract all purchases with no purchase orders and summarize by vendor and issuer.• Compare check register to invoice payment file to identify any checks with no related

system invoices.• Match vendor master file to the accounts payable invoice file.• List all vendors who had multiple invoices immediately below an approval limit (e.g.,

many $999 payments to a vendor when there is a $1,000 approval limit) highlighting acircumvention of the established control.

• Stratification and aging of check voids.• Extract all voided checks and summarize by issuer for reasonableness.• Identify duplicate payments based on various means.• Extract all vendor payments equal to zero in any given pay period.• Sequence gaps in checks.

4. List the key audit software types based on the selected reports.The following analytical and data management tasks would be completed on the data files:

• Extract/Filter• Summarize• Sequence Duplicates• Sequence Gaps• Join/Relate• Stratify• Age