Using Data Analytics to Conduct a Forensic Audit

Using Data Analytics to
Conduct a Forensic
Audit
February 6, 2013
Special Guest Presenter:
David Zweighaft CPA/CFF, CFE

Copyright © 2013 FraudResourceNet™ LLC

About Peter Goldmann, MSc., CFE



President and Founder of White Collar Crime 101

Publisher of White-Collar Crime Fighter
Developer of FraudAware® Anti-Fraud Training
Monthly Columnist, The Fraud Examiner,
ACFE Newsletter

 Member of Editorial Advisory Board, ACFE
 Author of “Fraud in the Markets”
Explains how fraud fueled the financial crisis.


About Jim Kaplan, MSc, CIA, CFE
 President and Founder of
AuditNet®, the global resource
for auditors
 Auditor, Web Site Guru,
Internet for Auditors Pioneer
Recipient of the IIA’s 2007
Bradford Cadmus Memorial
Award.
 Author of “The Auditor’s
Guide to Internet Resources”
2nd Edition

About David Zweighaft
CPA/CFF, CFE
 Principal at DSZ Forensic Accounting
& Consulting Services LLC
 David has been practicing Litigation
Consulting and Forensic Accounting
for over 20 years
 Assisted the US Dept of Justice in
identifying and tracing asserts
 He managed the largest Swiss bank
Holocaust Asset investigation in New
York for the NYS Banking
Department

Webinar Housekeeping
This webinar and its material are the property of AuditNet® and FraudAware®.
Unauthorized usage or recording of this webinar or any of its material is strictly
forbidden. We will be recording the webinar and if you paid the registration fee
you will be provided access to that recording within two business days after the
webinar. Downloading or otherwise duplicating the webinar recording is
expressly prohibited.
Webinar will be recorded and will be made available within 48 hours.
Please complete the evaluation to help us continuously improve our Webinars.
You must answer the polling questions to qualify for CPE per NASBA.
Submit questions via the chat box on your screen and we will answer them
either during or at the conclusion.
If GTW stops working you may need to close and restart. You can always dial
in and listen and follow along with the handout.

Agenda







Introduction
Standards & Essentials
What is a “Forensic Audit”?
Pre-Planning & Brainstorming
Data Analysis Tools to Manage Big Data
Data Analysis Techniques


5

The Auditor’s Role

 IPPF Standard 1210.A3
 Internal auditors must have
sufficient knowledge of…available
technology based audit techniques
to perform their assigned work


IIA Guidance – GTAG 13
Internal auditors require appropriate
skills and should use available
technological tools to help them
maintain a successful fraud
management program that covers
prevention, detection, and
investigation. As such, all audit
professionals — not just IT audit
specialists — are expected to be
increasingly proficient in areas such as
data analysis and the use of
technology to help them meet the
demands of the job.


Professional Guidance


Polling Question 3

Detecting ghost employees is NOT one
of the areas best suited for using data
analytics
a. True
b. False


Fraud: The Big Picture
According to major accounting firms, professional fraud
examiners and law enforcement:

 Fraud jumps significantly during tough economic times
 Business losses due to fraud increased 20% in last 12
months, from $1.4 million to $1.7 million per billion dollars of
sales. (Kroll 2010/2011 Global Fraud Report)
 Average cost to for each incident of fraud is $160,000
(ACFE) Of Financial Statement fraud: $2 million
 Approx. 60% of corporate fraud committed by insiders (PwC)
 Approx. 50% of employees who commit fraud have been
with their employers for over 5 years (ACFE)

Data Analytics: Introduction


Data Analytics: Introduction


Analytics in Audit Planning


From SAS 99, “Consideration of Fraud in a Financial Statement Audit”:
Discussion Among Engagement Personnel Regarding the Risks of Material
Misstatement Due to Fraud…
Prior to or in conjunction with the information-gathering procedures
described [this document], members of the audit team should discuss the
potential for material misstatement due to fraud. The discussion should
include:
An exchange of ideas or "brainstorming" among the audit team members,
including the auditor with final responsibility for the audit, about how and
where they believe the entity's financial statements might be
susceptible to material misstatement due to fraud, how management
could perpetrate and conceal fraudulent financial reporting, and how
assets of the entity could be misappropriated.
Continued…


Identifying the Detailed Payroll
Transaction Data
TYPES OF FRAUD RISK
 Financial Reporting Risk
(1) Tone set by top management, (2) internal accounting and audit
functions, (3) Audit committee, (4) management and audit committee
reports, (5) practice of seeking second opinions from independent public
accountants, and (6) quarterly reporting.
 Operational risk
Risk of loss resulting from inadequate or failed internal processes, people
and systems, or from external events. Operational risk is the amount of
exposure an organization has as a result of its operational structure. This
includes risk due to processes, organizations, and technologies.
 Strategic Risk
The risk associated with future business plans and strategies. This risk
category includes plans for entering new business lines, expanding
existing services through mergers and acquisitions, and enhancing
infrastructure (e.g., physical plant and equipment and information
technology and networking). Strategic plans that include market
expansion or addition of new products.

