Using Data Analytics to Find Fraud Indicators
Ron Steinkamp, Joe Montes
November 30, 2016

2016 MSCPA Fraud Conference Presentation


Agenda

• COSO Fraud Risk Management
• What is Data Analysis?
• Data Analysis Benefits & Challenges
• Perspectives on Data Analysis
• Using Data Analysis to Find Fraud Indicators
• Exercise

© 2016 All Rights Reserved Brown Smith Wallace LLP

COSO Fraud Risk Management

COSO Fraud Risk Management Guide

• COSO issued Fraud Risk Management Guide.
• Guidance on how to deter fraud.
• 5 Fraud Risk Management Principles.
• Aligned with the COSO Framework Components and Principles.
• Further detailed in Points of Focus related to each Principle.
• Can be used as a starting point to develop a Fraud Risk Management Program.

Fraud Risk Management Principles

CONTROL ENVIRONMENT
1. The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

RISK ASSESSMENT
2. The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

CONTROL ACTIVITIES
3. The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

INFORMATION & COMMUNICATION
4. The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

MONITORING ACTIVITIES
5. The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board.

What Does This Have to Do With Data Analytics?

• Data analytics is addressed as a Point of Focus within the Fraud Risk Management Principles.
  – Use data analytics for fraud risk assessment and response.
  – Use proactive data analytic procedures to identify transactions or events for further investigation.
• Appendix E of the COSO Fraud Risk Management Guide covers the use of data analytics in fraud risk management.

What is Data Analysis?

Data Analysis Defined

• Process of extracting, inspecting, cleaning, transforming, and modeling data in order to discover useful information, derive conclusions, and support decision-making
  – Employees are not using a system field as intended
  – Controls are not functioning properly
  – Vendor master access should be restricted

Data Analysis Benefits & Challenges

Data Analysis Benefits

• 100% vs. sampling
• Brings Operational and IT together
• Comparison to an outside source
• Identification of control weaknesses
• Re-performable
• Red flags and trends
• Log = Workpaper

Challenges

Overall
• Employee Resources
  – Limited know-how
  – Analysis is most effective with good business, process, and system knowledge
  – Check-the-box mentality
• What is Success?
• Technology Choices
• Boiling the Ocean

Challenges

Data Quality and Availability
• Lack of access
• Disparate systems
• Weak system controls lead to bad data
• Bad data leads to bad information
• Integrity tests:
  – Corruption
  – Completeness
  – Uniqueness
  – Logical relationships
  – Proper boundaries

Challenges

Actual Objectives
• Ability to effectively achieve objectives selected
• Defining exceptions
• Investigating exceptions
• Business processes change

Perspectives on Data Analysis

Data Surveys

• The AICPA has said that the use of technological improvements in Audit has been incremental rather than transformative
• To advance data analytics in Internal Audit
  – Data analytics must be part of the mission
  – Funding must be available to buy the tools and provide training
  – Auditors must learn the appropriate skills
  – Time must be budgeted and allocated
  – The data must be readily available
  – The data must be accurate

ACFE

• Internal Audit initially detecting fraud increased from 14.4% to 16.5% between 2012 and 2016
• Larger organizations showed Internal Audit detecting 18.6% of cases
• Greatest Inhibitors to Data Analysis Success
  – Lack of appropriate skills
  – Data to be integrated is not clean
  – Complexity of implementation
  – Inability to integrate necessary data sources
  – Lack of integration with existing systems
  – Solutions are difficult to use
  – Inability to customize for specific needs

Recent Conferences

“Not auditing the data in your company’s ERP system wastes the amount of money and time spent implementing it.”

“Analysts can’t just be good at scripting, they have to be able to identify risks, interpret results, and audit exceptions.”

“None of the technologies understand relationships, business changes, or critical thinking. The Human factor will always be there. You will never set it and forget it.”

“Everything IT serves the business and is not just an IT risk.”

“In 10 years, computers will do all of this and humans won’t be needed.”

“Analytics should be used to add, drop, and accelerate audits in the audit plan. It should not be a document updated yearly.”

“Coordination between Compliance and Internal Audit to share data and coordinate schedules will increase everyone’s effectiveness.”

“Data analysis is worth the effort. So much to gain. Hang in there.”

“Every control review can have a fraud focus with data analytics and the right auditors.”

“Intelligence should not be acquired just for the sake of integrating more data; the strategic focus should be on ‘acquiring intelligence with a purpose’.”

Using Data Analysis to Find Fraud Indicators

Data Integrity Verification

• First Thing!
• Various standard steps to understand a file
• Experience Hours Reputation

Main Categories
• Statistics
• Counts
• Totals
• Blanks
• Classifies
• Duplicates
• Gaps
• Logical Relationships
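The verification categories above, applied to one extract before any fraud test is run. This is an added example, not material from the presentation; the check-register layout, the field names and the control figures are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample extract (not real data): a small check register.
SAMPLE = """check_no,vendor_id,invoice_date,pay_date,amount
1001,V010,2016-01-04,2016-01-15,250.00
1002,V011,2016-01-05,2016-01-15,1200.50
1002,V011,2016-01-05,2016-01-15,1200.50
1004,,2016-01-09,2016-01-20,75.25
1005,V013,2016-02-01,2016-01-28,-40.00
"""

def verify(text, control_count, control_total):
    """Integrity tests to run on an extract before any fraud analysis."""
    rows = list(csv.DictReader(io.StringIO(text)))
    cents = [round(float(r["amount"]) * 100) for r in rows]  # avoid float drift
    nums = sorted({int(r["check_no"]) for r in rows})
    seen, dups = set(), []
    for r in rows:
        key = tuple(r.values())
        if key in seen:
            dups.append(r["check_no"])
        seen.add(key)
    return {
        # Counts and totals: reconcile to figures supplied by the data owner.
        "count_ok": len(rows) == control_count,
        "total_ok": sum(cents) == round(control_total * 100),
        # Blanks: empty values per field.
        "blanks": {f: sum(not r[f].strip() for r in rows) for f in rows[0]},
        # Duplicates: fully identical records.
        "duplicates": dups,
        # Gaps: missing numbers in the check sequence.
        "gaps": [n for n in range(nums[0], nums[-1] + 1) if n not in nums],
        # Logical relationships: payment dated before the invoice.
        "paid_before_invoice": [
            r["check_no"] for r in rows
            if date.fromisoformat(r["pay_date"]) < date.fromisoformat(r["invoice_date"])
        ],
        # Proper boundaries: zero or negative payment amounts.
        "out_of_bounds": [r["check_no"] for r, c in zip(rows, cents) if c <= 0],
    }

if __name__ == "__main__":
    # Control figures are assumed to come from the source system's own report.
    for test, result in verify(SAMPLE, 4, 1485.75).items():
        print(f"{test}: {result}")
```

A failed count or total reconciliation means the extract is not the population the source system reports, so exceptions found later cannot be relied on until the difference is explained.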

Payroll

Ghost Employee red flags
• Duplicate addresses, routing numbers, SSNs
• Employee record has been accessed/edited by one person
• HR compared v. Payroll v. other systems
• No withholdings or deductions
• No vacation or sick time
• No overtime for hourly
• Blank fields
• PO Box

Payroll Continued

Payment Red Flags
• Frequent changes to bank numbers
• Terminated employees with current pay
• Employees with multiple bank accounts
• Bank accounts with multiple employees
• Excessive Overtime

Accounts Payable

Process Red Flags
• Segregation of duties
• Date Comparisons
• Quantity Comparisons
• Amount Comparison

AP Continued

Employee / Vendor Red Flags
• Same name
• Matching addresses or routing numbers
• Last name or Initials as part of vendor name
• Disclosure and emergency contact comparison

AP Continued

Vendor Red Flags
• Same vendor with different vendor number
• Vendor type does not match vendor spend
• Vendor type does not match purchaser
• Frequent or Inappropriate changes
• Inactive vendor with activity
• Unusual payment terms
• PO Box or no address
• One-time vendors

AP Continued

Payable Red Flags
• Frequent or Inappropriate changes
• Single payment run
• Payment runs at unusual times
• Checks to different address than master
• Invoice and check sequence

Travel & Entertainment

Duplicate Red Flags

Same expense reimbursed more than once
• Identify employees that report expenses for the same transaction dates on multiple expense reports. This makes duplication harder to identify.
• Look at transactions not paid via company card; these could also be duplicates of a card transaction (same date, transaction amount, and vendor/expense type).
• Identify same transaction reported on different individuals’ expense reports.
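The three duplicate tests above, run over one set of expense lines. This is an added example, not material from the presentation; the field layout, the `card`/`cash` payment labels and the matching key (date, merchant, amount) are assumptions, and the expense lines are constructed.

```python
from collections import defaultdict

# Constructed expense lines (not real data):
# (report_id, employee, txn_date, merchant, amount, paid_by)
LINES = [
    ("R1", "alice", "2016-03-01", "Hotel A", 310.00, "card"),
    ("R2", "alice", "2016-03-01", "HOTEL A", 310.00, "cash"),
    ("R3", "bob", "2016-03-02", "Steakhouse", 180.00, "card"),
    ("R4", "carol", "2016-03-02", "Steakhouse", 180.00, "cash"),
    ("R5", "dave", "2016-03-05", "Taxi", 22.00, "cash"),
    ("R6", "dave", "2016-03-09", "Taxi", 22.00, "cash"),
]

def duplicate_flags(lines):
    """Return report ids grouped under the three duplicate tests."""
    by_txn = defaultdict(list)      # (date, merchant, cents) -> [(report, employee, paid_by)]
    by_emp_date = defaultdict(set)  # (employee, date) -> {report ids}
    for rep, emp, day, merch, amt, paid in lines:
        # Normalise merchant case and compare amounts in cents.
        by_txn[(day, merch.strip().upper(), round(amt * 100))].append((rep, emp, paid))
        by_emp_date[(emp, day)].add(rep)

    flags = {"same_dates_multi_reports": [], "cash_dup_of_card": [], "cross_employee": []}
    # Test 1: one employee, same transaction date, more than one expense report.
    for (emp, day), reps in sorted(by_emp_date.items()):
        if len(reps) > 1:
            flags["same_dates_multi_reports"].append(sorted(reps))
    for key, hits in sorted(by_txn.items()):
        reps = sorted(rep for rep, _, _ in hits)
        # Test 2: out-of-pocket claim matching a card charge on date, amount, merchant.
        if {"card", "cash"} <= {paid for _, _, paid in hits}:
            flags["cash_dup_of_card"].append(reps)
        # Test 3: same transaction on different individuals' reports.
        if len({emp for _, emp, _ in hits}) > 1:
            flags["cross_employee"].append(reps)
    return flags

if __name__ == "__main__":
    for test, reports in duplicate_flags(LINES).items():
        print(f"{test}: {reports}")
```

The two taxi fares share an amount and merchant but fall on different dates, so none of the three tests flags them.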

T & E Continued

Other Red Flags
• Unexpected dates, vendor names, individual names, or keywords
• Round dollars (gift cards, cash)
• Employees who have more than the average quantity or amount of transactions in higher risk or specific expense categories.
• Identify expenses with unusual Merchant Category Codes (MCC) based on company policy or transaction type selected by the employee.
• Spending zip code

P-Card

Other Red Flags
• Weekends or holidays
• Declined or disputed transactions
• Large transactions
• Active cards v. current employee
• Approval workflow
• Missing receipts

FCPA

Foreign Corrupt Practices Act
• It is unlawful to make a corrupt payment to a foreign official for the purpose of influencing the official in order to assist in obtaining/retaining business
• Companies who file reports with the SEC must maintain records that accurately reflect transactions and the nature and quantity of corporate assets and liabilities
• Yates memo made it personal
• Lower fines by making corruption as difficult to perpetrate as you can

FCPA

Other Red Flags
• Names and addresses on the SAM list, etc.
• Keyword search in payables, general ledger, P-Cards, T&E
• Journal entries with unexpected combinations of accounts (e.g. debit to sales/credit to cash)
• Analyze sales and commission information
• Identify payroll, travel advances, or travel reimbursements to non-employees
• Test currency exchange expectations
• Purchasing costs

EXERCISE

Question???

What data analysis procedures can we utilize to help identify a fraud where employees create approximately 2 million fake bank/credit card accounts?

Audience Participation

Employees/Managers/Locations Who
• Consistently meet or beat performance quotas
• Have more than average number of accounts that have not been accessed by account holder (activity files exist for everything)
• Have more than average number of accounts opened without customer service interaction (in person, phone, app, online is traced)
• Have more than average number of accounts closed within # days of opening
• Have more than average number of accounts opened for the same customer within # of days
• Have complaints against them (textual analysis of complaint tracking system)

Challenges
• What about the really good salesperson?
• No complaints, surely has a bad month,
• Widespread fraud could cause averages to be skewed
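The skewed-average challenge above, shown on one of the listed measures. This is an added example, not material from the presentation: the per-employee counts are constructed, and the median/MAD modified z-score (constant 0.6745, cut-off 3.5) is a standard robust-statistics technique brought in here, not a method the presenters describe.

```python
from statistics import mean, median, stdev

# Constructed data (not from the presentation): accounts per employee that
# the account holder never accessed. Three employees are far above peers.
UNUSED = {"e01": 3, "e02": 4, "e03": 5, "e04": 4, "e05": 6, "e06": 3,
          "e07": 5, "e08": 4, "e09": 5, "e10": 60, "e11": 70, "e12": 80}

def flag_by_mean(counts, z_cut=3.0):
    """Flag values more than z_cut standard deviations above the mean."""
    mu, sd = mean(counts.values()), stdev(counts.values())
    return sorted(e for e, v in counts.items() if sd and (v - mu) / sd > z_cut)

def flag_by_median(counts, cut=3.5):
    """Modified z-score on the median and MAD, which a few outliers barely move."""
    med = median(counts.values())
    mad = median(abs(v - med) for v in counts.values())
    if mad == 0:
        # More than half the peers are identical: any excess is an exception.
        return sorted(e for e, v in counts.items() if v > med)
    return sorted(e for e, v in counts.items() if 0.6745 * (v - med) / mad > cut)

if __name__ == "__main__":
    # The three high counts inflate the mean and the standard deviation so
    # much that none of them exceeds the cut-off of the mean-based test.
    print("mean-based:  ", flag_by_mean(UNUSED))
    print("median-based:", flag_by_median(UNUSED))
```

If more than half of a peer group is involved, the median shifts as well, which is where comparison to an outside source becomes necessary.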

In Summary

• Fraud is not going away and we need to devise better methods to prevent and detect it as early as possible.
• The new COSO Fraud Risk Management Guide encourages the use of data analytics.
• Data analysis is a great preventative and detective control for fraud.
• If people think you are watching, they are less likely to try to commit fraud.
• Payroll, P2P, T&E, and FCPA are great places to start.
• Hindsight is 20/20, but it can be applied to the future.

Any Questions?

Ron Steinkamp | [email protected] | 314-983-1238
Joe Montes | [email protected] | 314-983-1380

A Measurable Difference

6 CityPlace Drive, Suite 900 │ St. Louis, Missouri 63141 │ 314.983.1200
1520 S. Fifth St., Suite 309 │ St. Charles, Missouri 63303 │ 636.255.3000
2220 S. State Route 157, Ste. 300 │ Glen Carbon, Illinois 62034 │ 618.654.3100
1.888.279.2792 │ bswllc.com

Brown Smith Wallace is a Missouri Limited Liability Partnership