©2014
REAL-TIME SOLUTIONS TO REAL-TIME PROBLEMS
TOP 25 TESTS FOR ANALYTIC SUPERHEROES
Data analysis can play a critical role in identifying indicators of fraud in most business process
areas. This session will arm you with 25 simple analytic tests that you can use right away to
increase job performance and maximize efficiency. This session will focus on the key areas:
general ledger, travel and entertainment, payroll, vendor master, pay-to-purchase, and order to
cash.
PHIL LIM
Product Manager
ACL
Vancouver, BC
Phil Lim has worked with compliance and audit groups of Fortune 500 companies, leading
them through implementations of technology-enabled assurance programs to assess, test, and
monitor risk. He is responsible for the integrated content portfolio, from strategy and planning to
execution. Included in his scope is to arm risk and assurance professionals with better tools and
methodologies on how to build data analytic integrated enterprise risk management programs.
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the
ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of
this paper may not be transmitted, re-published, modified, reproduced, distributed, copied, or sold without
the prior consent of the author.
Top 25 Tests for Analytic Superheroes
By Phil Lim, Product Manager ACL™ Services Ltd.
March 25, 2014 Prepared for the 2014 ACFE Fraud Conference
Contents
Introduction
Rules for Analytic Testing
AREA 1: Travel and Entertainment Expenses
AREA 2: Record to Report (R2R) and General Ledger (GL)
AREA 3: Payroll, Timekeeping, and Human Resources
AREA 4: Information Technology and Information Systems
AREA 5: Procure to Pay
AREA 6: Order to Cash
Resources and References
About ACL
About Phil Lim
Introduction
Our objective is to provide you with superhero combat techniques and analytic superweapons to battle the super
villains of FRAUD, WASTE, and ABUSE.
As fraud examiners, we all know the importance of analytic testing. Still, I spent years in the field with clients who (despite all the best intentions, the required tools, and the training) just couldn’t quite get started using analytics on their projects. Some struggle with a similar but inverse issue, the “in brightest day, in blackest night, no evil shall escape my sight” syndrome. Guess what, Green Lantern? There are SO many potential risks and SO much company data you could attack with data analysis that if you overdo it early on, your propeller-head approach will get you ignored before anyone has a chance to care about your results.
So here are 25 tests to apply in six risk areas. The techniques we will present today should not be applied with reckless abandon. No. It's important that we first set some rules for how we apply the martial arts of analysis-fu.
Rules for Analytic Testing
The problem is that examiners don’t often start from a specific point of pain. Therefore, I (maybe not so) humbly suggest these “Rules for Analytic Testing”.
1. QUICK WINS
Choose a very specific, very narrow risk or pain point where you know there are likely findings.
We all have areas in our organizations where we just know the business is too busy, too apathetic, too short on integrity or whatever it is that makes your spidey sense tingle. Go there, get the data and sniff out the
transactions that prove you right! Data rarely lies.
QUICK WINS is the name of the game. If you find dollars quickly, your enthusiasm and the organizational support
for your efforts will immediately spike. And your perceived value to the organization will also spike. Up, up, and away!
2. Use Proper Tools
Battling super villains takes analytic super weapons and super powers. What’s in your toolbelt?
Some might call me biased, but others would say I just like to win. My baseball team is the New York Yankees.
Alex Rodriguez is the bane of my existence – somebody ought to run an analytic that tests gross over-payment relative to employee performance on the Yanks payroll files, A-Rod would be the world’s most obvious exception!
Anyway, some of these analytic tests could be completed in spreadsheets, while others can’t. That might be OK for now, but let’s be clear – spreadsheets are like playing for the Toronto Blue Jays (I live in Vancouver, so
Canadian teams are fair game for wisecracks). Everyone likes you. Your performance is fine and, in some cases,
you sort of get the job done. But if you want to win World Series rings, you gotta play for the Yanks. ACL is the Yankees. Take a trade now – it’s harder to make it from the dugout to the batter’s box, but everyone hits more
home runs in Yankee Stadium.
If you still have trouble filling the requirements of rule #1, or your particular pain from rule #1 is too complex to analyze, try some of these tests. There are 25 that you can use to find value in almost any organization.
AREA 1: Travel and Entertainment Expenses
As the new analytic superhero dawns on the city, evil super villains undoubtedly scatter, hiding in the shadow of their lairs, brooding over their next move. Perhaps they've been preparing for this moment for years, organizing their minions and creating their own dark protocols to avoid capture.
The paper reads, "Excessive Expenses Now Under Analytic Superhero's Scrutiny". Evildoers are ready though. They still need to finance their plans somehow, and splitting transactions is a favored tactic.
$75 individual meal limits. $150 hotel per-night limits. Or how about a single transaction limit of $1000? It's easy to identify the individual transactions over these limits, but what analytic superpowers can we apply to target the transactions that were split to avoid scrutiny?
Data Acquisition:
Chances are, if your organization isn’t using spreadsheets to submit and reimburse expenses, you’re using either
Concur® or an ERP-provided solution.
If you’re using Concur, Concur provides a standard detailed interface file that’s used to integrate with accounting
systems, called the Concur Standard Accounting Extract (SAE for short). Luckily for us, the SAE contains all of the data elements that you’ll need to perform this analysis (and nearly anything else you’d want to test expenses).
If you're using an ERP provided solution, then you'll have to obtain a dump of the travel and entertainment
expenses within the audit period you want to review. You'll want at least these fields (probably more):
Required | Nice to have for context/other analysis
Expense Report Number
Expense Line Number | Cost Center (Business Unit/Division/Department)
Expense Category
Expense Amount (Functional Currency, FC) | Employee Number
Employee Name | Employee Department
Expense Date
Number of Attendees
Expense Country
Expense Amount (Original Currency, LC) | Expense Currency
Attendee Name
Expense Payment Type (i.e. Cash vs Card) | Expense Description
Expense MCC | Merchant Name
Merchant Country
Merchant Address | Merchant State
Expense Approver
TEST 1: T&E Split Transactions
Risk: An employee submits two separate expense transactions for a single expense to avoid a transaction limit.
Test: Identify travel and entertainment (T&E) expenses by the same employee, to the same expense type, on the same date, where each expense is less than the limit, but total to greater than the limit.
TEST 2: T&E Double Dip
Risk: An employee submits a corporate card transaction receipt as an out-of-pocket (OOP) expense for
reimbursement.
Test: Identify travel and entertainment (T&E) expense transactions where there is both a corporate card transaction and an out-of-pocket (OOP) to the same employee for the same amount.
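Tests 1 and 2 are both "same employee, matching lines" queries, so they translate directly into SQL. The following is an added example, not code from the paper or from ACL: it loads a constructed T&E extract into an in-memory SQLite database and runs both tests over it. The column names, the expense types and the per-type limits are assumptions made for the example; real Concur SAE or ERP field names will differ.

```python
import sqlite3

# Added example, not from the paper or from ACL. Tests 1 and 2 as SQL over a constructed
# T&E extract in an in-memory SQLite database. Column names and limits are assumptions.

# Constructed sample lines:
# (report_no, employee_id, expense_type, expense_date, payment_type, amount)
SAMPLE_EXPENSES = [
    ("R100", "E001", "Meal",  "2014-03-01", "Card", 45.00),
    ("R100", "E001", "Meal",  "2014-03-01", "Card", 40.00),   # two meals under $75 that total $85
    ("R101", "E002", "Meal",  "2014-03-01", "Card", 70.00),   # single meal under the limit
    ("R102", "E003", "Hotel", "2014-03-02", "Card", 149.00),
    ("R102", "E003", "Hotel", "2014-03-02", "Card", 140.00),  # hotel split: $289 across two lines
    ("R103", "E004", "Taxi",  "2014-03-03", "Card", 60.00),
    ("R103", "E004", "Taxi",  "2014-03-03", "Cash", 60.00),   # same amount on card and out-of-pocket
    ("R104", "E005", "Taxi",  "2014-03-04", "Cash", 20.00),
]

# Assumed policy limits per expense type (Test 1 only examines types that have a limit)
LIMITS = {"Meal": 75.00, "Hotel": 150.00}


def load_expenses(rows=SAMPLE_EXPENSES, limits=LIMITS):
    """Load the extract and the limit table into a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE expense (
        report_no TEXT, employee_id TEXT, expense_type TEXT,
        expense_date TEXT, payment_type TEXT, amount REAL)""")
    conn.executemany("INSERT INTO expense VALUES (?,?,?,?,?,?)", rows)
    conn.execute("CREATE TABLE expense_limit (expense_type TEXT PRIMARY KEY, max_amount REAL)")
    conn.executemany("INSERT INTO expense_limit VALUES (?,?)", list(limits.items()))
    return conn


# Test 1: same employee, same type, same date; every line under the limit, the group over it
SPLIT_SQL = """
SELECT e.employee_id, e.expense_type, e.expense_date,
       COUNT(*) AS n_lines, ROUND(SUM(e.amount), 2) AS total, l.max_amount
FROM expense e
JOIN expense_limit l ON l.expense_type = e.expense_type
WHERE e.amount < l.max_amount
GROUP BY e.employee_id, e.expense_type, e.expense_date, l.max_amount
HAVING COUNT(*) > 1 AND SUM(e.amount) > l.max_amount
ORDER BY e.employee_id, e.expense_type, e.expense_date
"""

# Test 2: a card line and an out-of-pocket (cash) line for the same employee and amount
DOUBLE_DIP_SQL = """
SELECT c.employee_id, ROUND(c.amount, 2) AS amount,
       c.report_no AS card_report, o.report_no AS oop_report
FROM expense c
JOIN expense o ON o.employee_id = c.employee_id
              AND ROUND(o.amount, 2) = ROUND(c.amount, 2)
WHERE c.payment_type = 'Card' AND o.payment_type = 'Cash'
ORDER BY c.employee_id, amount
"""


def find_split_transactions(conn):
    """Rows: (employee_id, expense_type, expense_date, n_lines, total, max_amount)."""
    return conn.execute(SPLIT_SQL).fetchall()


def find_double_dips(conn):
    """Rows: (employee_id, amount, card_report, oop_report)."""
    return conn.execute(DOUBLE_DIP_SQL).fetchall()


if __name__ == "__main__":
    db = load_expenses()
    for row in find_split_transactions(db):
        print("split:", row)
    for row in find_double_dips(db):
        print("double dip:", row)
```

The split query deliberately keeps only lines that are individually under the limit; a line already over the limit is caught by the simpler single-line test and would otherwise be double-counted here. The double-dip join compares rounded amounts so that currency values stored as REAL still match.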
TEST 3: Gasoline, Mileage, and Car Rentals
Risk: An employee submits a gasoline expense when using a personal vehicle for corporate travel.
Test: Identify travel and entertainment (T&E) reports where there is both a mileage and a gasoline expense. Also identify reports where there was a gasoline expense without a car rental expense.
As an analytic superhero, you may have cringed when Bane's gang stole some Wayne Enterprise Batmobiles during the "Dark Knight Rises". Surely Alfred would properly impair the fixed asset values of the damaged
Batmobiles, but what about the gasoline expenses? Should we also account for mileage depreciation when the
gang was merely "renting" the rides?
Hopefully, Bane's gang was up to speed on the Wayne Enterprises' corporate expense policies. Mileage expenses are reimbursed when a personal vehicle is used for corporate travel. It includes gasoline and vehicle depreciation,
so employees shouldn't be claiming gasoline separately. Based on that, gasoline expenses should only occur
when there is a car rental. This can all get very confusing for the non-superhero employee so mistakes (or fraud) can happen.
TEST 4: T&E Expense Profiling
Risk: A corporate culture exists where travel and entertainment (T&E) expenses are not well controlled.
Test: Identify average expense transaction sizes by business unit/division/department.
This analysis might highlight that your human resource department has been spending significant amounts on
travel for prospective candidates. Or it might show that your legal department has been traveling business class for short domestic trips. It can also guide you to which expense categories might warrant further detailed
analytics. Sharing these results with the CFO or other executives on a regular basis (made possible by the
scripting power of ACL™ Analytics, and the dashboarding capabilities of ACL™ Analytics Exchange) might drive a top-down shift in corporate culture -- no executive wants to be in charge of a department that is tops for a
particular expense category.
TEST 5: T&E Excessive Group Meals
Risk: Documentation of group meal attendees is incomplete, creating a compliance or policy issue.
Test: Identify average amount of group meals per attendee; report cases where the average amount per attendee is greater than a specified threshold.
TEST 6: T&E Round Amounts
Risk: Transactions with round amounts may be an indication of use for purchasing gift cards or cash advances.
Test: Identify transactions with amounts that are divisible by a specified divisor, totaling greater than a specified threshold for an employee.
One particular risk is the use of corporate cards to pay for gift cards or cash advances. While typically not prohibited outright, the purchase of gift cards or advances require additional scrutiny as they can be used for
fraud or abuse. So how do we identify the round amounts that would be an indicator of gift card purchases?
We can use ACL's Modulus function. This function cuts through numbers with a specified divisor and returns the
remainder after the divisor has been divided out. For example, 78 modulus 25 is 3. Identifying round amounts is easy with this weapon; just look for those amounts which, after applying modulus, are zero.
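The following is an added example (not code from the paper or from ACL) that implements Test 5 and Test 6 together in plain Python over a constructed list of expense lines. The per-attendee limit of $75, the divisor of 25 and the per-employee threshold of $300 are assumptions for the example. It goes slightly beyond the text in two ways: the modulus is taken on whole cents rather than on floating-point dollars, and group meals with no attendee count are reported as a separate finding because they cannot be averaged.

```python
from collections import defaultdict

# Added example, not from the paper or from ACL. Tests 5 and 6 over constructed lines.
# Constructed sample lines: (employee_id, category, amount, attendees)
SAMPLE_LINES = [
    ("E001", "Group Meal", 480.00, 4),        # $120 per head
    ("E001", "Group Meal", 150.00, 5),        # $30 per head
    ("E002", "Group Meal", 300.00, 0),        # attendee count missing
    ("E003", "Office Supplies", 100.00, 1),   # round
    ("E003", "Office Supplies", 250.00, 1),   # round
    ("E003", "Office Supplies", 75.00, 1),    # round
    ("E004", "Office Supplies", 99.99, 1),    # not round
    ("E004", "Office Supplies", 50.00, 1),    # round, but E004's total stays under threshold
]


def meals_over_threshold(lines, per_head_limit=75.0):
    """Test 5: group meals whose average cost per attendee exceeds the limit.
    Returns (over_limit, undocumented); lines with no attendee count go in the second list."""
    over, undocumented = [], []
    for emp, cat, amount, attendees in lines:
        if cat != "Group Meal":
            continue
        if attendees < 1:
            undocumented.append((emp, amount))
            continue
        per_head = round(amount / attendees, 2)
        if per_head > per_head_limit:
            over.append((emp, amount, attendees, per_head))
    return over, undocumented


def is_round_amount(amount, divisor=25):
    """Modulus test on whole cents: 78 mod 25 leaves 3, so 78.00 is not round; 75.00 is."""
    cents = round(amount * 100)
    return cents % (divisor * 100) == 0


def round_amount_totals(lines, divisor=25, employee_threshold=300.0):
    """Test 6: employees whose round-amount transactions total more than the threshold.
    Returns sorted (employee_id, total_round_amount, count_of_round_lines)."""
    totals = defaultdict(float)
    counts = defaultdict(int)
    for emp, _cat, amount, _att in lines:
        if is_round_amount(amount, divisor):
            totals[emp] += amount
            counts[emp] += 1
    return sorted((emp, round(total, 2), counts[emp])
                  for emp, total in totals.items() if total > employee_threshold)


if __name__ == "__main__":
    print(meals_over_threshold(SAMPLE_LINES))
    print(round_amount_totals(SAMPLE_LINES))
```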
TEST 7: T&E Dormant Cards
Risk: Lost or stolen corporate cards may be used for fraudulent purchases.
Test: Identify all active corporate cards that have not had any transactions for the previous X days.
AREA 2: Record to Report (R2R) and General Ledger (GL)
When auditing, where else would we start than right in the guts of things, the general ledger? If I can’t find something interesting in the GL to talk about with management, I consider myself a failure as an auditor. So here is one suggested way to get quick and dirty with the journal entries and find at least that next topic of discussion:
TEST 8: Suspicious Keyword in Journal Entries
Risk: Posted entries may not be authorized or valid.
Test: Identify any journal entries containing descriptions that could indicate an invalid or suspicious entry.
TEST 9: GL Stratification of Accounts
Risk: Posted Entries may not be authorized or valid.
Test: Stratify a particular general ledger account to look for journal entries that are outside of the normal range
of values posted to the account.
General investigative approaches like stratification can highlight risks that you may not have been aware of when building an audit plan, and it doesn't have to be a major time-drain. Adjustments made by corporate accounting
might not be communicated to the process owners. Also, you don't have to limit yourself to General Ledger. Consider this approach for payables sub-ledgers, or detailed payroll transactions.
TEST 10: GL Entries with Outlier Amounts
Risk: Posted Entries may not be authorized or valid.
Test: Select journal entries that deviate more than two standard deviations from the average posted amount to
the account.
To do this, we want to figure out what would be the typical sized posting to each account, and look for unusually sized postings. Now, some accounts will inherently have a large range of sized transactions posted to them, but
some will have a very narrow range. We'll take this into consideration when we identify our outliers.
Applying outlier analysis can reveal the transactions that are 'unusual'. Instead of applying a hard threshold
(there are probably many Journal Entries larger and smaller than $500K in your General Ledger), we can analyze the trends of all your accounts to highlight transactions that might require additional scrutiny. These transactions
are unusual because their amounts deviate vastly from the expected amounts posted to the account.
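The following is an added example (not code from the paper or from ACL) that carries Tests 9 and 10 through in plain Python over a constructed set of journal postings. Account names, amounts and the stratification bands are assumptions for the example. It handles the two cases the text hints at: an account where every posting is identical (zero spread, so nothing can be an outlier) and an account with too few postings to form a baseline.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Added example, not from the paper or from ACL. Tests 9 and 10 over constructed postings.
# Constructed postings: (journal_id, account, amount)
SAMPLE_POSTINGS = [
    ("J1", "6100-Travel", 1200.0), ("J2", "6100-Travel", 950.0),
    ("J3", "6100-Travel", 1100.0), ("J4", "6100-Travel", 1050.0),
    ("J5", "6100-Travel", 980.0),  ("J6", "6100-Travel", 25000.0),    # far outside the usual range
    ("J7", "2100-AP", 500.0), ("J8", "2100-AP", 500.0), ("J9", "2100-AP", 500.0),   # zero spread
    ("J10", "1500-Fixed Assets", 40000.0),   # single posting: no basis for a z-score
]


def stratify(postings, account, bands):
    """Test 9: count and total the postings to one account per amount band.
    bands is an ascending list of upper limits; amounts above the last limit land in 'over'."""
    buckets = {limit: [0, 0.0] for limit in bands}
    buckets["over"] = [0, 0.0]
    for _jid, acct, amount in postings:
        if acct != account:
            continue
        for limit in bands:
            if amount <= limit:
                key = limit
                break
        else:
            key = "over"
        buckets[key][0] += 1
        buckets[key][1] += amount
    return buckets


def outlier_postings(postings, sigmas=2.0, min_postings=5):
    """Test 10: postings more than `sigmas` standard deviations from their account's mean.
    Accounts with fewer than min_postings entries, or with zero spread, are skipped."""
    by_account = defaultdict(list)
    for jid, acct, amount in postings:
        by_account[acct].append((jid, amount))
    flagged = []
    for acct, entries in by_account.items():
        if len(entries) < min_postings:
            continue
        amounts = [a for _, a in entries]
        mu, sd = mean(amounts), pstdev(amounts)
        if sd == 0:
            continue
        for jid, amount in entries:
            z = (amount - mu) / sd
            if abs(z) > sigmas:
                flagged.append((acct, jid, amount, round(z, 2)))
    return flagged


if __name__ == "__main__":
    print(stratify(SAMPLE_POSTINGS, "6100-Travel", [1000, 5000]))
    print(outlier_postings(SAMPLE_POSTINGS))
```

Two practical caveats follow from the arithmetic: a single enormous posting inflates the standard deviation of its own account, so with only a handful of postings the largest z-score an entry can reach is capped by the sample size; and an account with a large natural range (the text's point) simply produces a wide band, which is exactly the per-account tolerance a hard $500K threshold cannot give.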
AREA 3: Payroll, Timekeeping, and Human Resources
Ye analytic superheroes have battled back the petty crimes of T&E expenses, building your superhero personas
and developing your reputation for wielding analytic superpowers. Now it’s time to concentrate your focus on payroll.
The general risks this time are around employee salaries, phantom employees, and timekeeping. But just like GL
postings and T&E expenses, the first step is to survey the risk landscape, sizing up your opponents and forming a strategy to flush them out. Human resources and payroll administration are typically considered support
functions, and these seldom examined areas often hide significant amounts of recurring waste.
Do you feel like your risks are more concentrated in your salary, or hourly wage workers? How much
management control and visibility is there into the HR system? The payroll process? The timekeeping process?
Data Acquisition
Throughout our payroll analysis, there are three main areas of data we’ll be on the hunt for. Even though we’ll
probably only need payroll transaction data today, it’s a good idea to get all of the payroll data at once to support the other analyses you’re going to perform:
1. HR Data / Employee Master data: employee names, statuses, start dates and end dates, salaries, titles, reporting structures
2. Payroll Transaction data / Pay checks: deductions, pay codes
3. Timekeeping data / Timesheets: worked hours, approvals, overtime
Keep in mind that while many organizations keep their internal HR files internal and secured, most organizations
outsource their payroll function, often to ADP. If this is the case, then it’s likely that your finance team is already receiving a file interface from ADP of the payroll transactions, and you should endeavor to tap into that interface
by requesting the files. You’ll also need a mapping of the pay codes to understand what each code means.
Timekeeping applications can vary, but one that this analytics mastermind has often encountered is Kronos.
We’ve had great success accessing data directly from Kronos using an ODBC connection. Contact your Kronos administrator for the Database Views Reference to help you map out the data. ACL Consulting Services can also
be of great help, especially if you’re looking to do continuous monitoring of the payroll processes.
To help you get started, here’s a starting point for your data needs when analyzing payroll, HR, and timekeeping:
Required | Nice to have for context/other analysis
HR/Employee Master Data
Employee ID Number | Employee Name
Employee Address (incl. state, zip) | Employee Business Unit
Employee Department
Employee Title/Job Code | Employee Salary/Pay Grade
Employee Type (e.g. Salary/Hourly/Contractor) | Employee Start Date
Employee End Date | Employee Status
Employee Tax ID | Employee Bank Account
Employee Reports To | Employee Birthdate
Employee Created Date
Employee Created By | Employee Modified Date
Employee Modified By
Payroll Transactions
Employee ID Number
Check Number | Transaction ID Number
Pay Code | Pay Date
Pay Amount
Payroll Type (e.g. Check or Direct Deposit)
Pay Period End Date
Timekeeping
Employee ID Number
Timesheet Number | Timesheet Status
Time entry Effective Date | Time entry number of hours
Time entry hours type (e.g. regular, holiday, overtime)
Timesheet Entered By | Timesheet Entered Date
Timesheet Approver | Timesheet Approval date
TEST 11: PAYROLL - Multiple Salary Increases
Risk: Unauthorized salary increases create an opportunity for fraud or waste.
Test: Identify any employees with more than three different base salaries in the past 12 months.
Evil villains could not effect their corrupt plots without the help of loyal lieutenants. The analytic superpower
above can shine light on potential cases for further investigation and interrogation. Keep in mind that you'll need to work closely with local deputies like the Payroll Administrators to target the exact pay codes needed. Using the
results, we can further target the actual range of each employee's regular pay, identifying employees with an unusually wide range of regular pay amounts.
TEST 12: PAYROLL - Timesheet Self-Editing
Risk: Unauthorized changes to historical paycodes may represent an opportunity for fraud or waste.
Test: Identify any employees that have applied more than a certain threshold of paycode edits to their own timecards within the investigation period.
TEST 13: PAYROLL - Phantom Employees
Risk: Phantom employees on the payroll may be used to channel funds to an unauthorized party, or as a vehicle
for fraud.
Test: Identify duplicate employee records where there is more than one employee associated with the same bank account or address.
You'll want to be aware that spouses who are both employees will likely show up in this test, and that's good!
That way you know your analysis is working. This is just one of a set of analytic superpowers you can use to identify phantom employees. Others might include analyzing employee addresses for PO Boxes, or identifying
employees without any payroll deductions, or invalid/duplicate tax identification numbers (SSN or SIN).
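The following is an added example (not code from the paper or from ACL) of Test 13 and the extra indicators just listed, run over a constructed employee master. The field layout, the address abbreviation table and the sample records are assumptions for the example. The spouse case (E001 and E002) is present on purpose so you can see it surface, as the text says it should; the real point of the example is that bank accounts and addresses only match after normalization, since "12 Oak St, Apt 3" and "12 Oak Street #3" are the same place.

```python
import re
from collections import defaultdict

# Added example, not from the paper or from ACL. Test 13 over a constructed employee master.
# Constructed rows: (emp_id, name, address, bank_account, tax_id)
SAMPLE_EMPLOYEES = [
    ("E001", "Ann Lee", "12 Oak St, Apt 3, Vancouver BC",  "CA-1111-2222", "123-45-6789"),
    ("E002", "Bob Lee", "12 Oak Street #3, Vancouver, BC", "CA-1111-2222", "987-65-4321"),  # spouse
    ("E003", "Carl Ng", "PO Box 778, Surrey BC",           "CA-3333-4444", "555-55-5555"),
    ("E004", "Dee Ray", "90 Pine Ave, Burnaby BC",         "CA-5555-6666", "555-55-5555"),  # shared tax id
    ("E005", "Ed Fox",  "41 Elm Rd, Richmond BC",          "CA-7777-8888", "222-33-4444"),
    ("E006", "Ed Fox",  "41 Elm Road, Richmond, BC",       "CA-7777-8888", "222-33-4444"),  # full duplicate
]

# Assumed normalization tables for the example
ABBREV = (("street", "st"), ("avenue", "ave"), ("road", "rd"), ("apartment", "apt"))
UNIT_WORDS = {"apt", "unit", "suite", "ste"}


def normalize_address(addr):
    """Lowercase, drop punctuation, abbreviate street words and strip unit designators,
    so that spelling variants of the same address produce the same key."""
    text = re.sub(r"[.,#]", " ", addr.lower())
    tokens = []
    for tok in text.split():
        for full, short in ABBREV:
            if tok == full:
                tok = short
        if tok not in UNIT_WORDS:
            tokens.append(tok)
    return " ".join(tokens)


def normalize_account(acct):
    return re.sub(r"[^0-9a-z]", "", acct.lower())


def normalize_tax_id(tax_id):
    return re.sub(r"\D", "", tax_id)


def group_duplicates(employees, key_func, field_name):
    """Return (field_name, shared_key, [employee ids]) for every key used by more than one employee."""
    groups = defaultdict(list)
    for emp_id, _name, addr, bank, tax in employees:
        groups[key_func(addr, bank, tax)].append(emp_id)
    return [(field_name, key, ids) for key, ids in sorted(groups.items()) if len(ids) > 1]


def phantom_indicators(employees):
    """Employees sharing a bank account, address or tax id, plus employees at a PO Box."""
    findings = []
    findings += group_duplicates(employees, lambda a, b, t: normalize_account(b), "bank_account")
    findings += group_duplicates(employees, lambda a, b, t: normalize_address(a), "address")
    findings += group_duplicates(employees, lambda a, b, t: normalize_tax_id(t), "tax_id")
    po_box = [e[0] for e in employees if re.search(r"\bp\.?\s*o\.?\s*box\b", e[2], re.I)]
    return findings, po_box


if __name__ == "__main__":
    for finding in phantom_indicators(SAMPLE_EMPLOYEES)[0]:
        print(finding)
```

A pair that matches on all three keys (E005/E006 here) is a much stronger indicator than a pair that matches on one, so in practice the findings are worth ranking by how many keys they share before anyone goes interviewing.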
AREA 4: Information Technology and Information Systems
TEST 14: IT - Segregation of Duties
Risk: An employee’s temporary access or changes in role may allow a breach in segregation of duties to occur.
Test: Identify invoices where the creator or modifier of the invoice is also the creator or modifier of the vendor.
TEST 15: IT - Privileged User Access
Risk: Users with elevated access for system administration or maintenance abuse their access.
Test: Identify prohibited activities by super users for review by management.
AREA 5: Procure to Pay
TEST 16: P2P - Employee Vendor Match
Risk: Vendors matching employee addresses may be used to channel funds to an employee in an unauthorized manner.
Test: Identify invoices to vendors matching the numeric address of an employee.
TEST 17: P2P - Non-PO Purchases
Risk: Vendor payments not following the standard purchasing process present a higher risk.
Test: Identify vendors with non-PO transactions greater than a specified threshold.
TEST 18: P2P - Duplicate Payments (Duplicate Vendors)
Risk: Multiple vendors exist in the payables system leading to duplicate payments.
Test: Identify invoices with the same amount, to different vendors, with one of:
• Same numeric address
• Same bank account
• Same vendor tax id
• Same vendor name
• Same invoice document reference
TEST 19: P2P - Duplicate Payments (miskeying invoice number)
Risk: A miskeying of the invoice number leads to a duplicate payment
Test: Identify invoices with the same amount, to the same vendor, with different invoice number pattern
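Tests 18 and 19 both hinge on matching invoices whose identifying fields agree only after cleanup, so the following added example (not code from the paper or from ACL) implements both over a constructed payables extract. The row layout, the vendor-name suffix list and the sample invoices are assumptions for the example. The invoice-reference normalization is what makes Test 19 work: "INV-00123" and "INV 123" are the same reference once punctuation and leading zeros are removed, which is exactly the miskeying the test is after.

```python
import re
from collections import defaultdict

# Added example, not from the paper or from ACL. Tests 18 and 19 over constructed invoices.
# Constructed rows: (invoice_id, vendor_id, vendor_name, invoice_ref, amount, bank_account, tax_id)
SAMPLE_INVOICES = [
    ("I1", "V100", "Acme Supply Ltd",  "INV-00123", 2500.00, "BK-1", "TX-1"),
    ("I2", "V100", "Acme Supply Ltd",  "INV 123",   2500.00, "BK-1", "TX-1"),  # Test 19: same vendor, miskeyed ref
    ("I3", "V200", "ACME SUPPLY LTD.", "INV-00123", 2500.00, "BK-1", "TX-9"),  # Test 18: second vendor record, same bank
    ("I4", "V300", "Zed Parts",        "Z-77",       800.00, "BK-3", "TX-3"),
    ("I5", "V300", "Zed Parts",        "Z-78",       800.00, "BK-3", "TX-3"),  # genuinely different references
    ("I6", "V400", "Zed Parts Inc",    "Q-1",        800.00, "BK-4", "TX-3"),  # Test 18: different vendor, same tax id
]

SUFFIXES = {"ltd", "inc", "llc", "corp", "co"}


def normalize_ref(ref):
    """Alphanumeric core of an invoice reference with leading zeros of each number run dropped."""
    core = re.sub(r"[^a-z0-9]", "", ref.lower())
    return re.sub(r"(?<!\d)0+(?=\d)", "", core)


def normalize_name(name):
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in SUFFIXES)


def miskeyed_duplicates(invoices):
    """Test 19: same vendor and amount, references that differ as typed but match normalized."""
    groups = defaultdict(list)
    for inv_id, vendor, _name, ref, amount, _bank, _tax in invoices:
        groups[(vendor, round(amount, 2), normalize_ref(ref))].append((inv_id, ref))
    out = []
    for (vendor, amount, _key), members in groups.items():
        raw_refs = {ref for _, ref in members}
        if len(members) > 1 and len(raw_refs) > 1:
            out.append((vendor, amount, [inv_id for inv_id, _ in members]))
    return out


def duplicate_vendor_payments(invoices):
    """Test 18: same amount paid to different vendor records that share a bank account,
    tax id, normalized name or normalized invoice reference."""
    keys = {
        "bank_account": lambda inv: inv[5],
        "tax_id": lambda inv: inv[6],
        "vendor_name": lambda inv: normalize_name(inv[2]),
        "invoice_ref": lambda inv: normalize_ref(inv[3]),
    }
    out = []
    for label, key in keys.items():
        groups = defaultdict(list)
        for inv in invoices:
            groups[(round(inv[4], 2), key(inv))].append(inv)
        for (amount, shared), members in groups.items():
            if len({m[1] for m in members}) > 1:        # more than one vendor id involved
                out.append((label, amount, shared, sorted(m[0] for m in members)))
    return sorted(out)


if __name__ == "__main__":
    print(miskeyed_duplicates(SAMPLE_INVOICES))
    for hit in duplicate_vendor_payments(SAMPLE_INVOICES):
        print(hit)
```

Note that I4 and I5 are not flagged by Test 19: same vendor and amount, but "Z-77" and "Z-78" stay distinct after normalization, which is the behaviour you want for a vendor that bills a fixed amount on consecutive invoices.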
TEST 20: P2P - Blanket Receipts
Risk: Purchases for services or multiple scheduled shipments are received all at once, creating a recognition issue and a risk that the services/goods are never received.
Test: Identify purchase receipts larger than a threshold where the largest related invoice is smaller than a certain percentage of the purchase receipt.
TEST 21: P2P - Vendor Master Changes
Risk: Critical data elements of a vendor may be manipulated to channel funds to an unauthorized party
Test: Identify vendors where critical data elements (address, bank account number, name) have changed more than X times in a short time.
TEST 22: P2P - Early Payments
Risk: Early payments present an opportunity cost of capital and may be an indication of a conflict of interest between an employee and vendor.
Test: Based on a standard payment term and cost of capital rate, identify early payments that have created an opportunity cost greater than a threshold.
AREA 6: Order to Cash
Doesn't it seem convenient that super villains so often reside in the same city as the would-be superhero?
The next chapter in our saga is order to cash analysis.
We are looking for instances where sales reps were pushing more product than necessary (potentially at a
discount) at the end of the fiscal quarter to make quota, but then there was a high likelihood of the customer returning the product in the following weeks.
TEST 23: O2C - Channel Stuffing
Risk: Sales orders created during critical periods (e.g. at the end of the fiscal quarter) are sold in higher quantity than necessary and/or heavily discounted, resulting in an overstatement in revenues or overpayment of
commissions.
Test: Identify patterns of potential channel stuffing in sales representatives, sales management, or sales branches/locations.
1. Identify the critical periods for the organization, including critical period begin and end dates. In my example above, the critical periods would be the fiscal quarters.
2. Define the timeframes for beginning of periods and end of periods. If channel stuffing exists, there might be a relationship between the sales volumes at the beginning of periods (e.g. the first 2 weeks of a fiscal quarter), end of periods (e.g. the last week of a fiscal quarter), and regular periods (e.g. any week that is not either of the above).
3. Define the key fields that will be used for identifying patterns. The data will be aggregated, averaged, and trended on these key fields to look for patterns. For example, you could use customer account number, sales representative number, sales location branch number, product number, etc.
4. Calculate comparable sales volume rates and sales return rates for the beginning of period, end of period, and normal periods for each of the key fields defined in (3). These are key metrics that would be monitored for identifying patterns. For example, you could identify the average weekly volumes by a sales location branch for the beginning of quarter weeks, end of quarter weeks, and regular weeks.
5. Based on the key fields in (3) and metrics in (4), identify suspicious outlier patterns. For example, you could identify any sales location branch that had a greater than 20% difference between average end of quarter week volume and average beginning of quarter week volume.
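The following is an added example (not code from the paper or from ACL) that carries the five steps above through end to end in plain Python. The fiscal quarters, the two-week/one-week window sizes, the 20% tolerance and the weekly sales figures are all constructed assumptions; the key field is the sales branch, and the return rate from step 4 is carried alongside volume so the outlier report shows both.

```python
from collections import defaultdict
from datetime import date, timedelta

# Added example, not from the paper or from ACL. Test 23 over constructed weekly sales.

# Step 1 (assumed): critical periods are the fiscal quarters, as (start, end) dates.
QUARTERS = [(date(2014, 1, 1), date(2014, 3, 31)), (date(2014, 4, 1), date(2014, 6, 30))]


def classify_week(week_start, quarters=QUARTERS, begin_weeks=2, end_weeks=1):
    """Step 2: label a week 'begin', 'end' or 'regular' within its quarter; None if outside all."""
    for q_start, q_end in quarters:
        if q_start <= week_start <= q_end:
            if week_start < q_start + timedelta(weeks=begin_weeks):
                return "begin"
            if week_start > q_end - timedelta(weeks=end_weeks):
                return "end"
            return "regular"
    return None


def build_sample_sales():
    """Constructed weekly rows: (branch, week_start, units_sold, units_returned).
    B-North spikes at quarter end with elevated returns; B-South is flat all year."""
    rows = []
    week = date(2014, 1, 1)
    while week <= date(2014, 6, 30):
        label = classify_week(week)
        north_units = {"begin": 90, "end": 170, "regular": 100}[label]
        rows.append(("B-North", week, north_units, 20 if label == "end" else 5))
        rows.append(("B-South", week, 100, 5))
        week += timedelta(weeks=1)
    return rows


def period_metrics(rows):
    """Steps 3 and 4: per (branch, period label), average weekly volume and average return rate."""
    volumes = defaultdict(list)
    return_rates = defaultdict(list)
    for branch, week, sold, returned in rows:
        label = classify_week(week)
        if label is None:
            continue
        volumes[(branch, label)].append(sold)
        return_rates[(branch, label)].append(returned / sold if sold else 0.0)
    return {k: (sum(v) / len(v), sum(return_rates[k]) / len(return_rates[k]))
            for k, v in volumes.items()}


def stuffing_outliers(metrics, tolerance=0.20):
    """Step 5: branches whose end-of-period volume exceeds beginning-of-period volume by more
    than the tolerance. Returns (branch, begin_avg, end_avg, end_return_rate)."""
    out = []
    for branch in sorted({k for k, _ in metrics}):
        begin_vol = metrics.get((branch, "begin"), (0.0, 0.0))[0]
        end_vol, end_ret = metrics.get((branch, "end"), (0.0, 0.0))
        if begin_vol and (end_vol - begin_vol) / begin_vol > tolerance:
            out.append((branch, round(begin_vol, 1), round(end_vol, 1), round(end_ret, 3)))
    return out


if __name__ == "__main__":
    for hit in stuffing_outliers(period_metrics(build_sample_sales())):
        print(hit)
```

Swapping the branch for a sales representative or customer account number is a matter of what sits in the first column of the rows; the period labelling and the comparison are unchanged, which is why step 3 asks you to settle the key fields before computing anything.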
TEST 24: O2C - Customer Credit Limits
Risk: Credit limits to customers are not reviewed on a regular basis
Test: Identify customers with unusual credit limits or with credit limits that have not been reviewed in more than X months
TEST 25: O2C - Sanctioned Customer Testing
Risk: The organization is doing business with an entity that is on a sanctions list published by the US government.
Test: Report transactions with customers having names matching the SAM list (System for Award Management, sam.gov).
Resources and References
If you enjoyed learning about these analytic superpowers, they’re available on ACL’s blog for review:
http://www.acl.com/?s=top+25
On the blog, we go into detail about the individual steps taken as well as key considerations for conducting data analytics.
If you’re interested in adding ACL Analytics to your toolbelt, you can learn more at our website as well in the
About ACL section below, or reach out to me directly at [email protected].
If you’re an existing user of ACL technologies, there are a wealth of resources available. The ACL Support
Center (support.acl.com) has a vibrant community of analytic superheroes ready to take charge and help in the forums. ACL Consulting Services are also available to you if you would like the help of experts to help you as
well. If you need help on how to use something in particular about ACL Analytics, the technical reference at
docs.acl.com is a tremendous resource. And finally, guided learning options are available either online or in the classroom (http://www.acl.com/services/acl-training-services/classroom-training/).
About ACL
ACL delivers technology solutions that are transforming audit and risk management. Through a combination of
software and expert content, ACL enables powerful internal controls that identify and mitigate risk, protect
profits, and accelerate performance.
Driven by a desire to expand the horizons of audit and risk management so they can deliver greater strategic business value, we develop and advocate technology that strengthens results, simplifies adoption, and improves
usability. ACL’s integrated family of products—including our cloud-based governance, risk and compliance (GRC)
solution and flagship data analytics products—combine all vital components of audit and risk, and are used seamlessly at all levels of the organization, from the C-suite to front line audit and risk professionals and the
business managers they interface with. Enhanced reporting and dashboards provide transparency and business context that allows organizations to focus on what matters.
And, thanks to 25 years of experience and our consultative approach, we ensure fast, effective implementation, so customers realize concrete business results fast at low risk. Our actively engaged community of more than
14,000 customers around the globe—including 89% of the Fortune 500—tells our story best. Here are just a few. Visit us online at www.acl.com.
ACL Services Ltd.
1550 Alberni Street
Vancouver, BC, Canada
V6G 1A5
1 604 669 4225
About Phil Lim
Phil Lim has worked with compliance and audit groups of Fortune 500 companies, leading them through implementations of technology-enabled assurance programs to assess, test and monitor risk. He is responsible for
the integrated content portfolio, from strategy and planning to execution. Included in his scope is to arm risk and assurance professionals with better tools and methodologies on how to build data analytic integrated enterprise
risk management programs.
Phil Lim
Product Manager, ACL
[email protected]