Identifying the Detailed Payroll
Transaction Data
TYPES OF FRAUD RISK (continued)
 Reputation Risk
Business reputation is established by gaining and retaining
the confidence and trust of the stakeholders in the business:
customers, suppliers and employees, as well as
shareholders. Reputation is gained over time.
 Regulatory/Compliance Risk
Risk of Civil and Criminal violations. Regulatory risk, a term
describing the problems arising from new or existing
regulations, is now one of the greatest threats to business.
Compliance with regulatory requirements and ethical conduct
standards is a major concern of Boards of Directors and Audit
Committees.

Common Fraud Scenarios, or “If I were going to
commit fraud, I’d….”
Per SAS 99, PCAOB, AS 2 and 5, fraud risk must be
considered using a Common Fraud Scenario approach.
This allows the auditor to enlist the detailed knowledge of the
stakeholders in the organization in identifying and prioritizing
fraud risks at both the entity, process and account levels.


Fraud Scenarios – Treasury – Cash
Executive management in Australia sets up two bank accounts
for deposit of COMPANY receipts. Funds deposited to the first
account is reported to COMPANY Corporate headquarters.
Funds deposited to the second account are used for the
personal pleasure of Executive management in Australia.
Bank reconciliations are conducted by COMPANY Executive
management in Australia and no other accounting is reported
to COMPANY headquarters
Continued

Fraud Scenario – Tax Law
Bribes are paid to tax authorities in China to reduce
outstanding liabilities and/or audit adjustments. The bribe
payments are disguised as consulting or contracting expense.
Fraud Scenarios - Payroll
The payroll analyst records time and attendance and a salary
of $500,000.00 per year for her boyfriend who never worked
at XXXX. Subsequent to the time the payroll information is
sent to ADP but prior to the time the payroll report is reviewed
by the Payroll Supervisor, the payroll analyst reverses the
entry. The disbursement to the boyfriend is made by ADP but
does not show up on payroll reports.

Identifying and Prioritizing Fraud Risk
By brainstorming the types of fraud schemes the organization is
potentially vulnerable to, the team and the stakeholders can make
estimates of …
i) Vulnerability - how likely the occurrence of these schemes are
(very low to very high), and
ii) Magnitude - what is the potential qualitative impact (very low to
very high).
Using the vulnerability criteria discussed previously, auditors can
produce a risk “heat map” that can assist in identifying HIGH RISK
accounts and processes.

Level

Descriptor

Vulnerability Description

Probability Per
Occurrence

5

Very High

Controls, testing, monitoring & reporting are non-existent
or ineffective; previous significant adverse experience;
lack of skills, influence & knowledge to mitigate risk;
and/or significant process or system issue.

Almost Certain

4

High

3

Medium

2

Low

1

Very Low

Controls, testing, monitoring & reporting are minimally
effective; previous major adverse experience; limited
skills, influence & knowledge to mitigate risk; and/or
major process or system issue.
Controls, testing, monitoring & reporting are somewhat
effective; previous moderate adverse experience, minor
skills, influence & knowledge to mitigate risk; and/or
moderate process or system issue.
Controls, testing, monitoring & reporting are effective;
previous minor adverse experience, significant skills,
influence & knowledge to mitigate risk; and/or no
process or system issue.
Controls, testing, monitoring & reporting are very
effective; no previous adverse experience, very significant
skills influence & knowledge to mitigate risk

Probable

Reasonably
Possible
Remote

Rare

Business Impact
Per Occurrence

Level

Descriptor

Magnitude Description

5

Very High

High damage control requiring public /
regulatory communication, huge financial
loss, fraud perpetrated by senior mgmt

> $20 million

4

High

Business impact requires significant
additional resources to mitigate (internal or
external), high financial loss

> $5 million to
< $20 million

3

Medium

Business impact may require (mainly
internal) additional resources, medium/high
financial loss

> $1 million
< $5 million

2

Low

Business impact easily mitigated,
medium/low financial loss

> $500,000 to
< $1 million

1

Very Low

Insignificant business impact, low financial
loss

< $500,000


1 Facilities

Identification & Prioritization of Fraud Risk
18

2 Fixed Assets

High Magnitude/High Vulnerability

High Vulnerability/Low Magnitude

3 Inventory
4 Information Technology

16

0 GA
20
5

14

6

1
3

12

Vulnerability

7

6 CATS-Procurement

16
8

9

10

7 Customer Support

14

8 Direct Sales

2

4

5 CATS-A/P

19

13

9 Entity Level Controls

11

10 Finance-Accounting

17

10

11Finance-Payroll

12

18

12 Finance Regulatory

8

13 Finance Tax

15
6

14 Finance-Treasury
Cash
15 HR-Benefits

4

16 Indirect Sales
17 Law

2

18 Marketing
19 R&D

0

20 Sales
0

2

4

6

8

10

Low Magnitude/Low Vulnerability

12

Magnitude

14

16

18

20

High Magnitude/Low Vulnerability


0 GA

Polling Question 3

Who should participate in the
identification and prioritization of
fraud exercise?
a.
b.
c.
d.

