The days of “give me the data and let me play with it until I find something” are over. It’s no longer enough for internal auditors to hope they stumble across something. They need a tactical search plan.
For example, a U.S. District judge recently sentenced a California man to six years in federal prison for his role in a scheme to embezzle more than $3 million from a general contractor. The man was one of six individuals who set up shell companies to submit fake construction services and materials invoices to the construction manager.
Internal auditors must ask whether their fraud data analytics could detect such a scheme. Here is how a tactical analytics methodology can help.
Decide What to Look For
Internal audit should begin with the fraud risk statement, which has five elements: opportunity, entity, fraud action, impact, and financial conversion. The risk statement becomes the technical specification for programming auditors’ search routines. To illustrate, internal auditors should consider how each element in this risk statement links to the fraud data analytics plan:
Budget owner acting alone / causes a shell company to be set up on the vendor master file / causes the issuance of a purchase order and approves a fake invoice for services not received / causes the diversion of company funds.
Opportunity. Viewed as either a direct access function, such as accounts payable, or indirect access, such as a budget owner acting alone. Because the opportunity element is a budget owner, auditors expect that all fake invoices are recorded in the budget owner’s cost center.
Entity. A vendor, employee, customer, etc., who links to the master file data (name and address). Entities can be false or real. Internal auditors should decide whether they are looking for real or false schemes. They can then decide which permutations to include or exclude from their analysis. They also need to know what they are searching for. In the example fraud risk statement, the entity is a created false entity rather than:
- Assumed — takes over the identity of a dormant or real vendor.
- Hidden — two vendors with a different name but common identity information.
- Conflict of interest — vendor has one customer and ownership links to prior employment.
- Temporary — often associated with one-time payment procedures.
Fraud Action Statement. Links to the transactional data. In the risk statement example, auditors should search for a fake invoice for services not performed. The analysis starts with the purchase order, vendor invoice, and payment data using five fields: control number, date, amount, line-item description, and general ledger account. Auditors should then determine the data patterns associated with a fake invoice.
Impact Statement. Helps auditors calibrate their analysis regarding total vendor spend levels. Auditors should note that most false billing schemes occur in the bottom-third spend level, whereas pass-through schemes are typically located in the middle third. Conflict of interest schemes can range from the bottom to the top of the spend level.
Determine the Level of Sophistication
Fraud is about misrepresentation and concealment. Internal audit’s plan must anticipate the sophistication of concealment, ranked on a low, medium, and high scale. Fundamentally, this tells auditors what their search routine can detect.
A common test is matching human resource data to vendor data. A bank account illustrates how matching and concealment correlate:
- Low sophistication. Both files have the same bank routing number and bank account number. The test is successful.
- Medium sophistication. Both files have the same bank routing number but different account numbers. The test is useful if an individual is identified through a whistleblower complaint.
- High sophistication. Each file has a different bank routing number and account number. Internal audit’s test fails, which means its only chance of detecting the scheme is through the transactional data.
Internal audit must understand this level of sophistication concept for every data element in its plan.
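The three outcomes of the bank account match can be produced by one routine. The following is an added example, not part of the original article; the field names, the sample records, and the normalization rule (digits only, leading zeros dropped from account numbers) are assumptions.

```python
from collections import defaultdict

# Constructed sample records; the field names are assumptions.
EMPLOYEES = [
    {"emp_id": "E100", "routing": "021000021", "account": "000123456789"},
    {"emp_id": "E200", "routing": "111000025", "account": "5550001"},
    {"emp_id": "E300", "routing": "026009593", "account": "7788-9900"},
]
VENDORS = [
    {"vendor_id": "V1", "routing": "021000021", "account": "123456789"},
    {"vendor_id": "V2", "routing": "111000025", "account": "9990002"},
    {"vendor_id": "V3", "routing": "322271627", "account": "4041234"},
]

def digits(value):
    """Keep digits only so spaces and dashes do not hide a match."""
    return "".join(ch for ch in value if ch.isdigit())

def account_key(value):
    """Assumed rule: leading zeros in an account number are padding."""
    return digits(value).lstrip("0")

def match_bank_details(employees, vendors):
    """Classify each vendor as an exact, routing-only, or no match to HR data."""
    by_account, by_routing = defaultdict(list), defaultdict(list)
    for e in employees:
        routing = digits(e["routing"])
        by_account[(routing, account_key(e["account"]))].append(e["emp_id"])
        by_routing[routing].append(e["emp_id"])
    results = {}
    for v in vendors:
        routing = digits(v["routing"])
        key = (routing, account_key(v["account"]))
        if key in by_account:        # low sophistication: direct hit
            results[v["vendor_id"]] = ("exact", by_account[key])
        elif routing in by_routing:  # medium: same bank, different account
            results[v["vendor_id"]] = ("routing_only", by_routing[routing])
        else:                        # high: this test cannot see the link
            results[v["vendor_id"]] = ("none", [])
    return results

if __name__ == "__main__":
    for vendor_id, outcome in match_bank_details(EMPLOYEES, VENDORS).items():
        print(vendor_id, outcome)
```

The routing-only tier works best as a lookup list to consult when a name surfaces from another source, since many unrelated employees and vendors share a bank.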
Choose the Analytics Strategy
Internal auditors use four strategies to search for patterns and frequencies that correlate to the fraud risk statement:
- Direct evidence. Specific identification correlates to low sophistication. Common patterns associated with these tests are match, duplicate, missing, and changed.
- Circumstantial evidence. Internal control avoidance correlates to medium sophistication. An example is finding two vendor invoices with the same date, each below a control level but in total exceeding the control level. Is it a coincidence or fraud?
- Data interpretation. Professional experience correlates to high sophistication. The sample is derived from visual examination of data using the auditor’s knowledge of it. Data exclusion is a critical aspect of this strategy because it reduces the amount of data that auditors must search.
- Number anomaly. That is, round numbers or recurring numbers. Number anomalies do not link to a fraud risk statement per se; the auditor needs to interpret how the number anomaly correlates to the statement.
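The circumstantial-evidence test in the list above, written as an added example that is not part of the original article. The control limit, field names, and invoice records are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

CONTROL_LIMIT = Decimal("10000.00")  # assumed approval threshold

# Constructed sample invoices.
INVOICES = [
    {"vendor": "V-201", "inv_no": "5019", "date": date(2023, 3, 14), "amount": Decimal("6200.00")},
    {"vendor": "V-201", "inv_no": "5020", "date": date(2023, 3, 14), "amount": Decimal("5900.00")},
    {"vendor": "V-305", "inv_no": "A-77", "date": date(2023, 3, 14), "amount": Decimal("4000.00")},
    {"vendor": "V-305", "inv_no": "A-78", "date": date(2023, 3, 14), "amount": Decimal("3500.00")},
    {"vendor": "V-410", "inv_no": "901", "date": date(2023, 3, 20), "amount": Decimal("12500.00")},
    {"vendor": "V-410", "inv_no": "902", "date": date(2023, 3, 20), "amount": Decimal("800.00")},
]

def find_split_invoices(invoices, limit):
    """Same vendor, same date, each invoice below the limit, total above it."""
    groups = defaultdict(list)
    for inv in invoices:
        # Invoices at or above the limit already went through the control.
        if inv["amount"] < limit:
            groups[(inv["vendor"], inv["date"])].append(inv)
    hits = []
    for (vendor, day), invs in sorted(groups.items()):
        total = sum((i["amount"] for i in invs), Decimal("0"))
        if len(invs) >= 2 and total > limit:
            hits.append({
                "vendor": vendor,
                "date": day,
                "invoices": sorted(i["inv_no"] for i in invs),
                "total": total,
            })
    return hits

if __name__ == "__main__":
    for hit in find_split_invoices(INVOICES, CONTROL_LIMIT):
        print(hit)
```

Only V-201 is returned: V-305's same-day invoices total less than the limit, and V-410's large invoice was never below the control level in the first place.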
Look for Data Patterns
Fraud data analytics for transactional data is about pattern recognition and frequency. Here are two examples using the vendor invoice number and the date field.
Invoice Number. Auditors should search for a low number, a sequential pattern, and a limited number range pattern. If the perpetrator is of low sophistication, auditors would expect to see a starting number of 1, 100, or 1000, whereas a medium to high concealment strategy might start with an odd number such as 5019.
Date Field. Auditors should perform a speed-of-payment test comparing the invoice date to the payment date. Quick payments are a red flag. Auditors can count on the fraud triangle to cause perpetrators to want their money immediately to satisfy their vice.
Once a pattern is identified, ask whether the frequency is sufficient to indicate a fraud pattern or a business pattern. Although this is subjective, it is an important consideration. In practice, auditors perform multiple pattern tests. The weight of all those tests becomes the basis for their sample selection.
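The invoice number and speed-of-payment tests, combined into a per-vendor flag count, as an added example that is not part of the original article. The thresholds, the equal weighting of the flags, and the payment records are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample: (vendor, invoice number, invoice date, payment date)
PAID = [
    ("V-900", 1000, date(2023, 1, 5), date(2023, 1, 6)),
    ("V-900", 1001, date(2023, 2, 3), date(2023, 2, 5)),
    ("V-900", 1002, date(2023, 3, 2), date(2023, 3, 3)),
    ("V-900", 1003, date(2023, 4, 4), date(2023, 4, 6)),
    ("V-555", 5019, date(2023, 1, 10), date(2023, 2, 9)),
    ("V-555", 5020, date(2023, 2, 10), date(2023, 3, 12)),
    ("V-555", 5021, date(2023, 3, 10), date(2023, 4, 9)),
    ("V-120", 48213, date(2023, 1, 9), date(2023, 2, 8)),
    ("V-120", 48977, date(2023, 2, 10), date(2023, 3, 12)),
    ("V-120", 50102, date(2023, 3, 15), date(2023, 4, 14)),
]

LOW_START = 1000     # assumed: first invoice number at or below this is "low"
MAX_RANGE = 50       # assumed: all numbers within this span is a "limited range"
QUICK_PAY_DAYS = 3   # assumed: paid within this many days is "quick"
QUICK_PAY_SHARE = 0.5  # assumed: share of quick payments that sets the flag

def pattern_flags(rows):
    """Run the four pattern tests per vendor and count how many fire."""
    by_vendor = {}
    for vendor, number, inv_date, pay_date in rows:
        days = (pay_date - inv_date).days
        by_vendor.setdefault(vendor, []).append((number, days))
    report = {}
    for vendor, items in by_vendor.items():
        nums = sorted(n for n, _ in items)
        gaps = [b - a for a, b in zip(nums, nums[1:])]
        quick = sum(1 for _, d in items if d <= QUICK_PAY_DAYS)
        flags = {
            "low_start": nums[0] <= LOW_START,
            "sequential": bool(gaps) and all(g == 1 for g in gaps),
            "limited_range": len(nums) > 1 and nums[-1] - nums[0] <= MAX_RANGE,
            "quick_pay": quick / len(items) >= QUICK_PAY_SHARE,
        }
        report[vendor] = {"flags": flags, "score": sum(flags.values())}
    return report

if __name__ == "__main__":
    for vendor, result in pattern_flags(PAID).items():
        print(vendor, result["score"], result["flags"])
```

V-555 starts at 5019 and is paid on normal terms, so it misses the low-number and quick-payment flags but still fires the sequential and limited-range tests, which is why the sample is drawn from the combined count and not from any single test.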
Evaluate the Data
Up to this point, the fraud data analytics plan has been about creating a sample of the data and narrowing the focus based on certain criteria. The final step is to ascertain whether there is credible evidence to suggest that a fraud scheme is occurring. Internal audit needs to have effective procedures — fraud tests — embedded in the plan or the plan may fail to reveal the fraud scheme.
To illustrate a fraud test, auditors should compare the corporate registration date to the first vendor invoice date. If the invoice date is within 90 days of the corporation registration date, that is suspicious. But auditors need to remember it is the weight of all the audit evidence, not just one test.
Even the world’s best auditor using the world’s best audit program cannot detect fraud unless the sample includes a fraudulent transaction. That is why fraud data analytics is so essential to the audit profession and stopping shell company frauds.