Class 3 - University of South Florida St. Petersburg

Developing a Forensic Continuous Audit Model
Grover S. Kearns, PhD, CPA, CFE
University of South Florida St. Petersburg
1
Motivation
Organizations are under pressure to
proactively recognize and react to
potential fraud in a comprehensive and
cost-efficient manner.
2
Background





• Excesses of past two decades and increase in financial statement fraud.
• Increased laws and regulation.
• Need to improve ‘tone at the top.’
• Inability to provide results using traditional audit approaches.
• Increasing costs of IT security and forensic methods.
3
Corporate Fraud
4
Increased Laws & Regs

Sarbanes Oxley Act of 2002 (SOX)


Sec 404 – system of internal controls
Sec 409 – acceleration of SEC filings
PCAOB Statements
SAS 99
COSO & COBIT Frameworks

These have led to increased costs, increased
pressures on management and on auditors.
5
PCAOB Audit Standard 5
“An Audit of Internal Control over Financial Reporting that is
Integrated with an Audit of Financial Statements.”


Increases reliance on internal audit
departments as evidence external auditors
can use in order to reduce duplication of
efforts and lower audit costs.
Continuous auditing tools are capable of
monitoring internal controls for SOX
compliance reporting.
6
Technology and the Accountant



SOX and SAS 99 encourage management and
external auditors to employ technological
approaches and embedded audit modules to audit
financial transactions and internal controls.
SOX Section 409 accelerates the SEC filings for
Form 10-Q and annual report Form 10-K.
The FTC’s red flag rules, effective December 31,
2010 for financial institutions and certain other
firms under FTC jurisdiction including CPA firms,
require companies to check for and report specific
violations.
7
Tone at the Top





• Executive management sets tone.
• Organizational tone is most important to internal control.
• Committee of Sponsoring Organizations (COSO)
• Control Objectives for IT (COBIT)
• Lack of ‘tone’ can imply lack of controls.
8
Internal Controls

PCAOB Auditing Statement 2, An Audit of
Internal Control over Financial Reporting
Performed in Conjunction with an Audit of
Financial Statements, states that it is
management’s responsibility to design
and implement a program of controls to
prevent, detect and deter fraud.
9
Traditional Audit Approach


Tests of transactions when limited to
small sample sets may not be
representative and cannot be expected
to detect a large percent of errors or
fraudulent activities.
Given the increased transaction
processing for most firms and increased
regulatory pressures, the traditional
approaches appear inadequate and
require increased substantive testing.
10
Q. Why did the Auditor cross the road?
A. Because according to the Audit
File, that’s what he did 3 years ago!
11
Traditional Audit Approach Ineffective for Fraud
• Internal and external audits combined only responsible for uncovering 19% of fraud.
  ACFE 2010 Report to the Nations
• Audits are isolated events that examine a small part of all transactions.
• Auditors lack technical skills.
12
Solution
Use forensics in a proactive manner to
continuously and methodically examine
a significant number of transactions in a
cost-efficient manner in order to flag
incidents of error, misuse, and fraud.
To do so we use a modified continuous
forensics auditing approach.
13
Continuous Audit Defined
“A continuous audit is a methodology that
enables independent auditors to provide
written assurance on a subject matter, for
which an entity’s management is responsible,
using a series of auditors’ reports issued
virtually simultaneously with, or a short
period of time after, the occurrence of events
underlying the subject matter.”
CICA/AICPA Research Study on Continuous Auditing,
1999.
14
Forensic Accounting


Forensic accounting offers the highest level
of assurance, is suitable for legal review,
and arrives at conclusions in a scientific
fashion. (Crumbley)
As a result of new regulatory requirements
for compliance and emphasis on IT
governance, auditors with forensic IT skills
have been in increased demand. (Hoffman,
2004)
15
Forensic Continuous Audit Timing


Judicious application of the cost/benefit rule
based upon the likelihood and severity of the
risk.
Performing analytical procedures on a routine
basis reduces cost of external auditors and
time on-site.
16
Embedded Audit Modules



EAMs depend upon audit-specific software that resides in the targeted application (Alles, 2002).
An EAM allows auditors to determine which transactions are to be tested and at what frequency. Results are collected and reported in real time (Groomer and Murthy, 1989).
Companies often do not activate the EAM
because of the significant resource requirements
which can slow overall processing dramatically
(Kuhn and Sutton, 2010; Debreceny et al., 2005).
17
Embedded Audit Module (Cont)


As the selected transaction is being processed
by the host application, a copy of the
transaction is stored in an audit file for
subsequent review.
The EAM approach allows selected
transactions to be captured throughout the
audit period, or at any time during the period,
thus significantly reducing the amount of
work the auditor must do to identify
significant transactions for substantive testing.
18
Continuous Fraud Auditing System
[Diagram. Labels: Production Server; Audit Server; Target Application; Ghosted Application; Business Transactions; Fraud Audit Tests; Refinements & Modifications; Selected Transactions; Exception Handling; Fraud Audit Application (Embedded Audit Module); Control Reports; Alarms; Management; Audit Committee; Internal Auditors; External Auditors]
19
Exception Handling

CA performs a large number of tests over a much
higher percentage of transactions and can reduce
reliance upon analytical procedures (Alles et al.,
2008).


It will also result in a large number of selected
transactions that have failed the audit tests.
Exception handling of selected transactions is key
to the effectiveness of the fraud audit system.
20
Impact of a Continuous Forensic Audit System
[Diagram. Labels: Continuous Forensic Auditing; Exception Handling; Forensic Evaluation; Refinement of Rules]
Decreased Governance Costs
Heightened Internal Controls
Decreased Risk of Fraudulent Transactions
21
Things that won’t stay in Vegas
22
Irrational Ratios




Ratios that signify an inconsistent
relationship or outlier that requires
investigation.
Can be based on relationships, trends,
deviations from standards.
Must be fine-tuned to prevent too many
false positives.
Should reflect audit objectives.
23
Irrational Ratios (cont.)




Days Sales in Receivables
  Accounts Receivable_{t-1} / Sales_{t-1}
Gross Margin Index
  (Sales_{t-1} – COGS_{t-1}) / Sales_{t-1}
Sales Growth Index
  Sales_t / Sales_{t-1}
Accruals to Assets Index
  [Change in (Working Capital – Cash – Current Taxes Payable) – Depr. & Amortiz.] / Total Assets
Adapted from Grove and Cook, 2004
24
[Figure: Employee Expenses March 2010. Z-Statistic by First Digit (1–9)]
25
[Figure: PCT Change in Revenues and Cost of Goods Sold. Series: COGS ($000) 2010/2009 and Revenues ($000) 2010/2009, by Week (1–20)]
26
[Figure: Transaction Activity. Series: Transactions (000) and PCT Errors (x000), with Outliers marked, by Week (1–20)]
27
Data Analysis using Forensic
Continuous Audit Model

Risk Assessment – examination of key performance metrics and risk indicators to determine if the risk profile of a particular function has changed. For a finance function you might look at the following.
• Cash balance compared to plan and prior period
• Cash transactions that exceed authority limit
• Significant differences identified between planned and actual taxes
• Significant unexplained financial fluctuations
28
Data Analysis using Forensic
Continuous Audit Model

Fraud detection – examine data for
potential fraud indicators.






Vendor/Employee/Agent address comparison
Vendor SSN/EIN validation
Employee name/Payee comparison
Benford analysis (expected frequency)
Ratio analysis
Supplemental payments under authority
29
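The Benford analysis listed above, and the first-digit Z-statistic plotted on the Employee Expenses slide, worked through as an added Python example (not part of the original slides). The Z formula with continuity correction is the standard first-digit test; the expense amounts and the 500 threshold are constructed for illustration.

```python
import math
from collections import Counter

def first_digit(amount):
    """Leading non-zero digit of a positive amount; None for zero or negatives."""
    if amount <= 0:
        return None
    return int(str(amount).lstrip("0.")[0])

def benford_z(amounts):
    """Per digit 1-9: (observed share, Benford share, Z-statistic)."""
    digits = [d for d in map(first_digit, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    result = {}
    for d in range(1, 10):
        expected = math.log10(1 + 1 / d)      # Benford's expected frequency
        observed = counts[d] / n
        diff = abs(observed - expected)
        correction = 1 / (2 * n)              # continuity correction
        if correction < diff:
            diff -= correction
        z = diff / math.sqrt(expected * (1 - expected) / n)
        result[d] = (observed, expected, z)
    return result

def flagged_digits(amounts, z_crit=1.96):
    """Digits whose frequency deviates from Benford at the 5% level."""
    return [d for d, (_, _, z) in benford_z(amounts).items() if z > z_crit]

# Constructed sample (not data from the slides): 300 claims spread evenly on a
# log scale from 10 to 1,000, which follows Benford's law, plus 40 claims
# parked just under a hypothetical 500 receipt threshold.
BASELINE = [10 ** (1 + i / 150) for i in range(300)]
PADDED = BASELINE + [480 + 0.45 * i for i in range(40)]

if __name__ == "__main__":
    for digit, (obs, exp, z) in benford_z(PADDED).items():
        print(f"{digit}: observed={obs:.3f} expected={exp:.3f} z={z:.2f}")
    print("flagged:", flagged_digits(PADDED))
```

A flagged digit is a lead for exception handling, not a finding: the claims behind it still have to be pulled and reviewed.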
Data Analysis using Forensic
Continuous Audit Model


Control evaluation – tests of specific controls to determine if they are working as intended.
• Access control to a particular system
• Payments exceeding authority limits
• Appropriate approvals of transactions
• Review of entries that may indicate a management override of controls
Recovery opportunities
• Duplicate payments
• Travel expense irregularities
30
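Three of the tests named on the preceding slides (payments exceeding authority limits, duplicate payments, vendor/employee address comparison) run over every payment, with failures copied to an audit file as the embedded audit module slides describe. This is an added Python example, not code from the slides; the record layout, identifiers, addresses and limits are all hypothetical.

```python
import re

def norm(text):
    """Upper-case and keep only letters and digits, so formatting cannot hide a match."""
    return re.sub(r"[^A-Z0-9]", "", text.upper())

def audit_exceptions(payments, vendors, employees):
    """Return the audit file: (payment id, failed test) for every exception."""
    staff_addresses = {norm(e["address"]) for e in employees.values()}
    seen = set()
    audit_file = []
    for p in payments:
        failed = []
        # Control evaluation: payment exceeds the approver's authority limit.
        if p["cents"] > employees[p["approver"]]["limit_cents"]:
            failed.append("OVER_LIMIT")
        # Recovery opportunity: same vendor, invoice number and amount paid twice.
        key = (p["vendor"], norm(p["invoice"]), p["cents"])
        if key in seen:
            failed.append("DUPLICATE")
        seen.add(key)
        # Fraud indicator: vendor address matches an employee address.
        if norm(vendors[p["vendor"]]) in staff_addresses:
            failed.append("ADDRESS_MATCH")
        audit_file.extend((p["id"], test) for test in failed)
    return audit_file

# Constructed sample records (all names, addresses and limits are hypothetical).
# Amounts are integer cents so that equality tests are exact.
VENDORS = {"V1": "12 Bay St, Tampa", "V2": "400 1st Ave N., St. Petersburg",
           "V3": "9 Oak Rd, Largo"}
EMPLOYEES = {"E7": {"address": "400 1ST AVE N ST PETERSBURG", "limit_cents": 500_000},
             "E9": {"address": "77 Pine Ct, Clearwater", "limit_cents": 2_000_000}}
PAYMENTS = [
    {"id": "P1", "vendor": "V1", "invoice": "INV-100", "cents": 120_000, "approver": "E7"},
    {"id": "P2", "vendor": "V1", "invoice": "inv 100", "cents": 120_000, "approver": "E7"},
    {"id": "P3", "vendor": "V2", "invoice": "A-17", "cents": 80_000, "approver": "E9"},
    {"id": "P4", "vendor": "V3", "invoice": "5531", "cents": 750_000, "approver": "E7"},
    {"id": "P5", "vendor": "V3", "invoice": "5532", "cents": 410_000, "approver": "E9"},
]

if __name__ == "__main__":
    for payment_id, test in audit_exceptions(PAYMENTS, VENDORS, EMPLOYEES):
        print(payment_id, test)
```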
Where No Data Has Gone Before
31
Technology and the
Accountant




Traditional audit approaches and sampling methods cannot be expected to uncover the majority of transactional errors or occupational fraud (Wells, 2011; Oringel and Aldhizer, 2009).
Technology offers opportunities to detect and deter fraud more efficiently and effectively.
SAS 99, Consideration of Fraud in a Financial Statement Audit, codifies many fraud detection procedures and encourages their use by auditors to detect client fraud risk and identify transactions to be tested.
The technological skills required, however, often exceed the competency of auditors, causing them to resort to less effective manual approaches.
32
PCAOB Audit Standard 2
“An Audit of Internal Control over Financial Reporting
Performed in Conjunction with an Audit of Financial
Statements.”

CPAs will have to become more
knowledgeable and competent
concerning IT controls and IT auditing


Auditing “around” the computer is dead
Auditing “through” the computer requires
technical skills
33
CAATs



Regulatory standards encourage the use of
computer assisted audit tools (CAATs) for
accessing and analyzing data files and
suggest that risk assessment reflect the client
IT standards (AICPA 2001, 2006).
Research indicates only a minority of firms
use CAATs for substantive testing because of
high level of complexity (Janvrin et al., 2009).
CA can provide much of this testing and
relieve auditors from the more complex tasks.
34
CAATs
• ACL and IDEA widely used.
• AKA Data Extraction Software – can import data with various file types
• An important use is in performing substantive tests.
• Most audit testing occurs in the substantive-testing phase of the audit.
• Used to substantiate dollar amounts in account balances.
35
CAATs Functionality







Importing and cleansing data
Stratifying and classifying
Statistical analysis
Benford’s Law analysis
Duplicates and Gaps
Sampling
Graphical analysis
36
Substantive Tests
• Determining the correct value of inventory
• Determining the accuracy of prepayments and accruals
• Confirming accounts receivable with customers
• Searching for unrecorded liabilities
examples . . .
# shipments received = # P.O.s sent
inventory_t = (inventory - sales + purchases)_{t-1}
37
Substantive Tests (Cont)
• In an IT environment, the records needed to perform these tests are stored in various databases
• Before substantive tests can be performed, the data need to be extracted from the host system and presented to the auditor in a usable format
38
Refinement of Audit Tests
Based on results and back-testing,
• Reduce transaction sets
• Increased attention on areas of interest
• Change granularity of formulas
example …
# shipments received = # P.O.s sent
to
# shipments received_t = δ × # P.O.s sent_t + ε
# vouchers processed_t = δ × # shipments received_t
39
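The refinement on the preceding slide, from the strict equality to shipments_t = δ × P.O.s_t + ε, as an added Python example (not from the slides). The slide does not say how δ and ε are set; here, as an assumption, δ is a least-squares slope fitted on baseline weeks and ε is a tolerance of k baseline standard deviations. The weekly counts are constructed.

```python
import math

def naive_flag(pos_sent, shipments):
    """Original test: flag every week where shipments received != P.O.s sent."""
    return [w for w, (p, s) in enumerate(zip(pos_sent, shipments), start=1) if p != s]

def fit_delta(pos_sent, shipments):
    """Least-squares slope through the origin for shipments = delta * P.O.s."""
    return sum(p * s for p, s in zip(pos_sent, shipments)) / sum(p * p for p in pos_sent)

def refine_and_flag(pos_sent, shipments, baseline=8, k=3.0):
    """Fit delta on the baseline weeks, then flag weeks whose residual exceeds epsilon."""
    delta = fit_delta(pos_sent[:baseline], shipments[:baseline])
    residuals = [s - delta * p for p, s in zip(pos_sent, shipments)]
    # Residual standard deviation over the back-tested baseline period.
    sigma = math.sqrt(sum(r * r for r in residuals[:baseline]) / (baseline - 1))
    epsilon = k * sigma
    flagged = [w for w, r in enumerate(residuals, start=1) if abs(r) > epsilon]
    return delta, epsilon, flagged

# Constructed weekly counts (not data from the slides). Roughly 95% of P.O.s
# arrive as shipments, except week 10, where receipts far exceed orders.
POS_SENT = [100, 120, 90, 110, 105, 95, 115, 100, 108, 112, 98, 104]
SHIPMENTS = [95, 114, 86, 104, 100, 90, 110, 95, 103, 131, 93, 99]

if __name__ == "__main__":
    print("strict equality flags weeks:", naive_flag(POS_SENT, SHIPMENTS))
    delta, epsilon, flagged = refine_and_flag(POS_SENT, SHIPMENTS)
    print(f"delta={delta:.4f} epsilon={epsilon:.2f} flagged weeks: {flagged}")
```

The strict equality test sends all twelve weeks to exception handling; the refined test sends one.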
Questions?
Thank you for your attention!
Grover S. Kearns, PhD, CPA, CFE
University of South Florida St. Petersburg
gkearns@mail.usf.edu
40