Finance
Legal
Internal Audit
All of the above


Identify Relevant Data Sources within the organization:
Financial – General Ledger, Sub Ledgers, Payroll
Non-Financial – Personnel files, Access logs, Emails, Vendor Files
Identify data sources
Areas or issues of focus
Collect or gather data
Prepare data (“data
normalization”)

Analyze data
Interpret data
Monitor results
Identify issues for further
research or investigation

Assess Resources Needed for the Audit:
Staffing – Headcount, locations
Skills – Languages, Experience, Expertise (CFEs, IT skills)
Tools – Computer Automated Analytic Tools (CAATs) Software

Data Analysis - Forensic Audit

Data Analysis Techniques


Analytical Approaches to Planning
 Industry Comparatives – Benchmarking
 Time Series (Horizontal) Analysis
 Common Size (Vertical) Analysis


Analytical Approaches to Planning
Vertical – a/k/a “common-sized statements”
Analyzes each line as a % of its relevant total
Income items as a % of total revenue
Expenses as a % of total expense
Identifies disproportionate items
Identifies fluctuations between periods
Horizontal – a/k/a “time-series analysis”
Measures $ and % changes from period to period
Identifies fluctuations and seasonality


Demo
Horizontal & Vertical Analysis
Demo: Performing Financial Statement Analyses
Learn How to:
Identify patterns and anomalies in financial statements


Demo
Account Reconciliations
Demo: Converting and Matching Subledger Data
to the General Ledger
Learn How to:
Extract data from legacy systems and reconcile to General
Ledger data


Top-Down vs. Bottom-Up Approach
Depending on the area being audited, the auditor may choose between
Top-Down Approach – Best for entity-level controls and compliance
policies
 Code of conduct issues
 Corporate Governance
 Vendor selection policies
Bottom-Up Approach – Best for process-level and account detail testing
 Travel & Expense reporting
 Cash disbursements and approvals


Polling Question 3

When comparing companies in the
same industry, which analytic tool is
least helpful?
a.
b.
c.
d.

Industry benchmarks
Time series analysis
Common-sized statements
None of these


Data Analysis - Forensic Audit

Data Analysis ToolsTo Manage Big
Data


Analytics in Forensic Audits
BIG DATA
Forget the cloud; Big Data is the new new thing. Here are some commonly
available tools to help manage, analyze and present findings:

ACL or IDEA – data interrogator, capable of extracting information from a
variety of file formats. Can run pre-scripted tests and handle unlimited
amount of data. Interfaces with Excel and Access.
MICROSOFT ACCESS – database program, programmable input
screens, data validation, ad hoc queries and formatted report outputs.
MICROSOFT EXCEL– spreadsheet program, versatile and almost
universally accepted business and data analysis tool. Pivot tables can
present field-by-field analytical views of huge data files

Case Study Background

Hey Big Spender
Embezzled union retirement funds
 Cost to the Company: $42.6 M over
6 years
 Fraudster Profile
 Fund Administrator; Female
 Wrote checks to herself and her family
 Used multiple credit card accounts for friends & family
 No monitoring or oversight of her work
 Spent money on travel, cars, horses, jewelery

Demo
Pivot Tables
Demo: Presenting Big Data
Learn How to:
Present Travel & Expense Fraud findings using Pivot Tables


Polling Question 3

Detecting lack of segregation of duties
is NOT one of the areas best suited for
using data analytics
a. True
b. False



 The Out-of-Control Controller
 Perpetrator failed to reconcile accounts
 Cost to the Company: $6.8 M over 4 years
 Fraudster Profile
 Financial Operations Sr VP; Male
 Prepared fictitious support for account reconciliations
 Directed staff to post fraudulent J/Es to the G/L
 No monitoring or oversight of his work



The Out-of-Control Controller (cont’d)
Additional Tests – Segregation of Duties
 Matching Journal Entry originators to

authorizers
 Identifying E-mails to staff instructing them to post

fictitious Journal Entries


Demo
Account Reconciliations
Demo: Matching Data Fields for Segregation of
Duties Testing
Learn How to:
Match Journal Entry Initiators to Authorizers to identify SOD
violations


Questions?
 Any Questions?
Don’t be Shy!


Thank You!
Jim Kaplan
AuditNet LLC®
703-255-3388
Email: webinars@auditnet.org
http://www.auditnet.org
Peter Goldmann
White Collar Crime 101 LLC/FraudAware®
800-440-2261
Email: pgoldmann@fraudaware.com
http://www.fraudaware.com
David Zweighaft
DSZ Forensic Accounting Services LLC
212-699-0901
Email: dzweighaft@dszforensic.com
http://www.dszforensic.com

Using Data Analytics to Conduct a Forensic Audit

Related slideshows

More Related Content

Using Data Analytics to Conduct a Forensic Audit