Copyright © 2004 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

How to Use a New Computer Audit Fraud Prevention and Detection Tool
By Richard B. Lanza, CPA, PMP

While occupational fraud takes various forms, the result is always the same: the numbers generated by fraud cannot hold up to the unfailing logic of the accounting equation. If executives add false sales and accounts receivable to increase the organization’s revenue, profits and cash will be out of kilter. The advancement of technology has allowed this “accounting equation” to be systematized into computer logic and applied to company data.1 Results of this logic could take the form of a simple matching of the human resource file to the accounts payable vendor master file. On the other side of the coin, it could be an advanced neural network application focused on detecting money laundering schemes.

Whether it is simple or advanced, data analysis provides many benefits in the prevention and detection of fraud. On one hand, the fraud examiner gains insight on 100 percent of an organization’s transaction data vs. the more limited manual methods of selection. Further, this approach can generally be completed in less time than manual procedures, given the automation of the work. Examiners also gain improved business intelligence, as the generated reports often lead to conclusions beyond whether fraud occurred. Such new insights can lead to suggested process improvements for the client.

The Institute of Internal Auditors (IIA) Research Foundation recently announced the posting of a free online document to help fraud examiners worldwide use computers to fight fraud.
Proactively Detecting Occupational Fraud Using Computer Audit Reports, written by the author of this article, is designed to assist fraud examiners and management in implementing data analysis routines for improved fraud prevention and detection.2 This report provides a comprehensive checklist of data analysis reports as well as general guidance to help audit teams better analyze company data.

How to Get Started

The free report provides a step-by-step process to implement audit software, from the assessment of risk to the ultimate application of software routines. However, the main focus of the document is a comprehensive checklist of more than 250 data analysis reports for every fraud type in the Association of Certified Fraud Examiners’ (ACFE) uniform occupational fraud classification system. The step-by-step process for analyzing data is summarized in figure 1.

Figure 1—Step-by-step Process

1. Assess Risk
   – Brainstorm risk factors.
   – Determine areas of risk.
   – Identify risk responses.
2. Determine Areas
   – Supplier management
   – Customer management
   – Enterprise and financial
   – Computer system management
   – Human resource management
3. Select Software
   – Audit-specific
   – Database/spreadsheet
   – Monte Carlo
   – Sampling
   – Benford’s Law
   – Regression
   – Neural network tools
4. Get Data
   – Request data.
   – Types of data.
   – Verify data.
5. Run Reports
   – Run reports.
   – Analyze results.
   – Establish continuous routines.

INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 1, 2004

Steps One and Two: Assess Risk and Determine Areas

At the highest level, fraud can be categorized into the following three areas:
1. Asset misappropriations—Involving the theft or misuse of an organization’s assets
2. Corruption—When fraudsters wrongfully use their influence in a business transaction to procure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another
3. Fraudulent statements—Involving the falsification of an organization’s financial statements

Within the above three global categories, ACFE identifies more than 70 areas of fraud.3 Organizational fraud can be classified using the following, more condensed, 15 categories:4
1. Bribery/illegal gratuities/economic extortion
2. Conflicts of interest
3. Fictitious revenues/timing differences
4. Understated liabilities and expenses
5. Overstated assets/valuation
6. Improper disclosures
7. Nonfinancial fraudulent statements
8. Cash larceny
9. Skimming
10. Inventory misuse/larceny
11. Billing schemes
12. Payroll schemes
13. Expense reimbursement schemes
14. Check tampering
15. Register disbursements

Once the fraud types are known, any good audit software assessment begins with risk assessment. Blindly running fraud reports is a dangerous proposition, both for the company and the fraud examiner. Therefore, it is best to first identify fraud-prone areas and then employ ACFE’s uniform fraud classification to pinpoint the precise frauds that are of most concern. One popular method is to assign a risk value to each fraud type in the organization based on the following equation:

Risk Value = Likelihood (%) * Impact (Dollar Value)

Although it may be difficult to assign a precise dollar impact value, one can be estimated based on the size of the account balance and a reasonable level of impact based on the total. For example, the risk of fictitious sales may be represented as total company sales, e.g., US $100 million, multiplied by 2 percent, which would be the amount that may go undetected assuming the right type of fraud scheme. Using this estimating approach, the frauds with the highest risk values would be selected for further analysis.

Once examiners have selected a fraud type (e.g., billing schemes), they should review the associated reports outlined in that section of the IIA paper. There are roughly 20 reports for every fraud type.
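The risk-value equation above, worked through as an added example (this code is not from the article or the IIA report): each fraud type carries a constructed account balance, an assumed share of that balance that could go undetected, and an assumed likelihood; the impact is the balance times the undetected share, the risk value is likelihood times impact, and the categories are ranked so the highest-risk ones can be selected for report work. The fraud-type names and all figures other than the article's US $100 million × 2 percent case are made up.

```python
# Added example (not from the article): rank fraud types by
# Risk Value = Likelihood (%) * Impact (Dollar Value), where the impact is
# estimated as an account balance times the share assumed to go undetected.
from dataclasses import dataclass


@dataclass
class FraudRisk:
    fraud_type: str          # ACFE category, e.g. "Fictitious revenues"
    account_balance: float   # size of the related balance, in dollars
    exposure_pct: float      # share of the balance that could go undetected (0-100)
    likelihood_pct: float    # estimated likelihood of the scheme occurring (0-100)

    @property
    def impact(self) -> float:
        """Dollar impact: balance times the undetected share."""
        return self.account_balance * self.exposure_pct / 100.0

    @property
    def risk_value(self) -> float:
        """Risk value per the article's equation: likelihood times impact."""
        return self.impact * self.likelihood_pct / 100.0


def rank_fraud_risks(risks, top_n=None):
    """Fraud types ordered by descending risk value; optionally only the top n."""
    ranked = sorted(risks, key=lambda r: r.risk_value, reverse=True)
    return ranked[:top_n] if top_n else ranked


# Constructed sample: the article's fictitious-sales case (US $100 million
# times 2 percent) plus two categories with made-up balances and likelihoods.
SAMPLE_RISKS = [
    FraudRisk("Fictitious revenues", 100_000_000, 2.0, 10.0),
    FraudRisk("Billing schemes", 40_000_000, 1.0, 30.0),
    FraudRisk("Check tampering", 5_000_000, 5.0, 20.0),
]

if __name__ == "__main__":
    for r in rank_fraud_risks(SAMPLE_RISKS):
        print(f"{r.fraud_type:<22} impact=${r.impact:>12,.0f} risk value=${r.risk_value:>10,.0f}")
```

The ranking, not the arithmetic, is the point: a large balance with a low likelihood can still outrank a small balance with a high likelihood, which is why the article recommends estimating both factors before choosing which of the roughly 20 reports per fraud type to run.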
The piggyback brainstorming method, in which fraud examiners identify numerous other permutations of a selected report, may be useful. For example, one may use the report “extract vendor purchases that exceed the 12-month average purchases to that vendor by a specified percentage (e.g., 200 percent)” to identify false expenses billed by employees. A piggyback report may be the same report restricted to vendors newly added within the year—an increased sign of the transaction’s fraudulent nature. Therefore, through brainstorming, fraud examiners can expand their potential tests while also refining the selected reports to be more specific to particular entities.

The planning portion of this assignment should not be rushed; roughly 30 to 40 percent of the allotted project time should be used for planning these reports. This time is so critical because it drives the rest of the process and the ultimate effectiveness of the resulting fraud detection tests. This is similar to software development, in which best practices dictate that more time be spent in the requirements definition phase to ensure that the intended system meets all of the expected needs of its users.

Steps Three and Four: Select Software and Get Data

The list of identified reports drives the choice of software to complete the exercise. Note that the report list provided in Proactively Detecting Occupational Fraud Using Computer Audit Reports identifies the actual test being completed in each report. The list provides a summary of computer test types available to the fraud examiner, as summarized in figure 2.

Figure 2—Computer Test Types

Test: Horizontal analysis
Description: This analyzes the increases and decreases in a given balance—normally financial statement items—over two or more periods. This can be completed for balance sheet, income statement and/or budget-to-actual analysis.
Proposed software tool: Excel (Microsoft)

Test: Vertical analysis
Description: The elements of a financial statement are examined for a single period, whereby each balance sheet item is shown as a percentage of total assets and every income statement item is shown as a percentage of net sales.
Proposed software tool: Excel (Microsoft)

Test: Ratios
Description: One or more balances are compared with one or more other balances, such as the relation of total assets to the net sales of an organization. Ratios can be organized into the broad categories of “liquidity/debt” (used to measure a company’s ability to pay its vendors or debt obligations in a timely manner) and “profitability” (indicating the success of the organization in earning a net return on sales or on an investment).
Proposed software tool: Excel (Microsoft)

Test: Trend analysis
Description: This involves comparing any of the analytical tests described above (horizontal, vertical, ratio, etc.) over two or more periods. The use of trend analysis is practically a given in any fraud work because fraud tends to create variances over time that would go undetected if only a single year were analyzed.
Proposed software tool: Excel (Microsoft)

Test: Performance measures
Description: The identification of critical success factors that can be tracked over time to assess progress made in achieving specific targets linked to an entity’s vision. For example, the following are a sampling of performance measures that could be used for accounts payable processing:
• Number of invoices processed
• Number of open invoices at period-end
• Average invoice dollar amount
Proposed software tool: Excel (Microsoft)

Test: Stratification
Description: This counts the number and monetary value of records of a population falling within specified intervals. Stratifications also provide a useful view into the largest, smallest and average monetary transactions.
Proposed software tools: ACL, Excel (Microsoft), IDEA

Test: Aging
Description: This is similar to stratification in that it produces aged summaries of data based on established cutoff dates.
Proposed software tools: ACL, Excel (Microsoft), IDEA

Test: Digital analysis/Benford’s Law
Description: Audit technology designed to find abnormal duplications of specific digits, digit combinations, specific numbers and round numbers in corporate data. Since the objective is to find abnormal duplications, fraud examiners need a benchmark that indicates a normal level of duplication. Benford’s Law gives fraud examiners the expected frequencies of the digits in tabulated data. The premise is that one would expect authentic and unmanipulated data to exhibit these patterns. If a data set does not follow these patterns, this may be a cause for fraud examiner concern and review.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA

Test: Regression
Description: Regression analysis calculates a dependent variable balance (e.g., net sales) based on various independent variables (e.g., product purchases, inventory levels, number of customers, etc.). Note that this test generally provides the greatest level of precision because an explicit expectation is formed using all relevant data and is incorporated into the model. It also provides a specific precision percentage for each test so that the fraud examiner can assess the reliability of the test. For more information on regression analysis, please see the article at www.auditsoftware.net/community/how/tool/tools/regexce.doc.
Proposed software tool: Excel (Microsoft)

Test: Append/merge
Description: This combines two files with identical fields into a single file. An example would be to merge two years’ worth of accounts payable history into one file.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, entity’s report writer

Test: Calculated field/functions
Description: A calculated field (which can use a function such as ABS for the absolute value of the field) is created using data within the file. For example, the net payroll pay to an employee could be recalculated using the gross pay field and deducting any withholding/taxes.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, entity’s report writer

Test: Duplicates
Description: Duplicate items are identified within a specified field in a file. For example, this report could be used to identify duplicate billings of invoices within the sales file.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, entity’s report writer

Test: Extract/filter
Description: Specified items are extracted from one file and copied to another file, normally using an “if” or “where” statement. Examples include extracting all balances over a predefined limit.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, entity’s report writer

Test: Export
Description: This creates a file in another software format (e.g., Excel, Word) for testing. An example would be to export customer address information to Word to mail merge with customer confirmation letters.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, entity’s report writer

Test: Gaps
Description: Gaps are identified within a specified field in a file, e.g., gaps in a check sequence.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, entity’s report writer

Test: Index/sort
Description: Files are sorted in ascending or descending order. An example would be sorting a file by Social Security number to see if any blank or 999999999 numbers exist.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, entity’s report writer

Test: Join/relate
Description: Specified fields from two different files are combined into a single file using key fields. This function is used to create relational databases on key fields. For example, the vendor master file could be related to the invoice file to obtain address information for each invoice.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, entity’s report writer

Test: Sample
Description: Random or monetary unit samples are created from a specified population.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA

Test: Summarize
Description: Numerical values are accumulated based on a specified key field. An example would be summarizing travel and entertainment expense amounts by employee to identify unusually high payments.
Proposed software tools: Access (Microsoft), ACL, Excel (Microsoft), IDEA, entity’s report writer

Once the reports and software tools are known, a data request letter can be arranged to obtain the actual data files for testing. To jump-start the process, the data files identified in the IIA document should be tallied (the document identifies the expected data files for each report). Within each file, such as the accounts payable paid history file, it is wise to identify the specific data fields needed (e.g., vendor number, vendor name, invoice amount, etc.). Once again, the report being executed drives the process to arrive at a final list of files and fields to request. With the final list, a data request letter (a sample is provided in Proactively Detecting Occupational Fraud Using Computer Audit Reports) should be issued to the organization with the following key elements:
• Specific data fields/files needed
• Format of files needed (e.g., text, comma-delimited, Excel file)
• Record layout of the file explaining the fields in each of the provided files
• Timing of the transfer (e.g., one-time, monthly)
• Method of transfer (e.g., CD, e-mail, floppy disk)
• Arrangements for verification information:
  – A printout of the first 100 rows, matched to the data file
  – Computed totals for key data fields, agreed to control totals supplied by the company’s MIS personnel
  – Account totals agreed to general ledger balances

Step Five: Run Reports

After receiving the data file, all that is left is to execute the actual report and deliver the answer. Although the IIA paper does not specifically explain how to run each of these tests, many of them can be completed with minimal training (e.g., horizontal analysis in Excel).
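The digital analysis/Benford's Law row of figure 2 describes the benchmark but not the computation, so the following is an added example (not code from the article, the IIA report or any of the tools it names) of a first-digit Benford test in Python. The expected share of leading digit d is log10(1 + 1/d); the two populations are constructed inline, the 0.05 tolerance for flagging a digit is an assumption of this example, and the mean absolute deviation is reported without a pass/fail threshold so that the examiner sets one.

```python
# Added example (not from the article or the IIA report): a first-digit
# Benford's Law test. Expected share of leading digit d is log10(1 + 1/d);
# digits whose observed share departs from that by more than a tolerance
# are flagged as abnormal duplications for the examiner to review.
import math
from collections import Counter


def benford_expected():
    """Expected share of each leading digit 1-9 under Benford's Law."""
    return {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(amount):
    """First significant digit of an amount, or None for a zero amount."""
    for ch in f"{abs(amount):.2f}":
        if ch in "123456789":
            return int(ch)
    return None


def benford_first_digit(amounts, tolerance=0.05):
    """Compare observed first-digit shares with the Benford expectation.

    Returns (table, flagged, mad): table maps digit -> (observed, expected),
    flagged lists digits whose absolute deviation exceeds `tolerance` (a
    constructed threshold, not one the article specifies), and mad is the
    mean absolute deviation over the nine digits, a single conformity figure.
    """
    digits = [d for d in map(leading_digit, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    expected = benford_expected()
    table = {d: ((counts[d] / n) if n else 0.0, expected[d]) for d in range(1, 10)}
    flagged = [d for d, (obs, exp) in table.items() if abs(obs - exp) > tolerance]
    mad = sum(abs(obs - exp) for obs, exp in table.values()) / 9
    return table, flagged, mad


# Constructed "authentic" population: a geometric series spreads its leading
# digits almost exactly as Benford's Law predicts.
CLEAN_SAMPLE = [10 * 1.07 ** k for k in range(340)]

# Constructed "manipulated" population: the same data plus 60 added amounts
# that all begin with the digit 9, an abnormal duplication of that digit.
CONTAMINATED_SAMPLE = CLEAN_SAMPLE + [9_900.0 + i for i in range(60)]

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("contaminated", CONTAMINATED_SAMPLE)):
        table, flagged, mad = benford_first_digit(sample)
        print(f"{label}: MAD={mad:.4f} flagged digits={flagged}")
        for d, (obs, exp) in table.items():
            print(f"  {d}: observed {obs:.3f} expected {exp:.3f}")
```

The flagged digit is the starting point, not the finding: the examiner would next extract the records behind it (the extract/filter test) and review them, since a legitimate pricing structure can also pile up a single leading digit.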
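Several of the figure 2 row tests and two earlier passages come together in one added example below (not code from the article, the IIA report or the tools it names): the duplicates and gaps tests over an accounts payable paid-history file, the "vendor purchases exceeding the 12-month average by a specified percentage" report from the brainstorming discussion together with its piggyback variant restricted to vendors added within the year, and the record-count and amount control totals that the data request letter asks the company to supply. The vendor master, invoice records and dates are constructed; the reading of "exceed by 200 percent" as amount > 3 × average, and the use of the vendor's other invoices for that average, are assumptions of this example.

```python
# Added example (not from the article or the IIA report): several of the
# figure 2 row tests (duplicates, gaps, extract/filter on a calculated field)
# run over a constructed accounts payable paid-history file, plus the
# control-total check from the data request step. All records are made up.
from collections import Counter, defaultdict
from datetime import date

# Constructed vendor master: vendor_id -> name and the date the vendor was added.
VENDOR_MASTER = {
    "V100": {"name": "Acme Supplies", "added": date(2001, 3, 15)},
    "V200": {"name": "Northwind Consulting", "added": date(2003, 9, 1)},  # new this year
}

# Constructed paid-history records: one paid invoice per row.
INVOICES = [
    {"vendor_id": "V100", "invoice_no": "A-1001", "date": date(2003, 1, 10), "amount": 1000.00, "check_no": 5001},
    {"vendor_id": "V100", "invoice_no": "A-1002", "date": date(2003, 4, 12), "amount": 1100.00, "check_no": 5002},
    {"vendor_id": "V100", "invoice_no": "A-1003", "date": date(2003, 7, 3), "amount": 1050.00, "check_no": 5003},
    {"vendor_id": "V100", "invoice_no": "A-1003", "date": date(2003, 7, 20), "amount": 1050.00, "check_no": 5005},
    {"vendor_id": "V100", "invoice_no": "A-1004", "date": date(2003, 11, 5), "amount": 9000.00, "check_no": 5006},
    {"vendor_id": "V200", "invoice_no": "N-1", "date": date(2003, 9, 15), "amount": 2000.00, "check_no": 5007},
    {"vendor_id": "V200", "invoice_no": "N-2", "date": date(2003, 10, 15), "amount": 2100.00, "check_no": 5008},
    {"vendor_id": "V200", "invoice_no": "N-3", "date": date(2003, 12, 1), "amount": 12000.00, "check_no": 5009},
]
AS_OF = date(2003, 12, 31)  # end of the 12-month review period


def control_totals(invoices):
    """Record count and summed amount, to agree to the totals supplied with the data."""
    return len(invoices), round(sum(inv["amount"] for inv in invoices), 2)


def duplicate_invoices(invoices):
    """Invoice numbers billed more than once by the same vendor (Duplicates test)."""
    counts = Counter((inv["vendor_id"], inv["invoice_no"]) for inv in invoices)
    return sorted(key for key, n in counts.items() if n > 1)


def check_number_gaps(invoices):
    """Check numbers missing from the range actually used (Gaps test)."""
    used = sorted({inv["check_no"] for inv in invoices})
    present = set(used)
    return [n for n in range(used[0], used[-1] + 1) if n not in present]


def purchases_over_vendor_average(invoices, vendor_master, as_of, pct=200.0,
                                  new_vendors_only=False):
    """Invoices exceeding the vendor's 12-month average of its other purchases by pct.

    Interpretation used here (an assumption): an invoice is flagged when
    amount > average * (1 + pct / 100), the average being taken over the
    vendor's other invoices in the 12 months ending at `as_of`. With
    new_vendors_only=True this becomes the article's piggyback report: only
    vendors added to the master file within that same year are considered;
    vendors missing from the master are kept for review rather than skipped.
    """
    window_start = as_of.replace(year=as_of.year - 1)  # as_of is never 29 February here
    by_vendor = defaultdict(list)
    for inv in invoices:
        if window_start <= inv["date"] <= as_of:
            by_vendor[inv["vendor_id"]].append(inv)
    flagged = []
    for vendor_id, rows in by_vendor.items():
        added = vendor_master.get(vendor_id, {}).get("added")
        if new_vendors_only and added is not None and added <= window_start:
            continue
        for inv in rows:
            others = [r["amount"] for r in rows if r is not inv]
            if not others:
                continue
            average = sum(others) / len(others)
            if inv["amount"] > average * (1 + pct / 100):
                flagged.append((vendor_id, inv["invoice_no"], inv["amount"], round(average, 2)))
    return flagged


if __name__ == "__main__":
    print("control totals (count, amount):", control_totals(INVOICES))
    print("duplicate invoices:", duplicate_invoices(INVOICES))
    print("check number gaps:", check_number_gaps(INVOICES))
    print("over 12-month average:", purchases_over_vendor_average(INVOICES, VENDOR_MASTER, AS_OF))
    print("piggyback (new vendors only):",
          purchases_over_vendor_average(INVOICES, VENDOR_MASTER, AS_OF, new_vendors_only=True))
```

Run the control totals first and agree them to the figures the company supplied before trusting any of the other results; a file that arrived truncated or double-loaded will produce gaps and duplicates of its own.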
Assuming an audit staff member is competent in the use of a report writer, these reports can be processed by the audit staff, or the organization’s MIS department can run the tests in the entity’s report writer.

Conclusion

Fraud examiners should look first at the numerous software tools available to prevent and detect fraud. They can begin with Proactively Detecting Occupational Fraud Using Computer Audit Reports and then find more than 100 free tools at www.auditsoftware.net/community, a free site that works to increase organizational benefits from the use of audit software. Although these tools greatly assist in the reduction of fraud, the reality is that no amount of computer analysis can guarantee that all fraud will be uncovered.

Endnotes

1 Wells, Joe; The Foreword, Proactively Detecting Occupational Fraud Using Computer Audit Reports
2 Lanza, Richard; Proactively Detecting Occupational Fraud Using Computer Audit Reports, Institute of Internal Auditors, www.theiia.org/ecm/iiarf.cfm?doc_id=4248. The report is posted as a free download; however, the IIA does request a voluntary US $40 donation.
3 For more information on the fraud categories and their relative organizational cost, please see the 2002 Report to the Nation: Occupational Fraud and Abuse, Association of Certified Fraud Examiners, www.cfenet.com.
4 Op. cit., Lanza

Rich Lanza, CPA, PMP, is a manager of internal audit at a Fortune 200 retailer, where he focuses mainly on using computer-assisted audit tools to improve business intelligence, increase efficiencies and identify bottom-line savings. He is also a leading authority on the use of data extraction/analysis technology and a frequent speaker on data analysis/project management. Lanza is also the founder of www.auditsoftware.net/community, which works to increase organizational benefits from the use of audit software by providing free tools, case studies, a newsletter and a discussion area to visitors. He can be reached at questions@richlanza.com.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the Information Systems Audit and Control Association, Inc. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.

Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors’ content.

© Copyright 2004 by Information Systems Audit and Control Association Inc., formerly the EDP Auditors Association. All rights reserved.

Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner, is expressly prohibited.