Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.
How to Use a New Computer Audit Fraud Prevention and Detection Tool
By Richard B. Lanza, CPA, PMP
While occupational fraud takes various forms, the
result is always the same: the numbers generated by
fraud cannot hold up to the unfailing logic of the
accounting equation. If executives add false sales and accounts
receivable to increase the organization’s revenue, profits and
cash will be out of kilter. The advancement of technology has
allowed for this “accounting equation” to be systematized into
computer logic and applied to company data.1 Results of this
logic could take the form of a simple matching of the human
resource file to the accounts payable vendor master file. On the
other side of the coin, it could be an advanced neural network
application focused on detecting money laundering schemes.
Whether it is simple or advanced, data analysis provides many
benefits in the prevention and detection of fraud. On one hand,
the fraud examiner gains insight on 100 percent of an
organization’s transaction data vs. more limited manual methods
of selection. Further, this approach can generally be completed in
less time than manual procedures, given the automation of the
work. Examiners also gain improved business intelligence as the
generated reports often lead to conclusions beyond whether just
fraud occurred. Such new insights can lead to suggested process
improvements to the client.
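The "simple matching of the human resource file to the accounts payable vendor master file" mentioned above, as an added Python example that is not from the article or the IIA report. It flags vendors that share a bank account number or a normalized street address with an employee; the employee and vendor records, field names and the address-normalization rules are all constructed for this illustration.

```python
"""Match the HR employee file against the AP vendor master file.

Added example (not from the article): flags vendors that share a bank
account number or a normalized street address with an employee, the
classic 'employee set up as a vendor' indicator. All records below are
constructed sample data; the field names are assumptions.
"""
import re
from typing import Dict, List

# Constructed HR employee file
EMPLOYEES = [
    {"emp_id": "E100", "name": "Alice Grant", "address": "12 Oak St., Springfield", "bank_acct": "111222333"},
    {"emp_id": "E101", "name": "Bob Lee", "address": "7 Elm Ave, Springfield", "bank_acct": "444555666"},
    {"emp_id": "E102", "name": "Carol Diaz", "address": "99 Pine Rd Apt 4, Shelbyville", "bank_acct": "777888999"},
]

# Constructed AP vendor master file
VENDORS = [
    {"vendor_no": "V001", "name": "Acme Supplies", "address": "500 Industrial Pkwy, Capital City", "bank_acct": "123123123"},
    {"vendor_no": "V002", "name": "AG Consulting", "address": "12 Oak Street, Springfield", "bank_acct": "999000111"},
    {"vendor_no": "V003", "name": "Northside Print", "address": "40 Main St, Shelbyville", "bank_acct": "444555666"},
]


def normalize_address(addr: str) -> str:
    """Lower-case, drop punctuation, expand common abbreviations and remove
    spaces so that '12 Oak St.' and '12 Oak Street' compare equal."""
    s = re.sub(r"[.,]", " ", addr.lower())
    expand = {"st": "street", "ave": "avenue", "rd": "road", "pkwy": "parkway", "apt": "apartment"}
    return "".join(expand.get(tok, tok) for tok in s.split())


def match_employees_to_vendors(employees: List[dict], vendors: List[dict]) -> List[Dict[str, str]]:
    """Return one hit per (vendor, employee) pair sharing a bank account or a
    normalized address; each hit records which field produced the match."""
    by_acct: Dict[str, List[dict]] = {}
    by_addr: Dict[str, List[dict]] = {}
    for e in employees:
        by_acct.setdefault(e["bank_acct"], []).append(e)
        by_addr.setdefault(normalize_address(e["address"]), []).append(e)

    hits: List[Dict[str, str]] = []
    for v in vendors:
        for e in by_acct.get(v["bank_acct"], []):
            hits.append({"vendor_no": v["vendor_no"], "emp_id": e["emp_id"], "matched_on": "bank_acct"})
        for e in by_addr.get(normalize_address(v["address"]), []):
            hits.append({"vendor_no": v["vendor_no"], "emp_id": e["emp_id"], "matched_on": "address"})
    return hits


if __name__ == "__main__":
    for hit in match_employees_to_vendors(EMPLOYEES, VENDORS):
        print(hit)
```

Indexing the employee file once and probing it per vendor keeps the match linear in the size of both files, which matters when the vendor master runs to tens of thousands of rows. Every hit is a lead for follow-up, not a conclusion: a shared address may be a legitimate home-based consultant.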
The Institute of Internal Auditors (IIA) Research Foundation
recently announced the posting of a free online document to
help fraud examiners worldwide use computers to fight fraud.
Proactively Detecting Occupational Fraud Using Computer
Audit Reports, written by the author of this article, is designed to
assist fraud examiners and management in implementing data
analysis routines for improved fraud prevention and detection.2
This report provides a comprehensive checklist of data analysis
reports as well as general guidance to help audit teams better
analyze company data.
How to Get Started
The free report provides a step-by-step process to
implement audit software from the assessment of risk to the
ultimate application of software routines. However, the main
focus of the document is providing a comprehensive checklist
of more than 250 data analysis reports for every fraud type per
the Association of Certified Fraud Examiners’ (ACFE) uniform
occupational fraud classification system. The step-by-step
process for analyzing data is summarized in figure 1.
Steps One and Two: Assess Risk and Determine Areas
At the highest level, fraud can be categorized into the
following three areas:
1. Asset misappropriations—Involving the theft or misuse of
an organization’s assets
2. Corruption—When fraudsters wrongfully use their influence
in a business transaction to procure some benefit for
themselves or another person, contrary to their duty to their
employer or the rights of another
3. Fraudulent statements—Involving the falsification of an
organization’s financial statements
Within the above three global categories, ACFE identifies
more than 70 areas of fraud.3 Organizational fraud can be
classified using the following, more condensed, 15 categories:4
1. Bribery/illegal gratuities/economic extortion
2. Conflicts of interest
3. Fictitious revenues/timing differences
4. Understated liabilities and expenses
5. Overstated assets/valuation
6. Improper disclosures
7. Nonfinancial fraudulent statements
8. Cash larceny
9. Skimming
10. Inventory misuse/larceny
11. Billing schemes
12. Payroll schemes
13. Expense reimbursement schemes
14. Check tampering
15. Register disbursements
Figure 1—Step-by-step Process
1. Assess Risk
– Brainstorm risk factors.
– Determine areas of risk.
– Identify risk responses.
2. Determine Areas
– Supplier management
– Customer management
– Enterprise and financial
– Computer system mgmt.
– Human resource mgmt.
3. Select Software
– Audit-specific
– Benford’s Law
– Database/spreadsheet
– Regression
– Monte Carlo
– Neural network tools
– Sampling
4. Get Data
– Request data.
– Types of data.
– Verify data.
5. Run Reports
– Run reports.
– Analyze results.
– Establish continuous routines.
INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2004
Once the fraud types are known, any good audit software
assessment begins with risk assessment. Blindly running fraud
reports is a dangerous proposition, both for the company and
the fraud examiner. Therefore, it is best to first start identifying
fraud-prone areas and then employ ACFE’s uniform fraud
classification to pinpoint the precise frauds that are of most
concern. One popular method is to assign a risk value to each
fraud type in the organization based on the following equation:
Risk Value = Likelihood (%) * Impact (Dollar Value)
Although it may be difficult to assign a precise dollar
impact value, one can be estimated based on the size of the
account balance and a reasonable level of impact based on the
total. For example, the risk of fictitious sales may be
represented as total company sales, e.g., US $100 million,
multiplied by 2 percent, which would be the amount that may
go undetected assuming the right type of fraud scheme. Using
this estimating approach, frauds with the highest risk value
would be selected for further analysis.
Once examiners have selected a fraud type (e.g., billing
schemes), they should review the associated reports outlined in
that section of the IIA paper. There are roughly 20 reports for
every fraud type. The piggyback brainstorming method in
which fraud examiners identify numerous other permutations
of a selected report may be useful.
For example, one may use the report “extract vendor
purchases that exceed the 12-month average purchases to that
vendor by a specified percentage (e.g., 200 percent)” to identify
false expenses billed by employees. A piggyback report may be
the same report but only if the vendor was newly added within
the year—an increased sign of the transaction’s fraudulent
nature. Therefore, through brainstorming, fraud examiners can
expand their potential tests while also refining the selected
reports to be more specific to particular entities. The planning
portion of this assignment should not be rushed; roughly 30 to
40 percent of the allotted project time should be used for
planning these reports. This time spent is so critical because it
drives the rest of the process and the ultimate effectiveness of
the resulting fraud detection tests. This is similar to software
development in which best practices dictate that more time be
spent in the requirements definition phase to ensure that the
intended system meets all of the expected needs of its users.
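The vendor-purchase report and its piggyback variant described above, as an added Python example that is not from the article or the IIA report. The purchase history and vendor-added dates are constructed, and two details the report wording leaves open are assumptions: the 12-month average is taken as the mean monthly total over the 12 months preceding the purchase month, counting only months with activity (so a vendor with a short history is not diluted by empty months), and "exceeds by 200 percent" is read as amount greater than three times that average.

```python
"""Vendor-purchase spike report with a 'piggyback' new-vendor variant.

Added example, not from the article or the IIA report. Implements the
report 'extract vendor purchases that exceed the 12-month average purchases
to that vendor by a specified percentage' and the piggyback version that
keeps only vendors added within the year. All data below is constructed.
"""
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed vendor master: vendor number -> date the vendor was added
VENDOR_ADDED = {"V010": date(1998, 3, 2), "V020": date(2003, 9, 15), "V030": date(2001, 6, 30)}

# Constructed AP paid history: (vendor number, invoice date, amount)
PURCHASES: List[Tuple[str, date, float]] = (
    [("V010", date(2003, m, 10), 1000.0) for m in range(1, 12)] + [("V010", date(2003, 12, 10), 5000.0)]
    + [("V020", date(2003, 10, 5), 200.0), ("V020", date(2003, 11, 5), 200.0), ("V020", date(2003, 12, 5), 2500.0)]
    + [("V030", date(2003, m, 20), 500.0) for m in range(1, 12)] + [("V030", date(2003, 12, 20), 900.0)]
)
AS_OF = date(2003, 12, 31)  # end of the period under review


def month_index(d: date) -> int:
    """Months counted from year 0, so consecutive months differ by exactly 1."""
    return d.year * 12 + (d.month - 1)


def monthly_totals(purchases) -> Dict[str, Dict[int, float]]:
    """vendor -> {month_index: total purchases in that month}"""
    totals: Dict[str, Dict[int, float]] = defaultdict(lambda: defaultdict(float))
    for vendor, d, amount in purchases:
        totals[vendor][month_index(d)] += amount
    return totals


def trailing_average(vendor_months: Dict[int, float], m: int, window: int = 12) -> Optional[float]:
    """Mean of the vendor's monthly totals over the `window` months before month m,
    over active months only (assumption). None if there is no prior activity."""
    prior = [t for mi, t in vendor_months.items() if m - window <= mi < m]
    return sum(prior) / len(prior) if prior else None


def spike_report(purchases, pct: float = 200.0) -> List[dict]:
    """Purchases whose amount exceeds the trailing 12-month average by more than
    `pct` percent, i.e. amount > average * (1 + pct / 100)."""
    totals = monthly_totals(purchases)
    hits = []
    for vendor, d, amount in purchases:
        avg = trailing_average(totals[vendor], month_index(d))
        if avg is not None and amount > avg * (1 + pct / 100):
            hits.append({"vendor": vendor, "date": d, "amount": amount, "avg": round(avg, 2)})
    return hits


def piggyback_new_vendor_report(purchases, vendor_added, as_of: date, pct: float = 200.0) -> List[dict]:
    """Same test, restricted to vendors added within the 12 months before as_of."""
    return [h for h in spike_report(purchases, pct) if (as_of - vendor_added[h["vendor"]]).days <= 365]


if __name__ == "__main__":
    for h in spike_report(PURCHASES):
        print("spike:", h)
    for h in piggyback_new_vendor_report(PURCHASES, VENDOR_ADDED, AS_OF):
        print("new-vendor spike:", h)
```

The piggyback report is just the base report composed with one more filter, which is the point of the brainstorming method: once the base test exists as a function, each permutation costs a line. Note that a vendor's first month can never be flagged because there is no prior average to compare against; a separate "first purchase over a limit" report covers that gap.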
Steps Three and Four: Select Software and Get Data
The list of identified reports drives the actual software to
complete the exercise. Note that the report list provided in
Proactively Detecting Occupational Fraud Using Computer
Audit Reports identifies the actual test being completed in the
report. The list provides a summary of computer test types
available to the fraud examiner, as summarized in figure 2.
Figure 2—Computer Test Types
(Each entry lists the test, its description and the proposed software tool.)

Horizontal analysis
Description: This analyzes the increases and decreases in a given balance—normally financial statement items—over two or more periods. This can be completed for balance sheet, income statement and/or budget-to-actual analysis.
Proposed software tool: Excel (Microsoft)

Vertical analysis
Description: The elements of a financial statement are examined for a single period whereby each balance sheet item is shown as a percentage of the total assets and every income statement item is shown as a percentage of the net sales.
Proposed software tool: Excel (Microsoft)

Ratios
Description: One or more balance is compared with one or more other balance, such as the relation of total assets to the net sales of an organization. Ratios can be organized into broad categories of “liquidity/debt” (used to measure a company’s ability to pay its vendors or debt obligations in a timely manner) and “profitability” (indicates the success of the organization in earning a net return on sales or on an investment).
Proposed software tool: Excel (Microsoft)

Trend analysis
Description: This involves comparing any of the analytical tests (horizontal, vertical, ratio, etc.) described above over two or more periods. The use of trend analysis is practically a given in doing any fraud work because fraud tends to create variances over time that would go undetected if only the single year were being analyzed.
Proposed software tool: Excel (Microsoft)

Performance measures
Description: The identification of critical success factors that lead to measures can be tracked over time to assess progress made in achieving specific targets linked to an entity’s vision. For example, the following represent a sampling of performance measures that could be used for accounts payable processing:
• Number of invoices processed
• Number of open invoices at period-end
• Average invoice dollar amount
Proposed software tool: Excel (Microsoft)

Stratification
Description: This counts the number and monetary value of records of a population falling within specified intervals. Stratifications also provide a useful view into the largest, smallest and average monetary transactions.
Proposed software tools: ACL, Excel (Microsoft), IDEA

Aging
Description: This is similar to stratification in that it produces aged summaries of data based on established cutoff dates.
Proposed software tools: ACL, Excel (Microsoft), IDEA

Digital analysis/Benford’s Law
Description: Audit technology designed to find abnormal duplications of specific digits, digit combinations, specific numbers and round numbers in corporate data. Since the objective is to find abnormal duplications, fraud examiners need a benchmark that indicates a normal level of duplication. Benford’s Law gives fraud examiners the expected frequencies of the digits in tabulated data. The premise is that one would expect authentic and unmanipulated data to exhibit these patterns. If a data set does not follow these patterns, this may be a cause for fraud examiner concern and review.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA

Regression
Description: Regression analysis calculates a dependent variable balance (e.g., net sales) based on various independent variables (e.g., product purchases, inventory levels, number of customers, etc.). Note that this test generally provides the greatest level of precision because an explicit expectation is formed using all relevant data and is incorporated into the model. It also provides a specific precision percentage for each test so that the fraud examiner can assess the reliability of the test. For more information on regression analysis, please see the article at www.auditsoftware.net/community/how/tool/tools/regexce.doc.
Proposed software tool: Excel (Microsoft)

Append/merge
Description: This combines two files with identical fields into a single file. An example would be to merge two years’ worth of accounts payable history into one file.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, Entity’s report writer

Calculated field/functions
Description: A calculated field (which can use a function such as ABS for the absolute value of the field) is created using data within the file. For example, the net payroll pay to an employee could be recalculated using the gross pay field and deducting any withholding/taxes.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, Entity’s report writer

Duplicates
Description: Duplicate items are identified within a specified field in a file. For example, this report could be used to identify duplicate billings of invoices within the sales file.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, Entity’s report writer

Extract/filter
Description: Specified items are extracted from one file and copied to another file, normally using an “if” or “where” statement. Examples include extracting all balances over a predefined limit.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, Entity’s report writer

Export
Description: This creates a file in another software format (e.g., Excel, Word) for testing. An example would be to export customer address information to Word to mail merge with customer confirmation letters.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, Entity’s report writer

Gaps
Description: Gaps are identified within a specified field in a file, e.g., gaps in a check sequence.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, Entity’s report writer

Index/sort
Description: Files are sorted in ascending or descending order. An example would be sorting a file by Social Security number to see if any blank or 999999999 numbers exist.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, Entity’s report writer

Join/relate
Description: Specified fields from two different files are combined into a single file using key fields. This function is used to create relational databases on key fields. For example, the vendor master file could be related to the invoice file to obtain address information for each invoice.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, Entity’s report writer

Sample
Description: Random or monetary unit samples are created from a specified population.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA

Summarize
Description: Numerical values are accumulated based on a specified key field. An example would be summarizing travel and entertainment expense amounts by employee to identify unusually high payments.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, Entity’s report writer
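The digital analysis/Benford's Law test from figure 2, as an added Python example that is not from the article or any of the tools it names. It computes the observed leading-digit frequencies of an amount field, compares them with the Benford expectation log10(1 + 1/d), and reports a chi-square statistic together with the digits that deviate most. Both data sets are constructed: a geometric series, which is a population known to follow Benford's Law, and the same series padded with many amounts just under 5,000, the kind of clustering that an approval limit can produce and that this test is meant to surface for review.

```python
"""First-digit Benford's Law test over a field of amounts.

Added example, not from the article. Compares observed leading-digit
frequencies with the Benford expectation and flags abnormal duplication.
The data sets at the bottom are constructed.
"""
import math
from typing import Dict, List, Tuple

DIGITS = range(1, 10)
BENFORD_EXPECTED: Dict[int, float] = {d: math.log10(1 + 1 / d) for d in DIGITS}
CHI2_CRIT_DF8_P05 = 15.507  # chi-square critical value, 8 degrees of freedom, 5% level


def first_digit(x: float) -> int:
    """Leading non-zero digit of |x|; zero has no leading digit."""
    x = abs(x)
    if x == 0:
        raise ValueError("zero has no leading digit")
    while x >= 10:
        x /= 10
    while x < 1:
        x *= 10
    return int(x)


def digit_frequencies(values: List[float]) -> Dict[int, float]:
    """Share of non-zero values whose leading digit is d, for d = 1..9."""
    counts = {d: 0 for d in DIGITS}
    n = 0
    for v in values:
        if v != 0:
            counts[first_digit(v)] += 1
            n += 1
    return {d: counts[d] / n for d in DIGITS}


def benford_test(values: List[float]) -> Tuple[float, bool, List[int]]:
    """Return (chi-square statistic, conforms at the 5% level, digits whose
    observed share is more than 5 percentage points off the expectation)."""
    n = sum(1 for v in values if v != 0)
    observed = digit_frequencies(values)
    chi2 = sum(
        (n * observed[d] - n * BENFORD_EXPECTED[d]) ** 2 / (n * BENFORD_EXPECTED[d]) for d in DIGITS
    )
    outliers = [d for d in DIGITS if abs(observed[d] - BENFORD_EXPECTED[d]) > 0.05]
    return chi2, chi2 <= CHI2_CRIT_DF8_P05, outliers


# Constructed conforming set: a geometric growth series follows Benford's Law
CONFORMING = [1.05 ** k for k in range(1, 1001)]
# Constructed suspicious set: the same series plus 300 amounts just under 5,000
SUSPICIOUS = CONFORMING + [4990.0 + (i % 10) for i in range(300)]

if __name__ == "__main__":
    for label, data in (("conforming", CONFORMING), ("suspicious", SUSPICIOUS)):
        chi2, ok, outliers = benford_test(data)
        print(f"{label}: chi2={chi2:.1f} conforms={ok} outlier digits={outliers}")
```

The chi-square statistic answers "does the whole distribution fit"; the per-digit deviation list answers "which digit to drill into". Both matter in practice because a large population can fail the chi-square test on immaterial deviations, while the per-digit view points straight at the 4,9xx cluster. Benford's Law applies to naturally occurring, unbounded amounts; assigned numbers such as invoice or check sequences and fields with a fixed range should not be tested this way.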
Once the reports and software tools are known, a data
request letter can be arranged to obtain the actual data files for
testing. To jumpstart the process, the data files identified in the
IIA document should be tallied (the document identifies the
expected data files for each report). Within each file, such as
the accounts payable paid history file, it is wise to identify the
specific data fields needed (e.g., vendor number, vendor name,
invoice amount, etc.). Once again, the report being executed
drives the process to arrive at a final list of files and fields to
request.
With the final list, a data request letter (a sample is
provided in Proactively Detecting Occupational Fraud Using
Computer Audit Reports) should be issued to the organization
with the following key elements:
• Specific data fields/files needed
• Format of files needed (e.g., text, comma-delimited, Excel
file)
• Record layout of the file explaining the fields in each of the
provided files
• Timing of the transfer (e.g., one-time, monthly)
• Method of transfer (e.g., CD, e-mail, floppy disk)
• Arrangements for verification information
• A printout of the first 100 rows, matched to the data file
• Computed totals for key data fields that are agreed-to control
totals supplied by the company’s MIS personnel
• Agreed account totals to general ledger balances
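The verification elements of the data request (record layout, record count and computed totals agreed to the control totals supplied by MIS), as an added Python example that is not from the article or the IIA report. The comma-delimited extract, its layout and the control totals are constructed; the point is that every mismatch is listed before any fraud report runs, since a truncated or mis-cut extract silently invalidates everything that follows.

```python
"""Verify a received data file against agreed control totals.

Added example, not from the article or the IIA report. Reads an accounts
payable paid-history extract (constructed), checks that the record layout
matches the one requested, and compares record count and computed totals
for key fields with the control totals supplied by the company.
"""
import csv
import io
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed record layout from the data request letter
EXPECTED_LAYOUT = ["vendor_no", "vendor_name", "invoice_no", "invoice_date", "invoice_amount"]

# Constructed extract as it might arrive from the client's MIS department
RECEIVED_FILE = """vendor_no,vendor_name,invoice_no,invoice_date,invoice_amount
V001,Acme Supplies,INV-1001,2003-01-15,1250.00
V002,AG Consulting,INV-2007,2003-02-03,4800.50
V001,Acme Supplies,INV-1002,2003-02-20,310.25
V003,Northside Print,INV-3300,2003-03-11,99.99
"""

# Constructed control totals supplied with the file (these agree with the file)
CONTROL_TOTALS: Dict[str, object] = {
    "record_count": 4,
    "sum_invoice_amount": Decimal("6460.74"),
    "distinct_vendors": 3,
}
# The same totals with a wrong record count, as a transfer that lost a row would look
MISMATCHED_CONTROL_TOTALS = dict(CONTROL_TOTALS, record_count=5)


def verify_extract(text: str, expected_layout: List[str], control_totals: Dict[str, object]) -> Tuple[bool, List[str]]:
    """Return (ok, findings); findings lists each layout or control-total mismatch."""
    reader = csv.DictReader(io.StringIO(text))
    findings: List[str] = []
    if reader.fieldnames != expected_layout:
        findings.append(f"layout mismatch: got {reader.fieldnames}, expected {expected_layout}")
        return False, findings  # field names are wrong, so totals cannot be computed
    rows = list(reader)
    # Decimal, not float, so that dollar totals agree to the cent with the control total
    computed = {
        "record_count": len(rows),
        "sum_invoice_amount": sum(Decimal(r["invoice_amount"]) for r in rows),
        "distinct_vendors": len({r["vendor_no"] for r in rows}),
    }
    for key, expected in control_totals.items():
        if computed[key] != expected:
            findings.append(f"{key}: computed {computed[key]}, control total {expected}")
    return not findings, findings


if __name__ == "__main__":
    for totals in (CONTROL_TOTALS, MISMATCHED_CONTROL_TOTALS):
        ok, findings = verify_extract(RECEIVED_FILE, EXPECTED_LAYOUT, totals)
        print("ok" if ok else "FAILED", findings)
```

The same function run again on each periodic transfer turns the one-time verification into the "continuous routine" that figure 1 calls for; a record count or hash total that drifts from the general ledger is the first sign that the extract, rather than the business, has changed.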
Step Five: Run Reports
After receiving the data file, all that is left is to execute the
actual report and deliver the answer. Although the IIA paper
does not specifically explain how to run each of these tests,
many of them can be completed with minimal training
(e.g., horizontal analysis in Excel). Assuming an audit staff
member is competent in the use of a report writer, these
reports can be processed, or the organization’s MIS department
can run the tests in the entity’s report writer.
Conclusion
Fraud examiners should look first at the numerous software
tools available to prevent and detect fraud. They can begin
with Proactively Detecting Occupational Fraud Using
Computer Audit Reports and then find more than 100 free tools at
www.auditsoftware.net/community, a free site that works to
increase organizational benefits from the use of audit software.
Although these tools greatly assist in the reduction of fraud,
the reality is that no amount of computer analysis can
guarantee that all fraud will be uncovered.
Endnotes
1 Wells, Joe; The Foreword, Proactively Detecting Occupational Fraud Using Computer Audit Reports
2 Lanza, Richard; Proactively Detecting Occupational Fraud Using Computer Audit Reports, Institute of Internal Auditors, www.theiia.org/ecm/iiarf.cfm?doc_id=4248. The report is posted as a free download; however, the IIA does request a voluntary US $40 donation.
3 For more information on the fraud categories and their relative organizational cost, please see the 2002 Report to the Nation: Occupational Fraud and Abuse, Association of Certified Fraud Examiners, www.cfenet.com.
4 Op. cit., Lanza
Rich Lanza, CPA, PMP
is a manager of internal audit at a Fortune 200 retailer, where
he focuses mainly on using computer-assisted audit tools to
improve business intelligence, increase efficiencies and
identify bottom-line savings. He is also a leading authority on
the use of data extraction/analysis technology and a frequent
speaker on data analysis/project management. Lanza is also the
founder of www.auditsoftware.net/community, which works to
increase organizational benefits from the use of audit software
by providing free tools, case studies, a newsletter and a
discussion area to visitors. He can be reached at
questions@richlanza.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary
organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.