Using Data Analytics to Conduct a Forensic Audit
- 1. Using Data Analytics to Conduct a Forensic Audit
February 6, 2013
Special Guest Presenter:
David Zweighaft CPA/CFF, CFE
Copyright © 2013 FraudResourceNet™ LLC
About Peter Goldmann, MSc., CFE
President and Founder of White Collar Crime 101
Publisher of White-Collar Crime Fighter
Developer of FraudAware® Anti-Fraud Training
Monthly Columnist, The Fraud Examiner,
ACFE Newsletter
Member of Editorial Advisory Board, ACFE
Author of “Fraud in the Markets”
Explains how fraud fueled the financial crisis.
- 2. About Jim Kaplan, MSc, CIA, CFE
President and Founder of
AuditNet®, the global resource
for auditors
Auditor, Web Site Guru,
Internet for Auditors Pioneer
Recipient of the IIA’s 2007
Bradford Cadmus Memorial
Award.
Author of “The Auditor’s
Guide to Internet Resources”
2nd Edition
About David Zweighaft
CPA/CFF, CFE
Principal at DSZ Forensic Accounting
& Consulting Services LLC
David has been practicing Litigation
Consulting and Forensic Accounting
for over 20 years
Assisted the US Dept of Justice in
identifying and tracing assets
He managed the largest Swiss bank
Holocaust Asset investigation in New
York for the NYS Banking
Department
- 3. Webinar Housekeeping
This webinar and its material are the property of AuditNet® and FraudAware®.
Unauthorized usage or recording of this webinar or any of its material is strictly
forbidden. We will be recording the webinar and if you paid the registration fee
you will be provided access to that recording within two business days after the
webinar. Downloading or otherwise duplicating the webinar recording is
expressly prohibited.
Webinar will be recorded and will be made available within 48 hours.
Please complete the evaluation to help us continuously improve our Webinars.
You must answer the polling questions to qualify for CPE per NASBA.
Submit questions via the chat box on your screen and we will answer them
either during or at the conclusion.
If GTW stops working you may need to close and restart. You can always dial
in and listen and follow along with the handout.
Agenda
Introduction
Standards & Essentials
What is a “Forensic Audit”?
Pre-Planning & Brainstorming
Data Analysis Tools to Manage Big Data
Data Analysis Techniques
- 4. The Auditor’s Role
IPPF Standard 1210.A3
Internal auditors must have
sufficient knowledge of…available
technology based audit techniques
to perform their assigned work
IIA Guidance – GTAG 13
Internal auditors require appropriate
skills and should use available
technological tools to help them
maintain a successful fraud
management program that covers
prevention, detection, and
investigation. As such, all audit
professionals — not just IT audit
specialists — are expected to be
increasingly proficient in areas such as
data analysis and the use of
technology to help them meet the
demands of the job.
- 5. Professional Guidance
Polling Question 3
Detecting ghost employees is NOT one
of the areas best suited for using data
analytics
a. True
b. False
- 6. Fraud: The Big Picture
According to major accounting firms, professional fraud
examiners and law enforcement:
Fraud jumps significantly during tough economic times
Business losses due to fraud increased 20% in last 12
months, from $1.4 million to $1.7 million per billion dollars of
sales. (Kroll 2010/2011 Global Fraud Report)
Average cost for each incident of fraud is $160,000 (ACFE)
Of Financial Statement fraud: $2 million
Approx. 60% of corporate fraud committed by insiders (PwC)
Approx. 50% of employees who commit fraud have been
with their employers for over 5 years (ACFE)
Data Analytics: Introduction
- 8. Analytics in Audit Planning
From SAS 99, “Consideration of Fraud in a Financial Statement Audit”:
Discussion Among Engagement Personnel Regarding the Risks of Material
Misstatement Due to Fraud…
Prior to or in conjunction with the information-gathering procedures
described [this document], members of the audit team should discuss the
potential for material misstatement due to fraud. The discussion should
include:
An exchange of ideas or "brainstorming" among the audit team members,
including the auditor with final responsibility for the audit, about how and
where they believe the entity's financial statements might be
susceptible to material misstatement due to fraud, how management
could perpetrate and conceal fraudulent financial reporting, and how
assets of the entity could be misappropriated.
Continued…
Identifying the Detailed Payroll
Transaction Data
TYPES OF FRAUD RISK
Financial Reporting Risk
(1) Tone set by top management, (2) internal accounting and audit
functions, (3) Audit committee, (4) management and audit committee
reports, (5) practice of seeking second opinions from independent public
accountants, and (6) quarterly reporting.
Operational risk
Risk of loss resulting from inadequate or failed internal processes, people
and systems, or from external events. Operational risk is the amount of
exposure an organization has as a result of its operational structure. This
includes risk due to processes, organizations, and technologies.
Strategic Risk
The risk associated with future business plans and strategies. This risk
category includes plans for entering new business lines, expanding
existing services through mergers and acquisitions, and enhancing
infrastructure (e.g., physical plant and equipment and information
technology and networking). Strategic plans that include market
expansion or addition of new products.
- 9. Identifying the Detailed Payroll
Transaction Data
TYPES OF FRAUD RISK (continued)
Reputation Risk
Business reputation is established by gaining and retaining
the confidence and trust of the stakeholders in the business:
customers, suppliers and employees, as well as
shareholders. Reputation is gained over time.
Regulatory/Compliance Risk
Risk of Civil and Criminal violations. Regulatory risk, a term
describing the problems arising from new or existing
regulations, is now one of the greatest threats to business.
Compliance with regulatory requirements and ethical conduct
standards is a major concern of Boards of Directors and Audit
Committees.
Analytics in Audit Planning
Common Fraud Scenarios, or “If I were going to
commit fraud, I’d….”
Per SAS 99, PCAOB, AS 2 and 5, fraud risk must be
considered using a Common Fraud Scenario approach.
This allows the auditor to enlist the detailed knowledge of the
stakeholders in the organization in identifying and prioritizing
fraud risks at the entity, process and account levels.
- 10. Analytics in Audit Planning
Common Fraud Scenarios, or “If I were going to
commit fraud, I’d….”
Fraud Scenarios – Treasury – Cash
Executive management in Australia sets up two bank accounts
for deposit of COMPANY receipts. Funds deposited to the first
account are reported to COMPANY Corporate headquarters.
Funds deposited to the second account are used for the
personal pleasure of Executive management in Australia.
Bank reconciliations are conducted by COMPANY Executive
management in Australia and no other accounting is reported
to COMPANY headquarters
Continued
Analytics in Audit Planning
Common Fraud Scenarios, or “If I were going to
commit fraud, I’d….”
Fraud Scenario – Tax Law
Bribes are paid to tax authorities in China to reduce
outstanding liabilities and/or audit adjustments. The bribe
payments are disguised as consulting or contracting expense.
Fraud Scenarios - Payroll
The payroll analyst records time and attendance and a salary
of $500,000.00 per year for her boyfriend who never worked
at XXXX. Subsequent to the time the payroll information is
sent to ADP but prior to the time the payroll report is reviewed
by the Payroll Supervisor, the payroll analyst reverses the
entry. The disbursement to the boyfriend is made by ADP but
does not show up on payroll reports.
- 11. Analytics in Audit Planning
Identifying and Prioritizing Fraud Risk
By brainstorming the types of fraud schemes the organization is
potentially vulnerable to, the team and the stakeholders can make
estimates of …
i) Vulnerability - how likely the occurrence of these schemes is
(very low to very high), and
ii) Magnitude - what is the potential qualitative impact (very low to
very high).
Using the vulnerability criteria discussed previously, auditors can
produce a risk “heat map” that can assist in identifying HIGH RISK
accounts and processes.
Analytics in Audit Planning
Level | Descriptor | Vulnerability Description | Probability Per Occurrence
5 | Very High | Controls, testing, monitoring & reporting are non-existent or ineffective; previous significant adverse experience; lack of skills, influence & knowledge to mitigate risk; and/or significant process or system issue. | Almost Certain
4 | High | Controls, testing, monitoring & reporting are minimally effective; previous major adverse experience; limited skills, influence & knowledge to mitigate risk; and/or major process or system issue. | Probable
3 | Medium | Controls, testing, monitoring & reporting are somewhat effective; previous moderate adverse experience, minor skills, influence & knowledge to mitigate risk; and/or moderate process or system issue. | Reasonably Possible
2 | Low | Controls, testing, monitoring & reporting are effective; previous minor adverse experience, significant skills, influence & knowledge to mitigate risk; and/or no process or system issue. | Remote
1 | Very Low | Controls, testing, monitoring & reporting are very effective; no previous adverse experience, very significant skills, influence & knowledge to mitigate risk | Rare
- 12. Analytics in Audit Planning
Level | Descriptor | Magnitude Description | Business Impact Per Occurrence
5 | Very High | High damage control requiring public / regulatory communication, huge financial loss, fraud perpetrated by senior mgmt | > $20 million
4 | High | Business impact requires significant additional resources to mitigate (internal or external), high financial loss | > $5 million to < $20 million
3 | Medium | Business impact may require (mainly internal) additional resources, medium/high financial loss | > $1 million < $5 million
2 | Low | Business impact easily mitigated, medium/low financial loss | > $500,000 to < $1 million
1 | Very Low | Insignificant business impact, low financial loss | < $500,000
Analytics in Audit Planning
[Figure: "Identification & Prioritization of Fraud Risk" heat map. Axes: Magnitude and Vulnerability. Quadrants: High Magnitude/High Vulnerability; High Vulnerability/Low Magnitude; Low Magnitude/Low Vulnerability; High Magnitude/Low Vulnerability.]
Legend of plotted areas: 0 GA; 1 Facilities; 2 Fixed Assets; 3 Inventory; 4 Information Technology; 5 CATS-A/P; 6 CATS-Procurement; 7 Customer Support; 8 Direct Sales; 9 Entity Level Controls; 10 Finance-Accounting; 11 Finance-Payroll; 12 Finance Regulatory; 13 Finance Tax; 14 Finance-Treasury Cash; 15 HR-Benefits; 16 Indirect Sales; 17 Law; 18 Marketing; 19 R&D; 20 Sales
- 13. Polling Question 3
Who should participate in the
identification and prioritization of
fraud exercise?
a. Finance
b. Legal
c. Internal Audit
d. All of the above
Analytics in Audit Planning
Identify Relevant Data Sources within the organization:
Financial – General Ledger, Sub Ledgers, Payroll
Non-Financial – Personnel files, Access logs, Emails, Vendor Files
Identify data sources
Areas or issues of focus
Collect or gather data
Prepare data (“data normalization”)
Analyze data
Interpret data
Monitor results
Identify issues for further research or investigation
Assess Resources Needed for the Audit:
Staffing – Headcount, locations
Skills – Languages, Experience, Expertise (CFEs, IT skills)
Tools – Computer Automated Analytic Tools (CAATs) Software
- 14. Data Analysis - Forensic Audit
Data Analysis Techniques
Analytics in Audit Planning
Analytical Approaches to Planning
Industry Comparatives – Benchmarking
Time Series (Horizontal) Analysis
Common Size (Vertical) Analysis
- 15. Analytics in Audit Planning
Analytical Approaches to Planning
Vertical – a/k/a “common-sized statements”
Analyzes each line as a % of its relevant total
Income items as a % of total revenue
Expenses as a % of total expense
Identifies disproportionate items
Identifies fluctuations between periods
Horizontal – a/k/a “time-series analysis”
Measures $ and % changes from period to period
Identifies fluctuations and seasonality
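The two approaches above, worked on the expense side only, as an added example that is not part of the original slides. The account names, figures and review thresholds are constructed assumptions.

```python
from typing import Dict, List

# Constructed expense totals per period (illustrative, not webinar data).
PERIODS = ["2010", "2011", "2012"]
EXPENSES: Dict[str, List[int]] = {
    "Salaries":         [500_000, 520_000, 540_000],
    "Rent":             [120_000, 120_000, 126_000],
    "Travel & Expense": [40_000, 44_000, 95_000],
    "Consulting":       [60_000, 58_000, 61_000],
}

def vertical(lines):
    """Common-size view: each line as a % of total expense for its period."""
    totals = [sum(col) for col in zip(*lines.values())]
    return {name: [round(100 * v / t, 2) for v, t in zip(vals, totals)]
            for name, vals in lines.items()}

def horizontal(lines):
    """Time-series view: ($ change, % change) between consecutive periods."""
    out = {}
    for name, vals in lines.items():
        out[name] = [(cur - prev,
                      round(100 * (cur - prev) / prev, 2) if prev else None)
                     for prev, cur in zip(vals, vals[1:])]
    return out

def flag(lines, pct_limit=25.0, share_limit=5.0):
    """Return (line, period, $ change, % change, share shift in points)
    for every movement over either limit. Both limits are assumed review
    thresholds, to be tuned per engagement."""
    v, h = vertical(lines), horizontal(lines)
    hits = []
    for name in lines:
        for i, (delta, pct) in enumerate(h[name]):
            shift = round(v[name][i + 1] - v[name][i], 2)
            new_line = pct is None and delta != 0  # appeared from a zero base
            if (new_line or (pct is not None and abs(pct) > pct_limit)
                    or abs(shift) > share_limit):
                hits.append((name, PERIODS[i + 1], delta, pct, shift))
    return hits

if __name__ == "__main__":
    for hit in flag(EXPENSES):
        print(hit)
```

Because common-size shares sum to 100%, a spike in one line pushes every other share down, so the share limit is set wider than the normal drift of the stable lines.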
Demo
Horizontal & Vertical Analysis
Demo: Performing Financial Statement Analyses
Learn How to:
Identify patterns and anomalies in financial statements
- 16. Demo
Account Reconciliations
Demo: Converting and Matching Subledger Data
to the General Ledger
Learn How to:
Extract data from legacy systems and reconcile to General
Ledger data
Analytics in Audit Planning
Top-Down vs. Bottom-Up Approach
Depending on the area being audited, the auditor may choose between
Top-Down Approach – Best for entity-level controls and compliance
policies
Code of conduct issues
Corporate Governance
Vendor selection policies
Bottom-Up Approach – Best for process-level and account detail testing
Travel & Expense reporting
Cash disbursements and approvals
- 17. Polling Question 3
When comparing companies in the
same industry, which analytic tool is
least helpful?
a. Industry benchmarks
b. Time series analysis
c. Common-sized statements
d. None of these
Data Analysis - Forensic Audit
Data Analysis Tools to Manage Big Data
- 18. Analytics in Forensic Audits
BIG DATA
Forget the cloud; Big Data is the new new thing. Here are some commonly
available tools to help manage, analyze and present findings:
ACL or IDEA – data interrogator, capable of extracting information from a
variety of file formats. Can run pre-scripted tests and handle unlimited
amount of data. Interfaces with Excel and Access.
MICROSOFT ACCESS – database program, programmable input
screens, data validation, ad hoc queries and formatted report outputs.
MICROSOFT EXCEL – spreadsheet program, versatile and almost
universally accepted business and data analysis tool. Pivot tables can
present field-by-field analytical views of huge data files.
Case Study Background
Hey Big Spender
Embezzled union retirement funds
Cost to the Company: $42.6 M over
6 years
Fraudster Profile
Fund Administrator; Female
Wrote checks to herself and her family
Used multiple credit card accounts for friends & family
No monitoring or oversight of her work
Spent money on travel, cars, horses, jewelry
- 19. Demo
Pivot Tables
Demo: Presenting Big Data
Learn How to:
Present Travel & Expense Fraud findings using Pivot Tables
Polling Question 3
Detecting lack of segregation of duties
is NOT one of the areas best suited for
using data analytics
a. True
b. False
- 20. Case Study Background
The Out-of-Control Controller
Perpetrator failed to reconcile accounts
Cost to the Company: $6.8 M over 4 years
Fraudster Profile
Financial Operations Sr VP; Male
Prepared fictitious support for account reconciliations
Directed staff to post fraudulent J/Es to the G/L
No monitoring or oversight of his work
Case Study Background
The Out-of-Control Controller (cont’d)
Additional Tests – Segregation of Duties
Matching Journal Entry originators to
authorizers
Identifying E-mails to staff instructing them to post
fictitious Journal Entries
- 21. Demo
Account Reconciliations
Demo: Matching Data Fields for Segregation of
Duties Testing
Learn How to:
Match Journal Entry Initiators to Authorizers to identify SOD
violations
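One way to run the initiator-to-authorizer match described above, as an added example that is not the presenter's demo. The journal-entry extract, column names and user IDs are constructed and hypothetical; IDs are normalized first so that case or spacing differences do not hide a match.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed journal-entry extract; columns and user IDs are hypothetical.
JE_CSV = """je_id,posted,account,amount,initiator,authorizer
JE-1001,2012-03-30,1200-Recv,15000.00,mlee,rpatel
JE-1002,2012-03-31,2100-Accr,250000.00,jdoe,JDOE
JE-1003,2012-03-31,1200-Recv,9800.00,mlee,
JE-1004,2012-04-02,6100-T&E,4200.00,rpatel,mlee
JE-1005,2012-04-02,2100-Accr,310000.00, jdoe ,jdoe
"""

def norm(user):
    """Normalize an ID so 'JDOE' and ' jdoe ' compare as the same person."""
    return (user or "").strip().lower()

def sod_violations(csv_text):
    """Entries whose initiator also authorized them, or with no authorizer."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        init, auth = norm(row["initiator"]), norm(row["authorizer"])
        if not auth:
            reason = "no authorizer"
        elif init == auth:
            reason = "self-authorized"
        else:
            continue  # two different people: duties are segregated
        findings.append({"je_id": row["je_id"], "user": init,
                         "amount": Decimal(row["amount"]), "reason": reason})
    return findings

def exposure_by_user(findings):
    """Total flagged amount per initiator, largest first, to rank follow-up."""
    totals = defaultdict(Decimal)
    for f in findings:
        totals[f["user"]] += f["amount"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    hits = sod_violations(JE_CSV)
    for f in hits:
        print(f["je_id"], f["user"], f["amount"], f["reason"])
    print(exposure_by_user(hits))
```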
Questions?
Any Questions?
Don’t be Shy!
- 22. Thank You!
Jim Kaplan
AuditNet LLC®
703-255-3388
Email: webinars@auditnet.org
http://www.auditnet.org
Peter Goldmann
White Collar Crime 101 LLC/FraudAware®
800-440-2261
Email: pgoldmann@fraudaware.com
http://www.fraudaware.com
David Zweighaft
DSZ Forensic Accounting Services LLC
212-699-0901
Email: dzweighaft@dszforensic.com
http://www.dszforensic.com